Chapter 6

Locating Exploits and Finding Targets

Solutions in this chapter:

    Locating Exploit Code
    Locating Vulnerable Targets
    Links to Sites

Summary
Solutions Fast Track
Frequently Asked Questions

452_Google_2e_06.qxd 10/5/07 12:52 PM Page 223

Introduction

Exploits are tools of the hacker trade. Designed to penetrate a target, most hackers have many different exploits at their disposal. Some exploits, termed zero day or 0day, remain underground for some period of time, eventually becoming public, posted to newsgroups or Web sites for the world to share. With so many Web sites dedicated to the distribution of exploit code, it's fairly simple to harness the power of Google to locate these tools. It can be a slightly more difficult exercise to locate potential targets, even though many modern Web application security advisories include a Google search designed to locate potential targets.

In this chapter we'll explore methods of locating exploit code and potentially vulnerable targets. These are not strictly "dark side" exercises, since security professionals often use public exploit code during a vulnerability assessment. However, only black hats use those tools against systems without prior consent.
Locating Exploit Code

Untold hundreds and thousands of Web sites are dedicated to providing exploits to the general public. Black hats generally provide exploits to aid fellow black hats in the hacking community. White hats provide exploits as a way of eliminating false positives from automated tools during an assessment. Simple searches such as remote exploit and vulnerable exploit locate exploit sites by focusing on common lingo used by the security community. Other searches, such as inurl:0day, don't work nearly as well as they used to, but old standbys like inurl:sploits still work fairly well. The problem is that most security folks don't just troll the Internet looking for exploit caches; most frequent a handful of sites for the more mainstream tools, venturing to a search engine only when their bookmarked sites fail them. When it comes time to troll the Web for a specific security tool, Google's a great place to turn first.
Locating Public Exploit Sites

One way to locate exploit code is to focus on the file extension of the source code and then search for specific content within that code. Since source code is the text-based representation of the difficult-to-read machine code, Google is well suited for this task. For example, a large number of exploits are written in C, which generally uses source code ending in a .c extension. Of course, a search for filetype:c c returns nearly 500,000 results, meaning that we need to narrow our search. A query for filetype:c exploit returns around 5,000 results, most of which are exactly the types of programs we're looking for. Bearing in mind that these are the most popular sites hosting C source code containing the word exploit, the returned list is a good start for a list of bookmarks.
Using page-scraping techniques, we can isolate these sites by running a UNIX command such as:

    grep Cached exploit_file | awk -F"-" '{print $1}' | sort -u

against the dumped Google results page. Using good, old-fashioned cut and paste or a command such as lynx -dump works well for capturing the page this way. The slightly polished results of scraping 20 results from Google in this way are shown in the list below.
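The awk -F"-" step in that pipeline splits on every hyphen, so a hostname such as security-tools.example.com would be cut down to "security". As an added example (not from the book), here is the same site-isolation step written in Python, splitting on the " - Cached" marker instead, run over a constructed lynx -dump style excerpt; the hostnames in it are illustrative, not real results.

```python
import re
from typing import List

# Constructed sample of a text dump of a Google results page (the shape that
# "lynx -dump" produces).  Only the lines carrying a "Cached" link matter for
# isolating sites.  Hostnames are illustrative.
SAMPLE_DUMP = """\
   1. Remote buffer overflow exploit for foo 1.2 - C source
      www.example-archive.org/exploits/foo.c - 12k - Cached - Similar pages
   2. Another exploit listing
      packetstorm.example.net/0501-exploits/bar.c - Cached - Similar pages
   3. Mirror of the same file
      packetstorm.example.net/0501-exploits/bar.c - Cached - Similar pages
   4. Hyphenated hostname that breaks awk -F"-"
      security-tools.example.com/sploits/ - 9k - Cached - Similar pages
   5. A result line without a cache link
      www.example.org/no-cache-here.html - Similar pages
"""

# Match the URL that precedes the " - Cached" marker (with an optional
# " - 12k" size field in between).  Anchoring on the marker instead of on
# every "-" keeps hyphenated hostnames intact.
CACHED_LINE = re.compile(r"^\s*(?P<url>\S+)(?:\s+-\s+\d+k)?\s+-\s+Cached\b")


def hosts_from_dump(dump: str) -> List[str]:
    """Return the sorted, de-duplicated hostnames of results that carry a Cached link."""
    hosts = set()
    for line in dump.splitlines():
        m = CACHED_LINE.match(line)
        if not m:
            continue
        # Drop the path: the bookmark list wants sites, not individual files.
        hosts.add(m.group("url").split("/", 1)[0])
    return sorted(hosts)


if __name__ == "__main__":
    for host in hosts_from_dump(SAMPLE_DUMP):
        print(host)
```

Duplicate results for the same host collapse to one entry, exactly as sort -u does; the difference from the one-liner is only that hyphenated hostnames survive.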
    download2.rapid7.com/r7-0025
    securityvulns.com/files
    www.outpost9.com/exploits/unsorted
    downloads.securityfocus.com/vulnerabilities/exploits
    packetstorm.linuxsecurity.com/0101-exploits
    packetstorm.linuxsecurity.com/0501-exploits
    packetstormsecurity.nl/0304-exploits
    www.packetstormsecurity.nl/0009-exploits
    www.0xdeadbeef.info
    archives.neohapsis.com/archives/
    packetstormsecurity.org/0311-exploits
    packetstormsecurity.org/0010-exploits
    www.critical.lt
    synnergy.net/downloads/exploits
    www.digitalmunition.com
    www.safemode.org/files/zillion/exploits
    vdb.dragonsoft.com.tw
    unsecure.altervista.org
    www.darkircop.org/security
    www.w00w00.org/files/exploits/

Underground Googling...

Google Forensics

Google also makes a great tool for performing digital forensics. If a suspicious tool is discovered on a compromised machine, it's pretty much standard practice to run the tool through a UNIX command such as strings -8 to get a feel for the readable text in the program. This usually reveals information such as the usage text for the tool, parts of which can be tweaked into Google queries to locate similar tools. Although obfuscation programs are becoming more and more commonplace, the combination of strings and Google is very powerful, when used properly, capable of taking some of the mystery out of the vast number of suspicious tools on a compromised machine.
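As an added example of the strings -8 step (not from the book), the Python below pulls runs of at least eight printable ASCII characters out of a constructed byte string that stands in for a suspicious binary, then filters for the ones that look like usage text; those are the phrases a responder would search on. The binary content is made up for the example.

```python
import re
from typing import List

# Constructed stand-in for a suspicious binary recovered from a compromised
# host: a few bytes of "machine code" noise with readable text embedded, the
# way real tools carry their help banner in the data segment.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00"
    b"\x48\x89\xe5\x48\x83\xec\x10"
    b"usage: %s <host> <port> [-v]\x00"
    b"\x31\xc0\xc3"
    b"connected\x00"            # 9 characters: kept at the default minimum of 8
    b"ok\x00"                   # too short: dropped, as strings -8 would drop it
    b"Copyright (c) 2007 example-author\x00"
    b"\x90\x90\xcc"
)


def extract_strings(data: bytes, min_len: int = 8) -> List[str]:
    """Return every run of at least min_len printable ASCII bytes (0x20-0x7e
    plus tab), in file order, mimicking `strings -<min_len>`."""
    pattern = re.compile(rb"[\x20-\x7e\t]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def usage_lines(data: bytes, min_len: int = 8) -> List[str]:
    """Keep only the strings that look like a tool's usage or help text: the
    parts of the output worth turning into a search for similar tools."""
    return [
        s for s in extract_strings(data, min_len)
        if re.search(r"\b(usage|options|help)\b", s, re.IGNORECASE)
    ]


if __name__ == "__main__":
    for s in extract_strings(SAMPLE_BINARY):
        print(s)
```

Lowering min_len surfaces short tokens such as "ELF" alongside a lot of noise from opcode bytes that happen to be printable, which is why the chapter's strings -8 starting point is a sensible default.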
Locating Exploits Via Common Code Strings

Since Web pages display source code in various ways, a source code listing could have practically any file extension. A PHP page might generate a text view of a C file, for example, making the file extension from Google's perspective .PHP instead of .C.

Another way to locate exploit code is to focus on common strings within the source code itself. One way to do this is to focus on common inclusions or header file references. For example, many C programs include the standard input/output library functions, which are referenced by an include statement such as #include <stdio.h> within the source code. A query such as "#include <stdio.h>" exploit would locate C source code that contained the word exploit, regardless of the file's extension. This would catch code (and code fragments) that are displayed in HTML documents. Extending the search to include programs that include a friendly usage statement with a query such as "#include <stdio.h>" usage exploit returns the results shown in Figure 6.1.

Figure 6.1 Searching for Exploit Code with Nonstandard Extensions

This search returns quite a few hits, nearly all of which contain exploit code. Using traversal techniques (or simply hitting up the main page of the site) can reveal other exploits or tools. Notice that most of these hits are HTML documents, which our previous filetype:c query would have excluded. There are lots of ways to locate source code using common code strings, but not all source code can be fit into a nice, neat little box. Some code can be nailed down fairly neatly using this technique; other code might require a bit more query tweaking. Table 6.1 shows some suggestions for locating source code with common strings.

Table 6.1 Locating Source Code with Common Strings

Language        Extension (Optional)   Sample String
asp.net (C#)    Aspx                   ""
C#              Cs                     "using System;" class
c++             Cpp                    "#include "stdafx.h""
Java            J, JAV                 class public static
JavaScript      JS                     ""
Perl            PERL, PL, PM           "#!/usr/bin/perl"
Python          Py                     "#!/usr/bin/env"
VBScript        .vbs                   ""
Visual Basic    Vb                     "Private Sub"

In using this table, a filetype search is optional. In most cases, you might find it's easier to focus on the sample strings so that you don't miss code with funky extensions.
Locating Code with Google Code Search

Google Code Search (www.google.com/codesearch) can be used to search for public source code. In addition to allowing queries that include powerful regular expressions, code search introduces unique operators, some of which are listed in Table 6.2.

Table 6.2 Google Code Search Operators

Operator   Description                                                     Example
file       Search for specific types of files. Parameters can include      file:js
           file names, extensions, or full path names.
package    Search within a specific package, often listed as a URL or     package:linux.*.tar.gz
           CVS server name
lang       Search for code written in specific languages                    lang:"c++"
license    Search for code written under specific licenses                  license:gpl

Code search is a natural alternative to the techniques we covered in the previous section. For example, in Table 6.1 we used the web search term "#include <stdio.h>" to locate programs written in the C programming language. This search is effective, and locates C code, regardless of the file extension. This same query could be reformatted as a code search query by simply removing the quotes as shown in Figure 6.2.

Figure 6.2 Code Search used to locate Header Strings

If we're trying to locate C code, it makes more sense to query code search for lang:c or lang:c++. Although this may feel an awful lot like searching by file extension, this is a bit more advanced than a file extension search. Google's Code Search does a decent job of analyzing the code (regardless of extension) to determine the programming language the code was written in. Check out the second hit in Figure 6.2. As the snippet clearly shows, this is C code, but is embedded in an HTML file, as revealed by the file name, perlos390.html.

As many researchers and bloggers have reported, Google Code Search can also be used to locate software that contains potential vulnerabilities, as shown in Table 6.3.

Table 6.3 Google Code Searches for Vulnerable Code

Google Code Search Query                              Description                                        Author
lang:php (echo|print).*\$_(GET|POST|COOKIE|REQUEST)   Code which displays untrusted variables passed     Ilia Alshanetsky
                                                      via GET/POST or cookies. Classic XSS (Cross-Site
                                                      scripting) vulnerability.
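Google Code Search is no longer available, but the regular expression in Table 6.3 works just as well as a first-pass audit of a PHP code base you hold locally. The Python below is an added example (not from the book, and not code from any real PHP project) that applies that pattern line by line to two constructed PHP files and then sorts the hits by whether an HTML-encoding call is visible on the same line. It shows what the pattern catches and what it does not: the htmlspecialchars() line is still flagged, and the value copied into $theme before being printed is missed.

```python
import re
from typing import Dict, List, Tuple

# The Code Search regular expression from Table 6.3, applied locally.  It
# flags output statements whose argument list mentions a superglobal that
# carries attacker-controlled data.
UNTRUSTED_OUTPUT = re.compile(r"(echo|print).*\$_(GET|POST|COOKIE|REQUEST)")

# Constructed PHP snippets standing in for files in a code base under review.
SAMPLE_FILES: Dict[str, str] = {
    "search.php": (
        "<?php\n"
        "$q = $_GET['q'];\n"
        "echo 'Results for ' . $_GET['q'];\n"                            # reflected, unencoded
        "print \"Page \" . $_REQUEST['page'];\n"                          # reflected, unencoded
    ),
    "profile.php": (
        "<?php\n"
        "echo htmlspecialchars($_POST['name'], ENT_QUOTES, 'UTF-8');\n"  # encoded: flagged anyway
        "$theme = $_COOKIE['theme'];\n"                                   # read here ...
        "echo 'Theme: ' . $theme;\n"                                      # ... printed here: missed
    ),
}

Hit = Tuple[str, int, str]  # (file name, line number, source line)


def scan_php(files: Dict[str, str]) -> List[Hit]:
    """Return every line the Table 6.3 pattern matches, in file and line order.
    Line-oriented, like the snippet view Code Search showed."""
    hits: List[Hit] = []
    for name, source in files.items():
        for lineno, line in enumerate(source.splitlines(), start=1):
            if UNTRUSTED_OUTPUT.search(line):
                hits.append((name, lineno, line.strip()))
    return hits


ENCODED = re.compile(r"\b(htmlspecialchars|htmlentities)\s*\(")


def triage(hits: List[Hit]) -> Dict[str, List[Hit]]:
    """Split hits into lines with no visible encoding call ('review') and
    lines where one is present on the same line ('encoded'), so a reviewer
    reads the first bucket first.  Encoding hidden inside a helper function
    would still land in 'review'; that is a limitation of a line-based check."""
    buckets: Dict[str, List[Hit]] = {"review": [], "encoded": []}
    for hit in hits:
        buckets["encoded" if ENCODED.search(hit[2]) else "review"].append(hit)
    return buckets


if __name__ == "__main__":
    for bucket, entries in triage(scan_php(SAMPLE_FILES)).items():
        for name, lineno, line in entries:
            print(f"[{bucket}] {name}:{lineno}: {line}")
```

Treat the hits as review candidates rather than findings: "print" also matches inside printf() and sprintf(), the encoding check only sees the current line, and a tainted value assigned to a local variable first slips through entirely (the $theme case above). Closing that last gap needs a taint-tracking analyzer, not a grep.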
174 Username:
175
176
177
178 Password:

These lines show typical HTML code and reveal username and password prompts that are displayed to the user. Based on this code, a query such as "username:" "password:" would seem reasonable, except for the fact that this query returns millions of results that are not even close to the types of pages we are looking for. This is because the colons in the query are effectively ignored and the words username and password are far too common to use for even a base search. Our search continues to line 191 of index.php, shown here:

191 echofooter();

This line prints a footer at the bottom of the Web page. This line is a function, an indicator that it is used many times through the program. A common footer that displays on several CuteNews pages could make for a very nice base query. We'll need to uncover what exactly this footer looks like by locating the code for the echofooter function. Running a command such as grep -r echofooter * will search every file in each directory for the word echofooter. This returns too many results, as shown in this abbreviated output:

    j0hnnys-Computer: j0hnny$ grep -r echofooter *
    inc/about.mdu:           echofooter();
    inc/addnews.mdu:         echofooter();
    inc/categories.mdu:      echofooter();
    inc/editnews.mdu:        echofooter();
    inc/editnews.mdu:        echofooter();
    inc/editusers.mdu:       echofooter();
    inc/functions.inc.php:   echofooter();
    inc/functions.inc.php:// Function: echofooter
    inc/functions.inc.php:function echofooter(){
    inc/help.mdu:            echofooter();

Most of the lines returned by this command are calls to the echofooter function, not the definition of the function itself. One line, however, precedes the word echofooter with the word function, indicating the definition of the function. Based on this output, we know that the file inc/functions.inc.php contains the code to print the Web page footer. Although there is a great deal of information in this function, as shown in Figure 6.17, certain things will catch the eye of any decent Google hacker. For example, line 168 shows that copyrights are printed and that the term "Powered by" is printed in the footer.

Figure 6.17 The echofooter Function Reveals Potential Query Strings

A phrase like "Powered by" can be very useful in locating specific targets due to their high degree of uniqueness. Following the "Powered by" phrase is a link to http://cutephp.com/cutenews/ and the string $config_version_name, which will list the version name of the CuteNews program. To have a very specific "Powered by" search to feed Google, the attacker must either guess the exact version number that would be displayed (remembering that version 1.3.1 of CuteNews was downloaded) or the actual version number displayed must be located in the source code. Again, grep can quickly locate this string for us. We can either search for the string directly or put an equal sign (=) after the string to find where it is defined in the code. A grep command such as grep -r "\$config_version_name =" * will do the trick:

    johnny-longs-g4 root$ grep -r "\$config_version_name =" *
    inc/install.mdu:        $config_version_name = "CuteNews v1.3.1";
    inc/options.mdu:        fwrite($handler, "
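Seen from the site owner's side, the same "Powered by <product> <version>" footer that makes a target easy to find is just as easy to audit for, and the chapter's summary makes the point that such strings shorten the time a defender has after an advisory. The Python below is an added example, not code from the book or from CuteNews: it scans constructed pages of a site for "Powered by" banners and reports which product and version each one reveals. The first sample footer mirrors the echofooter output discussed above (a link to cutephp.com followed by the version name); the other products are made up.

```python
import re
from typing import Dict, List, NamedTuple

# Constructed HTML fragments standing in for pages served by a site under
# review.  Only the first mirrors a real product's footer (CuteNews, as
# discussed in the text); the others are invented to exercise the matcher.
SAMPLE_PAGES: Dict[str, str] = {
    "/index.php": (
        '<div class="footer">Powered by '
        '<a href="http://cutephp.com/cutenews/">CuteNews v1.3.1</a> '
        '&copy; 2004 Example Site</div>'
    ),
    "/gallery/": "<p>Powered by Example Photo Gallery 1.3.2</p>",
    "/wiki/": '<span id="footer">powered by ExampleWiki</span>',
    "/about.html": "<p>Powered by coffee and goodwill</p>",
}


class Banner(NamedTuple):
    path: str
    product: str
    version: str   # "" when the banner names the product but prints no version


_TAGS = re.compile(r"<[^>]+>")

# "Powered by <one to four product words> [v]<dotted version>".  The product
# words are matched lazily so they stop right before the version number.
_WITH_VERSION = re.compile(
    r"powered\s+by\s+(?P<product>[A-Za-z][\w.-]*(?:\s+[A-Za-z][\w.-]*){0,3}?)"
    r"\s+v?(?P<version>\d+(?:\.\d+)+[a-z]?)\b",
    re.IGNORECASE,
)
# Fallback: a capitalised product name with no version after it.  Lower-case
# prose such as "powered by coffee" is deliberately not treated as a banner.
_NAME_ONLY = re.compile(
    r"(?i:powered\s+by)\s+(?P<product>[A-Z][\w.-]*(?:\s+[A-Z][\w.-]*){0,3})"
)


def find_banners(pages: Dict[str, str]) -> List[Banner]:
    """Return every 'Powered by' banner that names a product, with the version
    string when one is printed.  Markup is stripped first so a link wrapped
    around the product name (as in the CuteNews footer) does not hide it."""
    found: List[Banner] = []
    for path, html in pages.items():
        text = _TAGS.sub("", html)
        m = _WITH_VERSION.search(text)
        if m:
            found.append(Banner(path, m.group("product"), m.group("version")))
            continue
        m = _NAME_ONLY.search(text)
        if m:
            found.append(Banner(path, m.group("product"), ""))
    return found


def version_disclosures(pages: Dict[str, str]) -> List[Banner]:
    """Only the banners that print an exact version.  These are the strings an
    advisory-driven search keys on, so they are the first to remove or
    generalise once a vulnerability in that product is announced."""
    return [b for b in find_banners(pages) if b.version]


if __name__ == "__main__":
    for b in find_banners(SAMPLE_PAGES):
        print(f"{b.path:12} {b.product!r:28} version={b.version or '(none)'}")
```

Run it against a crawl of your own site rather than the vendor demo: a product name alone still marks the software family, but the exact version is what turns a generic "powered by" query into a targeted one.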
Table 6.4 continued Vulnerable Web Application Examples from the GHDB

Google Query
    Vulnerability Description

">Login form" inurl:"wp-login.php"
    Certain versions of WordPress contain XSS vulnerabilities.

inurl:"comment.php serendipity"
    Certain versions of Serendipity are vulnerable to SQL injection.

"Powered by AJ-Fork v.167"
    AJ-Fork v.167 is vulnerable to a full path disclosure.

"Powered by Megabook *" inurl:guestbook.cgi
    Certain versions of MegaBook are prone to multiple HTML injection vulnerabilities.

"Powered by yappa-ng"
    Certain versions of yappa-ng contain an authentication vulnerability.

"Active Webcam Page" inurl:8080
    Certain versions of Active WebCam contain directory traversal and XSS vulnerabilities.

"Powered by A-CART"
    Certain versions of A-CART allow for the downloading of customer databases.

"Online Store - Powered by ProductCart"
    Certain versions of ProductCart contain multiple SQL injection vulnerabilities.

"Powered by FUDforum"
    Certain versions of FUDforum contain SQL injection problems and file manipulation problems.

"BosDates Calendar System" "powered by BosDates v3.2 by BosDev"
    BosDates 3.2 has an SQL injection vulnerability.
intitle:"EMUMAIL - Login" "Powered by EMU Webmail"
    EMU Webmail version 5.0 and 5.1.0 contain XSS vulnerabilities.

intitle:"WebJeff - FileManager" intext:"login" intext:Pass|PAsse
    WebJeff-Filemanager 1.x has a directory traversal vulnerability.

inurl:"messageboard/Forum.asp"
    Certain versions of GoSmart Message Board suffer from SQL injection and XSS problems.

"1999-2004 FuseTalk Inc" -site:fusetalk.com
    Fusetalk forums v4 are susceptible to XSS attacks.

"2003 DUware All Rights Reserved"
    Certain versions of multiple DUware products suffer from SQL injection and HTML injection.

"This page has been automatically generated by Plesk Server Administrator"
    Certain versions of Plesk Server Administrator (PSA) contain input validation errors.

inurl:ttt-webmaster.php
    Turbo traffic trader Nitro v1.0 suffers from multiple vulnerabilities.

"Copyright 2002 Agustin Dondo Scripts"
    Certain versions of CoolPHP suffer from multiple vulnerabilities.

"Powered by CubeCart"
    CubeCart 2.0.1 has a full path disclosure and SQL injection problem.

"IdealBB Version: 0.1" -idealbb.com
    IdealBB 0.1 is reported prone to multiple unspecified input validation vulnerabilities.

"Powered by YaPig V0.92b"
    YaPiG v0.92b is reported to contain an HTML injection vulnerability.

inurl:"/site/articles.asp?idcategory="
    Certain versions of Dwc_Articles suffer from possible sql injections.

filetype:cgi inurl:nbmember.cgi
    Certain versions of Netbilling nbmember.cgi contains an information disclosure vulnerability.

"Powered by Coppermine Photo Gallery"
    Coppermine Photo Gallery 1.0, 1.1, 1.2, 1.2.1, 1.3, 1.3.1 and 1.3.2 contains a design error that may allow users to cast multiple votes for a picture.

"Powered by WowBB" -site:wowbb.com
    Certain versions of WowBB are reportedly affected by multiple input validation vulnerabilities.
"Powered by ocPortal" -demo -ocportal.com
    Certain versions of ocPortal is affected by a remote file include vulnerability.

inurl:"slxweb.dll"
    Certain versions of SalesLogix contain authentication vulnerability.

"Powered by DMXReady Site Chassis Manager" -site:dmxready.com
    Certain versions of the DMXReady Site Chassis Manager are susceptible to two remotely exploitable input validation vulnerabilities.

"Powered by My Blog" intext:"FuzzyMonkey.org"
    FuzzyMonkey My Blog versions 1.15-1.20 are vulnerable to multiple input validation vulnerabilities.

inurl:wiki/MediaWiki
    MediaWiki versions 1.3.1-6 are reported prone to a cross-site scripting vulnerability. This issue arises due to insufficient sanitization of user-supplied data.

"inurl:/site/articles.asp?idcategory="
    Dwc_Articles version prior to v1.6 suffers from SQL injection vulnerabilities.

"Enter ip" inurl:"php-ping.php"
    Certain versions of php-ping may be prone to a remote command execution vulnerabilities.

intitle:welcome.to.horde
    Certain versions of Horde Mail suffer from several vulnerabilities.

"BlackBoard 1.5.1-f | 2003-4 by Yves Goergen"
    BlackBoard Internet Newsboard System v1.5.1 is reported prone to a remote file include vulnerability.

inurl:"forumdisplay.php" +"Powered by: vBulletin Version 3.0.0..4"
    vBulletin 3.0.0.4 is reported vulnerable to a remote SQL injection vulnerability.

inurl:technote inurl:main.cgi *filename=*
    Certain versions of Technote suffer from a remote command execution vulnerability.

"running: Nucleus v3.1" -.nucleuscms.org -demo
    Multiple unspecified vulnerabilities reportedly affect Nucleus CMS v3.1.

"driven by: ASP Message Board"
    Infuseum ASP Message Board 2.2.1c suffers from multiple unspecified vulnerabilities.

"Obtenez votre forum Aztek" -site:forum-aztek.com
    Certain versions of Aztek Forum are prone to multiple input validation vulnerabilities.
intext:("UBB.threads 6.2" | "UBB.threads 6.3") intext:"You * not logged *" -site:ubbcentral.com
    UBB.Threads 6.2.* - 6.3.* contains a one character brute force vulnerability.

inurl:/SiteChassisManager/
    Certain versions of DMXReady Site Chassis Manager suffer from SQL and XSS vulnerabilities.

inurl:directorypro.cgi
    Certain versions of Directory Pro suffer from directory traversal vulnerabilities.

inurl:cal_make.pl
    Certain versions of PerlCal allows remote attackers to access files that reside outside the normally bounding HTML root directory.

"Powered by PowerPortal v1.3"
    PowerPortal 1.3 is reported vulnerable to remote SQL injection.

"powered by minibb" -site:www.minibb.net -intext:1.7f
    miniBB versions prior to 1.7f are reported vulnerable to remote SQL injection.

inurl:"/cgi-bin/loadpage.cgi?user_id="
    Certain versions of EZshopper allow Directory traversal.

intitle:"View Img" inurl:viewimg.php
    Certain versions of the 'viewing.php' script does not properly validate user-supplied input in the 'path' variable.

+"Powered by Invision Power Board v2.0.0.2"
    Invision Power Board v2.0.0 - 2.0.2 suffers from an SQL injection vulnerability.

+"Powered by phpBB 2.0.6..10" -phpbb.com -phpbb.pl
    phpbb 2.0.6 - 20.10 is vulnerable to SQL Injection.

ext:php intext:"Powered by phpNewMan Version"
    Certain versions of PHP News Manager are vulnerable to a directory traversal problem.

"Powered by WordPress" -html filetype:php -demo -wordpress.org -bugtraq
    Certain versions of WordPress are vulnerable to a few SQL injection queries.

intext:Generated.by.phpix.1.0 inurl:$mode=album
    PHPix v1.0 suffers from a directory traversal vulnerability.

inurl:citrix/metaframexp/default/login.asp?ClientDetection=On
    Certain versions of Citrix contain an XSS vulnerability in a widely used version of their Web Interface.
"SquirrelMail version 1.4.4" inurl:src ext:php
    SquirrelMail v1.4.4 contains an inclusion vulnerability.

"IceWarp Web Mail 5.3.0" "Powered by IceWarp"
    IceWarp Web Mail 5.3.0 contains multiple cross-site scripting and HTML injection vulnerabilities.

"Powered by MercuryBoard [v1"
    MercuryBoard v1 contains an unspecified vulnerability.

"delete entries" inurl:admin/delete.asp
    Certain versions of AspJar contain a flaw that may allow a malicious user to delete arbitrary messages.

allintitle:aspjar.com guestbook
    Certain versions of the ASPJar guestbook contain an input validation vulnerability.

"powered by CubeCart 2.0"
    Brooky CubeCart v2.0 is prone to multiple vulnerabilities due to insufficient sanitization of user-supplied data.

Powered.by:.vBulletin.Version...3.0.6
    vBulletin 3.0.6 is reported prone to an arbitrary PHP script code execution vulnerability.

filetype:php intitle:"paNews v2.0b4"
    PaNews v2.0b4 is reported prone to a remote PHP script code execution vulnerability.

"Powered by Coppermine Photo Gallery" ("v1.2.2b" | "v1.2.1" | "v1.2" | "v1.1" | "v1.0")
    Coppermine Photo Gallery versions 1.0, 1.1, 1.2, 1.2.1 and 1.2.2b are prone to multiple input validation vulnerabilities, some of which may lead to arbitrary command execution.

powered.by.instaBoard.version.1.3
    InstaBoard v1.3 is vulnerable to SQL Injection.

intext:"Powered by phpBB 2.0.13" inurl:"cal_view_month.php" | inurl:"downloads.php"
    phpBB 2.0.13 with installed Calendar Pro MOD are vulnerable to SQL injection attacks.

intitle:"myBloggie 2.1.1..2 — by myWebland"
    myBloggie v2.1.1 - 2.1.2 is affected by multiple vulnerabilities.

intitle:"osTicket :: Support Ticket System"
    Certain versions of osTicket contains several vulnerabilities.

inurl:sphpblog intext:"Powered by Simple PHP Blog 0.4.0"
    Simple PHP Blog v0.4.0 is vulnerable to multiple attacks including full path disclosure, XSS and other disclosures.
intitle:"PowerDownload" ("PowerDownload v3.0.2" | "PowerDownload v3.0.3") -site:powerscripts.org
    PowerDownload version 3.0.2 and 3.0.3 contains a remote execution vulnerability.

"portailphp v1.3" inurl:"index.php?affiche" inurl:"PortailPHP" -site:safari-msi.com
    PortailPHP v1.3 suffers from an SQL injection vulnerability.

+intext:"powered by MyBB" mysql.php -display
    osCommerce allow local file enumeration.

inurl:sysinfo.cgi ext:cgi
    Sysinfo 1.2.1 allows remote command execution.

inurl:perldiver.cgi ext:cgi
    Certain versions of perldiver.cgi allow XSS.

inurl:tmssql.php ext:php mssql pear adodb -cvs -akbk
    Certain versions of tmssql.php allow remote code execution.

"powered by phpphotoalbum" | inurl:"main.php?cmd=album" -demo2 -pitanje
    Certain versions of PHPphotoalbum allow local file enumeration and remote exploitation.

inurl:resetcore.php ext:php
    Certain versions of e107 contain multiple vulnerabilities.

"This script was created by Php-ZeroNet" "Script . Php-ZeroNet"
    Php-ZeroNet v1.2.1 contains multiple vulnerabilities.

"You have not provided a survey identification num
    PHPSurveyor 0995 allows SQL injection.

intitle:"HelpDesk" "If you need additional help, please email helpdesk at"
    PHP Helpdesk 0.6.16 allows remote execution of arbitrary data.

inurl:database.php | inurl:info_db.php ext:php "Database V2.*" "Burning Board *"
    Woltlab Burning Board 2.x contains multiple vulnerabilities.

intext:"This site is using phpGraphy" | intitle:"my phpgraphy site"
    phpGraphy 0911 allows XSS and denial of service.

intext:"Powered by PCPIN.com" -site:pcpin.com -ihackstuff -"works with" -findlaw
    Certain versions of PCPIN Chat allow SQL injection, login bypass and arbitrary local inclusion.

intitle:"X7 Chat Help Center" | X7 Chat"

for C programs.
Google Code Search

Google's Code Search (www.google.com/codesearch) can be used to search inside of program code, but it can also be used to find programming flaws that lead to vulnerabilities.

Locating Malware

Google's binary search feature can be used to profile executables, but it can also be used to locate live malware on the web. See H.D. Moore's search engine at http://metasploit.com/research/misc/mwsearch.

Locating Vulnerable Targets

Attackers can locate potential targets by focusing on strings presented in a vulnerable application's demonstration installation provided by the software vendor. Attackers can also download and optionally install a vulnerable product to locate specific strings the application displays. Regardless of how a string is obtained, it can easily be converted into a Google query, drastically narrowing the time a defender has to secure a site after a public vulnerability announcement.
Links to Sites

www.sensepost.com/research/wikto/ Wikto, an excellent Google and Web scanner.
www.cirt.net/code/nikto.shtml Nikto, an excellent Web scanner.
http://packetstormsecurity.com/ An excellent site for tools and exploits.
Ilia Alshanetsky http://ilia.ws/archives/133-Google-Code-Search-Hackers-best-friend.html
Nitesh Dhanjani http://dhanjani.com/archives/2006/10/using_google_code_search_to_.html
Chris Shiflett http://shiflett.org/blog/2006/oct/google-code-search-for-security-vulnerabilities
Stephen de Vries http://www.securityfocus.com/archive/107/447729/30/0
Michael Sutton's Blog:
http://portal.spidynamics.com/blogs/msutton/archive/2006/09/26/How-Prevalent-Are-SQL-Injection-Vulnerabilities_3F00_.aspx
http://portal.spidynamics.com/blogs/msutton/archive/2007/01/31/How-Prevalent-Are-XSS-Vulnerabilities_3F00_.aspx
Jose Nazario's page on Google Code Search insecurity stats: http://monkey.org/~jose/blog/viewpage.php?page=google_code_search_stats
Static Code Analysis with Google by Aaron Campbell: http://asert.arbornetworks.com/2006/10/static-code-analysis-using-google-code-search/
HD Moore's Malware Search http://metasploit.com/research/misc/mwsearch

Frequently Asked Questions

The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the "Ask the Author" form.

Q: CGI scanning tools have been around for years and have large scan databases with contributions from many hackers. What's the advantage of using Google, which depends on a site having been crawled by Googlebot? Doesn't that give fewer results?

A: Although this is true, Google provides some level of anonymity because it can show the cached pages using the strip=1 parameter, so the attacker's IP (black or white) is not logged at the server. Check out the Nikto code in Chapter 12, which combines the power of Google with the Nikto database!

Q: Are there any generic techniques for locating known vulnerable Web applications?

A: Try combining INURL:["parameter="] with FILETYPE:[ext] and INURL:[scriptname] using information from the security advisory. In some cases, version information might not always appear on the target's page. If you're searching for version information, remember that each digit counts as a word, so 1.4.2 is three words according to Google. You could hit the search word limit fast. Also remember that for Google to show a result, the site must have been crawled earlier. If that's not the case, try using a more generic search such as "powered by XYZ" to locate pages that could be running a particular family of software.