Sunday 29 November 2009

NewsOfNepal.com SQLi Vulnerability

www.newsofnepal.com is just pretty insecure and more pwnage could have been carried out. Thanks to Cyb3r Lord for allowing me to post the thing he found... F1 Soft is one of the top IT company in Nepal but when it comes to coding, they suck...
This one is another disclosure of one of the big sites from Nepal. So lets go on...
There are few scripts that forget to validate the inputs and we are not disclosing how the things are vulnerable because we are not for script kiddies. Using MySQL > 5 means we can extract tables and columns easily.
Some tables are:
admin
advertisement
polling_user
etc.
And some tables are:
admin_pass
admin_user
admin_email
under admin table.
Now on extracting pass, I saw it was base64 encoded(FUCK). Use other hashing like md5() to encrypt. You are PHP guys and you should have known base64_decode($hash) is gonna give us the pass...
Anyway below is the screenshot of the pwnage:



Thanks...

Saturday 28 November 2009

MOE.GOV.NP Multiple Vulnerability

Nothing much to say, www.moe.gov.np is the site of ministry of education which was rebuilt few months ago. But the site consists of multiple security breaches that can be used to own it.
So what are the vulnerabilities:
First, SQLi, second Insecure admin panel and third insecure session handling.
FuCK YoU to the developer for fucking insecure programming.
Now let me do some dumps:

File: clientConfigure.php
............
define("HOST","localhost");
define("USERNAME","moegov_moe");
define("PASSWORD","moepwd");
define("DBASE","moegov_moe");
............
............

File: cms.php
.........
switch($_GET["task"])
{
case "":
$query = "SELECT * FROM cms where publish='Y' and menuId=".$_GET["id"]; // sql
$sql = mysql_query($query);
//wtf? query without sanitizing GET variable, fuck...
..............
............
$query = "SELECT * FROM cms where publish='Y' and cmsId=".$_GET["contId"]; // sql
$rs=mysql_query($query) or die(mysql_error());
//again same fuck

File: index.php
Vuln to SQLi but good practice for file inclusions.

..........
......
switch($_GET["option"])
{
case "":
require_once("./clientIncludes/tabContent.php");
break;
case "download":
require_once("./option/download/download.php");
break;
...........
.....

File: admin/centreContent.php
// where is login session...
<?php
switch($_GET["option"]){
case "menu":
require_once("./option/menu/menu.php");
break;
case "user":
require_once("./option/user/user.php");
break;
......
...
?>

File: cpanel.config

#### NOTICE ####
# After manually editing any configuration settings in this file,
# please run '/usr/local/cpanel/whostmgr/bin/whostmgr2 --updatetweaksettings'
# to fully update your server's configuration.

RS=x3
VALIASDIR=/etc/valiases
VFILTERDIR=/etc/vfilters
access_log=/usr/local/cpanel/logs/access_log
adminuser=cpanel
allow_server_info_status_from=
allowcpsslinstall=1
allowparkhostnamedomainsubdomains=0
allowparkonothers=0
allowperlupdates=0
allowremotedomains=0
allowresellershostnamedomainsubdomains=0
allowunregistereddomains=0
alwaysredirecttossl=0
apache_port=0.0.0.0:80
apache_ssl_port=0.0.0.0:443
autocreateaentries=1
awstatsbrowserupdate=0
awstatsreversedns=0
basename=cpanel
blockcommondomains=1
check_zone_syntax=1
conserve_memory=0
coredump=0
cpaddons_adminemail=
cpaddons_autoupdate=1
cpaddons_max_moderation_req_all_mod=99
cpaddons_max_moderation_req_per_mod=99
cpaddons_moderation_request=0
cpaddons_no_3rd_party=0
cpaddons_no_modified_cpanel=1
cpaddons_notify_owner=1
cpaddons_notify_root=1
cpredirect=Origin Domain Name
cpredirectssl=SSL Certificate Name
cpsrvd-domainlookup=0
cpsrvd-gzip=1
cycle=1
default_login_theme=cpanel
defaultmailaction=localuser
deny_quicksupport_password=0
disable_compiled_dnsadmin=0
disableipnscheck=0
disablequotacache=0
disablexfercpanel=0
discardformmailbccsubject=1
dnsadminapp=
dnslookuponconnect=0
docroot=/usr/local/cpanel/base
domainowner_mail_pass=0
dumplogs=1
emailpasswords=1
emailusers_diskusage_critical_contact_admin=1
emailusers_diskusage_critical_percent=90
emailusers_diskusage_full_contact_admin=1
emailusers_diskusage_full_percent=98
emailusers_diskusage_warn_contact_admin=1
emailusers_diskusage_warn_percent=80
emailusers_mailbox_critical_percent=90
emailusers_mailbox_full_percent=98
emailusers_mailbox_warn_percent=80
emailusersbandwidthexceed=1
emailusersbandwidthexceed70=0
emailusersbandwidthexceed75=0
emailusersbandwidthexceed80=1
emailusersbandwidthexceed85=0
emailusersbandwidthexceed90=0
emailusersbandwidthexceed95=1
emailusersbandwidthexceed97=0
emailusersbandwidthexceed98=0
emailusersbandwidthexceed99=0
engine=cpanel
enginepl=cpanel.pl
engineroot=/usr/local/cpanel
errorstostdout=1
exim-retrytime=60
eximmailtrap=1
extracpus=0
file_upload_max_bytes=unlimited
file_upload_must_leave_bytes=5
ftppasslogs=1
ftpserver=pure-ftpd
htaccess_check_recurse=2
ignoredepreciated=0
interchangever=disable
jaildefaultshell=0
keepftplogs=0
keeplogs=0
keepstatslog=0
loadthreshold=2
local_nameserver_type=bind
logchmod=0640
logout_redirect_url=
maildir=1
mailserver=courier
maxemailsperhour=0
maxmem=256
myname=cpaneld
mysql-version=5.0
mysqldebug=0
nativessl=1
nobodyspam=0
nosendlangupdates=0
nouserbackupwarn=0
numacctlist=50
php_max_execution_time=90
php_post_max_size=55M
php_register_globals=0
php_upload_max_filesize=50M
phploader=none
popbeforesmtpsenders=0
port=2082
product=cPanel
proxysubdomains=1
proxysubdomainsfornewaccounts=1
proxysubdomainsoverride=1
publichtmlsubsonly=0
python=/usr/bin/python2.4
referrerblanksafety=0
referrersafety=0
remotedomainscheck=1
remotewhmtimeout=35
resetpass=1
rollback=0
root=/usr/local/cpanel
showwhmbwusageinmegs=0
skipanalog=1
skipawstats=0
skipboxcheck=0
skipboxtrapper=0
skipbwlimitcheck=0
skipdiskcheck=0
skipformmail=1
skiphorde=0
skiphttpauth=0
skipmailman=0
skipmelange=1
skipnotifyacctbackupfailure=0
skipparentcheck=0
skiproundcube=0
skipspamassassin=0
skipspambox=0
skipsqmail=0
skipwebalizer=1
skipwhoisns=0
stats_log=/usr/local/cpanel/logs/stats_log
statsloglevel=1
statthreshhold=256
stunnel=/usr/sbin/stunnel
tcp_check_failure_threshold=3
urchinsetpath=
use_safe_quotas=1
useauthnameservers=0
usemailformailmanurl=1
usemysqloldpass=0
version=8.0


Feeling boring after the pwnage. Need to do mathematics assignment. That was the pwnage of moe.gov.np
They are pretty insecure. The method not disclosed over here but good hackers can find it. Sorry, script kiddies...
Thanks...

Saturday 14 November 2009

KhullaBazaar.com Shopping Site SQL Vulnerability

Site: www.khullabazaar.com
Risk: High [Critical informations can be stolen]
Notified: YES [in a way]
/*Action from Admin: N/A*/
Vulnerable file: You should figure it out easily
Exploit: The php script do not validate the inputs from user which can be used to compromise the database.
Solution: sam207 has written an article on it.

If any of the site admin is viewing this page, you can contact me or sam to know what's vulnerable and how to fix it. Don't take the pwnage negatively...
Thanks.

Monday 9 November 2009

DC-nepal.com Multiple Vulnerabilities

I got the link to the site from some nepali social networking site and was just testing the security issues of the site as the about us page stated that the people of DC-nepal are quite good in computer technology. I started with general web hacks and unfortunately found this site to be vulnerable to SQL injection and persistent cross site scripting. So I thought to share this with you guys.
SQLi:
http://www.dc-nepal.com/nepali_model.php?id=437
The id variable is not well sanitized so valid queries can be injected to the site. Since the MySQL version>5, its even more easier for hackers to get different credentials from the site.
Some tables:
admin
dc_classicfied

Login user/hash: laxman: hnz/uP1502jYsjqs//hCfg==
You need to decrypt the password and you can login from /admin.


Persistent XSS:
http://www.dc-nepal.com/nepali_model.php?id=437
The comment form doesn't filter any malicious so this can be used to drop executables and redirects.
Hope they make a quick fix. They were notified...