Monday, 19 August 2013


Image XSS is very interesting concept...Inspired by Saumil Shah's one of video, I decided to try it out and it worked well!..Interesting!..

Just for reference am putting these things here on my blog.

First this we will need simple "GIF" Extension File, why????? because it simply starts with : GIF89a
Anything after this will be your actual GIF Image file contents.

Idea here is to create our GIF file in such a way that it will be valid file as well as it should have Malicious Javascript embedded into..!

If we create GIF file (test.gif) as below through Hex Editor :

If it would be Java Script, GIF89a will be considered as a Variable, /*....../* will be comments 
=0 will be assigned to GIF89a .... which means....there are 2 Lines of javascript code, 1 for assigning value 0 to variable and second part after semi colon will act as malicious script!!!

But currently it is just an Image!....not a java script...what if we create test.html file with below content :

Now you can place all pieces together and will get something like :

<script src="GIF89a/*.......*/=0;alert("eXploi13r Here")">

It is self explanatory...!!!!

Be aware, simple GIF Images may contain, malicious scripts....!!! :)

HP Data Protector 6.1 EXEC_CMD Remote Code Execution Pen-test (CD not working!)

While working on penetration testing exercise we found that, Vulnerability in HP Data Protector.
Exploit is available in metasploit, But we found some interesting thing, where we successfully exploited this vulnerability but after getting Shell, We found that simple "CD" command was not working!! Rest of commands were working as expected.....

Being a Linux Admin before, I wanted to find solution in order to work it out!... ;)

Below is exploit details as available in Metasploit module ...

HP Data Protector 6.1 EXEC_CMD Remote Code Execution

We tried to use all available Shells, and hell...none of them worked except "cmd/unix/bind_perl"
After getting shell, we were able to execute anything but "CD" was not working!!!!...
Checked manually in /bin it was there, whatever we put after "cd" and "pwd" path will be / only!!!!

It was annoying, So first time in life I had to go through MAN pages for "CD" command, and found references for command "fchdir" .... seems helpful hmm..

Tried changing through "chdir" --> Attempt Failed...

Finally I had to execute below commands :
cd /etc
fchdir /etc

It worked well, and finally able to change directories as we wanted!....nothing extraordinary but just wanted to have note about this little experience.