View RSS Feed

amolnaik4

SQL Injection Via XSS

Rate this Entry
One of the G4H member mandi from Garage4hackers Forums - Home (my second home) asked few days before about xsssqli attack. He had a scenario where the main site is having a cross-site scripting vulnerability and the admin panel has SQL Injection. The page having sql injection in admin panel is only accessible to admin. The question was is it possible to use xss on main site to exploit sql injection on admin panel to get admin account pwned?

Here is my answer with following scenario:

There is a main site which is vulnerable to xss flaw (reflected/stored). The same site has a admin panel which is only accessible to admin users and one of the authenticated pages is vulnerable to sql injection. the admin panel can be a separate package like cpanel and the sql injection vulnerability will be already published (exploit-db FTW!!!).

This is how we can pwn admin account using sql injection via xss.
1. Attacker crafts a xss payload which is using AJAX to make a request with sql injection payload.
2. He sends the payload to admin user.
3. When admin user is logged in into admin panel and clicks the payload link from attacker, the sql injection in admin page is exploited and returns the username & password hashes from admin table.
4. Attacker then submit the returned data to his site using Ajax and will crack password hashes offline.

Video Demonstration:


Any suggestions, comments are welcome.

Update:
As rightly pointed by @antisnatchor on twitter, the issue having xss in main site and sql injeciton in admin panel can be exploited with BeEF Tunneling proxy technique. In tunneling proxy, BeEF will use hooked browser (in this case browser used by Admin) as proxy to access the authenticated sessions (in this case the admin panel). Check BeEF Tunneling Proxy in action:
TheBeefproject's Channel - YouTube

AMol NAik

Updated 02-14-2012 at 02:05 PM by amolnaik4

Tags: None Add / Edit Tags
Categories
Uncategorized

Comments

  1. [s]'s Avatar
    This way is really a innovative, I have question.
    1) How we know Table name ,Column name. If it is public CMS and vuln to SQL then possible to do easily.
    2) What about IE , they have anti-XSS
  2. amolnaik4's Avatar
    Quote Originally Posted by [s]
    This way is really a innovative, I have question.
    1) How we know Table name ,Column name. If it is public CMS and vuln to SQL then possible to do easily.
    2) What about IE , they have anti-XSS
    Here are the answers:
    1) At the moment of writing this post, I assumed that SQL injection vulnerability in CMS is already public. So you can use that to know the database details to fetch the data.

    The other scenario I can think of is in case of grey-box audit. Suppose you audited the admin portal and found that it is vulnerble to SQLi, you reported issue and client says it's should be low/medium as only admin has access to the vulnerble page. Again client has extra mitigations such as there is only 1 admin which is trusted & has IP address level access to admin portal. So now in this case, if you have a xss bug in main site, you can demonstrate using this technique that still the authenticated sqli can be exploited.

    2. Those are browser protections and part of browser security eventually user security. To successfully conduct this attack the admin should be using browser not having plugins such as anti-XSS, NoScript, etc. If that's the case, then u need to find the 0-day in that or decrease the threat level.

    That's my thoughts.

    AMol NAik
  3. [s]'s Avatar

    f that's the case, then u need to find the 0-day in that or decrease the threat level.
    Most probably threat level is low : ) Thanks Bro...
  4. amolnaik4's Avatar
    Quote Originally Posted by [s]


    Most probably threat level is low : ) Thanks Bro...
    In same sense, all XSSes on IE will have a threat level as low. But that will not be the case. Threat Severity will be always depend on other points as well such as ease of exploitation, exploit availability, knowledge required to exploit, etc.

    So you can only say it's low level only when you know admin only uses browser having anti-XSS protections (filters, addons, extenstions, etc). Single instance of using other browser makes it High.

    AMol NAik

Trackbacks

Total Trackbacks 0
Trackback URL: