

Bypassing insufficient blacklisting

Brief introduction Operating system (OS) command injection is a variant of code injection, a class of attacks considered a major security threat and ranked No. 1 (Injection) in the 2013 OWASP Top Ten web security risks [1]. There are many types of code injection attacks, including SQL injection [2], Cross Site Scripting […]
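To make the "insufficient blacklisting" point concrete, the following added example (not code from the original post) contrasts a command built for a shell behind a typical metacharacter blacklist with an allowlisted argv list that never reaches a shell. The ping-by-hostname scenario, the blacklist contents and the sample payloads are constructed for illustration; the functions return the command they would build rather than executing it, so the block runs offline.

```python
"""Insufficient blacklisting vs. allowlisting for OS command injection.

Added example for this page, not the post's own code.  Scenario, blacklist
and payloads are constructed; nothing here is executed as a command.
"""
import re

# A typical "insufficient blacklist": the separators a developer remembers.
# Note that single '|' and single '&' are missing, and so is '$(...)'.
BLACKLIST = (";", "&&", "||", "`")


def blacklist_filter(user_input: str) -> bool:
    """True if the input contains none of the blacklisted tokens."""
    return not any(token in user_input for token in BLACKLIST)


def build_vulnerable_cmd(host: str) -> str:
    """Command string as a vulnerable app would build it for
    subprocess.run(cmd, shell=True).  Returned, not executed."""
    if not blacklist_filter(host):
        raise ValueError("blocked by blacklist")
    return f"ping -c 1 {host}"


# Constructed payloads: each avoids every blacklisted token yet still
# injects a second command once /bin/sh parses the string.
BYPASS_PAYLOADS = {
    "newline":          "127.0.0.1\nid",    # newline is a command separator in sh
    "single_pipe":      "127.0.0.1 | id",   # only '||' is blacklisted, not '|'
    "subshell":         "127.0.0.1 $(id)",  # command substitution, no backticks
    "single_ampersand": "127.0.0.1 & id",   # background operator, not '&&'
}

# Hardened approach: validate the *shape* of the value (RFC 1123-style
# hostname labels) and pass it as one argv element with no shell involved.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def build_safe_argv(host: str) -> list:
    """argv list for subprocess.run(argv) (shell=False, the default)."""
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError("not a valid hostname")
    return ["ping", "-c", "1", host]


def allowlist_rejects(value: str) -> bool:
    """Helper for checking that the hardened path refuses a payload."""
    try:
        build_safe_argv(value)
    except ValueError:
        return True
    return False


def blacklist_bypasses() -> dict:
    """Map payload name -> True when the blacklist lets it through but the
    allowlist stops it; i.e. the cases the blacklist alone would miss."""
    return {
        name: blacklist_filter(p) and allowlist_rejects(p)
        for name, p in BYPASS_PAYLOADS.items()
    }


if __name__ == "__main__":
    for name, p in BYPASS_PAYLOADS.items():
        print(f"{name:17s} passes blacklist={blacklist_filter(p)!s:5} "
              f"rejected by allowlist={allowlist_rejects(p)}")
    print(build_vulnerable_cmd("127.0.0.1 $(id)"))
    print(build_safe_argv("example.com"))
```

Every payload in the table passes the blacklist and would be handed to a shell, while the allowlist plus argv approach rejects all of them and still accepts ordinary hostnames. The lesson generalises beyond these four tokens: a blacklist enumerates what the developer knows about the shell's grammar, an allowlist enumerates what the application actually needs.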

IBM WebSphere Java Deserialization (RCE) – Metasploit Module

Identified Vulnerability through Nessus According to Nessus, the following critical vulnerability exists on the target IBM WAS; it was exploited by sending a crafted serialized Java object. Vulnerability Information CVE ID: CVE-2015-7450 Description: Serialized-object interfaces in certain IBM analytics, business solutions, cognitive, IT infrastructure, and mobile and social products allow remote attackers to execute arbitrary commands via […]

Undetectable Metasploit WAR

A possible attack path during a penetration test is gaining access to the administrative console of a Java application server (such as WAS, JBoss or Tomcat) installed on a Windows server with default or guessable (e.g. brute-forced) administrative credentials. The idea was to upload a Metasploit-generated WAR application in order to successfully compromise the […]

Fast Forward Brute-Forcing Apache Tomcat 6/7/8

Intro The Apache Tomcat web administrative interface often stands as a primary target during a penetration test because of what its compromise yields. That is why Tomcat 6 (and later versions) implements – by default – an "anti-bruteforcing" security mechanism (LockOutRealm*). While experimenting with this feature, I've identified a way around it that improves […]

Client Side Penetration Testing – T&T Part 2

Once we are able to contact the target and sound legitimate, we should be able to get a binary executed through persuasive and undetectable techniques. Below we discuss some of these techniques: PowerPoint presentation with embedded .exe A legitimate method, undetectable by antivirus, to deliver an executable (provided the executable itself is undetectable, of course), […]

Client Side Penetration Testing – T&T Part 1

Most client-side attacks are based on delivering emails to the target; nevertheless, by underestimating the need to build an adequate "trust level" with the target, there's a fair chance that the exercise will fail even at this early stage. Below we begin by listing some techniques, considerations, and tips on how to successfully deliver […]

Using UDF in Penetration Testing Part 2

Before continuing, we are assuming – again – that we have already gained access to a MySQL administration interface (how we did that is out of the scope of this post) and that we want to acquire a command shell in order to penetrate further into the system. Finally, we are assuming that the MySQL […]

Using UDF in Penetration Testing

During a penetration test, we might find ourselves in a situation where we have SQL administrative access only. As usual, we want to dive deeper into the network. Sometimes the only way to accomplish that is to execute commands on the system that hosts the SQL server. If the server happens to be an […]

Multiple vulnerabilities identified on Aircrack-ng

About a month ago I identified four vulnerabilities in the Aircrack-ng suite. A brief but technical description may be found below. Furthermore, references to the proof-of-concept exploit code and the OSI advisory may be found at the end of this article. CVE-2014-8322 One of them could lead to remote code execution. Specifically, in aireplay-ng's tcp_test function […]