Socks 5 client support for twisted

Posted on in Programming • Tagged with Python, Twisted, Socks5, Programming, Security • 5 min read

I recently forked twisted-socks to add SOCKS 5 support for my GoogleScraper in order to scrape Google pages asynchronously. Obviously I needed SOCKS5 support to anonymize the parallel requests such that I can scrape more pages simultaneously.

I tested the code for SOCKS4 and SOCKS4a with a local TOR proxy and twistd -n socks and the SOCKS5 protocol with the dante socks proxy server on my VPS. So I guess the basic functionality should be working by now. GSSAPI (Kerberos) support is planned.

Here is the socksclient code, which is also available on my github repository:

# Copyright (c) 2011-2013, The Tor Project
# See LICENSE for the license.

# Updated on 25.01.14-28.01.14 to add SOCKS 5 support.
# Cleaned some parts of the code and abstracted quite a bit to handle the most important SOCKS5
# functionality like
# - username/password authentication
# - gssapi authentication (planned)
# - CONNECT command (the normal case, there are others: UDP ASSOCIATE and BIND, but they aren't as important. Maybe I will add them
#   in the future. If anyone wants to implement them, the basic structure is already here and the SOCKSv5ClientProtocol should be
#   rather easily extensible (how the actual connection, listening for incoming connections (BIND) and …


Wordpress comment form with bootstrap v3.0.2

Posted on in Programming • Tagged with Bootstrap, Comment, Programming, Form, Wordpress • 2 min read

Hey everybody!

In this short article I will explain how I designed my WordPress theme's comment section with Bootstrap 3.0.2. For the most recent changes, you can find my theme on GitHub. If you want to see a live demo, just inspect the comment form on this site. It uses exactly the Bootstrap-styled form I am discussing here.

In order to follow the contents of this blog post, you should have basic experience with PHP and HTML/CSS.

The Problem

The tricky question here is whether we can use an action or filter hook to manipulate the comment form to our liking, or if we have to use and modify the original comment_form() function directly. Our goal is to decorate the form with some Bootstrap widget classes and use the Bootstrap grid layout. We want to obtain a horizontal form, such as demonstrated here. After a quick search, I found the function comment_form( $args, $post_id); in the WordPress Codex. While it looks promising at first glance, some hindrances become clear on further thought. The function's description says:

Most strings and form fields may be controlled through the $args array passed into the function, while you may …


A tale of a twofold broken WordPress captcha plugin

Posted on in Programming • Tagged with Captcha, Security, Programming, Exploit • 17 min read

Last Edit (Effective: 7th November 2013)

It seems like the plugin authors updated the security of the plugin. The whole blog entry below deals with version 3.8.7. In this new paragraph, I will look at whether these recent updates to version 3.8.8 added the necessary security to prevent an...

  • Attack vector one: Parsing the captcha logic.
  • Attack vector two: Reversing the decode() function and just reading the solution from the hidden fields.

Let's get started:

At line 942 of the plugin code (the start of the function that generates the captcha) we see that the password is no longer a static clear-text password; it is built dynamically every 24 hours by the function cptch_generate_key(), which I will show here for your convenience:

// Functionality of the captcha logic work for custom form
if ( ! function_exists( 'cptch_display_captcha_custom' ) ) {
    function cptch_display_captcha_custom() {
        global $cptch_options, $cptch_time;

        if ( ! isset( $cptch_options['cptch_str_key'] ) )
            $cptch_options = get_option( 'cptch_options' );
        if ( $cptch_options['cptch_str_key']['key'] == '' || $cptch_options['cptch_str_key']['time'] < time() - ( 24 * 60 * 60 ) )
            cptch_generate_key();
        $str_key = $cptch_options['cptch_str_key']['key'];

Let's see if the new function cptch_generate_key() is sufficiently random. Here is the function code:

/* generate key */
if ( ! function_exists( 'cptch_generate_key' ) ) {
    function cptch_generate_key( $lenght = 15 ) {
        global $cptch_options;
        /* Under the string $simbols you write all …


No 2. - flash-album-gallery: persistent XSS exploited with help of XSRF leading to remote code execution.

Posted on in Programming • Tagged with Exploit, Programming, Bug, Security, Xss, Rce • 12 min read

PLUGIN: http://wordpress.org/plugins/flash-album-gallery/
AFFECTED VERSION: 3.01
DOWNLOADS: 840,714
RISK: MEDIUM/HIGH

The following blog post addresses a critical chain of security issues in version 3.01 of flash-album-gallery
which eventually leads to remote code execution. The exploit is not completely automatic and needs a minimal amount
of social engineering. Nevertheless I rate the danger at a medium/high level (probably even worse than a fully automatable SQL injection).

First of all, I need to say that the plugin code lacks a fair amount of secure programming techniques and has inherent design flaws, as far
as I can say this [I am not a software engineer, I do security as a hobby]. Presumably, this is a direct result of the heterogeneous and
evolutionary growth of the software.
I researched flash-album-gallery mainly in June 2013 and after some weeks I found a CSRF vulnerability in combination with
a stored XSS. But at the same time as I was preparing to contact the author and reveal my findings, I noticed a new version and
the bug seemed to have been found by an independent researcher. See below the lines Fix: vulnerability with albums and Fix: XSS bugs reported by Ken …


Create anonymous identities with fakenamegenerator.com and Python

Posted on in Programming • Tagged with Programming • 3 min read

Introduction

Woah, it has been a hell of a long time since I posted my last contribution (I feel like I always begin my blog posts with these introductory words). However, today I want to show you how to forge random identities with a site called fakenamegenerator.com. I use Python 3 and an unofficial branch of socksipy, a nice module which enables you to tunnel TCP/IP streams through a remote server, commonly used to disguise your real IP address. There are three available modes, SOCKS4, SOCKS5 and HTTP. In this blog post, I use SOCKS5, since I install TOR and route my requests through a local proxy sitting on 127.0.0.1:9050.

Why and what

The team behind fakenamegenerator.com writes on their site:

Name: Names are generated by randomly pulling a first and a last name out of a database. The database was compiled from public domain sources. [...]

Street address: The house number is a randomly generated number. The street name is pulled from a database of plausible street names for the state/country being generated. Odds are that the generated street address is not valid.

City, state, and postal code: We have compiled a …


GoogleScraper.py - A simple python module to parse google search results.

Posted on in Programming • Tagged with Google, Scraping, Programming, Security • 14 min read

UPDATE on 18th February 2014:

This Python module now has its own GitHub repository!

The plugin can extract

  • All links
  • Link titles
  • The description/caption below the links

and has the following features:

  • Advanced proxy support for SOCKS4/4a/5 and HTTP PROXY
  • Multithreading
  • XPATH parsing
  • Supports almost all search parameters

Please note that this is by no means a permanent version! Heavy structural changes will be implemented in the near future (I'll experiment with asynchronous networking, for instance). But on this site, I will always host a working version with instructions on how to use it, such that visitors can always use the script!

1. Edit (07.01.2013):

  • Using requests instead of urllib
  • Added random User Agents for every new search.
  • Cleaned the code
  • Implemented foundation to combine with proxychains

Original Blog Post

Sample output after searching for 'cats are not cute' (sorry) with 100 results per page on 3 ascending pages: results.txt

I was always in need of a fast and reliably working Python module to query the Google search engine. The Google API is rubbish, because they give you at most 36 results. This is completely unacceptable!

So, I looked further and found http://code.google …
