Mail me a password
We then realized that though we are not able to add a new record to the members database, we can modify an existing one, and this proved to be the approach that gained us entry.
From a previous step, we knew that [email protected] had an account on the system, and we used our SQL injection to update his database record with our email address:
SELECT email, passwd, login_id, full_name FROM members WHERE email = 'x'; UPDATE members SET email = [email protected]' WHERE email = [email protected]';
After running this, we of course received the “we didn’t know your email address”, but this was expected due to the dummy email address provided. The UPDATE wouldn’t have registered with the application, so it executed quietly.
We then used the regular “I lost my password” link – with the updated email address – and a minute later received this email:
From: [email protected] To: [email protected] Subject: Intranet login This email is in response to your request for your Intranet log in information. Your User ID is: james Your password is: hello
Now it was now just a matter of following the standard login process to access the system as a high-ranked MIS staffer, and this was far superior to a perhaps-limited user that we might have created with our INSERT approach.
We found the intranet site to be quite comprehensive, and it included – among other things – a list of all the users. It’s a fair bet that many Intranet sites also have accounts on the corporate Windows network, and perhaps some of them have used the same password in both places. Since it’s clear that we have an easy way to retrieve any Intranet password, and since we had located an open PPTP VPN port on the corporate firewall, it should be straightforward to attempt this kind of access.
We had done a spot check on a few accounts without success, and we can’t really know whether it’s “bad password” or “the Intranet account name differs from the Windows account name”. But we think that automated tools could make some of this easier.