
Posts

Command Injection Without Spaces

I came across a nice little command injection vulnerability while doing a bug bounty recently. The only catch was that I couldn't use any spaces in the commands. Let me go into the details...

Note: I can't post any details about the application as it was a private bounty program.

It all began with a page providing an input box for doing an 'nslookup' of a domain or IP entered by the user.
A page like this always excites a bug bounty hunter, because the application has to pass the user's input to an underlying system command to perform the nslookup and present that command's output in the browser. If the developer has made any mistake in validating and sanitizing the input, they inadvertently open the door to attackers misusing this feature to execute arbitrary commands on the server.

So, when I saw the input box, I started to explore and try to force the application into executing arbitrary commands.
I began with the simple input google.com

My next automatic try was to input google.com &am…

Recent posts

Curious case of Yammer XSS

Microsoft recently (finally!!) started their bug bounty program for some of their online services, and Yammer is in its scope. Noticing this, I jumped in to find bugs in Yammer because it looked to be the easier target. This post is about a strange stored XSS I found in Yammer apps which would have allowed non-admin users to steal cookies from admin users and also do other nasty stuff.

To begin with, Yammer is a private social network that helps employees collaborate across departments, locations and business apps.

Once logged in to Yammer, any user can create and publish apps to the organization's Apps directory. This process does not require any authorization or approval. Apps are published to the app directory some time after they are created.

Apps can be created from https://www.yammer.com/client_applications.
When registering the app, Yammer takes in Redirect URI value which is "the URL to redirect the user's browser to after the user has linked the application to…

Facebook, Only Me... really??

In my quest for finding bugs on the internet in my free time, I stumbled upon some information disclosure / privacy settings violation issues on Facebook and reported them promptly (after 2 months of discovery :P). Facebook took them seriously and responded promptly (again 1~2 months after the report) and fixed one of them. This entry describes how anyone could find out the information you have entered in your profile but kept hidden (Privacy settings == Only Me) just by becoming your friend.

This is going to be the lamest / non-technical bug you are ever going to see. So brace yourself.

First, the victim has to set the information he doesn't want to disclose with the privacy setting "Only Me".

Second, the attacker adds the victim as a friend. Remember, for this "attack" to work, the victim has to be the only friend in the attacker's friends list. Either the attacker creates a new profile and adds the victim as a friend or unfriends all the friends but the …

Installing VMWare Player / Workstation on Kali Linux

This guide is for installing VMware Player or Workstation on Kali Linux. Although this is a simple task, I faced an issue with the kernel headers when launching VMware Player, hence this blog post.

I did these steps with VMware Player, but the same steps can be followed for Workstation.

1. First of all, download the VMware Player from https://my.vmware.com/web/vmware/free#desktop_end_user_computing/vmware_player/5_0

2. Make the downloaded file executable by navigating to the directory where you downloaded the bundle and executing:
chmod +x VMware-Player-5.0.1-894247.x86_64.bundle

3. Open a terminal and install the packages needed by VMware Player:
apt-get install build-essential linux-headers-`uname -r`
This will install the kernel headers for your currently running kernel version.

4. After the packages are installed, start the VMware Player installer:
./VMware-Player-5.0.1-894247.x86_64.bundle
This is pretty much it.

5. Launch VMware Player by navigating to it from the main menu.

At this stage, I got an error say…

Passively Monitoring Network Traffic On Wireless Networks

Many times during penetration tests, we have to monitor the data flowing inside a network. Achieving this on an Ethernet network is simple, as we can just connect a network cable and become part of the target network. But that makes us accountable, and someone on the network can find out that someone is monitoring the traffic. On wireless networks, we have the advantage of monitoring the network traffic passively. The packets are flowing freely over the air and we just need to be able to see them.

To be able to monitor network traffic, we must put our wireless adapter into monitor mode:
airmon-ng start wlan0
This will start monitor mode on a virtual interface such as "mon0".

To start dumping data from the target network, we need to know the following things:
- BSSID: the MAC address of the Access Point
- The channel on which the Access Point is working

To find out these things, we can run airodump on all the channels. This will list all available wireless networks with various pieces of information for each…

Collection of CTF writeups

Last month, I took part in a CTF competition of nullcon. It was great, it was fun, and it was my first CTF. I had practiced a little and was thinking "let's do this and win!!" But when I started playing, it became very clear that the practice you do in-house is far different from what is needed in the CTFs. I had no experience of playing a CTF whatsoever and that hurt. After the CTF ended, I started reading writeups of previous CTFs organised around the world at many conferences. It is a really enlightening read to see how creative you have to be at times to figure out how to solve a level. That is why I have collected writeups from various CTF-winning teams. Who knows what trick might give you a WINning moment in the next CTF. I present here a few writeups from my collection. Do let me know through the comments if I have missed a good one. Hope you enjoy and learn from them!

Nullcon 2012 HackIM challenge
Plaid Parliament of Pwning << Writeups by team 'ppp' from various…

Metasploit's "other" utilities unleashed - I

Metasploit is a huge tool. When I started learning and playing with it, all I knew was use, set, exploit and run.
That was awesome and I was happy with that. But then I came to know that many Metasploit users don't even use the framework to 50% of its capabilities. So I started exploring the Metasploit directory and lo, so many utilities were sitting there begging me to use them! In this multi-part series, I will introduce all these little gems packed in the Metasploit directory, ready to make your life a lot easier.

msfpayload
This is a command-line utility in Metasploit used for generating shellcode or a standalone payload which can be delivered to the victim for execution. Its real benefits are realized when developing new exploit modules and testing different types of shellcode with it.
The syntax for msfpayload is very simple.

Syntax:

Usage: ./msfpayload [<options>] <payload> [var=val] <[S]ummary|C|[P]erl|Rub[y]|[R]aw|[J]s|e[X]e|[D]ll|[V]BA|[W]ar…