Showing posts with label Crimemachine. Show all posts
Showing posts with label Crimemachine. Show all posts

Tuesday, March 19, 2013

Remote File Inclusion - Papa Johns Pizza

################################################
# Website: www.papajohnspizza.in
# Date: 20.03.13
# Bug: File Inclusion (Remote / Local)
###############################################



And please guys make your website a little secure, it shouldn't take 'just' 20 minutes for server pwnage (sic)... Do your homework on the login page, scripting on the client side and remove the plugins that are not necessary... More importantly allocate a budget towards securing your website, because your WWW is your brand image on the Internet.

Cheers,
Kish

Tuesday, January 17, 2012

Happy NY2012 - Directory Traversal

Shouts to all the people who tell me, directory traversal / listing is NOT important.

Additional shouts to people who tell me, how their website "security" budget is cramped, but they can do endless scans of their intranet, internal network and desktops for compliance, year on year! :)

################################################
# Website: www.mmasuperstore.com.au
# Date: 18.01.12
# Bug: Database PWNage
###############################################

If only you guys had invested a portion of the money you spent on design towards security, this day would not have arrived!


But, Enjoy while it lasts... Consider this to be more publicity :))


Directory Traversal Vuln - MMA Super Store


WP Config File - MMA Super Store

What you have to learn from this incident is invest in security... as much or a portion of your design budget. Test the website with QA & Security instead of designing eye candy and flashing banners for "affiliate" dollars in mind!

When you run an online store and sell merchandise, please provide the "level of security" promised in your privacy statement instead of keeping things adhoc and designing a flashy website. The Internet is not a secure place, the Internet was not designed with adequate security.

Directory traversal is often overlooked and Websites don't get the attention they deserve, in 2012, that's a bad statistic !

Cheers,
Kish

Tuesday, October 18, 2011

Metallica Concert - Oct 30th, Bangalore

################################################
# Website: www.ticketgenie.in
# Date: 18.10.11
# Bug: XSS / SQLi / Multiple Vulnerabilities
###############################################

Special advisory dedicated to all metal heads and headbangers from all over the world. The concert tickets for Metallica's show at Bangalore, Palace grounds is available at TicketGenie website... The tickets started getting sold publicly 3 days back according to a news website. So you can pay for the ticket or get it for FREE :D


How many tickets do you want? :))



Want to track other people's tickets?

BONUS: Login page is vulnerable to bruteforce attacks, since there is no account lockout mechanism

We have not included Proof-of-Concept demonstrations as with other posts, since the pages can be abused to buy free tickets :))

A website which deals with financial information should be better protected than this... I am NOT going to trust Ticket Genie with my credit card, unless they show some improvement with security.

Cheers,
Kish

Thursday, October 6, 2011

Exploit Pack - Another Open Source Security Framework

Hey y'all,

Exploit Pack is a New Framework by former CORE Security employee (Anibal Sacco), so I am not surprised he uses python for the engine... Core IMPACT uses a similar style. The GUI is Java based though, why oh why do people code in this memory intensive thing called Java, cut me some slack with the platform independence please...

OK, Python is very versatile for coding a framework (eg: Immunity's CANVAS)... but with IMPACT, CANVAS and Metasploit in the fray... especially MSF (has gained enormous feedback + support) which is why Rapid7 bought the framework and paid developers to continue the good work... As a fourth addition, it may or may not make it... but it will certainly be a learning experience for the "new business" entrepreneur.

Interestingly enough, Metasploit has super integrated in to the "security tools" (that we use regularly) and has cemented it's place as de-facto standard for client-side, phishing, churning new sploits, wifi pen testing, web application exploitation, even PBX systems can be attacked and with the new vSploit modules... being introduced, it just keeps getting better and better... CORE pwned MSF simply by integrating the framework itself in to IMPACT's arsenal. Currently IMPACT has over 2500 exploits and counting... :))

If I were to have mad assembly skills and I learnt exploit coding from CORE's internal resource - Gera, I would be coding exploits and selling them to ZDI hands down... Plus, the $2 USD bounty is very miniscule compared to Google, Facebook and other bug bounties :)

Now that I have reasoned out a lot of "cons", here's one big "pro"... When the users read these words "module editor that allows you to create your own custom exploits" (similar to MSF eXploit Builder by Jerome Athias). You can still edit the templates in CANVAS or MSF to do the same thing only in python / ruby respectively. Immunity had a similar plugin called visualsploit to build exploits graphically, but they stopped selling it soon after introducing it... Recently they started giving out VisualSploit with every CANVAS license...

Saw this a couple of days ago on Twitter. Good luck to him, he is talented... but is he business savvy? That's for us to wait and see...

Visit http://www.exploitpack.com for more details

Cheers,
Kish

Wednesday, September 14, 2011

Mexico CNN Website - Open redirect

########################################
# Website: http://mexico.cnn.com
# Date: 14.09.11
# Bug: Open Redirection Page
########################################


Click here for demo

I could use a r57shell with this to make it look more scary :)

Sidenote: GoDaddy has made an effort to make us look good, by putting up their default banner...hmmm !

Cheers,
Kish

Monday, July 11, 2011

New Google Dork (Thanks AXN!)

Presenting our own google dork, which stemmed from the AXN site goodies... To check whether a particular site uses jQuery extensively...

You can use this query...
intext: * jQuery 1.2.6 - New Wave Javascript * * Copyright (c)


You can check a specific website using the site operator...

Cheers,
Kish

AXN India - Exposed to the Internet

A simple google query did the trick... :D







This is not a great flaw by itself... the site's administration should not be enabled for all internet users (to play with and break the authentication)...We did not poke with the authentication scheme, hehe ;)



Update: We also found cron.php, install.php, xmlrpc.php, half a dozen email addresses, directory traversal (scripts, modules, profiles, themes, sites) and lots more...



Stopped playing for we didn't want to end up accidentally hacking the website :))

Bottom line: Functionally sound, security wise - bad idea?

Shouts to Jaymee ong... (marry me please !) and the eBuzz Team who's programme was being featured on AXN before I found the goodies :D

Money Image - Error Based SQLi

########################################
# Website: www.moneyimg.com
# Date: 11.07.11
# Bug: SQLi (SQL Injection)
########################################

Money Image is a website similar to Image shack :)

Click here for demo


Fix your input validation fellas !

Cheers,
Kish

Matasano Chargen - Redirection

########################################
# Website: www.matasano.com
# Date: 11.07.11
# Bug: Cross Site Scripting / Redirect
########################################

When reading their blog, you surf their services page, check out their RFP page and what comes up suddenly... a redirection page, hehe :D

>> Click here for redirect demo <<


This one was totally unintended, but fun nonetheless spotting bugs in a security company's website !

Cheers,
Kish

Wednesday, June 29, 2011

No research off late (Kosova Airlines)

We have not been doing a lot of research and poking lately, in websites or networks...

We will eventually find time, and start looking for throw aways (XSS / SQLi). Please understand that full disclosure is good for everybody, instead of security by obscurity.

In the meantime, check out the Kosova Airlines website at www.flyksa.com


Or you can access their database here. Need I say more about bad coding practices?

Cheers,
Kish

Thursday, December 30, 2010

ISS - Internet Security Systems?

I have great respect for the guys at ISS X-Force... You guys are the best, nothing personal :)

Although, I'm certain they wouldn't approve of this screenshot here...


Vuln URL: hxxp://webapp.iss.net/Search.do

On Behalf of Crimemachine, Wish You (Our Readers) a Happy New Year Guys

We are Back ! ;)

Wednesday, July 28, 2010

Talk about facebook funnies

http://graph.facebook.com/566543089 -> now that's funny ! :D

{
"id": "566543089",
"name": "Leo Fu",
"first_name": "Leo",
"last_name": "Fu",
"link": "http://www.facebook.com/people/Leo-Fu/566543089",
"gender": "male",
"locale": "zh_HK"
}


One more just to make sure, we can still rely on facebook ;)

nyaaaa, what's that : http://graph.facebook.com/676543089

{
"id": "676543089",
"name": "Michael Seng",
"first_name": "Michael",
"last_name": "Seng",
"link": "http://www.facebook.com/people/Michael-Seng/676543089",
"gender": "male",
"locale": "en_US"
}


Since when did we need a Opera or Firefox for facebook, lol ! :D

Cheers,
Kish

Monday, June 7, 2010

OWASP - Zone Transfer?

OWASP's domains ending with .org and .com are vulnerable to DNS Zone Transfer... Is it because, they preach only web security? That they never bothered to touch the network side of things ?

Besides being a security - preacher type website, they must have done a basic pen-test routine of their website before hosting... Network FAIL :D

NSLookup - From command line
bt ~ # nslookup
> set type=any
> owasp.org
Server: 192.168.19.2
Address: 192.168.19.2#53

Non-authoritative answer:
owasp.org mail exchanger = 30 ASPMX3.GOOGLEMAIL.COM.
owasp.org mail exchanger = 30 ASPMX4.GOOGLEMAIL.COM.
owasp.org mail exchanger = 30 ASPMX5.GOOGLEMAIL.COM.
owasp.org mail exchanger = 10 ASPMX.L.GOOGLE.COM.
owasp.org mail exchanger = 20 ALT1.ASPMX.L.GOOGLE.COM.
owasp.org mail exchanger = 20 ALT2.ASPMX.L.GOOGLE.COM.
owasp.org mail exchanger = 30 ASPMX2.GOOGLEMAIL.COM.
owasp.org nameserver = ns2.secure.net.
owasp.org nameserver = ns1.secure.net.

Authoritative answers can be found from:
> owasp.com
Server: 192.168.19.2
Address: 192.168.19.2#53

Non-authoritative answer:
owasp.com nameserver = ns1.ispc.org.
owasp.com nameserver = ns1.mv.net.
owasp.com nameserver = ns2.ispc.org.
owasp.com nameserver = ns3.ispc.org.
>exit

DIG - From command line

bt ~ # dig owasp.org axfr @ns1.secure.net

; <<>> DiG 9.3.2-P1 <<>> owasp.org axfr @ns1.secure.net
; (1 server found)
;; global options: printcmd
owasp.org. 86400 IN SOA ns1.secure.net. hostmaster.secure.net. 2007080369 86400 7200 2592000 86400
owasp.org. 86400 IN A 216.48.3.18
owasp.org. 86400 IN NS ns1.secure.net.
owasp.org. 86400 IN NS ns2.secure.net.
owasp.org. 86400 IN MX 20 ALT1.ASPMX.L.GOOGLE.COM.
owasp.org. 86400 IN MX 20 ALT2.ASPMX.L.GOOGLE.COM.
owasp.org. 86400 IN MX 30 ASPMX2.GOOGLEMAIL.COM.
owasp.org. 86400 IN MX 30 ASPMX3.GOOGLEMAIL.COM.
owasp.org. 86400 IN MX 30 ASPMX4.GOOGLEMAIL.COM.
owasp.org. 86400 IN MX 30 ASPMX5.GOOGLEMAIL.COM.
owasp.org. 86400 IN MX 10 ASPMX.L.GOOGLE.COM.
owasp.org. 86400 IN TXT "v=spf1 include:aspmx.googlemail.com ~all"
*.owasp.org. 86400 IN CNAME owasp.org.
ads.owasp.org. 86400 IN A 216.48.3.26
austin.owasp.org. 86400 IN CNAME owasp.org.
calendar.owasp.org. 86400 IN CNAME ghs.GOOGLE.COM.
docs.owasp.org. 86400 IN CNAME ghs.GOOGLE.COM.
es.owasp.org. 86400 IN A 216.48.3.18
forums.owasp.org. 86400 IN A 216.48.3.19
google6912a08c3a8cdf0b.owasp.org. 86400 IN CNAME GOOGLE.COM.
groups.owasp.org. 86400 IN CNAME ghs.GOOGLE.COM.
jobs.owasp.org. 86400 IN CNAME owasp.org.
lists.owasp.org. 86400 IN A 216.48.3.22
lists.owasp.org. 86400 IN MX 10 ml1lists.owasp.org.
localhost.owasp.org. 86400 IN A 127.0.0.1
mail.owasp.org. 86400 IN CNAME ghs.GOOGLE.COM.
ml1lists.owasp.org. 86400 IN A 216.48.3.30
registration.owasp.org. 86400 IN CNAME owasp.org.
stage.owasp.org. 86400 IN A 216.48.3.20
voip.owasp.org. 86400 IN A 216.48.3.22
www.owasp.org. 86400 IN CNAME owasp.org.
owasp.org. 86400 IN SOA ns1.secure.net. hostmaster.secure.net. 2007080369 86400 7200 2592000 86400
;; Query time: 529 msec
;; SERVER: 192.220.124.10#53(192.220.124.10)
;; WHEN: Mon Jun 7 19:15:40 2010
;; XFR size: 32 records (messages 1)

OWASP must be glad that we didn't use 31337 stuff like Revhosts ;))

You guys must learn from ISECOM - Check this out

bt ~ # dig isecom.org axfr @ns222.pair.com

; <<>> DiG 9.3.2-P1 <<>> isecom.org axfr @ns222.pair.com
; (1 server found)
;; global options: printcmd
; Transfer failed.

That should be the type of output generally when you poke a website preaching security...

If you are bored and clarifying a few things with a website like OWASP next time, try running a few tools from the command line, gives you lols :))

Cheers,
Kish

Thursday, January 7, 2010

MIT Press - XSS - Happy new year to one and all !

######################################
# Website: www.mit.edu
# Date: 08.01.10
# Bug: Cross Site Scripting (XSS)
#####################################

Search box vulnerable to XSS... after September, got really bored of XSS/SQL/RFI... that's why I took a break... but still, couldn't resist taking a shot at MIT Press ;)

So here goes the first post, for the new year - 2010

Vuln URL: hxxp://mitpress.mit.edu/catalog/search/default.asp


Click here for XSS demo

Solution: Try and validate input ... it's not good practice to let XSS through, for I recently investigated cases where XSS was used to install malicious code on to client systems for further access.

Cheers,
Kish :)

Sunday, September 20, 2009

XSS in Linuxmafia website - Today's lulz

#########################
# Website: www.linuxmafia.com
# Date: 21.09.09
# Bug: Cross Site Scripting (XSS)
########################

Vuln URL: hxxp://www.linuxmafia.com/kb/

Sorry folks, I am lazy to post a screenshot for this one... just a quickie, if you will...

Click here for the demo

Click here for another demo (this one's a bit serious)

Cheers,
Kish

Wednesday, August 26, 2009

Advisory Updates: Q2 2009, and a bit more...

Even though a spectacular hack was pulled off on Imageshack, they've not fixed their bug yet.

The lazy developers behind the Indian Premier League (oh reely??) have not fixed their XSS and SQLi bugs either... In 2009 if you want to see a demo, of a site allowing "delete method" in databases please visit them :))

ZDNet that writes the special 0-day column, apart from regular security ramblings is "yet" to fix their bug, and Dancho danchev, one of the authors from their team is still replying to mail...

Adobe atleast fixed their bug even though it was late, and I applaud their security team / devs for their store.

Electronic arts
and blogarama haven't fixed their bugs just like the others, no I am not surprised

Probably, I'll write the next / final advisory update for this year in 3 to 4 months from now... Keep your eyes open !

Cheers :)
Kish

Whitehouse.gov - One for the "lulz"

#########################
# Website: www.whitehouse.gov
# Date: 27.08.09
# Bug: Cross Site Scripting (XSS)
########################

Vuln URL: hxxp://www.whitehouse.gov

Click here for the demo

LOL ! Please put some of your resources to work ;)

Cheers,
Kish !

ESPN Shop - XSS

#########################
# Website: www.espnshop.com
# Real gear for Real "XSS" fans
# Date: 27.08.09
# Bug: Cross Site Scripting (XSS)
########################

Vuln URL: hxxp://www.espnshop.com


Click here for the demo

Learn input validation, and try to use it :)

Cheers,
Kish !

P.S: This was found and reported to ESPN in late 2008, but they're very active as you can see.

Wednesday, July 8, 2009

Hakin9 - Issue (03/2009) - Review

Thanks to the Hakin9 Team for sending me a copy for review. This issue of Hakin9 comes with a new set of articles on various topics such as Bruteforce, Malware analysis, and Examining malicious PDF documents.

Unless you're just starting off or don't know about bruteforce you can skip the introduction to the article, but the relevance of information is really good in terms of description of various types of attacks. The article talks about the latest technique called GPU cracking.

There's also another interesting article detailing the reverse engineering of digital certificate on Windows. Web security enthusiasts are not left out, with an article covering burp proxy's intruder with examples.

For the system administrators there's some constructive information in the article on defeating AVs. There's additionally the CD that comes along with the magazine features Ad-aware anniversary edition (free) along with a few demo-games such as Portsign, which is a hacker game similar to Uplink from Introversion software.

Apart from these there's the usual book review on "IPv6 Security" from Cisco Press, a section on emerging threats, a few ads spread out through the magazine, and a good interview from Nicholas Percoco, the head of Spiderlabs, Trustwave's research team.

Thursday, June 25, 2009

Electronic Arts - XSS vulnerability

#########################
# Website: www.ea.com
# Date: 25.06.09
# Bug: XSS
########################

Vuln URL: hxxp://www.ea.com



Click here for the demo

FIFA 09 and the online game play rocks, but your website ?... not really ! pffft ...

Cheers :)
Kish