Monday, 12 April 2010

Cybersansar vulnerability re-exposed

One of the most visited sites from Nepal, CyberSansar.com is vulnerable to lots of serious injections like SQLi and XSS but today here I'm going to post the SQL injection in the site. I hope they will try to fix the site after reading this post. No offense at all to them. Moreover, the MySQL version is greater than 5 so its easier for the attacker to steal the database information.
User: database => cybernepal3@localhost:cybernepal_3
Tables:
album_detail
album_master
album_person_related
art_gallery
art_gallery_image
art_gallery_path
art_grp_tag_gal
art_tag_gallery
art_tag_photo
art_tags
article_person_related
author
bachelor_user_logon
bc_category_para
bc_final_person_profile
bc_person_profile
bc_photo_folder
bc_profile_list
bc_profile_para
contest_master
contest_question_detail
contest_question_master
cs_birthday_wish
discography
ethnicity_para
ev_gallery
ev_gallery_image
ev_gallery_path
ev_grp_tag_gal
ev_person_related
ev_tag_gallery
ev_tag_photo
ev_tags
event_master
event_para_person_related
event_type
gallery
gallery_image
gallery_path
group_list
grp_tag_gal
job
org_para
org_type
person_persontype
person_taghion
photographer
popular_models
pr_category_para
pr_gallery_image
pr_hion
pr_person_detail
pr_person_profile
pr_persontype
pr_persontype_para
pr_photos
pr_profile_list
pr_profile_para
pr_question_related
pr_subcategory_para
pr_users
profile
profile1
profile_persontype
register_users
section
song_genre_related
song_orginal_singer_related
song_person_related
srw_login
srw_news
tag
tag_article
tag_gallery
tag_list
tag_photo
tags
user_logon
users
users_artist
vdb_music_category
vdb_video_info
vdb_video_info_backup
video_feature_singer_related
video_genre_related
video_orginal_singer_related
video_person_related
wallpaper
wallpaper_gallery 
I'm lazy to dump each column's data lol. Anyway, its just the message to CS how insecure they are.
Hope they fix this soon.

6 comments:

  1. and of course, happy new year 2067 in advance.

    ReplyDelete
  2. I appreciate the good service you are doing by pointing out security flaws for free for nepali websites and companies.

    HOWEVER ..haha you claim you are the "first hacker group" ? Really? Well I assume you guys don't know the history of hacker groups in Nepal. I was a founding member of one of the earliest hacker groups in Nepal. Of course these days I am not in Nepal..so I am talking about things that happened 5-8 years ago. However there was another hacker group before we existed and later we did merge into one super group. Of course I don't like to brag that much considering that you guys are probably pumping out more XSS/SQL injection vulns than we probably did. However we had some really cool high profile hacks that were beyond compromising web security.

    Now a word of advice. If you want to become hardcore hackers than you need to have deep knowledge of computer science, programming and operating systems. Hell even "psychology", and mind warfare are essential weapons. Now being a hacker isn't just about security. It is a mindset and a lifestyle. While me and others seem to have strayed away from the "scene" that we once helped create as a strong underground movement it is great to see capable youngsters like you guys fill in our shoes. I probably sound like I am rambling and bragging a lot but the Nepali hacking scene has a wonderful history and I hope you guys don't forget us regardless of how lame or proficient we might have been. Not speaking for myself but I had the good fortune of getting to know one of the most technically proficient and intelligent friends whom I have mostly lost in time.

    ReplyDelete
  3. Hello there Anonymous,
    thanks for your wonderful comments. I'm curious to know about the hacker group that existed before 5-8 years ago and if any member of it is still active, it would be great to merge with them and create a new community.
    Please give us the information about your hacker group so that I can add a new text label here in the blog.
    And also thanks for you wonderful advice and yeah we're trying to create the great proficient community here in Nepali hacking underground scene. I hope you read these comments and drop me an email about you and your group.
    Thanks a lot.

    ReplyDelete
  4. And yeah of course, we respect any hackers group that existed before but I could not get any information about any Nepali hacker groups in the net.

    ReplyDelete
  5. Extended use

    http://pastebin.com/fCC1fABd

    ReplyDelete
  6. YOu guys should check this out !

    http://www.youtube.com/watch?v=Tv9cfI5s9rk

    ReplyDelete