Tuesday, June 16, 2009

My old internship company

A year ago I did my orientating internship at a web development company that mainly programmed in ASP and ASP.NET. Both languages I utterly hate for their lack of clearance and flexibility. Now I had to work for them for 10 weeks which wasn't that much.. After about 7 or 8 weeks they offered me a contract which would allow me to work for them 0-10 hours a week for a quite okay pay rate. I accepted.. signed the contract and we were happy. Now after 10 weeks I had to turn in my paper, covering the 10 weeks I worked at this company. The paper was a very critical paper. And like many people do, they didn't like being judged by an 'intern'. So I could give 'em back the contract and I was basically fired before starting.. Well that's not completely true.. I worked 10 hours for them and I didn't get paid. Evil.

Anyway to get to the point.. They recently delivered a webshop actually written in PHP. So I had to test it for holes.. And yes! SQL injection, except that this one was a little tricky.. I always got an 'OK' message. I had to find a way around this. I tried the following thing:

id=246 AND IF(1=(SELECT CHAR_LENGTH(pass) FROM users LIMIT 0,1),1,(SELECT 1 UNION SELECT 2))

Basically what this query did was: if the length matched the first password I would get a normal page. If the length didn't match it would give me the error: Subquery returned more than 1 row.

So an exploit was in place and soon I had the first user's email and password. Now the funny part was that this first user I suspect being the one who wrote the webshop. He works at a different company from the one where I did my internship. It appears that this other company is in the same building where I work now.. funny.

Anyway there's nothing more hilarious than trying to hack the website of the company where I did my orientating internship. Before actually going into this I have to tell you one of the things I disliked a lot from this company. They didn't use any databases.. they used... XML files! for everything.. really! I mean.. come..onnnnnn...

Ok, now back to their website. It didn't take me long for this one.. Now since they use a lot of XML files, there's no way of injecting SQL. A different approach was needed. Local File Inclusion..

page.asp?inc=cgi-bin/xmldocs/b_users.xml

The above request gave me all the usernames and passwords for their content management system..
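Both findings above (the error-based blind SQL injection in the id parameter and the XML file read through the inc parameter) leave a clear trace in a web server's access log. The following is an added example, not code from the post or from either company, that scans constructed combined-format log lines for those two request patterns; the log lines, IP addresses and the include-parameter names are assumptions.

```python
import re
from urllib.parse import urlparse, parse_qsl, unquote_plus

# Constructed sample access-log lines (not from the post). Two requests mirror the
# payloads the post describes; the other two are ordinary traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [16/Jun/2009:10:01:02 +0200] "GET /product.php?id=246 HTTP/1.1" 200 5120
10.0.0.5 - - [16/Jun/2009:10:01:09 +0200] "GET /product.php?id=246+AND+IF(1%3D(SELECT+CHAR_LENGTH(pass)+FROM+users+LIMIT+0,1),1,(SELECT+1+UNION+SELECT+2)) HTTP/1.1" 200 5120
10.0.0.7 - - [16/Jun/2009:10:02:30 +0200] "GET /page.asp?inc=news.asp HTTP/1.1" 200 2048
10.0.0.7 - - [16/Jun/2009:10:02:41 +0200] "GET /page.asp?inc=cgi-bin/xmldocs/b_users.xml HTTP/1.1" 200 1800
"""

# Combined log format: client ip, ident, user, [timestamp], "METHOD target PROTO", status
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Error-based blind SQLi as in the post: an IF() whose false branch holds a
# subquery that deliberately returns more than one row so the application errors out.
SQLI_RE = re.compile(r'\bIF\s*\(.*\bSELECT\b.*\bUNION\b', re.IGNORECASE | re.DOTALL)
# File-inclusion parameters pointing at data documents or walking out of the web root.
LFI_RE = re.compile(r'(\.\./|\.xml$|xmldocs/)', re.IGNORECASE)
INCLUDE_PARAMS = {"inc", "include", "page", "file", "path", "template"}  # assumed names


def classify_request(target):
    """Return finding labels ('blind_sqli:<param>' / 'lfi:<param>') for one request target."""
    findings = []
    parsed = urlparse(target)
    for name, value in parse_qsl(parsed.query, keep_blank_values=True):
        decoded = unquote_plus(value)  # second decode catches double-encoded payloads
        if SQLI_RE.search(decoded):
            findings.append(f"blind_sqli:{name}")
        if name.lower() in INCLUDE_PARAMS and LFI_RE.search(decoded):
            findings.append(f"lfi:{name}")
    return findings


def scan_log(text):
    """Parse each log line and return (client ip, status, finding) for every suspicious request."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        for finding in classify_request(m["target"]):
            hits.append((m["ip"], int(m["status"]), finding))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

A status of 200 on a flagged request, as in the post, means the application answered normally and the pattern match is the only signal; the same rule should therefore run on request logs, not only on error logs.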

All their passwords were the same.. Another point of criticism!

Woo a beertender for my efforts.

Well last time I spoke about the backup company's website. This website had a few serious holes in it. It appears the website WAS written by themselves.. Made me wonder how well their software is written that takes care of the backups. Anyway, to get to the point, shortly after my companion notified them about the leak they were happy and asked if we were happy with a bottle of wine.. Well I don't drink wine.. my companion doesn't drink it.. so no.. Ok.. ok.. we said yes. Later on we got an email from another dude from that company telling us that we DIDN'T like wine.. wow.. superstitious. So he figured we liked beer and decided to send something our way..

A few days ago we received a beer tender! Woo! that's very nice.. You can buy it from us on ebay. Thank you.

(Not that we don't like a beertender but it's expensive and I prefer bottles over a beertender...)