Tuesday, October 18, 2011

Metallica Concert - Oct 30th, Bangalore

################################################
# Website: www.ticketgenie.in
# Date: 18.10.11
# Bug: XSS / SQLi / Multiple Vulnerabilities
################################################

Special advisory dedicated to all metal heads and headbangers from all over the world. The concert tickets for Metallica's show at Bangalore's Palace Grounds are available at the TicketGenie website... The tickets started getting sold publicly 3 days back according to a news website. So you can pay for the ticket or get it for FREE :D

How many tickets do you want? :))

Want to track other people's tickets?

BONUS: The login page is vulnerable to brute-force attacks, since there is no account lockout mechanism.

We have not included Proof-of-Concept demonstrations as with other posts, since the pages can be abused to buy free tickets :))

A website which deals with financial information should be better protected than this... I am NOT going to trust Ticket Genie with my credit card, unless they show some improvement with security.

Cheers,
Kish

Thursday, October 6, 2011

Exploit Pack - Another Open Source Security Framework

Hey y'all,

Exploit Pack is a new framework by former CORE Security employee Anibal Sacco, so I am not surprised he uses Python for the engine... Core IMPACT uses a similar style. The GUI is Java based though; why oh why do people code in this memory-intensive thing called Java? Cut me some slack with the platform independence please...

OK, Python is very versatile for coding a framework (eg: Immunity's CANVAS)... but with IMPACT, CANVAS and Metasploit in the fray, especially MSF (which has gained enormous feedback and support, which is why Rapid7 bought the framework and paid developers to continue the good work), as a fourth addition it may or may not make it... but it will certainly be a learning experience for the "new business" entrepreneur.

Interestingly enough, Metasploit has become super integrated into the "security tools" (that we use regularly) and has cemented its place as the de-facto standard for client-side, phishing, churning new sploits, wifi pen testing, web application exploitation, even PBX systems can be attacked, and with the new vSploit modules being introduced, it just keeps getting better and better... CORE pwned MSF simply by integrating the framework itself into IMPACT's arsenal. Currently IMPACT has over 2500 exploits and counting... :))

If I had mad assembly skills and had learnt exploit coding from CORE's internal resource, Gera, I would be coding exploits and selling them to ZDI hands down... Plus, the $2 USD bounty is very minuscule compared to Google, Facebook and other bug bounties :)

Now that I have reasoned out a lot of "cons", here's one big "pro"... When the users read these words, "module editor that allows you to create your own custom exploits" (similar to MSF eXploit Builder by Jerome Athias), remember that you can still edit the templates in CANVAS or MSF to do the same thing, only in Python / Ruby respectively. Immunity had a similar plugin called VisualSploit to build exploits graphically, but they stopped selling it soon after introducing it... Recently they started giving out VisualSploit with every CANVAS license...

Saw this a couple of days ago on Twitter. Good luck to him, he is talented... but is he business savvy? That's for us to wait and see...

Visit http://www.exploitpack.com for more details

Cheers,
Kish

Wednesday, September 14, 2011

Mexico CNN Website - Open redirect

########################################
# Website: http://mexico.cnn.com
# Date: 14.09.11
# Bug: Open Redirection Page
########################################

Click here for demo

I could use a r57shell with this to make it look more scary :)

Sidenote: GoDaddy has made an effort to make us look good, by putting up their default banner... hmmm!

Cheers,
Kish

Monday, July 11, 2011

New Google Dork (Thanks AXN!)

Presenting our own Google dork, which stemmed from the AXN site goodies... To check whether a particular site uses jQuery extensively...

You can use this query...
intext: * jQuery 1.2.6 - New Wave Javascript * * Copyright (c)

You can check a specific website using the site operator...

Cheers,
Kish

AXN India - Exposed to the Internet

A simple Google query did the trick... :D

This is not a great flaw by itself... the site's administration should not be enabled for all internet users (to play with and break the authentication)... We did not poke with the authentication scheme, hehe ;)

Update: We also found cron.php, install.php, xmlrpc.php, half a dozen email addresses, directory traversal (scripts, modules, profiles, themes, sites) and lots more...

We stopped playing because we didn't want to end up accidentally hacking the website :))

Bottom line: functionally sound; security-wise, a bad idea?

Shouts to Jaymee Ong... (marry me please!) and the eBuzz Team, whose programme was being featured on AXN before I found the goodies :D

Money Image - Error Based SQLi

########################################
# Website: www.moneyimg.com
# Date: 11.07.11
# Bug: SQLi (SQL Injection)
########################################

Money Image is a website similar to ImageShack :)

Click here for demo

Fix your input validation, fellas!

Cheers,
Kish

Matasano Chargen - Redirection

########################################
# Website: www.matasano.com
# Date: 11.07.11
# Bug: Cross Site Scripting / Redirect
########################################

When reading their blog, you surf their services page, check out their RFP page and what comes up suddenly... a redirection page, hehe :D

>> Click here for redirect demo <<

This one was totally unintended, but fun nonetheless, spotting bugs in a security company's website!

Cheers,
Kish

Wednesday, June 29, 2011

No research of late (Kosova Airlines)

We have not been doing a lot of research and poking lately, in websites or networks...

We will eventually find time and start looking for throwaways (XSS / SQLi). Please understand that full disclosure is good for everybody, instead of security by obscurity.

In the meantime, check out the Kosova Airlines website at www.flyksa.com

Or you can access their database here. Need I say more about bad coding practices?

Cheers,
Kish