Hi Guys,
Back with one more vulnerability technique "Local File Inclusion" attack. With this attack, I was able to get the complete source code of the application and the API keys of the victim enterprise.
I have found this vulnerability in India's largest online health platform website.
Let's have a look at the vulnerability-
The technique that was used to find this vulnerability is called Path Traversal Attack.
A file inclusion vulnerability allows an attacker to access unauthorized or sensitive files on the web server, or to execute malicious files on the web server. It occurs when user input contains the path of the file that is to be included. When that input is not properly sanitized, the attacker may supply well-known default file names and access unauthorized files, or may use directory traversal characters to retrieve sensitive files from other directories. Local File Inclusion (LFI) vulnerabilities allow an attacker to read, and sometimes execute, files on the victim machine. This can be very dangerous: if the web server is misconfigured and running with high privileges, the attacker may gain access to sensitive information, and if the attacker is able to place code on the web server through other means, they may be able to execute arbitrary commands.
Through this vulnerability, I was able to read all the files, including the source code of the application and sensitive files like web.config, where I got the API keys of the mail server, SMS service, payment gateway etc. Further, I was also able to use the mail server key to send mail from the enterprise mail server and was even able to send SMS using the SMS key.
I found this vulnerability in the URL and the parameter shown in the screenshot above.
The response of the above URL HTTP request is as below-
From this I analysed that the Microsoft-IIS web server is in use. So I tried to open the WIN.INI file of Windows by a path traversal attack.
And I got the following response-
This is the content of the WIN.INI file. By this I confirmed that the Local File Inclusion vulnerability exists.
The “../” used in the example above represents a directory traversal. The number of “../” depends on the configuration and location of the target web server on the victim machine. Some experimentation may be required.
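The two things a defender wants from the description above, as an added example that is not from the original post: a resolver that canonicalises a user-supplied file name and refuses anything that escapes its base directory, however many “../” (plain, backslash or percent-encoded) it contains, plus a small check that flags such requests in access logs. BASE_DIR, the function names and the log lines are assumptions constructed for this example.

```python
import os
import re
from urllib.parse import unquote

# Constructed base directory for this example (assumption): the only
# directory the download handler is allowed to serve files from.
BASE_DIR = "/var/www/app/files"

class TraversalRejected(ValueError):
    """Raised when a requested name would resolve outside BASE_DIR."""

def safe_resolve(user_path, base_dir=BASE_DIR):
    """Resolve a user-supplied file name strictly inside base_dir.

    Percent-decode twice (covers double encoding), treat backslashes as
    separators (IIS serves from Windows paths), then normalise the joined
    path and require it to stay under the normalised base: no number of
    '../' can escape. Symlinks inside base_dir are out of scope here.
    """
    decoded = unquote(unquote(user_path)).replace("\\", "/")
    if "\x00" in decoded:
        raise TraversalRejected("null byte in requested path")
    base = os.path.normpath(base_dir)
    candidate = os.path.normpath(os.path.join(base, decoded))
    if candidate != base and not candidate.startswith(base + os.sep):
        raise TraversalRejected("path escapes base directory: %r" % user_path)
    return candidate

def is_safe(user_path, base_dir=BASE_DIR):
    """Boolean wrapper around safe_resolve for quick checks."""
    try:
        safe_resolve(user_path, base_dir)
        return True
    except TraversalRejected:
        return False

# Constructed IIS-style access log lines (not taken from the original post).
SAMPLE_LOG = """\
2020-06-19 10:01:02 GET /download.aspx file=reports/2020.pdf 200
2020-06-19 10:01:05 GET /download.aspx file=../../../windows/win.ini 200
2020-06-19 10:01:09 GET /download.aspx file=..%2F..%2Fweb.config 200
2020-06-19 10:01:12 GET /index.aspx - 200
"""
DOTDOT = re.compile(r"\.\.[/\\]")

def flag_traversal_requests(log_text):
    """Return the log lines whose decoded request contains a '../' segment."""
    return [line for line in log_text.splitlines()
            if DOTDOT.search(unquote(unquote(line)))]
```

The prefix check runs on the normalised path rather than on the raw input, so stripping or blocklisting “../” is never needed; the log check decodes before matching so encoded variants are caught too.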
Now I tried escalating this vulnerability.
And as expected I was able to get the complete source code for the login.ashx page, which is also a high-risk vulnerability.
A source code disclosure vulnerability allows an attacker to view or download the source code files of the web application from the web server. These files can reveal sensitive information about specific functionality of the website, such as how different web pages react to the various parameter values given to them. An attacker can use this information to carry out targeted attacks on the website, which may lead to its compromise. When source-code files are publicly accessible, an attacker may download them and carry out intellectual property theft. In addition, these files may contain sensitive details about the inner workings of the website and disclose additional vulnerabilities.
Response of above request-
Similarly, I was able to find the source code of the complete application.
Now the critical aspect of this; below is the web.config file –
Check the response-
As you can see, server credentials, the mail server API key, SMS service API key and payment gateway API key are accessible.
By some more research, I was able to use the keys to send mails, send SMS etc.
Risk-
Through the source code disclosure vulnerability, I was able to get the complete source code of the application.
These files reveal sensitive information related to the specific functionality of the application. For example, I can get the logic behind the encryption used for login and hence could use it for a user account hijack vulnerability.
The local file inclusion vulnerability gave me access to all the API keys used in the application. I was able to use the mail server API key to send mails on behalf of the company, and even SMS. The payment gateway API key can be used for completely bypassing the payment gateway and buying the product at a much lower price.
I reported this vulnerability to the concerned company on 19th June and it was soon patched after that.
Any feedback, suggestion would be highly appreciated :)
Thanks
~logicbomb