XSS and bypassing an Imperva WAF with JSFuck
Grumpy Admin is Grumpy! We have a very tight IT ship internally, no thanks to me – I recently did a Win10 client deployment and locked my users down, so they can’t just install any old stuff they want on the laptops. Limited to an approved list of software. Software that wasn’t on the base image is pushed out via SCCM, with some elements being available via the Software Center for people to install as required. For example, Firefox and Chrome are optional installs via the SCCM Software Center. No admin rights needed, they click install, Chrome gets installed! Nice
My biggest mistake was giving users a means to request new software titles to be added to the Software Center in SCCM via the Service Desk as long as there is business justification or requirements of course!
As you know, a lot of programs these days don’t provide MSI installation files. They are setup.exe. This is OK; if you want silent installs via SCCM you have to create a script install. So I always try to find MSIs, as they are easier and faster to install via SCCM.
It’s early on a Tuesday afternoon, and that horrible Outlook program dings in my ear! Someone raised a service ticket to install WinSCP portable, to copy files to a Linux box – I’m like really, the request was PORTABLE, they can just download the zip file, extract and run, no permissions required, why the hell request it be added to the store! Cheers! I want to drink my coffee in peace. Doing work makes Grumpy Admin grumpy!
As such a professional, I like to deliver just what they asked for, as redundant and stupid as it might be to people who are in the know!
So I had a quick hunt around to see if I could find an MSI to install this WinSCP portable application? Nope, didn’t expect there to be, there is an exe installer but the portable is just a zip file as any IT guy would expect! A few individual install .bat files etc for SCCM, but no MSI.
Right…. fine…. let’s just create my own MSI installer ’cause as you know Grumpy Admin likes doing shit!
There’s probably a better way of doing it but meh! I want to make an MSI that installs the portable WinSCP program so I can easily deploy it in the Software Centre on SCCM!
The first hit on Google for creating an MSI for SCCM deployment gave me this product:
Advanced Installer 13.1 from an outfit called Caphyon.
Now they only have a 30-day trial or freeware, I think it’s freeware but if you want the professional features it activates a trial… meh! Quick and simple is what Grumpy Admin needs, let’s do it!
The first thing I see on their home page is an endorsement from Atlassian, so I know this is actually going to be good right off the bat!
Now I download the product and install. Some pretty pictures to show you!
Yep, we’ve all seen a Next, Next, Next install… so moving on… I’m sure you guys know how to do that!
My impressions seem good, as we know we like Grumpy Admin to be happy! Speed is the thing here; I want to close this ticket down ASAP to get back to reading other stuff or studying for my Exam!
The install is simple, and painless, I wouldn’t expect anything else from the installer of an installer maker to be honest!
The whole application looks great, and feels really polished and looks very simple to use. There are hover tips which tell you exactly what to do and use!
I create a new project with the wizard, I figured this was best – with clear concise instructions, I quickly make my way to the detailed project screen.
I change the wording here – very simple, it basically tells you what to write!
I locate the folder where the WinSCP Portable is stored, currently in my download folder.
Here I have the option to create a silent install! I choose this, as this is basically what I want when deploying stuff from SCCM!
EULAs just make me grumpy, we all understand why they are there! But meh!
This creates my project and then drops into a brilliant editor so that I can modify the required bits and bobs, for this quick and simple installer. Things like changing the installed path where WinSCP will be installed.
At this point I need to modify the location of the portable file, this is easy with the program! A new folder and some drag and drop! All done, nothing else funky needs to be done. I ensure the version number is included. This is in case there’s an upgrade in the future! I also change the icon and other simple stuff, the features here are very rich for a freeware product! I am impressed so far!
I click build and it’s done! Wow, no problems, instant build first time…. I am speeding through this ticket! I open the output folder!
Simple and copy to my SCCM server!
As you can see from the screenshots it’s easy to create the SCCM application!
I publish in my store, and bang! It works after testing it etc. No issues, quick and simple! Thank you so much Advanced Installer!
My Service Desk Ticket is Closed, and I can do more interesting stuff! Naturally
Ticket closed down in less than 10 mins. That is good turnaround time, I hope this isn’t a trend, actually doing work instead of adding it to my list. I needed the distraction tbh! Studying for CISSP is draining!
I will 100% be keeping this little tool on my machine for future usage! I would go so far as to recommend it as something to keep in the tool box! If you look at the features of this program
It is feature complete and as you progress in the levels of the product! They do everything! I am actually very impressed, with the most expensive flavour version supporting SCCM 2016 deployment out of the box! This is so much easier than using InstallShield and Visual Studio or App Deploy.