Thursday, 30 November 2017

First results from modus.py

Ok. Here we go again... During the last few days, after I had the pleasure of receiving some 'results' from the CVE Team (1,2,3), I decided that it would be a good ('enough' ;]) idea to create a small 'poc script' (again) to automate a little bit the process of 'finding bugs' (for example: those mentioned in the CVE references). Below you will find a few details collected after a few days of 'research' and pinging the Vendors...
Let's start from the beginning.

Idea was simple:
if I'm able to use BurpSuite with a few payloads to find bugs later described as "CVE-ID", maybe I can use a python script and automate it (to get at least 'similar' results).

After a few hours of blackbox testing and comparing the results with the source code (of the few webapps I tried) I found a few interesting cases. You will find them below (but to be honest, all of those published here are related to the "admin-only" part of the webapp :]).

Here we go:

#01 - osCommerce

I tried to contact the Vendor (twitter/linkedin/github) - no success.

Version I tried: oscommerce-2.3.4.1

(I called the script 'modus.py' (from 'modus operandi' ;]) so later we will use that name in the post.)

Below you will find some results for the 'latest' (afaik) version of osCommerce:


As you can see, as a result we get the filename with the buggy declaration (read: no or wrong sanitization here) and next we try to find where that ('declared') param is used in the code.


Why was this 'scenario' good? Let's verify the finding:


Results:



When I saw "HTTP_POST_VARS" in the code for the first time, I was wondering if this was a hint to check any other string containing this 'variable'... So:


This is how I found another vulnerable ('declaration' of) parameter. Verification:



As a 'browser-user' you should see:


Later (reading the code) you will see that there are a few other places also vulnerable to XSS, for example:



Another example - manufacture_name:


Response:


Persistent because:

Next one:

Results:



Quick summary:



...modus.py vs. osCommerce - 1:0 :]

Cool. Let's switch to PrestaShop for a moment...



#02 - PrestaShop

Contact was great until I sent the poc... :|

So: during blackbox testing of PrestaShop (available somewhere between the TurnKeyLinux and Bitnami versions ;) ) I identified a few XSS bugs. When I spotted a few of them I decided to "teach" modus.py to identify more "similar to those I was able to find during the blackbox pentest".

Below, a few results:



As you can see we have an XSS-over-GET here. Below, the request and response from Burp:


Below you will find something interesting:


Next case:


Result:



...and if you're still looking for more, modus will suggest, for example, these lines:


Let's go deeper...


#03 - Horde 5.2.21

As usual, you will find a 'ready to go' VM on Bitnami's (or TurnKeyLinux's) webpage(s):


As you can see, a "wrong declaration" at the 'beginning' will result in XSS (in this example) in (probably) any other place in your webapp where the (unfiltered/wrongly filtered) param is used.
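The grep-then-trace workflow the post describes (flag the unsanitised request-parameter declaration, then look for where that variable reaches output) can be sketched in a few lines of Python. This is an added example, not modus.py (which the author did not publish); the PHP it scans is a constructed snippet rather than code from osCommerce, PrestaShop or Horde, and the sanitiser and sink lists are deliberately coarse heuristics.

```python
import re

# Constructed sample PHP (not taken from osCommerce, PrestaShop or Horde) showing
# the pattern the post describes: a request parameter assigned to a variable
# without sanitisation, then echoed elsewhere in the file.
SAMPLE_PHP = r"""<?php
$name = $HTTP_POST_VARS['manufacturers_name'];
$page = (int)$_GET['page'];
$title = htmlspecialchars($_GET['title']);
echo '<h1>' . $name . '</h1>';
echo "<p>Page $page</p>";
echo htmlspecialchars($name);
"""

# Request superglobals (old and new names) that make a value attacker-controlled.
SOURCES = ("$_GET", "$_POST", "$_REQUEST", "$_COOKIE", "$HTTP_GET_VARS", "$HTTP_POST_VARS")
# Coarse list of wrappers treated as sanitising the value for HTML output.
SANITISERS = ("htmlspecialchars(", "htmlentities(", "(int)", "intval(", "(float)")
DECL_RE = re.compile(r"^\s*\$(\w+)\s*=\s*(.+?);\s*$")
OUTPUT_RE = re.compile(r"^\s*(echo|print)\b")

def find_tainted_declarations(php):
    """Step 1 (the 'grep'): map variable name -> line number for every assignment
    that copies a request parameter without one of the recognised sanitisers."""
    tainted = {}
    for no, line in enumerate(php.splitlines(), 1):
        m = DECL_RE.match(line)
        if not m:
            continue
        var, rhs = m.groups()
        if any(s in rhs for s in SOURCES) and not any(s in rhs for s in SANITISERS):
            tainted[var] = no
    return tainted

def find_unescaped_uses(php, tainted):
    """Step 2 (the trace): return (var, line_no) for each echo/print line that
    uses a tainted variable and does not pass it through a sanitiser."""
    hits = []
    for no, line in enumerate(php.splitlines(), 1):
        if not OUTPUT_RE.match(line) or any(s in line for s in SANITISERS):
            continue
        for var in tainted:
            if re.search(r"\$" + re.escape(var) + r"\b", line):
                hits.append((var, no))
    return hits

def audit(php):
    """Run both steps and return the candidate XSS sinks as (var, line_no)."""
    return find_unescaped_uses(php, find_tainted_declarations(php))
```

Run on SAMPLE_PHP, `audit` reports only line 5, where `$name` is echoed raw; the `(int)` cast, the escaped `$title` and the `htmlspecialchars($name)` echo are all skipped.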

Running modus.py to find similar bugs? No problem (results from grep):


Maybe you're interested in how other declarations are prepared? Ok, below a few examples:


Let's try more:



Ok, one more:


At this stage you should get the idea and be able to find, for example, these lines too:


If you still want more XSS, maybe this is the hint for you:



Ok, a direct copy/paste from modus.py (you should already be familiar with those results, anyway):


...or here...


Of course there are many more, so read the source!

(FYI: modus.py will not be publicly available for now).

Cheers

