Having credentials for Umbraco CMS allows us to run a reverse shell. This time we will run the exploit (https://www.exploit-db.com/exploits/49488) How to 1. In searchsploit you can search for Umbraco exploits searchsploit umbraco Note: This indicates it works on 7.12.4 version. Since we have already admin credentials for this app Read more…
PhpTax is free software to do your U.S. income taxes. Tested under Unix environment. The program generates .pdfs that can be printed and sent to the IRS. http://sourceforge.net/projects/phptax/ An attacker might write to arbitrary files or inject arbitrary code into a file with this vulnerability. User tainted data is used Read more…
PHP library pChart 2.1.3 (and possibly previous versions) by default contains an examples folder, where the application is vulnerable to Directory Traversal and Cross-Site Scripting (XSS). This has been taken from (https://www.exploit-db.com/exploits/31173) Exploiting Directory Traversal 1. Visiting the application at (http://192.168.0.18/pChart2.1.3/examples/index.php), we get to the examples folder. 2. This tool Read more…
Mail Command Injection is an attack technique used to exploit mail servers and webmail applications that construct IMAP/SMTP statements from user-supplied input that is not properly sanitized. an attack technique that injects attacker-controlled SMTP commands into the data transmitted from an application (typically a web application) to an SMTP server Read more…
Server-side redirection vulnerabilities arise when an application takes user controllable input and incorporates it into a URL that it retrieves using a backend HTTP request. Unvalidated redirects and forwards are possible when a web application accepts untrusted input that could cause the web application to redirect the request to a Read more…
Directory traversal (also known as file path traversal) is a web security vulnerability that allows an attacker to read arbitrary files on the server that is running an application. This might include application code and data, credentials for back-end systems, and sensitive operating system files. In some cases, an attacker Read more…
Command injection is one of the top 10 OWASP vulnerability. it’s an attack in which arbitrary commands of a host OS are executed through a vulnerable application. The attack is possible when a web application sends unsafe user data to the system shell function within the running script. This user Read more…
XPath Injection attacks occur when a web site uses user-supplied information to construct an XPath query for XML data XPath is a standard language. When using XML for a web site it is common to accept some form of input on the query string to identify the content to locate Read more…
Blind SQL injection arises when an application is vulnerable to SQL injection, but its HTTP responses do not contain the results of the relevant SQL query or the details of any database errors. With blind SQL injection vulnerabilities, many techniques such as UNION attacks are not effective, because they rely Read more…
The HTTP response status code 302 Found is a common way of performing URL redirection. Permanent redirections These redirections are meant to last forever. They imply that the original URL should no longer be used, and replaced with the new one Code Text 301 Moved Permanently 308 Permanent Redirect Temporary Read more…
This trick works on any CMS you access. In case, you get the credentials either by brute force, disclosure, etc. This example uses Joomla! CMS Joomla Reverse shell 1. Having access to the account and being able to edit the template Go to Extensions – Templates – Templates 2. Select Read more…
https://wiki.owasp.org/index.php/Testing_for_Local_File_Inclusion The File Inclusion vulnerability allows an attacker to include a file within the system, this happens due to bad handling of user input. Local File Inclusion (also known as LFI) is the process of including files, that are already locally present on the server, the parameter might be able Read more…
This time we will be exploring RFI and read file explorer https://wiki.owasp.org/index.php/Testing_for_Remote_File_Inclusion RFI Remote file inclusion allows an attacker to include file remote (from the web servers point of view) possibly allowing code execution, denial of service, and data disclosure. Since RFI occurs when paths passed to “include” statements are Read more…
This happens when a cyber-criminal controls somebody else’s account by using credentials (session ID, username number, etc.) In this example I will demonstrate this technique using Mutillidae, we’ll create 2 accounts and highjack it. OWASP 2017 – “A5 – Broken Access Control” – Insecure Direct References – Via Account Highjacking Read more…
Log in to DVWA admin/password, Session IDs have 4 levels (low, medium, high, impossible) We will first inspect the low one. So, set the level to low Low This script is very basic and unsecure, due to the session ID is created in plaintext and uses the most common sequences. Read more…
I am writing this based on OWASP and the book “The Web Application Hacker’s Handbook”. https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html Introduction The HTTP protocol is essentially stateless. It is based on a simple request-response model, in which each pair of messages represents an independent transaction. applications use HTTP cookies as the transmission mechanism for Read more…
This is a summary of some tips from “The Web Application Hackers Handbook” to test authentication mechanisms as well as recommendations for securing it, it think that book is a great resource for learning web app pentest. Brute-Forcible Login 1. Manually submit several bad login attempts for an account you Read more…
When an application is vulnerable to SQL injection and the results of the query are returned within the application’s responses, the UNION keyword can be used to retrieve data from other tables within the database. This results in an SQL injection UNION attack. Example of vulnerable URL http://vk9-sec.com/report.php?id=23’ order by Read more…
Basic of SQL for SQL Injection In this Tutorial we will discuss some basics of SQL queries and concentrate on queries and basics which will help us while different Phases of Injection. This will be like a crash course of SQL as per the requirements of SQL Injection. The Hierarchy Read more…