Skip navigation

Monthly Archives: May 2016

Shellcode Database

http://shell-storm.org/shellcode/ is a large library of ready-made shellcode for different situations.

PHP Backdoors Collection

Need some nice webshells?  Your target is using PHP?  Try out this collection of PHP Backdoors!

How Not to do Responsible Disclosure

A security researcher in Florida has been arrested after exposing SQLi vulnerabilities in an election-related webapp, but apparently, he didn’t have any sort of permission to do so.

 

OOPS!

The Panama Papers Database Now Downloadable

https://cloudfront-files-1.publicintegrity.org/offshoreleaks/csv.zip

Check it out, folks.

FBI can’t decide if Ransomware should be paid off or not

Last October, the FBI Special Agent in charge of Cyber and Counterintelligence stated that the FBI typically advises people to “pay the ransom“, but now the FBI is advising people to NOT pay the ransom.

 

Which is it, lads?

ASUS Memory Management Exploit Dropped

http://rol.im/asux/

 

Introduction to Cross-Site Scripting

Google offers an application security education page about XSS.  If you’re new to it, or just want to get more in-depth and determine how to mitigate it, give it a read.

https://www.google.com/about/appsecurity/learning/xss/

BSides Charlotte CTF

BSides Charlotte was a great time and the people were fantastic. The CTF was awesome, because we (Mother Russia) won and had a blast with the Network King of the Hill-style competition.

Mother Russia of Great Victorious

Great #1 Victory

Technical Details

So, I feel a little bit ashamed, but I spent the first hour and a half thinking that I was in netsec hell and was hitting a firewall or something, because NMAP was running extremely slowly (57 minutes for a /24), but it turned out that I was scanning an entirely wrong network.

After getting some good targets, I saw a lot of port 80.  Most only had to default Apache pages, but one had a Drupal instance installed.  The scoring mechanism required for teams to deface the front page of the web servers with <team>TeamName</team> tags, so this looked promising.  My teammate pointed out that a Metasploit module existed for that version of Drupal (Drupalgeddon).  In our case, it created an admin user and popped a meterpreter session with low privilege.

After logging in to the Drupal instance, it became clear that there was a lot of competition for the front page, but we used a secret weapon to swing the competition in our favor.  Many teams were outright banning and blocking the other teams’ admin users, which I found to be a silly idea, because they would just create a new user and it would be a game of whack-a-mole.  Instead of blocking or banning users, I simply removed their admin privileges, posted our flag and babysat the users page to remove new users’ permissions.  After a while, even the facilitator of the CTF was asking how we were blocking access and assumed that we had rooted the box and were using IP Tables.  Because it allowed for users to still browse all of the pages, many assumed that it was simply a network glitch when their posts didn’t work. As a result, they didn’t create new users and moved on the other targets, giving us a WIDE lead.  The network was a target-rich environment, with quite a few open ports, but MS08-067 actually saved the day on quite a few of them.  There were many boxes, but the Drupal incident was really my highlight of it all.

It was a fun CTF and a wonderful conference, so I want to give greetz to @th3mojo@c0ncealed, and everyone who helped run @BsidesCLT.

XSS-as-a-Service?

XSS Hunter looks like a promising project.  By allowing for users to own a custom subdomain dedicated to hosting XSS callbacks, it offers a clean, user-friendly interface for probing pages with XSS.  It allows for easy fingerprinting of targets and organizes all of the information, to help keep track of which pages are vulnerable and what types of info they yield.  I’m very excited to see where this goes.

https://xsshunter.com/features

Blind XSS in GoDaddy’s Internal Customer Support System

“…the issue was that the GoDaddy customer support application pulled data from a shared database that my XSS payload was stored in and then reflected it insecurely into the page – causing this XSS vulnerability.”

https://thehackerblog.com/poisoning-the-well-compromising-godaddy-customer-support-with-blind-xss/

An InfoSec researcher was playing around when registering his GoDaddy account and set his name to a Cross-Site Scripting payload, as a joke.  Months later, there was an issue that required contacting GoDaddy’s support line, but it soon became apparent that the “joke” would actually allow a malicious actor to take control of any GoDaddy support representative’s session and do anything with their permissions.

TL;DR: Read the page, it’s short and to-the-point