Grumpy Admin here – been in work 20 minutes, half a cup of coffee down, and I nearly threw it over someone when I saw what they were trying to do… It's bad form, and perhaps a bit rude, but with only a few mouthfuls of coffee in me I had to interrupt and educate this guy!
He wanted to get a list of all the groups in the domain for some reason; he didn't fully explain his task, though. I often have to ask why people want to do something or other, as there might be a better way of doing it.
But as I could see what he was doing, and I knew a much faster way, being kind I decided to educate him and share it with him and now with you. To be honest, if you are reading my blog you will already know this, so you should know this is a moan rather than a teaching post! Perhaps use it as a case study to prove why people in the office need to learn PowerShell. After all, I am a Grumpy Admin and I had to vent this!
The guy was typing stuff into a black screen, which is always a good indication that something isn't right! He had a TechNet page with the syntax of DSQUERY up on his screen. I'm not saying DSQuery is a bad tool or command, just that it is not the best tool for what he wanted to do at this time.
So we have to give the guy some credit there – but then I saw him cut and paste strings like "CN=Remote Desktop Users,CN=Builtin,DC=Grid,DC=local" into Excel, try to use Excel to split each string so that the bare group name was left, and then check each one in AD Users and Computers to establish the type of group it was (security or distribution) and get its scope. I nearly cried… This mix of methods just makes me sad. Are people actually doing this? Am I seeing what I am seeing?
Unable to bear the pain, I had to show him how to achieve his aim in PowerShell. This is something you learn on day one of PowerShell school, but I think people are scared to try things they are not comfortable with. Maybe this will show him that PowerShell shouldn't be ignored any longer.
So I introduced this young chap to the Get-ADGroup cmdlet:
Get-ADGroup -Filter * | Select-Object -Property Name, GroupCategory, GroupScope
Then, just to bring him on a bit more, I tacked an Export-Csv on the end; he opened the CSV file, checked the delimiter was correct and he was done! So much simpler… I think I have a new convert to PowerShell…
My good deed done, and another example of why PowerShell is a very handy tool in any admin's box these days. My advice: if you need to do something, search for how to do it in PowerShell first rather than just relying on the old tools you know. That way you learn something, and it might save you some effort or make your solution better. After all, IT admins are lazy!
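As an added example (my own code, not something from the original post), here is the whole sequence he ended up with, plus the shortcut for the distinguished names he was splitting in Excel. It assumes the ActiveDirectory RSAT module is installed, that you are running as a domain account with read access to AD, and an output path of .\DomainGroups.csv; those are my assumptions, and the DC=Grid,DC=local naming is taken from the post.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory
# RSAT module and a domain user with read access; DC=Grid,DC=local is the
# naming used in the post, DomainGroups.csv is an assumed output path.
Import-Module ActiveDirectory

# One object per group, with just the properties the task needs.
$groups = Get-ADGroup -Filter * |
    Select-Object -Property Name, GroupCategory, GroupScope, DistinguishedName

# -NoTypeInformation drops the "#TYPE ..." header line that confuses Excel
# (PowerShell 7 omits it by default); -UseCulture writes the list separator
# Excel expects for the current locale (a semicolon in many European locales),
# which is the "make sure the delimiter is correct" step done up front.
$groups | Export-Csv -Path .\DomainGroups.csv -NoTypeInformation -UseCulture

# The same query narrowed to security groups under one container. The filter
# is evaluated by the domain controller, so this is cheap even in a big domain.
Get-ADGroup -Filter 'GroupCategory -eq "Security"' -SearchBase 'CN=Builtin,DC=Grid,DC=local' |
    Select-Object -Property Name, GroupScope

# If you already hold a list of distinguished names (say, pasted out of a
# dsquery run), there is no need to split them in Excel: Get-ADGroup accepts
# a DN as its identity, so pipe the strings straight in.
'CN=Remote Desktop Users,CN=Builtin,DC=Grid,DC=local' |
    Get-ADGroup |
    Select-Object -Property Name, GroupCategory, GroupScope
```

One caveat worth knowing before handing the CSV to someone: GroupCategory and GroupScope tell you what a group is, not who is in it. If the real question is "who can RDP to what", the next step is Get-ADGroupMember -Recursive on the groups of interest, not a wider export of group names.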
Right better get back to work…