Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Code Injection in Moodle - 62

RIPSTech    Reference → Posted 6 Years Ago
  • The people at RIPSTech do incredible research into the web application security space, particularly with open source PHP applications.
  • Moodle is a widely-used open-source e-Learning software allowing teachers and students to digitally manage activities.
  • There is a section of code that uses the 'eval' function (evaluates PHP code directly). However, the developers had the forethought that this might be an issue, so a filter was created using the regex '-+/*%>:^\~ '.
  • The filter recursively replaces all placeholders with the value 1, then gives each 1 a random value.
  • After bypassing this restriction by nesting curly braces, several comments were used to break out of the rest of the PHP code.
  • Filters are really hard to do correctly! Even after the first bug was acknowledged, a bypass was found for each of the next three patches!

Siaberry's Command Injection Vulnerability - 61

SpaceDuck    Reference → Posted 6 Years Ago
  • The most obvious command injection ever seen.
  • The username and password from the login page are passed directly as command-line arguments to a binary. Yep, it's that simple.
  • The creator of the Siaberry software was not very responsive to the issue... Sometimes, people just refuse to make a legitimate fix for a vulnerability.

phpMyAdmin 4.7.x CSRF Vulnerability Exploit - 60

Ambulong    Reference → Posted 6 Years Ago
  • phpMyAdmin is a well-known MySQL/MariaDB online management tool.
  • The CSRF vulnerability allows arbitrary SQL to be executed.
  • This can be used to reset the admin password of the website and to create an arbitrary file write on the operating system.
  • Overall, CSRF is much more dangerous than people realize...

Same Origin Policy Bypass using a Chrome Extension - 59

TheHackerBlog    Reference → Posted 6 Years Ago
  • The same-origin policy is what prevents Facebook.com from making a request for your credit card details from Amazon. So, a bypass for this is very significant!
  • The background process that runs in Google Chrome for every extension has a very privileged API. So privileged, in fact, that it can be leveraged to make a web request to a domain with the system's cookies and return the content!
  • In the end, be very careful with what extensions you install.

Major Vulnerabilities in Foscam Cameras - 58

Vdoo    Reference → Posted 6 Years Ago
  • To start with, an API can be abused to delete arbitrary files. This is done by a classic directory traversal (../).
  • A stack-based buffer overflow caused by concatenating two strings :) Interesting, never heard of this one before!
  • OS command injection in the administrative features via a server configuration.
  • Overall, a great article that goes into VERY deep technical details about the vulnerabilities!

QRadar Vulnerabilities from SSD - 57

SSD-Disclosure    Reference → Posted 6 Years Ago
  • IBM QRadar is an enterprise security information and event management (SIEM) product (just for perspective).
  • Quoted from the article: "This exploit chain abuses both components of the forensics application to bypass authentication and write a file to disk, and then it abuses a cron job to escalate privileges to root. QRadar has an Apache reverse proxy sitting in front of all its web applications, which routes requests according to the URL." So cool when 3 or 4 vulnerabilities turn into RCE!
  • To bypass authorization, the parameter forensicsManagedHostIps could be used. This was traditionally used for internal services, but it also worked from the outside. Once this parameter was used on the authentication request, the cookies in the request were added as valid tokens.
  • The command injection was very normal; just injecting a parameter into an OS-level command.
  • Finally, a cron job (a scheduled Unix task) is abused to get from a low-privilege shell to root.

Backdoors in D-Link's Backyard - 56

Securelist    Reference → Posted 6 Years Ago
  • The latest firmware of the router had hardcoded default credentials. These were found by taking the firmware apart with a disassembler.
  • Besides the hardcoded creds, there was an OS command injection caused by bad processing of a parameter. Additionally, throw in a reflected XSS and default telnet creds.
  • Not a great analysis of the bugs, but still something to go off of.
  • It seems that all NASes and routers have default creds or OS command injection. Pattern matching for common vulns is a very important part of research!

Universal CSP strict-dynamic bypass in Firefox - 55

Masato Kinugawa    Reference → Posted 6 Years Ago
  • Content Security Policy (CSP) is a protection that mitigates HTML injection and XSS flaws in a website. A bypass for the CSP would bypass all of these restrictions.
  • This seems to be a parser issue that allows some file to be loaded, given a prior XSS bug.
  • This feels like black magic... Dive into the parsing details if you are looking for a good time!

BackSwap malware finds innovative ways to empty bank accounts - 54

WeLiveSecurity    Reference → Posted 6 Years Ago
  • This banking malware injects malicious JavaScript into the web page without the user noticing. It works by manipulating the Windows GUI elements and simulating user input.
  • Overall, a fairly good analysis of the malware strain being used! I just thought that this was quite innovative.

Compromising Thousands of Websites Through a CDN - 53

Max Justicz    Reference → Posted 6 Years Ago
  • A content delivery network (CDN) serves large amounts of data from many different geographical locations. So, compromising a CDN is a huge deal!
  • When an NPM package URL is requested, the CDN checks whether the package has already been downloaded. If not, it downloads the package directly from NPM.
  • However, there are a few issues with the implementation. To start with, the library used to extract the package archives preserves symbolic links. This gives you an arbitrary read across the CDN.
  • To get an arbitrary write, point a symlink at a file that has already been extracted. A mature tar implementation would not allow this, but this one was not mature.
  • The attack also worked with hard links.