http://undp.org.mv Hacked! United Nations Development Programme Maldives

April 14th, 2010

Greetings to all JadeCrew members,

# Title: UNDP Maldives - SQLi
# Bug Reported to vendor: April 14 2010
# Bug found: Hackintosh
# Vulnerable Link: http://www.mv.undp.org http://undp.org.mv
# Special Greetings: syman, Aseel, kidman & to All members of JadeCrew

I had been waiting for the much-awaited launch of this website. The previous site, an open-source ColdFusion CMS of UNDP Maldives, was terrorized by a lot of Turkish hackers and spamming on their host. The newer site was launched after a web designing company won the bidding, though it fails miserably on the security of the website. We, the JadeCrew Team, are proud to secure this website as well and to protect it against the hackers who pose a real threat. Please fix the bugs at the earliest and secure the site.

The picture above shows the username and encrypted password.

Regards

Hackintosh

http://jadecrew.org/blog

Using http://egov.mv for Identity Theft and phishing. [PAPER] IFRAME Vulnerability in Maldives - egov.mv

April 11th, 2010

IFRAME handling vulnerability in http://egov.mv/

On 09/04/2010 Hackintosh identified a vulnerability in http://egov.mv and published it on JadeCrew – Facebook: http://www.facebook.com/group.php?v=wall&gid=251247146129 .

So I credit him for finding the vulnerability. After some time fiddling around with the URL, I thought the following may be a way to exploit this vulnerability.

# Title: [PAPER] IFRAME handling vulnerability in http://egov.mv/
# Bug Reported to vendor: April 12 2010
# Bug found: Hackintosh
# Potential Exploiting Method: Syman (t0mbe)
# Vulnerable Link: http://egov.mv
# Special Greetings: Hackintosh, kidman & this opportunity is to thank all JadeCrew readers! :)
# Paper by: Syman(t0mbe)
# This paper is written for educational purpose and to create awareness among users.

-[0x1 Introduction]-
The vulnerability by itself does not give you much of a choice. Also, I am not too sure about the name of the “vulnerability”, because it doesn’t exactly fit any that I know of, but it loosely fits best into the category of IFRAME vulnerability.

-[0x2 Vulnerability]-
#Vulnerable URL: https://citizen.egov.mv/g2cweb/EService.aspx?URL={SCAM PAGE}
What we find here is that the URL parameter [temporarily] includes any given page in its content. Now, at a glance, we find this may not be a potential threat at all!

You may first visit the below given URL to understand further about the paper:
https://citizen.egov.mv/g2cweb/EService.aspx?URL=http://%74%69%6e%79%75%72%6c%2e%63%6f%6d/%79%63%6a%75%79%76%68

Some browsers may not properly decode the encoded URL; they may instead try https://citizen.egov.mv/g2cweb/EService.aspx?URL=http://tinyurl.com/ycjuyvh

Above is an example of this attack in progress.

Above is a screenshot of attack in progress.

-[0x3 Content]-
As a proof of concept (PoC) I have included a simple form which asks for one’s sensitive data. The provided PoC is just to let readers understand the impact of the attack. The actual remote file can be found at: http://jadecrew.org/vuln-proof/egov.html
Now, since we are talking about http://egov.mv, people trust it, and they do not question the judgment of providing sensitive data. Upon successful exploitation of this vulnerability a user can be “(completely?)” blind-folded, since the address bar of your browser would show the SSL certificate too.

-[0x4 Exploiting]-
Well, what did we do here? It’s a very simple exploitation. I just created a form-based HTML page which blends well with the content of http://egov.mv and included it via Eservice.aspx?URL={www.jadecrew.org/egov-exploit.html}.
And there we go, our content is included in http://egov.mv.

Now this is the point where an attacker would use social engineering techniques to make victims pass sensitive data to the specially crafted page of the attacker.
At this point it all depends on how far an attacker is actually willing to go. An attacker may use simple techniques of URL obscuring, such as encoding URLs or converting them to HEX, or even purchase a domain which closely resembles the legitimate egov.mv website.

In this PoC I have used a simple technique of obscuring the URL. I first converted the URL to a [tinyURL – I always liked this name ;)] and then encoded it using HEX.
https://citizen.egov.mv/g2cweb/EService.aspx?URL=http://%74%69%6e%79%75%72%6c%2e%63%6f%6d/%79%63%6a%75%79%76%68
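The fix on the server side is to stop EService.aspx from embedding arbitrary URLs. The check below is an added example in Python (not egov.mv’s own code, which is ASP.NET); it percent-decodes the URL parameter before validating it, so the HEX-obscured tinyurl value above is caught, and it only accepts HTTPS URLs on an assumed allowlist of egov hosts.

```python
from urllib.parse import unquote, urlsplit

# Hosts that EService.aspx may legitimately embed. This allowlist is an
# assumption for the example, not taken from the egov.mv deployment.
ALLOWED_HOSTS = {"citizen.egov.mv", "egov.mv"}
MAX_DECODE_PASSES = 3  # bounded, so double/triple percent-encoding cannot slip past
FALLBACK = "https://citizen.egov.mv/g2cweb/"  # assumed safe default page


def normalise(raw: str) -> str:
    """Percent-decode repeatedly until the value stops changing (bounded)."""
    value = raw
    for _ in range(MAX_DECODE_PASSES):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.strip()


def is_allowed_embed_url(raw: str) -> bool:
    """True only if the decoded URL is HTTPS and points at an allowlisted host."""
    url = normalise(raw)
    try:
        parts = urlsplit(url)
    except ValueError:          # malformed input such as an unterminated IPv6 literal
        return False
    if parts.scheme.lower() != "https":
        return False            # rejects http://, javascript:, data: and scheme-less "//host"
    if parts.username or parts.password:
        return False            # rejects "https://citizen.egov.mv@attacker.example" confusion
    host = (parts.hostname or "").lower().rstrip(".")
    return host in ALLOWED_HOSTS


def build_embed_target(raw: str) -> str:
    """What the page should actually load: the validated URL or the safe default."""
    return normalise(raw) if is_allowed_embed_url(raw) else FALLBACK


if __name__ == "__main__":
    # The HEX-obscured tinyurl value from the paper above: decoded, then rejected.
    hex_value = "http://%74%69%6e%79%75%72%6c%2e%63%6f%6d/%79%63%6a%75%79%76%68"
    print(normalise(hex_value), is_allowed_embed_url(hex_value))
    print(build_embed_target("https://citizen.egov.mv/g2cweb/Form.aspx"))
```

The same decode-then-allowlist check applies to any "include this URL" parameter; in ASP.NET it would run in the page's code-behind before the frame source is set.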

-[0x5 What is really going on now?]-
An attacker (spammer?) would send mass e-mails or use other spamming techniques to trick users into filling in the crafted form. When a victim enters sensitive data into the attacker’s form, it is stored at the remote host where the attacker has hosted his phishing page for stealing personal data. In our case it would be our modified page for stealing bank accounts.

-[0x6 Impact of the Attack]-
Well, this kind of attack heavily depends on the attacker. One may even mount much larger-scale attacks by exploiting very minor vulnerabilities such as this one. And it all depends on the attacker’s imagination which type of data to steal. It could range from your telephone number being stolen to identity theft.
Hoping to see it fixed soon! :)

Users should always be very aware of such attacks.
I hope that JadeCrew’s readers are aware of such scams and have learnt a little something more today as well! :)

Greetings to: HackinTosh, Kidman and readers and followers! :)
Syman – t0mbe
Jade.crew@gmail.com
http://www.jadecrew.org

PresidencyMaldives Hacked www.presidencymaldives.gov.mv

April 9th, 2010
# Title: Presidency Maldives - SQLi
# Bug Reported to vendor: April 09 2010
# Bug found: Hackintosh
# Vulnerable Link: http://www.presidencymaldives.gov.mv
# Special Greetings: t0mbe, aseel & All members of JadeCrew

The screenshots show the username and password.

Regards
JadeCrew
http://www.jadecrew.org

Maldives Stock Exchange Hacked! www.mse.com.mv

April 9th, 2010
# Title: Maldives Stock Exchange - blind SQLi
# Bug Reported to vendor: April 01 2010
# Bug found: Hackintosh
# Vulnerable Link: http://www.mse.com.mv
# Special Greetings: t0mbe, All members of JadeCrew
Regards
JadeCrew
http://www.jadecrew.org

Dhiraagu Web Portal - Username/Password disclosure

April 8th, 2010

# Title: Dhiraagu Web Portal - SQLi
# Bug Reported to vendor: April 09 2010
# Bug found: Syman(t0mbe)
# Vulnerable Link: http://www.dhiraagu.com.mv
# Special Greetings: Hackintosh, kidman & to All members of JadeCrew

A vulnerability has been identified in the Dhiraagu web portal. A detailed bug report has been sent to Dhiraagu.

Updates will follow as soon as the Dhiraagu web portal is patched.

Currently for Proof of Concept:

Screenshot: dump of username:password pairs, including the admin a/c

Update:

#  09/04/2010 - Vulnerability has been fixed by vendor

Regards
JadeCrew
http://www.jadecrew.org

HACKED: Telecommunication Authority Maldives - www.tam.gov.mv (Old Hack!)

February 9th, 2010

Hello, we thought we should add the Telecommunications Authority of Maldives to our defaced archive, even though it was defaced about 1000 years back, when the Roman Empire was ruling most of the European continent. (I guess?)

Anyway, I frankly do believe that any government website needs to be properly maintained, and broadcasting a defaced index page is very disappointing!

Below is a screenshot, and here is the link. You may see it for yourself!: http://www.tam.gov.mv/index.php

Oh, and yes, we know the page automatically redirects to CAM (Communication Authority of Maldives), but this is a louder call to at least take a few minutes out of whoever’s busy schedule and remove defaced websites like this from *.gov.mv domain names! =)…

Well said, didn’t I?

Greeting to Hackintosh, ent3rp|se (Long lost h4×0r?) and beloved JadeCrew Members ;-) !

HACKED: Maldives Accreditation Board - mab.gov.mv - MAB

February 6th, 2010

Since tvm was designed by lemorios, we searched for other gov hosts running the same panel and hit mab.gov.mv; to my surprise it too had the same password. Then again, I found www.mfda.gov.mv running the same CMS, but I guess I was too late? Someone else had defaced the website and it’s down.

Credits - t0mbe, Aseel & JadeCrew

Hacked: Television Maldives - www.tvm.gov.mv - TVM

February 6th, 2010

The site was previously hacked by i-mad on 17th May, and the webmaster fixed it, I guess? However, I thought I would check it again and saw some SQLi errors as usual. So here it is again: after we posted a screenshot of the SQLi, the site was moved to a dedicated server from Dhiraagu. The irony? The webmaster still kept the same bugs and kept the admin panel .htaccess-protected with the same panel password? Silly me? I never thought anyone would do that.

Credits : t0mbe , JadeCrew

HACKED: Maldives Ministry of Health - www.health.gov.mv - MOH

February 1st, 2010

Good day to all of you!

We were able to successfully retrieve data from the Ministry of Health - Maldives database while swiftly bombarding the www.health.gov.mv website. Oops - ;)

The databases we were able to access were: MOH, the Health ministry “intranet_db” and “healthweb_base”, and the DB username is = “anil” (maybe the webmaster?). Please refer me with the e-mail address next time ;).

Either way, I was able to successfully penetrate and retrieve critical information of the Health ministry, including username/password, e-mail and contact details.

Here are a few fruitful databases which existed:

Examples of Information Retrieved: contact_id,Name,section,office,Intercom,Office_tel,Res_tel,Mobile,email,pic,username,password,level,contact_id,division,section,phone,fax,e-mail

People: id,name,username,password

Databases: db_intranet,healthweb_base,moh

Location of MySQL: /var/lib/mysql/

Since pictures speak a thousand words, and I am too lazy to type any further right now, below are the screenshots of the Health Ministry website during the attack.

Greetings: Hackintosh, JadeCrew Members!

Proof of Attack on www.health.gov.mv

Note: No files were added, modified or deleted (no defacements!). I think we deserve a thank you! Lol..! :)

Regards

t0mbe (Syman)

JadeCrew Team!

Haveeru Web portal an Epic failure?

January 23rd, 2010

It was just a random SQLi, but the things I started to find inside the WAMP server fascinated me, as the server admin didn’t bother much about security.

I was able to load the Windows SAM file with MySQL injection. The SAM is a database stored as a registry file in Windows NT, Windows 2000, and later versions of Windows. It stores users’ passwords in a hashed format (as an LM hash or NTLM hash). Since a hash function is one-way, this provides some measure of security for the storage of the passwords. (source: Wikipedia)

The MySQL database connection info was left open inside the WAMP /www/ folder in just a .txt file? Now who on earth would do that? But yeah, like the webmaster says, who cares as long as the MySQL connection is only accepted from localhost. Let’s not blame the webmasters; silly me? Why SQL inject in the first place when their phpMyAdmin was accessible without any password? I just had to find the correct path.

I was able to inject a backdoor using MySQL OUTFILE without logging into the admin panel and run CMD commands smoothly! Dear webmaster, please check and remove the user “admin” from your server users. Using the CMD backdoor I was able to view all the files inside the Windows server without connecting to RDP. The old Haveeru web source was also inside it!