Creating a Quick PoC for an Exploit with Docker

We will create a quick PoC for an exploit of a WordPress vulnerability. I’ll be emphasizing the process more than the vulnerability itself. For this demo, we will be exploiting an old content injection vulnerability. You can read about its technical details at https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html.

In short, the exploit only requires sending a REST API call to the WordPress application.

To stage the demo, we will:

  • Set up a container that runs the vulnerable WordPress 4.7. We’ll create a WordPress/MySQL stack with Docker Compose.
  • Make an HTTP POST request with new content that overwrites the original post. I will use the HTTPie tool. You may choose any tool you’re familiar with, e.g. curl, Postman, Insomnia.

Prerequisites:

  • You must have Docker already installed. Running the command “docker version” from the CLI should return the server version.
  • You have an HTTP client that can make a JSON HTTP POST. I already have HTTPie on my Mac; I installed it with “brew install httpie”.

Create a directory.

Save the following file as ‘docker-compose.yml’:

Within the same directory run the following command:

You should see Docker downloading images and spinning up the servers. Once finished, you should be able to browse to http://localhost:8080 from your browser. Follow the instructions to finish the installation (by entering a site name, username, password and a fake email). Then you will see the admin dashboard. Go to Settings > Permalinks and choose the second option to enable pretty links. Open another browser window or a new tab and browse to http://localhost:8080 again. You should see your blog and a “Hello World” post.

To start the exploit, run the following command from the shell/terminal to overwrite the post content.

Now browse the site again and observe that the “Hello World” post content has changed.

To end the PoC, press Ctrl+C on the docker-compose terminal.
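From the defender’s side, the same exploit leaves a trace in the web server’s access log: a write-method request to the posts REST route. The following is an added example (not part of the original post) that hunts for such requests; the combined-format log lines, addresses and user agents are constructed for the demo. Legitimate editors produce the same requests when logged in, so treat hits as leads to correlate with sessions rather than as proof of compromise.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines in Apache/nginx "combined" format (addresses, times and
# user agents are made up for the example, not captured traffic).
SAMPLE_LOG = """\
172.18.0.1 - - [10/Feb/2017:10:01:02 +0000] "GET /?p=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
172.18.0.1 - - [10/Feb/2017:10:01:09 +0000] "GET /wp-json/wp/v2/posts/1 HTTP/1.1" 200 1843 "-" "HTTPie/0.9.9"
172.18.0.1 - - [10/Feb/2017:10:01:15 +0000] "POST /wp-json/wp/v2/posts/1 HTTP/1.1" 200 1902 "-" "HTTPie/0.9.9"
172.18.0.1 - - [10/Feb/2017:10:02:30 +0000] "POST /?rest_route=/wp/v2/posts/1 HTTP/1.1" 200 1902 "-" "curl/7.51.0"
172.18.0.1 - - [10/Feb/2017:10:03:00 +0000] "PUT /wp-json/wp/v2/posts/1 HTTP/1.1" 401 312 "-" "HTTPie/0.9.9"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

def is_posts_route(target):
    """True if the request addresses the wp/v2/posts REST route, either through the
    pretty /wp-json/ prefix or through the ?rest_route= form used without pretty permalinks."""
    parts = urlsplit(target)
    if parts.path.startswith("/wp-json/wp/v2/posts"):
        return True
    return any(r.startswith("/wp/v2/posts") for r in parse_qs(parts.query).get("rest_route", []))

def rest_post_writes(log_text):
    """Every write-method request to the posts route; reads (GET) are left alone."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m["method"] in WRITE_METHODS and is_posts_route(m["target"]):
            hits.append({"ip": m["ip"], "time": m["ts"], "method": m["method"],
                         "target": m["target"], "status": int(m["status"]), "ua": m["ua"]})
    return hits

def accepted_writes(hits):
    """Writes the server answered 2xx, i.e. the post content was actually modified."""
    return [h for h in hits if 200 <= h["status"] < 300]

if __name__ == "__main__":
    for h in rest_post_writes(SAMPLE_LOG):
        print(f'{h["time"]} {h["ip"]} {h["method"]} {h["target"]} -> {h["status"]} ({h["ua"]})')
```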

Using tshark to Decrypt SSL/TLS Packets

I’m going to walk you through the process of decoding SSL/TLS traffic from a pcap file with the server’s private key using tshark (the command-line version of Wireshark). You can, of course, always use ssldump for the same purpose.

I assume you know how SSL/TLS works and have a basic understanding of how Wireshark works and why we use it.

I will start by getting a sample of encrypted traffic that includes the handshake (important for decryption later). For that purpose, we are going to use the openssl command to generate a server certificate and key pair, and then run an HTTPS server with openssl’s s_server command on port 4443 (or any other port you like) using the generated certificate and key. Then we will issue a GET request to the HTTPS server via curl. In the meantime, we will capture the traffic with tshark and save it into the ssltest.pcap file.

At this point, we should have the file called ssltest.pcap from tshark, and server.crt/server.pem from the openssl commands.

Next, we are going to read the pcap file and decode the traffic.

In the Wireshark GUI, we can follow the “SSL stream”, which dumps the ASCII output of the stream. How do we do that with tshark?

You will see output similar to the following:
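One check worth doing before handing tshark the key: decryption with the server’s private key only works when the session negotiated plain RSA key exchange, so the handshake captured above decides whether the pcap is decryptable at all. The following is an added example (not from the original post) that reads the negotiated cipher suite out of a ServerHello record, classifies it, and assembles the tshark command line; the ServerHello bytes are constructed in the script, and the 127.0.0.1/4443/server.pem values mirror the local setup described above.

```python
import struct

# Suites with plain RSA key exchange: the premaster secret is encrypted to the server's
# public key, so the server's private key decrypts the session (values from the IANA registry).
RSA_KX_SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
}
# (EC)DHE suites (e.g. 0xC02F) and TLS 1.3 suites (e.g. 0x1301) derive keys from an ephemeral
# exchange; the server key alone cannot decrypt them, so a key log from the endpoint is needed.

def server_hello_cipher_suite(record):
    """Parse one raw TLS record carrying a ServerHello; return the negotiated cipher suite.
    From the pcap the same value comes out of:
    tshark -r ssltest.pcap -Y "tls.handshake.type == 2" -T fields -e tls.handshake.ciphersuite"""
    content_type, _version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != 22:  # 22 = handshake
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if body[0] != 2:  # handshake type 2 = ServerHello
        raise ValueError("not a ServerHello")
    pos = 4 + 2 + 32           # handshake header, server_version, random
    pos += 1 + body[pos]       # session_id length byte plus session_id
    return struct.unpack("!H", body[pos:pos + 2])[0]

def decryptable_with_server_key(suite):
    return suite in RSA_KX_SUITES

def tshark_decrypt_cmd(pcap, port, keyfile, server_ip="127.0.0.1", stream=0):
    """Command line that registers the key for the server address/port and follows TLS stream N
    (Wireshark 3.x names; releases before 3.0 spell these ssl.keys_list and follow,ssl)."""
    return ["tshark", "-r", pcap,
            "-o", f"tls.keys_list:{server_ip},{port},http,{keyfile}",
            "-q", "-z", f"follow,tls,ascii,{stream}"]

def build_server_hello(suite, session_id=b"\x11" * 8):
    """Constructed ServerHello record for the demo: TLS 1.2, zeroed random, no extensions."""
    body = b"\x03\x03" + b"\x00" * 32 + bytes([len(session_id)]) + session_id
    body += struct.pack("!H", suite) + b"\x00"            # cipher suite, null compression
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 22, 0x0303, len(handshake)) + handshake

if __name__ == "__main__":
    for suite in (0x002F, 0xC02F):
        got = server_hello_cipher_suite(build_server_hello(suite))
        print(hex(got), "server-key decryptable:", decryptable_with_server_key(got))
    print(" ".join(tshark_decrypt_cmd("ssltest.pcap", 4443, "server.pem")))
```

If the suite is not in the RSA set, the capture cannot be decrypted with server.pem no matter how the key is passed; re-run the s_server test with an RSA key-exchange cipher or capture the session keys on the endpoint instead.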

Making SQL Queries

This article summarizes how we make SQL queries in different languages and their methods. Making the connection to the database will not be covered here.

In the examples, we will be querying “SELECT * FROM employees where eid =and dept =”

Using SQL statements without placeholders is not recommended; placeholders reduce the risk of SQL injection.

Java

In Java, we can use JDBC, Hibernate, or other database frameworks to interact with databases. Generally, I would prefer to use methods that allow me to bind “values” into an SQL query. With JDBC, we can use a PreparedStatement (obtained through prepareStatement). There is also createStatement, which gives a plain Statement where user-supplied values are inserted into the query text directly.

Basically the flow looks like this:

  1. Get a “Connection” object with DriverManager.
  2. From the “Connection” object, we create a “Statement” object with the SQL statement.
  3. From the Statement object, we generate a “ResultSet”.

PHP

PHP has more ways to interact with a database, and they depend on the modules the PHP interpreter is built with. We can use the MySQL extension, the PostgreSQL extension, or ADODB or PDO as generic abstraction interfaces.

With mysqli extension

NOTE: Why mysqli instead of the mysql extension? If we are using MySQL 4.1.3 or above, the PHP manual recommends mysqli, which is the improved version. Reference.

With PostgreSQL extension

With ADODB

With PDO
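As an added, language-neutral illustration of the placeholder advice above (example code, not from the article), here are the two approaches side by side using Python’s built-in sqlite3 module, which binds “?” placeholders the same way JDBC’s PreparedStatement and PDO’s prepare() do. The employees table, its rows and the crafted input are constructed for the demo.

```python
import sqlite3

def make_db():
    """Constructed in-memory employees table for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (eid TEXT, dept TEXT, salary INTEGER)")
    conn.executemany("INSERT INTO employees VALUES (?, ?, ?)",
                     [("e100", "sales", 4000), ("e200", "hr", 4500), ("e300", "it", 6000)])
    return conn

def query_concatenated(conn, eid, dept):
    """createStatement-style: user input is pasted into the SQL text itself."""
    sql = "SELECT * FROM employees where eid = '%s' and dept = '%s'" % (eid, dept)
    return conn.execute(sql).fetchall()

def query_prepared(conn, eid, dept):
    """PreparedStatement/PDO-style: '?' placeholders, values bound by the driver."""
    sql = "SELECT * FROM employees where eid = ? and dept = ?"
    return conn.execute(sql, (eid, dept)).fetchall()

def demo():
    conn = make_db()
    normal = (query_concatenated(conn, "e100", "sales"), query_prepared(conn, "e100", "sales"))
    # Crafted input closes the string literal and appends an always-true condition, so the
    # concatenated query's WHERE clause matches every row; the bound version compares the
    # whole string as a literal eid value and matches nothing.
    crafted_eid, crafted_dept = "x' OR '1'='1", "nothing' OR '1'='1"
    injected = query_concatenated(conn, crafted_eid, crafted_dept)
    safe = query_prepared(conn, crafted_eid, crafted_dept)
    return normal, injected, safe

if __name__ == "__main__":
    normal, injected, safe = demo()
    print("normal lookup:", normal[0], "==", normal[1])
    print("concatenated, crafted input:", len(injected), "rows leaked")
    print("prepared, crafted input:", len(safe), "rows")
```

Placeholders bind values only: a table or column name taken from user input still has to be checked against an allow-list, since it cannot be passed as a “?” parameter.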

KDE 4.8, Google Chrome and the Proxy

My KDE was just upgraded to v4.8 from v4.7.x. Privoxy was also configured on the same PC, just to strip some code. Google Chrome is configured to use the Privoxy proxy on port 8118.

After the upgrade, Google Chrome failed to connect to the internet. At the same time, Firefox was working perfectly with or without Privoxy.

I tried to capture the packets on the local interface on port 8118, and got nothing coming in. I still wasn’t sure what was happening, and even tried to re-compile Privoxy and tweak some of its settings. It was still not working.

Then I needed to check KDE’s config file where it stores the proxy settings, as Google Chrome uses KDE’s settings. And there, the proxy is stored as “http://127.0.0.1 8118”, with a space between the host and the port. In version 4.7.x, it was stored in the http://host:port format. Google Chrome fails to parse the new setting. The config file is located under ~/.kde4/share/config/kioslaverc.

In order to make things work, I needed to manually tweak that line back to the v4.7.x format, or run Google Chrome with the --proxy-server setting.

YQL, Python, and Yahoo Finance

YQL is a way to get information from web services using SQL-like queries. It also provides a console where we can test our queries and generate the REST query. To see how it works, just go to the console page and enter the following as the YQL statement:

Then set the output to either “XML” or “JSON”, and click “Test”. I personally prefer JSON and will use JSON throughout the example. I unchecked “Diagnostics” and emptied the text field next to “JSON”.

The command will fetch the information related to the stock quote FFIV (F5 Networks, NASDAQ) from Yahoo Finance. Inside the “Formatted View” window, you will see a result like this:

Below that text field, we can find the REST statement that we can use to send the query to the server. It looks like this for our query:

This is how we can fetch stock information using YQL and receive it in JSON. Since this is public data, we can send the REST request directly; otherwise we need API keys to access the data.

Let’s see how we can fetch the information via Python.

That should print the whole JSON response. We can use the simplejson module to parse the result. It looks like this:

The Python statements are pretty much self-explanatory.

Here’s another example from Yahoo, to get stock information from open data tables.

SSL and HTTP Basic Authentication

In general, when I want to force the browser to access a certain part of my website via HTTPS when the request is made over HTTP, I put a .htaccess inside that web directory.

But when I also want to protect the directory with HTTP Basic Auth, it creates a double authentication. I’ll expand this section after I capture the headers.

As a quick workaround, I use this hack in .htaccess:

Haiku OS

Haiku is another open source operating system, and IMO we can say it continues from where BeOS left off. I haven’t had a chance to try BeOS, but I have read about what it was supposed to do and seen some beautiful screenshots. BeOS was a closed source OS, and some loyal users tried to re-create the OS under an open source license.

And there came Haiku OS, an open source OS, which released its alpha version in 09/2009. It is written in C++. The ISO image, as well as qemu/vmware images, are now available to download. I just did a test run via their live CD image, and I would say I’m quite impressed. I wish it’d continue to the R2 release soon.


A Walk in the Clouds

I’ve moved this site over to the cloud servers by Rackspace from my previous shared host. Actually, I was looking for a cloud server and cloud storage so that I could play with Hadoop. I found Amazon EC2 servers and S3, but their service charges are expensive for me. While searching for alternatives, CloudServers caught my attention.

It is cheaper than Amazon’s services, but at the moment I don’t think I can test Hadoop on CloudServers with CloudSpace. I’m using it more like a virtual private server that gives me “root” access. The good thing is you can modify the resources as you wish, so I would say it’s quite scalable. You are also charged by the hour (uptime). Rackspace will charge you even if you turn off the machine; they will not charge after we have deleted the server. If you want to test something for a project, you can just subscribe for the desired amount of memory and disk space, and delete the server after it’s been used. We will only be charged for that period. That’s the flexibility I prefer.

I’ll see what I can do with my server, and update the blog again.

Kudos to ICA (Singapore)

Recently I applied for entry visas for four of my relatives, about two or three weeks in advance, and the visas were approved by ICA.

Just one day before the flight, one of my relatives learnt that her daughter (2 years old) needed to obtain a visa and air ticket. I opened the SAVE application website and made the application for the baby. Travel arrangements had already been made, and they were worried that the visa approval might be late and they would have to rearrange the flights. It usually takes one business day to process. But to my surprise, ICA approved the visa within 3 hours of submission, which relieved all the worries of the family.

I really would like to give my heartfelt thanks to the officers at ICA who are working hard and understand the need for urgency.

To those who want to submit visa application from the web:

  • The online visa application can be found on the home page of ICA, which is http://www.ica.gov.sg
  • Or do a search on Google for “save singapore”, and follow the links.
  • Please have your Singpass ready. If you don’t have one, it’s a good idea to make a request at http://www.singpass.gov.sg.
  • The application requires a fee of S$30, which is payable by eNETS (Visa/Master).
  • Please have the applicants’ information ready. Most data can be found in the passport, plus the current address in the home country and educational qualification. And a digital photo.

Standard Chartered Bank, Singapore

Last week, I went to a branch to open an XtraSaver account. As usual, their personal banking consultant asked me if I wanted to open their Supersalary account. I said no and told him I just wanted an XtraSaver account. Then he tried to open an account for me, and suddenly he had to see his manager for some verification. About three minutes later, he told me that Burmese are not allowed to open an account. Well, they were not supposed to tell me this, and they had the right to reject my application without giving any reason. But it was good to hear their reason for the rejection.

I just left the bank and checked their website to see if they had any written information about this. I couldn’t find any, and I sent them an email inquiring about account opening, stating my nationality and residential status.

A few days later, a girl called me and asked me to open an account at Six Battery Road. I was surprised, and she arranged an appointment for me with the staff at the branch.

It was my fault that I didn’t check thoroughly with her, and I blamed myself for trusting Standard Chartered Bank again. This time, I wasn’t told the reason; I was only told it was due to some policies. It might be the same reason. I’m not interested in their policies. All I know is Standard Chartered Bank just wasted my time and resources. The bank doesn’t seem to have any connection/communication between their departments. Although I wasn’t allowed to open the savings/checking account, he asked me if I was interested in Fixed Deposits. Huh. I’m done with that bank. I should also warn nationals of Myanmar not to waste time going to the bank to open an account.

I understand that Burmese people can be rejected by any US or European financial institution due to sanctions. If this is the case, my enquiry should have been returned with a negative reply so that I wouldn’t have wasted my time going to Standard Chartered Bank.