K?t h?p Open Redirect trong vi?c khai th�c l? h?ng b?o m?t

K?t h?p Open Redirect trong vi?c khai th�c l? h?ng b?o m?t

open redirect Vulnerability Write-up xss

Ch��ng tr?nh Bug Bounty c?a Google (VRP) th�?ng xuy�n nh?n ��?c c�c b�o c�o l?i c� �? c?p t?i open redirect (chuy?n h�?ng m?). M?c d� b?n th�n ch�ng kh�ng ��?c xem x�t l� l? h?ng b?o m?t, ch�ng t�i nh?n ra r?ng open redirect c� th? ��?c s? d?ng �? khai th�c c�c l? h?ng kh�c nh� XSS ho?c OAuth Token Disclosure.
Read More

Unknown Pada 15:26 Komentar

C?nh b�o v? l? h?ng b?o m?t XSS ch�a ��?c v� trong WordPress

C?nh b�o v? l? h?ng b?o m?t XSS ch�a ��?c v� trong WordPress

0-day Security WordPress xss

Theo ngu?n tin c?nh b�o t? group HVA th? WordPress �ang d�nh l? h?ng b?o m?t Stored XSS c?c k? nghi�m tr?ng t?i ph?n b?nh lu?n v� b�i vi?t (c? th? l� ? ti�u �? c?a b�i vi?t). T? �? x�c nh?n l?i b?ng c�ch ki?m th? v?i phi�n b?n WordPress 4.6.1 tr�n Localhost.

L? h?ng ?nh h�?ng t?i c�c phi�n b?n t? 4.6.1 tr? xu?ng (t?c l� bao g?m c? phi�n b?n m?i nh?t). Hi?n t?i ph�a WordPress ch�a c� b?n c?p nh?t n�o.

V?i hai l? h?ng XSS n�y, hacker ho�n to�n c� th? t?i web-shell l�n trang web c?a b?n. Xem video demo trong b�i vi?t n�y �? h?nh dung ��?c m?c �? nguy hi?m.
Read More

Unknown Pada 17:40 Komentar

L? h?ng b?o m?t Cross-Site-Scripting (XSS) c� g? nguy hi?m?

L? h?ng b?o m?t Cross-Site-Scripting (XSS) c� g? nguy hi?m?

CSRF Hacking and Security xss

M?i khi ��ng nh?ng b�i writeup v? m?t l? h?ng XSS ��?c ph�t hi?n tr�n m?t trang web n�o ��, t�i bi?t s? c� nh?ng ng�?i nh?ch m�p c�?i kh?y v? l�c �� trong �?u h? s? ngh?:

• "C�i l?i XSS n�y th? c� c�i qu�i g? nguy hi?m c� ch??"
• "Ngo�i vi?c hi?n l�n m?t h?p tho?i th? XSS l�m ��?c c�i �?ch g? n?a kh�ng?"
• "M?t l? h?ng v? v?n th�i m�. � m� hi?n h?p tho?i c?ng ��?c g?i l� l? h?ng h??"
• ...

V?y th?, XSS c� g? nguy hi?m?

Thay v? vi?t ra �?ng l? thuy?t nh�m ch�n, ch�ng ta s? c�ng xem x�t nh?ng h?nh th?c t?n c�ng khai th�c XSS �? ��?c �p d?ng trong th?c ti?n. N�i tr�?c �? nh?ng b?n n�o c?n ch�a bi?t v? XSS th? n�n Google xem n� l� g? tr�?c khi �?c ti?p b�i vi?t n�y nha.
Read More

Unknown Pada 06:02 Komentar

T�i �? hack VietDesigner.net v� Kenhsinhvien.vn nh� th? n�o?

T�i �? hack VietDesigner.net v� Kenhsinhvien.vn nh� th? n�o?

CSRF Write-up xss

H�nh tr?nh truy t?m l? h?ng b?o m?t

Tr�?c h?t, t? xem x�t �?c �i?m chung c?a c? hai trang web n�y:

1. ��y �?u l� 2 di?n ��n l?n (m?c ti�u c�ng l?n, c�ng nhi?u ng�?i d�ng th? c�ng t? l? thu?n v?i s? nguy hi?m c?a m?t l?i b?o m?t ��?c ph�t hi?n).
2. C�ng s? d?ng n?n t?ng Xenforo.
3. C�ng s? d?ng m?t add-on gi?ng nhau �? t?o tr?nh chuy?n h�?ng li�n k?t.

Trong 3 �?c �i?m n�y th? �i?u th? 3 ch�nh l� m?u ch?t:

• http://kenhsinhvien.vn/redirect/?url=https://junookyo.blogspot.com/
• http://forum.vietdesigner.net/redirect/?url=https://junookyo.blogspot.com/

T?i sao t? bi?t r?ng 2 trang c�ng d�ng m?t add-on? Ngo�i vi?c d?a theo c?u tr�c li�n k?t, th? t? xem m? ngu?n trang chuy?n h�?ng c?a c? 2 v� c�ng m?t th?y t? kh�a quan tr?ng sau:

T?m t? kh�a �� tr�n Google:

Nh� v?y c� th? �o�n ��?c 2 di?n ��n kia �ang s? d?ng add-on t?o tr?nh chuy?n h�?ng t�n l� "GoodForNothing Url Anonymizer" (sau n�y �? �?i t�n th�nh GoodForNothing Link Proxy).
Read More

Unknown Pada 05:45 Komentar

T�i �? hack phimmoi.net nh� th? n�o? - Ph?n 2

T�i �? hack phimmoi.net nh� th? n�o? - Ph?n 2

J2TeaM Path Disclosure Write-up xss

H�m nay v?a ��ng m?t tu?n t�nh t? ng�y t? hack phimmoi.net (24/06), ch? sau �� hai ng�y - 26/06, t? ti?p t?c ph�t hi?n ra 2 l? h?ng b?o m?t ti?p theo thu?c sub-domain c?a phimmoi.net

C�u chuy?n b?t �?u

Ng�y 26/06, trong l�c v�o xem phim t?i phimmoi, t? ch?t �? ? c�i banner qu?ng c�o ? c?t b�n ph?i. V? �ang s? d?ng uBlock n�n t? kh� ng?c nhi�n khi th?y v?n c� m?t banner hi?n th?.

T? li?n nh?n ph?i chu?t v�o banner v� sao ch�p li�n k?t:

http://uniad.phimmoi.net/publisher/go/?bannerid=673&zoneid=3&dtime=1467368202&ctype=CPD&domain=phimmoi.net&verify=fe8043c8f4e38373918ba129a804b5d4&href=http%3A%2F%2Fcuuam.360game.vn%2Fintro%2Fcackpg3%2Flanding%2Findex.html%3Futm_source%3DBanner%26utm_medium%3DPhimmoi.net%26utm_content%3DPhimmoi.net_PlayerPage_Right1_300x600

S? d?ng t�nh n�ng Split URL (ng?t c�c tham s?) v� URLdecode c?a Hackbar:

http://uniad.phimmoi.net/publisher/go/
?bannerid=673
&zoneid=3
&dtime=1467368202
&ctype=CPD
&domain=phimmoi.net
&verify=fe8043c8f4e38373918ba129a804b5d4
&href=http://cuuam.360game.vn/intro/cackpg3/landing/index.html?utm_source=Banner&utm_medium=Phimmoi.net&utm_content=Phimmoi.net_PlayerPage_Right1_300x600

V? l� URL c?a m?t banner qu?ng c�o n�n hi?n nhi�n ��y l� m?t tr?nh chuy?n h�?ng li�n k?t. Sau khi th?c hi?n ch�t nghi�n c?u nh?, t? ph�t hi?n ra trong c�c tham s? c?a URL th? ch? c� tham s? href l� b?t bu?c (required). Nh� v?y, t? ho�n to�n c� th? l?i d?ng tr?nh chuy?n h�?ng n�y �? tr? t? b?t c? li�n k?t n�o t? mu?n. V� d?:

http://uniad.phimmoi.net/publisher/go/?href=https://junookyo.blogspot.com
Read More

Unknown Pada 07:47 Komentar

T�i �? hack trang SinhVienIT.net nh� th? n�o?

T�i �? hack trang SinhVienIT.net nh� th? n�o?

CSRF Write-up xss

L? h?ng b?o m?t XSS tr�n sinhvienit.net

M?t ng�y �?p tr?i, t? l�n Google ki?m link t?i Visual Studio. Nh� th�?ng l?, SVIT (sinhvienit.net) v� VNZ (vn-zoom.com) lu�n �?ng top khi t?m ki?m m?y ph?n m?m... cr@ck. Kh?i ph?i suy ngh?, t? li?n nh?n v�o m?t link c� th? tin t�?ng (l� trang n�o th? c�c b?n c?ng bi?t r?i �?y, li�n quan t?i b�i vi?t m�).
Read More

Unknown Pada 05:52 Komentar