Web Application Infiltration: An Ethical Hacker’s Demand for $10K USD Before Reporting An Issue
Hi Friends!
This is my 37th blog on web application security penetration testing. In this blog I will explain how simple security misconfiguration leads to whole database takeover vulnerability.
In my last blog, I have explained about Stored XSS Via File Upload [Using SVG Content]. Hope everyone liked it. If you haven’t read it yet please follow along.
Friends, recently I was doing penetration testing (freelancing) for one of the client for their trading app. We all know how critical information can be processed by trading apps especially when currency is involved. In my whole lifetime I have never been landed in such a scenario. So Please be with me for a while.
So it’s all began with one of re-known client of mine contacted me asking for testing their web, android and iOS application for trading app. After some days, Me and my team were continuously working on it for 2 weeks. We have reported several critical vulnerabilities which includes SQL Injections, Account takeovers and Security Misconfiguration issues.
We were in the testing phase only and client come back to us saying someone inform them about their database takeover and asking for $10K USD before reporting issue. As we all know when business is at risk no one in the team could even think about the rest. So me and my team started working day and night with client for fixing known vulnerabilities we have discovered earlier especially SQL Injection. After some days client again came back to us saying that guy reached them again and it is still vulnerable.
As I was working in the web development earlier, I have strong understanding of the platforms and their configuration files. I have started my own enumeration for understanding configuration files and file path which was publicly disclosed through the web or mobile app. After taking some efforts, one requested file catch my eyes from the burp-suite search history, I was like
Their web application were disclosing .env file publicly with all the back-end information.
.env files contain credentials in key-value format for services used by the program they’re building. They’re meant to be stored locally and not be uploaded to code repositories online for everyone to read. Each developer in a team typically carries one or more . env files for each environment.
It was disclosing information like, DB Connection, DB Hostname, DB Port, DB Username, DB Password, etc. now I was literally surprised because I haven’t expected such misconfiguration for trading app platform so I was directly trying to connect using MySQL client like HeidSQL, I was getting below error message as expected.
If you are not already aware “HeidiSQL is an all-in-one tool for database management, development, and administration. You may use HeidiSQL to remotely connect to a database. Our web hosting plans offer phpMyadmin to help with database management, HeidiSQL is the preferred choice for many developers.
Now, I have to think out of the box to understand from where that ethical hacker get access to complete database when we have already patch all the SQL injection related vulnerabilities. I was recalling all the reported vulnerabilities and finally something clicked in my mind. We have uploaded php shell using file upload vulnerability earlier bypassing file- filters, So I have started chaining the vulnerability for further exploitation.
Exploitation: I uploaded Adminer php client in the web sites root directory using file upload functionality. In attackers case it was already uploaded there that’s why he has persistent access to the database. If you don’t know what is Adminer and how it works then visit,
Attacker was able to browse back uploaded Adminer.php file and with this Adminer client after entering DB Hostname, Db username and Db Password extracted from .env file attacker was able to gain access to the complete database. Below are some features supported by Adminer that attacker could use,
I am intentionally not attaching screenshot for Adminer.php. Attacker connected to the database by browsing file back like this,
“https://www.redacted.com/adminer.php” Attacker could have entered extracted information from .env file or changing hostname to localhost.
Adminer Interface looks like below:
From all of this we can understand why Security Misconfiguration is still there in OWASO TOP 10 2023 list.
Hope everyone will like this blog and learn from it. Please do lik, follow and comment for more reads!
Thanks!
