Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Siaberry's Command Injection Vulnerability- 61

SpaceDuck    Reference →Posted 6 Years Ago
  • The most obvious command injection ever seen.
  • The username and password from the login page are passed directly as command-line arguments to a binary. Yep, it's that simple.
  • The creator of the Siaberry software was not very responsive to the issue... Sometimes, people just refuse to make a legitimate fix for a vulnerability.

phpMyAdmin 4.7.x CSRF Vulnerability Exploit- 60

Ambulong    Reference →Posted 6 Years Ago
  • phpMyAdmin is a well-known MySQL/MariaDB online management tool.
  • The CSRF vulnerability allows for arbitrary SQL to be executed.
  • This can be used to reset the admin password of the website and to gain an arbitrary file write on the underlying operating system.
  • Overall, CSRF is much more dangerous than people realize...

Same Origin Policy Bypass using a Chrome Extension- 59

TheHackerBlog    Reference →Posted 6 Years Ago
  • The same-origin policy is what prevents Facebook.com from requesting your credit card details from Amazon. So, a bypass for it is very significant!
  • The background page that every Google Chrome extension runs in has access to a very privileged API. So privileged, in fact, that it can be leveraged to make a web request to a domain with the system's cookies attached and return the content!
  • In the end, be very careful with what extensions you download.

Major Vulnerabilities in Foscam Cameras- 58

Vdoo    Reference →Posted 6 Years Ago
  • To start with, an API can be abused to delete arbitrary files. This is done by a classic directory traversal (../).
  • Stack-based buffer overflow caused by the concatenation of two strings :) Interesting, never heard of this one before!
  • OS command injection in the administrative features via a server configuration.
  • Overall, a great article that goes into VERY deep technical details about the vulnerabilities!

QRadar Vulnerabilities from SSD- 57

SSD-Disclosure    Reference →Posted 6 Years Ago
  • IBM QRadar is an enterprise security information and event management (SIEM) product (just for perspective).
  • Quoted from the article: "This exploit chain abuses both components of the forensics application to bypass authentication and write a file to disk, and then it abuses a cron job to escalate privileges to root. QRadar has an Apache reverse proxy sitting in front of all its web applications, which routes requests according to the URL." So cool when 3 or 4 vulnerabilities turn into RCE!
  • To bypass authorization, the parameter forensicsManagedHostIps could be used. This was traditionally used for internal services, but also worked from the outside. Once this parameter was used on the authentication request, the cookies in the request were added as valid tokens.
  • The command injection was very normal; just injecting a parameter into an OS-level command.
  • Finally, a cron job (a scheduled Unix task) is abused to get from a low-privilege shell to root.

Backdoors in D-Link's Backyard- 56

Securelist    Reference →Posted 6 Years Ago
  • The latest firmware of the router had hardcoded default credentials. These were found using a disassembler to take apart the firmware.
  • Besides the hardcoded creds, there was an OS command injection due to improper handling of a parameter. Additionally, throw in a reflected XSS and default telnet creds.
  • Not a great analysis of the bugs, but still something to go off of.
  • It seems that all NASes and routers have default creds or OS command injection. Pattern matching for common vulns is a very important part of research!

Universal CSP strict-dynamic bypass in Firefox - 55

Masato Kinugawa    Reference →Posted 6 Years Ago
  • The Content-Security-Policy is a protection that helps mitigate HTML injection and XSS flaws in a website. A bypass of the CSP would defeat all of these restrictions.
  • This seems to be a parser issue that allows some file to be loaded, given a prior XSS bug.
  • This feels like black magic... Dive into the parsing details if you are looking for a good time!

BackSwap malware finds innovative ways to empty bank accounts- 54

WeLiveSecurity    Reference →Posted 6 Years Ago
  • This banking malware injects malicious JavaScript into the web page, without the user noticing. This works by manipulating the Windows GUI elements and simulating user input.
  • Overall, a fairly good analysis of the malware strain being used! I just thought that this was quite innovative.

Compromising Thousands of Websites Through a CDN- 53

Max Justicz    Reference →Posted 6 Years Ago
  • A content delivery network (CDN) serves lots of data from many different geographical locations. So, compromising a CDN is a huge deal!
  • When a URL for an NPM package is requested, the CDN checks whether the package has already been downloaded. If not, it downloads it directly from NPM.
  • However, there are a few issues with the implementation. To start with, the library used to open the package files preserves symbolic links. This gives you an arbitrary file read over the CDN.
  • To get an arbitrary write, point a symlink at a file that has already been extracted. A mature tar implementation would not allow this, but this one does.
  • The attack also worked with hardlinks.
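The symlink and hardlink members described in the two bullets above are exactly what a pre-extraction check should reject. This is an added example, not code from the article or the CDN in question; it assumes a tar whose -tv listing begins each line with the mode string (GNU tar and bsdtar both do) and builds its own constructed sample archives.

```shell
#!/bin/sh
# Added example (not from the original article): refuse to extract archives that
# contain symbolic links, hard links, absolute paths, or ".." components, the
# tar features a careless extractor turns into arbitrary read/write.
set -eu

# Returns 0 when the archive has no symlink ("l") or hardlink ("h") entries and
# no member name that is absolute or contains a ".." component; 1 otherwise.
tar_is_safe() {
  ! tar -tvf "$1" | grep -q '^[lh]' &&
  ! tar -tf "$1" | grep -Eq '^/|(^|/)\.\.(/|$)'
}

# Builds three constructed archives in a scratch directory and prints its path:
# safe.tar (regular file only), symlink.tar (a link pointing outside the tree,
# the arbitrary-read case) and hardlink.tar (two names for one inode, the
# hard-link variant the article mentions).
make_samples() {
  d=$(mktemp -d)
  mkdir "$d/pkg"
  : > "$d/pkg/index.js"
  tar -cf "$d/safe.tar" -C "$d" pkg

  ln -s /etc/passwd "$d/pkg/evil_link"     # tar stores the link, not its target
  tar -cf "$d/symlink.tar" -C "$d" pkg
  rm "$d/pkg/evil_link"

  ln "$d/pkg/index.js" "$d/pkg/alias.js"   # second name for the same inode
  tar -cf "$d/hardlink.tar" -C "$d" pkg
  printf '%s' "$d"
}
```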

Back To The Future: Unix Wildcards Gone Wild- 52

Leon Juranic    Reference →Posted 6 Years Ago
  • Wildcards are a way to use one or more special characters to match zero or more characters in a name. This sounds complicated, but it is essentially a really powerful autocomplete feature.
  • Here are the possible wildcards:
    • *: Matches any number of characters (including none) after the pattern that precedes it.
    • ?: Matches any single character.
    • [ ]: Matches from a set of characters.
    • -: Used within the brackets to denote a range of characters.
    • ~: Expands to the name of your home directory. If you append another user's login name to the character, it refers to that user's home directory.
  • The asterisk, being a wildcard character, had some weird effects. For instance, when a file named '-rf' is included in the expansion of an rm * command, the shell passes it to rm as the argument -rf, which rm then treats as flags. This then deletes all of the directories within the location.
  • Essentially, a Unix command receives file names as arguments and may interpret them as flags. This happens with chown and chmod in the examples given.
  • Two other examples gave arbitrary command execution: a parameter to tar (as a file name) and to rsync (as a file name).
  • Not discussed in this article, but just using wildcards in general can be dangerous in scripts. You never know what you are getting yourself into!
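The '-rf' file from the list above, reproduced in a scratch directory alongside the two standard fixes: ending option parsing with "--", or globbing "./*" so every argument starts with "./". This is an added example, not code from the article; it pins LC_ALL=C so the glob sorts '-rf' first (GNU rm would accept the option anywhere anyway).

```shell
#!/bin/sh
# Added example (not from the original article): a file literally named "-rf"
# becomes an option when "rm *" expands it, so the sibling directory is deleted
# recursively while the "-rf" file itself survives as an "option".
set -eu
export LC_ALL=C   # deterministic glob order: "-" sorts before letters

# Constructed scratch directory: a subdirectory, a regular file and the "-rf"
# file name. Prints the directory path.
setup_dir() {
  d=$(mktemp -d)
  mkdir "$d/keep_me"      # rm without -r must refuse to remove this
  : > "$d/notes.txt"
  : > "$d/-rf"            # the file name that turns into flags
  printf '%s' "$d"
}

# Vulnerable: * expands to "-rf keep_me notes.txt", so rm runs with -rf.
unsafe_rm_all() { (cd "$1" && rm * 2>/dev/null) || true; }

# Fix 1: "--" ends option parsing; "-rf" is now just a file name.
safe_rm_all_dashdash() { (cd "$1" && rm -- * 2>/dev/null) || true; }

# Fix 2: "./*" prefixes every match, so no argument can start with "-".
safe_rm_all_dotslash() { (cd "$1" && rm ./* 2>/dev/null) || true; }

# Helpers for checking the outcome: did the directory survive, is "-rf" gone?
dir_survived()   { [ -d "$1/keep_me" ]; }
dashrf_removed() { [ ! -e "$1/-rf" ]; }
```

Note that rm without -r fails on keep_me in the safe variants, which is the behaviour you want; the "|| true" only keeps the demo running under set -e.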