Posts by: zigoo

Yahoo! RCE Detector WebPwn3r Released.

Hello Everyone,

Today's blog post is about WebPwn3r 🙂

For those who have never heard about WebPwn3r, let me introduce it to you.

WebPwn3r is a web application security scanner coded in Python to help security researchers scan multiple links at the same time for Remote Code/Command Execution and XSS vulnerabilities.

You can extract the URLs from Burp Suite, save them in list.txt and then pass that file to WebPwn3r.

You can also use your own crawler to gather URLs for a certain domain or for random domains, save them in list.txt and then pass that file to WebPwn3r.

In its public demo version, WebPwn3r has the following features:

1- Scan a URL or a list of URLs.
2- Detect and exploit Remote Code Injection vulnerabilities.
3- Detect and exploit Remote Command Execution vulnerabilities.
4- Detect and exploit typical XSS vulnerabilities.
5- Detect the WebKnight WAF.
6- Improved payloads to bypass security filters/WAFs.
7- Fingerprint the backend technologies.

The tool is under heavy development 🙂

Demo Video for the tool:

Success Stories:


To download the Tool:

Unvalidated Redirection Vulnerability.


Would you trust a link from your security vendor? Absolutely yes! But imagine your security vendor asking you to download malware!

During my research on I found an “Unvalidated Redirection Vulnerability” that could be used by attackers to trick users into visiting malicious web-sites!

To demonstrate the impact of such vulnerabilities I made a video simulating a black-hat method of using this vulnerability to spread malware.

Video POC:

The consequences of leaving such a vulnerability unfixed are critical:
  • Wide infection – since the redirection comes from a trusted source, especially if the attacker registered a domain name similar to
  • Very bad reputation for Kaspersky.
  • Your most trusted resource, “your antivirus”, will be your worst enemy! Would you trust anything else?
And many other consequences. The vulnerability was reported to Kaspersky's web team and is now fixed.

Unrestricted File Upload Vulnerability.

Critical vulnerability in Twitter allows an attacker to upload unrestricted files

Twitter acknowledged me on their Hall of Fame for finding and reporting two vulnerabilities in their web site.

Those two vulnerabilities are:

1- Unrestricted File Upload Vulnerability.


The POC:

When an application does not validate, or improperly validates, file types before uploading files to the system, this is called an Unrestricted File Upload vulnerability.
Such flaws allow an attacker to upload and execute arbitrary code on the target system, which could result in execution of arbitrary HTML and script code or in system compromise.
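The fix for the flaw described above is to validate the upload on the server side, and to validate it by content rather than by the name or Content-Type the client sends. The Python function below is an added example written for this page; it is not Twitter's code and assumes nothing about their upload handler. The allowed types, size limit and magic bytes are assumptions chosen for the example; the check also handles names that carry a second, executable extension and names with control characters, which naive extension checks miss.

```python
"""Added example: server-side upload validation (not Twitter's code).

Decision order: sanitise the name, cap the size, reject any executable
extension anywhere in the name, require the final extension to be on an
allow-list, require the bytes to match that type, then store the file
under a server-generated name so the client never controls the path.
"""
import hashlib
import os
from dataclasses import dataclass

# Assumed policy values for the example.
MAX_UPLOAD_BYTES = 2 * 1024 * 1024

# Allowed final extensions and the magic bytes their content must begin with.
ALLOWED_SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Extensions that must not appear in ANY position of the name
# (so "avatar.php.png" is rejected, not just "avatar.php").
EXECUTABLE_EXTENSIONS = {
    "php", "php3", "php4", "php5", "php7", "phtml", "phar",
    "jsp", "asp", "aspx", "cgi", "pl", "py", "sh", "htaccess",
}


@dataclass
class UploadDecision:
    accepted: bool
    reason: str
    stored_name: str = ""


def validate_upload(filename: str, content: bytes) -> UploadDecision:
    # Drop any directory component the client supplied, on either separator.
    base = os.path.basename(filename.replace("\\", "/")).strip()
    if not base or base.startswith("."):
        return UploadDecision(False, "empty or dot-file name")
    # NUL and other control characters are truncated or mishandled by some
    # filesystems and libraries; refuse them outright.
    if not base.isprintable():
        return UploadDecision(False, "control character in file name")
    if len(content) > MAX_UPLOAD_BYTES:
        return UploadDecision(False, "file too large")

    parts = base.lower().split(".")
    if len(parts) < 2:
        return UploadDecision(False, "no extension")
    extensions = parts[1:]
    if any(ext in EXECUTABLE_EXTENSIONS for ext in extensions):
        return UploadDecision(False, "server-side executable extension in name")

    ext = extensions[-1]
    signatures = ALLOWED_SIGNATURES.get(ext)
    if signatures is None:
        return UploadDecision(False, f"extension .{ext} not in allow-list")
    # Trusting the extension (or the client's Content-Type) is the "improper
    # validation" the post describes; the bytes must match the declared type.
    if not content.startswith(signatures):
        return UploadDecision(False, "content does not match declared type")

    # Server-generated name: derived from the content, never from the client.
    stored = hashlib.sha256(content).hexdigest()[:32] + "." + ext
    return UploadDecision(True, "ok", stored)


if __name__ == "__main__":
    # Constructed sample inputs.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
    for name, data in [("avatar.png", png), ("shell.php", b"<?php echo 1;"),
                       ("shell.php.png", png), ("avatar.png", b"<?php echo 1;")]:
        print(name, validate_upload(name, data))
```

The magic-byte check is deliberately minimal (a prefix match); a production handler would additionally re-encode images with an image library and serve uploads from a host or path where nothing is executed.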

2- Unvalidated Redirection Vulnerability

This vulnerability could be used by attackers to conduct phishing and malware-spreading attacks against Twitter users.
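Both the Kaspersky post above and this Twitter item describe the same class of flaw: a redirect parameter that is passed to the browser without checking where it points. The Python function below is an added example of the server-side check that closes it; it is my illustration, not code from either vendor. The allow-list host `www.vendor.example` and the fallback path are assumptions. It goes beyond the two specific cases by also rejecting the forms browsers accept but naive string checks miss: scheme-relative `//host`, triple-slash `///host`, backslashes (which browsers treat as slashes), embedded tabs/newlines (which browsers strip), `javascript:` targets and `allowed-host@evil-host` user-info tricks.

```python
"""Added example: validating a redirect target (not Kaspersky's or Twitter's code)."""
from urllib.parse import urlsplit


def safe_redirect_target(raw, allowed_hosts, default="/"):
    """Return `raw` if it is a local path or an HTTPS URL on an allowed host,
    otherwise return `default`. Never returns a target on an unlisted host."""
    if not raw:
        return default
    target = raw.strip()

    # Browsers strip tabs/newlines inside URLs and treat '\' like '/', so a
    # target such as "/\evil.example" or "/\t/evil.example" reaches a foreign
    # host; refuse control characters and backslashes before parsing.
    if "\\" in target or any(ord(ch) < 0x20 or ch == "\x7f" for ch in target):
        return default

    # A local path starts with exactly one slash. "//host" is scheme-relative
    # and "///host" is treated the same way by browsers, so both are rejected
    # here rather than trusted as paths.
    if target.startswith("/") and not target.startswith("//"):
        return target

    parts = urlsplit(target)
    if parts.scheme.lower() != "https":
        return default  # http://, javascript:, data:, and relative junk all fail
    # .hostname drops user-info, so "https://www.vendor.example@evil.example"
    # resolves to evil.example and is compared against the allow-list as such.
    host = (parts.hostname or "").lower()
    if host not in allowed_hosts:
        return default  # exact match: a look-alike subdomain is not allowed
    return target


if __name__ == "__main__":
    # Constructed allow-list and sample targets.
    allowed = {"www.vendor.example"}
    for candidate in ["/account/settings",
                      "//evil.example/",
                      "https://www.vendor.example/download",
                      "https://www.vendor.example@evil.example/",
                      "javascript:alert(1)"]:
        print(repr(candidate), "->", safe_redirect_target(candidate, allowed))
```

The allow-list is compared with an exact, lower-cased match; suffix matching (`endswith("vendor.example")`) would accept `vendor.example.evil.example` and is the usual way such a check gets bypassed again.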

Link to Twitter Hall Of Fame:

Yahoo! Remote Command Execution Vulnerability.

Hello Everyone,

This is my first writeup for the blog, which I chose to be about the “Yahoo Remote Code Execution” vulnerability.

The case started with a “Remote PHP Code Injection” vulnerability that later escalated to “Remote Command Execution”.

Vulnerability Link:$Vulnerability




The server hosted many other Yahoo! sub-domains!

What is “Remote PHP Code Injection” ?

Simply put, PHPCI occurs when user-supplied (GET/POST) parameter values are reflected inside the eval() function. That vulnerability allows attackers to execute PHP code such as system("id") or any other PHP function/code.


That said, I was able to inject PHP code by manipulating the value of the parameter “sid”.

In the beginning I tried to list the directories and files with “dir” using the system() function: ${@print(system("dir"))}


Indeed I needed a better view, so I tried system("ls -la"). But it didn't work!
It does not accept any spaces in the URL!!

What I actually needed was a good proof of concept to explain to the Yahoo! Security Team how dangerous this vulnerability is, especially given the number of Yahoo! sub-domains hosted on the same server.
So I tried to bypass that issue with some tricks, including URL-encoding the space as %20, but it didn't work. Same result with double URL encoding!


I also tried to get around it by using the function file_get_contents(“”), but this one doesn't work because of the folder permissions. Did you say do it in /tmp?!

I thought of:

1- Uploading “”, which is a bind connection script, into the /tmp directory

2- Executing it to make a bind connection with the server

3- Receiving the connection from the server on Netcat, and then I would be free to run whatever commands 😀

But actually Netcat is a hacking tool! It could also be detected by any simple AV/IDS on the system, and that could corrupt the whole thing!
I had to go for another solution.

Thanks to Ahmed Abul-Ela and Ibrahim Mosaad, I was able to execute commands using system($_POST['x2'])


<form method="POST" action="${@print(system($_POST['x2']))}">
<input type="text" name="x2">
<input type="submit"></form>

Also by using system($_SERVER['HTTP_USER_AGENT']) and then injecting my commands inside the User-Agent header.

Yeah, I know there have been other good tricks such as using readfile("/etc/passwd") and many more, but despite the adrenaline I had, as you know, those ideas never come to mind when you need them 😀

Sample POC for the vulnerability [allowed by Yahoo! to be made public]:


Jan 20, 2014 at 6:39 PM – Initial report to Yahoo! Security Team.

Jan 20, 2014 at 6:56 PM – Update 1 sent to Yahoo!: the server kernel was an old one with a well-known “Local Privilege Escalation” vulnerability, which means an attacker with such a vulnerability can gain ROOT ACCESS to the server!!!!

Jan 21, 2014 at 6:44 PM – Yahoo! Acknowledged the vulnerability and pushed a Fix for it.


Thanks to Yahoo! Security team for the fast fix release.

BTW No news about the bounty yet!
