SQL Injection Type 7: Mail me a password

Mail me a password

We then realized that although we were not able to add a new record to the members table, we could modify an existing one, and this proved to be the approach that gained us entry.

From a previous step, we knew that james@example.com had an account on the system, and we used our SQL injection to update his database record with our email address:

SELECT email, passwd, login_id, full_name
  FROM members
 WHERE email = 'x';
      UPDATE members
      SET email = 'jacob@xyz.net'
      WHERE email = 'james@example.com';

After running this we of course received the “we didn’t know your email address” message, but this was expected because of the dummy email address we supplied. The application had no way of noticing the stacked UPDATE, so it executed quietly.
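To show why the stacked UPDATE above succeeds and how parameterised queries stop it, here is an added example (not code from the original write-up), using an in-memory SQLite database with a constructed members table and the page's own injected input; the function and table names are assumptions for the demo. The vulnerable lookup concatenates the input into the SQL text, so the driver runs both statements; the hardened lookup binds the input as a single literal value, so the quote and the UPDATE are just characters in an address that matches nothing.

```python
import sqlite3

# Constructed sample data mirroring the members table described on the page.
SCHEMA = """
CREATE TABLE members (email TEXT, passwd TEXT, login_id TEXT, full_name TEXT);
INSERT INTO members VALUES ('james@example.com', 'hello', 'james', 'James Example');
"""

# The input from the write-up: closes the string literal, then stacks an UPDATE.
INJECTED_EMAIL = ("x'; UPDATE members SET email = 'jacob@xyz.net' "
                  "WHERE email = 'james@example.com")


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_vulnerable(conn, email):
    """String concatenation. executescript stands in for a driver that executes
    every statement it is handed (stacked queries), as the page's target did."""
    sql = (f"SELECT email, passwd, login_id, full_name FROM members "
           f"WHERE email = '{email}';")
    conn.executescript(sql)  # SELECT matches nothing; the stacked UPDATE still runs


def lookup_hardened(conn, email):
    """Parameterised query: the whole input is bound as one value, never parsed as SQL."""
    return conn.execute(
        "SELECT email, passwd, login_id, full_name FROM members WHERE email = ?",
        (email,),
    ).fetchone()


def reset_mail_recipient(conn, login_id):
    """Address the 'I lost my password' mail would be sent to for this login."""
    row = conn.execute("SELECT email FROM members WHERE login_id = ?", (login_id,)).fetchone()
    return row[0] if row else None


def run(lookup):
    """Feed the injected input to a lookup and report who would receive james's reset mail."""
    conn = fresh_db()
    lookup(conn, INJECTED_EMAIL)
    return reset_mail_recipient(conn, "james")


if __name__ == "__main__":
    print("vulnerable:", run(lookup_vulnerable))  # jacob@xyz.net
    print("hardened:  ", run(lookup_hardened))    # james@example.com
```

Note that even the hardened version still emails the stored plaintext password; a reset flow that sends a single-use token instead, and stores only a password hash, removes the payoff this attack relies on.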

We then used the regular “I lost my password” link – with the updated email address – and a minute later received this email:

From: system@example.com
To: jacob@xyz.net
Subject: Intranet login

This email is in response to your request for your Intranet log in information.
Your User ID is: james
Your password is: hello

Now it was just a matter of following the standard login process to access the system as a high-ranking MIS staffer, and this was far superior to the perhaps-limited user we might have created with our INSERT approach.

We found the intranet site to be quite comprehensive, and it included – among other things – a list of all the users. It’s a fair bet that many Intranet sites also have accounts on the corporate Windows network, and perhaps some of them have used the same password in both places. Since it’s clear that we have an easy way to retrieve any Intranet password, and since we had located an open PPTP VPN port on the corporate firewall, it should be straightforward to attempt this kind of access.

We had done a spot check on a few accounts without success, and we can’t really know whether it’s “bad password” or “the Intranet account name differs from the Windows account name”. But we think that automated tools could make some of this easier.

Nitesh Shah
