Magento Shopping Cart 0day Exploit

Hi Friends,

Many of you already know that people try to do the things which provide them some fruits. likewise Carders trying to Exploit Shopping carts for getting into the transaction system in order to snatch people's money. Magento is a famous eCommerce CMS. this is the main target also as many of shopping sites are based on this CMS.

Here is a Recent exploit "obviously not found by me but code is mine." Which allows an attacker to change Username and Password of a site remotely. this is due to remote code Execution.

Exploit Code

and here are Results i got from Execution of the Script.

Bingoo !!

P.S: No any sites were harmed and Affected ones are reported already.

References:

• http://blog.checkpoint.com/2015/04/20/analyzing-magento-vulnerability/

Magento Shopping Cart 0day Exploit

By: Adeel Chaudhary on: 02:13

Node JS & Command Execution

Introduction

Node.JS is a Cross Platform and Runtime Environment Where one can execute javascript code, outside the Web Browser. Node.JS is Very helpful but it has a couple of Killing features which make it very dangerous and hazardous for a web application. In this tutorial we are going to discuss one of them, Command Execution in Node.JS, You Folks must know what is Command Execution but just to be sure I’d like to tell you, Command Execution Vulnerabilities Allow an Attacker to run arbitrary Commands on a System through the Vulnerable Environment. I guess its enough for introcution.

Vulnerable Code

Here is vulnerable code which demonstrates the vulnerability in node js.

I’ll simply give the overview about where exactly its getting hectic. We are using exec function from child_process library, and executing parsedUrl.query.command, that is not getting filtered. Hence an attacker can execute any arbitrary commdn in order to hack into system. Let’s Save it and run it. Here is my script running.

Code is working without any error, let’s try to visit the url 127.0.0.1:8888 in browser as it is listening on port 8888.

Whoa, we got it working. Now its time to do some evil stuff. Let’s try to execute systeminfo, PING & Some other commands , that displays information about a computer.

#fig1

#fig2

#fig3

Okay fine, as it is clear from the above POC that its working exactly fine. In this context a developer must be careful while working with Node.JS files as its kinda more hectic and Evil than other languages.

About the Author

Muhammad Adeel is a Security researcher & Founder at Whitehat Conference Pakistan, he Blogs at http://urdusecurity.blogspot.com

Node JS & Command Execution

By: Adeel Chaudhary on: 06:53

Cross Site Tracing | WebAppSec

Hey Folks, Let's Have a little look over Cross Site Tracing though many of you know as it is simple and easiest way but still for some of you who don't know what it is. M gonna Demonstrate.

Introduction

XST (Cross Site Tracing) is combined Attack that includes HTTP TRACE METHOD and XSS Techniques. XST Allows an Attacker to see what data is being recieved at the other end of the request chain. its an old attack type that was discovered in the late of 2003. well i think its enough for now, Let's move to practical as always UrduSecurity do.

Cross Site Tracing

Well Guys First of all I need a Web server to whom I've to send the request so for this im gonna use my Localhost on port 81. and Let's Try to access it via curl.

curl -X TRACE 192.168.1.3:81

ok now let's see what is in response.

 

Umph As we can see TRACE in response so this method is allowed. Now Let's try to Add a new header if we can do it by using curl's -H option.

oh ?? injected :P , so this application is prone to xss attacks via Trace method that is inshort called Cross Site Tracing. If we don't see TRACE in response and see a source page then trace method is disabled.

Hope it's Clear.

Cross Site Tracing | WebAppSec

By: Adeel Chaudhary on: 04:08

TCP Wrappers in Linux

Introduction

Tcp Wrapper is a Library which provides control access and logging for the services over a server which accepts tcp connections.Most of the Linux Systems are compiled with tcp wrappers. it is a network filter ACL(access control list) that is used to filter the network access.

How TCP Wrappers Help?

• helps in system logging
• pattern matching access control
• verifies the hostname
• Protection against spoofing attacks

in these four ways tcp wrappers be helpful to us.

Explanation

 Now to check if a program is compiled with tcp wrapper we use following command.

ldd /path/to/program | grep wrap

and this is gonna provide us information if the service is compiled with wrapper library. See example Below.

as we can see that libwrap.so is dependency for sshd service.

Further we can use /etc/hosts.allow & /etc/hosts.deny Files to control system access. Let's Say i want to Deny all to access MySQL service and allow only Localhost. Following will be Configuration for it.

You can Set WildCard for it aswell to allow a list or a network. Let's say you want to allow a subnet as 192.168.*.* for SSH services.

 

In case of any queries Let me know. Thanks

TCP Wrappers in Linux

By: Adeel Chaudhary on: 07:53

CRLF Injection - Inject the Headers

CRLF Injection




Introduction

CRLF(Carriage Return Line Feed) Injection is another Web Application Vulnerability which occures due to improper input sanitization in headers fields of a website like, Location, User-agent, Max-Age etc. This vulnerability can cause some highly risky vulnerabilities like XSS, LFI Etc.

Scene Behind CRLF

CR & LF are 2 characters that indicates the end of a line. If we type something in any text Editor and just hit the ENTER key, the Editor automatically adds CR & LF at the End of That Line. as an Example See Below:



Sometimes You might have seen them written like this \r\n, This is Exactly what is CRLF. They are written as %0d%0a also when writing in hex.



Exploitation

Exploiting This Vulnerability is really easy and it has targeted high profile sites like google, yahoo, microsoft Etc. Ummm Let's Take an Example Page and send a request to it Then check the http request and response via Burp suite.

<html> <bod> <META http-equiv='Refresh' CONTENT="5;URL=http://google.com"> <font face='Lucida Console' size='7' color='maroon'> <h1 align="center"> UrduSecurity - Born to Lead </h1> </font> </body> </html>

Let's Save and visit this Page via browser. and intercept its http request & response via burp.

Request:



i just forwarded the request and response was something like this.



Then i manipulated the Location Header and replaced Google.com with My Localhost Address Hosted Script. See Below.

Script:

<html><h1> <font face='Lucida Console' size='7' color='maroon'><center>Welcome to HeLL</center></font> </h1></html>

Manipulated Response:



and after clicking forward i just saw that it amazingly redirected me to my localhost script instead of google as mentioned in code. see picture.



so in this way as we can clearly see that we are able to change and manipulate the http response and request using crlf injection. we further can add our own headers and other stuff if input is not being sanitized properly. We Have also an option to Inject CRLF into headers by doing uaing following payload cache-control= private%0d%0aNew-Header:Hacked%0d%0a , soin this way by applying CRLF technique we can inject it.

Remediations

Just sanitize the CRLF characters before they pass from header or also sanitize the encoding formates which let's crlf codes be injected into header.

CRLF Injection - Inject the Headers

By: Adeel Chaudhary on: 07:22

How Hackers Hidding Spam Codes Now

Introduction

Hi, Im Muhammad Adeel From UrduSecurity, here Im gonna describe a simplest way with a simple example that how now a days hackers are tricking the Search Engine bots in order to let them think that the injected code is not a spam or they can hide it in a realistic way so that the bots think that the code is legit.

Example

one of the best way to do the job is inserting our SPAM CODE between <div> tag with an ID or  Class. and Finally we have an option to add a Javascript to hide that DIV tag.

Trick:   We can use school level Math to Fool the engines and make a div tag Spammy, and to make ID to look different in javascript.

An Example code of the Described type of Attack Could be as follows.

Explanation

The idea is simple as we can see id=10 and we are accessing it through javascript by (5*2) . Malware generates a random number , lets say ('X'), and doubles the number then use it as spam <DIV> tag. Finally using the Multiplication Operator to let the Search Engine Bots think that its legit and trustworthy.

References

http://sans.org

http://resource.infosecinstitute.com

How Hackers Hidding Spam Codes Now

By: Adeel Chaudhary on: 20:09

Android Hacking: Hacking Debuggable Android Apps

Hello Readers, Whats Up? Hope You all should be fine enough to read this tutorial. As in previous Article I said that i'll demonstrate that how to attack debuggable android applications. So This tutorial is about Finding and Attacking Debuggable Android Applications.

Before i start the procedure Let's collect the requirements.

• Android Emulator
• Vulnerable APK Application
• apktool
• jdb debugger

and as in previous tutorial i told that Android Tamer Have all these tools so no need to be worry just start up your android tamer and if you don't have , get it now.

Checking For Vulnerable Apps

First of all we need to learn that how to check if an app is vulnerable or no. to check this we need to find either the app is debuggable or no. and how to do it? Here comes the Role of UrduSecurity. 

Just Download the vulnerable apk file from above given link and provide following command in your android tamer's terminal .

• apktool d Vulnerable.apk

after You have done it, You have to Check AndroidManifest.xml File in order to see either the app is debuggable or no. Provide the Following Command to do that.

• nano Vulnerable/AndroidManifest.xml

and if you see this Line there, android:debuggable="true" , viola This app is vulnerable and you can pentest it.

Exploiting the Vulnerable Application

Now that You've got a vulnerable android app, Let's exploit it. start up your android emulator and launch the application. your goal is to change the text Try Again into Hacked By [UrduSecurity]. but first we have to check dalvik vm ports listening on emulator. give following command.

• adb jdwp

okay now we have to find on which port our Vulnerable.apk is listening which you can find again by running the app and enumeratng the ports. Let's assume the app is litening on 1180 port so let's forward to this port and attach our terminal to the app using jdb debugger.

Now Let's Check the classes and methods of Vulnerable.apk and as our main class is com.example.debug.MainActivity$1 so we'll be checking the Methods of that class also. see below.

Now We have to set a break point at onClick(android.view.View) method so that we can step through it and exploit the vulnerability by debugging the app.

• stop in com.example.debug.MainActivity$1.onClick(android.view.View)

and then check the position where we are by entering locals in terminal. Finally we have to move next by using the keyword next. see below.

Please click on the app manually to re run the app as jdb don't provide this functionality here.

as in above figure , You have to step through all the steps untill you get the desired string, as we remember we have to replace Try Again with Hacked By UrduSecurity, so we found that string here. Now its time to step in the secret = "Try Again" String.

and finally its time to give command run , and you'll see that the app will automatically pop up our changed message that is: Hacked By [UrduSecurity]. 

Yahooooooo, we just hacked the app. We can do a lot of other intresting stuff like getting a remote shell on victim and so on which we'll show you in later tutorials. Hope You've enjoyed this tutorial.

References

• infosecinstitute.com
• androidtamer.com
• oracle.com
• askubuntu.com

Android Hacking: Hacking Debuggable Android Apps

By: Adeel Chaudhary on: 11:44

Android Hacking: Getting Started with Android Pentesting

Hello Fans, currently Busy with a lot of things and i got exams too so i'll be lazy in updating the blog, well let's start Android Hacking as its the hottest topic to be discussed these days. This tutorial is a simple walk through of Android, adb shell & other Android Pentesting tools an sources.

Let's start it , hope you'll enjoy these Articles.

Basically all the Android devices are based on Linux Platform so A HAcker Must be aware of Linux environment in order to Play with android pentesting. There is a famous Virtual Lab Named as "Android Tamer" you can directly Download it From the Below Site.

http://androidtamer.com

i strongly suggest this Lab because it contains almost many of the tools used for android pentesting and as Hacking also means to be in touch with open source so it contains all open source tools about android aswell and for other pentesting stuff too.


after you've got your android tamer Lab Live & working. Now its time to Start Pentesting.

Rooted android device will be always a core requirement for these tutorials.

Here Starts our first tutorial about playing with basic things in android with adb shell and getting information.

Enable USB Debugging Mode and Connect your android device with your android tamer Lab. Then do the same as shown in below screenshot.

if you've done it without any error , you should get a screen like this, that indicates that you got an adb shell on your android device.

Now that You are Connected with Your android device and Have a shell, Let's try to see the avaiable files there using "ls -l" command.

okay but till now we have only shell permissions, in order to gain root permissions we'll use 'su' command. see below.

Now we'll look at some files out there like gesture.key for Pattern Lock , as our pattern code is saved as salt sha-1 hashed form in gesture.key so let's look there.

and so on, Try to inspect it more via adb shell as we do in linux. and you'll get that where the data is stored basically and how the all stuff going ahead and working. in Next tutorial i'll Post How to debug and Find Vulnerable android applications.


Till Now if you have any problem , Let me know if i can solve.  Thanks

Android Hacking: Getting Started with Android Pentesting

By: Adeel Chaudhary on: 09:39

Bypass and Crack Android Pattern Lock

Hi Folks, Whats up? Hope You all guys will be fine shine. I'm now going to introduce you from a way to Bypass & Unlock android Pattern Lock. Hope You'll Like This Tutorial. Let's First Collect the Requirements.

Requirements

1. Rooted Android Device
2. ADB Shell & Files (Click to Download)
3. Windows or Linux Environment (Windows is Used in this tutorial)

So guys just check if you have requirements Then Let's start the Process of cracking of Pattern Lock. First of all Enable Debugging Mode on Your Android devices and connect it to your PC or Laptop, Then Just Extract the Files You've downloaded on your desktop and Move to the inner folder then press shift and Right Click and select open command window here. 

 

okay now You'll see a command line prompt. what you have to do is to type in.

• adb devices

This Command Will check if your device is connected properly to your PC or no, and Then You've to provide the following command to get an adb shell.

•  adb shell

Finally you should see something Like this after These Commands.

Fine , Now You've to get root access Which you can get By Typing in.

• su

and you'll be root user now. So What you Have to do now. Basically The Pattern Lock is saved at following place.

• /data/system/gesture.key

so We'll delete this file and password is Cracker / Bypassed, See Below Picture as example.

and if You've Done Everything same as i've done without any error, Congratulations. Your Lock is Cracked and Bypassed. Try to Unlock Your Android By any gesture and it'll get unlocked.


Need any Clarification or any question, Please Let me know via Email or Comments.

Thanks

Bypass and Crack Android Pattern Lock

By: Adeel Chaudhary on: 09:11

Hostifier - Dns Misconfiguration Detecter & Dns BruteForcer

Hello Dear Fans, Recently I've just Posted A tutorial on  How to Use Pentester ToolKit. Now I'm Here to Blog about My New Tool Which can scan thousands of email in couple of Mintes in order to brute force its domains & Check for DNS Misconfiguration.

Here is How to Get it & Use, I've Partitioned the Process in two parts,

For Linux

1. open Terminal & type: sudo git clone https://github.com/Chaudhary-Adeel/Hostifier.git 
2. now Type:  cd Hostifier
3. Now Type: python Hostifier.py

For  Windows

 
 Download Hostifier Here

1. Now Only Extract it & Run Hostifier.py using python

it Checks for dns Miconfiguration Aswell , if Any Subdomain.ExampleDomain.com has address 127.0.0.1 then it is vulnerable to dns Misconfigurtion.


if you have any Problem in Understanding it, Let me know.

Hostifier - Dns Misconfiguration Detecter & Dns BruteForcer

By: Adeel Chaudhary on: 05:20

Playing with Pentester-Toolkit on Windows & Linux

Hello Guys, As You all Know That Lately I've Launched My Own Tool For Web App Vuln Scanning Purposes, that is Pentester-ToolKit & You can Download it From the Link Given Below.

Download Pentester-Toolkit

Its Much Efficient and Supports a handsome number of Modern Day Attack Scanning So its very beneficial for Security researchers or Website Masters in order to Secure Their Websites From Modern Day Attacks. Also I'll Keep Updating it with New Tools for Making it more efficient for the People.

Scanning Options

Here is a List of Scans Which it can Do.

1. Check For Server Info
2. Check HTTPOnly Flag
3. Check X-Frame-Options
4. Check For X-XSS-Protection
5. Check X-Content-Type Options
6. Check SSL/TLS Security
7. Check Content Secret Policy
8. Check Access Control Flaws
9. Check XDownload Options
10. Check Cache Control Options
11. Check DNS MisConfiguration
12. Check BackUp Abusement
13. Check Remote Code Execution
14. Check Cross Site Scripting
15. Check Error Based SQLi
16. Check For Directory Traversal
17. check For HTTP Trace Methods
18. Check For All Attacks

How to Install

Now comes the Point of My writing this Tutorial Because I got Many Many requests from friends that Post a tutorial on How to Use This toolkit , So Here is the Procedure for Linux & Windows. 

ON Linux

 First of all Open Terminal on Your Linux Distro & Follow the Steps Given below.

1. sudo easy_install requests
2. git clone https://github.com/Chaudhary-Adeel/Pentester-Toolkit.git
3. cd Pentester-Toolkit
4. chmod +x *
5. python main.py

and Finally You'r Done with Using Pentester Toolkit, You'll see The Pentester Toolkit Screen interface waiting for you to Command it and Operate as u want.

ON Windows

On Windows You Have to Download Some Basic Things in Order to Use This Tool Kit, Here are Mentioned.

• Pentester ToolKit: Download Here 
• Python 2.7 : Download Here
• Python Setup Tools: Download Here

Now That You Have All the Stuff Ready, So Follow the Steps Below,

1. Extract & install Python 2.7
2. Now Extract & Copy Python Setup Tools in C:\ Directory
3. Now Open Command Prompt & Follow Steps
4. Move to Setup Tools Directory By this Command: cd setuptools-0.9.8
5. Now Give Command: python setup.py install 

It will install python setup-tools for and a directory named "Script" will be created in your python installation directory.For default installation path, this is newly created directory C:\Python27\Scripts.

Now Again Follow Steps

1. Give Following Command in Command Prompt: cd C:\Python27\Scripts
2. Now install requests By Following Command: easy_install.exe requests
3. After Doing this, Extract Pentester Toolkit in This Directory: C:\Python27
4. and Try to Execute This Command: python main.py
5. Bingooo You've Installed it Successfully 

If You Still Have Any Problem in it, Let me Know Via Comments. 

Thanks

 

Playing with Pentester-Toolkit on Windows & Linux

By: Adeel Chaudhary on: 23:44

Pentesting HttpOnly Cookies

Hello Readers, Currently I've Described an Introduction to HttpOnly Cookies. in This Video you'll Learn How to Check a website For Http Only Flag.





incase of Queries Comment down Below the Post.

Pentesting HttpOnly Cookies

By: Adeel Chaudhary on: 03:51

What & Why HttpOnly Flag

Greetings Gentel Men, I'm here to Give a Simple & Understandable concept of HttpOnly Falg. First time This Technique was used by MS-IE Developers in IE-6 with XP-sp1 Version.

HttpOnly

HttpOnly is an Additional Flag in Http Header Response named as set-cookie. and Usually using this httponly falg help in mitigating client side & server side Attacks.

Syntax:

 

Set-Cookie: name=UrduSecuirty; Max-Age=600; expires=01/04/2014; domain=urdusecurity.blogspot.com; path=/; secure; HttpOnly

Why HttpOnly

HttpOnly flag 'hypertext transfer protocol' response header is additional in, the cookie can't be accessed through consumer aspect script. As a result, a cross-site scripting flaw exists, and a user accidentally accesses a link that exploits this flaw even though the browser to a 3rd party cookie won't show.

 When we visit a web page and if We are Not able to see 'set-cookie' & 'HttpOnly' tags in response , be sure that website have no security becase its cookies can be stolen easily.

Setting HttpOnly Cookies

PHP => add this in PHP.ini

session.cookie_httponly = True

Python(CherryPy) =>add in Config File

session.cookie_httponly = True

Hope You Guys Enjoyed Reading this tutorial, its not briefly explained but its noob Friendly so that Every one can Understand. Soon I'l Post that how can we Access HttpOnly cookies Also. 

What & Why HttpOnly Flag

By: Adeel Chaudhary on: 01:13

Playing with DATA URL Tags in HTML

Hello Friends,

After a Long time I'm Just Writing a Blog Post but Believe me its Really Fun , and Very Very Deeper Im Gonna TAke you if you really Understood What I'm gonna Describe Below.

Let's Start, Basically Data_Urls in their Base64 Encoded Form can be Used For XSS Filter Bypass. and it gets Serious While working with Firefox & Opera. When Newly Opened Documents Retain Access for Opening Page (Loading Completely). So Attacker Can Easily Trigger XSS on These Semi-Loaded Tags.

<a target=_blank href="data:text/html,");alert(1)//">Click Me</a>

Even We Can Base64_Encode This Payload. But Google-Chrome Will Block Attacker's Trick , So he Got Limited Options in His Pocket.

 

Fun Starts Now

 Now What if a Specific xss Filter Knows about data and try to Filter/Reject The Payload?? We Can ByPass it Still Ofcourse!! 

I Found an Intresting Way to Bypass it and You Might Like it .

data:text/html;base64UrduSecurity,[Attack-Payload] - Firefox & Safari data:text/html:;base64,[Attack-Payload]
data:text/html:[A-Lot-of-White-Spaces];base64,[Attack-Payload]
data:text/html;base64,,[Attack-Payload] - Opera

and Here is Fully Designed Payload Ready !

data:text,html;<before>base64<after>,[base64content]

This TAble Might Help You Someday.

Hope You Guys will Like This Tutorial, Leave Your Feed BAck, In case of Any Queries Let me know.

Playing with DATA URL Tags in HTML

By: Adeel Chaudhary on: 08:56