On November 25, St. Petersburg hosted the ZeroNights conference, dedicated to computer security. One of the talks was called "root via XSS". Its author was Denis Baranov (leading expert at Positive Technologies).
In short:
- use an XSS vulnerability in Denwer to inject your script into the administrator's browser
- use that browser to access phpMyAdmin (the database accepts connections only locally)
- having gained access, upload a web shell, which will be executed with the rights of the local administrator (Denwer is started with such rights)
It is noteworthy that the XSS demonstrated has a lot in common with the Denwer vulnerability that I discovered back in 2006. But here's the trick: back in 2006, I wrote about this to the SecLab site (owned by Positive Technologies). But they did not publish a note there. The reply letters have not survived, unfortunately. But the approximate text was: “In Denwer, connections from the outside are prohibited by default; only local ones are allowed. We see no particular danger in this.” Oh, the times, oh, the morals! Either time really has changed the way people think about such a situation, or I just did not manage to serve this news with the right sauce.