image – File Upload Vulnerability SVG

I am currently doing a bug bounty program and was testing the company’s file upload functionality. After meddling with the functionality for a while, I was able to change the extension of the uploaded file to ‘.svg’ using Burp Suite. I have read tons of articles saying that .svg files are equal to XSS. In my case I was not able to fully upload an SVG file since the server is checking the content of the file. I have changed the ‘Content-Type’ to image/svg and the file is uploaded, but when I change the content of the file to XML tags, the server denied my upload. I found out that in order for the file to be uploaded successfully, the beginning of the content type should be ‘…JFIF’, which is metadata to describe that the content is JPEG/PNG and is interchangeable. I have tried appending the SVG XML tags after the metadata and have successfully uploaded it to the server, but when the image is opened, a square image appeared and my XML tags are not being executed.

Is there any way I could bypass this image content to be able to execute XML? Is there any metadata for SVG perhaps?
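From the defender's side, the check the question describes (accepting a file because its first bytes look like a JPEG header) is exactly the weak point: a valid header with markup appended passes it. The following is an added example, not code from the question or from any bug bounty program, of the layered validation an upload endpoint should do instead: an allow-list of raster content types, an extension that matches the declared type, the file signature of that type, and a scan of the whole body for markup. The function names, the header set and the sample bytes are assumptions constructed for the example.

```python
import os
import re

# Allow-list of raster formats: declared content type -> permitted extensions
# and the magic bytes a genuine file of that format starts with.
ALLOWED_TYPES = {
    "image/jpeg": {"ext": {".jpg", ".jpeg"}, "magic": (b"\xff\xd8\xff",)},
    "image/png":  {"ext": {".png"},         "magic": (b"\x89PNG\r\n\x1a\n",)},
    "image/gif":  {"ext": {".gif"},         "magic": (b"GIF87a", b"GIF89a")},
}

# Markup that has no business inside a raster image. Checking only the first
# bytes is what the question says the server does; a valid JPEG header with
# SVG appended passes that check, so the whole body is scanned here instead.
MARKUP = re.compile(rb"<\?xml|<svg\b|<script\b|<!doctype|<html\b|<iframe\b",
                    re.IGNORECASE)


def validate_image_upload(filename, declared_type, data):
    """Return (accepted, reason). Every check must pass; none is trusted alone."""
    media_type = declared_type.lower().split(";")[0].strip()
    rule = ALLOWED_TYPES.get(media_type)
    if rule is None:
        return False, "content type not on the allow-list"
    ext = os.path.splitext(filename)[1].lower()
    if ext not in rule["ext"]:
        return False, "extension does not match declared content type"
    if not any(data.startswith(magic) for magic in rule["magic"]):
        return False, "file signature does not match declared content type"
    if MARKUP.search(data):
        return False, "embedded markup found in image body"
    return True, media_type


def download_headers(verified_type):
    """Headers for serving a stored upload so a browser never treats it as a page."""
    return {
        "Content-Type": verified_type,                 # the verified type, never the client's
        "X-Content-Type-Options": "nosniff",          # no sniffing the body into text/html
        "Content-Security-Policy": "default-src 'none'; sandbox",
        "Content-Disposition": "inline",
    }


if __name__ == "__main__":
    # Constructed sample: a minimal JPEG header, then the same with SVG appended.
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01" + b"\x00" * 16
    print(validate_image_upload("photo.jpg", "image/jpeg", jpeg))
    print(validate_image_upload("photo.jpg", "image/jpeg",
                                jpeg + b'<svg xmlns="http://www.w3.org/2000/svg"></svg>'))
```

Serving user uploads from a separate origin (a dedicated static domain) on top of these headers removes the remaining risk that a browser renders an upload in the application's origin at all.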

vulnerability scanners – My active scans end almost instantly on Burp Suite 2

I’ve got a problem. Before I came to Burp Suite, I tested OWASP ZAP on 2 web applications. Now I want to do the same with Burp Suite so I can compare the results. Here’s my approach.

To launch an attack, I:

  • right-click on my target that I previously enriched manually and with the crawl.
  • click on “scan”.
  • put scan type to “crawl and audit”.
  • configure my active scan with a library that seems complete.
  • add the different user accounts for the login page.
  • launch the scan.

However, this one finishes almost instantaneously each time. I can try several libraries by default, put them all at the same time, nothing to do. The scan is done instantaneously. I have the impression that it doesn’t manage to connect. Maybe it can’t recognize the login page. I know that on OWASP ZAP you had to indicate the POST request to connect and the parameters. Also, it took at least one hour for the tests to finish. I find the difference in execution time very suspicious, and in any case the number of requests made is clearly not the same, of course.

Do you have any idea where my problem could come from?

Thank you in advance for your help :]

permissions – Ensure ‘Adjust memory quotas for a process’ is set to ‘Administrators, LOCAL SERVICE, NETWORK SERVICE’ vulnerability for Windows 2008 R2 SQL

I have an MSSQL Windows 2008 R2 server. The vulnerability “Ensure ‘Adjust memory quotas for a process’ is set to ‘Administrators, LOCAL SERVICE, NETWORK SERVICE’” has been found. Current settings on my server are:

  • ‘mssqlserver’
  • ‘mssqlfdlauncher’
  • ‘administrators’
  • ‘sqlserversqlagentuser$$mssqlserver’
  • ‘network service’
  • ‘local service’

The CIS Microsoft Windows Server 2008 R2 Benchmark, and all other sources I have found, say remediation is to remove everything except administrators, network service, and local service. What are the possible outcomes if the other values are removed? If there are adverse side effects, how could I restore the original user/group security settings for this policy?

redhat – Does the BootHole Vulnerability Affect Grub1 or Only Grub2?

I’ve been doing some reading on BootHole to help understand our attack surface and see everything talking about GRUB2, but nothing about GRUB “Legacy” or GRUB1. I’m wondering if it has been tested against this older version of the bootloader. Older distros (RHEL5 & 6) used GRUB1 and I am just curious if they have been proven unaffected by BootHole. I can’t be the only one thinking this, but I haven’t been able to find anyone talking about it.

vulnerability – Learning about Exploitation using VMs. What vulnerabilities should I be implementing?

Recently, I’ve been working on a project to learn a little bit about the exploitation of vulnerable systems (kind of like vulnhub). Problem is, I want to do it DIY (learn more about configuration / setup this way), but I don’t really know what vulnerabilities to implement on a “victim” Debian machine that I will “attack” with Kali Linux (all in VMs at the moment).

What I’m looking for: Vulnerabilities that are seen commonly in real-world production environments. Misconfigurations or bugs in common programs / operating systems. I want to simulate something realistic — not too vulnerable yet still vulnerable enough to exploit and learn something. That’s not necessarily to say that Remote Code Exec and Priv Esc are unwanted; I just want to limit the number of those kinds of vulns to make my attack paths more interesting.

In other words, what general kinds of exploits or programs (OpenSMTPD, PHP stuff, etc.) that have historically been pretty vulnerable are there that I can install / configure onto my vulnerability lab and play around with? If applicable, a corresponding CVE would be really helpful too. Shoot me with your recommendations.

How to determine possible SQL injection vulnerability?

I ran the OWASP SQL injection scanner tool on a website’s sign-in page I formerly operated and two vulnerable parameters were displayed. The first parameter was “returnURL” and the second one was “isLogin”, showing POST DATA: IsLogin=true AND 1=1 --

What does this mean and how do I exploit this for testing purposes and ultimately fix the potential error? Should I use a Kali tool such as MySQL or do you have other suggestions?
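What the scanner reported is a boolean-based probe: it appended a condition that is always true and one that is always false to the isLogin value and got different responses, which only happens when the value is being parsed as part of the SQL statement. The following is an added example, not code from the question or from the site in question, showing the defect and the fix side by side on an in-memory SQLite table: a query built by string formatting, the same query with a bound parameter, and the input normalisation that turns the request value into a real boolean before it reaches the database. The table, the `is_login` column and the function names are assumptions constructed for the example; the probes use `1` in place of the scanner's `true` so the demonstration does not depend on the database's boolean-literal support.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for the site's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, is_login INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", 1), ("bob", 1), ("carol", 0)])
    return conn


def count_vulnerable(conn, is_login):
    # The request value is spliced into the SQL text, so the database parses
    # whatever the client sent as part of the statement.
    sql = f"SELECT COUNT(*) FROM users WHERE is_login = {is_login}"
    return conn.execute(sql).fetchone()[0]


def parse_flag(value):
    # Normalise the request value into the only two things it may legally be;
    # anything else is rejected before a query is even built.
    lowered = value.strip().lower()
    if lowered not in ("true", "false"):
        raise ValueError(f"isLogin must be true or false, got {value!r}")
    return 1 if lowered == "true" else 0


def count_safe(conn, is_login):
    # Placeholder binding: the driver sends the value separately from the
    # statement, so it can only ever be compared, never executed.
    row = conn.execute("SELECT COUNT(*) FROM users WHERE is_login = ?",
                       (is_login,)).fetchone()
    return row[0]


def responds_differently(conn, query_fn):
    """The scanner's reasoning: if an always-true and an always-false condition
    appended to the parameter give different results, the parameter is SQL."""
    return query_fn(conn, "1 AND 1=1 --") != query_fn(conn, "1 AND 1=2 --")


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable query injectable:", responds_differently(conn, count_vulnerable))
    print("parameterised query injectable:", responds_differently(conn, count_safe))
    print("logged-in users:", count_safe(conn, parse_flag("true")))
```

Fixing the finding means doing both things the safe path does: bind every request value with a placeholder, and validate it into the expected type first so an unexpected value is an error rather than data the database has to interpret.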

tls – Is there a security vulnerability in setting a public DNS entry to a private IP Address?

I recently set up a wireguard server-network configuration with a home server and client devices. I have one main domain that I hope to route everything through via subdomains (in this example, abc.domain.com, def.domain.com, etc.). I hope to use nginx to do this routing.

Is it possible/secure/recommended to register a private IP address (specifically of my home server within the wireguard network, i.e. 10.27.0.1/24) in a public DNS (e.g. Google DNS), so that if you run ping abc.domain.com you would get back 10.27.0.1? I found a few questions that are close to this one (this one covers private IP for public DNS for MX records, this one talks about having A records without much mention of VPN), and the overall picture I get from these links is that it is possible, but not technically perfect since a hacker gets a small piece of info about your local network (the wireguard network is 10.27.0.1/24). Isn’t this a relatively moot point given it’s behind wireguard, assuming I have all of the usual safety checks in place (no remote ssh (root or otherwise) unless on the wireguard network, fail2ban, no password authentication for ssh, etc.)?

This IP (10.27.0.1) would be only accessible through the wireguard network, so I don’t think it would expose the services to the internet. I want to do this so that I don’t have to set up local DNS entries on each device, as I don’t believe this is possible on a phone, and it would be ideal to make one change (i.e. set the DNS entry to 10.27.0.1) and then have each device just run a simple DNS query for abc.domain.com. This would also have the added benefit of only opening the wireguard port, and keeping the firewall closed for 80 + 443.

A corollary of this question is how best do you manage certs/ssl if this is possible? I managed to get certbot working by temporarily exposing port 80 on my server to acquire the certs for abc.domain.com, and then closing 80 to only access the webserver via wireguard through the wireguard port + nginx. I can already see one downside to this method – having to manually open port 80 every time certbot wants to get new certificates (I believe by default this is every 60 days). I understand that wireguard is approximately as secure as SSL/HTTPS, but for my personal OCD I would prefer to have the connection secured through https on top of wireguard. I’m somewhat iffy on the details of managing certs for wildcards, but could I do it with my main domain.com (that is pointing to an internet-facing site) and have it propagate to the subdomains, allowing it to be renewed through that? (this question seems to indicate so)

My goal long term is to expand this into a network that includes family/close friends as a type of ‘intranet’ for sharing photos and using other self-hosted services.

My nginx config file (abc.conf) looks something like this:

server {
    server_name abc.domain.com;
    # DNS entry of abc.domain.com is 10.27.0.1, which is the local IP for the wireguard network
    # SHOULD NOT be accessible outside of wireguard network

    location / {
        proxy_pass http://127.0.0.1:8000; # Proxies to the local service on port 8000
    }

    # nginx IPv6 listen syntax is [::]:443, not (::):443
    listen [::]:443 ssl; # managed by Certbot
    listen 443 ssl; # managed by Certbot

    # nginx only understands '#' comments; '//' is a syntax error
    # SSL certs provided by certbot (removed manually)
    # .
    # .
    # .
}
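The only information a public A record pointing at 10.27.0.1 gives away is that such an address exists on some internal network; whether that matters depends on what else is published. As an added example (not code from the question or from any DNS provider), the script below audits a zone's records and reports which ones point into non-routable address space, so that the exposure is a deliberate, known list rather than an accident. The sample zone, the hostnames in it and the function names are assumptions constructed for the example; in practice the record list would come from a zone export.

```python
import ipaddress

# Address ranges that are never reachable from the public internet.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "::1/128",                          # loopback
    "169.254.0.0/16", "fe80::/10",                     # link-local
    "fc00::/7",                                        # IPv6 unique local
)]


def internal_range(value):
    """Return the internal range an address falls in, or None if it is public
    (or not an IP address at all)."""
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return None
    for net in INTERNAL_RANGES:
        if ip.version == net.version and ip in net:
            return str(net)
    return None


def audit_zone(records):
    """records: iterable of (name, type, value) tuples as exported from the zone.
    Returns the A/AAAA records whose target is in internal address space."""
    findings = []
    for name, rtype, value in records:
        if rtype.upper() not in ("A", "AAAA"):
            continue            # CNAME/MX/TXT carry names, not addresses
        net = internal_range(value)
        if net is not None:
            findings.append((name, value, net))
    return findings


# Constructed sample zone: a public site plus two subdomains that resolve to
# the WireGuard address from the question and one IPv6 unique-local address.
SAMPLE_ZONE = [
    ("domain.com", "A", "203.0.113.10"),
    ("abc.domain.com", "A", "10.27.0.1"),
    ("def.domain.com", "A", "10.27.0.1"),
    ("www.domain.com", "CNAME", "domain.com"),
    ("ipv6.domain.com", "AAAA", "fd00:27::1"),
]


if __name__ == "__main__":
    for name, value, net in audit_zone(SAMPLE_ZONE):
        print(f"{name} -> {value} (internal range {net})")
```

Records in the report are not a vulnerability by themselves; they are the addresses whose services must be bound to the WireGuard interface only, which is the check worth repeating whenever one of them is added.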

dnd 5e – Is a vampire’s specific vulnerability to holy water redundant?

Seems to be.

So, the first thing that came to mind was: maybe the vampire stops being an Undead when it is in Bat form? But no, it doesn’t.

Its statistics, other than its size and speed, are unchanged.

Notably, “Type” is one of the monster statistics, so even in Bat form it remains an Undead.

Are there vampires that are not undead?

Again: not as far as I am aware. All vampires in Curse of Strahd are undead as far as I remember and I don’t know of any Vampire that is not undead in published adventures.

I also don’t know of any RAW way to change the damage type of Holy Water, unless by some DM fiat on the rules about Damage Improvisation.

I also don’t know of any way a Vampire could change its type while remaining a Vampire.

So, yes, within published material, it seems to be a redundant text. However, it may be applicable under some house-rules or under content published in the future.

It may be intentional – to make clear that Holy Water is really, really effective against Vampires – or it may be an oversight from the writers and editors. Either way, no harm done, I believe.


Super edge-case

As discussed in the comments, there is an edge case where this might (very weak might – it still is up to DM interpretation) show up. A Druid player character turned into a Vampire. From the Monster Manual:

The game statistics of a player character transformed into a vampire spawn and then a vampire don’t change, except that the character’s Strength, Dexterity, and Constitution scores become 18 if they aren’t higher. In addition, the character gains the vampire’s damage resistances, darkvision, traits, and actions.

So, a Druid turned into Vampire would still have Wild Shape, from my reading, and would have the Regeneration feature from the vampires.

Then, it could use Wild Shape, which changes the creature type, becoming a Beast (or something else like Elementals for Moon Circle). Wild Shape then states

You retain the benefit of any features from your class, race, or other source and can use them if the new form is physically capable of doing so.

So, now it is up to the DM: is the new form physically capable of the improved regeneration provided by the vampirism? If (big if) the DM accepts that it does, then you now have a Beast with the Vampire’s Regeneration. Holy Water would not deal radiant damage, but would deal some damage (improvised damage), and would still stop the regeneration. Is this intended? I highly doubt it.

Microsoft Issues Patch in Critical RCE Vulnerability in Windows DNS Server

Microsoft has issued a patch for a critical remote code execution vulnerability in Windows DNS Server.

authentication – Is revealing phone number during OTP verification process considered vulnerability?

One of the common ways of implementing 2FA is using a phone number, text message or call with an OTP. As I can see, usually web services show something like “OTP was sent to the number +*********34”. Is it done because revealing the number is considered a vulnerability?
If yes, then which one, and is it described anywhere?
I guess it has something to do with not wanting to show too much info about the user. This info might be used for social engineering, but maybe there is something else?

Having a link to a trusted location with the description would be great as well.