Saturday, 28 November 2009

MOE.GOV.NP Multiple Vulnerability

Nothing much to say: www.moe.gov.np is the site of the Ministry of Education, which was rebuilt a few months ago. But the site contains multiple security holes that can be used to own it.
So what are the vulnerabilities?
First, SQLi; second, an insecure admin panel; and third, insecure session handling.
FuCK YoU to the developer for fucking insecure programming.
Now let me do some dumps:

File: clientConfigure.php
............
define("HOST","localhost");
define("USERNAME","moegov_moe");
define("PASSWORD","moepwd");
define("DBASE","moegov_moe");
............
............

File: cms.php
.........
switch($_GET["task"])
{
case "":
$query = "SELECT * FROM cms where publish='Y' and menuId=".$_GET["id"]; // sql
$sql = mysql_query($query);
//wtf? query without sanitizing GET variable, fuck...
..............
............
$query = "SELECT * FROM cms where publish='Y' and cmsId=".$_GET["contId"]; // sql
$rs=mysql_query($query) or die(mysql_error());
//again same fuck
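As an added example (not the site's code), here is how the two cms.php lookups above could be rewritten so the request parameters never become part of the SQL text: the value is validated as an integer and bound with a mysqli prepared statement. Table and column names come from the snippets; the connection details and the "content" task name are assumptions.

```php
<?php
// Added example, not the original cms.php. Connection values are placeholders.
$db = new mysqli("localhost", "DB_USER_PLACEHOLDER", "DB_PASSWORD_PLACEHOLDER", "DB_NAME_PLACEHOLDER");
$db->set_charset("utf8mb4");

/** Fetch published cms rows where one integer column equals a client-supplied id. */
function fetchPublished(mysqli $db, string $column, string $value): array
{
    // The column is chosen by server code from a fixed allowlist, never by the client.
    $allowed = ["menuId", "cmsId"];
    if (!in_array($column, $allowed, true)) {
        throw new InvalidArgumentException("unexpected column");
    }
    // Reject anything that is not a plain decimal integer (e.g. "1 OR 1=1").
    if (filter_var($value, FILTER_VALIDATE_INT) === false) {
        return [];
    }
    $id = (int) $value;
    // The id travels as a bound parameter, so it is data, not SQL.
    $stmt = $db->prepare("SELECT * FROM cms WHERE publish = 'Y' AND {$column} = ?");
    $stmt->bind_param("i", $id);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

switch ($_GET["task"] ?? "") {
    case "":
        $rows = fetchPublished($db, "menuId", $_GET["id"] ?? "");
        break;
    case "content": // assumed task name; the page elides the original case label
        $rows = fetchPublished($db, "cmsId", $_GET["contId"] ?? "");
        break;
    default:
        http_response_code(404);
        exit;
}
```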

File: index.php
Vulnerable to SQLi, but the file inclusions are done properly (a switch over fixed paths rather than a client-supplied filename).

..........
......
switch($_GET["option"])
{
case "":
require_once("./clientIncludes/tabContent.php");
break;
case "download":
require_once("./option/download/download.php");
break;
...........
.....

File: admin/centreContent.php
// where is login session...
<?php
switch($_GET["option"]){
case "menu":
require_once("./option/menu/menu.php");
break;
case "user":
require_once("./option/user/user.php");
break;
......
...
?>
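As an added example (not the site's code), here is a login gate placed in front of the admin option switch above, answering the "where is login session" comment. The session key admin_user, the login page path and the 15-minute idle limit are assumptions.

```php
<?php
// Added example, not the original admin/centreContent.php.
// Cookie flags are set before the session starts so the session id is
// not readable by scripts and is only sent over HTTPS (assumed deployment).
ini_set('session.cookie_httponly', '1');
ini_set('session.cookie_secure', '1');
session_start();

/** Stop the request here unless an authenticated admin session exists. */
function requireAdminLogin(): void
{
    // Assumption: the login page sets $_SESSION['admin_user'] after a successful
    // password check and calls session_regenerate_id(true) at that point.
    if (empty($_SESSION['admin_user'])) {
        header("Location: /admin/login.php");
        exit;
    }
    // Limit how long a forgotten or stolen session stays usable.
    if (time() - ($_SESSION['last_seen'] ?? 0) > 900) {
        session_unset();
        session_destroy();
        header("Location: /admin/login.php?expired=1");
        exit;
    }
    $_SESSION['last_seen'] = time();
}

requireAdminLogin();

// The include switch stays as on the page: fixed paths keyed on the option
// name, so the client picks one of these cases and cannot supply a filename.
switch ($_GET["option"] ?? "") {
    case "menu":
        require_once("./option/menu/menu.php");
        break;
    case "user":
        require_once("./option/user/user.php");
        break;
    default:
        http_response_code(404);
        exit;
}
```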

File: cpanel.config

Feeling bored after the pwnage. Need to do my mathematics assignment. That was the pwnage of moe.gov.np.
They are pretty insecure. The method is not disclosed here, but good hackers can find it. Sorry, script kiddies...
Thanks...

5 comments:

  1. cpanel.config posted for you to see what cpanel.config looks like; it doesn't contain anything juicy (though it gives us an idea of the server's config)...
  2. Wow man, how did you do that? Can you give me some hint? Wow, I love it.
  3. Wow, it's great.
    Do you think it is possible to alter any information regarding the site with that information? Can you change any information on that site?
    Thank you.
  4. Yeah, it's possible to deface them and change the index pages, but we don't want to go for lame defacements.
  5. Almost all the sites you claim to hack belong to the same server. It seems that you have access to the FTP of these sites, either by social engineering, or by someone 'inside' the system providing you the access code, or by you being the one inside the system.

    If this is the case, then I wonder if this is called 'hacking'!!! except the social one ;)

    Anyway, happy hacking and all the best.