Posts

Hash Length Extension: The padding that killed your secret key

Image
Its been a while folks! but I'm back with another really interesting post, this time about how to abuse hashing algorithms or rather a certain style of hashing algorithms.

I'm going to try to teach you the analysis that gave birth to this very clever attack and to do that I need to talk a little about hashing algorithms and how they are constructed, I mean its not just coincidence that collisions in hashing functions are extremely rare.


Blogger.com and the mixed scripting vulnerability

Image
Blogger.com suffers from a mixed scripting/content vulnerability, this domain references multiple scripts and other content types from a non-https enabled channel.

Here's the report:

# Exploit Title: Multiple Mixed Scripting/Content Vulnerabilities in Blogger.com
# Google Dork:site:blogger.com
# Date: 09/1/12
# Exploit Author: k3170makan
# Vendor Homepage: https://www.blogger. com
# Software Link: https://www.blogger.com
# Version: current
# Tested on: Ubuntu 10.04 # site: ...

Practical Blind-Error Based SQL Injection

Image
Its me again! So in the previous post I talked about Blind-Error Based injection and basically showed the select query you can use to conditionally force errors while still leaking content from the database. This all happened from within a MySQL prompt, not much use to those who want to see the attack in action. Here I'm going to do just that, show you a practical example of the attack against an actual web application.

I'll be using the mod_security challenge set up by spiderlabs a about year ago. It may still ring all the mod_sec alarms but the purpose is not to threaten mod_sec---not yet---instead to show what the attack would look like in full swing.

Using Server Errors to Leak Password Hashes: Blind Error Based SQL Injection

Image
I don't know if this attack has been documented, or if its been documented this way before but I think its either going to be a good reminder to some penetration testers or at most another new way to leak information from a stubborn SQLi vulnerable server.

Some Database servers---in this example MySQL database servers---will not respond to run of the mill blind, error based or time based injection attacks. I'm talking about those that won't return any indication of your query evaluating either true or false, but will notify you of an erroneous query through either something being dumped on screen like 'system error' even returning a 500 HTTP status.

In this post I'll document a technique I just thought up for using the server errors to indicate either the true or false evaluation of an injected query.


Word Press Photo Plus Photo Search XSS/CSRF Vulnerability

The WordPress Photo Plus plugin suffers from a XSS/CSRF  Vulnerability.


# Exploit Title: Word Press Photo Plus, Photo Search XSS/CSRF Vulnerability
# Google Dork: inurl:plugins +inurl:wp-photo-album-plus +intext:"Photo Search"
# Date: 29/12/12
# Exploit Author: k3170makan
# Vendor Homepage: http://wordpress.org/extend/plugins/wp-photo-album-plus/
# Software Link: http://wordpress.org/extend/plugins/wp-photo-album-plus/
# Version: 4.8.11
# Tested on: Ubuntu 10.04

The new Wordpress Vuln and How to find its victims

Image
So an interesting little misconfiguration has reared its ugly head in some WordPress sites.The vulnerability effects all WordPress sites that make use of a plugin called "W3 Total Cache"---you can get it here---. 

In this post I'm going to discuss exactly what the vulnerability is and why its bad news and then I'll quickly discuss how to find some loot and show you some of the awesome loot you can dig out with something like this. Enjoy!


Information Gathering Techniques: Dig and DNS Servers

Image
"information is the negotiators greatest weapon" ...especially those who negotiate with network security ;) I used to think a security blog is all about writing about brand new attacks and dropping info on the coolest 0days. But if that's what security blogging was all about then we would not leave much opportunity for beginners to start out and experts to recap. So posts like this will always be necessary!  

This brings me to a new theme of post I'll be writing. I'll be talking about penetration testing and general assessment skills stuff that wanna be security professionals will consider valuable information, but don't fret those of you who are seasoned security researchers and penetration testers I'll make sure my perspective is quite orignal and encompasses things most security blogs don't cover too extensively.

So I hope you guys enjoy these posts!

This post in particular will be introducing the mindset(s) you should have when engaging on inform…

Google Web Cache and MITM attacks

Image
What on earth do these two things have to do with each other? Well before I can discuss that, I need to dig out another forgotten vulnerability, mixed scripting!

Mixed scripting happens when an application served via https references resources including CSS,XML,JS from domains that are not served via https so a typical example would look like this:


So why is this a problem? well because it means in a Man in the middle attack you can influence the behaviour of a trusted domain without mirroring the entire domain! You can have your victim---during a mitm attack---use the services on their trusted domain with out having to use sslstrip or other anit-ssl tech you don't need to touch anything on the ssl layer because the application inherently serves unauthenticated content to the user! All you really need to accomplish is mapping the unauthenticated domain to a machine under your control.

So then how does this tie into the Google Web Cache? It turns out google webcache also suffers fr…

Beating Trivial Server Side Filters With WebKit

Image
I've just started reading an awesome book and I thought I'd share some of my findings with you. I'll share the title of the book at the end of the post, and I must say its a must read for anyone trying to master XSS attacks.

That being said lets get down to business
Browser LanguagesLost in translation Quick question what languages does your browser parse or "recognize" for you language theorists and computer scientists out there? Did you answer HTML,HMTL+,HTML2.0,XHTML,JavaScript,VBScript,etc? Well then, you are supposed to be right, but in strict terms this is not entirely true! If the set of languages B---which is commonly understood as the browser language---is the set of languages containing HMTL,XHTML,JavaScript,etc. only then this not the language your browser recognizes. Your browser actually recognizes a lot more, in the case of WebKit browsers---especially Chrome, which is what I based my research on here---HTML*---including all HTML versions---is actua…

WebKit XSSAuditor : The XSS catalyst

Image
---Google:"Chrome 18 anti XSS bypass" and feel lucky ;)A while ago I released a bypass for the webkit XSSAuditor in Chrome, I thought I'd honor it with a blog post and discuss another danger the XSSAuditor presents to web application security. This 'danger' of XSS filters has been published in a very popular paper---http://www.collinjackson.com/research/xssauditor.pdf--- about some XSS filters. What I'm doing here is demonstrating whats described. XSSAuditor is part of WebKit's HTML parser and exists to try and mitigate reflected XSS attacks. Unfortunately because of how the auditor operates it can often have quite the opposite effect! In this post I'll explain the situations where XSSAuditor can actually have the adverse effect on a web application's protection against XSS attacks.

NoNoScript : ByPassing NoScript's XSS filters via Error Basd SQLi

Image
NoScript is a firefox add-on or `extension' in charge of stopping reflected XSS attacks. It operates by inspecting and auditing responses---much like other XSS filters---AND requests made by browsers.

Largely NoScript provides a great service, and manages to stop most attacks provided that the injection data is recognizable in the requests---meaning both POST and GET requests. Though because of how it works, when injection data
is not recognizable in requests, NoScript---and for that matter no other XSS filters---will be able to detect the attacks. This largely happens when data is injected in encrypted/hashed/encoded* format.

granted some encodings are accounted for in NoScript and other XSS filters, don't expect to get around the best XSS filters known to man by simply %-encoding your injection data!

One example of a XSS attack where payloads are injected in a way that is not
recognizable to NoScript is in SQL injections. Namely Error Based SQL injection. The following demo…

Reverse Engineering : it's not all its cracked up to be

A lot of people are still bewildered by Reverse Engineering. A lot of people are still wondering what it is and how on earth they can learn to do it. This post---hopefully---will break the mysticism around Reverse Engineering.
 before I can get into it I need to answer this question:
What is Reverse Engineering?Reverse engineering is the process of discovering the technological principles of a device, object, or system through analysis of its structure, function, and operation.[1] It often involves taking something (e.g., a mechanical device, electronic component, software program, or biological, chemical, or organic matter) apart and analyzing its workings in detail to be used in maintenance, or to try to make a new device or program that does the same thing without using or simply duplicating (without understanding) the original. ---- Wikipedia   What I'm going to talk about in this post is Reverse Engineering software.

Social Engineering : Exploiting the Human

Image
Oh no its another blog post about social engineering run away! lols No! This post about the way I personally approach social engineering and the mindset one should have to be able to create new and unexpected methods of extracting information from a target.

Your goal is to get information from a target, the problem you have is that this target is not just going to hand you this information---though in some rare cases it will be this easy---. How do you get the target from a state where it doesn't want to give you this information to a state where it'll willingly hand over the information to you? I think about it in terms of 5 steps:

GooDork v2.2.1 : Custom User-Agents and More Results

Image
The new version of the GooDork is out. I've decided to give you guys a crash course in using the new features.









GooDork : Super Charging your Google Hacking

Image
I recently started work on a very exciting project called GooDork in its most basic function this python script allows you to run google dorks straight from your command line.

Though its real power lies what it allows you to do with the results from a google dork.

Bit shifting blind injection : Simplified!

Image
I've recently been investigating Blind SQL injection, and have become quite fond of the practice. I stumbled upon a new technique documented by http://h.ackack.net (see here http://h.ackack.net/faster-blind-mysql-injection-using-bit-shifting.html) that used Bit shifting to guess the bits that make up the chars of the information you are trying to extract from the database.

I then came up with a modification to the method to try and make it simpler and hopefully allow the development of an even faster method (which im still working on) . My method uses the XOR bitwise operation to simplify the output and operation of the attack.

Thought relatively simple methods, they still require a comfortable understanding of the binary number system and can be frustrating to use. The method I'm about to show you can be performed with minimal understanding of the binary number system. This is because you don't need to convert in and out of binary while performing the attack.

Creativity : The only real Hacking tool

this a post from my old blog, i wanted to add it to this one because I really enjoyed writting it :)


People use hacking tools because they believe it helps them hack, but in actual fact a lot of the times all they are doing
Is helping you, convince yourself that YOU are performing a hack.

How to shoot in the dark: Improved Blind SQLi

Image
I really like this method, i feel that it should replace the method you are currently used for blind injection if you aren't using this one!


Blind SQL injection is all about knowing how to ask the right questions. The problem is you have to ask alot of questions before finding out something useful! And we also know most of the time we are trying to find out things like passwords/password hashes, usernames or emails and these things are just simply saved as a bunch of characters in a table somewhere.

The conventional Blind injection will have you probing every character of a given, guessing every possible character in the ascii table until you manage to get the right one. Worst case this will take 127 requests per character!

But there is a a faster way, which uses the way characters are represented to guess them faster.

Injecting Insert statements: MySQL error based injection

Image
One night while banging injection payloads into a random page I suddenly found myself in an insert statement! This is when I got the idea to use insert statements for MySQL error based injection vectors.
Some people might be wondering why on earth would one would want to inject an insert? Would that even work?
The answer is YES! you can use INSERT statements to leak data via Error based injection much like people already do using SELECT statements

Ordering Remote File inclusion via e-mail

I just briefly discussed Local File Inclusion in this article and more importantly to that you can use to turn an LFI into an Remote File Inclusion (or Remote Code injection)

This method, abuses the way e-mail is stored on Linux servers, (when a certain kind of Mail Delivery Agent is in use) and helps to propagate a RFI attack on a server with a LFI vulnerability, or create an RFI attack vector when one doesn't exist