Monday, August 3, 2015

One payload to XSS them all !

Hi ,

Today I want to share my find in 2013 which is XSS in flash file was used in many websites (famous websites !).
the flash file was called sIFR (Scalable_Inman_Flash_Replacement)

Q: How I found it ?

A: Till today I was thinking that I am the first one who reported this issue in fact it is an old bug
That have CVE (Read more)

So let's talk about what I found , I was looking for bug in Adobe my exploire get me to

http://wwwimages.adobe.com/www.adobe.com/lib/com.adobe/sIFR2.0.2/myriad.swf?txt=ADOBE PHOTOSHOP CS3&textcolor=

 The (txt) was get simple text
 The (textcolor) was get a HTML color code 

I change (ADOBE PHOTOSHOP CS3) to XSS 

the page Show XSS  and when I make the payload 

Immm good the txt parameter show our text let's do HTML things .


http://wwwimages.adobe.com/www.adobe.com/lib/com.adobe/sIFR2.0.2/myriad.swf?txt=<a href="javascript:alert('Xssed by Abdullah Hussam')">xss</a>

It is work !!! and I found XSS on Adobe . But I notice something in URL

http://wwwimages.adobe.com/www.adobe.com/lib/com.adobe/sIFR2.0.2/myriad.swf?txt=ADOBE PHOTOSHOP CS3&textcolor=
 It is look like path of file in (www.adobe.com) ,so I deleted the (wwwimages.adobe.com/) from URL 

and go to :


https://www.adobe.com/lib/com.adobe/sIFR2.0.2/myriad.swf?txt=<a href="javascript:alert('Xssed by Abdullah Hussam')">xss</a>





Xss show in the page I click on it and booom !


Please bear with me that I inject my name in code it was my start at bug bounty hhhhh :) .

So it was very good

Now I was think that (sIFR2.0.2) is Adobe product that I can found in other website

I make Dork to find others

there were too many website wait the surprise it was big one

Visa,AMEX,Blackberry,Stanford,Haravrd,and many Gov sites

Here is a samples :






































The PoC video : 


There are many others websites vulnerable .

Thanks for read .


Useful links : 
1-http://news.softpedia.com/news/sIFR-Vulnerability-Impacts-Adobe-BlackBerry-Visa-Amazon-and-Other-Sites-Video-427053.shtml
2-https://en.wikipedia.org/wiki/Scalable_Inman_Flash_Replacement
3-http://www.hackbusters.com/news/stories/18150-sifr-vulnerability-impacts-adobe-blackberry-visa-amazon-and-other-sites-video
4-http://www.youtube.com/watch?v=7WeIeJ_YYOQ

Saturday, August 1, 2015

Blind SQL inejction [Hootsuite]

Hi , I will start publish some of my findings

In 2014 I found Blind SQL injection at hootsuite subdomain (https://learn.hootsuite.com)

----------------------------------------------------------
Blind SQL Injection :
 Is a type of SQL Injection attack that asks the database true or false questions and determines the answer based on the applications response. This attack is often used when the web application is configured to show generic error messages, but has not mitigated the code that is vulnerable to SQL injection 

---------------------------------------------------------
When I signup for new account and explore the site , I saw the photos of users connected to php file to show as profile image .

I copy the link and go to it

https://learn.hootsuite.com/view_profile_image.php?id=8807


it was good and the photo was  viewed well

Let's do magic things

https://learn.hootsuite.com/view_profile_image.php?id=8807'

the page was white totally white !!

this is look like SQLi I do many test and find out that it is blind sql injection

for example you can do simple test

1- https://learn.hootsuite.com/view_profile_image.php?id=8807 and 1=1 

OK !!

2- https://learn.hootsuite.com/view_profile_image.php?id=8807 and 1=2 

Error !! 






I did not have much experience in sqli that time so I used SQLMAP to make sure that it is blind or not .




Type: boolean-based blind ; 
Database :hootsuite_u_v2

So  I was right.

I made report and send with all info and details.

I got



 I was surprised that a security team  dose not know what is sql injection I sent file,parameter,payload,and type .

After many messages and replies they fixed the sqli in months and block me I think !! because they tell me the will see if they can add me in hall of fame . I waited and nothing did try to contact them but no replay so I left them .


Sometimes you should do bad things like leak the DB !!! .
There were 10k users or 100k I do not remember .
That is all about .

Thanks for read .

 Useful links :
1- https://www.owasp.org/index.php/Blind_SQL_Injection
2- https://en.wikipedia.org/wiki/SQL_injection 
3- https://www.acunetix.com/websitesecurity/blind-sql-injection/
4- https://hackerone.com/reports/21899
5- There are many cool articles and writes-up about SQLi you can look for.