## Exploiting SQLi ActiveRecord class on a vulnerable CodeIgniter version

Im doing a box from vulnhub, found that its running a version of CodeIgniter vulnerable to SQLi. https://www.cvedetails.com/cve/CVE-2015-5725/

Im having troubles exploiting the vuln line on system/database/DB_active_rec.php

    {         $this->ar_offset =$  offset;         $this->ar_offset = (int)$  offset;         return $this; }  https://github.com/bcit-ci/CodeIgniter/commit/0dde92def6b9f276f05ff77abb07ead318f9ec23 more or less, i have no idea where to start. ## How to bypass sanitization of < while exploiting a xss vulnerability? what ever is right to < is being deleted if i dont have a following >, else every thing in between < and > is being deleted. Is there a way to bypass this sanitization? ## Exploiting LFI with prefix I have a scenario as the following: <?php include("resource/" +$  _GET['vuln']); ?> 

And I’m trying to get RCE from this, or atleast acquire some interesting information.

I already looked at /etc/passwd and other important files, are there things I can do to bypass the resource/ prefix? (since it disables me from using php:// filters)

## Exploiting python pickle.loads to execute arbitrary code

I am trying to solve a challenge where I need to exploit python pickle library to execute malicious code.

This is the original code that came as a file

import pickle import time  function_shield.configure({    "policy": {        # 'block' mode => active blocking        # 'alert' mode => log only        # 'allow' mode => allowed, implicitly occurs if key does not exist        "outbound_connectivity": "block",        "read_write_tmp": "block",        "create_child_process": "block",    },    "token": "XXXXXXXX",    "disable_analytics": "true" })  def clock_page(past):    html = '<!DOCTYPE HTML>'\            + '<HTML>'\            + '<HEAD>'\            + '<TITLE>Timer</TITLE>'\            + '<LINK rel="stylesheet" href="https://fonts.googleapis.com/css?family=Orbitron">'\            + '<STYLE>'\            + 'body{background: black;}'\            + '.clock{position: absolute; top: 50%; left: 50%; transform: translateX(-50%) translateY(-50%); color: #17D4FE; font-size: 60px; font-family: Orbitron; letter-spacing: 7px;}'\            + '</STYLE>'\            + '</HEAD>'\            + '<BODY>'\            + '<DIV id="timer" class="clock" onload="showTime()"></DIV>'\            + '<SCRIPT>'\            + 'function showTime(){'\            + 'var future = Date.now() / 1000 | 0;'\            + 'var delta = future - ' + past + ';'\            + 'var time = delta.toString();'\            + 'document.getElementById("timer").innerText = time;'\            + 'document.getElementById("timer").textContent = time;'\            + 'setTimeout(showTime, 1000);'\            + '}'\            + 'showTime();'\            + '</SCRIPT>'\            + '</BODY>'\            + '</HTML>'    return html  class Epoch(object):    def __init__(self, timestamp):        self.ts = timestamp  #{Secret_code_Here}  def lambda_handler(event, context):    if (('multiValueHeaders' in event.keys()) and (json.dumps(event['multiValueHeaders']) != 'null')):        if ('cookie' not in event['multiValueHeaders'].keys()):            url = event['requestContext']['path']            epoch = Epoch('{:d}'.format(int(time.time())))            cookie = base64.b64encode(pickle.dumps(epoch))            return {                'isBase64Encoded': 0,                'statusCode': 302,                'headers': {                    'Content-Type': 'text/html; charset=utf-8',                    'Set-Cookie': cookie, # Server time may be different to browser time!                    'Location': url                },                'body': ''            }    epoch = pickle.loads(base64.b64decode(event['multiValueHeaders']['cookie'][0]))    return {        'isBase64Encoded': 0,        'statusCode': 200,        'headers': {'Content-Type': 'text/html; charset=utf-8'},        'body': clock_page(epoch.ts)    } 

There is epoch = pickle.loads(base64.b64decode(event['multiValueHeaders']['cookie'][0]))

It extracts the cookie, base64decodes it and finally unpickles. During unpickling we have to execute the malicious code so that it reads the source code of the file.

Later the value of epoch.ts is used.

The cookie generated by the server : gASVNgAAAAAAAACMD2xhbWJkYV9mdW5jdGlvbpSMBUVwb2NolJOUKYGUfZSMAnRzlIwKMTU3NzEwMTU4NZRzYi4=

When I try unpickling , it throws an error ModuleNotFoundError: No module named ‘lambda_function’. I tried using pickletools module to see the differences too.

What I know is I need to put the code inside _ reduce _ so that when the code is unpickled. It gets executed.

I have tried using the following code to get an exploit cookie. It works locally but it does not work with server instead shows internal server error. So, is there anything I am missing? How do I develop an exploit for this?

    def __init__(self, timestamp):         self.ts = timestamp      def __reduce__(self):         ts = '1388907849'         return (self.__class__, (ts, ))   def serialize_exploit():     shellcode = pickle.dumps(fakeEpoch('{:d}'.format(int(time.time()))))     return shellcode  def insecure_deserialize(exploit_code):     print(pickle.loads(exploit_code))   if __name__ == '__main__':     shellcode = serialize_exploit()     print("cookie: ")      print(base64.b64encode(shellcode))     print("Exploit working")     insecure_deserialize(shellcode)  

## Exploiting vulnerabilities in the C code

I’m preparing for an introductory information security examination in university and this is one of the examination questions on Secure Programming.

In such questions, I would usually catch for Buffer Overflow or Integer Overflow that lead to other consequences, but due to the context of the problem, I did not manage to find any vulnerabilities in this program.

Can someone help me out here with the questions? The answers are not provided by the school. Sorry in advance, the actual paper document is not formatted such that it allows copy over.

Here is the question.

## Exploiting Weak Permissions on OU in Active Directory?

I created an environment, where I allowed a user named demop with these four permissions

CreateChild
ListChildren
GenericWrite

on an OU named VulnerableOU? And, I have Meterpreter access to the user’s PC, so how can I exploit this behavior? Or in other words how this can be exploitable in real scenarios?

By these permissions it looks like we can create an object inside an OU but How? What tool should I use or maybe what PowerShell cmdlet should I use?

## Exploiting SQL-Injection Vulnerability in Oxid eShop CE 6.0.2 with SQLMAP

i installed Oxid eShop CE 6.0.2 on my local webserver to analyze the last sql-injection vulnerability in this webapp. I found out that it is possible to inject sql-code via the sorting-Parameter (GET). So with the following url, I am able to execute sql code (as you can see):

• localhost/oxid/test/source/en/Wakeboarding/Wakeboards/Wakeboard-SHANE.html?sorting=oxtitle|ASC,(SELECT%20sleep(20))

How can I exploit this vulnerability with SQLMAP?

## PHP | Exploiting incorrectly escaped mysql_query() or die(mysql_error()) be used to exfiltrate data?

I ran across some legacy code that uses mysql_query($sql) or die(mysql_error()) Was curious and noticed that with a correctly placed " in the email input … I am shown output from mysql_error() as a user. You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '"email@email.com""' at line 1  mysql_query('SELECT * FROM users WHERE users_email_address = "'.$  email.'") or die(mysql_error());  

I was able to crash the browser with email@email.com" OR "" = … since I’m assuming that caused an infinite loop

First part of question is … how would I exfiltrate information with this " condition I have found? Is there a special name for it other than SQL injection that I can read more about?

Second part of question is: The mysql_error output seems like it could be advantageous for a wannabe intruder, but I am unaware of the depth of information it could provide.

## Browser Exploiting – Using SyncManager to keep Service Workers alive forever

The authors claim to use the SyncManager Interface in order to keep Service Workers alive forever and thus turning the victim’s browser into a slave.

Is that really possible? I thought the sync process was always initiated by the client and there was no way for a server to force synchronization.

Thanks

## Fun crypto problem: Exploiting a vulnerable encryption scheme with Python

I came across a question asked here and here on the Crypto Stack Exchange site, and decided to analyze it as a kind of case study. To demonstrate the concept, I wrote a short python script depicting the proposed encryption scheme. It’s mostly list comprehensions or generator expressions and bitwise operations.

$$C=E_k(m)$$ $$C_\alpha = C\oplus m$$ $$C_\beta = \overline{C}$$ $$C_\Omega = C_\alpha\ ^\frown\ C_\beta$$

#!/usr/bin/env python3  from Crypto.Cipher import DES  m = b'secret!!' k = b'qwerty!!' E = DES.new(k, DES.MODE_ECB) C = E.encrypt(m)  C_alpha = int('0b'+''.join([f"{x:08b}" for x in C]), 2) ^ \           int('0b'+''.join([f"{x:08b}" for x in m]), 2)  C_beta  = int('0b'+''.join([f"{x:08b}" for x in C]), 2) ^ \           int('0b' + '1' * len(''.join([f"{x:08b}" for x in C])), 2)  C_omega = f"{C_alpha:064b}" + f"{C_beta:064b}"  if __name__ == '__main__':      print(C_omega) 

Then I ended up with this alternative version. If you want to try it out, save it as bad_scheme.py so it can work properly with the next script:

#!/usr/bin/env python3  from Crypto.Cipher import DES  m = b'secret!!' k = b'qwerty!!' E = DES.new(k, DES.MODE_ECB) C = E.encrypt(m)  def bitwise_xor(bits_a, bits_b):     bits_out = ''.join([str(int(x)^int(y)) for x, y in zip(bits_a, bits_b)])     return(bits_out)  def bitwise_complement(bits_in):     bits_out = ''.join([str(~int(x)+2) for x in bits_in])     return(bits_out)  def C_alpha():     bits_out = bitwise_xor(''.join([f"{x:08b}" for x in C]),                            ''.join([f"{x:08b}" for x in m]))     return(bits_out)  def C_beta():     bits_out = bitwise_complement(''.join([f"{x:08b}" for x in C]))     return(bits_out)  def C_omega():     bits_out = C_alpha() + C_beta()     return(bits_out)  if __name__ == '__main__':     print(C_omega()) 

And here’s what is essentially a working exploit of the (hypothetical) proposed encryption scheme’s vulnerability; demonstrating the plaintext can be revealed without the key. It imports the final ciphertext and the bitwise functions from the first script, and works backwards, and complements $$C_\beta$$ to get $$C$$ (because $$C_\beta$$ is essentially just $$\overline{C}$$), then $$C \oplus C_\alpha$$ to reveal $$m$$ without requiring $$k$$. So:

$$\overline{C_\beta}=C$$ $$C_\alpha \oplus C=m$$

#!/usr/bin/env python3  from bad_scheme import C_omega, bitwise_xor, bitwise_complement  def C_alpha():     bits_out = C_omega()[:int(len(C_omega())/2)]     return(bits_out)  def C_beta:     bits_out = C_omega()[int(len(C_omega())/2):]     return(bits_out)  def C():     bits_out = bitwise_complement(C_beta())     return(bits_out)  def m():     bits_out = bitwise_xor(C_alpha(), C_beta())     return(bits_out)  if __name__ == '__main__':     print(''.join([chr(int(m()[i:i+8],2)) for i in range(0,len(m()),8)])) 

So, there it is. Just thought I’d put it out there and see what everyone thinks, which style is better, what’s good about it, what’s bad about it, and what I can do to improve it.