Saturday 31 October 2009

Government sites SQLi vulnerabilities series I

Most Nepali government sites are not kept updated and are pretty insecure, so here I am listing some of the vulnerable government sites.

Risk: Various

Dork: WTF? Figure it out yourself...



http://www.Can.gov.np
Path: /web/vhosts/can.gov.np/httpdocs/
Vuln: SQLi

http://www.ccwb.gov.np
Vuln: SQLi

http://www.dfrs.gov.np
Vuln: SQLi
Admin panel: http://www.dfrs.gov.np/admin/login.php

http://www.dhm.gov.np
Vuln: SQLi
Admin panel: /dhmadmin

http://www.dvsdt.gov.np
Vuln: SQLi

http://www.kathmandu.gov.np
Vuln: SQLi

http://www.mofsc.gov.np
Vuln: SQLi

http://www.moi.gov.np
Vuln: SQLi

http://www.npc.gov.np
Vuln: SQLi

http://tourismnepal.gov.np
Vuln: SQLi

http://www.moe.gov.np
Vuln: SQLi



There are more vulnerable sites... These were just examples... They are vulnerable to the most common web exploit (SQL injection), which can be pulled off even by fucking script kiddies. This post is a message to the government bodies to secure their sites...



Below are sample PHP snippets from Can.gov.np (the site's own code, lightly edited to remove secrets):



From index.php

<?
//session_start();
include "admin/dbconn.php";
//Global.php gets language setting and returns $SEL_LANGUAGE=en or np
include "global.php";
//Parameters depending on Language settings
include "myvar.php";
include "removetags.php";
?>



From one of the scripts (not disclosed to prevent script kiddies). $THE_SEC, $SEC_CONTENT and $ContentTable are the per-language names set in myvar.php; $secid is the caller-supplied section id, and it goes straight into the SQL text without quoting, casting or escaping. Because the comparison is numeric (secid=$secid, no quotes), no quote character is needed to alter the query.

$queryParent="select $THE_SEC from tblsections where secid=$secid and attrib='P'";   // $secid concatenated unescaped: injection point
$resultParent=mysql_query($queryParent);
$rowParent=mysql_fetch_row($resultParent);
$secName=$rowParent[0];
//Get Section Content
$queryParent="select $SEC_CONTENT from $ContentTable where secid=$secid and attrib='P' order by contentdate desc";   // same unescaped $secid again
$resultParent=mysql_query($queryParent);
$rowParent=mysql_fetch_row($resultParent);
// Single quotes are stored as a placeholder token and swapped back on display
// instead of being escaped properly at write time.
$secContent=str_replace("THE_ANT_SINGLE_QUOTE","'",$rowParent[0]);
$secContent=str_replace("opensection.secid:","**editedByMe**",$secContent);



From dbconn.php (this file sits under the web root, /web/vhosts/can.gov.np/httpdocs/admin/, and is pulled in by index.php). Note the original root/empty-password configuration left behind in a comment block.

<?
/*
$datahost = "localhost";
$dbusername = "root";
$dbuserpass = "";
$database = "can_gov_np";
*/

$datahost = "127.0.0.1";
$dbusername = "can";
$dbuserpass = "**EDITED**";
$database = "can_gov_np";

// Database Server Connection
$link = mysql_connect("$datahost", "$dbusername", "$dbuserpass")
or die("Could not connect : " . mysql_error());   // leaks the MySQL error text to the visitor
// print "Connected successfully";

// Database Connection
mysql_select_db("$database") or die("Could not select database");
// print "Database Selected successfully";
?>
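For contrast, here is how the two section lookups and the database connection above would look with the injection closed off. This is an added example written for this post, not code from can.gov.np. It assumes PHP 7+ with the pdo_mysql extension, the same tblsections table and attrib/contentdate columns as the original, that the section id arrives as a GET parameter named secid, and that the per-language column and table names (shown here as secname_en, content_en, tblcontent_en and their np counterparts) stand in for whatever myvar.php actually sets.

```php
<?php
// Added example, not code from can.gov.np: the tblsections / content lookups
// quoted above, rewritten with PDO prepared statements. Assumed: pdo_mysql,
// the same tblsections layout, and a GET parameter named secid.
declare(strict_types=1);

// Credentials come from the server environment, not from a file under httpdocs.
$dsn  = getenv('CAN_DB_DSN')  ?: 'mysql:host=127.0.0.1;dbname=can_gov_np;charset=utf8mb4';
$user = getenv('CAN_DB_USER') ?: 'can';          // least-privilege account, never root
$pass = getenv('CAN_DB_PASS');
if ($pass === false) {
    http_response_code(500);
    exit('database credentials not configured');
}

$pdo = new PDO($dsn, $user, $pass, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,   // no mysql_error() text on the page
    PDO::ATTR_EMULATE_PREPARES => false,                    // server-side prepares: values never enter the SQL text
]);

// secid is an integer key. Validate it as one and refuse anything else, so
// input like "1 or 1=1" never reaches a query in any form.
$secid = filter_input(INPUT_GET, 'secid', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($secid === null || $secid === false) {
    http_response_code(400);
    exit('invalid section id');
}

// The original interpolates $THE_SEC, $SEC_CONTENT and $ContentTable from the
// language setting. Identifiers cannot be bound as parameters, so map the
// language to a fixed whitelist instead. These column/table names are assumed.
$lang   = (($SEL_LANGUAGE ?? 'en') === 'np') ? 'np' : 'en';
$schema = [
    'en' => ['sec' => 'secname_en', 'content' => 'content_en', 'table' => 'tblcontent_en'],
    'np' => ['sec' => 'secname_np', 'content' => 'content_np', 'table' => 'tblcontent_np'],
][$lang];

// Section name: secid bound as an integer parameter, not concatenated.
$stmt = $pdo->prepare(
    "SELECT {$schema['sec']} FROM tblsections WHERE secid = :secid AND attrib = 'P'"
);
$stmt->bindValue(':secid', $secid, PDO::PARAM_INT);
$stmt->execute();
$secName = $stmt->fetchColumn();
if ($secName === false) {
    http_response_code(404);
    exit('no such section');
}

// Section content: same bound parameter, whitelisted table and column.
$stmt = $pdo->prepare(
    "SELECT {$schema['content']} FROM {$schema['table']}
      WHERE secid = :secid AND attrib = 'P'
      ORDER BY contentdate DESC LIMIT 1"
);
$stmt->bindValue(':secid', $secid, PDO::PARAM_INT);
$stmt->execute();
$secContent = (string) $stmt->fetchColumn();

// Existing rows still carry the site's THE_ANT_SINGLE_QUOTE marker, so the
// display-side replacement from the original stays. With bound parameters the
// marker is no longer needed when new content is written.
$secContent = str_replace('THE_ANT_SINGLE_QUOTE', "'", $secContent);
```

Two points worth noting in the design. First, the integer check on secid is defence in depth, not the fix: the prepared statement alone already stops the injection, but rejecting non-integers up front also means a tampered id cannot reach the query logic at all. Second, the whitelist for the per-language identifiers matters because the original builds $THE_SEC and $ContentTable from a language setting; a placeholder cannot carry a column or table name, so the only safe way to vary them is to pick from a fixed set.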


Thanks for reading this...
