Saturday 31 October 2009

Venus.com.np Security Disclosure

Venus.com.np Hackz:



Last 4 lines of .htaccess:

AuthType Basic
AuthName www.venus.com.np
AuthUserFile /home/venus/public_html/_vti_pvt/service.pwd
AuthGroupFile /home/venus/public_html/_vti_pvt/service.grp





Example of poor coding:

<?php
$inc = $_GET['page'] . '.php';
if ($inc == '.php') $inc = 'home.php';
//echo $inc;
?>


Nothing more to say. You know how vulnerable they are. Happy Hacking!!! :)

placementNepal.com Security Disclosure

I hate placementnepal.com and its parent hitechacademy. They say they have the best coders, but their coders suck. Owning placementNepal.com was not a big deal as they don't know what security is and hence can't secure themselves.



Interesting tables in the database of placementNepal:

clients
cusers
privileges
recruitusers
userprivileges
users
uusers



And they don't store your passwords encrypted in their database, so don't reuse your email account passwords or any other passwords on placementNepal.com.

Some sample login examples:




No more disclosure. Sorry to those whose emails were selected randomly...

Thank you and Happy Hacking... :)

Nepal telecom phpinfo() disclosure

Cyb3r Lord had previously posted the hacks that can be used to exploit the NTC website. He also talked about phpinfo() on the NTC site. However, he didn't share the contents of NTC's phpinfo(), so I thought I'd share it with you guys.



Code:

<?php
phpinfo();
?>



Some parts from it:



System          Linux bhadrakali.ntc.net.np 2.6.18-8.el5 #1 SMP Thu Mar 15 19:57:35 EDT 2007 i686
Build Date      Jul 16 2008 19:54:37
Server API      Apache 2.0 Handler
PHP.INI path    /etc/php.ini

Directive             Local Value       Master Value
allow_url_fopen       On                On
expose_php            On                On
magic_quotes_gpc      On                On
magic_quotes_runtime  Off               Off
register_globals      On                On
safe_mode             Off               Off
SMTP                  seti.ntc.net.np   seti.ntc.net.np



Why the hell are they keeping register_globals on? Sucks... And why would they want allow_url_fopen on? Learn some security. Other critical information is not disclosed here.
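A small audit script for the directives listed in the phpinfo() excerpt, added here as an example and not anything taken from the NTC server; the baseline values it compares against are assumptions reflecting a locked-down php.ini.

```php
<?php
// Added example: check the directives from the phpinfo() excerpt against a
// locked-down baseline. The baseline values are assumptions, not NTC's.

declare(strict_types=1);

// Directive => value it should have. The first four were removed in PHP 5.4;
// on such builds ini_get() returns false and the script reports them absent.
const BASELINE = [
    'register_globals'     => false,  // request vars must not become globals
    'magic_quotes_gpc'     => false,  // never a real SQLi defence
    'magic_quotes_runtime' => false,
    'safe_mode'            => false,
    'allow_url_fopen'      => false,  // include()/fopen() must not fetch URLs
    'allow_url_include'    => false,
    'expose_php'           => false,  // no X-Powered-By version header
    'display_errors'       => false,  // paths and traces belong in logs only
];

// ini_get() hands back "1"/"" for booleans set in code and "On"/"Off"
// when written that way in php.ini; fold both shapes into a bool.
function iniBool(string $raw): bool
{
    return filter_var($raw, FILTER_VALIDATE_BOOLEAN);
}

// One row per directive: [name, current value, ok?]. Also reports whether
// phpinfo() is in disable_functions, since it should not be reachable by
// anonymous visitors at all.
function auditIni(): array
{
    $rows = [];
    foreach (BASELINE as $directive => $want) {
        $raw = ini_get($directive);
        if ($raw === false) {
            $rows[] = [$directive, 'absent', true];
            continue;
        }
        $rows[] = [$directive, $raw === '' ? 'Off' : $raw, iniBool($raw) === $want];
    }
    $disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    $rows[] = ['phpinfo()', in_array('phpinfo', $disabled, true) ? 'disabled' : 'callable',
               in_array('phpinfo', $disabled, true)];
    return $rows;
}

foreach (auditIni() as [$directive, $have, $ok]) {
    printf("%-22s %-10s %s\n", $directive, $have, $ok ? 'OK' : 'FIX');
}
```

Run it from the command line with the same php.ini the web server loads (php -c /etc/php.ini audit.php), otherwise the CLI defaults are what gets audited.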

Thanks

Hitechacademy Security Disclosure

Hi there,

In this post, I am going to disclose the security issues of Hitech Academy, which gives computer training to many students. Though it says it's one of the best in Nepal, it knows nothing about security, so I thought I'd disclose them...



Learn some coding, Hitech guys. The manager told me in my interview that he has some of the best-paid programmers in Nepal and that you (meaning I) can't compete with them, so sorry for this time.



From index.php:

if(isset($_GET['action']))
{
    include("includes/".$_GET['action'].".php");
}



WTF? Don't you know how to validate variables? Sucks... Poor coding.



From DBConnection file:

<?php
$dbuser="hitechac_hitech";
$dbpassword="hitech";
$database="hitechac_hitech";

$host = "localhost";

$ado=new data($host,$dbuser,$dbpassword,$database);
?>



From one of the functions file:

function adminLogin($username, $password)
{
    global $ado;
    global $userGroups;

    $sql = "SELECT u.* FROM users u, usergroups ug WHERE u.username = '$username' AND u.password = '$password'
            AND u.userGroupId = ug.id AND ug.name = 'admin'";
    $result = $ado->exec($sql);

    if ($ado->count_row($result) > 0)
    {
        //login successful
        $row = $ado->fetch_array($result);

        $_SESSION['userId'] = $row['id'];
        $_SESSION['userFullname'] = $row['fullname'];
        $_SESSION['userUsername'] = $row['username'];
        $_SESSION['userGroupId'] = $row['userGroupId'];

        $gResult = $userGroups->getById($row['userGroupId']);
        $gRow = $ado->fetch_array($gResult);

        $_SESSION['userGroupPower'] = $gRow['power'];
        $_SESSION['userGroupName'] = $gRow['name'];

        return true;
    }
    //invalid login
    return false;
}



WTF? Don't you know an SQLi vuln is very bad?



Hitech email login PHP script snippet:



<?
session_start();
if (isset($_POST['Submit']))
{
    if ($_POST['username'] == "hitechemail" && $_POST['password'] == "emailhitech")
    {
        $_SESSION['userId'] = "hitech";
        header("Location: index.php");
        exit();
    }
}
?>


LOL... passwords in plain form. Learn to use md5(), hitech.



To Hitech Academy, please correct the following information on your site (don't hide the truth from your clients; just say how lame you are...):



HiTech Academy is an institution established with the aim of providing (non-)quality education and training in the field of Basic (and Advance; remove this) Computing, Computer Accounting, Hardware and Networking, (Add insecure) Computer Programming, Web Designing, Tele-communications, English Language and Personality Development and a host of other allied subjects. It also provides job placement services to its students as well as other job seekers.

HimalTech [ISP] Security Disclosure

This is a minor one (at least I think so). Himaltech is an ISP from Nepal (though I had never heard of it). First thing: don't host on a Windows system; use a free and open source Linux distro... They are cheaper, I think.



From index.php (exploitable snippet):

if(($p == "") && ($q != "")){
    $filename = $q;
} elseif($p != ""){
    $filename = $p."/content";
} else {
    $filename = "home";
}
include($filename.$ext);



WTF? How are you doing includes? Fucking noobish.
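The three include patterns on this page, Venus's $_GET['page'] . '.php', Hitech's include("includes/".$_GET['action'].".php") and the $p/$q/$ext include just above, all have the same fix: map the request value onto a fixed list of pages instead of building a path from it. The following is an added example written for this page, not code from any of the three sites; the includes/ directory and the page names in the allowlist are assumptions.

```php
<?php
// Added example: safe page dispatch for the "?page=" / "?action=" pattern.
// The includes/ directory and the allowlist entries are assumptions.

declare(strict_types=1);

const PAGE_DIR = __DIR__ . '/includes';

// Only these request values are ever turned into a file name. The request
// value is a key, not a path fragment, so "../", "http://", ".php%00" and
// the like never reach include().
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

// Resolve a request value to an includable file, or null if it is not a
// known page. An empty value falls back to home.php like the original code.
function resolvePage($requested): ?string
{
    if ($requested === null || $requested === '') {
        $requested = 'home';                 // same default as the original code
    }
    if (!is_string($requested) || !array_key_exists($requested, PAGES)) {
        return null;                         // arrays (?page[]=x) and unknown names
    }
    $path = realpath(PAGE_DIR . '/' . PAGES[$requested]);
    // Defence in depth: the resolved file must really sit inside PAGE_DIR,
    // so a mis-edited allowlist cannot point outside the web tree.
    $base = realpath(PAGE_DIR);
    if ($path === false || $base === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Read the parameter explicitly from $_GET; with register_globals off there
// is no $p / $q / $page appearing out of nowhere.
$file = resolvePage($_GET['page'] ?? null);
if ($file === null) {
    http_response_code(404);
    exit('Unknown page');
}
include $file;
```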



From one of the PHP scripts:



$query = "UPDATE newsFeed set date='". $_POST['dated'] ."' WHERE id='". $_POST['id'] ."'";



Oh hell, learn to validate the inputs. What would happen if an evil user submitted some malformed input?



Some configs from the functions.php:



<?php
$isp[lname] = "HimalTech Internet Services";
$isp[sname] = "HimalTech";
$isp[sup_tel] = "443-9541, 01-621-8615";
$isp[gen_tel] = "+977 (1) 44 39 541";
$isp[sup_email] = "support@himaltech.com";
$isp[gen_email] = "info@himaltech.com";

$radHost = "himaltech.com";
$radUser = "phpmgmt";
$radPass = "**EDITED**";
$radName = "radius";

$newsHost = localhost;
$newsUser = "himal";
$newsPass = "**EDITED**";
$newsName = "ht";
............
?>


And some arrays:



$nas = array(
    "69.88.8.94" => array("port" => 30, "name" => "Dhau"),
    "10.0.0.3" => array("port" => 30, "name" => "vold_dhau"),
    "202.161.146.197" => array("port" => 30, "name" => "old_dhau"),
    "202.161.146.209" => array("port" => 30, "name" => "dhauold")
);



So that was the show on himaltech. Happy hacking!!! :)

Government sites SQLi vulnerabilities series I

Most of the Nepali government sites are not updated and are also pretty insecure. So here I thought I'd list some of the hackable government sites.

Risk: Various

Dork: WTF? Figure it out yourself...



http://www.Can.gov.np:
Path: /web/vhosts/can.gov.np/httpdocs/
Vuln: SQLi

http://www.ccwb.gov.np:
Vuln: SQLi

http://www.dfrs.gov.np:
Vuln: SQLi
Admin panel: http://www.dfrs.gov.np/admin/login.php

http://www.dhm.gov.np:
Vuln: SQLi
Admin panel: /dhmadmin

http://www.dvsdt.gov.np:
Vuln: SQLi

http://www.kathmandu.gov.np:
Vuln: SQLi

http://www.mofsc.gov.np:
Vuln: SQLi

http://www.moi.gov.np:
Vuln: SQLi

http://www.npc.gov.np:
Vuln: SQLi

http://tourismnepal.gov.np:
Vuln: SQLi

http://www.moe.gov.np:
Vuln: SQLi



There are more vulnerable sites... These were just examples... They are vulnerable to the most common exploit (SQL injection), which can be done even by fucking script kiddies. This post is a message to the government bodies to secure their sites...



Below are sample PHP snippets from Can.gov.np:



From index.php

<?
//session_start();
include "admin/dbconn.php";
//Global.php gets language setting and returns $SEL_LANGUAGE=en or np
include "global.php";
//Parameters depending on Language settings
include "myvar.php";
include "removetags.php";
?>



From one of the scripts (not disclosed to prevent script kiddies):

$queryParent="select $THE_SEC from tblsections where secid=$secid and attrib='P'";
$resultParent=mysql_query($queryParent);
$rowParent=mysql_fetch_row($resultParent);
$secName=$rowParent[0];
//Get Section Content
$queryParent="select $SEC_CONTENT from $ContentTable where secid=$secid and attrib='P' order by contentdate desc";
$resultParent=mysql_query($queryParent);
$rowParent=mysql_fetch_row($resultParent);
$secContent=str_replace("THE_ANT_SINGLE_QUOTE","'",$rowParent[0]);
$secContent=str_replace("opensection.secid:","**editedByMe**",$secContent);
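The adminLogin() function at Hitech, the UPDATE newsFeed query at HimalTech and the tblsections/$ContentTable queries above all interpolate request data straight into SQL. The following is an added example, not code from any of these sites: the same adminLogin() and news-date update written with PDO prepared statements, with the password stored as a password_hash() digest and checked by password_verify() rather than the md5() suggested earlier. Table and column names follow the snippets on the page; the $pdo connection and the newsFeed date format are assumptions.

```php
<?php
// Added example, not code from the disclosed sites. Uses PDO (the mysql_*
// functions are gone from current PHP) and assumes a $pdo connection
// created elsewhere, e.g. new PDO('mysql:host=127.0.0.1;dbname=...', ...).

declare(strict_types=1);

function adminLogin(PDO $pdo, string $username, string $password): bool
{
    // Placeholders keep user input out of the SQL text, so a username such as
    // "admin' -- " is compared as a literal string instead of rewriting the query.
    $sql = "SELECT u.id, u.fullname, u.username, u.userGroupId, u.password,
                   ug.power, ug.name AS groupName
            FROM users u JOIN usergroups ug ON u.userGroupId = ug.id
            WHERE u.username = :username AND ug.name = 'admin'";
    $stmt = $pdo->prepare($sql);
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // users.password holds a password_hash() digest, never the plain password,
    // so a database dump like the ones on this page does not yield logins.
    if ($row === false || !password_verify($password, $row['password'])) {
        return false;                       // invalid login
    }

    session_regenerate_id(true);            // fresh session id after privilege change
    $_SESSION['userId']         = $row['id'];
    $_SESSION['userFullname']   = $row['fullname'];
    $_SESSION['userUsername']   = $row['username'];
    $_SESSION['userGroupId']    = $row['userGroupId'];
    $_SESSION['userGroupPower'] = $row['power'];
    $_SESSION['userGroupName']  = $row['groupName'];
    return true;
}

function updateNewsDate(PDO $pdo, int $id, string $date): int
{
    // Check the date's shape before it reaches the database; the int type on
    // $id means "1' OR '1'='1" can never arrive here as an id.
    if (!preg_match('/^\d{4}-\d{2}-\d{2}$/', $date)) {
        throw new InvalidArgumentException('date must be YYYY-MM-DD');
    }
    $stmt = $pdo->prepare("UPDATE newsFeed SET date = :date WHERE id = :id");
    $stmt->execute([':date' => $date, ':id' => $id]);
    return $stmt->rowCount();
}

// Usage: the (int) cast turns a non-numeric id into 0, which matches no row.
// updateNewsDate($pdo, (int) $_POST['id'], $_POST['dated']);
```

The same placeholder approach covers the Can.gov.np queries: $secid becomes a bound integer parameter, while $THE_SEC and $ContentTable, which are column and table names and cannot be bound, must come from a fixed map keyed by language rather than from the request.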



From dbconn.php

<?
/*
$datahost = "localhost";
$dbusername = "root";
$dbuserpass = "";
$database = "can_gov_np";
*/

$datahost = "127.0.0.1";
$dbusername = "can";
$dbuserpass = "**EDITED**";
$database = "can_gov_np";

// Database Server Connection
$link = mysql_connect("$datahost", "$dbusername", "$dbuserpass")
    or die("Could not connect : " . mysql_error());
// print "Connected successfully\n";

// Database Connection
mysql_select_db("$database") or die("Could not select database");
// print "Database Selected successfully\n";
?>


Thanks for reading this...

CyberSansar Database Disclosure

Not much important here (it's an old one), but I still thought I'd share these. You know cybersansar.com is one of the most visited sites from Nepal, and still it's vulnerable to SQLi and XSS. They need to learn coding. Anyway, today I am going to show you some old DB dumps of cybersansar.com (I think most of these are still the same at present, too).
Let's start:

Cyber Sansar virtual host info:

####cybersansar.com

ServerAdmin webmaster@cybersansar.com
DocumentRoot /web/vhosts/cybernepal.com.np/httpdocs
ServerName cybersansar.com
ServerAlias www.cybersansar.com

##PHP / phpmyadmin
php_value register_globals "on"
Include /etc/apache/modules.d/vhosts_modphp
Include /etc/apache/modules.d/vhosts_phpmyadmin

## htpasswd
Include /etc/apache/extra/cybernepal_include


## ReWrite Module
RewriteEngine on
RewriteCond %{HTTP_HOST} !^202.79.32.62(:80)?$
RewriteCond %{HTTP_HOST} !^www.cybersansar.com(:80)?$
RewriteRule ^/(.*) http://www.cybersansar.com/$1 [L,R]
RewriteOptions inherit
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

ErrorLog /web/vhosts/cybernepal.com.np/logs/error.log
CustomLog /web/vhosts/cybernepal.com.np/logs/access.log common



DB Dumps:
INSERT INTO `logonuser` VALUES ('cardb', 'ptcn');
INSERT INTO `logonuser` VALUES ('admin', 'rajendra1');

Emails of artists:

I just selected a few of them from the DB. There were more... Also, the DB dump revealed phone numbers of around 116 singers/artists. Do not contact me to send you the phone numbers of the singers unless you have some genuine reason (hardcore fan; you need to give me proof).

Tables in CyberSansar's DB:
adminlogin
artist_info
artist_info2
cs_adminuser
cs_menucategory
cs_model_info
cs_section
cs_wallpaper
discography
doc_ques_ans
doc_sub
logers
logonuser
org_para
phpwebgallery_caddie
phpwebgallery_categories
phpwebgallery_comments
phpwebgallery_config
phpwebgallery_favorites
phpwebgallery_group_access
phpwebgallery_groups
phpwebgallery_history
phpwebgallery_image_category
phpwebgallery_image_tag
phpwebgallery_images
phpwebgallery_rate
phpwebgallery_search
phpwebgallery_sessions
phpwebgallery_sites
phpwebgallery_tags
phpwebgallery_upgrade
phpwebgallery_user_access
phpwebgallery_user_cache
phpwebgallery_user_feed
phpwebgallery_user_group
phpwebgallery_user_infos
phpwebgallery_user_mail_notification
phpwebgallery_users
phpwebgallery_waiting
regis
tbl_movie_artist_profile
tbl_movie_person
tbl_movie_persontype
tbl_movie_profilesetup
test1
test2
vdb_artist_info
vdb_discography
vdb_music_category
vdb_video_info

So that's the end of the show... Feeling sleepy (it's 12:23 AM already). Bye guys.
Thanks and Happy Hacking!!! :)

Tuesday 27 October 2009

IOE, Pulchowk website SQLi vulnerability


IOE.edu.np SQLi vulnerability:

Site: www.ioe.edu.np
Risk: Low [I just did it quickly, and it seems there's no critical data on the site]
Notified: NO
/*Action from Admin: N/A*/
Vulnerable file: You should figure it out easily
Exploit: The PHP script does not validate the inputs from the user, which can be used to compromise the database.
Solution: sam207 has written an article on it.

Just added this one to show what our security is like. We don't care, or we don't know how to...
Thank you.

Enasha SQLi vulnerability

Enasha.com SQLi vulnerability:

Site: www.enasha.com
Risk: Medium - High
Notified: YES
Action from Admin: N/A
Vulnerable file: Admins, check email
Exploit: The different pages do not validate the inputs from the user, which can be used to compromise the database.
Solution: sam207 has written an article on it.

Sample screenshot:

See the title of the site...

Laxmibank.com XSS/SQLi vulnerability

Laxmi Bank XSS/SQLi vulnerability:

Site: www.laxmibank.com
Risk: Medium - High
Notified: YES
Action from Admin: N/A
Vulnerable file: searchpage.asp
Exploit: The search doesn't sanitize the input from the user, so it suffers from XSS. Moreover, specially crafted SQL queries can be run through the search box.
Solution: sam207 has written an article on it.

Note that we notified Laxmi Bank about this a long time ago, but they neither replied nor updated their site.

Nepal Telecom XSS vulnerability

Nepal Telecom XSS vulnerability:

Site: www.ntc.net.np
Risk: Low
Notified: YES
Action from Admin: N/A
Vulnerable file: /search/searchresult.php
Exploit: The search doesn't sanitize the input from the user, so it suffers from XSS.
Solution: sam207 has written an article on it.

Another message to NTC: you are open to a lot of problems. We got all the PSTN Bank user logins (we also know where to log in from), and what's the point of putting phpinfo() online? We grabbed the PHP information from NTC. Also, why would you put the Apache manual on the website (though it isn't a potential risk)? Contact us if you want to know more vulnerabilities that I think I shouldn't discuss here.
Thank you.

Madhavnepal.com SQLi vulnerability

MadhavNepal.com SQLi vulnerability:

Site: www.madhavnepal.com
Risk: Low-Medium [you need to find the admin panel, and MySQL<5]
Notified: YES
Action from siteadmin: N/A
Vulnerable file: large_tasbir.php
Exploit: large_tasbir.php does not filter the id variable passed to it.
Example: We know so we don't post...
Solution: sam207 has written an article on it.

Sample screenshot:



Note that the site administrator has been notified with this vulnerability. Thank you.