Saturday, 26 December 2009

Nepal Bangladesh Bank SQLi vulnerability

The official website of Nepal Bangladesh Bank Limited www.nbbl.com.np suffers from Sql injection and hence can be compromised to get sensitive informations from it. Its 1 a.m midnight already here so I am lazy to post the dumps for now. If I happen to remember it next day, I shall post the dumps. For now, following are some information of the server:
current database: nbblcom_db 
user : nbblcom_admin@localhost
DB version: 4.1.22-standard
I am being too lazy at this time to bruteforce for the tables. Guys do yourself if you want to dig the site more.
Thanks. 

Wednesday, 23 December 2009

Neoteric Nepal SQL injection Vuln

Official website of Neoteric nepal suffers from sql injection vuln.
Some details:
ftp: ftp://ftp.neoteric.com.np/
ftp security: very secure
Vuln:SQL injection
Dump:
Table name: admin_user
id:pwd= not displayed for security
Scrnshot:


Hope they secure it soon
Regards,

National Information Technology Center site vulnerability

The official website of National Information Technology Center suffers from SQL injection and hence, the login information and other data can be taken away from the database. The worse part is that by uploading shell, one could not only deface nitc.gov.np but also other sites hosted on the server to name few: nepalgov.gov.np, hlcit.gov.np

Just amazed that the center has got so many computer engineers and they are vulnerable to such a simple hack. They need to learn the sense of security to build secure digitalized nepal. Also, what is the fucking point of putting the files in admin panel folder and letting users download from them. And guys, you need to learn to prevent index browsing (its so open) and also the usage of sessions in PHP...

Screenshot:




Thanks... and absolutely no offense to them. We just want the secure nepal.

Monday, 21 December 2009

Ketaketi.org(CLFN) SQL Injection vuln

The official website of CLFN (Ketaketi.org) suffers from sql injection attack in bsoftmore.php
A remote attacker can easily get over the site. (Not me actually, i didnt find the login page.) anyway i got the id and passes/ The id and passes are not shown for security here.
Some details:
Site:ketaketi.org
Vuln: SQL injection
Table name: user
Hope they fix it soon

Sunday, 20 December 2009

www.indianembassy.org.np SQLi vulnerability

www.indianembassy.org.np is the official website of Indian Embassy in Nepal and the site is vulnerable to common SQL injection vulnerability.
The site uses mysql version 4 so no information_schema. So I just did bruteforcing by coding small script in PHP to find the valid username/password combination but they are pretty guessable. I didn't think of defacing because it is an organization and defacing such organizations totally would be wrong thing but I posted a news in the site.
Below is the screenshot:





Absolutely no offense to indian embassy. But we hope you will be securing yourself after this pwnage.
Regards

Saturday, 19 December 2009

CCRC (ccrc.edu.np) SQLi Vulnerability

A sql injection vuln exists in ccrc college's website.
Details:
URL: http://ccrc.edu.np
FTP: ftp.ccrc.edu.np
FTP status: Very Secure (9.5/10)
SQL injection: Yes(8.5/10, since all critical datas can be extracted)

Dumps:
rajan:c647f23604314d5aa5bb53ad3def9303

Hope they fix it soon

ccma.edu.np SQLi vulnerability

Not much, but I thought to share it over here.
The official website of Chartered College of Management and Accounts, www.ccma.edu.np suffers from sql injection attack and hence can be used to extract critical data from the database. Check the site main page ccma home to see the vulnerability. I have made redirection to the nep sec blog.

Thanks

Thursday, 17 December 2009

Universal College(http://www.uc.edu.np) SQL injection Vuln

A sql Injection Vuln exists in Universal College's site. A remote attacker can easily get the pwd and login.

Some details:

Vuln Type: SQL injection

FTP: ftp://ftp.uc.edu.np/ (Proftpd 1.3.0 server//WL)

VULN RATING: 6/10 (SQL INJECTION), 8/10 (OLD FTP SERVER. MANY EXPLOITS ARE OUT THERE)

STATUS:Notified

Some proofs:

Table_names: login, user

Dumps:

Not_REVEALED for security

Screenshot of Logged in cpanel:
Hope they fix it down :D

Thursday, 10 December 2009

Internet Business Bureau Common SQL injection Vulnerability

I checked the IBB's portfolio and the sites it develops uses the same script and it is vulnerable to SQL injection. Check my previous post for more on knowing this:
http://nepsecvulns.blogspot.com/2009/12/party-popper-wwwpartypoppercomnp-sqli.html

The same mysql injection is valid but filtering takes so you need to bypass filters (not hard). I would recommend you to google for mysql injection cheatsheets and learn and practice hacking in these sites.

Nepali Hackers Are Not Dead, They Are Underground and Might Be At Your Root

Party Popper [www.partypopper.com.np] SQLi vulnerability

The site of Party Popper [www.partypopper.com.np] is vulnerable to SQL injection and various information can be stolen. The SQL filtering IDS are working to some extent but we can easily bypass such filters and I was able to do the same.
Anyway, this site has nothing much but still we think that such security flaws must be addressed so that nepali developers work on protecting from such vulnerabilities...
Some tables:
admin
content

Screenshot of logged admin panel:


Thanks. Admins can find the article by me at my site http://www.sampctricks.blogspot.com

Engineering express [www.engxpress.com.np] Multiple Vulnerabilities

The online website of The Engineering Express http://www.engxpress.com.np is pretty insecure with multiple vulnerabilities. It suffers from SQLi and insecure file upload vulnerability. Anyway below are some dumps from the website:
Few tables:
register
signin

Columns in signin table:
Username
Password


Fucking lots of SQLi...


Login process:

$stmt=sprintf("SELECT * FROM login WHERE username='%s' AND password='%s'",$usr, $pwd);
$dblink=DBset() ;//Connect to the database...
$result = DBquery($stmt, $dblink) ;//Send Query
$totresult = mysql_num_rows($result);
$row = mysql_fetch_object($result);

Page.php:
$stmt=sprintf("SELECT Content FROM page WHERE Id='%s'",$_GET['recordID']);
$dblink=DBset() ;//Connect to the database...

Other scripts are also vulnerable but I am too lazy to post them, too.

Screenshots:







Certainly no offense but you need to improve yourself...
Thanks!!!

Wednesday, 9 December 2009

Mero IT (www.meroit.com) SQL injection vulnerability

This was referred to me by my friend in the college and on viewing the site, I found it was vulnerable to common SQLi. The scripts do not validate the GET variables and hence we can inject SQL queries through URL GET parameters.

Some interesting tables:
admin
client
personal_client_details

Anyway below is the screenshot of the hacked admin panel located at /admin



So if you are the webadmin of meroit.com you can find the article at http://www.sampctricks.blogspot.com to secure your PHP scripts...
Thanks...

Monday, 7 December 2009

www.pea.edu.np simple JS hack

Ok this was given to me as a challenge by sam and he said that he was given information about this site by some friend of him. He said me about javascript hacking in admin panel and I started to dig up. And finally I found that it didn't require any login(even the login user/pass is easy one: admin/a). I then found that the upload feature was also insecure. I got the shell and I could have utilized to root the box but I didn't. I just thought to make defacement of pea.edu.np.

Some PHP dumps:

addnew.php:

//clearly reflects their poor coding way...
<?
$path = "../";
//$thePage = "home";
include $path."includes/adminhead.php";
include $path."includes/headeradmin.php";
if($_POST['ok'])
{

$date1=$_POST['Date1'];
$title=$_POST['Title'];

$newfile=returnfilename($_FILES['fileattach'],"downloads");

$sqlquery= "INSERT INTO downloads VALUES('','$date1','$title','$newfile')";
$rt1=mysql_query($sqlquery) or die(mysql_error());

if($rt1)
{
print "<script>document.location='download.php';</script>";

}


}
?>

settings.php:
<?

// Online
/**/
$hostname="localhost";
$username="peaedu_peaedu";
$password="delta2009";
$db="peaedu_peadb";


/* LOCAL *

$hostname="localhost";
$username="root";
$password="";
$db="pea_db";
*/
$connectme=mysql_connect($hostname,$username,$password);
?>


Now the screenshot of the defaced site:



Thanks for reading this... and to site developers, learn fucking sense of security...

myktm.com SQLi vulnerability

Vuln: SQLi
Serious label: 3/5 (as user/pass can be stolen)
Actually, this hack was reported to us by someone anonymous. We don't have any information about him/her but thanks and full credit goes to you. Anyway, I think many of you have heard about myKtm.com, their skiddish forum and their Nepal messenger. Though I appreciate their effort in creating first Nepali IRC server/channel (I think they are the first), they need to learn about security. They talk in the leet way but they are insecured and since there are thousands of users registered over there, password compromise can be easily done.

[+] Exploit: SQLi
[+] The script doesn't validate the user input which can be used to do SQL injections and steal the important data from the system.

Samples [might have been changed since then]:

username: hash: email

admin:b09048fc8f1a2ac608012c327c60f973:admin@nepalexpo.com
huribatas:2f1157cdad63b7035e5252880bf6f9cc:huribatas111@hotmail.com
LSD:9ae90ad18eb0e8cfde193df7d258c09b:Lsd@myktm.com [admin of myKtm]
uTosTan:e7aebaae36f8ba319d46a7142218ef1e:utostan@gmail.com [super admin of myKtm, not sure though]

Ok that was enough to disclose them. I hope they take it positively. I want them to secure themselves. Drop a comment if you are myKtm-er and I will be replying on how to secure it...

Saturday, 5 December 2009

www.myrepublica.com multiple SQLi and XSS vulnerabilities

Myrepublica is one of the newer magazines and the site http://www.myrepublica.com is their online site. They usually do news update and hence the site provides recent news and happenings easily to the website visitors... But, again they are not secured and suffer from normal SQLi injection vulnerabilities.
Here are some dumps from the table users.
Username: password: emailid

ameet:1dhakal2:ameet@myrepublica.com
bikash:bik31@:bikash@myrepublica.com
prem:1khanal2:prem@myrepublica.com
premdhakal:dhakal123:premdhakal@myrepublica.com
pawan:terobaumerobau:pawan148@yahoo.com

etc...

Sample screenshot:

Some fucking notes to them:
1) Don't fucking keep plain passes in DB
2) Don't fucking make re-use of the same password
3) Read sam207's article on securing this vulnerability...
4) You're giving us the location of admin panels. fuck you... learn the sense of security.

Sorry but you are so lame that I had to deface you. No offense to myrepublica team(actually I like your newspaper), this message is to the developers of the site....
EDIT: I also found the site search system to be vulnerable to cross site scripting vulnerability.
Thank you!!!

Tuesday, 1 December 2009

www.thehimalayantimes.com SQLi vulnerability

The himalayan times is one of the national daily newspapers from nepal and its site www.thehimalayantimes.com like other common nepali websites is also vulnerable to normal web hack. Its again lame SQL injection caused due to the poor coding level. I am having eye pain right now because of welding so I won't be posting much but anyway below is the SQLi hack...
the admin information can be stolen from admin table while tbl_member consists of registered user information so this may lead to secret private data stealing....
admin table consists of columns:
admin_user
admin_pass
admin_email
admin_fullname, etc.

So SQL query: SELECT * FROM admin
is going to give us everything on table admin...
And they are also using base64 encoding. I have said previously too that a single call to base64_decode() in PHP or using online base64 decoders (www.yellowpipe.com has one) we are gonna get the actual pass easily.
Some dumps:
user:pass:email for admin

sajy.j:Z0kzdDRQOXM=:sajyjacob@yahoo.com
bipul:YmlwdWxzMQ==:bipulendra.adhikari@gmail.com
ARUN:c2lsaWNh:monsterdom@gmail.com
etc.
You can try and get the dumps yourself; no more dumps.
Read the article I have written in my blog sampctricks.blogspot.com  http://sampctricks.blogspot.com/2009/05/securing-php-avoid-basic-exploits-and.html in order to remove these vulnerabilities. You have lots of them in your scripts.
Edit:
again it is F1 Soft work most probably and has got so many vulnerabilities. Admin panel is in a bit less used place but we can find it easily (No need to overthink and do bruteforcing for admin cp)... Also @THT admins, do not change location of admin panel rather secure your scripts...
Couldnot upload the screenshot because of slow net connection and my eye problem...

Thanks...