Spentera Blog

Bypassing Anti Frida on Android

This article explores a powerful technique to overcome these defenses: patching native libraries. By directly modifying the application's core components, we can effectively circumvent anti-Frida mechanisms and gain deeper insights into the app's functionality.

General

Windows Red Team Lab Review

Students will be given remote desktop access to student machines that are connected to the Windows Active Directory with least privilege, and privilege escalation on student machine is part of challenge.

Exploit Development

Zahir Accounting Enterprise Plus 6 <= build 10b 0day Exploit Vulnerability Discovery

Zahir Accounting adalah software akuntansi yang sangat banyak digunakan oleh tingkatan SOHO (Small Office Home Office) di Indonesia. Selain harganya yang terjangkau, Zahir memiliki fitur yang lebih dari cukup untuk menyelesaikan pencatatan akuntansi yang tanggung, dalam arti mampu menyisir tingkat menengah ke bawah dan juga mampu menghadapi tantangan akuntansi yang

Security Advisory

FileRun: Blind SQL Injection Vulnerability

We discovered a vulnerability during a pentest in a file sharing web application named FileRun. It allows us to access files anywhere through a self-hosted secure cloud storage, backup and sharing files for photos, videos, files and more. The Vulnerability The vulnerability was discovered after the authentication. After we logged

Exploit Development

CyberLink LabelPrint: Buffer Overflow

It’s been a while since our last post about exploitation. This time, we try to explain a stack-based overflow on Cyberlink LabelPrint, a tool to assist in designing labels for CD / DVD covers. It is included in the installation of Cyberlink Power2Go, PowerDVD, and Power Producer software and

Exploit Development

ALLPlayer: Buffer Overflow (SEH Unicode)

After playing around with unicode stack overflow, I try to do it on an application called AllPlayer. The techniques used are not much different, so the result will be the same as the previous exploits. It seems that this application is never updated by the developer, despite being widely used.

Web Security

NetGain Enterprise Manager: Authentication Bypass / Local File Inclusion

We discovered a vulnerability on NetGain Enterprise Manager (ver. 7.2.647) during a pentest. We believe that this vulnerability is quite rare and worth to share. Local File Inclusion Normal Request: POST /u/jsp/log/download_do.jsp HTTP/1.1 Host: 192.168.0.21:8081 User-Agent: Mozilla/

Tutorials

SMB Exploit (MS17-010) dengan EternalBlue dan DoublePulsar

EternalBlue dapat digunakan untuk melakukan eksploitasi pada layanan Server Message Block (SMB) tanpa membutuhkan proses otentikasi. Kemudian ditambah dengan menggunakan DoublePulsar untuk mengirim sekaligus mengeksekusi malicious Dynamic-Link Libraries (DLL) atau raw shellcode pada komputer korban. Berikut contoh percobaan eksploitasi pada layanan Server Message Block (SMB) menggunakan EternalBlue dan DoublePulsar. Percobaan

Security Advisory

Wordpress: Multiple Vulnerabilities in Simple Login Log Plugin

We discovered a vulnerability in a WordPress plugin called Simple Login Log Plugin. Vulnerability: Authenticated Blind SQL Injection, Source IP Address Manipulation Affected Version: 1.1.1 (below version may be affected as well) Patched Version: Not available yet (vendor already contacted but no response) Blind SQL Injection =================== Affected URL:

Walkthrough

Hackfest 2016 Orcus Walkthrough

This is a write up for Hackfest 2016 Orcus found in Vulnhub, just to fill my leisure time! Download here Hackfest 2016 Orcus Nmap root@kali:~# nmap -sC -sV -p- 192.168.1.108 Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2017-03-25 20:41 WIB Nmap scan report

Security Advisory

NetGain Enterprise Manager: 'Ping' Command Injection

We discovered a vulnerability on NetGain Enterprise Manager (ver. 7.2.562) during a pentest. We believe that this vulnerability is quite rare and worth to share. Description: Command injection is an attack in which the purpose is execution of arbitrary commands on the host operating system via a vulnerable

Security Advisory

Wordpress Profile Builder Plugin: Stored XSS

Simple stored Cross Site Scripting (XSS) found in WordPress Profile Builder Plugin version 5.2.7 and below. This is just a PoC example, just fill in the minimum password length field with [code]8″><script>alert(1)</script>[/code] After we save the

Walkthrough

TAKE DOWN Mr-Robot: 1

Yesterday, I opened Vulnhub.com and there was challenge from Mr Robot. The same TV series will be released soon in the month of July 2016. So here it goes, in a fast manner ? Objective: find three hidden keys Netdiscover Nmap As nmap says, port 80 and 443 are open.

Security Advisory

Centreon Enterprise Server 2.3.3 - 2.3.9-4: Blind SQL Injection

We discovered the vulnerability when we’re looking for alternate software in network monitoring. We know and we love Nagios, and so the Centreon, they provide a very nice interface of Nagios. Centreon provide nice features and ease of use when you’re dealing with network monitoring. The backend

Security Advisory

PC Media Antivirus: Insecure Library Loading Vulnerability

PC Media Antivirus (PCMAV) is an AV software made in Indonesia. It’s quite popular back in 2006 since many virus creators in Indonesia actively spread viruses, and infecting most computers. At the time, some people started to claim a special AV to detect viruses, some of which are

Security Advisory

SmadAV: Null Pointer Dereference Vulnerability

We discovered that SmadAV antivirus 9.1 is susceptible to null pointer exploitation. The application does not properly filter the scanner input that is processed into smadengine.dll. The successful exploitation of this vulnerability could potentially result a crash on the application, since it will refer to a null pointer,

Security Advisory

Trend Micro Control Manager: SQL Injection Vulnerability

Trend Micro Control Manager prior to version 5.5 build 1823 (English and Japanese version) and version 6 build 1449 (English version only) are susceptible to SQL Injection. The application does not properly filter user-supplied input. The successful exploitation of this vulnerability could potentially result in arbitrary SQL command input

Security Advisory

webERP: SQL Injection

webERP (ver. 4.08.4) is a mature open-source ERP system providing best practice, multi-user business administration and accounting tools over the web. The vulnerability we discovered sits in the WO (work order) parameter, file WorkOrderEntry.php in the Manufacturing menu.

Security Advisory

Trend Micro InterScan Messaging Security Suite: Multiple Vulnerabilities

We discovered that Trend Micro InterScan Messaging Security Suite is vulnerable to Cross Site Scripting and Cross-site Request Forgery. Proof of Concept The vulnerabilities POC are as follow: Cross-site Scripting (CVE-2012-2995) (CWE-79) Persistent/Stored XSS hxxps://127.0.0.1:8445/addRuleAttrWrsApproveUrl.imss?wrsApprovedURL=xssxss"<script>

Security Advisory

gtAkademik Gamatechno: SQL Injection and Persistent XSS

We discovered that gtAkademik Gamatechno web application is susceptible to SQL Injection and Cross-site Scripting (XSS). Stored/Persistent XSS The web application allows an attacker to inject XSS script inside the database (stored), because there is no sanitation process. There are 2 modules affected by XSS: Message Module and Update

Security Advisory

Ezhometech Ezserver: Stack Overflow Vulnerability

EZserver version 6.4.017 or below contains a buffer overflow vulnerability which may be exploited to cause a denial of service or arbitrary code execution. Vulnerability Details Buffer overflow condition exist in URL handling, sending long GET request to the server on port 8000 will cause server process to

Security Advisory

Hexamail Server: Persistent XSS Vulnerability

Hexamail Server version 4.4.5 or below is vulnerable to a persistent cross-site scripting (XSS) via HTML email. Vulnerability Description Hexamail Server suffers persistent XSS vulnerability in the mail body, allowing malicious user to execute scripts in a victim’s browser to hijack user sessions, redirect users, and or

Exploit Development

CyberLink Power2Go: Unicode Stack Overflow

The proof of concept of the vulnerability has been released on 9 December 2011, and no further announcement from CyberLink. I tried to coordinate the issue until they didn’t contact me anymore. A week after our last email, they updated the product, and yes it’s Power2Go

Security Advisory

Distinct TFTP Server: Directory Traversal Vulnerability

Overview Distinct TFTP Server is part of Distinct Intranet Servers made by Distinct. Corp. We discovered that version 3.10 is susceptible to directory traversal attack. Attackers can exploit this vulnerability to retrieve or upload files outside the TFTP server root directory. Software Description From Distinct website: Distinct Intranet Servers,

Tutorials

Directory Traversal with DotDotPwn (HTTPS Mode)

This is my experience when I was dealing with some applications that have a Directory Traversal vulnerability. I was using DotDotPwn by nitr0us when finding a vulnerability on Quickshare File Server 1.2.1 (on the FTP protocol). I also used DotDotPwn when doing a pentest on my client. So,