Showing posts with label Insecure. Show all posts

Tuesday, March 19, 2013

Remote File Inclusion - Papa Johns Pizza

################################################
# Website: www.papajohnspizza.in
# Date: 20.03.13
# Bug: File Inclusion (Remote / Local)
###############################################



And please, guys, make your website a little more secure; it shouldn't take 'just' 20 minutes for server pwnage (sic)... Do your homework on the login page and the client-side scripting, and remove the plugins that are not necessary... More importantly, allocate a budget towards securing your website, because your WWW is your brand image on the Internet.

Cheers,
Kish

Tuesday, October 18, 2011

Metallica Concert - Oct 30th, Bangalore

################################################
# Website: www.ticketgenie.in
# Date: 18.10.11
# Bug: XSS / SQLi / Multiple Vulnerabilities
###############################################

Special advisory dedicated to all metal heads and headbangers from all over the world. The concert tickets for Metallica's show at Bangalore, Palace Grounds, are available on the TicketGenie website... The tickets started getting sold publicly 3 days back, according to a news website. So you can pay for the ticket or get it for FREE :D


How many tickets do you want? :))



Want to track other people's tickets?

BONUS: The login page is vulnerable to brute-force attacks, since there is no account lockout mechanism.

We have not included Proof-of-Concept demonstrations as with other posts, since the pages can be abused to buy free tickets :))

A website which deals with financial information should be better protected than this... I am NOT going to trust Ticket Genie with my credit card, unless they show some improvement with security.

Cheers,
Kish

Wednesday, September 14, 2011

Mexico CNN Website - Open redirect

########################################
# Website: http://mexico.cnn.com
# Date: 14.09.11
# Bug: Open Redirection Page
########################################


Click here for demo

I could use a r57shell with this to make it look more scary :)

Sidenote: GoDaddy has made an effort to make us look good, by putting up their default banner...hmmm !
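The fix for an open redirection page like this one is to refuse any target the browser could resolve to another origin. The check below is an added example and not code from the site in the advisory; the allowlisted host names are assumptions standing in for the site that owns the redirect page.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed example, not code from the site in the advisory. The host names
# are assumptions standing in for the site that owns the redirect page.
ALLOWED_HOSTS = {"www.example.com", "mexico.example.com"}
FALLBACK = "/"


def safe_redirect_target(target: str) -> str:
    """Return a redirect target that stays on our own site, or FALLBACK.

    Rejects anything a browser could resolve to another origin: absolute URLs
    to foreign hosts, scheme-relative '//host', backslash variants such as
    '/\\host', non-https schemes and control characters.
    """
    if not target:
        return FALLBACK
    target = target.strip()
    # Browsers normalise control characters and backslashes differently from
    # urlsplit, so refuse them outright rather than guess.
    if any(ord(c) < 0x20 for c in target) or "\\" in target:
        return FALLBACK
    # '//evil' and '///evil' both resolve to a foreign host in browsers.
    if target.startswith("//"):
        return FALLBACK
    try:
        parts = urlsplit(target)
    except ValueError:  # e.g. malformed IPv6 brackets
        return FALLBACK
    if not parts.scheme and not parts.netloc:
        # Plain site-relative path: must start with a single '/'.
        if not parts.path.startswith("/"):
            return FALLBACK
        return urlunsplit(("", "", parts.path, parts.query, parts.fragment))
    # Absolute URL: only https to an allowlisted host. parts.hostname drops
    # userinfo and port, so 'https://www.example.com@evil.test/' is judged by
    # 'evil.test', not by what precedes the '@'.
    if parts.scheme == "https" and parts.hostname in ALLOWED_HOSTS:
        return target
    return FALLBACK
```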

Cheers,
Kish

Monday, July 11, 2011

New Google Dork (Thanks AXN!)

Presenting our own Google dork, which stemmed from the AXN site goodies... To check whether a particular site uses jQuery extensively...

You can use this query...
intext: * jQuery 1.2.6 - New Wave Javascript * * Copyright (c)


You can check a specific website using the site operator...

Cheers,
Kish

AXN India - Exposed to the Internet

A simple google query did the trick... :D







This is not a great flaw by itself... the site's administration should not be enabled for all Internet users (to play with and break the authentication)... We did not poke at the authentication scheme, hehe ;)



Update: We also found cron.php, install.php, xmlrpc.php, half a dozen email addresses, directory traversal (scripts, modules, profiles, themes, sites) and lots more...



We stopped playing, since we didn't want to end up accidentally hacking the website :))

Bottom line: Functionally sound, security wise - bad idea?

Shouts to Jaymee Ong... (marry me please !) and the eBuzz Team, whose programme was being featured on AXN before I found the goodies :D

Money Image - Error Based SQLi

########################################
# Website: www.moneyimg.com
# Date: 11.07.11
# Bug: SQLi (SQL Injection)
########################################

Money Image is a website similar to ImageShack :)

Click here for demo


Fix your input validation fellas !
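What "error based" means in practice, and what the fix looks like, as an added example (not code from moneyimg.com): an image lookup by id written with string concatenation beside the parameterised version, over a small constructed in-memory table. The same fix applies to the IPL T20 advisory further down, where the injection allowed inserts, updates and deletes.

```python
import sqlite3

# Constructed example, not code from the site in the advisory: an image lookup
# by id written the vulnerable way and the parameterised way.


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE images (id INTEGER PRIMARY KEY, owner TEXT,"
                 " filename TEXT, private INTEGER)")
    conn.executemany("INSERT INTO images VALUES (?, ?, ?, ?)",
                     [(1, "alice", "cat.jpg", 0), (2, "bob", "passport.jpg", 1)])
    return conn


def public_image_vulnerable(conn, image_id: str) -> list:
    # The request parameter is pasted into the SQL text, so a quote in it ends
    # the string literal and everything after it is parsed as SQL.
    sql = f"SELECT filename FROM images WHERE private = 0 AND id = '{image_id}'"
    return [row[0] for row in conn.execute(sql)]


def public_image_safe(conn, image_id: str) -> list:
    # Bound parameter: the value travels separately from the statement and is
    # never parsed as SQL, whatever characters it contains.
    sql = "SELECT filename FROM images WHERE private = 0 AND id = ?"
    return [row[0] for row in conn.execute(sql, (image_id,))]


def leaked_error(conn, image_id: str) -> str:
    """What makes the bug 'error based': the database's own error text.

    Returns the message the vulnerable query raises for this input, or '' if
    the query ran. A page that echoes this message describes the query being
    injected into; catch the exception and return a generic error instead.
    """
    try:
        public_image_vulnerable(conn, image_id)
        return ""
    except sqlite3.Error as exc:
        return str(exc)
```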

Cheers,
Kish

Matasano Chargen - Redirection

########################################
# Website: www.matasano.com
# Date: 11.07.11
# Bug: Cross Site Scripting / Redirect
########################################

When reading their blog, you surf their services page, check out their RFP page and what comes up suddenly... a redirection page, hehe :D

>> Click here for redirect demo <<


This one was totally unintended, but fun nonetheless spotting bugs in a security company's website !

Cheers,
Kish

Wednesday, June 29, 2011

No research of late (Kosova Airlines)

We have not been doing a lot of research and poking lately, in websites or networks...

We will eventually find time, and start looking for throw aways (XSS / SQLi). Please understand that full disclosure is good for everybody, instead of security by obscurity.

In the meantime, check out the Kosova Airlines website at www.flyksa.com


Or you can access their database here. Need I say more about bad coding practices?

Cheers,
Kish

Thursday, December 30, 2010

ISS - Internet Security Systems?

I have great respect for the guys at ISS X-Force... You guys are the best, nothing personal :)

Although, I'm certain they wouldn't approve of this screenshot here...


Vuln URL: hxxp://webapp.iss.net/Search.do

On Behalf of Crimemachine, Wish You (Our Readers) a Happy New Year Guys

We are Back ! ;)

Wednesday, July 28, 2010

Talk about facebook funnies

http://graph.facebook.com/566543089 -> now that's funny ! :D

{
"id": "566543089",
"name": "Leo Fu",
"first_name": "Leo",
"last_name": "Fu",
"link": "http://www.facebook.com/people/Leo-Fu/566543089",
"gender": "male",
"locale": "zh_HK"
}


One more, just to make sure we can still rely on Facebook ;)

nyaaaa, what's that : http://graph.facebook.com/676543089

{
"id": "676543089",
"name": "Michael Seng",
"first_name": "Michael",
"last_name": "Seng",
"link": "http://www.facebook.com/people/Michael-Seng/676543089",
"gender": "male",
"locale": "en_US"
}


Since when did we need an Opera or Firefox for Facebook, lol ! :D

Cheers,
Kish

Thursday, January 7, 2010

MIT Press - XSS - Happy new year to one and all !

######################################
# Website: www.mit.edu
# Date: 08.01.10
# Bug: Cross Site Scripting (XSS)
#####################################

Search box vulnerable to XSS... after September, got really bored of XSS/SQL/RFI... that's why I took a break... but still, couldn't resist taking a shot at MIT Press ;)

So here goes the first post, for the new year - 2010

Vuln URL: hxxp://mitpress.mit.edu/catalog/search/default.asp


Click here for XSS demo

Solution: Try to validate input... it's not good practice to let XSS through, for I recently investigated cases where XSS was used to install malicious code on client systems for further access.
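Validation alone does not stop a search box from reflecting markup, because a legitimate search may contain quotes or angle brackets; the missing piece is output encoding for the context the value lands in. The snippet below is an added example and not MIT Press code: a constructed search results page rendered the vulnerable way and the encoded way, plus the same term placed in a URL, where a different encoder applies.

```python
import html
from urllib.parse import urlencode

# Constructed example, not code from MIT Press: a catalog search page that
# echoes the user's query back into the results heading.


def validate_query(query: str) -> str:
    """Input validation: reject what a search term never needs (control
    characters, absurd length). Useful, but not a complete defence on its
    own, since a search for an O'Reilly title must still work."""
    query = query.strip()
    if len(query) > 200 or any(ord(c) < 0x20 for c in query):
        raise ValueError("invalid search term")
    return query


def results_heading_vulnerable(query: str, hits: int) -> str:
    # The raw query is concatenated into markup: whatever the user typed
    # becomes part of the page the victim's browser parses.
    return f"<h2>Results for <b>{query}</b> ({hits} found)</h2>"


def results_heading_safe(query: str, hits: int) -> str:
    # Output encoding for the HTML context: <, >, &, " and ' become entities,
    # so the browser displays the text instead of interpreting it.
    safe = html.escape(query, quote=True)
    return f"<h2>Results for <b>{safe}</b> ({hits} found)</h2>"


def next_page_link(query: str, page: int) -> str:
    # The same value placed in a URL needs the URL encoder, not the HTML one;
    # each output context has its own escaping rules.
    return "/catalog/search/default.asp?" + urlencode({"q": query, "page": page})
```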

Cheers,
Kish :)

Sunday, September 20, 2009

XSS in Linuxmafia website - Today's lulz

#########################
# Website: www.linuxmafia.com
# Date: 21.09.09
# Bug: Cross Site Scripting (XSS)
########################

Vuln URL: hxxp://www.linuxmafia.com/kb/

Sorry folks, I am lazy to post a screenshot for this one... just a quickie, if you will...

Click here for the demo

Click here for another demo (this one's a bit serious)

Cheers,
Kish

Wednesday, August 26, 2009

Advisory Updates: Q2 2009, and a bit more...

Even though a spectacular hack was pulled off on ImageShack, they've not fixed their bug yet.

The lazy developers behind the Indian Premier League (oh reely??) have not fixed their XSS and SQLi bugs either... In 2009, if you want to see a demo of a site allowing the "delete method" in its database, please visit them :))

ZDNet, which writes the special 0-day column apart from its regular security ramblings, is "yet" to fix their bug, and Dancho Danchev, one of the authors on their team, is still replying to mail...

Adobe at least fixed their bug, even though it was late, and I applaud their security team / devs for their store.

Electronic Arts and Blogarama haven't fixed their bugs, just like the others; no, I am not surprised.

Probably, I'll write the next / final advisory update for this year in 3 to 4 months from now... Keep your eyes open !

Cheers :)
Kish

Whitehouse.gov - One for the "lulz"

#########################
# Website: www.whitehouse.gov
# Date: 27.08.09
# Bug: Cross Site Scripting (XSS)
########################

Vuln URL: hxxp://www.whitehouse.gov

Click here for the demo

LOL ! Please put some of your resources to work ;)

Cheers,
Kish !

ESPN Shop - XSS

#########################
# Website: www.espnshop.com
# Real gear for Real "XSS" fans
# Date: 27.08.09
# Bug: Cross Site Scripting (XSS)
########################

Vuln URL: hxxp://www.espnshop.com


Click here for the demo

Learn input validation, and try to use it :)

Cheers,
Kish !

P.S: This was found and reported to ESPN in late 2008, but they're very active as you can see.

Thursday, June 25, 2009

Electronic Arts - XSS vulnerability

#########################
# Website: www.ea.com
# Date: 25.06.09
# Bug: XSS
########################

Vuln URL: hxxp://www.ea.com



Click here for the demo

FIFA 09 and the online game play rocks, but your website ?... not really ! pffft ...

Cheers :)
Kish

Friday, May 29, 2009

XSS in Blogarama

#########################
# Website: www.blogarama.com
# Date: 29.05.09
# Bug: XSS
########################

Vuln URL: hxxp://www.blogarama.com


Click here for the demo

Fix input validation in your website...

Cheers :)
Kish

Sunday, May 17, 2009

XSS in Adobe's Store

#############################
# Website: www.adobe.com
# Date: 17.05.09
# Bug: XSS
############################

Vuln URL: hxxps://store3.adobe.com


Click here to see the demo

Fix your input validation, and make shopping with Adobe a good memory for the customer.

Cheers :)
Kish

Sunday, May 3, 2009

HTML Injection in ZDNET

############################
# Website: http://blogs.zdnet.com
# "Say hello to the experts"
# Bug: HTML Injection, XSS
# Date: 03.05.09
############################

Vuln URL: hxxp://blogs.zdnet.com


Click here to see the demo

Please advise people about web-application vulnerabilities, after you've fixed them ! *coughs*

Talking about input validation, their email form is a bad example... and can I use it to send my friend an email ? You bet... it's a free email spoofing service, courtesy of ZDNet ;))

Cheers,
Kish

Wednesday, April 29, 2009

SQLi and XSS vulnerabilities in IPL website

###################################
# Website: www.iplt20.com
# (includes spoils from pulselive.com)
# Bug: XSS, and SQLi
# IPL T20 - Indian (or is it English?) Premier League
# Date: 29.04.09
###################################

Vuln URL: hxxp://www.iplt20.com



Click here for SQLi demo

There were also 26 injectable spots other than this one, and there's XSS in the URI, path and forms; I can't post too many screenshots... you see ;)

What's more you can insert, update, and delete tables in their DB :))

Happy hunting, Cheers!