Black magic of squirrel-XSS Exploitation

Black magic of squirrel-XSS Exploitation

Currently, XSS vulnerabilities are common, but there are not many tricks. I hope this topic will serve as an example to attract more people to share interesting gameplay.

This topic describes some basic XSS applications and advanced gameplay, such as XSS detection environment, phishing, and Intranet attacks. So that everyone is no longer limited to getting a Cookie into the background. Because once the Cookie has the HttpOnly attribute or access control is implemented in the background, you will not be able to change the current status.
The first half of the topic is more about gameplay and the principles of gameplay. The second half is about how to use these examples to show you how interesting these methods are.

1. Multiple Xss exploitation methods

1.1 XSS obtain trigger pages, cookies, and other sensitive information

If the keyword segment of the Cookie does not use HttpOnly, background access restrictions, and other protection measures.

Therefore, attackers can use cookies to access the website background, and further discover SQL Injection file uploads and other vulnerabilities in the background to win WebShell.

What is a keyword segment? Php session and other Cookie fields used for identity authentication.

1.2 use JavaScript protocol to do interesting things

Why is XSS output in the first iframe element? But does the second iframe element?

 

The h1 label is displayed in the first iframe because the returned value is not undefined.
Q: What can we do with this?

Use XSS of trusted domains for phishing attacks

1.3 XSS Worm

General Flowchart

How can we enable more people to trigger your XSS in various ways and then make the victim an attacker?

If you use an XSS, these will no longer be the obstacle of your worm.

How to implement it?

What is the difference between such a worm and CSRF?

 

If you encounter a point that can be dynamically published without the need for tokens and other verification information, you can use CSRF for worms.

Case: XSS + CSRF for sending and replying with various clicks

How do I get worms?

1.4 hijacking form

1. Which environments does it apply?

A form exists on the page where XSS code can be embedded.

Users with website control permissions cannot unlock user passwords

2. How do I hijack a form?

Currently, this function is available in the short xss library.

Usage: xss. xform (form object, accept address)

3. Principle of form hijacking:

1. first obtain the action of the form to be hijacked, target (in order not to affect the function)

2. Replace the submission address of the current form with our address.

3. submit the form to us before submitting it to the original address.

Benefits: normal login can be performed without affecting the function while hijacking data.

Sogili XSS Library: http://pujun.li/xss.js

1.5 test target environment

Sometimes, in order not to blindly attack a target, we need to obtain more information. For example, the Flash version of the Java version of the operating system browser and so on.

1. Why?

How can we detect the target environment?

Although Navigator objects are supported by any browser, Some browsers may not be able to obtain certain information because they are not a standard.

The operating system and browser version can be seen from UserAgent.

1.6 XSS intranet applications

1. Obtain the Intranet IP Address:

Obtain the IP address and guess the Intranet range to prepare for scanning other machines in the intranet.

 

How does the browser obtain the Intranet IP address?

Javascript: window. webkitRTCPeerConnection

WebRTC has an example of online chat on firefox. Although he was not originally born to facilitate xss, some of its APIs can help us do more with XSS. For example, obtain the Intranet IP address.

2. Scan the Web port of the open port of the Intranet machine:

Use the onload feature of javascript.

2. Scan the open port of the Intranet machine for the Service port:

Use the protocols of other services and private protocols, such as the FTP protocol.

You can use the ftp protocol when detecting whether port 21 is open, which is supported by almost all browsers.

3. Scan the Web Container of the Intranet machine:

Using img's onload, we can think about what else to do this?

 

4. Attack other machines in the Intranet

 

Prerequisites: there are enough paths and POC

In this way, we can use cms vulnerabilities to attack internal network machines. For example, after wordpress is installed, the default path is/wordpress.

Then, we can use the ip address and open port we have scanned to launch some attacks along with the route.

Not all vulnerabilities can be exploited. For example, you can execute a reverse shell command.

For example, if getshell is used to request and verify with js, You can see whether the request is successful or not.

Reference the image of using st2 to rebound shell in heige PPT:

XSS Proxy

1. When attackers directly access the background:

2. When attackers use XSS Proxy to access the background:

5. Principles of XSS Proxy

Note: JS is a client script that can trigger your XSS. It must be the person with the permission to access the background.

 

2. XSS in actual cases

2.1 Case 1: XSS + CSRF + Phishing

2.2 Case 2: 51job.com two storage-type XSS + worms (loading js with 20 characters outside the html Tag)

No one forwarded the collar, and the face exposure rate is not high enough? Worms help you.

Crawling:

How to worm? Simulate normal operations and capture packets at the same time.

Packet Capture when forwarding Weibo:

Analysis parameter value:

Type 4: Weibo

Noticeid Replyid indicates the Weibo ID

Content indicates the forwarded Content.

After analysis, we can crawl

Replace the dynamic Weibo ID with Noticeid Replyid

Then we use js to write ajax code to make it crawl

How to write the code?

 

 

Address is the Address for receiving the request.

Shuju is the modified POST data packet

Define a function. The function creates an AJAX object and sets the Content-Type.

You can call the function to pass in the address and data packet to POST successfully.

To achieve the effect of forwarding Weibo. After forwarding, someone else clicks Weibo and sends it to others.

2.3 Case 3: How can I use an XSS to detect Sohu Intranet scanning and crawling to the front-end! (With a variety of POC)

Cookie retrieval is incomplete (because httpOnly is available) and the background is placed on the Intranet. Will this XSS point continue?

Sohu came out of the Self-media system, so I went to test XSS and got the following information.

What do we get from this?

Url, Ping this Url to find the unknown host, and then realize that it must be an intranet host.

UserAgent: It can be seen from UserAgent that it is WIN7 + Chrome30 (if there is a vulnerability in the browser, you can directly get the employee's machine)

What is the use of this information for us? At least we know that their employees use modern browsers instead of Internet Explorer 6. Now we can do a big job.

1. Obtain the Intranet IP Address:

 

Finally, the employee's intranet IP address segment is 10.7.8.1-10.7.8.255.

What can I do?

Employee segments should be office network segments that can try some hardware device vulnerabilities, such as TP-link csrf to modify DNS. And so on. Use your imagination ....

Common problems that are often convenient to us in Intranet XSS ":

Someone accesses the Intranet through a domain name or an intranet IP address.

It can be seen from the figure above that when someone accesses the port through an intranet IP address, the Intranet IP address and port number are exposed, and they are collected to prepare for the next port scan.

For large companies like sohu, the Intranet must be strictly divided, and servers may be placed in one CIDR block. Therefore, you only need to scan the frequently-opened ports, 80 8080, and exposed 8087 for the 10.10.125.195 CIDR block.

Why not scan the dot port? Because too many ports are scanned, the webpage may become relatively slow or even crash.

Scan the WEB ports opened by the Intranet server CIDR Block:

We can see that in the figure above, each ip address detects three ports. The ports in the onload event also correspond to the ports to be tested.

Result After running:

Sort out the results after deduplication:

 

What should we do after we get the port opened by the Intranet Web server?

 

Collect some CMS, the default path of the framework, and the POC. In the next step, you can use the POC to reverse the shell or Getshell.

For example, the Command Execution Vulnerability refers to the image in the hacker PPT to use the collected ip address, port, and Path in one piece to try to use the POC, for example:

If the previous step fails, you can first find an SQL injection and File Upload Vulnerability.

How to do it? You can use ajax to crawl some web pages in the background, and then use local rendering to find the possible vulnerabilities.

The ID parameter of an article URL is sent with single quotation marks and without single quotation marks.

The second request added a single quotation mark and reported an error. At that time, I thought there was an injection. I was so happy that it was not an injection point.

What should I do if I am in a dilemma, and there are no vulnerabilities in the background, and there are not enough paths and POC?

 

Start from the old industry, phishing:

 

When crawling the website background, I specially crawled the login interface to prepare for phishing.

Because it is not meticulous, it may be that you are too greedy to catch more points of account, not set only once, resulting in later discovery.