Ryan McFarland writes on his blog: “Privilege escalation always comes down to proper enumeration. But to accomplish proper enumeration you need to know what to check and look for. This takes familiarity with systems that normally comes along with experience. At first privilege escalation can seem like a daunting task, but after a while you start to filter through what is normal and what isn’t. It eventually becomes easier to know what to look for rather than digging through everything hoping to find that needle in the haystack. Hopefully this guide will provide a good foundation to build upon and get you started.”
Category: Security
Security related news
“How we broke PHP, hacked Pornhub and earned $20,000”
This is a very interesting read on how Dario Weißer (@haxonaut), cutz and Ruslan Habalov (@evonide) were able to find a PHP unserialize bug to exploit and gain remote code execution on Pornhub. Pornhub’s bug bounty program is at Hackerone In stead of actively attacking Pornhub, they took another road and attacked what Pornhub is built upon: PHP.
Read MoreBinary webshell through OPcache in PHP 7
GoSecure wrote up a new PHP exploitation technique using the default OPcache engine from PHP 7. Using this attack vector, it’s possible to bypass certain hardening techniques that disallow the file write access in the web directory. This could be used by an attacker to execute his own malicious code in a hardened environment.
This new PHP 7 OPcache attack vector is an additional exploitation technique tailored to specific hardened environments. It is not a universal vulnerability affecting PHP applications. With the arrival of PHP 7.0 in major distributions such as Ubuntu 16.04, this attack vector reinforces even more the need to audit your code for file upload vulnerabilities and to be wary of potentially dangerous server configuration.
Cracking PHP rand()
Sjoerd Langkemper writes about Cracking PHP rand(): Webapps occasionaly need to create tokens that are hard to guess. For example for session tokens or CSRF tokens, or in forgot password functionality where you get a token mailed to reset your password. These tokens should be cryptographically secure, but are often made by calling
rand() multiple times and transforming the output to a string. This post will explore how hard it is to predict a token made with rand().
This is a very interesting read about how PHP rand() works, and how to attack & crack it. The post ends with the following conclusion:
Joomla websites abused as open proxy for Denial-of-Service attacks
Joomla websites using the Googlemaps plugin for Joomla are actively abused as open proxy for launching Denial-of-Service (DoS) attacks. Even though the Googlemaps plugin vulnerability plugin_googlemap2_proxy.php was released over one and a half (1,5) years ago, I still see these DoS-attacks happening on a regular basis…
Exploit PHP’s mail() to get remote code execution
Exploit PHP’s mail() function to perform remote code execution, under rare circumstances.
Increase in SQL injection attacks
Summer vacation’s over? More and more SQL injection attacks observed
Since a week or so, I notice a huge increase in SQL injection attacks on various websites. Anyone else seeing the same SQL injection attacks lately? This increased SQL injection activity – on various web sites and databases – has the following characteristics:
Read MoreHow to test SMTP Authentication and StartTLS
How to test SMTP authentication and StartTLS using the command line?
When investigating SMTP authentication issues, particular over TLS encrypted SMTP connections, it’s always handy if you are able to test the SMTP authentication and StartTLS connection. Preferably from your command line. This post shows you how to test SMTP servers, verify SMTP authentication and StartTLS encrypted connections from the Linux and Windows command line.
Read MoreprettyPhoto DOM based XSS
prettyPhoto DOM based XSS on Saotn.org… This evening, after tweeting about preventing cross site scripting vulnerabilities, I received a reply from Olivier Beg. His reply to my tweet contained an image, as you can see above. He alerted me that Saotn.org was vulnerable to a DOM based XSS vulnerability, hidden in prettyPhoto used by my WordPress theme. Whoops! So, I had work to do! But, what is prettyPhoto and what exactly is a DOM based XSS?
Read MoreA Penetration Tester’s Guide to IPMI and BMCs
HD Moore wrote an excellent article on penetration testing IPMI and BMC’s. The article is based on various work of Dan Farmer and provides Metasploit penetration testing examples.
Read MoreGrep for forensic log parsing and analysis on Windows Server IIS
How to use GnuWin32 ported tools like grep.exe and find.exe for forensic log file analysis in Windows Server. In this article I’ll give some real live examples of using these ported GnuWin tools like grep.exe for logfile analysis on Windows servers. The article provides three example, as an alternative to LogParser, because finding spam scripts fast is often very important.
Unauthorized Access: Bypassing PHP strcmp()
The following was posted to the Web Security Mailinglist: Unauthorized Access: Bypassing PHP strcmp(). A way to bypass PHP’s strcmp() binary safe string comparison function.
“htaccess files should not be used for security restrictions”
Acunetix’ Bogdan Calin wrote an article explaining why .htaccess files should not be used to secure sensitive data: htaccess files should not be used for security restrictions.
Read More