4 min
Exploits
You have no SQL inj--... sorry, NoSQL injections in your application
Everyone knows about SQL injections. They are classic, first widely publicized
by Rain Forest Puppy, and still widely prevalent today (hint: don't interpolate
query string params with SQL).
But who cares? SQL injections are so ten years ago. I want to talk about a
vulnerability I hadn't run into before that I recently had a lot of fun
exploiting. It was a NoSQL injection.
The PHP application was using MongoDB, and MongoDB has a great feature
[http://www.php.net//manual/en/mongocollection.find.
2 min
Exploits
Sophos Web Appliance Privilege Escalation and Remote Code Execution Vulnerability
Sophos Web Protection Appliance vs 3.8.1.1 and likely prior versions was
vulnerable to both a mass assignment attack which allowed privilege escalation,
as well as a remote command execution vulnerability as root available to admin
users. ZDI details the vuln here
[http://www.zerodayinitiative.com/advisories/ZDI-14-069/].
This Metasploit module exploits both vulnerabilities in order to go from an
otherwise unprivileged authenticated user to root on the box. This is
particularly bad because this
2 min
Government
GestioIP Authenticated Remote Command Execution module
GestioIP is an open-source IPAM (IP Address Management) solution available on
Sourceforge, written in Perl.
There is a vulnerability in the way the ip_checkhost.cgi deals with pinging IPv6
hosts passed to it. If you pass an IPv4 address, the CGI uses a Perl library to
perform the ping and return the results to the user.
However, this library doesn't seem to support IPv6 hosts, so the developer uses
the ping6 utility to perform the ping of an IPv6 machine. The developer did
perform some validat
6 min
Nexpose
Integrating Nexpose Community and Metasploit Community in Backtrack 5 R2
I recently packaged up the new Nexpose release so that Backtrack users can have
an up-to-date version of Nexpose, straight from the Backtrack repos. This seemed
like a great time to also go over installing Nexpose Community and integrating
it with the already-installed Metasploit Community.
1. Getting Started
Before we get started, I would recommend grabbing a copy of Backtrack 5 R2
64-bit. The machine you want to use will need to have at a minimum 2GB of RAM
and at least 5GB space on the hard
5 min
Metasploit
Adventures in the Windows NT Registry: A step into the world of Forensics and Information Gathering
As of a few days ago [https://github.com/rapid7/metasploit-framework/pull/98],
the Metasploit Framework has full read-only access to offline registry hives.
Within Rex you will now find a Rex::Registry namespace that will allow you to
load and parse offline NT registry hives (includes Windows 2000 and up),
implemented in pure Ruby. This is a great addition to the framework because it
allows you to be sneakier and more stealthy while gathering information on a
remote computer. You no longer need
