Official Site Of The Xakep 4T english version

2011-09-08, 1:10 AM
Backstreet's Back: total destruction of the Backstreet Boys band

Salute, my dear admirer of the Backstreet Boys band! Today I will tell you an interesting story about how backstreetboys.com, myspace.com/backstreetboys, and also twitter.com/backstreetboys (the main network resources of your favorite band) capitulated like a house on fire, without a fight. It all started when one day the notorious column editor hinted that I should continue the theme of hacking well-regarded foreign celebrities. You know, right at that time the simple "Everybody" song was running through my head.


Who is who

Of course, we begin our excavations by studying the http://backstreetboys.com site. The resource is a simple flash start page with a band photo on it and the inscription "Coming soon". Below it there are some links: Tour Dates, Enter Fanclub, Shop BSB, BSBlog. "Tour Dates" and "Enter Fanclub" lead to the same subdomain, http://fanclub.backstreetboys.com. "Shop BSB" leads to a strange http://backstreetboys.shop.bravadousa.com, and "BSBlog" leads to http://blog.backstreetboys.com.

Do not be surprised to find out that the band's blog engine is WordPress :). But, as often happens, the blog version (2.7.1) had no vulnerabilities at that moment, so we had to say goodbye to an easy, rapid hack.

Here it's worth mentioning that I did not forget to look for the resource's admin panel. It was found at http://admin.backstreetboys.com, but it required HTTP authorization, so this option also had to be postponed for some time.

The band's fan club (fanclub.backstreetboys.com) is next in our research.

Money defeats evil

The fan club is like a simple social network, but it works on a paid basis (the last successful BB album was released in 2007, so now they have to earn on something). Everything has its fee, from the chat and forum to viewing videos and photos from concerts and tours. I didn't really want to give away money earned by the sweat of my brow for such services, so I had to be content with what I had.

Thus, there were only three free fan club categories: Home, Tour (tour schedule) and Discography. Having had enough fun requesting pages with all sorts of parameters (as far as mod_rewrite permitted; most URLs looked like http://fanclub.backstreetboys.com/events/827#signups), and after trying the standard ways of searching for an admin panel, I realized that this subdomain could offer absolutely nothing and began to think about further steps. A bit later, my eye fell on the site footer:

© 2009 Backstreet Boys. All rights reserved.
Powered by ground(ctrl).

So I headed to the http://groundctrl.com site, curious about what this "ground(ctrl)" was.

Everything is vulnerable

It turned out that ground(ctrl) is a company that develops websites for various celebrities based on its own CMS. As they write about themselves: "We offer innovative interactive marketing and merchandising services for Music Stars, Athletes, and Personalities".

The company's clients (besides the Backstreet Boys) include such people and bands as Daughtry, Papa Roach, Paul Oakenfold, Thalia, Far, New Kids on the Block, Third Eye Blind, Dredg and Gavin Rossdale. Such a turn of events gave me additional energy to find ways into both backstreetboys.com and groundctrl.com :).

I didn't try to use various bad characters in all sorts of requests on the CMS developer's site. I just started searching for the admin panel and instantly found it at http://groundctrl.com/admin.

The admin panel pleased my eyes with the fact that there was no HTTP authentication, just a usual web form with username/password authorization. This meant that some sort of database was used for authorization and I could test the corresponding fields for a banal SQL injection. So, after submitting the "Username" and "Password" fields with the value "1", I got the following SQL error:

SELECT * FROM users WHERE user_name = '1'' AND password = MD5('1\'')

So it turns out that professional web programmers don't bother with even simple filtering of input fields :).

Now it cost nothing to log in to the admin area: all that was needed was to insert something like "1 'or 1 = 1 / *" into the username field.
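The fix for the query in that error message, as an added example that is not from the original article or ground(ctrl)'s code: the user name is passed as a bound parameter and the password is checked with password_verify() instead of MD5() inside the SQL. The table and column names come from the error message; the in-memory SQLite database (pdo_sqlite is assumed to be available), the sample account and check_login() are constructed for the demonstration.

```php
<?php
declare(strict_types=1);

function open_demo_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (user_name TEXT PRIMARY KEY, password TEXT NOT NULL)');
    $ins = $pdo->prepare('INSERT INTO users (user_name, password) VALUES (?, ?)');
    // Constructed account; password_hash() salts and stretches, unlike MD5().
    $ins->execute(['demo_admin', password_hash('constructed-passphrase', PASSWORD_DEFAULT)]);
    return $pdo;
}

function check_login(PDO $pdo, string $user, string $pass): bool
{
    // The user name travels as a bound value, never as part of the SQL text,
    // so quotes and comment markers in it cannot change the statement.
    $stmt = $pdo->prepare('SELECT password FROM users WHERE user_name = :u');
    $stmt->execute([':u' => $user]);
    $hash = $stmt->fetchColumn();
    if ($hash === false) {
        return false;                       // no such user
    }
    // The password never enters the SQL at all; it is compared in PHP.
    return password_verify($pass, $hash);
}

$pdo = open_demo_db();
$attempts = [
    ['demo_admin', 'constructed-passphrase'],   // valid credentials
    ['demo_admin', 'wrong'],                    // wrong password
    ["1 'or 1 = 1 / *", '1'],                   // the string quoted in the article
    ["1'", "1'"],                               // a stray quote, as in the SQL error
];
foreach ($attempts as [$u, $p]) {
    printf("%-20s => %s\n", $u, check_login($pdo, $u, $p) ? 'accepted' : 'rejected');
}
```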

You probably already know that admin panels are often prone to multiple vulnerabilities: web developers believe that no one can enter the admin area from outside :). So this time it was much easier than I thought. After entering the "Manage Users" menu, I randomly chose to edit the profile of some girl called "jennie".

Normally, a profile settings page has an avatar upload form. This one did too. Next to the form there was a notice: "jpg, gif and png images minimum size 265 x 213". I thought that the devil may play any trick and tried to upload my PHP shell instead of an avatar.

Without any additional questions, my evil-file was successfully uploaded to http://groundctrl.com/media/images/404.php.
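What the avatar handler would have needed to do, as an added example that is not from the original article or ground(ctrl)'s code: decide the file type from its content, enforce the 265 x 213 minimum stated on the form, re-encode the image, and store it under a server-chosen name with a fixed extension. It assumes PHP 8 with the GD extension; store_avatar() and the temporary paths are hypothetical.

```php
<?php
declare(strict_types=1);
// Added example, not ground(ctrl)'s code. Assumes PHP 8 with the GD extension;
// store_avatar() and the temp paths are hypothetical.
const MIN_W = 265; // minimum size printed next to the upload form
const MIN_H = 213;

function store_avatar(string $tmpPath, string $destDir): string
{
    $bytes = file_get_contents($tmpPath);
    if ($bytes === false || strlen($bytes) > 5 * 1024 * 1024) {
        throw new RuntimeException('unreadable or oversized upload');
    }
    // Type comes from the content; client-supplied name and MIME type are ignored.
    $info = @getimagesizefromstring($bytes);
    $allowed = [IMAGETYPE_JPEG, IMAGETYPE_GIF, IMAGETYPE_PNG];
    if ($info === false || !in_array($info[2], $allowed, true)) {
        throw new RuntimeException('not a jpg, gif or png image');
    }
    if ($info[0] < MIN_W || $info[1] < MIN_H) {
        throw new RuntimeException('image smaller than 265 x 213');
    }
    // Decode and re-encode: metadata and appended data are dropped.
    $img = @imagecreatefromstring($bytes);
    if ($img === false) {
        throw new RuntimeException('image could not be decoded');
    }
    // Server-chosen name with a fixed extension; nothing from the request reaches the path.
    $name = bin2hex(random_bytes(16)) . '.png';
    if (!imagepng($img, $destDir . '/' . $name)) {
        throw new RuntimeException('could not write avatar');
    }
    return $name;
}

// Constructed inputs: a script posing as an avatar, and a real 300 x 250 image.
$dir = sys_get_temp_dir() . '/avatars_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
$fake = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($fake, '<?php /* constructed stand-in for an uploaded script */');
$real = tempnam(sys_get_temp_dir(), 'up');
imagepng(imagecreatetruecolor(300, 250), $real);
foreach (['script' => $fake, 'image' => $real] as $label => $path) {
    try {
        echo $label, ': stored as ', store_avatar($path, $dir), "\n";
    } catch (RuntimeException $e) {
        echo $label, ': rejected (', $e->getMessage(), ")\n";
    }
}
```

Turning off script execution for the upload directory in the web server configuration is a separate control that backs this check up.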

Getting aboard

Here I have to make a small remark. While viewing the list of users in the groundctrl.com admin panel, I got the idea to find the mail (POP) domain of this site, because all admin users had e-mail addresses at the groundctrl.com domain. Oddly enough, I got lucky here once again, as I was redirected from http://mail.groundctrl.com to https://www.google.com/a/groundctrl.com/ServiceLogin.

It was possible that some admin's password would be the same for Gmail, where some official correspondence of the CMS developers could be kept. Now that I had a web shell at groundctrl.com, it would be nice to explore the admin area source code for the data needed to connect to MySQL. All the necessary data was found almost immediately at /var/www/vhosts/groundctrl.com/httpdocs/admin/con/mysql_connect.php:

define ('DB_USER', 'groundctrl');
define ('DB_PASSWORD', 'breakhouse');
define ('DB_HOST', 'localhost');
define ('DB_NAME', 'groundctrl_website');

$dbc = @mysql_connect (DB_HOST, DB_USER, DB_PASSWORD) or die ('Could not connect to MySQL: ' . mysql_error());
mysql_select_db (DB_NAME);

I already knew the approximate name and structure of the admins' DB table from the very first SQL error while logging in to the admin area. It only remained to write a small script to run in the PHP eval window of the shell:

include 'mysql_connect.php';
$query = mysql_query('select * from users');
while($arr = mysql_fetch_array($query))

That code brought the login details of all admin accounts to my screen. After choosing a random user with the e-mail matt.sergent@groundctrl.com and the MD5-hashed password 330ef80613513b8286f95042bf372362, I went to plain-text.info to decrypt the hash over IRC:

M4g .c3p0 addmd5 330ef80613513b8286f95042bf372362
C3P0 M4g: add ok... at 02:51:33
C3P0 MD5 Hash:330ef80613513b8286f95042bf372362 passwd:paplee hex:7061706c6565
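An unsalted MD5 digest like the one above can be looked up rather than broken, so the stored values themselves have to change. The following added example (not from the original article or ground(ctrl)'s code) upgrades a legacy MD5 value to password_hash() output at the first successful login; it assumes stored values are either bare md5() hex digests, as in the article's users table, or password_hash() output, and all function names, users and passwords are constructed.

```php
<?php
declare(strict_types=1);

function is_legacy_md5(string $stored): bool
{
    return preg_match('/^[0-9a-f]{32}$/i', $stored) === 1;
}

// Returns [login ok?, replacement hash or null]. A non-null second element
// means the caller must overwrite the stored value for this user.
function verify_and_upgrade(string $password, string $stored): array
{
    if (is_legacy_md5($stored)) {
        $ok = hash_equals(strtolower($stored), md5($password));
        return [$ok, $ok ? password_hash($password, PASSWORD_DEFAULT) : null];
    }
    $ok = password_verify($password, $stored);
    $stale = $ok && password_needs_rehash($stored, PASSWORD_DEFAULT);
    return [$ok, $stale ? password_hash($password, PASSWORD_DEFAULT) : null];
}

// Constructed rows: one legacy digest, one already migrated.
$rows = [
    'legacy_user'   => md5('constructed-pass-1'),
    'migrated_user' => password_hash('constructed-pass-2', PASSWORD_DEFAULT),
];
$logins = [
    ['legacy_user', 'constructed-pass-1'],
    ['legacy_user', 'wrong'],
    ['migrated_user', 'constructed-pass-2'],
];
foreach ($logins as [$user, $pass]) {
    [$ok, $newHash] = verify_and_upgrade($pass, $rows[$user]);
    if ($newHash !== null) {
        $rows[$user] = $newHash;   // stands in for an UPDATE on the users table
    }
    printf("%-14s ok=%s stored=%s\n", $user, $ok ? 'yes' : 'no',
        is_legacy_md5($rows[$user]) ? 'md5' : 'password_hash');
}
```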


The only thing left was to log in to https://www.google.com/a/groundctrl.com/ServiceLogin with the login "matt.sergent" and the password "paplee", respectively. Then I took advantage of the remarkable mail search that uncle Google carefully built into its mail service. As search phrases I used the following combinations: "ftp pass", "ftp password", "password login". As a result of these excavations I fished out the following accounts:

username - backstreetboys
password - j3nnj3nn
Bsbadmin.com (aka admin.backstreetboys.com)
host: backstreetboys.com
user: backstreetsback
pass: 3rxvt6pueuyr
host: groundctrl.com
user: groundctrl
pass: ninegbzif3zfgw

- and lots of other interesting things (such as access to the Plesk control panel, mysql root-accounts and ftp/sftp accounts for a great multitude of sites), which I don’t even want to tell you about :).

But, finally, the goal of our quest was achieved! It was time to poke a little fun at the fans of our experimental band.

Social networks

Inasmuch as defacing is a first grader's prerogative, I decided to "work" on the band's social network accounts. First I posted the sacramental phrase "I'll be watching you! From Russia with love :)" on Twitter (as in the case with Stephen Fry). The surprised reactions of fans were not slow to arrive:

piiittta: @backstreetboys what...i dont understand?????
NinaBackstreet: RT @kairarosa @backstreetboys Oh Guys!!!!!!!! Hello!!!! Russia????? OMG! Around the world again????? LOL! Love you! Say Hi to Brazil!
Loliii: @backstreetboys I'll be watching YOU with love from Argentina, how about that uh?
realNinoRodgers: @backstreetboys I'll be watching you! From Russia with love :) << That's my country, HAVE FUN!! :-)
MysticalPixie: @backstreetboys who will be watching? gotta tell us who is twitting here guys...lol
puricha: @backstreetboys What? Are you in Russia now? I thought you were in Madrid !!
DannynhaMansani: @backstreetboys Are u going to Russia? Is Russia your next stop, guys? WOW! U're traveling a lot, hope u're having some fun =)
overloved: @backstreetboys oooohhh my boys!!! tell me something, i wanna know if u do feeling excited to come to Dubai?? how u feel? :D
m_serra: @backstreetboys i'm watching you! from brazil with love :)
k_rina_ktbspa: @backstreetboys COME BACK TO SOUTHAMERICA.. CHILE MISS YOU!!! BESOS!!! SA FANS.. LOVES YOU!!!! PLEASE!! :-(
vale101: @backstreetboys heeey what's new.. are in Russia .. Wow, understand the language .. tell me something in Russian?... jejeje kisses
MayMclean: @backstreetboys Hey guys... what's up?? Russia... this is great!! OMG!! tell us when TIU TOUR will arrive in Brazil?!
danyzinhalee_: @backstreetboys Russia, madrid, Holland, Germany, u guys travel a lot - beijinho doce to you
pancho_torto: @backstreetboys realyy!!?? people said that it's a great placee!!! please come back to Argentinaa!!! We love you guys!!

As you can see, people were very surprised that their idols had suddenly moved from Brazil to Russia. Therefore, I deleted my post so that it could no longer hurt anyone :).

Next was the page on MySpace, a service unfamiliar to me. After sorting out the social network's internal structure, I posted the already familiar phrase in a BSB blog post and in the comments on the profile's main page. Here are the answers I got from Backstreet Boys fans:

Maira Carter:
And who will that 'I' be ????? ;) Mr Littrell? Mr Mclean? Mr Carter? Mr Dorough???? ;)
Cause I'll be watching too... From Holland with Love! ;)
[*ALMA DaNgErOuS*]:
who's gonna be watching???
remember, Mexico loves you, you have to come back! :)
I don't know WHO will be watching us..:p but i have a feeling that Nick is the one who will be watching us!
oh never mind then lol
I don't know who will be watching us, but I'm def will be watching u ;)
From Brazil, with love =)

As you can see, many fans on MySpace were surprised that the BSB were "writing from Russia" instead of Brazil, where they should have been at that moment. So again I had to remove my posts and finish this epic hack on such a high note.

Some "evil" conclusions

Even if your site is competently made, well tuned and patched, that doesn't always mean it's impossible to hack. Often the hacker gets help from the human factor, whether it's social engineering or just a developer's simple inattention. Even the richest and most famous people are not safe from those things. I hope you've found this article interesting, along with one more simple but important piece of advice: NEVER keep ANY messages containing important information (logins, passwords, etc.) in your mailbox!

P.S. I love having control over the pulse of an army of several thousand fans. Expect the continuation of these interesting star hacks in due time :)


The above article is the product of the author's diseased imagination. Any overlap with existing sites is accidental. Neither the editors nor the author shall be liable for any possible damages caused by the materials of this article.

Added by: XakepNews