
Posts

Showing posts from January, 2018

Stored XSS in Wonder CMS - CVE-2017-14522

By Samrat Das

Hi Readers

Recently, during one of my pentest research sessions, I found a CMS, "WonderCMS", hosted on GitHub. Curious to explore its functionalities, I downloaded it and set it up on my local system.
After fiddling with the source code, I found that it did not have any kind of security mechanism to filter user input; it accepted and stored it blindly, without any sort of input validation.
Title of the Vulnerability: Stored XSS
Common Vulnerability Scoring System: 7.0
Vulnerability Class: Injection
Technical Details & Description: The application source code is coded in a way which allows user input values to be stored and processed by the application.
CVE ID allocated: CVE-2017-14522
Product & Service Introduction: Wonder CMS 2.3.1
WonderCMS is an open source CMS (Content Management System) built with PHP, jQuery, HTML and CSS (Bootstrap responsive).
WonderCMS doesn't require any configuration and can be simply unzipped and uploaded to your server/hosting provider. All da…

Host Header Injection In Wonder CMS - CVE-2017-14523

By Samrat Das

Hi Readers
Recently, during one of my pentest research sessions, I found a CMS, "WonderCMS", hosted on GitHub. Curious to explore its functionalities, I downloaded it and set it up on my local system.
After fiddling with the source code, I found that it did not have any kind of security mechanism to validate host redirections based on the HTTP Host header. Using this, it became possible to perform a host header injection attack.
Title of the Vulnerability: Host Header Injection
Common Vulnerability Scoring System: 7.0
Vulnerability Class: Injection
Technical Details & Description: The application source code is coded in a way which allows an arbitrary Host header to be supplied, leading to redirection / user URL manipulation.
CVE ID allocated: CVE-2017-14523
Product & Service Introduction: Wonder CMS 2.3.1
WonderCMS is an open source CMS (Content Management System) built with PHP, jQuery, HTML and CSS (Bootstrap responsive).
WonderCMS doesn't require any configuration and can be simply un…

Arbitrary file upload and RCE in Wonder CMS - CVE-2017-14521

By Samrat Das

Hi Readers

Recently, during one of my pentest research sessions, I found a CMS, "WonderCMS", hosted on GitHub.
Curious to explore its functionalities, I downloaded it and set it up on my local system.

After fiddling with the source code, I found that it did not have any kind of file upload security mechanism and allowed the user to upload any file type! After reporting it to them, I did not receive any security-relevant response, hence I decided to publish a blog post on this.

Title of the Vulnerability: Arbitrary File Upload
Vulnerability Class: Security Misconfiguration
Technical Details & Description: The application source code is coded in a way which allows files with arbitrary extensions to be uploaded. This permits the upload of remote shells / malicious Trojans, which can lead to complete system compromise and server takeover.
CVE ID allocated: CVE-2017-14521
Product & Service Introduction: Wonder CMS 2.3.1
WonderCMS is an open source CMS (Content Management System) built with P…

Web Services/ API Penetration Testing Part - 1

Hi Readers, today we will learn about another interesting part of penetration testing: security assessments of web services.
To start with, let's take a look at what web services are made of:
A web service is software built on a standardized XML messaging system.
The benefit of web services is that, since all of their communication is in XML, they are not tied to any particular operating system or programming language.
Web services are built on top of open standards such as TCP/IP, HTTP, Java, HTML, and XML.
Anatomy of Web Services
In simple language, any basic web services platform is a combination of XML and HTTP. They can be one of:
• SOAP (Simple Object Access Protocol)
• UDDI (Universal Description, Discovery and Integration)
• WSDL (Web Services Description Language)

How does a Web Service Work?
Web services depend on:
• XML to tag the data (as markup and syntax)
• SOAP to transfer a message
• WSDL to describe the availabilit…

Exploiting Browsers using PasteJacking and XSSJacking Vulnerability

Hi Readers, in the field of penetration testing we all know attacks such as Clickjacking, Cross-Site Scripting, etc. These attacks feature in most OWASP Top 10 test cases.

Today we will look into some advanced attack vectors which have been around for some time, but which not everyone is aware of.

Pastejacking. The art of changing what you copy from web pages.

What is pastejacking?

• Pastejacking is a method that malicious websites employ to take control of your computer's clipboard and change its content to something harmful without your knowledge.

• This feature can allow malicious websites to take over your computer's clipboard.

• When you copy something to your clipboard, the website can run one or more commands using your browser.

• The method can be used to change the clipboard contents.

• What if you paste the content directly into a terminal? Result: lethal commands executed.

To avoid pastejacking:

• Windows users need to check what is placed into their computer's clipboard.

• Past…

Dark Web: Accessing the hidden content Part- 2

I2P Intro:

According to Wikipedia, the Invisible Internet Project (I2P) is an anonymous network layer that allows for peer-to-peer communication by encrypting the user's traffic and sending it through a volunteer-run network of roughly 55,000 computers distributed around the world.

The software that implements this layer is called an "I2P router", and a computer running I2P is called an "I2P node". I2P is free and open source.

I2P can be run both on a PC and on Android; here is a screenshot of I2P running on an Android device.


Image source: https://en.wikipedia.org/wiki/File:I2PAndroid-console-0.9.20.png

While Tor lets you stay anonymous and open sites hosted either publicly or as dark sites (with .onion), I2P's focus, on the other hand, is on creating its own internal internet: the network isn't accessible from a regular computer.

By installing the requisite I2P software, your computer can join I2P and begin routing traffic, just like a Tor middle relay as it creates distributed, dyna…

Dark Web: Accessing the hidden content Part- 1

Curiosity towards hidden and unknown things is natural to people.

For most people, the Internet consists of the websites indexed by popular search engines like Google; the Deep/Dark web, however, lies beyond the traditional search engines and is hidden and inaccessible through standard web browsers.

It is an interesting fact that only about 4% of the internet is visible to ordinary users. That means 96% of the internet is made up of "The Deep Web"!

The Deep Web hosts the “Dark Web,” a series of networks called “darknets” that overlay the public Internet but require specific software or authorization to access. As users can operate Darknets anonymously, it’s not hard to guess that these are the abode of various criminal activities. In fact, Darknet hosts a worldwide marketplace of illicit goods and services.

Top darkweb searches include child pornography followed by drug dealing, software hacking, currency counterfeit, stolen information from sensitive sources, weapon ma…

Thick Client Penetration Testing Tutorials - Part 5

For carrying out penetration testing assessments, our main aim so far has been to resolve the actual domain to the loopback IP address by adding an entry to the hosts file.
Let us now consider a situation where the thick client application does not send the request to a domain or host name. What happens then?
We are stuck, since it becomes impossible to make a hosts file entry.
Consider a thick client URL like http://172.32.23.23:891/login. It cannot be mapped in the hosts file, since there is no domain name to point at the loopback address.
So let's do a workaround by configuring Burp together with a Microsoft Loopback Adapter.
Prerequisites:
• Two machines residing in the same network, both running the Burp Suite tool.
• One machine (the testing machine) should have a Microsoft Loopback Adapter configured.
• The second machine acts as a gateway that forwards the requests to the internet.
The loopback adapter helps deceive the local machine. In the absence of a real domain, all the application requests fired at the actual server are red…