Jsoftware

Wednesday, February 1, 2012

TinKode-US Army full disclosure again

9:25 PM Admin No comments

US Army full disclosure again

Posted by isrtinkode on February 19, 2010

                                /\                                    (_) |
                               /  \   _ __ _ __ ___  _   _   _ __ ___  _| |
                              / /\ \ | '__| '_ ` _ \| | | | | '_ ` _ \| | |
                             / ____ \| |  | | | | | | |_| |_| | | | | | | |
                            /_/    \_\_|  |_| |_| |_|\__, (_)_| |_| |_|_|_|
                                                      __/ |
                                                     |___/

The United States Army is the branch of the United States Military responsible for land-based military operations. It is the largest and oldest established branch of the U.S. military and is one of seven uniformed services. The modern Army has its roots in the Continental Army which was formed on 14 June 1775, before the establishment of the United States, to meet the demands of the American Revolutionary War. Congress created the United States Army on 14 June 1784 after the end of the war to replace the disbanded Continental Army. The Army considers itself to be descended from the Continental Army and thus dates its inception from the origins of that force.
Vulnerable link: http://onestop.army.mil
This website is vulnerable to MSSQL Injection. With this vulnerability i can see / extract all things from databases.
Testing:

Ok, in this picture we can see all main informations about webserver.

Main information:

#Version: Microsoft SQL Server 2000 - 8.00.2282 (Intel X86) Dec 30 2008 02:22:41 Copyright (c) 1988-2003 Microsoft Corporation Enterprise Edition on Windows NT 5.2 (Build 3790: Service Pack 2 #censored #censored #censored

All databases:

[0] censored [1] master [2] tempdb [3] model [4] msdb [5] AHOS [6] AHIT_WEB [7] AHOS_HQD [8] AHOS_WL [9] HEAT [10] REF_DB [11] ReportDB [12] USAREUR_TEST [13] YARDI_CONV [14] HOMES_IFS [15] HOMES_CDB_USAREUR [16] HOMES_WHSE [17] HUACFSDIS102148 [18] PINEA4CASTLE [19] HOMES_CDB [20] GFOQ_Development [21] ARTI02036THS003 [22] BISM5843235S301 [23] CDAR0413DPWS001 [24] CHAB000639BS002 [25] FRSA1050WHDS212 [26] GGDE0032284S005 [27] GRAF0244HOUS001 [28] HDCS3980WHDS204 [29] Spotlight [30] LEDW0003SWFS002 [31] LEDW0252GSWS003 [32] NHQA4106WDAS101 [33] PANS2913GSTS001 [34] PION0011414S601 [35] SEMI0022DPWS002 [36] SULL0255WMAS001 [37] VCAM0107HOUS001 [38] WARN7114279S003 [39] WETZ8876222S210 [40] WIAF1023221S001 [41] LEDW0252GSWS001 [42] BUCHAHOMES01 [43] CASEA4KORHOU068 [44] GREE305APDPW001 [45] HNRYA4KOA4HG086 [46] HUMPA1KODPWH014 [47] RICH123A0PHO001 [48] SCHOU01A4DPWHMS [49] TORIDPWA4177105 [50] WAIN224DB003153 [51] YONGA4KODPHD995 [52] ZAMADPWA0067011 [53] ANADA1HOMES [54] APGRA0GAG-HOMES [55] BENNA0I32214251 [56] BLISSVDPW1HS001 [57] BRAGA4PWAJ18145 [58] CARSDPWXAPS0002 [59] DAEN3104WKLS005 [60] DAMIAP06 [61] DIXXAPRDPW00001 [62] DRUMA001VA11202 [63] DUGWITA4HOMES [64] EUSTDB13HOMES01 [65] FS-HOMES01 [66] FTBELVOIR_S001 [67] GAHSGHOMES [68] GORDDBRCP001 [69] HAMIA1206DPW008 [70] HAWTA0HOMES [71] HIALA0KOA4HG170 [72] HOODA0DPWSYS003 [73] IRWIIMA0HOMES3 [74] JACKDLEHOMES [75] KNOXDBOSNT2 [76] KS-HSG-HOMES

We can access information_schema, so let’s see the tables from principal database “censored”

[0] comd_list [1] dtproperties [2] Faqs [3] Faqs_Categories [4] Forms [5] forms_base [6] gBase [7] gBase_OLD [8] gCountries [9] gHousing_offices [10] gHousing_offices-old [11] gStates [12] Housing_off_post [13] Housing_phone_qr [14] mgr_login [15] mgr_login_OLD [16] mgr_login_passwords [17] mgr_login_save [18] MgrCorner_Configuration [19] MgrCorner_Configuration_ID [20] must_know [21] must_know_cat [22] Must_know_OLD [23] sysconstraints [24] syssegments [25] UPH [26] UPH_OLD [27] uph_photo_text [28] uph_photo_tours [29] uph_photos [30] v_mapview [31] V_RankView [32] vHousingAreas [33] vhqd_vrtours [34] VIEW_housing [35] VIEW_phototours [36] VIEW_vrtours [37] vMapFiles [38] vMapOrder [39] vPhotoFiles [40] vPlan [41] vPlanFiles [42] vRank [43] vRankDesc [44] vRankRankDesc [45] waitlist [46] waitlist_items

Now, here are some interesting tables, like censored.

Here i found censored columns, with :

#censored #censored

wtf!

That it’s all! Bye, TinKode…

TinKode-Kaspersky Portugal Full Disclosure

9:22 PM Admin No comments

Kaspersky Portugal Full Disclosure

Posted by isrtinkode on February 19, 2010

                     _   __                              _
                    | | / /                             | |
                    | |/ /  __ _ ___ _ __   ___ _ __ ___| | ___   _
                    |    \ / _` / __| '_ \ / _ \ '__/ __| |/ / | | |
                    | |\  \ (_| \__ \ |_) |  __/ |  \__ \   <| |_| |
                    \_| \_/\__,_|___/ .__/ \___|_|  |___/_|\_\\__, |
                                    | |                        __/ |
                                    |_|                       |___/

                                                                                  #owned by c0de.breaker

In one evening, when i searched a antivirus, I entered on the official kaspersky website of Portugal from mistake.
Link: www.kaspersky.com.pt
Kaspersky, from what i know has been hacked by “unu” with MySQLi.
So I said to try to see if I could find a vulnerability!
After 5 minutes of searching, I found something interesting, namely::

Warning: censored() [function.censored]: Query failed: ERROR: syntax error at or near "\" at character 306 in /home1/_sites/wwwkasperskycompt/kaspersky/PHP/IfDBRevendedoresKaspersky.phpclass on line 121 ERRO na execucao da query getRevendedors ERROR: syntax error at or near "\" at character 306

censored() : That means as he use a censoredSQL database.
First time, i checked to see if is injectable, and if i can extract something.
The answer:
———————————————————–

———————————————————–
So I can make censoredSQL Injection!
What I extracted?
I wasn’t concerned about the content, I only “got” the names of databases, tables and columns.

#Principal Database: censored #User: censored #Version: censoredSQL 8.1.11 on i486-pc-linux-gnu, compiled by GCC cc (GCC) 4.1.2 20061115 (prerelease) (Debian 4.1.1-21)

#Other Databases

1 censored 2 template1 3 template0 4 monitoring 5 estkaspersky 6 horde 7 licence 8 hardwareipbrick 9 acessosclientes 10 licencefmota 11 temp 12 dbdoc 13 webcalendar 14 ipbox 15 adcav 16 jpleitao2 17 funambol 18 gaia 19 cinel2 20 makeupdate 21 tempdefaultconfig

#The tables from censored database (number:458)

1 table_base_idxml73 2 table_ass_idxml73_idtab1025 3 liga_tipoent_categoria 4 liga_subcat_categoria 5 classif_entidades 6 ignora 7 categoria_entidade 8 site 9 subcategoria_entidade 10 tabela_gestao_ipcontactos 11 ipcontactos_lang_files 12 utilizador_externo 13 webcal_sincro 14 pga_queries 15 pga_forms 16 pga_scripts 17 pga_reports 18 pga_schema 19 pga_layout 20 avaliar 21 estadorec1 22 liga_resultado_tarefa 23 webcal_user 24 utilizadores_operacao 25 webcal_entry 26 webcal_entry_repeats 27 webcal_entry_repeats_not 28 webcal_entry_user 29 webcal_entry_ext_user 30 webcal_user_pref 31 webcal_user_layers 32 exhumationprice 33 webcal_site_extras 34 webcal_reminder_log 35 webcal_group 36 table_base_idxml13 37 webcal_group_user 38 webcal_view 39 webcal_view_user 40 gravetype 41 webcal_entry_log 42 webcal_categories 43 webcal_config 44 cemeterysection 45 solucao 46 ipdoclanguages 47 ipdoctranslation 48 ipdocsentences 49 ipdocpages 50 ipdocpagetranslation 51 table_base_idxml15 52 table_ass_idxml15_idtab51 53 lockcodigos 54 assunto 55 table_base_idxml16 56 subassunto 57 table_ass_idxml16_idtab68 58 entidades2 59 coordenadas_estado 60 dados_infantarios 61 coordenadas_estadopr 62 codigo_accaopr 63 table_base_idxml17 64 raca 65 table_base_idxml18 66 table_base_idxml19 67 table_base_idxml20 68 table_base_idxml14 69 distrito 70 concelho ... 439 accaopr 440 table_base_idxml79 441 estadopr 442 funcaoproc 443 funcaopr 444 table_ass_idxml79_idtab1183 445 table_ass_idxml79_idtab1190 446 table_ass_idxml79_idtab1191 447 table_ass_idxml79_idtab1192 448 table_ass_idxml79_idtab1193 449 table_ass_idxml77_idtab1194 450 table_base_idxml78 451 table_ass_idxml80_idtab1216 452 table_base_idxml81 453 table_ass_idxml81_idtab1228 454 table_base_idxml70 455 table_base_idxml82 456 documento 457 revisaodoc 458 table_ass_idxml82_idtab1257

#Me: Ma gandesc, daca tot este una din cele mai mari compani din lume care asigura protectia poate a multor milioane de utilizatori prin produsele sale,
de ce nu au grija de propria securitatea in primul rand? Acest lucru poate fi si din cauza firmelor care creaza aceste website-uri intr-un timp foarte scurt pe sume exagerat de mari…
Cam atat.
~Where is a will, there is a way

TinKode-Kaspersky Thailand Full Access

9:19 PM Admin No comments

Kaspersky Thailand Full Access

Posted by isrtinkode on February 19, 2010

 _  __                             _                                _
| |/ /                            | |              /\              (_)
| ' / __ _ ___ _ __   ___ _ __ ___| | ___   _     /  \   __ _  __ _ _ _ __
|  < / _` / __| '_ \ / _ \ '__/ __| |/ / | | |   / /\ \ / _` |/ _` | | '_ \
| . \ (_| \__ \ |_) |  __/ |  \__ \   <| |_| |  / ____ \ (_| | (_| | | | | |
|_|\_\__,_|___/ .__/ \___|_|  |___/_|\_\\__, | /_/    \_\__, |\__,_|_|_| |_|
              | |                        __/ |           __/ |
              |_|                       |___/           |___/

                     #Kaspersky Thailand full access@c0de.breaker

Ok… As you might remember, some time ago, I gained access into Kaspersky Portugal.
Now I found another vulnerable parameter in Kaspersky Thailand.
Because the mod_security was ON, it was hard for me to make the injection, and in order to extract tables,colums,etc you must have a vast knowledge about how to filter some things.
Testing: