Some time ago I started searching for bugs in Nagios XI. A few days ago I decided to continue my "research", and that's how I landed on Nagios IM (2.0.0, afaik ;)). Below you'll find a few notes about it. :) Here we go...
This time we'll start here:
As we're starting by creating a 'normal user' account, I used Burp proxy to intercept the requests and understand how this app works.
TL;DR:
After a while, one of the requests I found turned out to be 'in fact' a stored XSS. It was a good beginning for the plan. ;>
Read as:
> with a normal user account we can store 'additional code'
> the 'code' is (later) executed for 'all users' (visitors; so the admin is vulnerable too)
> CSRF to add a new admin user (so 'LPE').
Easy.
Steps to reproduce you'll find later (below). Checking the admin's account, we should be somewhere here:
Well... TBH, I don't know about you, but my backups are very often called x_< script alert... (and I hope you know the full filename at this step ;) so...)
I believe we "managed". ;)
Let's move forward ("to the source" ;)):
I was looking for some "analogy" in the code (so 'grep is always your friend' ;)), and that's how I landed here:
... and here...
... and here ... :)
So after 'a while' I landed (with my 'super grep' ;)) here (... as a "tester" user :)).
Reading:
For me, it looks like an incident. ;7
I decided to verify it ;] (as usual ;} )
Here we go:
What do you think about the iframe tag? :)
...and...
Our winner here is the Title field! (Congrats!11 ;] )
Continuing 'this scenario' (read as:
- a normal user can inject HTML/JS +
- ... and an iframe;
- 'as an admin' (*later) we can "for example"...):
Well... "Welcome!" ;)
So at the end of the day... you should be somewhere here:
:)
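The chain described above (a low-privileged user stores HTML in a title field, the admin's browser renders it, and the injected script fires a state-changing request that adds an admin) is stopped by two server-side fixes: escaping the stored value on output and requiring a per-session CSRF token on the add-user action. The following is an added example, not code from this post or from Nagios IM; the function names `render_title`, `issue_csrf_token`, `check_csrf` and `handle_add_user`, the `session`/`form`/`users` dicts and the sample titles are all assumptions constructed for illustration.

```python
import html
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed sample inputs modelled on the post's vector: a "title" field that
# a normal user controls and that is later rendered in the admin's browser.
SAMPLE_TITLES = [
    "x_<script>alert(document.domain)</script>",
    '<iframe src="https://attacker.invalid/">',
    "normal backup title",
]


def render_title(title: str) -> str:
    """Escape a user-controlled title for an HTML text or attribute context.

    html.escape with quote=True turns <, >, &, " and ' into entities, so the
    browser shows the payload as text instead of parsing it as a tag.
    """
    return html.escape(title, quote=True)


def is_rendered_safely(title: str) -> bool:
    """Cheap check: after escaping, no tag or attribute delimiter survives."""
    rendered = render_title(title)
    return not any(ch in rendered for ch in "<>\"'")


def issue_csrf_token(session: Dict[str, object]) -> str:
    """Create a fresh random token, bind it to the session and return it so the
    server can embed it as a hidden field in the add-user form."""
    token = secrets.token_hex(32)
    session["csrf_token"] = token
    return token


def check_csrf(session: Dict[str, object], submitted: Optional[str]) -> bool:
    """Constant-time comparison of the submitted token with the session copy.

    A cross-site request forged by injected script does not know the token,
    so it fails here even though the admin's cookies were sent along with it.
    """
    expected = session.get("csrf_token")
    if not isinstance(expected, str) or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


def handle_add_user(session: Dict[str, object], form: Dict[str, str],
                    users: Dict[str, str]) -> Tuple[int, str]:
    """Hypothetical add-user handler (assumed, not the application's own):
    reject the request unless the caller is an admin and the CSRF token
    matches; only then store the new account."""
    if not session.get("is_admin"):
        return 403, "admin privileges required"
    if not check_csrf(session, form.get("csrf_token")):
        return 403, "missing or invalid CSRF token"
    username = form.get("username", "")
    role = form.get("role", "user")
    if not username or role not in ("user", "admin"):
        return 400, "bad username or role"
    users[username] = role
    return 200, "created " + render_title(username) + " as " + role


if __name__ == "__main__":
    for t in SAMPLE_TITLES:
        print(render_title(t), is_rendered_safely(t))
    admin_session: Dict[str, object] = {"is_admin": True}
    users: Dict[str, str] = {}
    # Forged request from injected script: cookies ride along, the token does not.
    print(handle_add_user(admin_session, {"username": "evil", "role": "admin"}, users))
    # Legitimate request from the admin's own form carries the token.
    tok = issue_csrf_token(admin_session)
    print(handle_add_user(admin_session,
                          {"username": "ops", "role": "admin", "csrf_token": tok}, users))
```

The token check alone does not fix the XSS: script running in the admin's origin can read the hidden field and replay it, so output escaping of every user-controlled field (the title here, and the iframe contents) is the primary fix, and the CSRF token is the second layer for the add-user action.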
As this bug is pretty simple... :) the "PoC code" won't be published (aka "there's no point for it" ;)).
The commercial version of the scanner mentioned in the last post is still not publicly available. Sorry.
Got a question about more targeted attack/pentest scenarios? Try here.
See you next time! ;)
Cheers