Saturday, 26 December 2009

Nepal Bangladesh Bank SQLi vulnerability

The official website of Nepal Bangladesh Bank Limited www.nbbl.com.np suffers from Sql injection and hence can be compromised to get sensitive informations from it. Its 1 a.m midnight already here so I am lazy to post the dumps for now. If I happen to remember it next day, I shall post the dumps. For now, following are some information of the server:
current database: nbblcom_db 
user : nbblcom_admin@localhost
DB version: 4.1.22-standard
I am being too lazy at this time to bruteforce for the tables. Guys do yourself if you want to dig the site more.
Thanks. 

Wednesday, 23 December 2009

Neoteric Nepal SQL injection Vuln

Official website of Neoteric nepal suffers from sql injection vuln.
Some details:
ftp: ftp://ftp.neoteric.com.np/
ftp security: very secure
Vuln:SQL injection
Dump:
Table name: admin_user
id:pwd= not displayed for security
Scrnshot:


Hope they secure it soon
Regards,

National Information Technology Center site vulnerability

The official website of National Information Technology Center suffers from SQL injection and hence, the login information and other data can be taken away from the database. The worse part is that by uploading shell, one could not only deface nitc.gov.np but also other sites hosted on the server to name few: nepalgov.gov.np, hlcit.gov.np

Just amazed that the center has got so many computer engineers and they are vulnerable to such a simple hack. They need to learn the sense of security to build secure digitalized nepal. Also, what is the fucking point of putting the files in admin panel folder and letting users download from them. And guys, you need to learn to prevent index browsing (its so open) and also the usage of sessions in PHP...

Screenshot:




Thanks... and absolutely no offense to them. We just want the secure nepal.

Monday, 21 December 2009

Ketaketi.org(CLFN) SQL Injection vuln

The official website of CLFN (Ketaketi.org) suffers from sql injection attack in bsoftmore.php
A remote attacker can easily get over the site. (Not me actually, i didnt find the login page.) anyway i got the id and passes/ The id and passes are not shown for security here.
Some details:
Site:ketaketi.org
Vuln: SQL injection
Table name: user
Hope they fix it soon

Sunday, 20 December 2009

www.indianembassy.org.np SQLi vulnerability

www.indianembassy.org.np is the official website of Indian Embassy in Nepal and the site is vulnerable to common SQL injection vulnerability.
The site uses mysql version 4 so no information_schema. So I just did bruteforcing by coding small script in PHP to find the valid username/password combination but they are pretty guessable. I didn't think of defacing because it is an organization and defacing such organizations totally would be wrong thing but I posted a news in the site.
Below is the screenshot:





Absolutely no offense to indian embassy. But we hope you will be securing yourself after this pwnage.
Regards

Saturday, 19 December 2009

CCRC (ccrc.edu.np) SQLi Vulnerability

A sql injection vuln exists in ccrc college's website.
Details:
URL: http://ccrc.edu.np
FTP: ftp.ccrc.edu.np
FTP status: Very Secure (9.5/10)
SQL injection: Yes(8.5/10, since all critical datas can be extracted)

Dumps:
rajan:c647f23604314d5aa5bb53ad3def9303

Hope they fix it soon

ccma.edu.np SQLi vulnerability

Not much, but I thought to share it over here.
The official website of Chartered College of Management and Accounts, www.ccma.edu.np suffers from sql injection attack and hence can be used to extract critical data from the database. Check the site main page ccma home to see the vulnerability. I have made redirection to the nep sec blog.

Thanks

Thursday, 17 December 2009

Universal College(http://www.uc.edu.np) SQL injection Vuln

A sql Injection Vuln exists in Universal College's site. A remote attacker can easily get the pwd and login.

Some details:

Vuln Type: SQL injection

FTP: ftp://ftp.uc.edu.np/ (Proftpd 1.3.0 server//WL)

VULN RATING: 6/10 (SQL INJECTION), 8/10 (OLD FTP SERVER. MANY EXPLOITS ARE OUT THERE)

STATUS:Notified

Some proofs:

Table_names: login, user

Dumps:

Not_REVEALED for security

Screenshot of Logged in cpanel:
Hope they fix it down :D

Thursday, 10 December 2009

Internet Business Bureau Common SQL injection Vulnerability

I checked the IBB's portfolio and the sites it develops uses the same script and it is vulnerable to SQL injection. Check my previous post for more on knowing this:
http://nepsecvulns.blogspot.com/2009/12/party-popper-wwwpartypoppercomnp-sqli.html

The same mysql injection is valid but filtering takes so you need to bypass filters (not hard). I would recommend you to google for mysql injection cheatsheets and learn and practice hacking in these sites.

Nepali Hackers Are Not Dead, They Are Underground and Might Be At Your Root

Party Popper [www.partypopper.com.np] SQLi vulnerability

The site of Party Popper [www.partypopper.com.np] is vulnerable to SQL injection and various information can be stolen. The SQL filtering IDS are working to some extent but we can easily bypass such filters and I was able to do the same.
Anyway, this site has nothing much but still we think that such security flaws must be addressed so that nepali developers work on protecting from such vulnerabilities...
Some tables:
admin
content

Screenshot of logged admin panel:


Thanks. Admins can find the article by me at my site http://www.sampctricks.blogspot.com

Engineering express [www.engxpress.com.np] Multiple Vulnerabilities

The online website of The Engineering Express http://www.engxpress.com.np is pretty insecure with multiple vulnerabilities. It suffers from SQLi and insecure file upload vulnerability. Anyway below are some dumps from the website:
Few tables:
register
signin

Columns in signin table:
Username
Password


Fucking lots of SQLi...


Login process:

$stmt=sprintf("SELECT * FROM login WHERE username='%s' AND password='%s'",$usr, $pwd);
$dblink=DBset() ;//Connect to the database...
$result = DBquery($stmt, $dblink) ;//Send Query
$totresult = mysql_num_rows($result);
$row = mysql_fetch_object($result);

Page.php:
$stmt=sprintf("SELECT Content FROM page WHERE Id='%s'",$_GET['recordID']);
$dblink=DBset() ;//Connect to the database...

Other scripts are also vulnerable but I am too lazy to post them, too.

Screenshots:







Certainly no offense but you need to improve yourself...
Thanks!!!

Wednesday, 9 December 2009

Mero IT (www.meroit.com) SQL injection vulnerability

This was referred to me by my friend in the college and on viewing the site, I found it was vulnerable to common SQLi. The scripts do not validate the GET variables and hence we can inject SQL queries through URL GET parameters.

Some interesting tables:
admin
client
personal_client_details

Anyway below is the screenshot of the hacked admin panel located at /admin



So if you are the webadmin of meroit.com you can find the article at http://www.sampctricks.blogspot.com to secure your PHP scripts...
Thanks...

Monday, 7 December 2009

www.pea.edu.np simple JS hack

Ok this was given to me as a challenge by sam and he said that he was given information about this site by some friend of him. He said me about javascript hacking in admin panel and I started to dig up. And finally I found that it didn't require any login(even the login user/pass is easy one: admin/a). I then found that the upload feature was also insecure. I got the shell and I could have utilized to root the box but I didn't. I just thought to make defacement of pea.edu.np.

Some PHP dumps:

addnew.php:

//clearly reflects their poor coding way...
<?
$path = "../";
//$thePage = "home";
include $path."includes/adminhead.php";
include $path."includes/headeradmin.php";
if($_POST['ok'])
{

$date1=$_POST['Date1'];
$title=$_POST['Title'];

$newfile=returnfilename($_FILES['fileattach'],"downloads");

$sqlquery= "INSERT INTO downloads VALUES('','$date1','$title','$newfile')";
$rt1=mysql_query($sqlquery) or die(mysql_error());

if($rt1)
{
print "<script>document.location='download.php';</script>";

}


}
?>

settings.php:
<?

// Online
/**/
$hostname="localhost";
$username="peaedu_peaedu";
$password="delta2009";
$db="peaedu_peadb";


/* LOCAL *

$hostname="localhost";
$username="root";
$password="";
$db="pea_db";
*/
$connectme=mysql_connect($hostname,$username,$password);
?>


Now the screenshot of the defaced site:



Thanks for reading this... and to site developers, learn fucking sense of security...

myktm.com SQLi vulnerability

Vuln: SQLi
Serious label: 3/5 (as user/pass can be stolen)
Actually, this hack was reported to us by someone anonymous. We don't have any information about him/her but thanks and full credit goes to you. Anyway, I think many of you have heard about myKtm.com, their skiddish forum and their Nepal messenger. Though I appreciate their effort in creating first Nepali IRC server/channel (I think they are the first), they need to learn about security. They talk in the leet way but they are insecured and since there are thousands of users registered over there, password compromise can be easily done.

[+] Exploit: SQLi
[+] The script doesn't validate the user input which can be used to do SQL injections and steal the important data from the system.

Samples [might have been changed since then]:

username: hash: email

admin:b09048fc8f1a2ac608012c327c60f973:admin@nepalexpo.com
huribatas:2f1157cdad63b7035e5252880bf6f9cc:huribatas111@hotmail.com
LSD:9ae90ad18eb0e8cfde193df7d258c09b:Lsd@myktm.com [admin of myKtm]
uTosTan:e7aebaae36f8ba319d46a7142218ef1e:utostan@gmail.com [super admin of myKtm, not sure though]

Ok that was enough to disclose them. I hope they take it positively. I want them to secure themselves. Drop a comment if you are myKtm-er and I will be replying on how to secure it...

Saturday, 5 December 2009

www.myrepublica.com multiple SQLi and XSS vulnerabilities

Myrepublica is one of the newer magazines and the site http://www.myrepublica.com is their online site. They usually do news update and hence the site provides recent news and happenings easily to the website visitors... But, again they are not secured and suffer from normal SQLi injection vulnerabilities.
Here are some dumps from the table users.
Username: password: emailid

ameet:1dhakal2:ameet@myrepublica.com
bikash:bik31@:bikash@myrepublica.com
prem:1khanal2:prem@myrepublica.com
premdhakal:dhakal123:premdhakal@myrepublica.com
pawan:terobaumerobau:pawan148@yahoo.com

etc...

Sample screenshot:

Some fucking notes to them:
1) Don't fucking keep plain passes in DB
2) Don't fucking make re-use of the same password
3) Read sam207's article on securing this vulnerability...
4) You're giving us the location of admin panels. fuck you... learn the sense of security.

Sorry but you are so lame that I had to deface you. No offense to myrepublica team(actually I like your newspaper), this message is to the developers of the site....
EDIT: I also found the site search system to be vulnerable to cross site scripting vulnerability.
Thank you!!!

Tuesday, 1 December 2009

www.thehimalayantimes.com SQLi vulnerability

The himalayan times is one of the national daily newspapers from nepal and its site www.thehimalayantimes.com like other common nepali websites is also vulnerable to normal web hack. Its again lame SQL injection caused due to the poor coding level. I am having eye pain right now because of welding so I won't be posting much but anyway below is the SQLi hack...
the admin information can be stolen from admin table while tbl_member consists of registered user information so this may lead to secret private data stealing....
admin table consists of columns:
admin_user
admin_pass
admin_email
admin_fullname, etc.

So SQL query: SELECT * FROM admin
is going to give us everything on table admin...
And they are also using base64 encoding. I have said previously too that a single call to base64_decode() in PHP or using online base64 decoders (www.yellowpipe.com has one) we are gonna get the actual pass easily.
Some dumps:
user:pass:email for admin

sajy.j:Z0kzdDRQOXM=:sajyjacob@yahoo.com
bipul:YmlwdWxzMQ==:bipulendra.adhikari@gmail.com
ARUN:c2lsaWNh:monsterdom@gmail.com
etc.
You can try and get the dumps yourself; no more dumps.
Read the article I have written in my blog sampctricks.blogspot.com  http://sampctricks.blogspot.com/2009/05/securing-php-avoid-basic-exploits-and.html in order to remove these vulnerabilities. You have lots of them in your scripts.
Edit:
again it is F1 Soft work most probably and has got so many vulnerabilities. Admin panel is in a bit less used place but we can find it easily (No need to overthink and do bruteforcing for admin cp)... Also @THT admins, do not change location of admin panel rather secure your scripts...
Couldnot upload the screenshot because of slow net connection and my eye problem...

Thanks... 

Sunday, 29 November 2009

NewsOfNepal.com SQLi Vulnerability

www.newsofnepal.com is just pretty insecure and more pwnage could have been carried out. Thanks to Cyb3r Lord for allowing me to post the thing he found... F1 Soft is one of the top IT company in Nepal but when it comes to coding, they suck...
This one is another disclosure of one of the big sites from Nepal. So lets go on...
There are few scripts that forget to validate the inputs and we are not disclosing how the things are vulnerable because we are not for script kiddies. Using MySQL > 5 means we can extract tables and columns easily.
Some tables are:
admin
advertisement
polling_user
etc.
And some tables are:
admin_pass
admin_user
admin_email
under admin table.
Now on extracting pass, I saw it was base64 encoded(FUCK). Use other hashing like md5() to encrypt. You are PHP guys and you should have known base64_decode($hash) is gonna give us the pass...
Anyway below is the screenshot of the pwnage:



Thanks...

Saturday, 28 November 2009

MOE.GOV.NP Multiple Vulnerability

Nothing much to say, www.moe.gov.np is the site of ministry of education which was rebuilt few months ago. But the site consists of multiple security breaches that can be used to own it.
So what are the vulnerabilities:
First, SQLi, second Insecure admin panel and third insecure session handling.
FuCK YoU to the developer for fucking insecure programming.
Now let me do some dumps:

File: clientConfigure.php
............
define("HOST","localhost");
define("USERNAME","moegov_moe");
define("PASSWORD","moepwd");
define("DBASE","moegov_moe");
............
............

File: cms.php
.........
switch($_GET["task"])
{
case "":
$query = "SELECT * FROM cms where publish='Y' and menuId=".$_GET["id"]; // sql
$sql = mysql_query($query);
//wtf? query without sanitizing GET variable, fuck...
..............
............
$query = "SELECT * FROM cms where publish='Y' and cmsId=".$_GET["contId"]; // sql
$rs=mysql_query($query) or die(mysql_error());
//again same fuck

File: index.php
Vuln to SQLi but good practice for file inclusions.

..........
......
switch($_GET["option"])
{
case "":
require_once("./clientIncludes/tabContent.php");
break;
case "download":
require_once("./option/download/download.php");
break;
...........
.....

File: admin/centreContent.php
// where is login session...
<?php
switch($_GET["option"]){
case "menu":
require_once("./option/menu/menu.php");
break;
case "user":
require_once("./option/user/user.php");
break;
......
...
?>

File: cpanel.config

#### NOTICE ####
# After manually editing any configuration settings in this file,
# please run '/usr/local/cpanel/whostmgr/bin/whostmgr2 --updatetweaksettings'
# to fully update your server's configuration.

RS=x3
VALIASDIR=/etc/valiases
VFILTERDIR=/etc/vfilters
access_log=/usr/local/cpanel/logs/access_log
adminuser=cpanel
allow_server_info_status_from=
allowcpsslinstall=1
allowparkhostnamedomainsubdomains=0
allowparkonothers=0
allowperlupdates=0
allowremotedomains=0
allowresellershostnamedomainsubdomains=0
allowunregistereddomains=0
alwaysredirecttossl=0
apache_port=0.0.0.0:80
apache_ssl_port=0.0.0.0:443
autocreateaentries=1
awstatsbrowserupdate=0
awstatsreversedns=0
basename=cpanel
blockcommondomains=1
check_zone_syntax=1
conserve_memory=0
coredump=0
cpaddons_adminemail=
cpaddons_autoupdate=1
cpaddons_max_moderation_req_all_mod=99
cpaddons_max_moderation_req_per_mod=99
cpaddons_moderation_request=0
cpaddons_no_3rd_party=0
cpaddons_no_modified_cpanel=1
cpaddons_notify_owner=1
cpaddons_notify_root=1
cpredirect=Origin Domain Name
cpredirectssl=SSL Certificate Name
cpsrvd-domainlookup=0
cpsrvd-gzip=1
cycle=1
default_login_theme=cpanel
defaultmailaction=localuser
deny_quicksupport_password=0
disable_compiled_dnsadmin=0
disableipnscheck=0
disablequotacache=0
disablexfercpanel=0
discardformmailbccsubject=1
dnsadminapp=
dnslookuponconnect=0
docroot=/usr/local/cpanel/base
domainowner_mail_pass=0
dumplogs=1
emailpasswords=1
emailusers_diskusage_critical_contact_admin=1
emailusers_diskusage_critical_percent=90
emailusers_diskusage_full_contact_admin=1
emailusers_diskusage_full_percent=98
emailusers_diskusage_warn_contact_admin=1
emailusers_diskusage_warn_percent=80
emailusers_mailbox_critical_percent=90
emailusers_mailbox_full_percent=98
emailusers_mailbox_warn_percent=80
emailusersbandwidthexceed=1
emailusersbandwidthexceed70=0
emailusersbandwidthexceed75=0
emailusersbandwidthexceed80=1
emailusersbandwidthexceed85=0
emailusersbandwidthexceed90=0
emailusersbandwidthexceed95=1
emailusersbandwidthexceed97=0
emailusersbandwidthexceed98=0
emailusersbandwidthexceed99=0
engine=cpanel
enginepl=cpanel.pl
engineroot=/usr/local/cpanel
errorstostdout=1
exim-retrytime=60
eximmailtrap=1
extracpus=0
file_upload_max_bytes=unlimited
file_upload_must_leave_bytes=5
ftppasslogs=1
ftpserver=pure-ftpd
htaccess_check_recurse=2
ignoredepreciated=0
interchangever=disable
jaildefaultshell=0
keepftplogs=0
keeplogs=0
keepstatslog=0
loadthreshold=2
local_nameserver_type=bind
logchmod=0640
logout_redirect_url=
maildir=1
mailserver=courier
maxemailsperhour=0
maxmem=256
myname=cpaneld
mysql-version=5.0
mysqldebug=0
nativessl=1
nobodyspam=0
nosendlangupdates=0
nouserbackupwarn=0
numacctlist=50
php_max_execution_time=90
php_post_max_size=55M
php_register_globals=0
php_upload_max_filesize=50M
phploader=none
popbeforesmtpsenders=0
port=2082
product=cPanel
proxysubdomains=1
proxysubdomainsfornewaccounts=1
proxysubdomainsoverride=1
publichtmlsubsonly=0
python=/usr/bin/python2.4
referrerblanksafety=0
referrersafety=0
remotedomainscheck=1
remotewhmtimeout=35
resetpass=1
rollback=0
root=/usr/local/cpanel
showwhmbwusageinmegs=0
skipanalog=1
skipawstats=0
skipboxcheck=0
skipboxtrapper=0
skipbwlimitcheck=0
skipdiskcheck=0
skipformmail=1
skiphorde=0
skiphttpauth=0
skipmailman=0
skipmelange=1
skipnotifyacctbackupfailure=0
skipparentcheck=0
skiproundcube=0
skipspamassassin=0
skipspambox=0
skipsqmail=0
skipwebalizer=1
skipwhoisns=0
stats_log=/usr/local/cpanel/logs/stats_log
statsloglevel=1
statthreshhold=256
stunnel=/usr/sbin/stunnel
tcp_check_failure_threshold=3
urchinsetpath=
use_safe_quotas=1
useauthnameservers=0
usemailformailmanurl=1
usemysqloldpass=0
version=8.0


Feeling boring after the pwnage. Need to do mathematics assignment. That was the pwnage of moe.gov.np
They are pretty insecure. The method not disclosed over here but good hackers can find it. Sorry, script kiddies...
Thanks...

Saturday, 14 November 2009

KhullaBazaar.com Shopping Site SQL Vulnerability

Site: www.khullabazaar.com
Risk: High [Critical informations can be stolen]
Notified: YES [in a way]
/*Action from Admin: N/A*/
Vulnerable file: You should figure it out easily
Exploit: The php script do not validate the inputs from user which can be used to compromise the database.
Solution: sam207 has written an article on it.

If any of the site admin is viewing this page, you can contact me or sam to know what's vulnerable and how to fix it. Don't take the pwnage negatively...
Thanks.

Monday, 9 November 2009

DC-nepal.com Multiple Vulnerabilities

I got the link to the site from some nepali social networking site and was just testing the security issues of the site as the about us page stated that the people of DC-nepal are quite good in computer technology. I started with general web hacks and unfortunately found this site to be vulnerable to SQL injection and persistent cross site scripting. So I thought to share this with you guys.
SQLi:
http://www.dc-nepal.com/nepali_model.php?id=437
The id variable is not well sanitized so valid queries can be injected to the site. Since the MySQL version>5, its even more easier for hackers to get different credentials from the site.
Some tables:
admin
dc_classicfied

Login user/hash: laxman: hnz/uP1502jYsjqs//hCfg==
You need to decrypt the password and you can login from /admin.


Persistent XSS:
http://www.dc-nepal.com/nepali_model.php?id=437
The comment form doesn't filter any malicious so this can be used to drop executables and redirects.
Hope they make a quick fix. They were notified...

Saturday, 31 October 2009

Venus.com.np Security Disclosure

Venus.com.np Hackz:



Last 4 lines of .htaccess:

AuthType Basic

AuthName www.venus.com.np

AuthUserFile /home/venus/public_html/_vti_pvt/service.pwd

AuthGroupFile /home/venus/public_html/_vti_pvt/service.grp





Example of poor coding:

<?php

$inc = $_GET['page'] . '.php';

if ($inc == '.php') $inc = 'home.php';

//echo $inc;

?>


Nothing more to say. You know how vulnerable they are. Happy Hacking!!! :)

placementNepal.com Security Disclosure

I hate placementnepal.com and its parent hitechacademy. They say they have the best coder but their coders suck. Owning placementNepal.com was not a big deal as they don't know what security is and hence, can't secure themselves.



Interesting tables in the database of placementNepal:

clients

cusers

privileges

recruitusers

userprivileges

users

uusers



And they don't put your passwords encrypted in their database. So don't reuse your email accounts and other passwords in placementNepal.com.

Some sample login examples:

Email: Password

amrit_giri@hotmail.com: rrihchaa

rikesh_eikir@hotmail.com: haratimaan07

merhythm@hotmail.com: 24*365sweta



No more disclosure. Sorry to those whose emails were selected randomly...

Thank you and Happy Hacking... :)

Nepal telecom phpinfo() disclosure

Cyb3r Lord had previously posted the hacks that can be used to exploit NTC website. He also talked about php info in NTC site. However, he didn't share the contents of php info of NTC. So I thought to share it with you guys.



Code:

<?php

phpinfo();

?>



Some parts from it:



System Linux bhadrakali.ntc.net.np 2.6.18-8.el5 #1 SMP Thu Mar 15 19:57:35 EDT 2007 i686

Build Date Jul 16 2008 19:54:37

Server API Apache 2.0 Handler

PHP.INI path /etc/php.ini

allow_url_fopen On On

expose_php On On

magic_quotes_gpc On On

magic_quotes_runtime Off Off

register_globals On On

safe_mode Off Off

SMTP seti.ntc.net.np seti.ntc.net.np



Why the hell are they keeping register_globals on; sucks... And why would they like to turn on allow_url_fopen. Learn some security. Other critical informations not disclosed over here.

Thanks

Hitechacademy Security Disclosure

Hi there,

in this post, I am going to disclose the security issues of hitech academy which gives computer training to many students. Though it says its one of the best from Nepal, it knows nothing about security. So I thought to disclose them...



Learn some coding Hitech guys, the manager had told me in my interview that he has got some best paid programmers from Nepal and you(means I) can't compete with them, so sorry for this time.



From index.php:

if(isset($_GET['action']))

{

include("includes/".$_GET['action'].".php");

}



WTF? Don't you know how to validate variables. Sucks... Poor coding.



From DBConnection file:

<?php



$dbuser="hitechac_hitech";

$dbpassword="hitech";

$database="hitechac_hitech";



$host = "localhost";





$ado=new data($host,$dbuser,$dbpassword,$database);

?>



From one of the functions file:

function adminLogin($username, $password)

{

global $ado;

global $userGroups;



$sql = "SELECT u.* FROM users u, usergroups ug WHERE u.username = '$username' AND u.password = '$password'

AND u.userGroupId = ug.id AND ug.name = 'admin'";

$result = $ado->exec($sql);



if ($ado->count_row($result) > 0)

{

//login successful



$row = $ado->fetch_array($result);



$_SESSION['userId'] = $row['id'];

$_SESSION['userFullname'] = $row['fullname'];

$_SESSION['userUsername'] = $row['username'];

$_SESSION['userGroupId'] = $row['userGroupId'];



$gResult = $userGroups->getById($row['userGroupId']);

$gRow = $ado->fetch_array($gResult);



$_SESSION['userGroupPower'] = $gRow['power'];

$_SESSION['userGroupName'] = $gRow['name'];



return true;

}

//invalid login

return false;

}



WTF? Don't you know SQLi vuln is very bad.



Hitech email login PHP script snippet:



<?

session_start();

if (isset($_POST['Submit']))

{

if ($_POST['username'] == "hitechemail" && $_POST['password'] == "emailhitech")

{

$_SESSION['userId'] = "hitech";

header("Location: index.php");

exit();

}

}

?>


LOL... passes in normal form. Learn to use md5(), hitech.



To Hitech Academy, please make corrections in the following informations from your site(Do not hide the truth from your clients; just say how lame you are...):



HiTech Academy is an institution established with the aim of providing (non-)quality education and training in the field of Basic (and Advance; remove this) Computing, Computer Accounting, Hardware and Networking, (Add insecure) Computer Programming, Web Designing, Tele-communications, English Language and Personality Development and a host of other allied subjects. It also provides job placement services to its students as well as other job seekers.

HimalTech [ISP] Security Disclosure

This is a minor one(at least I think). Himaltech is a ISP from Nepal (though I had never heard it). First think, don't host on Windows system; use free and open source Linux distro... They are cheaper, I think.



From index.php(exploitable snippet):

if(($p == "") && ($q != "")){

$filename = $q;

} elseif($p != ""){

$filename = $p."/content";

} else {

$filename = "home";

}

include($filename.$ext);



WTF? How are you making includes. Fucking noobish.



From one of the PHP scripts:



$query = "UPDATE newsFeed set date='". $_POST['dated'] ."' WHERE id='". $_POST['id'] ."'";



Oh hell. learn to validate the inputs. What would have happened if an evil user had submitted some malformed information.



Some configs from the functions.php:



<?php



$isp[lname] = "HimalTech Internet Services";

$isp[sname] = "HimalTech";

$isp[sup_tel] = "443-9541, 01-621-8615";

$isp[gen_tel] = "+977 (1) 44 39 541";

$isp[sup_email] = "support@himaltech.com";

$isp[gen_email] = "info@himaltech.com";





$radHost = "himaltech.com";

$radUser = "phpmgmt";

$radPass = "**EDITED**";

$radName = "radius";



$newsHost = localhost;

$newsUser = "himal";

$newsPass = "**EDITED**";

$newsName = "ht";

............

...........

?>


And some arrays:



$nas = array(

"69.88.8.94" => array("port" => 30, "name" => "Dhau"),

"10.0.0.3" => array("port" => 30, "name" => "vold_dhau"),

"202.161.146.197" => array("port" => 30, "name" => "old_dhau"),

"202.161.146.209" => array("port" => 30, "name" => "dhauold")

);



So that was the show on himaltech. Happy hacking!!! :)

Government sites SQLi vulnerabilities series I

Most of the Nepali government sites are not updated and also are pretty insecure. So here I have thought to list some of the hackable government sites.

Risk: Various

Dork: WTF? Figure yourself...



http://www.Can.gov.np:

Path: /web/vhosts/can.gov.np/httpdocs/

Vuln: SQLi



http://www.ccwb.gov.np

Vuln: SQLi



http://www.dfrs.gov.np:

Vuln: SQLi

Admin panel: http://www.dfrs.gov.np/admin/login.php



http://www.dhm.gov.np:

Vuln: SQLi

Admin panel: /dhmadmin



http://www.dvsdt.gov.np:

Vuln: SQLi



http://www.kathmandu.gov.np:

Vuln: SQLi



http://www.mofsc.gov.np:

Vuln: SQLi



http://www.moi.gov.np:

Vuln: SQLi



http://www.npc.gov.np:

Vuln: SQLi



http://tourismnepal.gov.np:

Vuln: SQLi



http://www.moe.gov.np

Vuln: SQLi



There are more vulnerable sites... These were just the examples... They are vulnerable to the most common exploit (SQL injection) which can be even done by fucking script kiddes. This post is the message to the government bodies to secure their site...



Below are sample PHP snippets from Can.gov.np



From index.php

<?

//session_start();

include "admin/dbconn.php";

//Global.php gets language setting and returns $SEL_LANGUAGE=en or np

include "global.php";

//Parameters depending on Language settings

include "myvar.php";

include "removetags.php";

?>



From one of the scripts(not disclosed to prevent script kiddies)

$queryParent="select $THE_SEC from tblsections where secid=$secid and attrib='P'";

$resultParent=mysql_query($queryParent);

$rowParent=mysql_fetch_row($resultParent);

$secName=$rowParent[0];

//Get Section Content

$queryParent="select $SEC_CONTENT from $ContentTable where secid=$secid and attrib='P' order by contentdate desc";

$resultParent=mysql_query($queryParent);

$rowParent=mysql_fetch_row($resultParent);

$secContent=str_replace("THE_ANT_SINGLE_QUOTE","'",$rowParent[0]);

$secContent=str_replace("opensection.secid:","**editedByMe**",$secContent);



From dbconn.php

<?

/*

$datahost = "localhost";

$dbusername = "root";

$dbuserpass = "";

$database = "can_gov_np";

*/



$datahost = "127.0.0.1";

$dbusername = "can";

$dbuserpass = "**EDITED**";

$database = "can_gov_np";





// Database Server Connection

$link = mysql_connect("$datahost", "$dbusername", "$dbuserpass")

or die("Could not connect : " . mysql_error());

// print "Connected successfully
";

// Database Connection

mysql_select_db("$database") or die("Could not select database");

// print "Database Selected successfully
";



?>


Thanks for reading this...

CyberSansar Database Disclosure

Not much important here (is old one) but still thought to share these. You know cybersansar.com is one of the most visited sites from Nepal and still its vulnerable to SQLi and XSS. They need to learn codings. Anyway today I am going to show you some old DB dumps of cybersansar.com (I think most of these are still the same at present, too.)
Lets start:

Cyber Sansar virtual host info:

####cybersansar.com

ServerAdmin webmaster@cybersansar.com
DocumentRoot /web/vhosts/cybernepal.com.np/httpdocs
ServerName cybersansar.com
ServerAlias www.cybersansar.com

##PHP / phpmyadmin
php_value register_globals "on"
Include /etc/apache/modules.d/vhosts_modphp
Include /etc/apache/modules.d/vhosts_phpmyadmin

## htpasswd
Include /etc/apache/extra/cybernepal_include


## ReWrite Module
RewriteEngine on
RewriteCond %{HTTP_HOST} !^202.79.32.62(:80)?$
RewriteCond %{HTTP_HOST} !^www.cybersansar.com(:80)?$
RewriteRule ^/(.*) http://www.cybersansar.com/$1 [L,R]
RewriteOptions inherit
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

ErrorLog /web/vhosts/cybernepal.com.np/logs/error.log
CustomLog /web/vhosts/cybernepal.com.np/logs/access.log common



DB Dumps:
INSERT INTO `logonuser` VALUES ('cardb', 'ptcn');
INSERT INTO `logonuser` VALUES ('admin', 'rajendra1');

Emails of artists:
Manoj Shrestha: manoz@manozshrestha.com
Nalina Chitrakar: nalina_chitrakar@hotmail.com
Girish: diseezgirish@hotmail.com
Pramod Upadhyaya: cabbageheart@hotmail.com
Sarisma Amatya: sarishmaamatya@hotmail.com
Deepesh Kishor Bhattarai: deepeshforever@hotmail.com
Prem Lama: lamaprem_7@hotmail.com
Avinash Ghishing: generation_np@hotmail.com
Sabin Rai: mesabin03@yahoo.com
Prashna Shakya: prashnas@gmail.com
Mausami Gurung: mausamigurung4@yahoo.com
Abhaya Subba: bacchus_21@yahoo.com
Sudin Pokhrel: itsda69@hotmail.com
Mingma Sherpa: feelmingma@hotmail.com
Resma Sunuwar: resmires@hotmail.com

I just selected few of them from DB. There were more... Also, the DB dump revealed phone numbers of around 116 singers/artists. Do not contact me to send you the phone numbers of the singers unless you have some genuine reason (hardcore fan, need to give me proof).

Tables in CyberSansar's DB:
adminlogin
artist_info
artist_info2
cs_adminuser
cs_menucategory
cs_model_info
cs_section
cs_wallpaper
discography
doc_ques_ans
doc_sub
logers
logonuser
org_para
phpwebgallery_caddie
phpwebgallery_categories
phpwebgallery_comments
phpwebgallery_config
phpwebgallery_favorites
phpwebgallery_group_access
phpwebgallery_groups
phpwebgallery_history
phpwebgallery_image_category
phpwebgallery_image_tag
phpwebgallery_images
phpwebgallery_rate
phpwebgallery_search
phpwebgallery_sessions
phpwebgallery_sites
phpwebgallery_tags
phpwebgallery_upgrade
phpwebgallery_user_access
phpwebgallery_user_cache
phpwebgallery_user_feed
phpwebgallery_user_group
phpwebgallery_user_infos
phpwebgallery_user_mail_notification
phpwebgallery_users
phpwebgallery_waiting
regis
tbl_movie_artist_profile
tbl_movie_person
tbl_movie_persontype
tbl_movie_profilesetup
test1
test2
vdb_artist_info
vdb_discography
vdb_music_category
vdb_video_info

So that's the end of the show... Feeling sleepy (its 12:23 AM already). Bye guys.
Thanks and Happy Hacking!!! :)

Tuesday, 27 October 2009

IOE, Pulchowk website SQLi vulnerability


IOE.edu.np SQLi vulnerability:

Site: www.ioe.edu.np
Risk: Low[I just did it quickly and seems there's no critical data in the site]
Notified: NO
/*Action from Admin: N/A*/
Vulnerable file: You should figure it out easily
Exploit: The php script do not validate the inputs from user which can be used to compromise the database.
Solution: sam207 has written an article on it.

Just added this one to show how our security is? We don't care or we don't know how to...
Thank you.

Enasha SQLi vulnerability

Enasha.com SQLi vulnerability:

Site: www.enasha.com
Risk: Medium - High
Notified: YES
Action from Admin: N/A
Vulnerable file: Admins, check email
Exploit: The different pages do not validate the inputs from user which can be used to compromise the database.
Solution: sam207 has written an article on it.

Sample screenshot:

See the title of the site...

Laxmibank.com XSS/SQLi vulnerability

Laxmi Bank XSS/SQLi vulnerability:

Site: www.laxmibank.com
Risk: Medium - High
Notified: YES
Action from Admin: N/A
Vulnerable file: searchpage.asp
Exploit: The search doesn't sanitize the input from user. So it suffers from XSS. And moreover specially crafted SQL queries can be done through search box
Solution: sam207 has written an article on it.

Note that we have notified Laxmi Bank about this long time ago but they didn't give us any reply or didn't update themselves.

Nepal Telecom XSS vulnerability

Nepal Telecom XSS vulnerability:

Site: www.ntc.net.np
Risk: Low
Notified: YES
Action from Admin: N/A
Vulnerable file: /search/searchresult.php
Exploit: The search doesn't sanitize the input from user. So it suffers from XSS.
Solution: sam207 has written an article on it.

More message to NTC, you are open to a lot of problems. We got all the PSTN Bank user logins(we also know where to login from) and what's the point of putting phpinfo() online. We grabbed the PHP information from NTC. Also, why would you like to put apache manual on the website (though isn't a potential risk). Contact us if you want to know more vulnerabilities I think I shouldn't discuss over here.
Thank you.

Madhavnepal.com SQLi vulnerability

MadhavNepal.com SQLi vulnerability:

Site: www.madhavnepal.com
Risk: Low-Medium [you need to find admin panel and MySQL<5]
Notified: YES
Action from siteadmin: N/A
Vulnerable file: large_tasbir.php
Exploit: large_tasbir.php doesnot filter the id variable passed to it.
Example: We know so we don't post...
Solution: sam207 has written an article on it.

Sample screenshot:



Note that the site administrator has been notified with this vulnerability. Thank you.