Thursday, April 3, 2008

Scanless PCI, Hurray

Some time ago, I mentioned something about PCI and its credibility. In short, I was asking whether all those PCI-certified companies are safe from attacks just because they are PCI certified. Today we witnessed something better, more cost effective, faster and least intrusive, and the best part? It does not even cost a single cent compared to HackerSafe or Qualys, unless you subscribe for additional services. Well, I have not personally registered for the service, but I guess it will be much more proficient with the current PCI standards. The setup is simple: just copy and paste the code to your site and that will do it. Check out

http://www.scanlesspci.com/



The Hacka Man

Wednesday, January 30, 2008

PIX/ASA Finesse 7.1 & 7.2 Privilege Escalation

I was trying to get into admin mode without the enable password during a penetration test and I came across a post by Terry where he describes a design flaw in the PIX/ASA Finesse operating system, versions 7.1 and 7.2. It was possible to escalate a normal level 0 user to a level 15 privilege user. The exploit is simple and it only works locally, at the console, and remotely with Telnet. However, do note that it will NOT work if SSH, TACACS or RADIUS is implemented on the firewall. Below are the steps.

1. Log in with your level 0 user account. Once logged on, you will be prompted to enter the enable password, which is the privilege password.

2. At this prompt, if you move your cursor forward with a space or character (it doesn't matter if there is more than one), and then proceed to delete the spaces or characters, holding down backspace for a second after deleting the last character should immediately drop you into level 15 privileged-exec mode.

It has been tested on a PIX 515E running Finesse version 7.2, and I have also tested it on the PIX 525.

The Hacka Man

Wednesday, January 16, 2008

Web Attacker Toolkit

Sorry for the lack of updates. I have been roaming around for the past 2 months and felt a little lazy about updating my blog. I was reading news on the internet today and read about a hacking toolkit that was able to compromise thousands of web servers, and that caught my attention. Apparently the tool, called the "Web Attacker Toolkit", can be bought from the Russian hacking group called Inex-Lux for a cheap price. All unpatched IE and Firefox browsers can be compromised, with a trojan silently installed on the local PC without the user knowing it. Once a trojan is installed, the game is over. After reading the news, of course I upgraded my IE and my Firefox to the latest versions to avoid any exploitation. Check out the three links below:

http://www.informationweek.com/news/showArticle.jhtml?articleID=186700539

http://www.websense.com/securitylabs/alerts/alert.php?AlertID=472

http://informationweek.com/news/showArticle.jhtml?articleID=205603044

The Hacka Man

Sunday, December 2, 2007

.NET ViewState vulnerable to manipulation exploits

This past week I had a chance to audit a customer who is using Microsoft's ViewState. So what is ViewState and why is it vulnerable? ViewState is an ASP.NET feature that allows you to persist form properties when a page posts back to itself. ASP.NET takes the current state of all form controls and stores them as an encoded string in a hidden form field. The risk of ViewState is that an attacker might be able to view or modify these form values to accomplish a variety of attacks. So, the question is how do you view and modify the values in ViewState? You can download PortSwigger's latest Burp proxy to do the necessary manipulation. ViewState appears in the HTML source as a hidden form field and is base64 encoded.



The latest version of Burp proxy allows you to decode ViewState's base64 encoding and view the clear contents inside, or you can download the ViewState Decoder from Fritz Onion to ONLY view the contents. Check out both links below:

http://www.dotnetspider.com/tools/ShowTool.aspx?ToolId=378
http://blog.portswigger.net/2007/06/viewstate-snooping.html

Because the customer is using some sort of VPN, I was unable to use PortSwigger's Burp proxy, for whatever reason. However, I managed to decode the ViewState using the ViewState Decoder.



To prevent attackers from manipulating ViewState, you can include a message authentication code (MAC). A MAC is essentially a hash of the data that ensures its integrity. You can enable the ViewState MAC at the machine, application or page level. You can enable the MAC wherever you enable ViewState with this attribute:
enableViewStateMac="true"

To truly make sure ViewState is secure, you will need to encrypt the data, with the ViewStateEncryptionMode property set to true. This will prevent attackers from decoding and viewing the data inside ViewState. To read more about ViewState security, check out the MSDN links below:

http://msdn2.microsoft.com/en-us/library/ms178199.aspx
http://msdn.microsoft.com/msdnmag/issues/03/02/CuttingEdge/
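As an added example (not from the post, and not ASP.NET's real LosFormatter serializer), the script below models the two properties discussed above: a keyed MAC over the hidden field makes any edit made through a proxy fail validation on postback, while base64 alone still leaves the contents readable. The machine key and the form state are constructed values.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; ASP.NET takes its MAC key from <machineKey> in web.config.
MACHINE_KEY = b"constructed-demo-key-do-not-use"
TAG_LEN = hashlib.sha256().digest_size


def encode_viewstate(state, key=MACHINE_KEY):
    """Serialise the form state, append a MAC, base64 the lot (stand-in for
    enableViewStateMac="true"; real ViewState uses LosFormatter, not JSON)."""
    payload = json.dumps(state, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.b64encode(payload + tag).decode()


def decode_viewstate(field, key=MACHINE_KEY):
    """Server side of a postback: reject the field unless the MAC verifies."""
    raw = base64.b64decode(field)
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ViewState MAC validation failed")
    return json.loads(payload)


def peek(field):
    """What a proxy shows without any key: base64 alone hides nothing, which is
    why the post also wants viewStateEncryptionMode set (ASP.NET value: Always)."""
    return base64.b64decode(field)[:-TAG_LEN].decode()


def tamper(field, old, new):
    """Edit one value in the decoded field and re-encode it, as a proxy user would."""
    raw = base64.b64decode(field)
    return base64.b64encode(raw.replace(old.encode(), new.encode())).decode()
```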

The Hacka Man

Sunday, November 25, 2007

Old School Oracle Auditing

I was again reading hacking articles and one of them, "Simple Oracle Auditing", caught my attention. Well, it's an old article but it's still fun to read and learn from the gurus. Check it out guys: http://www.securityfocus.com/infocus/1689

The Hacka Man

Thursday, November 22, 2007

7 steps to better Solaris Network Settings

I was auditing one of our customers again and this time round, I managed to come up with a 7 step guide to better secure the TCP stack on Solaris. Well, you guys can add on for more.

1. Configure more random TCP initial sequence number generation. Check that in /etc/default/inetinit, TCP_STRONG_ISS is set to 2, i.e. TCP_STRONG_ISS=2

2. IP forwarding must be turned off to prevent the machine from acting as a router. To disable IP forwarding, the file "/etc/notrouter" needs to be present. If the file is missing, create it with the following command: touch /etc/notrouter

To prevent dynamic route updates via the network, move "in.routed" and "in.rdisc" out of the "/usr/sbin" directory with the following commands:
mv /usr/sbin/in.routed /export/home/cfgh/base
mv /usr/sbin/in.rdisc /export/home/cfgh/base

3. Change the default kernel IP settings for better security. Follow these steps to change the kernel IP default values:

Setup files and environment:
touch /etc/init.d/exconfig
ln -s /etc/init.d/exconfig /etc/rc2.d/S70exconfig
chmod 744 /etc/init.d/exconfig /etc/rc2.d/S70exconfig

Edit the file "/etc/init.d/exconfig" and add the following lines:
#!/bin/sh
# /etc/init.d/exconfig - harden kernel IP/TCP/ARP driver settings at boot.
# Driver parameters are set with ndd(1M); the release number from uname -r
# (5.6, 5.7, 5.8 ...) selects which parameters exist on this box.
RELEASE=`/usr/bin/uname -r`
release7 ()
{
# Do not route, do not send or honour ICMP redirects, drop source-routed and
# directed-broadcast packets, and stay quiet to broadcast ICMP probes
/usr/sbin/ndd -set /dev/ip ip_forwarding 0
/usr/sbin/ndd -set /dev/ip ip_strict_dst_multihoming 1
/usr/sbin/ndd -set /dev/ip ip_send_redirects 0
/usr/sbin/ndd -set /dev/ip ip_ignore_redirect 1
/usr/sbin/ndd -set /dev/ip ip_forward_src_routed 0
/usr/sbin/ndd -set /dev/ip ip_forward_directed_broadcasts 0
/usr/sbin/ndd -set /dev/ip ip_respond_to_echo_broadcast 0
# Bigger half-open queue and shorter connect timeout to blunt SYN floods
/usr/sbin/ndd -set /dev/tcp tcp_conn_req_max_q0 4096
/usr/sbin/ndd -set /dev/tcp tcp_ip_abort_cinterval 60000
/usr/sbin/ndd -set /dev/ip ip_respond_to_timestamp 0
/usr/sbin/ndd -set /dev/ip ip_respond_to_timestamp_broadcast 0
/usr/sbin/ndd -set /dev/ip ip_respond_to_address_mask_broadcast 0
# Expire ARP cache entries faster (one minute) to limit ARP poisoning
/usr/sbin/ndd -set /dev/arp arp_cleanup_interval 60000
# Shorter TCP keepalive only on hosts that have the MQ user (mqm)
id -a mqm > /dev/null 2>&1
if [ $? -eq 0 ]
then
/usr/sbin/ndd -set /dev/tcp tcp_keepalive_interval 600000
fi
}
release8 ()
{
# Solaris 8 and later: same hardening for the IPv6 stack
/usr/sbin/ndd -set /dev/ip ip6_forwarding 0
/usr/sbin/ndd -set /dev/ip ip6_strict_dst_multihoming 1
/usr/sbin/ndd -set /dev/ip ip6_send_redirects 0
/usr/sbin/ndd -set /dev/ip ip6_ignore_redirect 1
/usr/sbin/ndd -set /dev/ip ip6_forward_src_routed 0
/usr/sbin/ndd -set /dev/ip ip_ire_arp_interval 60000
}
release6 ()
{
# Solaris 2.6: only the parameters that release supports
/usr/sbin/ndd -set /dev/ip ip_respond_to_echo_broadcast 0
/usr/sbin/ndd -set /dev/ip ip_forward_directed_broadcasts 0
/usr/sbin/ndd -set /dev/ip ip_strict_dst_multihoming 1
/usr/sbin/ndd -set /dev/ip ip_ignore_redirect 1
/usr/sbin/ndd -set /dev/ip ip_forward_src_routed 0
}

if [ "$RELEASE" = "5.7" ]
then
release7
elif [ "$RELEASE" = "5.8" ] || [ "$RELEASE" = "5.10" ] || [ "$RELEASE" = "5.9" ]
then
release7
release8
elif [ "$RELEASE" = "5.6" ]
then
release6
fi

4. Disable multicast on the server: edit the file "/etc/rc2.d/S72inetsvc" and comment out or remove the following lines (shown here already commented out):
#(
#if [ "$_INIT_NET_STRATEGY" = "dhcp" ]; then
# mcastif=`/sbin/dhcpinfo Yiaddr` || mcastif=$_INIT_UTS_NODENAME
#else
# mcastif=$_INIT_UTS_NODENAME
#fi
#
#echo "Setting default IPv4 interface for multicast:" \
# "add net 224.0/4: gateway $mcastif"
#
#/usr/sbin/route -n add -interface "224.0/4" "$mcastif" >/dev/null
#)&

For Solaris 10, multicast is disabled using /etc/rc2.d/S72inetsvc-os10 (see step 6).

5. Denial of service prevention: system settings.
Services that must be disabled on all servers (in /etc/services), unless required by a business function: ftp-data, ftp, tftp, pop2, pop3, pop-2, nntp, chargen, daytime, discard, echo, finger, talk, who, whois, new-rwho, klogin, eklogin, telnet, systat, netstat, time.

6. Prevent core dumps generated by inetd, as they may contain login information. This is done by editing the file "/etc/rc2.d/S72inetsvc". Change the line:
/usr/sbin/inetd -s &
to: /usr/bin/ulimit -c 0; /usr/sbin/inetd -s -t &
Note:
ulimit -c 0 : sets the core file size to 0 bytes
inetd -s -t : stand-alone server with tracing of all TCP connections

For Solaris 10, create the script /etc/rc2.d/S72inetsvc-os10 as below (the leading # is the root prompt):
#cat /etc/rc2.d/S72inetsvc-os10
IPADDR=`netstat -nr | grep -w 224.0.0.0 | awk '{print $2}'`
/usr/sbin/route -n delete -interface "224.0/4" $IPADDR
/usr/sbin/svcadm enable inetd
/usr/sbin/inetadm -M tcp_trace=TRUE
#chmod 555 /etc/rc2.d/S72inetsvc-os10

7. .netrc files: system settings (.netrc files, including .netrc in root's home directory). These files are not permitted; remove any that exist. To find them, issue the command: find / -name .netrc -print
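As an added example (not part of the post), here is the audit counterpart to step 3: it reads each kernel parameter with ndd -get and reports every value that differs from the hardened settings in the exconfig script. The live getter needs a Solaris host; the SAMPLE_HOST snapshot is a constructed stand-in so the audit can be exercised offline.

```python
import subprocess

# Hardened values taken from the exconfig script above: (driver, parameter, value).
EXPECTED = [
    ("/dev/ip", "ip_forwarding", "0"),
    ("/dev/ip", "ip_strict_dst_multihoming", "1"),
    ("/dev/ip", "ip_send_redirects", "0"),
    ("/dev/ip", "ip_ignore_redirect", "1"),
    ("/dev/ip", "ip_forward_src_routed", "0"),
    ("/dev/ip", "ip_forward_directed_broadcasts", "0"),
    ("/dev/ip", "ip_respond_to_echo_broadcast", "0"),
    ("/dev/ip", "ip_respond_to_timestamp", "0"),
    ("/dev/ip", "ip_respond_to_timestamp_broadcast", "0"),
    ("/dev/ip", "ip_respond_to_address_mask_broadcast", "0"),
    ("/dev/tcp", "tcp_conn_req_max_q0", "4096"),
    ("/dev/tcp", "tcp_ip_abort_cinterval", "60000"),
    ("/dev/arp", "arp_cleanup_interval", "60000"),
]
WANTED = {(d, p): v for d, p, v in EXPECTED}


def ndd_get(driver, param):
    """Read one kernel parameter on a live Solaris host with ndd -get."""
    proc = subprocess.run(["/usr/sbin/ndd", "-get", driver, param],
                          capture_output=True, text=True, check=True)
    return proc.stdout.strip()


def audit(get=ndd_get, expected=EXPECTED):
    """Return (driver, param, current, wanted) for every setting that deviates."""
    findings = []
    for driver, param, wanted in expected:
        current = get(driver, param)
        if current != wanted:
            findings.append((driver, param, current, wanted))
    return findings


# Constructed snapshot of an unhardened host (Solaris defaults), used offline.
SAMPLE_HOST = {
    ("/dev/ip", "ip_forwarding"): "1",
    ("/dev/ip", "ip_send_redirects"): "1",
    ("/dev/ip", "ip_ignore_redirect"): "0",
    ("/dev/tcp", "tcp_conn_req_max_q0"): "1024",
}


def sample_get(driver, param):
    """Stub getter: parameters absent from the snapshot already match policy."""
    return SAMPLE_HOST.get((driver, param), WANTED[(driver, param)])
```

On a real box run audit() with the default getter as root; each finding maps directly to one ndd -set line in the script.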

The Hacka Man

Wednesday, November 21, 2007

Hacking Iphone the fun way

I got my iPhone and I know there are exploits and vulnerabilities in it discovered by H.D. Moore, creator of Metasploit. However, I wasn't too enthusiastic about the damage that this exploit can do, but more into the fun aspect of how to install new 3rd party applications on the phone. I know that you can install hacking tools too, but that's not my goal. Why install those tools when you can install them on the PC? Anyway, I managed to unlock the phone with a little help and of course started using it. It is the coolest phone out on the planet and of course, with the video below, I managed to install more applications on my phone. Check it out.



The Hacka Man

Tuesday, November 20, 2007

Hacking SCADA

While I was in Dubai, I got a chance to visit one of our customers who was using SCADA. Back then, it was so new to me and I had no idea how to actually audit it. Back here in Singapore, I got another chance to actually test and audit SCADA systems and this time round, I found a way to actually break the application and network apart. However, I had to be very careful during the audit, as one wrong move may affect the whole of Singapore.

So what is SCADA? SCADA stands for Supervisory Control and Data Acquisition, and these are the systems that deliver water, power, gas and other utilities to your home. Check out http://en.wikipedia.org/wiki/SCADA if you would love to read more about it. There have been incidents where SCADA systems were hacked and information was stolen by terrorists. Also, internet worms like the Slammer worm affected these systems and caused a total DoS. Why is all this happening? All I can say is that either those systems are exposed to the internet, or they are using proprietary protocols and their owners think they are safe from hackers and don't care about it. Those people working in SCADA are so wrong; they don't bother about security at all, and I guess only when something disturbing has happened do they start to panic and need people like us to audit their systems.

SCADA uses its own proprietary protocols like DNP3, OPC, Modbus, DCS, etc., and it's possible to use Wireshark to monitor the traffic and see how the handshaking process works. By observing the handshake, I realised that it was possible to perform man-in-the-middle attacks, but of course that would require developing some tools to do the job. Other attacks that are possible include DoS, capturing of usernames and passwords, injecting worms and viruses, and many other old school techniques.

The problems with SCADA:
1. Windows & Linux Vulnerabilities
2. Not patched regularly – maximum uptime needed
3. Denial of Service Attack
4. Continuous string of reboot command
5. No Authentication
6. No Accounting
7. Traffic sent in clear text (username & password)
8. No encryption

To pentest SCADA systems, you can do the following:
1. Port Scanning
2. OS Fingerprinting
3. Vulnerability Scanning
4. Exploitation
5. Credentials Guessing
6. Sniffing
7. Fuzzing

Of course there are many other possibilities for pentesting SCADA systems. I for sure want another session with SCADA because it is so much fun getting to touch mission critical systems that can affect the whole country. There are tons and tons of possibilities and problems with SCADA and I have just outlined a few obvious ones. Of course, you have to be in the SCADA environment if you actually want to discover more possibilities, but then again, do we get such chances every day?

The Hacka Man

Monday, November 19, 2007

Two factor authentication bypassed

It has been a long fortnight and I have not finished writing my reports for various banks. It really was that much reporting to write, especially for one particular bank. I managed to bypass the security control mechanism set up by this bank and steal the username and password of any user.

Most of the banks here in Singapore practise two factor authentication, and most people think it is secure because of the extra added security. However, a PoC was released to the bank showing them that it was possible to bypass the security control mechanism and capture the username and password of any user. I am sorry guys, I am not supposed to leak any information here. It is very sensitive from the bank's point of view. The best part of the exploit was that there was no XSS or SQL injection or any sort of vulnerability that facilitated it. It was purely information gathered during the passive information gathering exercise.

I was browsing their site and I discovered a section where some information could help me with the research of writing the exploit. I had an albeit pedantic thought when I saw that particular section. I was thinking that with all that information, I am definitely able to bypass the security mechanism. However, to do that I would require someone else to write the code for me from my ideas. Nevertheless, within a week I managed to come out with a PoC and put on a great deal of demonstration. Guys, I know you want to know the details, but I simply can't reveal anything because of the Non Disclosure Agreement I signed. All I can say is that passive information gathering is a very important exercise when trying to attack a huge organization; guys can spend hours and days writing a cool exploit, while with me, all I need is total observation and I get the results I want with ease. Why bother going all the way to do something difficult when something easy can be accomplished faster?

I would love to attach a screenshot of what I managed to capture, but then again, it is too sensitive. I am sorry, but just know that it is possible to bypass 2FA.

The Hacka Man

Saturday, November 17, 2007

Image upload xss

Also, I stumbled across an old blog post by RSnake where it was possible to execute XSS through an upload function.

http://ha.ckers.org/blog/20070603/image-upload-xss/

http://pstgroup.blogspot.com/2007/06/tipsimage-upload-xss.html

An example of something you might test for:



So you upload this file:

http://ha.ckers.org/image-xss/"onerror="alert('XSS')"a=".jpg

This ends up making the page look like:



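As an added example (not from the post or from RSnake's page), the script below shows why the filename above works and how to stop it: a page that concatenates the uploaded name straight into an img tag lets the quotes close the src attribute and smuggle in an onerror handler, while attribute-escaping the name on output, and allow-listing it on upload, leaves a single harmless attribute. The filename is the one quoted above; the upload path and helper names are constructed for the example.

```python
import html
import re

# Filename from the post (constructed sample): the quotes aim to break out of
# the src attribute once the page echoes the name back inside an <img> tag.
EVIL_NAME = '"onerror="alert(\'XSS\')"a=".jpg'

# Upload-time allow-list: plain image names only, no quotes, slashes or spaces.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.(jpe?g|png|gif)")


def render_unsafe(filename):
    """Naive concatenation: whatever is in the name lands inside the attribute."""
    return '<img src="/uploads/%s">' % filename


def render_safe(filename):
    """Attribute-escape on output so " and ' cannot terminate the src value."""
    return '<img src="/uploads/%s">' % html.escape(filename, quote=True)


def accept_upload_name(filename):
    """Reject names that could not be legitimate image names, so the bad
    value is never stored in the first place."""
    return SAFE_NAME.fullmatch(filename) is not None


def count_attributes(tag):
    """Number of quoted attributes a browser would see in the tag; an <img>
    built from a filename should carry exactly one (src)."""
    return len(re.findall(r'[a-z]+="', tag))
```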
The Hacka Man