Stored XSS to Full Information disclosure

Hello pals,

While researching terapeak.com I found that the Bulk Research name is vulnerable to an XSS attack.

Note: You need to subscribe to a Terapeak Professional account.

POC:

After digging more I found that with that token you can get full information about that user, such as:

Email address, full name, member ID, subscription type, and other info as well.

The request to get user details:

Response:

Thank you!!

 

IDOR – Execute JavaScript into anyone account

Hey guys,

New blog post about a critical IDOR issue which I found in terapeak.com, which allows attackers to change any user's information and delete any saved bulk search remotely from their own account by just changing the token id in PUT and DELETE requests.

The request for change and save search info looks like:

It was observed that by simply changing the value of <token=> in the above URL, it is possible to change the user info and delete the saved searches of the user associated with that particular token.

Original Request:

Edited Request:

XSS

So I found a stored XSS in saved search:

An attacker can chain the IDOR to change a user's saved search to an XSS payload, and when the user accesses their account the XSS will pop up.

Thanks for reading!  Happy Hunting 🙂

 

 

All About Hackerone Private Program Terapeak

Hi folks!!

Here is a new blog post – all about Hackerone private program Terapeak.

One day I got a private invitation from Hackerone and started digging into it, as I was trying to come back to bug bounty. I thought this was the right time to get some reputation. After spending some time I found some XSS, CSRF, IDORs, SQLi etc.

I reported all the issues on Hackerone and started waiting for the response. I did not have a good reputation at that time, and that was my only hope to get new invitations and start afresh in bug bounty.

Sadly, it wasn't a good start, as my first IDOR was a duplicate where one can execute JavaScript in anyone's account, and the reward for that bug was $5000.

Finally 🙂 all bugs got triaged and I was like 😀

It was over five months and yet I was not getting any updates. Then I got some bounty from Terapeak for XSS and for other smaller bugs, but still the critical bugs like IDORs, CSRF, SQLi were triaged and I was getting no reply.

After contacting Hackerone I was told that they would get back soon, but nothing in my favour. Then I met Adam Bacchus at Nullcon India and shared everything with him. He assured me of his best efforts and I was told that he would be updating me, but still there was no reply from Terapeak. There was no reply in spite of my repeated communication with Terapeak and Terapeak security members. Then a ray of hope arose when I got an update from Adam Bacchus that Terapeak was waiting for their sales manager, who would decide the budget for bounties, and I was to wait for at least two weeks. Months passed but nothing happened!

And then I started chatting with Jason Kabaker and he updated me that Terapeak is coming back and will start rewarding patient hackers only. To date there is no update on my Hackerone profile. I lost all my hope and thought to write a blog post about the situation. I asked the Hackerone team for approval, and as per the Hackerone disclosure guidelines, hackers can publicly disclose if the response time is over months.

I acknowledge all of the hard work you guys did at HackerOne to try and rectify the situation.

So here are some of the bugs which I’ve found:

Critical IDOR – Cancel any user subscription, Edit subscription, Add subscription

So with this IDOR I was able to change and delete the subscription of any user.

Request:

So we just need to replace <email> with the victim's email and we can remove the Terapeak MySales Pro subscription from their account.
2039653 is a subscription id, so we don't need to change it.

Reflected XSS

I found an XSS in the search box of Terapeak.

Go to http://www.terapeak.com/worth/search

IDOR in Change Email

I was testing the change email option and I found that to change the email you need to submit a request at https://support.terapeak.com/hc/en-us/requests/new?ticket_form_id=64245&contact=form

Fill in the form; the subject should be to change email.
An attacker can send the following request and change the user's email, as there is no verification.

The anonymous_requester_email%5D=shubhamgupta109.1995@gmail.com parameter is vulnerable to an IDOR attack; the attacker only needs to change the email to the user's email.

To verify this I did the same test on my account and Armaan Pathan's account.

Impact:

An attacker can basically mount an IDOR attack which would change the default email of the user, and this would lead to account takeover.
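The three IDORs in this post (the saved-search token, the <email> field on the subscription endpoint, and the unverified change-email form) share one root cause: the server trusts an identifier the client supplies to decide whose object to touch. The following is an added example written for this page, not Terapeak's code; the in-memory stores, the endpoint names in the docstrings, the NotFound error and the confirmation-token flow are all assumptions. It reads the owner from the stored record and compares it with the session identity, and treats an email change as a two-step operation that a single unauthenticated request cannot complete.

```python
import secrets
from dataclasses import dataclass

# Constructed in-memory stores standing in for the application's database.
# Keys, field names and the endpoints in the docstrings are assumptions.
USERS = {"alice@example.com": {"member_id": 1}, "bob@example.com": {"member_id": 2}}
SAVED_SEARCHES = {
    "tok-1111": {"owner": "alice@example.com", "name": "vintage cameras"},
    "tok-2222": {"owner": "bob@example.com", "name": "bike parts"},
}
SUBSCRIPTIONS = {2039653: {"owner": "alice@example.com", "plan": "MySales Pro", "active": True}}
PENDING_EMAIL_CHANGES = {}  # confirmation token -> (current email, requested email)


class NotFound(Exception):
    """Used for both 'no such object' and 'not yours', so the endpoint does not
    act as an oracle that confirms which tokens or ids exist."""


@dataclass
class Session:
    """Server-side session. The acting identity comes only from here, never from a
    token, email or id carried in the request body or query string."""
    user_email: str


def _load_owned(store: dict, key, session: Session) -> dict:
    """Object-level authorization: fetch by key, then compare the owner recorded on
    the object with the authenticated identity."""
    record = store.get(key)
    if record is None or record["owner"] != session.user_email:
        raise NotFound(key)
    return record


def update_saved_search(session: Session, token: str, new_name: str) -> dict:
    """PUT /search/<token>: rename a saved search; only its owner may do so."""
    record = _load_owned(SAVED_SEARCHES, token, session)
    record["name"] = new_name
    return record


def delete_saved_search(session: Session, token: str) -> None:
    """DELETE /search/<token>."""
    _load_owned(SAVED_SEARCHES, token, session)
    del SAVED_SEARCHES[token]


def cancel_subscription(session: Session, subscription_id: int) -> dict:
    """Cancel a subscription. There is deliberately no <email> parameter: the owner is
    read from the stored record, so a client cannot name someone else's account."""
    sub = _load_owned(SUBSCRIPTIONS, subscription_id, session)
    sub["active"] = False
    return sub


def request_email_change(session: Session, new_email: str) -> str:
    """Start an email change for the session user. Nothing changes yet: a random
    confirmation token is recorded and (in a real system) sent out of band, so a
    request that merely names another user's address cannot rebind their account."""
    token = secrets.token_urlsafe(32)
    PENDING_EMAIL_CHANGES[token] = (session.user_email, new_email)
    return token


def confirm_email_change(token: str) -> str:
    """Apply the pending change only when the matching confirmation token comes back."""
    try:
        current, new_email = PENDING_EMAIL_CHANGES.pop(token)
    except KeyError:
        raise NotFound("invalid or expired confirmation token") from None
    USERS[new_email] = USERS.pop(current)
    return new_email
```

Returning the same NotFound for "does not exist" and "not yours" means a changed token tells the caller nothing about which ids are live. Logging the mismatch server-side is still worthwhile: a session user repeatedly requesting other users' tokens or subscription ids is a clear signal of IDOR probing.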

Thanks for reading. I want you guys to share this as much as possible.

 

Multiple vulnerabilities in Oracle EBS

I'm writing about multiple vulnerabilities which were found while testing a private program.

After enumeration I learned that xyz.com is using Oracle EBS, and I found multiple vulnerabilities in it.

SQL Injection

Description:

It was observed that the page biccfgd2.jsp is vulnerable to SQL injection, which may lead to application compromise. An attacker may add, modify and delete application data.

Impact:

An attacker may perform a wide range of attacks that can be delivered via SQL injection, including reading or modifying critical application data and interfering with application logic. Further, this vulnerability can be exploited to escalate privileges.

POC:

I set up Netcat and ran the following query:

 

As can be seen, an HTTP request was made from the vulnerable server to our attacking machine.

XML External Entity Injection

Description:

It was observed that the current installation of WFMs is vulnerable to an XML External Entity attack, AKA XXE, which may lead to sensitive information disclosure and data exfiltration as well as Server Side Request Forgery.

Impact:

An attacker may perform a wide range of attacks, such as reading local system files containing sensitive information, or use the server as a proxy to perform further attacks such as port scanning and exploiting other nodes on the same network.

POC:

Set up a netcat listener, log in as the SOCSupervisor user and go to the following link:

After modifying the request:

As can be seen, a request has been initiated from the server to our attacking machine.
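For the defensive side of this finding, here is an added example that is not Oracle's or the program's code: parsing untrusted XML with Python's standard-library expat parser so that no DOCTYPE and no external entity is ever honoured, which removes the out-of-band request observed above. The element names and the two constructed documents are assumptions made for the example.

```python
import xml.parsers.expat as expat


class XXEAttempt(Exception):
    """Raised when an untrusted document carries a DOCTYPE or an external entity reference."""


# Constructed documents for the demonstration; the element names are assumptions.
CLEAN_DOC = (b'<?xml version="1.0"?>'
             b'<request><user>SOCSupervisor</user><action>report</action></request>')
DOCTYPE_DOC = (b'<?xml version="1.0"?>'
               b'<!DOCTYPE request SYSTEM "http://listener.example/x.dtd">'
               b'<request><user>SOCSupervisor</user></request>')


def parse_untrusted_xml(data: bytes) -> list:
    """Parse XML from an untrusted source into [(element, text)] pairs.

    Hardening: any DOCTYPE is rejected outright (so no entity declarations at all),
    parameter-entity parsing is disabled, and an external entity reference is turned
    into an exception instead of a fetch. With these in place the parser cannot issue
    the kind of out-of-band request the write-up observed.
    """
    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def reject_doctype(name, system_id, public_id, has_internal_subset):
        raise XXEAttempt(f"DOCTYPE {name!r} not allowed (system id {system_id!r})")

    def reject_external(context, base, system_id, public_id):
        raise XXEAttempt(f"external entity {system_id!r} not allowed")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.ExternalEntityRefHandler = reject_external

    elements = []    # [name, accumulated text] in document order
    open_stack = []  # indexes into `elements` for the currently open elements

    def start(name, attrs):
        open_stack.append(len(elements))
        elements.append([name, ""])

    def end(name):
        open_stack.pop()

    def chars(text):
        # expat may deliver one text node in several pieces; append them all.
        if open_stack:
            elements[open_stack[-1]][1] += text

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    parser.Parse(data, True)
    return [(name, text.strip()) for name, text in elements]
```

Python's expat does not fetch external entities unless a handler is installed for them; the explicit handlers above turn a silent ignore into a rejection that can be logged and alerted on. XML parsers in Java and .NET have historically resolved external entities by default, so the equivalent feature flags must be disabled there.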

 

Multiple XSS 

It was observed that the ip parameter of the printers.php page is vulnerable to a cross-site scripting attack. Cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way.

http://wfms-test-db.stc.com.sa:8010/OA_HTML/jtfwcall.jsp?areacode=<script>alert(/xss/)</script>

Thanks for reading about the above vulnerabilities; I hope these were useful. 🙂

 

 

SVG XSS in UniFi v5.0.2

This is another finding in Unifi Controller.

Description:

I have found a persistent XSS vulnerability on the UniFi Controller that allows attackers to steal users' cookies, perform CSRF attacks against the victim's account or perform phishing attacks. This vulnerability occurs because the page allows SVG attachments that contain "xmlns=http://www.w3.org/1999/xhtml"; the page will then render the content of the XML as HTML, resulting in an XSS vulnerability.

Many websites now allow SVG files to be uploaded under the images category. But do they filter the content of the SVG file before placing it on the server? The answer is ummm…? To verify this, what I did was create an SVG file with the XSS vector below and start testing the websites that allow images.

Demo:

http://guptashubham.com/poc.svg

Reproduce:

1). While logged in to the UniFi controller, go to https://localhost:8443/manage/site/urrhpg78/maps
2). In image upload, select the poc.svg
3). Then click "Upload File".
4). After the file is uploaded, open the image.
5). See the XSS alert.

Direct link:

The direct link will be something like:

https://localhost:8443/file/s/urrhpg78/map/ID

unifi_controller_5-0-2_beta_svg_xss

I found the same bug in some other applications; you can have a look at Jasminder Pal Singh's blog. This bug also affects demo.ubnt.com.

Fix:

A simple fix for this vulnerability is to block SVG file uploads; if this isn't possible, a good method is to parse the SVG file and reject the upload if it contains HTML or invalid tags.
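As an added illustration of the second option in the fix (parse the SVG and reject uploads that carry HTML), here is a check written for this page; it is not Ubiquiti's code, and the element deny-list, the attribute rules and the sample files are assumptions. It parses the upload as XML and refuses anything outside the SVG namespace (which is exactly the xmlns=http://www.w3.org/1999/xhtml case above), any script or foreignObject-type element, any on* event attribute, and any javascript: or data: href.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"

# Elements that run script or embed non-SVG content even when they sit in the SVG
# namespace. The list is an assumption for this example, not a complete policy.
FORBIDDEN_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}

# Constructed sample uploads (strings used only as test inputs; nothing is executed).
SAMPLE_OK = (b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
             b'<circle cx="5" cy="5" r="4"/></svg>')
SAMPLE_XHTML = (b'<svg xmlns="http://www.w3.org/2000/svg">'
                b'<div xmlns="http://www.w3.org/1999/xhtml">hello</div></svg>')
SAMPLE_HANDLER = b'<svg xmlns="http://www.w3.org/2000/svg"><rect onload="x()"/></svg>'
SAMPLE_SCRIPT = b'<svg xmlns="http://www.w3.org/2000/svg"><script/></svg>'


def _split(qname: str):
    """ElementTree spells namespaced names as '{ns}local'; return (ns, local)."""
    if qname.startswith("{"):
        ns, local = qname[1:].split("}", 1)
        return ns, local
    return "", qname


def svg_is_acceptable(data: bytes):
    """Decide whether an uploaded file may be stored as an SVG image.
    Returns (ok, reason). Anything that is not plain, well-formed SVG is rejected."""
    lowered = data.lower()
    if b"<!doctype" in lowered or b"<!entity" in lowered:
        return False, "DOCTYPE and entity declarations are not allowed"
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return False, f"not well-formed XML: {exc}"
    if _split(root.tag) != (SVG_NS, "svg"):
        return False, "root element is not <svg> in the SVG namespace"
    for el in root.iter():
        ns, local = _split(el.tag)
        if ns != SVG_NS:
            # Foreign-namespace content (e.g. XHTML) is what the browser renders as HTML.
            return False, f"foreign namespace element: {el.tag}"
        if local.lower() in FORBIDDEN_ELEMENTS:
            return False, f"forbidden element: <{local}>"
        for attr, value in el.attrib.items():
            _, aname = _split(attr)
            if aname.lower().startswith("on"):
                return False, f"event handler attribute: {aname}"
            if aname.lower() == "href" and value.strip().lower().startswith(("javascript:", "data:")):
                return False, f"unsafe href: {value[:40]}"
    return True, "ok"
```

Even accepted files are best served from a separate origin, or with Content-Disposition: attachment and a restrictive Content-Security-Policy, so that a miss in the deny-list cannot run in the controller's origin; style and use elements also deserve review in stricter deployments.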

Exploit Scenario:
As in http://guptashubham.com/stored-xss-in-unifi-v4-8-12-controller, this attack would require valid admin credentials, so it will only be viable for one admin to attack another.

Big thanks to @93c08539 for the bounty 🙂 and for helping me a lot.

 

Stored XSS in UniFi v4.8.12 Controller

I'm writing about a stored XSS which I found on the UniFi controller v4.8.12.

Description:
The XSS happens in the admin page of the UniFi controller v4.8.12 (Stand Alone or CloudKey). In this exploit it was possible to inject HTML and JavaScript content into the admin page. The attack requires the attacker to have valid credentials, so this exploit will only work from one admin to another.

I was checking the UniFi website for some possible bugs but was not able to find anything good there, then I started playing with the UniFi controller and some Ubiquiti devices which I got from UBNT to test.

I started looking for XSS on the controller but found nothing!! 🙁

I decided to search further, in the devices DB. Then I plugged in a UniFi AP AC Lite device and found that the controller doesn't filter the device name for HTML special characters.

POC:
Step 1: Download the UniFi v4.8.12 Controller (any OS should work)
Step 2: Open the UniFi Controller; it will take a few seconds to start.
Step 3: Now set up your server by providing the admin name, password etc.
Step 4: Plug in your UniFi AP AC Lite device (any UniFi equipment should work).
Step 5: Change your device name to an XSS payload; in my case I'm using "><img src=x onerror=prompt(1)>
Step 6: Go to Statistics and boom, the XSS will prompt.
Step 7: $$$ Profit!!!

unifi_v4-8-12_xss_

I've attached a screenshot of the same.

There isn’t any filter applied to the user input, so this exploit could be used widely.
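The common fix for this device-name XSS, and for the saved-search, company-name and Flickr group-name cases in the other posts on this page, is to encode at every point where the stored value is written into HTML rather than filtering once at input. The following is an added example written for this page, not UniFi's code; the row template, the TagCollector helper and the device name are assumptions. It renders the same stored name with and without output encoding and then parses both results the way a browser would, to show which version yields an extra element carrying an event handler.

```python
import html
from html.parser import HTMLParser

# Constructed device name in the shape used in this post; it is only ever a string here.
DEVICE_NAME = '"><img src=x onerror=prompt(1)>'


def render_statistics_row_unsafe(name: str) -> str:
    """The pattern behind the bug: a stored name is concatenated straight into markup."""
    return f'<tr><td title="{name}">{name}</td></tr>'


def render_statistics_row(name: str) -> str:
    """Output encoding at render time. html.escape(quote=True) neutralises &, <, >, "
    and ', which covers both the text node and the double-quoted attribute here."""
    safe = html.escape(name, quote=True)
    return f'<tr><td title="{safe}">{safe}</td></tr>'


class TagCollector(HTMLParser):
    """Records every element and every on* attribute a browser-like parser would see."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.handlers.extend(a for a, _ in attrs if a.startswith("on"))


def elements_in(fragment: str):
    """Return (tag names, event-handler attribute names) found in an HTML fragment."""
    collector = TagCollector()
    collector.feed(fragment)
    collector.close()
    return collector.tags, collector.handlers
```

The encoded version stays a single td whose text happens to look like markup; the unencoded one grows two img elements with onerror handlers. Encoding at the render step rather than the input step is also what the Flickr and dev.flurry.com cases lacked: the value was filtered on one page and then written raw on another.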

Possible exploitation:

There isn't any direct attack that could be used in this exploit, because the attacker needs to be an admin; otherwise he would be unable to change the device names. However the attacker (an admin) could use this to exploit another admin.

One possible use is to steal another admin's password: since the password is hashed in the database, he could use the password captured in the XSS attack (maybe using a prompt or a fake login page) and try some other services; if the victim reuses passwords (which you shouldn't) he can exploit other services.

Special Thanks To: @93c08539

Best Regards
Shubham

 

SWF XSS (DOM Based XSS)

Hey Folks,

I was working on UBNT for bounty and I found several XSS there, so I'm sharing one of the cool ones.

In the above code the FlashVar parameter “bridgeName” is passed to the ExternalInterface.call method without filtering. It is possible to pass JavaScript code via the bridgeName parameter that will be executed when the vulnerable function is called (when the page loads).

Proof of Concept:

As proof of concept the following URL will inject the JavaScript code “alert(1)” to illustrate the flaw:

https://store.ubnt.com/skin/adminhtml/default/default/media/editor.swf?bridgeName=1\%22]%29%29;alert%281%29}catch%28e%29{alert%281%29}//

store.ubnt.com xss

Some other paths:

Bug is fixed now.

Best Regards
Shubham

 

XSS filter bypass in Yahoo dev.flurry.com

Hi,
I want to share another finding of mine, a Yahoo XSS filter bypass which I reported to them in Dec 2014.
While researching and working on Yahoo bug bounties I found some cool XSS.

This is not an actual filter bypass; I just found a way to enter JavaScript and run it.

This is a tricky one.
While researching dev.flurry.com I found that the company name is vulnerable to an XSS attack, but unfortunately there is a filter.

You can't use <, >, ;, or '; you will get an error like "New company name is invalid".

But I found a way to bypass this: we can't use <, >, ' when creating or editing, but in add company we can. Just go to https://dev.flurry.com/viewProfile.do and click on advanced profile, where you can write your payload.

But there is also a filter there, and the XSS will not trigger. So I tried many things including eval(), but it didn't work; after that I just checked whether there was any page where this payload would execute. I found one!!

Go to Applications > Alerts

Then the XSS will trigger.

Step_4

Thanks for reading.

 

XSS on Flickr

Howdy friends,

Today I’m going to show you how I got Flickr XSS Vulnerability. I’ve been spending time lately playing with Flickr.

First, as usual, I created a Flickr group with some random words <"lol">.
To my bad luck there was filtering.

Then I started digging into that and found a way to execute my JavaScript.

Steps:

  1. Create a group with the name <img src=x onerror=prompt(1)>"
  2. Add someone to the group
  3. When the user clicks on leave group, the XSS will prompt.


Note: As I told you, there was filtering, but when a user tries to leave that group the filter does not work and the XSS gets executed.

Flickr.Xss

It was reported to Yahoo, and after 10 days I got a reply from them, "Triaged"; then after some more days they rewarded me with $400 for this finding :v
And they put my name on their hall of fame page.

Yahoo Hall Of Fame

Video Demo:

Thanks to Yahoo security team.