
Student Magazine

What is the state of our information security? How often do you ask yourself this question? What do you do to improve the security of your network? I will try to answer for you: rarely, and little. As practice shows, however, it is time to start.

So let's get started. First of all, I suggest that readers grab a cup of coffee, some cookies and half an hour of free time for our journey through the world of information security.

A lot of schools in our country have already been moved to electronic systems for tracking student performance, and the rest are catching up to this bar, but how good are these systems? And are they worth it?
These and other questions I will try to answer for you, using one of these systems as an example.

Not so long ago, around 2009, Russian education began to introduce the so-called ECZ (electronic class journal) everywhere. Directors and teachers are delighted, parents are always aware of their children's progress, and children are motivated to study so as not to get an "electronic" failing grade and to always please their parents. But, as they say, it was not to be! The much-praised product was great only in testing, but what about in reality?
It all starts ...

And to this was added the problem of the security of all the information: not just some grades, but passport data, home addresses and other confidential information, because everything is stored, added, edited, ... in the one program that our journal "communicates" with.

Since this system quickly "sprawled out" across our wide, immense country, after a few years posts began to appear on the Internet from enthusiasts saying that not everything is so smooth and there are loopholes. I checked a couple of those posts, but didn't really find anything serious: a banal substitution of cookies, and the opportunity to set a grade of "0", so that the average score for a quarter came out at approximately 6.45. Of course, the data was sent to the developers and the "0" was fixed in the next update, but the "cookies" were forgotten, and from there it all took off.

Over 2 hours, late one Monday night, I discovered what the first post had "trumpeted": the possibility of SQL injection, and not merely some user-level privilege, but root access to the server holding the main database.
Having played enough with logging in without a password as some Marya Ivanovna, I wanted more: access to the admin panel, and to try running my own queries.

An hour or two of traffic analysis, and success came. It was all outrageously simple. All requests were transmitted in the clear between the client and the server, and the responses always contained a little more than the necessary information, which helped to accomplish what I had planned.

The first packets always carried data about you (Marya Ivanovna): the login and password, in the form ivanovna & [password_hash]. By simply commenting out the password part, I got rid of the need to enter it at all, which is what I amused myself with at first.

Later I noticed that requests are simply sent to 2 directories (in a certain order): one goes to the journal's database, the other to the general, main database. This could only please me. I realized that everything runs on Firebird, took a couple of queries for dumping a structure from the site's office section, something like a privilege check, and ... it worked. With the structures of 2 different databases in hand, I understood that everything works: DROPs, CREATEs and so on.
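The login pattern described above (the client sends a login plus a password hash, and the server concatenates both into the query text) is shown beside a hardened version below. This is an added example, not code from the original post or from the journal system; sqlite3 stands in for Firebird so that it runs offline, and the table, column names and the constructed account are assumptions.

```python
import hashlib
import hmac
import secrets
import sqlite3

ITERATIONS = 100_000  # PBKDF2 work factor (assumed; tune for the server)


def make_db() -> sqlite3.Connection:
    # Constructed in-memory stand-in for the journal's user table. The real
    # system runs on Firebird; sqlite3 is used only so this example runs offline.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (login TEXT PRIMARY KEY, salt BLOB, pw_hash TEXT)")
    salt = secrets.token_bytes(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", b"correct horse", salt, ITERATIONS).hex()
    db.execute("INSERT INTO users VALUES (?, ?, ?)", ("ivanovna", salt, pw_hash))
    db.commit()
    return db


def login_vulnerable(db: sqlite3.Connection, login: str, pw_hash_hex: str) -> bool:
    # The pattern the article describes: the client ships a login plus a
    # password hash and the server glues both into the SQL text. Whatever is in
    # the login field is parsed as SQL, so a comment sequence there cuts off the
    # password comparison and the row matches on the login alone.
    sql = (f"SELECT 1 FROM users WHERE login = '{login}' "
           f"AND pw_hash = '{pw_hash_hex}'")
    return db.execute(sql).fetchone() is not None


def login_hardened(db: sqlite3.Connection, login: str, password: str) -> bool:
    # Parameterised query: the login is bound as data and never parsed as SQL.
    # The client sends the password itself (over TLS), the server does the
    # hashing, and the stored hash never travels over the wire in either direction.
    row = db.execute("SELECT salt, pw_hash FROM users WHERE login = ?",
                     (login,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    computed = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                   ITERATIONS).hex()
    return hmac.compare_digest(computed, stored)  # constant-time comparison


def stored_hash(db: sqlite3.Connection, login: str) -> str:
    # Demonstration helper only: the value the vulnerable client would send.
    return db.execute("SELECT pw_hash FROM users WHERE login = ?",
                      (login,)).fetchone()[0]
```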

Within a few minutes I had information about everyone in the school, and then their personal data.

A simple query gives us all the information about the students of an educational institution ...

... and the teaching staff ...

... and with a little skill, by their ID you can get even more extensive information.

A few days later, after checking for the same holes in other schools (found via google.com), I realized that all this was serious and reported all the vulnerabilities to the system administrator and the director of the educational institution.

Later, the admin and I still had some fun: we tried (officially) the DROPs, and the director, at my request, reported the bugs at a meeting with the management of this company.

Time passed, nothing changed, the bugs remained: 1 was fixed (they switched to a new version of the module), the rest still work ...

A couple of days ago I checked again, and things are still the same ...

Summing up, I would like to say that my first experience of dealing with foreign companies was much better than with domestic ones: the speed of the administrator's response (I had reported access to the highways that bypassed the "credits" cheating system), polite communication, and they threw in a month of pro access.

P.S. The name of the organization is withheld for the sake of good.

Source: https://habr.com/ru/post/194794/
