Showing posts from December, 2012

Practical Blind-Error Based SQL Injection

Its me again! So in the previous post I talked about Blind-Error Based injection and basically showed the select query you can use to conditionally force errors while still leaking content from the database. This all happened from within a MySQL prompt, not much use to those who want to see the attack in action. Here I'm going to do just that, show you a practical example of the attack against an actual web application.

I'll be using the mod_security challenge set up by spiderlabs a about year ago. It may still ring all the mod_sec alarms but the purpose is not to threaten mod_sec---not yet---instead to show what the attack would look like in full swing.

Using Server Errors to Leak Password Hashes: Blind Error Based SQL Injection

I don't know if this attack has been documented, or if its been documented this way before but I think its either going to be a good reminder to some penetration testers or at most another new way to leak information from a stubborn SQLi vulnerable server.

Some Database servers---in this example MySQL database servers---will not respond to run of the mill blind, error based or time based injection attacks. I'm talking about those that won't return any indication of your query evaluating either true or false, but will notify you of an erroneous query through either something being dumped on screen like 'system error' even returning a 500 HTTP status.

In this post I'll document a technique I just thought up for using the server errors to indicate either the true or false evaluation of an injected query.

Word Press Photo Plus Photo Search XSS/CSRF Vulnerability

The WordPress Photo Plus plugin suffers from a XSS/CSRF  Vulnerability.

# Exploit Title: Word Press Photo Plus, Photo Search XSS/CSRF Vulnerability
# Google Dork: inurl:plugins +inurl:wp-photo-album-plus +intext:"Photo Search"
# Date: 29/12/12
# Exploit Author: k3170makan
# Vendor Homepage:
# Software Link:
# Version: 4.8.11
# Tested on: Ubuntu 10.04

The new Wordpress Vuln and How to find its victims

So an interesting little misconfiguration has reared its ugly head in some WordPress sites.The vulnerability effects all WordPress sites that make use of a plugin called "W3 Total Cache"---you can get it here---. 

In this post I'm going to discuss exactly what the vulnerability is and why its bad news and then I'll quickly discuss how to find some loot and show you some of the awesome loot you can dig out with something like this. Enjoy!

Information Gathering Techniques: Dig and DNS Servers

"information is the negotiators greatest weapon" ...especially those who negotiate with network security ;) I used to think a security blog is all about writing about brand new attacks and dropping info on the coolest 0days. But if that's what security blogging was all about then we would not leave much opportunity for beginners to start out and experts to recap. So posts like this will always be necessary!  

This brings me to a new theme of post I'll be writing. I'll be talking about penetration testing and general assessment skills stuff that wanna be security professionals will consider valuable information, but don't fret those of you who are seasoned security researchers and penetration testers I'll make sure my perspective is quite orignal and encompasses things most security blogs don't cover too extensively.

So I hope you guys enjoy these posts!

This post in particular will be introducing the mindset(s) you should have when engaging on inform…

Google Web Cache and MITM attacks

What on earth do these two things have to do with each other? Well before I can discuss that, I need to dig out another forgotten vulnerability, mixed scripting!

Mixed scripting happens when an application served via https references resources including CSS,XML,JS from domains that are not served via https so a typical example would look like this:

So why is this a problem? well because it means in a Man in the middle attack you can influence the behaviour of a trusted domain without mirroring the entire domain! You can have your victim---during a mitm attack---use the services on their trusted domain with out having to use sslstrip or other anit-ssl tech you don't need to touch anything on the ssl layer because the application inherently serves unauthenticated content to the user! All you really need to accomplish is mapping the unauthenticated domain to a machine under your control.

So then how does this tie into the Google Web Cache? It turns out google webcache also suffers fr…


Show more