Advanced SQLi exploitation with FILE_PRIV
We would like to open our blog with notes on the practical exploitation of SQL injection. We also try to focus more attention on the practical aspects of web application security in the...
Find new web bot [Jembot]
We have discovered a new kind of bot that spreads in the form of web shells, called Jembot. Source code:
<?php
if(isset($_GET['jembot'])){
    echo "<body bgcolor=black><font color=cyan...
PHP all getimage() bypass
Many PHP projects base image validation on the getimagesize() function: http://php.net/manual/ru/function.getimagesize.php That function has a bug which lets an attacker read Berkeley DB format and...
PostgreSQL (all) error-based XXE 0day
Recently we found, and published at PHDays, a PostgreSQL 0day error-based XXE vulnerability. Currently it can be used by an attacker to read parts of local files and make requests from the DB server to the intranet...
PHP multiple headers bypass available again
Recently we wrote about a universal PHP bypass for the header() function. That trick is based on a lone %0d byte instead of %0d%0a to split the HTTP response. The bug was fixed, as you can see at...
Error-based XXE exploitation trick
Exploiting XXE vulnerabilities is difficult when you cannot view the resulting XML document. The recent XXE vulnerability in PostgreSQL is a good example of this: entities are resolved but not added to the XML output....
Advanced mobile UI redressing attacks using gyroscope/accelerometer
When you hold a mobile phone in your hand and put your finger on the screen area where you want to tap, you move the phone a little. These deviations can be measured with the built-in gyroscope and accelerometer...
WordPress XMLRPC pingback additional issues
A vulnerability in the WordPress XML-RPC pingback function was recently published: http://www.ethicalhack3r.co.uk/introduction-to-the-wordpress-xml-rpc-api/ Basically this vuln can be used to scan open ports...
Tomcat Servlet Examples threats
The Tomcat application server by default contains an "/examples" directory with many example servlets and JSPs. We strongly recommend disabling public access to this directory by following the security...
Analysis of CVE-2013-1048
Today we were very surprised by vulnerability CVE-2013-1048 in the Apache web server. This issue was described in Debian Security Advisory DSA-2637-1 with the following notes: Hayawardh Vijayakumar noticed that...
Breaking escapeshellarg() news
The PHP function escapeshellarg() is the most popular way to prevent OS command injection during shell calls, by escaping command arguments. But this function is not a panacea, and you should keep this in...
Exploiting server-side vulns as client-side?!!
Sounds terrible, doesn't it? This post is obvious, of course ;) But sometimes this is an effective attack vector, for example whenever you can exploit some subdomain (news.your-target.com) but cannot...
How XSS can defeat your digital signatures
Recently we exploited a nice XSS vector in one RBS (Remote Banking Service) system. This example shows very well how dangerous a client-side attack can be. After authorization, the client could sign electronic...
When Integer cannot protect you from SQL injection?
It is assumed that casting user data to a numeric type fully protects against SQL injection vulnerabilities. Look at a simple example:
$action=$_GET['do'];
$r=$db->query("select role".((int)$action)."...
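As an added example (not code from the original post, whose query is cut off above), here is a hypothetical query of the same shape. It shows that an (int) cast only neutralizes injection when the result lands in a numeric-literal position: the cast guarantees nothing beyond "an optional minus sign followed by digits", so glued onto an identifier a negative value becomes a subtraction operator. The column names, the allow-list and the PDO query are assumptions made for the demonstration.

```php
<?php
// Added example: hypothetical query in the shape of the post's snippet.
// (int) guarantees the output matches -?[0-9]+ and nothing more.
function buildQueryUnsafe(string $userInput): string
{
    // The cast result is concatenated into an identifier, not used as a literal,
    // so "-1" yields "role-1", which SQL parses as (role - 1).
    return "SELECT role" . ((int)$userInput) . " FROM users";
}

// Hardened variant 1: map the user value onto a fixed set of identifiers.
function buildQueryAllowlist(string $userInput): ?string
{
    $columns = ['1' => 'role1', '2' => 'role2', '3' => 'role3'];   // assumed schema
    if (!array_key_exists($userInput, $columns)) {
        return null;                                            // reject anything else
    }
    return "SELECT " . $columns[$userInput] . " FROM users";
}

// Hardened variant 2: where the value really is a literal, bind it as a parameter
// instead of building the string at all (PDO shown; the table is assumed).
function fetchRoleById(PDO $db, string $userInput): ?string
{
    $stmt = $db->prepare("SELECT role FROM users WHERE id = :id");
    $stmt->bindValue(':id', (int)$userInput, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['role'] : null;
}

// Constructed inputs: a normal value, a negative value, and a classic injection attempt.
foreach (['2', '-1', '2 OR 1=1'] as $input) {
    printf("%-12s unsafe:    %s\n", var_export($input, true), buildQueryUnsafe($input));
    printf("%-12s allowlist: %s\n", '', buildQueryAllowlist($input) ?? '(rejected)');
}
```

Running the script shows that the classic "2 OR 1=1" is indeed flattened to 2 by the cast, while "-1" survives as an operator in the unsafe query and is rejected by the allow-list. The rule of thumb: a cast makes the value safe as a literal, never as part of an identifier, keyword or operator position.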
Insecure DNS records in top web projects
Last month ONsec_lab discovered and reported the same DNS issue in top web projects: live.com, facebook.com, yahoo.com, nokia.com, paypal.com, baidu.com, att.com and many others. DNS linked...
The mobile application's role in web application security audits
Modern web projects also have mobile applications. In terms of the client-side model, a mobile application is a client, like a browser. The server is the web application: PHP/Java/RoR or another platform's code. Mobile...
Memory dumper based on CVE-2014-0160
You already know about this bug, of course: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160 Just an easy patch to the original PoC: https://gist.github.com/ixs/10116537
def hexdump(s):
    r...
XXE OOB exploitation at Java 1.7+
Java since 1.7 has patched the gopher:// scheme (thanks to A. Polyakov for that: https://media.blackhat.com/bh-us-12/Briefings/Polyakov/BH_US_12_Polyakov_SSRF_Business_Slides.pdf). But it also patched HttpClient...
PAM_steal plugin released
Typically a pentest attack can be presented by the following scheme: perimeter -> command execution -> privilege escalation -> ... The next step for pentesters is to gain privileges on other...
WordPress 3.9.2 - XXE through media upload (WAV ID3 tag)
Recently WordPress patched an XXE vulnerability (http://wordpress.org/news/2014/08/wordpress-3-9-2/) which was found during an @ONsec_lab security audit of another web application. Now it is time to describe...
Increasing the power of the PAM steal module
A year ago we released our PAM steal module. It's the easiest and safest way to steal passwords and escalate local privileges. Basically it catches passwords from sudo/su and from local services which use PAM. But...
One more useful PHP class for unserialize() bugs
In a hurry to share a common PHP class useful for deserialization vulnerabilities. It's the FileCookieJar class of the Guzzle project. Look at its destructor...
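An added example, not Guzzle's code: a minimal stand-in class with the same "persist state on destruct" pattern, to show why such a destructor matters once attacker input reaches unserialize(). The class name, file path and serialized payload are constructed here for the demonstration.

```php
<?php
// Added example: stand-in for a class whose destructor writes its state to a file.
// (Not Guzzle's FileCookieJar; only the pattern is the same.)
class SaveOnDestruct
{
    public $filename;
    public $data;

    public function __destruct()
    {
        // Path and content come straight from object properties, i.e. from the
        // serialized string when the object was produced by unserialize().
        file_put_contents($this->filename, $this->data);
    }
}

// Constructed payload: the attacker only needs a string that reaches unserialize().
$target  = sys_get_temp_dir() . '/unserialize_gadget_demo.txt';
$payload = 'O:14:"SaveOnDestruct":2:{'
         . 's:8:"filename";s:' . strlen($target) . ':"' . $target . '";'
         . 's:4:"data";s:5:"pwned";}';
@unlink($target);

// Vulnerable: no class restriction. The object is created, dropped immediately,
// and __destruct() writes attacker-chosen content to an attacker-chosen path.
unserialize($payload);
echo "unrestricted unserialize wrote the file: ", var_export(file_exists($target), true), "\n";
@unlink($target);

// Hardened (PHP 7.0+): refuse to instantiate any class, so no destructor can run.
// The result is a __PHP_Incomplete_Class placeholder with no behaviour.
$obj = unserialize($payload, ['allowed_classes' => false]);
echo "restricted unserialize wrote the file: ", var_export(file_exists($target), true), "\n";
echo "restricted result class: ", get_class($obj), "\n";
@unlink($target);
```

The point of the example is that the attacker never calls any method: merely constructing and discarding the object is enough, which is why any class on the autoload path with a side-effecting __destruct() is worth cataloguing. Where objects are not needed at all, allowed_classes => false (or a JSON format) removes the whole class of bugs.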
New PHP extensions should be hardcoded :)
PHP 6 and PHP 7 are here. Many applications still use blacklist filtering for uploads and other file operations. Note that now you should add ".php6" and ".php7" to these lists. Finally it will...
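As an added example (not code from the page), a stale extension blacklist beside an allow-list check, run over a few constructed file names. The lists and names are assumptions for the demonstration.

```php
<?php
// Added example: blacklist that predates .php6/.php7 versus an allow-list.
function blacklistAllows(string $name): bool
{
    $deny = ['php', 'php3', 'php4', 'php5', 'phtml'];        // typical stale list
    $ext  = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return !in_array($ext, $deny, true);
}

function allowlistAllows(string $name): bool
{
    $allow = ['jpg', 'jpeg', 'png', 'gif'];                  // only what the app needs
    $ext   = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return $ext !== '' && in_array($ext, $allow, true);
}

// Store under a server-generated name so the client-supplied name is never reused.
function storedName(string $uploadedName): string
{
    $ext = strtolower(pathinfo($uploadedName, PATHINFO_EXTENSION));
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed upload names, including the two extensions the post mentions.
foreach (['avatar.png', 'shell.php', 'shell.php7', 'shell.PHP6', 'shell.phtml', 'noext'] as $name) {
    $allowed = allowlistAllows($name);
    printf("%-12s blacklist: %-5s allowlist: %-5s %s\n", $name,
        blacklistAllows($name) ? 'pass' : 'block',
        $allowed ? 'pass' : 'block',
        $allowed ? 'stored as ' . storedName($name) : '');
}
```

The blacklist passes shell.php7 and shell.PHP6 because nobody added them; the allow-list blocks them without knowing they exist, which is the reason to prefer it. Checking the content type of the bytes and keeping uploads outside the document root are separate controls that belong alongside the extension check.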
Using PHPMailer vulnerability to take the session
At the end of 2016 the world was shocked by a remote code execution exploit for PHPMailer. It's a very common 3rd party library used by Drupal, WordPress, Joomla and a number of other top web...