Posts by bperry

4 min Exploits

You have no SQL inj--... sorry, NoSQL injections in your application

Everyone knows about SQL injections. They are classic, first widely publicized by Rain Forest Puppy, and still widely prevalent today (hint: don't interpolate query string params with SQL). But who cares? SQL injections are so ten years ago. I want to talk about a vulnerability I hadn't run into before that I recently had a lot of fun exploiting. It was a NoSQL injection. The PHP application was using MongoDB, and MongoDB has a great feature [

2 min Exploits

Sophos Web Appliance Privilege Escalation and Remote Code Execution Vulnerability

Sophos Web Protection Appliance vs and likely prior versions was vulnerable to both a mass assignment attack which allowed privilege escalation, as well as a remote command execution vulnerability as root available to admin users. ZDI details the vuln here []. This Metasploit module exploits both vulnerabilities in order to go from an otherwise unprivileged authenticated user to root on the box. This is particularly bad because this

2 min Government

GestioIP Authenticated Remote Command Execution module

GestioIP is an open-source IPAM (IP Address Management) solution available on Sourceforge, written in Perl. There is a vulnerability in the way the ip_checkhost.cgi deals with pinging IPv6 hosts passed to it. If you pass an IPv4 address, the CGI uses a Perl library to perform the ping and return the results to the user. However, this library doesn't seem to support IPv6 hosts, so the developer uses the ping6 utility to perform the ping of an IPv6 machine. The developer did perform some validat

5 min Metasploit

Adventures in the Windows NT Registry: A step into the world of Forensics and Information Gathering

As of a few days ago [], the Metasploit Framework has full read-only access to offline registry hives. Within Rex you will now find a Rex::Registry namespace that will allow you to load and parse offline NT registry hives (includes Windows 2000 and up), implemented in pure Ruby. This is a great addition to the framework because it allows you to be sneakier and more stealthy while gathering information on a remote computer. You no longer need