Содержание статьи
Salute, my dear admirer of the Backstreet Boys band! Today I will tell you an
interesting story about how backstreetboys.com, myspace.com/backstreetboys, and
also the twitter.com/backstreetboys (the main network resources of your favorite
band) had capitulated like a house on fire, with no fight. It all started with
the fact that one day the notorious column editor alluded to continue the theme
of hacking the well-regarded foreign celebrities. You know, right at that time
the simple "Everybody" song was just running in my head.
Who is who
Of course, we begin our excavations with studying the
http://backstreetboys.com
site. The resource is a simple flash start page with a band photo on it and the
"Coming soon" inscription. Below there’re some links: Tour Dates, Enter Fanclub,
Shop BSB, BSBlog. “Tour Dates” and “Enter Fanclub” lead to the same subdomain -
http://fanclub.backstreetboys.com. ”Shop BSB” leads to some strange
http://backstreetboys.shop.bravadousa.com, and the “BSBlog” respectively leads
to http://blog.backstreetboys.com.
Do not be surprised if you find out that the band’s blog engine is a
WordPress :). But, as it often happens, the blog version (2.7.1) had no
vulnerabilities at that moment, so we had to say goodbye to some easy rapid
hack.
Here it’s worth mentioning that I did not forget to find resource’s admin
panel. It was found at http://admin.backstreetboys.com, but required the
http-authorization so this option also had to be delayed for some time.
The band’s fan club (fanclub.backstreetboys.com) is on the way toward our
research.
Money defeats evil
Fan club is like a simple social network, but it works on a fee basis (the
last successful BB album was released in 2007, now they have to have smth. to
earn on). Everything has its fee, starting with chat, forum and ending with
viewing videos and photos from concerts and tours. I don’t really want to give
my money earned by the sweat of one's brow for such services. I had to be
content with what I have.
Thus, there were only three free fan club categories: Home (home), Tour (Tour
Schedule) and Discography (discography). Enough to make fun of launching the
page with all sorts of parameters (as much as the mod_rewrite had permitted;
most of them looked like this - http://fanclub.backstreetboys.com/events/827 #
signups), and after trying the standard way to search for admin panel, I
realized that this subdomain can offer absolutely nothing and began to think of
further steps. A bit later, my eye fell on the site footer:
© 2009 Backstreet Boys. All rights reserved.
Powered by ground(ctrl).
So I headed to the
http://groundctrl.com site being curious about what constitutes that
aforesaid "ground (ctrl)".
Everything is vulnerable
It turned out that the ground (ctrl) is a company that develops websites for
various celebrities based on the ground’s CMS. As they write about themselves:
"We offer innovative interactive marketing and merchandising services for Music
Stars, Athletes, and Personalities".
The company’s clients (except of Backstreet Boys) are such people and music
bands as: Daughtry, Papa Roach, Paul Oakenfold, Thalia, Far, New Kids on the
Block, Third Eye Blind, Dredg, Gavin Rossdale. Such a turn of events gave me
some additional forces to find ways to penetrate both the backstreetboys.com,
and the groundctrl.com :).
I didn’t try to use various bad characters in all sorts of requests at the
CMS developer’s site. I just started searching for admin panel and instantly
found it at http://groundctrl.com/admin.
Admin panel pleased my eyes by the fact that there was no
http-authentication. There was just a usual web form with username / password
authorization. This meant that some sort of database is used for authorization
and I could test the appropriate fields for some banal sql-injection. So, after
submitting the fields "Username" and "Password" with "1" value I got the
following sql-error:
SELECT * FROM users WHERE user_name = '1'' AND password = MD5('1\'')
Consequently, it means that professional web programmers don’t keep tracking
the simple filtering of input fields :).
Now it cost nothing to login to the admin area: the only thing we need is
inserting something like "1 'or 1 = 1 / *" into the username field.
Probably you already know that admin panels are often prone to multiple
vulnerabilities. Web developers believe that no one can enter the admin area
from outside :). So this time it was much easier than I thought. After entering
the "Manage Users" menu, I randomly chose to edit the user’s profile of some
girl called "jennie".
Normally, profile configuration menu has an avatar uploading form. It had
this time too. Next to the form there was a notice "jpg, gif and png images
minimum size 265 x 213”. I thought that devil may play any trick and tried to
upload my php-shell instead of the avatar.
Without any additional questions, my evil-file was successfully uploaded to
http://groundctrl.com/media/images/404.php.
Getting aboard
Here I have to make a small remark. While viewing the list of users in the
groundctrl.com admin panel I got the idea to find the mail pop-domain of this
site, cause all admin users have the e-mail at the groundctrl.com domain. Oddly
enough, once again I got lucky here as I was redirected from
http://mail.groundctrl.com to the
https://www.google.com/a/groundctrl.com/ServiceLogin.
It’s possible that any admin’s passwords would be the same for Gmail. There
could be kept some official correspondence of CMS developers. Now, when I had a
web-shell at groundctrl.com, it would be nice to explore the admin area source
code for some data to connect to MySQL. All necessary data was almost
immediately found at
/var/www/vhosts/groundctrl.com/httpdocs/admin/con/mysql_connect.php:
<?php
define ('DB_USER', 'groundctrl');
define ('DB_PASSWORD', 'breakhouse');
define ('DB_HOST', 'localhost');
define ('DB_NAME', 'groundctrl_website');
$dbc = @mysql_connect (DB_HOST, DB_USER, DB_PASSWORD) or die ('Could not connect
to MySQL: ' . mysql_error());
mysql_select_db (DB_NAME);
?>
I have been known the approximate name and structure of the admin’s DB table
from some of the very first sql-error while logging in admin area. It remained
only to write a small script to run a PHP-eval shell window:
include 'mysql_connect.php';
$query = mysql_query('select * from users');
while($arr = mysql_fetch_array($query))
{
print_r($arr);
}
That code brought me to my screen all log-in details of all admins accounts.
After choosing a random user with matt.sergent@groundctrl.com e-mail and
330ef80613513b8286f95042bf372362 md5-hashed password, I’ve entered the
plain-text.info site to decrypt the hash into the irc:
M4g .c3p0 addmd5 330ef80613513b8286f95042bf372362
C3P0 M4g: add ok... at 02:51:33
C3P0 MD5 Hash:330ef80613513b8286f95042bf372362 passwd:paplee hex:7061706c6565
GMail
The only thing that had left is logging in to
https://www.google.com/a/groundctrl.com/ServiceLogin with the login and password
which are "matt.sergent" and "paplee" properly. Then I took advantage of the
remarkable mail search, which was carefully embedded by uncle Google in its mail
service. As the search phrases I used the following combinations: "ftp pass",
"ftp password", "password login". As a result of these excavations I fished the
following accounts:
https://twitter.com/backstreetboys
username - backstreetboys
password - j3nnj3nn
---
Myspace.Com
bsbsocialutility@yahoo.com
spring99
---
Bsbadmin.com (он же admin.backstreetboys.com)
Bsboys
.sandoz.
---
FTP
host: backstreetboys.com
user: backstreetsback
pass: 3rxvt6pueuyr
---
FTP
host: groundctrl.com
user: groundctrl
pass: ninegbzif3zfgw
- and lots of other interesting things (such as access to the Plesk control
panel, mysql root-accounts and ftp/sftp accounts for a great multitude of
sites), which I don’t even want to tell you about :).
But, finally, the goal of our quest is achieved! It’s time for little scoff
over the fans of our experimental band.
Social networks
Inasmuch as defacing is first graders prerogative, I decided to “work” on
band’s social networks accounts. At first I’ve posted the sacramental "I'll be
watching you! From Russia with love :)" phrase on Twitter (as
in the case with Stephen Fry). The surprised reactions of fans were not slow
to arrive:
piiittta@backstreetboys what...i dont understand?????
---
NinaBackstreetRT @kairarosa @backstreetboys Oh Guys!!!!!!!! Hello!!!!
Russia????? OMG! Around the world again????? LOL! Love you! Say Hi to Brazil!
---
Loliii@backstreetboys I'll be watching YOU with love from Argentina, how about
that uh?
---
realNinoRodgers@backstreetboys I'll be watching you! From Russia with love :) <<
That's my country, HAVE FUN!! :-)
---
MysticalPixie@backstreetboys who will be watching? gotta tell us who is twitting
here guys...lol
---
puricha@backstreetboys What? Are you in Russia now? I thought you were in Madrid
!!
---
DannynhaMansani@backstreetboys Are u going to Russia? Is Russia your next stop,
guys? WOW! U're traveling a lot, hope u're having some fun =)
---
overloved@backstreetboys oooohhh my boys!!! tell me something, i wanna know if u
do feeling excited to come to Dubai?? how u feel? :D
---
m_serra@backstreetboys i'm watching you! from brazil with love :)
---
k_rina_ktbspa@backstreetboys COME BACK TO SOUTHAMERICA.. CHILE MISS YOU!!!
BESOS!!! SA FANS.. LOVES YOU!!!! PLEASE!! :-(
---
vale101@backstreetboys heeey what?s new.. are in Russia .. Wow, understand the
language .. tell me something in Russian?... jejeje kisses
---
MayMclean@backstreetboys Hey guys... what's up?? Russia... this is great!! OMG!!
tell us when TIU TOUR will arrive in Brazil?!
---
danyzinhalee_@backstreetboys Russia, madrid, Holland, Germany, u guys travel a
lot - beijinho doce to you
---
pancho_torto@backstreetboys realyy!!?? people said that it's a great placee!!!
please come back to Argentinaa!!! We love you guys!!
As you see, people were very surprised that their idols are suddenly moved
from Brazil to Russia. Therefore, I deleted my post being no longer able to
injure anyone :).
Then there was a page on MySpace service which is unfamiliar to me. After
sorting out the social network internal structure I’ve posted the already known
phrase in the BSB blog post and in the comments of the profile main page. Here
are the answers I got from Backstreet Boys fans:
Maira Carter:
BACKSTREET BOYS FOREVER <3
PLEASE, COME TO BRAZIL.
I LOVE YOU SO MUCH....
---
Suzan:
And who will that 'I' be ????? ;) Mr Littrell? Mr Mclean? Mr Carter? Mr
Dorough???? ;)
Cause I'll be watching too... From Holland with Love! ;)
---
GinCarter:
WOW GUYS! GOOD LUCK!
---
[*ALMA DaNgErOuS*]:
who's gonna be watching???
xD
remember, Mexico loves you, you have to come back! :)
---
-Rawan-:
I don't know WHO will be watching us..:p but i have a feeling that Nick is the
one who will be watching us!
---
*JULIE*ORR*:
oh never mind then lol
---
Danny_Mansani:
I don't know who will be watching us, but I'm def will be watching u ;)
From Brazil, with love =)
---
Stephanie:
What?
As you see, many fans on MySpace are surprised about the thing that BSB’s are
"writing from Russia" instead of Brazil, where they should be at that moment. So
again I had to remove my posts and finish this epic hack at such a high note.
Some “evil” conclusions
If your site is competently made, well tuned and patched it doesn’t always
mean that it’s impossible to hack. Often, hacker gets help from a human factor
and it doesn’t matter whether it’s social engineering or just a simple
developer’s inattention. Even the most rich and famous people are not secured
from those things. I hope you’ve found this article interesting with one more
simple, but important advice: NEVER save ANY letters having important
information (logins, passwords etc.) in your mail box!
P.S. I love to rule over the pulse of several thousand fans army. Meet the
continuation of interesting starry hack with due time 🙂
DANGER
The above article is the product of the author’s diseased imagination. Any
overlap with existing site is accident. Neither the editors nor the author shall
not be liable for any possible damages caused by the materials of this article.
