<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">

 <title>Shivam Singh</title>
 <link href="https://shivam043.github.io/atom.xml" rel="self"/>
 <link href="https://shivam043.github.io/"/>
 <updated>2018-05-18T19:28:59+00:00</updated>
 <id>https://shivam043.github.io</id>
 <author>
   <name>Shivam Singh</name>
   <email>shivam043@gmail.com</email>
 </author>

 
 <entry>
   <title>Security Research Work for Directi Part2</title>
   <link href="https://shivam043.github.io/2017/01/12/Directi2.html"/>
   <updated>2017-01-12T00:00:00+00:00</updated>
   <id>https://shivam043.github.io/2017/01/12/Directi2</id>
   <content type="html">&lt;p&gt;This post is regarding critical vulnerability i found on directi’s codechef.com&lt;/p&gt;

&lt;h2 id=&quot;proof-of-concept&quot;&gt;Proof of Concept&lt;/h2&gt;

&lt;p&gt;Earlier,I have reported a critical vulnerability(directory traversal) in the main domain(codechef.com).This time I thought of looking into the subdomains of codechef.com.&lt;br /&gt;
Through subdomain bruteforcing one domain caught my attention https://mail.codechef.com. &lt;br /&gt;
So,started looking for some juicy stuffs through dir-buster. &lt;br /&gt;
Got 200ok response from info.php file.&lt;br /&gt;
OWASP-A6 (https://www.owasp.org/index.php/Top_10_2013-A6-Sensitive_Data_Exposure) &lt;br /&gt;
&lt;img src=&quot;https://shivam043.github.io/public/blog/s11.png&quot; alt=&quot;Here is the screenshot:&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Disclosure of phpinfo server file:&lt;br /&gt;
&lt;img src=&quot;https://shivam043.github.io/public/blog/s12.png&quot; alt=&quot;Here is the screenshot:&quot; /&gt;
&lt;img src=&quot;https://shivam043.github.io/public/blog/s13.png&quot; alt=&quot;Here is the screenshot:&quot; /&gt;&lt;/p&gt;

&lt;h2 id=&quot;sql-injectioncritical-&quot;&gt;SQL-INJECTION(CRITICAL) &lt;br /&gt;&lt;/h2&gt;
&lt;p&gt;https://www.owasp.org/index.php/SQL_Injection
Through some googling, I found that mail.codechef.com was using sendy email newsletter application.&lt;br /&gt;
Two vulnerabilities were available publicly through exploit database of sql-injection.Here is the screenshot-&amp;lt;/br&amp;gt;
Url-https://www.exploit-db.com/exploits/31898 &lt;br /&gt;
&lt;img src=&quot;https://shivam043.github.io/public/blog/s14.png&quot; alt=&quot;Here is the screenshot:&quot; /&gt;
mail.codechef.com is using a vulnerable version  of sendy.&lt;br /&gt;
&lt;img src=&quot;https://shivam043.github.io/public/blog/s14.png&quot; alt=&quot;Here is the screenshot:&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Url-&amp;gt;https://mail.codechef.com/app?i= [vulnerable-sql-injection-point] &lt;br /&gt;
Sqlmap confirms the sql-injection.This is a critical vulnerability which can compromise the server.
Fix-Upgrade to the latest version &lt;br /&gt;
&lt;img src=&quot;https://shivam043.github.io/public/blog/s15.png&quot; alt=&quot;Here is the screenshot:&quot; /&gt;&lt;br /&gt;&lt;/p&gt;
&lt;h2 id=&quot;cross-site-scripting-&quot;&gt;CROSS-SITE SCRIPTING-&lt;/h2&gt;
&lt;p&gt;https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
Inserting a javascript payload in the redirect parameter leads to its execution.&lt;br /&gt;
&lt;img src=&quot;https://shivam043.github.io/public/blog/s16.png&quot; alt=&quot;Here is the screenshot:&quot; /&gt;&lt;br /&gt;&lt;/p&gt;

</content>
 </entry>
 
 <entry>
   <title>Apnaghar</title>
   <link href="https://shivam043.github.io/2016/12/28/Apnaghar.html"/>
   <updated>2016-12-28T00:00:00+00:00</updated>
   <id>https://shivam043.github.io/2016/12/28/Apnaghar</id>
   <content type="html">&lt;h3 id=&quot;this-post-is-a-project-made-on-python-framework-flask&quot;&gt;This post is a project made on Python Framework Flask&lt;/h3&gt;

&lt;h2 id=&quot;about&quot;&gt;About&lt;/h2&gt;

&lt;h4 id=&quot;apnaghar-is-a-webapp-build-on-python-framework-flask-which-helps-user-to-choose-properties-listings-based-on-locationcompare-property-rateschat-with-the-owner-of-the-property-and-filter-the-properties-by-locationluxury-and-price&quot;&gt;Apnaghar is a webapp build on Python Framework Flask which helps user to choose properties listings based on location,compare property rates,chat with the owner of the property and filter the properties by location,luxury and price&lt;br /&gt;&lt;/h4&gt;

&lt;p&gt;&lt;a href=&quot;https://github.com/shivam043/ApnagharModified&quot;&gt;Project Link&lt;/a&gt;&lt;br /&gt;&lt;/p&gt;

</content>
 </entry>
 
 <entry>
   <title>Security Research Work for Directi Part1</title>
   <link href="https://shivam043.github.io/2016/10/11/Directi1.html"/>
   <updated>2016-10-11T00:00:00+00:00</updated>
   <id>https://shivam043.github.io/2016/10/11/Directi1</id>
   <content type="html">&lt;h1 id=&quot;this-post-is-regarding-critical-vulnerability-i-found-on-directis-codechefcomwas-awarded-a-bug-finder-t-shirt-and-a-1000-laddus-as-a-part-of-rewarding-system&quot;&gt;This post is regarding critical vulnerability i found on directi’s codechef.com.Was Awarded a bug finder t-shirt and a 1000 laddus as a part of rewarding system.&lt;/h1&gt;

&lt;h2 id=&quot;proof-of-concept&quot;&gt;Proof of Concept&lt;/h2&gt;

&lt;p&gt;I started digging using burpsuite for session mishandling and idor but found nothing.&lt;br /&gt;
On going deeper using a Google Dork (Advanced Search Technique on Google) site:www.codechef.com inurl:”php” &lt;br /&gt;
Executing the dork above on Google gives me these results:&lt;br /&gt;
&lt;img src=&quot;https://shivam043.github.io/public/blog/dork.png&quot; alt=&quot;A Screenshot of the google dork&quot; /&gt;&lt;/p&gt;

&lt;p&gt;So, I got 3 results with same URL Scheme&lt;br /&gt;
www.codechef.com/download.php?file=[vulnerable]&lt;br /&gt;
I figured out that the “file” parameter is the File Name which got downloaded automatically. So, It quickly reminds me that this kind of URL Scheme is possibly vulnerable to Directory Traversal. &lt;br /&gt;
&lt;img src=&quot;https://shivam043.github.io/public/blog/s1.png&quot; alt=&quot;A Screenshot of the local file dowbload&quot; /&gt;&lt;/p&gt;

&lt;p&gt;After browsing the URL above, something popped out and asked me to download a file and here’s the content of the file I have downloaded.&lt;br /&gt;
&lt;img src=&quot;https://shivam043.github.io/public/blog/s2.png&quot; alt=&quot;A Screenshot of the etc file which i have downloaded&quot; /&gt;&lt;/p&gt;

&lt;p&gt;I also viewed etc/profile ,etc/services,server configuration file,php configuration file and many others files like backup files which contain sensitive data.&lt;br /&gt;
&lt;img src=&quot;https://shivam043.github.io/public/blog/s3.png&quot; alt=&quot;Here’s downloaded files(It is possible to download more system files)&quot; /&gt;&lt;/p&gt;

</content>
 </entry>
 
 <entry>
   <title>LiveStreamer</title>
   <link href="https://shivam043.github.io/2016/04/06/livestreamer.html"/>
   <updated>2016-04-06T00:00:00+00:00</updated>
   <id>https://shivam043.github.io/2016/04/06/livestreamer</id>
   <content type="html">&lt;p&gt;LiveStreamer is a python script that streams live channel in a webpage 
&lt;a href=&quot;https://github.com/shivam043/LiveStreamer&quot;&gt;link to project&lt;/a&gt;&lt;br /&gt;&lt;/p&gt;

&lt;h2 id=&quot;running-the-script&quot;&gt;Running the script&lt;/h2&gt;
&lt;p&gt;&lt;img src=&quot;https://shivam043.github.io/public/blog/livestreamer.png&quot; alt=&quot;A Screenshot of the script in action&quot; /&gt;&lt;/p&gt;

</content>
 </entry>
 
 <entry>
   <title>GoComic Downloader</title>
   <link href="https://shivam043.github.io/2015/01/27/gocomic.html"/>
   <updated>2015-01-27T00:00:00+00:00</updated>
   <id>https://shivam043.github.io/2015/01/27/gocomic</id>
   <content type="html">&lt;p&gt;GoComicDownloader is a python script that downloads new comics which are added daily to the website &lt;a href=&quot;https://gocomics.com&quot;&gt;GoComic&lt;/a&gt;
&lt;br /&gt;&lt;a href=&quot;https://github.com/shivam043/GoComicDownloader&quot;&gt;link to project&lt;/a&gt;&lt;/p&gt;

&lt;h2 id=&quot;running-the-script&quot;&gt;Running the script&lt;/h2&gt;
&lt;p&gt;&lt;img src=&quot;https://shivam043.github.io/public/blog/bruteforce-cyberoam-shell.png&quot; alt=&quot;A Screenshot of the script in action&quot; /&gt;&lt;/p&gt;

</content>
 </entry>
 

</feed>
