| welcome to social.hackers | posts are made by Clocwork and Shadowdrifter | added some new hack diaries + podcasts |

Thursday, April 28, 2011

Clocwork Hack Diary : The Festival

 *Sorry for this post being a lot later than Shadow's. Been busy with some other stuff and never really got down to writing this one.*


It started off like any other normal Sunday: woke up late, did some stuff, and then sat down at my computer and got on Skype. I saw a message from Shadow talking about how he found some vulnerable website. He messaged me the website and I saw that it was vulnerable to SQLi. After a little pen-testing on the site, we saw that the only vulnerability on the site was SQLi. So, we got down to business doing some different commands (of course the site had to be v.4, right?).

We managed to find some tables, but unfortunately for us the tables for users and admins (if they existed) didn't have any information in them at all. I kept trying to find more and more tables, and then it hit me to go ahead and try out the names of the different events (in case you couldn't tell by the title, this website was a site about a festival that happens every year; the site apparently is done by volunteers, go figure, and everyone in the festival is a volunteer). Sure enough, the names of the events gave us a lot of information: emails, addresses, and names for people in large organizations as well as the "Festival Queen" and some country music stars (yay.........).


After extracting basically the entire database in about 10 minutes, Shadow messaged me saying that the admin of the site had a vulnerable password. In fact, the password was the first name of the festival (i.e., if the festival name is Lorem Ipsum, the password was lorem). So, thanks to pure human stupidity, we were able to actually access the site.

Shadow didn't want to deface, but I wanted to screw around as I hadn't had a successful hack in a while. So, me being me, I posted some Pedobear images in the "Kids Festival" section, and added a nice page explaining how we did what we did, or really... how Shadow did what he did. After a little more screwing around, the admin finally erased the pages, reverted the page back to normal, and changed everyone's password. Well, the admin forgot to change his own password, so we had access to the admin panel once again. This time I decided to send messages to everyone on the staff explaining how weak the security of the website was. This was fun, but the interesting part has yet to come.

Later on we got bored again and we created a new user on the page, gave him admin privileges, and then logged in to the site as him (because the admin finally had the sense to change the WordPress passwords, but again we still had access to the site panel, which allows us to edit all of the events). As we were on the site, the admin started to change all of the user passwords to a random string of characters and he deleted our account, but their biggest flaw was the fact that they had their logins as PHP sessions with no timeout. So, if we wanted to, we could still be an admin today as long as we didn't log out (if the site were still up, that is; the festival is over now though).

Since we knew the admin was at his computer, we decided to call the guy up and tell him about what we had done. We told him how we got in and how he could fix it, and I also gave him some suggestions on his PHP code (which is funny because I'm only 17 and I'm definitely not an expert at PHP). To my surprise, he was actually very grateful for the help (or so it seemed) and he even offered us a job working on the site for next year's festival. Guess good can pay off after all.

Thanks for reading, and I hope you enjoyed my first hack diary,
- Clocwork
