tserof_nosnoj
2023-05-27 15:51:30 -05:00
presentation pres 2023-05-27 15:50:58 -05:00
.gitignore re-organize 2023-05-21 02:00:56 -05:00
build_docker.sh re-organize 2023-05-21 02:00:56 -05:00
docker-compose.yml re-organize 2023-05-21 02:00:56 -05:00
Dockerfile re-organize 2023-05-21 02:00:56 -05:00
findings.md Update 'findings.md' 2023-05-21 21:28:17 +00:00
i-had-fun-making-this cleanup 2023-05-20 23:44:27 -05:00
main.go blah it still doesn't work. wtf 2023-05-21 15:19:41 -05:00
payload.js remove greenhouse 2023-05-21 02:22:30 -05:00
payload.xml pres 2023-05-27 15:50:58 -05:00
payload2.js remove greenhouse 2023-05-21 02:22:30 -05:00
ReadMe.md Update 'ReadMe.md' 2023-05-21 21:26:33 +00:00

https://vore.website/j3s

What happen?

  1. vore reaper requests https://sequentialread.com/rss/

  2. sequentialread.com's custom reverse proxy detects the vore reaper by its source IP and returns a custom XML payload instead of the real feed

    Lines 48 to 64 in a7e806d

    ```go
    // excerpt of the reverse proxy's request handler: serve payload.xml on /rss,
    // but only to the vore reaper's addresses (plus a local test address)
    if strings.Trim(request.URL.Path, "/") == "rss" {
    	log.Printf("GET /rss from %s\n", ip)
    	if ip == "198.74.6.203" || ip == "69.61.2.229" || ip == "192.168.0.1" {
    		payloadDotXML, err := os.ReadFile("payload.xml")
    		if err != nil {
    			log.Printf("tserof_nosnoj 500 can't os.ReadFile(\"payload.xml\"): %s\n\n", err)
    			http.Error(responseWriter, "500 Internal Server Error", 500)
    			return
    		}
    		// etag derived from the payload so the reaper sees a "changed" feed
    		hash := md5.Sum(payloadDotXML)
    		responseWriter.Header().Add("Content-Type", "text/xml; charset=utf-8")
    		responseWriter.Header().Add("Content-Length", strconv.Itoa(len(payloadDotXML)))
    		responseWriter.Header().Add("etag", fmt.Sprintf("%x", hash[0:8]))
    		responseWriter.Write(payloadDotXML)
    		return
    	}
    }
    ```

  3. The XML has an HTML script tag embedded inside a feed field that vore renders on its page: https://git.cyberia.club/forest/tserof-nosnoj/src/branch/master/payload.xml#L14

  4. The XSS payload executes on vore.website in the j3s user's browser, greeting them: https://git.cyberia.club/forest/tserof-nosnoj/src/branch/master/payload.js

see findings.md
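The root cause in steps 3 and 4 is feed text reaching the page unescaped. The following is an added example, not code from this repo or from vore, showing the difference on a constructed feed: the same item titles rendered through Go's text/template (no escaping, so the tag lands in the DOM) and through html/template (context-aware escaping, so the tag is displayed as text). The feed, the template and the containsRawScript check are all assumptions made for this example.

```go
package main

import (
	"bytes"
	"encoding/xml"
	"fmt"
	htmltemplate "html/template"
	"strings"
	texttemplate "text/template"
)

// rssFeed is a minimal RSS 2.0 model, just enough to pull item titles
// out of a feed document (constructed for this example).
type rssFeed struct {
	XMLName xml.Name `xml:"rss"`
	Channel struct {
		Title string `xml:"title"`
		Items []struct {
			Title string `xml:"title"`
			Link  string `xml:"link"`
		} `xml:"item"`
	} `xml:"channel"`
}

// sampleFeed is a constructed feed whose first item title carries markup of
// the same shape the README describes: a script tag inside a text field the
// reader will display. As XML it is entity-encoded; the decoder unescapes it.
const sampleFeed = `<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0">
  <channel>
    <title>example feed (constructed)</title>
    <item>
      <title>hello &lt;script&gt;alert(1)&lt;/script&gt; world</title>
      <link>https://example.invalid/post/1</link>
    </item>
    <item>
      <title>plain title</title>
      <link>https://example.invalid/post/2</link>
    </item>
  </channel>
</rss>`

// parseTitles decodes the feed and returns the item titles as the XML
// decoder hands them back: entity-decoded, so the first title now holds a
// literal "<script>" tag.
func parseTitles(feedXML string) ([]string, error) {
	var f rssFeed
	if err := xml.Unmarshal([]byte(feedXML), &f); err != nil {
		return nil, err
	}
	titles := make([]string, 0, len(f.Channel.Items))
	for _, it := range f.Channel.Items {
		titles = append(titles, it.Title)
	}
	return titles, nil
}

// pageTmpl is a hypothetical reader page that lists the feed's titles.
const pageTmpl = `<ul>{{range .}}<li>{{.}}</li>{{end}}</ul>`

// renderUnsafe uses text/template, which performs no escaping: whatever the
// feed said ends up verbatim in the HTML. This is the failure mode.
func renderUnsafe(titles []string) (string, error) {
	var buf bytes.Buffer
	t := texttemplate.Must(texttemplate.New("page").Parse(pageTmpl))
	if err := t.Execute(&buf, titles); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// renderSafe uses html/template, which escapes feed text according to the
// HTML context it lands in, so the tag is shown as text, not executed.
func renderSafe(titles []string) (string, error) {
	var buf bytes.Buffer
	t := htmltemplate.Must(htmltemplate.New("page").Parse(pageTmpl))
	if err := t.Execute(&buf, titles); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// containsRawScript is a simple regression check: a raw "<script" in output
// built only from feed text means feed content reached the DOM unescaped.
func containsRawScript(html string) bool {
	return strings.Contains(strings.ToLower(html), "<script")
}

func main() {
	titles, err := parseTitles(sampleFeed)
	if err != nil {
		panic(err)
	}
	raw, _ := renderUnsafe(titles)
	safe, _ := renderSafe(titles)
	fmt.Printf("text/template  raw script present: %v\n%s\n\n", containsRawScript(raw), raw)
	fmt.Printf("html/template  raw script present: %v\n%s\n", containsRawScript(safe), safe)
}
```

The check in containsRawScript is deliberately crude; its point is that a reader's test suite can feed it a hostile-looking title and fail the build if the rendered page ever contains the tag unescaped, whichever templating layer is in use.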