NullHyd Jan Meetup Talk on Chaining bugs and Writing single click Exploits

Excited to share that I gave a talk at the Null Hyderabad Security Meet. The event was organized on 25th Jan 2020 by Salesforce, Hyderabad.

Abstract

We started the talk with a quick recap of the basics of authentication and SQL injection, plus some demos of context-based XSS. The talk used PentesterLab’s “XSS and MySQL FILE” exercise to demonstrate chaining pre- and post-authentication vulnerabilities and developing a single-click exploit to gain remote code execution.

Agenda

Slides

Vulnerability Discovery

Spin up both VMs: Kali Linux (attacker) and the XSS-MySQL lab (target).
Quickly run a few commands to add the identified IPs to the /etc/hosts file for convenience.

Opening http://target shows a blog with 2 posts (post.php?id=1) on which unauthenticated users can comment.

Cross-Site Scripting
We analyzed post.php and post_comment.php, which make multiple consecutive function calls to post and display comments to users. Posted comments are inserted into the database and retrieved for users when posts are displayed. Interestingly, there is no validation in between, resulting in stored XSS.
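The lab renders the stored comment straight into the page, and the fix depends on which context the comment lands in (HTML body, attribute, or script). The following Python example is added here for illustration and is not the lab's PHP code or the talk's material; the sample comments and the `render_comment_*` helpers are constructed for this example, with the vulnerable renderer mirroring the concatenation pattern described above and the others applying context-specific encoding.

```python
import html
import json

# Constructed sample comments (not from the lab); the first two carry
# the kind of markup a stored-XSS test would submit.
SAMPLE_COMMENTS = [
    "<script>alert(1)</script>",
    'nice post" onmouseover="alert(1)',
    "plain text & nothing else",
]


def render_comment_vulnerable(comment: str) -> str:
    """Mirrors the lab's pattern: the stored comment is concatenated straight
    into the page, so any markup it contains becomes part of the DOM."""
    return "<div class='comment'>" + comment + "</div>"


def render_comment_html(comment: str) -> str:
    """HTML body context: encode &, <, > and both quote characters."""
    return "<div class='comment'>" + html.escape(comment, quote=True) + "</div>"


def render_comment_attribute(comment: str) -> str:
    """HTML attribute context: the value must be quoted AND encoded.
    Encoding alone does not help if the attribute were left unquoted."""
    return '<div class="comment" title="' + html.escape(comment, quote=True) + '"></div>'


def render_comment_js(comment: str) -> str:
    """JavaScript context: emit a JSON string literal and additionally
    encode '<' so a '</script>' inside the data cannot close the block."""
    literal = json.dumps(comment).replace("<", "\\u003c")
    return "<script>var comment = " + literal + ";</script>"


def payload_survives(rendered: str, comment: str) -> bool:
    """Review helper: does the raw comment reach the output byte-for-byte?
    True for a markup-bearing comment means the sink is injectable."""
    return comment in rendered


if __name__ == "__main__":
    for c in SAMPLE_COMMENTS:
        print("vulnerable:", render_comment_vulnerable(c))
        print("html body :", render_comment_html(c))
        print("attribute :", render_comment_attribute(c))
        print("script    :", render_comment_js(c))
```

The `payload_survives` check is the quick test to run against every sink found during a code review like the one above: if a comment containing `<script>` comes back unchanged, that sink is the stored-XSS source.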

Setting up a Python proxy to Burp Suite for debugging

Minimizing the POST Requests

We identified that the POST request to the /post_comment.php endpoint is the one vulnerable to XSS, but before automating it we should always strip optional parameters and headers from the request to keep it minimal.
We found that only the Content-Type header is required; the other headers can be removed from the request.

Session Hijacking vs Session Riding
Considering the limitations of session hijacking, i.e., HttpOnly cookies (in 2020) and the session expiring when the user logs out of their account, we looked at how session riding can be used to reach administrative functionality, exploit a post-authentication SQL injection and gain RCE.

And there is no CSRF protection on the authenticated pages to stop us from riding the user’s session.
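Session riding works here because the admin pages accept any request that carries the session cookie. The following Python example is added for illustration and is not code from the lab or the talk; `Session`, `authorize_state_change` and the request dictionaries are constructed stand-ins for a PHP session and an incoming HTTP request. It shows the two checks that break session riding: a per-session anti-CSRF token compared in constant time, and an Origin check as defence in depth.

```python
import hmac
import secrets
from typing import Dict, Optional, Tuple


class Session:
    """Minimal stand-in for the server-side session store (constructed)."""

    def __init__(self) -> None:
        self.data: Dict[str, str] = {}


def issue_csrf_token(session: Session) -> str:
    """Create one random secret per session and embed it in every form that
    changes state. The same token is reused for the session's lifetime."""
    token = session.data.get("csrf_token")
    if token is None:
        token = secrets.token_urlsafe(32)
        session.data["csrf_token"] = token
    return token


def csrf_token_valid(session: Session, submitted: Optional[str]) -> bool:
    """A missing token on either side fails; compare in constant time so the
    check cannot be timed byte by byte."""
    expected = session.data.get("csrf_token")
    if expected is None or submitted is None:
        return False
    return hmac.compare_digest(expected, submitted)


def origin_allowed(headers: Dict[str, str], allowed_origins: Tuple[str, ...]) -> bool:
    """Browsers attach Origin to cross-site POSTs; if it is present it must
    name this site. Absence is tolerated (some same-site requests omit it)."""
    origin = headers.get("Origin")
    return origin is None or origin in allowed_origins


def authorize_state_change(session: Session, method: str, headers: Dict[str, str],
                           form: Dict[str, str],
                           allowed_origins: Tuple[str, ...] = ("http://target",)) -> Tuple[int, str]:
    """Gate for any request that modifies data (such as an admin edit).
    Returns an HTTP status and a reason string."""
    if method.upper() != "POST":
        # A state-changing GET stays ridable via a plain link or <img> tag,
        # so edits must never be accepted on GET.
        return 405, "state-changing requests must use POST"
    if not origin_allowed(headers, allowed_origins):
        return 403, "cross-origin request rejected"
    if not csrf_token_valid(session, form.get("csrf_token")):
        return 403, "missing or invalid CSRF token"
    return 200, "ok"


def session_cookie_header(session_id: str) -> str:
    """Cookie attributes that limit riding: SameSite=Lax keeps the cookie off
    cross-site POSTs, HttpOnly keeps it away from script (as the lab's is)."""
    return f"PHPSESSID={session_id}; Path=/; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    s = Session()
    tok = issue_csrf_token(s)
    print(authorize_state_change(s, "POST", {"Origin": "http://target"}, {"csrf_token": tok}))
    print(authorize_state_change(s, "POST", {}, {}))
    print(session_cookie_header("constructed-session-id"))
```

Note the ordering: the method check comes first because a `SameSite=Lax` cookie is still sent on top-level GET navigations, so an edit endpoint reachable by GET (as the one described below) remains ridable regardless of token handling.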

Post-Authenticated SQL Injection
Once again we analyzed the source code to identify SQLi in authenticated functionality. Reviewing the code of /admin/edit.php, we found that user-controlled input is used to build a MySQL UPDATE query without any validation, resulting in SQL injection. We can confirm this by visiting the following URLs and extracting the admin credentials from the DB.
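The UPDATE-query flaw above is the classic string-splicing bug, and the fix is to keep the statement text fixed and bind the values. The following Python example is added here and is not the lab's code; it uses sqlite3 as an offline stand-in for MySQL (the quoting pitfall is identical), and the `posts` table, its rows and the sample input are constructed. The vulnerable function has the same shape as the flaw described for /admin/edit.php; the hardened one binds parameters and type-checks the id.

```python
import sqlite3
from typing import Dict


def make_db() -> sqlite3.Connection:
    """Constructed schema: two blog posts, standing in for the lab's table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO posts VALUES (?, ?)", [(1, "first"), (2, "second")])
    conn.commit()
    return conn


def update_title_vulnerable(conn: sqlite3.Connection, post_id, title: str) -> None:
    """Same pattern as the flaw above: user input is spliced into the UPDATE,
    so a quote in the title rewrites the statement's WHERE clause."""
    sql = f"UPDATE posts SET title='{title}' WHERE id={post_id}"
    conn.execute(sql)
    conn.commit()


def update_title_safe(conn: sqlite3.Connection, post_id: int, title: str) -> int:
    """Hardened: the statement is a constant, values travel as bound parameters,
    and the id is type-checked before it reaches the database. Returns the
    number of rows changed so the caller can assert exactly one."""
    if not isinstance(post_id, int):
        raise ValueError("post_id must be an integer")
    cur = conn.execute("UPDATE posts SET title=? WHERE id=?", (title, post_id))
    conn.commit()
    return cur.rowcount


def titles(conn: sqlite3.Connection) -> Dict[int, str]:
    """Snapshot of the table for comparing before/after."""
    return dict(conn.execute("SELECT id, title FROM posts ORDER BY id"))


# Constructed input: a title that, when spliced, redirects the UPDATE to a
# different row. Stored literally by the hardened version.
CRAFTED_TITLE = "x' WHERE id=2 --"


if __name__ == "__main__":
    db = make_db()
    update_title_vulnerable(db, 1, CRAFTED_TITLE)
    print("vulnerable:", titles(db))  # post 2 changed although post 1 was targeted

    db = make_db()
    changed = update_title_safe(db, 1, CRAFTED_TITLE)
    print("safe:", titles(db), "rows changed:", changed)
```

The integrity failure (editing a row the request never named) is the same root cause as the credential extraction the lab exploits; parameter binding closes both, and the `rowcount` check gives the application a cheap way to detect an UPDATE that touched more or fewer rows than intended.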

SQLi and MySQL FILE priv
The FILE privilege allows MySQL users to read and write files on the system.
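Because FILE is what turns the SQL injection above into file read/write on the host, the defender's question is which accounts hold it and whether `secure_file_priv` bounds it. The following Python example is added here and is not from the lab or the talk; the `SHOW GRANTS` lines are constructed, and `accounts_with_file_priv` and `file_priv_effective` are example helpers for auditing that output offline.

```python
import re
from typing import Iterable, List, Optional

# Constructed SHOW GRANTS output for a few accounts; not from the lab.
SAMPLE_GRANTS = [
    "GRANT ALL PRIVILEGES ON *.* TO 'blog'@'localhost' WITH GRANT OPTION",
    "GRANT SELECT, INSERT, UPDATE, FILE ON *.* TO 'app'@'%'",
    "GRANT SELECT, INSERT, UPDATE ON `blog`.* TO 'web'@'localhost'",
    "GRANT USAGE ON *.* TO 'web'@'localhost'",
]

# GRANT <privs> ON <scope> TO 'user'@'host' ...
GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+(?P<account>'[^']*'@'[^']*')",
    re.IGNORECASE,
)


def accounts_with_file_priv(grant_lines: Iterable[str]) -> List[str]:
    """Return accounts whose global grant includes FILE, either named directly
    or folded into ALL PRIVILEGES. FILE is a global privilege, so only
    'ON *.*' lines can confer it; database-scoped grants are skipped."""
    flagged = set()
    for line in grant_lines:
        m = GRANT_RE.match(line.strip())
        if not m or m.group("scope") != "*.*":
            continue
        privs = {p.strip().upper() for p in m.group("privs").split(",")}
        if "FILE" in privs or "ALL PRIVILEGES" in privs or "ALL" in privs:
            flagged.add(m.group("account"))
    return sorted(flagged)


def file_priv_effective(secure_file_priv: Optional[str]) -> str:
    """Interpret the secure_file_priv system variable, which bounds what the
    FILE privilege can actually reach on disk."""
    if secure_file_priv is None or secure_file_priv.upper() == "NULL":
        return "disabled: LOAD DATA, LOAD_FILE() and SELECT ... INTO OUTFILE are refused"
    if secure_file_priv == "":
        return "unrestricted: FILE can read and write anywhere the mysqld process can"
    return f"restricted to directory {secure_file_priv}"


if __name__ == "__main__":
    print("accounts with FILE:", accounts_with_file_priv(SAMPLE_GRANTS))
    for setting in ("NULL", "", "/var/lib/mysql-files/"):
        print(repr(setting), "->", file_priv_effective(setting))
```

The web application's own database account (the one whose credentials the injected query runs under) is the one to check first: it needs SELECT, INSERT and UPDATE on the blog schema, never a global grant, and with `secure_file_priv` set to NULL the FILE step of the chain is refused even if the grant slips through.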

Connecting the Dots and Crafting the Exploit

Automating the whole process into a single exploit

root@kali:~/nullhyd# cat post_comment.py

root@kali:~/nullhyd# cat alert.js

root@kali:~/nullhyd# cat cookie_steal.js

root@kali:~/nullhyd# cat xss_exploit.js

Trigger the Shell!

We kept all the files shared above in the same folder and ran a simple HTTP server locally to host the files that the application will request when our exploit runs.

Now, in a new terminal, start a Netcat listener on port 1337.

All set! Let’s fire up the exploit and catch the reverse shell on the system…
