Manage multiple clients with scripts

For a penetration test, most checking procedures are standardized and routine. Don’t you ever feel tired by typing nmap, Nessus, or Saint every single time when you start the test? Are you still feeling safe and rational to type ‘cd’ a thousand times for changing directories to manage your projects? Even if you upgraded yourself proudly and start using some funny GUI interface from Nexpose or Tenable, you will still suffer from managing them manually. Those automated tools will no longer helpful or customizable when you meet an standard crappy IPS that blocks typical scanning.

Manual assessment is your own value position to distinguish yourself from others in terms of skills, knowledge and speed! But the term “manual” are often over used by companies. It doesn’t mean you have to spend your time and effort to keep typing ls and cd on the keyboards with your bloody hand but your mental power to think of an alternate route to penetrate into the system. Here is a handy script I written for myself to save my time, make a penetration test in a more organized manner and help you focus on a real hacking but not typing.

read more

Add multiple user in linux

http://www.cyberciti.biz/tips/linux-how-to-create-multiple-users-accounts-in-batch.html

for i in seq 1 30; do echo -n “group$i:group$i:” echo -n $i | awk ‘{printf 1;printf “%03d”, $1;}’ echo :506:Student user:/home/user$i:/bin/bash

done

read more

Google API and XHR request

Google api: http://code.google.com/apis/ajax/playground/

XHR request:

function loadXMLDoc(url)
{
        if (window.XMLHttpRequest)
        {// code for IE7+, Firefox, Chrome, Opera, Safari
                jsonhttp=new XMLHttpRequest();
        }
        else
        {// code for IE6, IE5
                jsonhttp=new ActiveXObject("Microsoft.XMLHTTP");
        }
        jsonhttp.open("GET",url,false);
        jsonhttp.send(null);
        document.write("Response from mysql:</br>");
        document.write(jsonhttp.responseText);
        return(JSON.parse(jsonhttp.responseText));
}
var result = loadXMLDoc('the_request.php');

read more

Non-persistant XSS in Horde

These days we tried to find some vulnerability in webmail.ie.cuhk.edu.hk. And we found that it consist of xss vulnerability for us to spoof the same webmail address with injection in URL. It is already an old issue mentioned back to year 2006 in version 2 of Horde, however we come back to the xss injection again in version 4.1.3.

The most updated version of horde IMP is: 4.2.x with one following major security updated had already fix the problem by implementation of filtering HTML entities in URL input:

–Add protection against CSRF attacks.

webmail.ie.cuhk.edu.hk use IMP: H3 (4.1.3) according to https://webmail1.ie.cuhk.edu.hk/horde/imp/test.php

As the horde server had encountered several url injection problems, we made a list of proof of concepts as follow. Although all of the url are easy be covered by normal user, it’s work very well combined with social network applications:

  1. Fake return address: It will return to my own site after user had visit the legitimate problem page. https://webmail1.ie.cuhk.edu.hk/horde/services/problem.php?return_url=https://personal.ie.cuhk.edu.hk/~tks008/iewebmail.html

  2. Fake login frame: It require user to login to the real webmail first, and then we insert a login frame in the content. https://webmail1.ie.cuhk.edu.hk/horde/index.php?url=http://personal.ie.cuhk.edu.hk/~tks008/iewebmail.html

read more

Instruction Set Architecture

So base on different machine/computer architecture, there are following Instruction Set we need to learn. Thanks to John  von Neumann, I guess the types of machines is actually reduced by him.

IA-64 (Itanium)

MIPS

IBM 700/7000 series

–System/390

–z/Architecture

Power Architecture

read more