Tuesday, March 19, 2013

Remote File Inclusion - Papa Johns Pizza

################################################
# Website: www.papajohnspizza.in
# Date: 20.03.13
# Bug: File Inclusion (Remote / Local)
###############################################



And please guys make your website a little secure, it shouldn't take 'just' 20 minutes for server pwnage (sic)... Do your homework on the login page, scripting on the client side and remove the plugins that are not necessary... More importantly allocate a budget towards securing your website, because your WWW is your brand image on the Internet.

Cheers,
Kish

Tuesday, January 17, 2012

Happy NY2012 - Directory Traversal

Shouts to all the people who tell me, directory traversal / listing is NOT important.

Additional shouts to people who tell me, how their website "security" budget is cramped, but they can do endless scans of their intranet, internal network and desktops for compliance, year on year! :)

################################################
# Website: www.mmasuperstore.com.au
# Date: 18.01.12
# Bug: Database PWNage
###############################################

If only you guys had invested a portion of the money you spent on design towards security, this day would not have arrived!


But, Enjoy while it lasts... Consider this to be more publicity :))


Directory Traversal Vuln - MMA Super Store


WP Config File - MMA Super Store

What you have to learn from this incident is invest in security... as much or a portion of your design budget. Test the website with QA & Security instead of designing eye candy and flashing banners for "affiliate" dollars in mind!

When you run an online store and sell merchandise, please provide the "level of security" promised in your privacy statement instead of keeping things adhoc and designing a flashy website. The Internet is not a secure place, the Internet was not designed with adequate security.

Directory traversal is often overlooked and Websites don't get the attention they deserve, in 2012, that's a bad statistic !

Cheers,
Kish

Tuesday, October 18, 2011

Metallica Concert - Oct 30th, Bangalore

################################################
# Website: www.ticketgenie.in
# Date: 18.10.11
# Bug: XSS / SQLi / Multiple Vulnerabilities
###############################################

Special advisory dedicated to all metal heads and headbangers from all over the world. The concert tickets for Metallica's show at Bangalore, Palace grounds is available at TicketGenie website... The tickets started getting sold publicly 3 days back according to a news website. So you can pay for the ticket or get it for FREE :D


How many tickets do you want? :))



Want to track other people's tickets?

BONUS: Login page is vulnerable to bruteforce attacks, since there is no account lockout mechanism

We have not included Proof-of-Concept demonstrations as with other posts, since the pages can be abused to buy free tickets :))

A website which deals with financial information should be better protected than this... I am NOT going to trust Ticket Genie with my credit card, unless they show some improvement with security.

Cheers,
Kish

Thursday, October 6, 2011

Exploit Pack - Another Open Source Security Framework

Hey y'all,

Exploit Pack is a New Framework by former CORE Security employee (Anibal Sacco), so I am not surprised he uses python for the engine... Core IMPACT uses a similar style. The GUI is Java based though, why oh why do people code in this memory intensive thing called Java, cut me some slack with the platform independence please...

OK, Python is very versatile for coding a framework (eg: Immunity's CANVAS)... but with IMPACT, CANVAS and Metasploit in the fray... especially MSF (has gained enormous feedback + support) which is why Rapid7 bought the framework and paid developers to continue the good work... As a fourth addition, it may or may not make it... but it will certainly be a learning experience for the "new business" entrepreneur.

Interestingly enough, Metasploit has super integrated in to the "security tools" (that we use regularly) and has cemented it's place as de-facto standard for client-side, phishing, churning new sploits, wifi pen testing, web application exploitation, even PBX systems can be attacked and with the new vSploit modules... being introduced, it just keeps getting better and better... CORE pwned MSF simply by integrating the framework itself in to IMPACT's arsenal. Currently IMPACT has over 2500 exploits and counting... :))

If I were to have mad assembly skills and I learnt exploit coding from CORE's internal resource - Gera, I would be coding exploits and selling them to ZDI hands down... Plus, the $2 USD bounty is very miniscule compared to Google, Facebook and other bug bounties :)

Now that I have reasoned out a lot of "cons", here's one big "pro"... When the users read these words "module editor that allows you to create your own custom exploits" (similar to MSF eXploit Builder by Jerome Athias). You can still edit the templates in CANVAS or MSF to do the same thing only in python / ruby respectively. Immunity had a similar plugin called visualsploit to build exploits graphically, but they stopped selling it soon after introducing it... Recently they started giving out VisualSploit with every CANVAS license...

Saw this a couple of days ago on Twitter. Good luck to him, he is talented... but is he business savvy? That's for us to wait and see...

Visit http://www.exploitpack.com for more details

Cheers,
Kish

Wednesday, September 14, 2011

Mexico CNN Website - Open redirect

########################################
# Website: http://mexico.cnn.com
# Date: 14.09.11
# Bug: Open Redirection Page
########################################


Click here for demo

I could use a r57shell with this to make it look more scary :)

Sidenote: GoDaddy has made an effort to make us look good, by putting up their default banner...hmmm !

Cheers,
Kish

Monday, July 11, 2011

New Google Dork (Thanks AXN!)

Presenting our own google dork, which stemmed from the AXN site goodies... To check whether a particular site uses jQuery extensively...

You can use this query...
intext: * jQuery 1.2.6 - New Wave Javascript * * Copyright (c)


You can check a specific website using the site operator...

Cheers,
Kish

AXN India - Exposed to the Internet

A simple google query did the trick... :D







This is not a great flaw by itself... the site's administration should not be enabled for all internet users (to play with and break the authentication)...We did not poke with the authentication scheme, hehe ;)



Update: We also found cron.php, install.php, xmlrpc.php, half a dozen email addresses, directory traversal (scripts, modules, profiles, themes, sites) and lots more...



Stopped playing for we didn't want to end up accidentally hacking the website :))

Bottom line: Functionally sound, security wise - bad idea?

Shouts to Jaymee ong... (marry me please !) and the eBuzz Team who's programme was being featured on AXN before I found the goodies :D