Monday, November 15, 2010
VxWorks - Open can of worms...
I remember one of the things that HD Moore mentioned when starting his presentation at Defcon was: "Have you ever seen some high weird ports on your pentests and, just because you did not know what the service was about, you moved on to the next service? Well..." I mean, it was something like that. Well, I remember having at least two pentests where I saw some of these VxWorks ports and did not pay a lot of attention after playing with them a little bit. Shame on me... UDP port 17185 does not ring a bell, but after you read the info in the Metasploit blog it will.
Well, I just wanted to throw this out there and since all the info is already posted out I will not waste your time anymore.
Happy hacking.
c4an.
Sunday, August 22, 2010
ColdFusion article.cfm SQL injection
This is another quick post. While browsing through the web and looking at specific pages that I wanted to test, there was one website that had ColdFusion 8 installed to manage its content. I started playing with the pages and in less than 5 minutes of browsing a SQL injection popped up in front of me. At first I thought that this was only a programming problem on the web site that I was testing, but after digging a little bit more I found out that this is a persistent vuln in a lot of the ColdFusion websites that you can find out there.
Now, this was already reported by someone as a problem before (I think it was reported in 2000), so I am not taking responsibility for its discovery, and honestly this is so basic that who would want to take the responsibility for reporting this? If you want the details, google it. However, I wanted to post this article because the number of sites that have this vuln was amazing to me. So here it comes:
Just look in google using the following query:
inurl:article.cfm
I would suggest that you also try not to touch .com sites and start with sites that are in other remote countries. Also try to test this on sites that use SSL so, in case the site is monitored by an IDS or IPS, it won't detect you.
The next thing that you have to do is identify all sites that are using something like this:
http://target/article.cfm?id=1
Next thing you know you can exploit a SQL injection or XSS; just start playing after the parameter id. For example, the site that I was testing was really straightforward. Something like this:
http://target/article.cfm?id=1 UNION select 1,1,1,1,1,1,name from systables;--
And so on..
Have fun ;)
c4an.
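The request shape shown in the post above is easy to recognise on the server side, which is where a site owner would catch it. As an added example, not part of the original post, here is a small Ruby detector that runs over access-log lines in Common Log Format and flags article.cfm requests whose id parameter is not a plain integer and carries SQL keyword sequences. The log lines, hosts and IP addresses in SAMPLE_LOG are constructed for this example.

```ruby
require 'cgi'

# Constructed sample access-log lines (Common Log Format); not real traffic.
SAMPLE_LOG = <<~'LOG'
  203.0.113.5 - - [22/Aug/2010:14:01:02 +0000] "GET /article.cfm?id=1 HTTP/1.1" 200 5120
  203.0.113.5 - - [22/Aug/2010:14:01:09 +0000] "GET /article.cfm?id=1%20UNION%20select%201,1,1,1,1,1,name%20from%20systables;-- HTTP/1.1" 500 312
  198.51.100.7 - - [22/Aug/2010:14:02:15 +0000] "GET /article.cfm?id=42 HTTP/1.1" 200 6010
  198.51.100.7 - - [22/Aug/2010:14:02:20 +0000] "GET /article.cfm?id=1'%20or%20'1'='1 HTTP/1.1" 200 5120
  192.0.2.9 - - [22/Aug/2010:14:03:00 +0000] "GET /index.cfm HTTP/1.1" 200 2048
LOG

# Keyword sequences that have no business inside a numeric id parameter.
SQLI_PATTERNS = [
  /\bunion\b.*\bselect\b/i,
  /\bselect\b.*\bfrom\b/i,
  /'\s*or\s*'/i,
  /;\s*--/,
].freeze

# Request line inside a CLF record: method, target, protocol.
REQUEST_RE = /"(?<method>GET|POST) (?<target>\S+) HTTP\/[\d.]+"/

# Parse one CLF line into client ip, method and request target; nil if it does not match.
def parse_line(line)
  m = REQUEST_RE.match(line) or return nil
  { ip: line.split(' ', 2).first, method: m[:method], target: m[:target] }
end

# Return the decoded value of one query parameter, or nil when absent.
# Splits on '&' only, so a ';' inside a value stays part of the value.
def query_param(query, name)
  query.to_s.split('&').each do |pair|
    k, v = pair.split('=', 2)
    return CGI.unescape(v.to_s) if k == name
  end
  nil
end

# Return the decoded id parameter if the request targets article.cfm, else nil.
def article_id(target)
  path, query = target.split('?', 2)
  return nil unless File.basename(path.to_s) == 'article.cfm'
  query_param(query, 'id')
end

# Classify a single id value: :ok for a plain integer, otherwise a reason string.
def classify_id(id)
  return :ok if id =~ /\A\d+\z/
  hit = SQLI_PATTERNS.find { |re| id =~ re }
  hit ? "matched #{hit.source}" : 'non-numeric id'
end

# Run the detector over a log blob; returns an array of flagged requests.
def flag_suspicious(log_text)
  log_text.each_line.map do |line|
    req = parse_line(line) or next
    id = article_id(req[:target]) or next
    verdict = classify_id(id)
    next if verdict == :ok
    { ip: req[:ip], target: req[:target], reason: verdict }
  end.compact
end

if $PROGRAM_NAME == __FILE__
  flag_suspicious(SAMPLE_LOG).each do |h|
    puts "#{h[:ip]} #{h[:reason]}: #{h[:target]}"
  end
end
```

The check is deliberately narrow: it only looks at a parameter the application treats as an integer, so a non-numeric value is already a strong signal and the keyword patterns just label the reason. Run over the constructed lines it flags the two tampered requests and nothing else.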
Sunday, January 24, 2010
Metasploit: msfproxy, crawler and wmap
This is my first version of a simple Ruby crawler. The main idea of this tool is to use it while interacting with the wmap database and populate the request table. Because this is my first version the database interaction is not as clean as I would like, but I still believe it can be used. Now, I know for a fact that ET (creator of wmap) is already working on a crawler of his own with a lot of modularity and cleaner options. However, since I already had this code with me I thought that it was a good idea to post it. Who knows, maybe it will help someone :)
One thing that you have to know before you start using this crawler is that it uses hpricot as its primary library. If hpricot is not installed it will use a function that I developed. Hpricot can be installed on Ruby by typing:
sudo gem install hpricot
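To show what a crawler of this kind does at its core, here is an added example that is neither the crawler from this post nor part of wmap or Metasploit: a breadth-first, same-host link walker in Ruby with a regex href extractor (the sort of fallback used when no HTML parser such as hpricot is available), a depth limit (my own choice; the page does not describe what the post's -j option controls), and an in-memory fake site. FAKE_SITE and the fetch function are constructed stand-ins for HTTP fetching so the walk runs offline; the hostnames are made up. The last function turns discovered URLs into path/parameter records, the kind of entry a request table holds so parameterised pages can be tested later.

```ruby
require 'uri'
require 'set'

# Constructed site: a tiny in-memory stand-in for fetching pages over HTTP.
# Keys are absolute URLs, values are HTML bodies. Pages that are linked but
# missing here (the article.cfm ones) behave like a page that could not be fetched.
FAKE_SITE = {
  'http://www.example.test/' => <<~HTML,
    <html><body>
      <a href="/news/">News</a>
      <a href="article.cfm?id=1">First article</a>
      <a href="http://www.example.test/about.html">About</a>
      <a href="http://other.example.test/">External</a>
      <a href="mailto:webmaster@example.test">Mail</a>
    </body></html>
  HTML
  'http://www.example.test/news/' => <<~HTML,
    <html><body>
      <a href='../article.cfm?id=2'>Second</a>
      <a href="/news/archive.html">Archive</a>
    </body></html>
  HTML
  'http://www.example.test/about.html' => '<html><body>nothing to see</body></html>',
  'http://www.example.test/news/archive.html' => '<html><body><a href="/">home</a></body></html>',
}.freeze

# Hypothetical fetcher: returns the HTML body for a URL, or nil if it cannot be fetched.
def fetch(url)
  FAKE_SITE[url]
end

# Pull href values out of raw HTML without an HTML parser.
# Handles single- and double-quoted attributes, case-insensitively.
def extract_hrefs(html)
  html.scan(/<a\b[^>]*\bhref\s*=\s*(?:"([^"]*)"|'([^']*)')/i).map { |dq, sq| dq || sq }
end

# Resolve a link against the page it was found on, drop the fragment, and keep
# only http(s) links on the same host as the start page.
def normalize(base, href, host)
  abs = URI.join(base, href)
  return nil unless %w[http https].include?(abs.scheme) && abs.host == host
  abs.fragment = nil
  abs.to_s
rescue URI::Error
  nil
end

# Breadth-first walk from start_url, following links at most max_depth hops deep.
# Returns every same-site URL discovered, in discovery order, whether or not it
# could be fetched (a link to a missing page is still a target worth recording).
def crawl(start_url, max_depth:)
  host = URI.parse(start_url).host
  seen = Set[start_url]
  queue = [[start_url, 0]]
  discovered = [start_url]
  until queue.empty?
    url, depth = queue.shift
    body = fetch(url) or next
    next if depth >= max_depth
    extract_hrefs(body).each do |href|
      link = normalize(url, href, host)
      next if link.nil? || seen.include?(link)
      seen << link
      discovered << link
      queue << [link, depth + 1]
    end
  end
  discovered
end

# Reduce discovered URLs to (path, parameter names) records.
def request_records(urls)
  urls.map do |u|
    uri = URI.parse(u)
    { path: uri.path, params: URI.decode_www_form(uri.query.to_s).map(&:first) }
  end
end

if $PROGRAM_NAME == __FILE__
  urls = crawl('http://www.example.test/', max_depth: 2)
  request_records(urls).each { |r| puts "#{r[:path]} #{r[:params].inspect}" }
end
```

The same-host filter and the depth limit are what keep a crawler scoped to the site it was pointed at; links to other hosts and non-http schemes are dropped before they are ever queued, and a visited set prevents loops such as the archive page linking back to the root.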
The first thing that you have to do is download the code and save it into the msf3/tools/ folder.
Now, there are two options to run the crawler and then being able to run wmap modules based on your discovery:
OPTION 1. Two consoles (you can use any crawler with this option)
1. Open two separate consoles and go in both of them to the msf3/tools/ folder.
2. On the first console open a Metasploit msfconsole and follow the steps below:
=[ metasploit v3.3.4-dev [core:3.3 api:1.0]
+ -- --=[ 320 exploits - 99 auxiliary
+ -- --=[ 217 payloads - 20 encoders - 6 nops
=[ svn r8140 updated 8 days ago (2010.01.16)
msf > cd tools
msf > db_driver sqlite3
[*] Using database driver sqlite3
msf > db_create wm_req.db
[*] Creating a new database instance...
[*] Successfully connected to the database
[*] File: wm_req.db
msf > load db_wmap
[*] =[ WMAP v0.6 - et [ ] metasploit.com
[*] Successfully loaded plugin: db_wmap
msf > db_connect wm_req.db
[*] Successfully connected to the database
[*] File: wm_req.db
msf > ruby msfproxy.rb -w wm_req.db
3. On the second console run the following command:
ruby crawler.rb -h
Usage: crawler.rb
OPTIONS:
-a Print website structure
-c Create database to interact with wmap
-h Display this help information
-i
-j
-l Log visited websites in a text file /msf3/tools/crawler.log
-m Add discovered links to wmap database as targets. Options: -c or -w required
-n Print new possible targets during crawling
-p
-v Verbose
-w
ruby crawler.rb -i 127.0.0.1 -p 8080 -v -j 1 -t http://www.target.com/
4. After the crawler ends, return to the Metasploit console, stop the msfproxy and type the following:
msf > wmap_targets -r
msf > wmap_run -e
OPTION 2. One console
=[ metasploit v3.3.2-release [core:3.3 api:1.0]
+ -- --=[ 463 exploits - 218 auxiliary
+ -- --=[ 192 payloads - 22 encoders - 8 nops
=[ svn r7808 updated 40 days ago (2009.12.10)
Warning: This copy of the Metasploit Framework was last updated 40 days ago.
We recommend that you update the framework at least every other day.
For information on updating your copy of Metasploit, please see:
http://dev.metasploit.com/redmine/projects/framework/wiki/Updating
msf > cd tools
msf > db_driver sqlite3
[*] Using database driver sqlite3
msf > db_create wm_req.db
[*] Creating a new database instance...
[*] Successfully connected to the database
[*] File: wm_req.db
msf > load db_wmap
[*] =[ WMAP v0.6 - et [ ] metasploit.com
[*] Successfully loaded plugin: db_wmap
msf > db_connect wm_req.db
[*] Successfully connected to the database
[*] File: wm_req.db
msf > ruby crawler.rb -v -j 1 -w wm_req.db -t http://www.target.com/
...
msf > wmap_targets -r
msf > wmap_run -e
Hope this helps someone.
Thanks
c4an.