SQLi Data Exfiltration via DNS
Did you know you can use DNS queries to exfiltrate data from a database via SQLi? No? Then continue reading! I'll walk through some techniques you can use to enumerate and exfiltrate data from a DB server via blind SQLi. On a recent web app test, I encountered a...
Maintaining Session States in .NET Apps With Burp
During a recent web app test, I encountered a situation when I would be randomly logged out of the application when running sqlmap. I wasn't manipulating any of the session cookies and the logouts happened at random times. I needed a way to detect when I got logged...
Capturing SQL Server User Hash with SQLi
On a recent external web app pen test, I found a possible SQL injection vulnerability using the Burp Scanner. One of the tests triggered an A record lookup for the Burp Collaborator server. In the screenshot below, we can see the test that triggered the finding....
Getting a Handle on Large Parameter Sets
During a recent web app engagement, I wanted to run some of the Burp Scanner automated checks, but I was confronted with several issues. First, this particular application did not respond kindly to manipulation of the session cookies. The application and its single...
Getting to the (Actual) Goal
While certainly not a new topic, there has been plenty of discussion recently around the goals of pen testing. Many believe that getting DA is the be-all and end-all of an engagement. Others think it might be a valid finding, but falls short of meeting the actual...
Beyond Net User – Part 2: DS Commands
In the previous post we discussed some of the limitations of Net commands. Most notably, the output limitation (doesn't show all groups) and it doesn't allow for flexible searching. In this post we'll discuss the DS commands to get around these limitations. DSGet,...
Beyond Net User – Part 1: Limitations of the “Net” commands
I've had a number of cases where the Windows "net user", "net group", and "net localgroup" have failed me. I've had SQLMap fail to give the last line of "net user" output, I've had "net group /domain" not give me the full names (I still don't get how that failed!). On...
Better FDE Passphrase with macOS FileVault
I use full disk encryption (FDE) on all my laptops and portable media. I like to have a very strong passphrase for these, one that is even stronger than that for my user accounts. Let's be realistic, very very few people are going to use a 60 character passphrase for...
3 Years of DirecTV User-Agent Command Injection
I found a bug in one of my DirecTV devices in 2015 after I got DirecTV. DirecTV didn't have a bug bounty program at that time so I used it as a demo in my classes. When AT&T bought DirecTV it then fell under AT&T's bug bounty, which is awarded quarterly. I...
Doll Hacking: The Good, The Bad(words) and the Ugly (features)
The age of internet connected toys is upon us. Increasingly, we are seeing children's toys connected to the internet, commonly through an app. I recently purchased a My Friend Cayla (http://www.myfriendcayla.com/) for uh…testing. I wanted to test the security of the...
No spam. No junk. Just notifications on new content.