This story began on an early autumn evening. It began when one of the companies that solve tests and write theses for negligent students decided to move its business entirely online. The offices around the city had already been closed ahead of time, and everyone who actually did the work was invited to the new website. The hero of our story received this invitation too. From everything that had happened he concluded that he was now a freelancer. For many reasons he did not like his new role. He disliked the site that had cost him his usual part-time job, a job that had been a decent help to a poor student, and that now forced him to pay for the chance to bid on an order. And what do we sometimes want to do with the things we hate? That's right, break them! That thought occurred to our freelancer. The evening promised to be interesting.
Let's start!
Now the Freelancer's knowledge of web security principles came in handy. Neither the reading of the relevant hub, nor the countless articles from the Internet, nor his modest practical experience had been for nothing. He was no longer a Freelancer but a Pentester, as we will call him from here on. He decided to start with the search form on one of the first pages. So... SQLi? No. But XSS... maybe! The field was filtered, but not strictly, and something could be done with it. This is where the real interest in exploring the resource began! About fifteen minutes went into developing the attack vector, and there it was: the long-awaited "Oops!" appeared on the screen in an alert window. But what followed left Pentester a little upset: there was a persistent stored ("active") XSS in the username field. It was a shame to have spent so much time fighting an ordinary reflected ("passive") XSS when, on the very next page, nothing stood in the way of injecting code into the order feed, that is, onto the site's home page! Evil thoughts spun in his head: what if... No. Pentester was not going to exploit the holes he had found. Pleased with himself, he sat down to write a report to the resource's administration. But it would be too boring a story if it were destined to end here.
More interesting
The person in charge of the new freelance website, whom we will simply call Admin, knew perfectly well that the feedback form on the resource was disabled and the mailbox did not work. So he was not surprised by a phone call about this particular site. In response to a statement about security problems he just said that he was very interested in the matter and gave his contact e-mail. Pentester wrote it down with his favorite gel pen in a notebook, and half an hour later he was waiting for a reply. The reply kept him waiting. It said that the vulnerability would be fixed as soon as possible, and Pentester was promised a small cash reward. The poor student was pleased with this: honest money for honest work was exactly what he lacked right now. He left his details and waited. Two days. A week. A month. The days were getting shorter, and the site administration seemed to have forgotten about him. Admin, and it was he who read the letters, even stopped answering mail. And then Pentester decided to take the analysis of the freelance exchange seriously. He did not even know why; he just liked the work.
Deal, gentlemen!
The study began. A quick inspection showed that the site was built on a third-party CMS, which could not be identified immediately. Looking at the forms on the search and personal-information pages gave nothing. Modifying all the other data sent in POST and GET requests revealed nothing new either. But one aspect of the site's operation had not yet received attention: the ordering procedure. And one moment in it aroused particular interest. It only remained to check... And yes! The file with the finished work, at the moment it was exchanged between contractor and customer, was simply placed in a folder with standard access rights and was not filtered by extension. A very childish mistake, thought Pentester; he could not even believe that an exchange whose turnover was measured in many hundreds of thousands of rubles could afford such an oversight. And our new intruder could not resist using it. After a small war with the antivirus, which persistently wiped the PHP shell from the disk, the script was successfully uploaded to the server. A few mouse clicks, and Pentester saw on his monitor the coveted shell menu and the files of the site's root directory.
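The upload handler described above is the core mistake of this story: a user-supplied file written into a web-served folder under its original name and extension, so the server happily executes whatever arrives. The handler below is an added example written for this page, not Cotonti's code and not the exchange's; the storage path, the size limit, the whitelist of document types and the function names are assumptions. It shows the checks a defender wants on such an upload: an extension whitelist, a MIME check on the actual bytes rather than the client's Content-Type, a random server-side name, storage outside the document root, and delivery through a download function that never lets the web server interpret the file.

```php
<?php
// Added example (not Cotonti's code): hardened handling of a "finished work" upload.
// Assumptions: files live outside the web root in STORAGE_DIR and are served only
// through send_work_file(), which streams them as an attachment.

declare(strict_types=1);

const STORAGE_DIR = '/var/app/private_uploads';   // assumed path, not web-served
const MAX_BYTES   = 20 * 1024 * 1024;              // assumed 20 MB limit

// Extensions the exchange actually needs for student work; everything else is refused.
// Each entry maps to the MIME types finfo is allowed to report for it.
// (Older libmagic builds may report application/zip for .docx; extend the list if so.)
const ALLOWED = [
    'pdf'  => ['application/pdf'],
    'doc'  => ['application/msword'],
    'docx' => ['application/vnd.openxmlformats-officedocument.wordprocessingml.document'],
    'zip'  => ['application/zip'],
    'txt'  => ['text/plain'],
];

/**
 * Validate one entry of $_FILES and move it into private storage.
 * Returns the opaque stored name on success; throws on any policy violation.
 */
function save_work_file(array $file, int $orderId): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed: code ' . $file['error']);
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');   // blocks local-path tricks
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }

    // 1. Extension whitelist on the user-supplied name. Only the LAST extension counts;
    //    the original name never reaches the filesystem, so "work.php.pdf" is harmless.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED)) {
        throw new RuntimeException("extension '$ext' is not allowed");
    }

    // 2. MIME sniffing on the bytes, not on the client-supplied Content-Type.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!in_array($mime, ALLOWED[$ext], true)) {
        throw new RuntimeException("content type $mime does not match .$ext");
    }

    // 3. Random server-side name: neither the extension nor path characters from the
    //    client can be abused, and the stored name is unguessable.
    $stored = sprintf('%d_%s.%s', $orderId, bin2hex(random_bytes(16)), $ext);
    $dest   = STORAGE_DIR . '/' . $stored;

    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640);          // readable by the app user only, never executable
    return $stored;
}

/**
 * Serve a stored file. The name comes from the database, not from the URL, and is
 * re-validated so a tampered record cannot turn this into a path-traversal reader.
 */
function send_work_file(string $stored, string $downloadName): void
{
    if (!preg_match('/^\d+_[0-9a-f]{32}\.[a-z0-9]+$/', $stored)) {
        throw new RuntimeException('invalid stored name');
    }
    $path = STORAGE_DIR . '/' . $stored;
    if (!is_file($path)) {
        throw new RuntimeException('missing file');
    }
    header('Content-Type: application/octet-stream');   // never let the browser "guess"
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="' . rawurlencode($downloadName) . '"');
    header('Content-Length: ' . (string) filesize($path));
    readfile($path);
}
```

If the files must remain under the web root for some reason, the missing half of the fix is to switch script execution off for that directory at the web server (for Apache with mod_php, `php_admin_flag engine off` in the directory's configuration; for nginx, a `location` block for the upload path that has no FastCGI handler), so that even a file that slipped past validation is served as bytes, not run.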
What is inside?
What kind of CMS was so kind to Pentester and calmly let him go where entry was strictly prohibited?
The first lines of the first file he opened gave the answer: it was Cotonti, which, according to Wikipedia, "provides protection against most known types of network attacks: PHP injection, uploading files that do not match their type, SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF), etc." As you can see, you should not believe everything written in the free encyclopedia, although for any even slightly savvy technical student this is obvious. Analysis of the database showed that the standard eight-digit passwords, stored as plain md5 hashes, held up well enough against the free hash databases. But the passwords set by users themselves failed such checks and cracked like nuts: digits resembling dates, and even one nine-character surname typed in the English keyboard layout. As it turned out after a detailed review of the results, the numeric passwords belonged to test users, and the only one that had really been changed, to an absolutely non-crypto-resistant password, belonged to, who would you think? An employee of the company, still sitting in the one office that remained, who placed orders for the students who came to her, though now in a more unusual form. By the way, the balance of her account was several hundred thousand rubles, which our Pentester did not touch even with a finger. He had a different plan in mind.
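The reason the employee's password fell so easily is that the table held a bare md5 of it: unsalted, fast to compute, and directly comparable with precomputed hash databases. The snippet below is an added example, not Cotonti's code, showing how a site in that position migrates to `password_hash()` without forcing a reset: a login that still matches the legacy md5 is immediately rehashed with a salted, slow algorithm and the md5 is dropped. The column names `password_md5` and `password_hash`, the in-memory users array and the sample credentials are all constructed for the example.

```php
<?php
// Added example (not Cotonti's code): replace bare md5 password hashes with
// password_hash() lazily, at the moment each user next logs in.
// Assumed columns: password_md5 (legacy) and password_hash (new).

declare(strict_types=1);

/** Constructed in-memory stand-in for the users table. */
$users = [
    // Legacy row: only the unsalted md5 of the password is stored.
    'employee' => ['password_md5' => md5('ivanova'), 'password_hash' => null],
    // Already migrated row.
    'test01'   => ['password_md5' => null,
                   'password_hash' => password_hash('83749201', PASSWORD_DEFAULT)],
];

/**
 * Verify a login and, if the row still carries a legacy md5, replace it with a
 * salted, slow hash on the spot. Returns true on success; $users is updated in place.
 */
function login(array &$users, string $name, string $password): bool
{
    // A real hash to verify against when the user does not exist, so that a
    // missing account costs the same time as a wrong password (no username oracle).
    static $dummy = null;
    $dummy ??= password_hash('not-a-real-password', PASSWORD_DEFAULT);

    if (!isset($users[$name])) {
        password_verify($password, $dummy);
        return false;
    }
    $row = &$users[$name];

    if ($row['password_hash'] !== null) {
        if (!password_verify($password, $row['password_hash'])) {
            return false;
        }
        // Rehash if the default algorithm or cost has moved on since this hash was made.
        if (password_needs_rehash($row['password_hash'], PASSWORD_DEFAULT)) {
            $row['password_hash'] = password_hash($password, PASSWORD_DEFAULT);
        }
        return true;
    }

    // Legacy path: constant-time compare against the md5, then migrate immediately.
    if (!hash_equals($row['password_md5'], md5($password))) {
        return false;
    }
    $row['password_hash'] = password_hash($password, PASSWORD_DEFAULT);
    $row['password_md5']  = null;      // the crackable hash leaves the database
    return true;
}

/** List rows whose md5 is still present, so the migration's progress can be tracked. */
function unmigrated(array $users): array
{
    return array_keys(array_filter($users, fn($r) => $r['password_md5'] !== null));
}

var_dump(login($users, 'employee', 'wrong'));      // false, row unchanged
var_dump(login($users, 'employee', 'ivanova'));    // true, row now carries a bcrypt hash
var_dump(unmigrated($users));                      // empty once everyone has logged in once
```

Accounts that never log in again keep their md5 indefinitely, so a migration like this is normally paired with a deadline after which `unmigrated()` rows are forced through a password reset; until then, the remaining md5 column is the part of the table worth watching most closely.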
Million Bucks Trick
Admin lived his life and, judging by how the site was being kept up to date, had completely forgotten all the problems connected with it. The site worked and brought in money. But on that sunny day something unexpected happened. Judging by the withdrawal logs, one of the users, for whom the database held not only no full name but not even the last-visit record into which the IP address was entered automatically, had tried to withdraw a fairly large sum from the system. The user was like a shadow: only an id and a nickname matching his behavior, say, Shadow. Digging deeper, Admin realized that Shadow could not have withdrawn any money; the multi-digit sum was just as illusory as the user himself. In fact, it simply did not exist. But the irrefutable machine records said otherwise: the money was there and had to be paid out. Panic began to grow. Pentester was quietly finishing his cup of coffee at that moment, and when only a little of the half-dried drink was left at the bottom, his eyes fell on the new-message indicator. One unread: a letter from the Admin who had forgotten him so long ago. "Isn't it you who is practicing on us?" The text of the letter was naive. After waiting a few minutes, Pentester poured himself another cup of coffee and dialed Admin's number.
"Hello," he said calmly, "judging by your last letter, I understand that you have problems, and I even know what could have happened. The fact is that I did not reveal to you all the gaps in the security of the resource until you forgot about me. Can you tell me more about what's up with you?"
In response came a confused speech from Admin trying to explain the situation. A few minutes later he succeeded.
"I probably understand how it happened with the intruder," said Pentester, thinking to himself that only a few well-formed SQL queries could work wonders. "I could even help you, but you behaved very badly at the time of our first collaboration..."
The conversation lasted a few more minutes and contained many apologies. A day later a symbolic 1000 rubles arrived in Pentester's account. But he no longer needed the money; the confused and frightened voice on the line had been enough for him to decide for himself that justice had prevailed. Two days later the vulnerability Admin had been told about was eliminated by disabling the file-sharing functionality, which was restored a day later. The shadow disappeared just as it had appeared on the site. No one even noticed the moment when the user with the ill-fated id simply vanished, leaving not a single byte in the table.
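The "irrefutable machine records" that sent Admin into a panic were irrefutable only because the payout logic trusted a balance column that anyone with database access could write to directly, which is what a few well-formed SQL queries amount to. The audit below is an added example, not the exchange's code, of the check that catches this: every withdrawal is reconciled against the transaction ledger before it is paid, and an account with no login history is held regardless. The users, ledger and withdrawal rows, including the Shadow-like account, are constructed sample data; the column names are assumptions.

```php
<?php
// Added example (not the exchange's code): reconcile stored balances against the
// transaction ledger before paying out a withdrawal. All rows below are constructed.

declare(strict_types=1);

/** Constructed sample of the users table: id, nickname, stored balance, last visit. */
const USERS = [
    ['id' => 17,   'name' => 'ivan_writer', 'balance' => 12500,
     'last_visit' => '2013-09-30 21:14:02', 'last_ip' => '198.51.100.23'],
    ['id' => 4021, 'name' => 'Shadow',      'balance' => 850000,
     'last_visit' => null,                  'last_ip' => null],
];

/** Constructed ledger: every credit or debit that ever legitimately changed a balance. */
const LEDGER = [
    ['user_id' => 17, 'amount' => 15000, 'kind' => 'order_payment'],
    ['user_id' => 17, 'amount' => -2500, 'kind' => 'commission'],
    // No rows at all for user 4021: its balance was written straight into the users table.
];

/** Constructed withdrawal queue awaiting payout. */
const WITHDRAWALS = [
    ['user_id' => 17,   'amount' => 10000],
    ['user_id' => 4021, 'amount' => 850000],
];

/** Sum the ledger per user. Returns [user_id => reconciled balance]. */
function ledger_balances(array $ledger): array
{
    $sums = [];
    foreach ($ledger as $row) {
        $sums[$row['user_id']] = ($sums[$row['user_id']] ?? 0) + $row['amount'];
    }
    return $sums;
}

/**
 * Decide for each withdrawal whether it may be paid. Returns [user_id => list of reasons];
 * an empty list means the request passed every check.
 */
function audit_withdrawals(array $users, array $ledger, array $withdrawals): array
{
    $byId      = array_column($users, null, 'id');
    $ledgerBal = ledger_balances($ledger);
    $result    = [];

    foreach ($withdrawals as $w) {
        $u = $byId[$w['user_id']] ?? null;
        if ($u === null) {
            $result[$w['user_id']] = ['unknown account'];
            continue;
        }
        $reasons    = [];
        $fromLedger = $ledgerBal[$u['id']] ?? 0;

        // 1. The stored balance must be explained by the ledger, row for row.
        if ($u['balance'] !== $fromLedger) {
            $reasons[] = sprintf('balance %d not backed by ledger (%d)', $u['balance'], $fromLedger);
        }
        // 2. An account that never logged in has no business withdrawing anything.
        if ($u['last_visit'] === null || $u['last_ip'] === null) {
            $reasons[] = 'no login history';
        }
        // 3. Pay only from the reconciled amount, never from the stored column.
        if ($w['amount'] > $fromLedger) {
            $reasons[] = sprintf('requested %d exceeds reconciled balance %d', $w['amount'], $fromLedger);
        }
        $result[$u['id']] = $reasons;
    }
    return $result;
}

$audit = audit_withdrawals(USERS, LEDGER, WITHDRAWALS);
foreach ($audit as $id => $reasons) {
    echo $id, ': ', $reasons ? 'HOLD (' . implode('; ', $reasons) . ')' : 'OK', PHP_EOL;
}
```

In this sample, user 17 passes all three checks and user 4021 is held on all three. The design point is that the ledger, not the balance column, is the source of truth: a balance that cannot be rebuilt from ledger rows is treated as corrupt, and the mismatch itself is the alert worth logging, since it is exactly the trace a direct edit to the table leaves behind.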
Instead of conclusions and a closing
Pentester wondered for a long time: had he done the right thing? Could he have resisted the momentary impulse, or was the whole story meant to look different? In any case, he decided for himself that the outcome was entirely successful. The site no longer suffered from security problems and became reasonably well protected, and Pentester received his small bonus. And Pentester, now definitely Pentester and not the Freelancer, never returned to the exchange that had left so many impressions in his heart.