
Hacking the University of Skolkovo and "neighboring" sites

I thought a post in my personal blog / Twitter / VK would be enough, but it wasn't. Publicity is what matters here, so I am writing it up again.


For the first time in my life I am writing about a compromised resource. Although there have been cases N times larger ...
Background
There is a university called OtUS, the Open University Skolkovo. It used to be (and still is) only in Moscow, and is now opening in Tomsk / St. Petersburg. They came to us with a presentation to motivate people to apply (very cool guys came, and they inspired me to enter, even though I am skeptical about Skolkovo). I went to fill out an application, and a habit simply kicked in ...
Upload of arbitrary files, with no properly configured .htaccess
Outcome: full access to the source code, materials, admission applications and databases of the following sites:

And some others I don't remember.
But the students have nothing to do with it, and I didn't dig any deeper. I looked at the architecture of the resource, the database and a couple of source files (I have never seen code like that in my life; I'll tell you about the captcha under the cut, govnokod #1, really) and informed support.

The purpose of this post is to be 100% sure that after this publication this student admission script will be removed forever.

(although the administrator and I did talk a little on this topic). But so that it is not forgotten as usual, with the thought "it works, so it's fine" (as happens in the CIS), we make a control shot.

Database
Passwords are stored in plaintext. At that time there were about 1.5k+ users with various personal data.
Folder owners / web processes
All sites run under one user (both the web server process and the folders) // in principle, partially forgivable, it is not a hosting provider
Source code of apply.openu
This is simply zvizdets. I have never seen this anywhere. Now about the promised captcha ...
They had drawn 30 pictures with codes in them (in Paint, I suspect; there was no image distortion), one of which was issued to the user at random (which one was not recorded). And on the server side ...
$c1 = $_REQUEST['thecode'];
$i = 0;
// the full list of valid answers, hardcoded
$names[]="GH4BFRO"; $names[]="EWRHJ42"; $names[]="JSWDWQ5"; $names[]="REJ5JN4"; $names[]="JFUJN47";
$names[]="WFEW4B2"; $names[]="QSDY68M"; $names[]="BNMCF9J"; $names[]="VBDXIN5"; $names[]="RVXSBT5";
$names[]="XCHJN5S"; $names[]="UETRJ65"; $names[]="VBNH3UA"; $names[]="VBRJM4Z"; $names[]="RSNZGWE";
$names[]="GHFTGRO"; $names[]="AZWDWQ5"; $names[]="EWUBN42"; $names[]="AQW5JN4"; $names[]="JF66N47";
$names[]="GHJW4B2"; $names[]="QS45V8M"; $names[]="BCVAF9J"; $names[]="5VASIN5"; $names[]="CVBZBT5";
$names[]="X3CZN5S"; $names[]="UBN2RJ6"; $names[]="VBNHR4Z"; $names[]="VBBNM4Z"; $names[]="QWSX2IX";
...
// quoted as found: "$i ==0" is a comparison, not an assignment ($i was already set to 0 above),
// and the loose == accepts any one of the 30 answers regardless of which picture was shown
for ($i ==0; $i < 30; $i++) {
    if ($c1 == $names[$i]) {
        ...

The captcha codes are simply hardcoded. Accept the request, loop through the whole array, find a match, and the captcha is valid.
That is just to show the level of the code :), and everything else is in the same spirit.
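As an added example (not the site's code, written for this page), a session-bound replacement for the check quoted above: the answer is generated per visitor, stored only on the server, accepted once, and compared strictly. It assumes PHP 7+ and keeps the form field name thecode from the snippet.

```php
<?php
// Added example, not apply.openu code. Assumes PHP >= 7.0 (random_int, hash_equals)
// and that sessions are enabled; 'thecode' is the field name from the quoted snippet.
const CAPTCHA_LEN = 7;
const CAPTCHA_ALPHABET = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789'; // no 0/O or 1/I confusion

// Generate a fresh answer, remember it server-side, and return it so the caller
// can render it into an image. The answer never goes into HTML, a URL or a static file name.
function captcha_issue(): string {
    $alphabet = CAPTCHA_ALPHABET;
    $max = strlen($alphabet) - 1;
    $code = '';
    for ($i = 0; $i < CAPTCHA_LEN; $i++) {
        $code .= $alphabet[random_int(0, $max)];
    }
    $_SESSION['captcha'] = ['code' => $code, 'issued' => time()];
    return $code;
}

// Verify the submitted answer against the session copy. The stored answer is
// discarded whether or not the check passes, so one picture yields one attempt,
// and an expired answer is rejected.
function captcha_verify(string $submitted, int $ttl = 300): bool {
    if (!isset($_SESSION['captcha'])) {
        return false;
    }
    $expected = $_SESSION['captcha'];
    unset($_SESSION['captcha']);
    if (time() - $expected['issued'] > $ttl) {
        return false;
    }
    // hash_equals: constant-time, strict string comparison (no loose == coercion)
    return hash_equals($expected['code'], strtoupper(trim($submitted)));
}

session_start();
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $ok = captcha_verify((string)($_POST['thecode'] ?? ''));
    http_response_code($ok ? 200 : 400);
    echo $ok ? 'captcha ok' : 'captcha failed';
} else {
    $code = captcha_issue();
    // render $code into a distorted image here (e.g. with GD); never echo $code itself
}
```

Because the answer lives only in the session, a fixed set of picture files cannot be mapped back to a fixed set of accepted strings the way the 30 .gif files above can.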

I sincerely believe that this personal account system will be ripped out by the roots and that management will take care not only of the beautiful design but also of the security of its resources. At the moment the personal account is closed, since the acceptance of applications has closed, and I have published this post with a clear conscience. // I was told a little about why everything is so "bad", but apparently a thrashing is needed, and then everything will be different

To the students, successful studies; I hope the course program will be at a decent level (judging by the stories from the Moscow days)
upd: as noted by Old_Chroft, the registration form was simply commented out in the HTML. The captcha codes in the pictures:
http://apply.openu.ru/cap/1.gif
http://apply.openu.ru/cap/2.gif
http://apply.openu.ru/cap/3.gif
...
http://apply.openu.ru/cap/29.gif
http://apply.openu.ru/cap/30.gif

They can be compared with the source above.

Source: https://habr.com/ru/post/137196/

