How I could have pwned my highschool (SQLi, CSRF, Hardcoded Passwords & XSS) Part 2: Investigating the Breach

Honestly, this is a blog title I’ve never expected to write, but hey, data breaches happen – no website is exempt from that.

I will begin with a little bit of a backstory: I’ve found flaws in a website that did belong to a high school in late 2015, but I’ve only been able to get it to their attention 2 years later. After I have been reliably informed that the flaws I found have been patched, I wrote about it. I was happy: I prevented a possible data breach – or so I thought..

“For security measures, please reset your password”

Few months later, one day I log onto my account, and the first thing I see is a prompt that asks me to reset my password. There’s only one good reason why an organization might do that – that’s because they believe that all of the passwords have been compromised.

I might be able to help though, but how?

I have my own approach for analyzing data breaches – first, I like to secure the evidence and then analyze it so that I could figure out what happened and help an organisation triage the incident. That’s what I did in this case – I asked the IT staff for the access logs.

The analysis

When the staff provided me the evidence of the incident, the first thing I had done was URL decode the access logs so they’re easier to read. After that, I expected to see a lot of manual vulnerability probes. However, this wasn’t the case – as soon as I opened the access logs, the first thing I saw was the IP of the attacker and “sqlmap/1.2.2#stable” being used as the user agent which suggested that at least some of the vulnerabilities included SQL injection and that it might have been exploited using tools. The second thing which caught my attention was the different user agents that have been used, so I started counting all of them while also noting when they have been utilized:

1. (X11; U; Linux x86_64; en-US) – was used from 2018 March 06 17:21:23 to 2018 March 07 00:56:19.
2. sqlmap/1.2.2#stable – was used from 2018 March 06 17:24:32 to 2018 March 06 22:26:01.
3. (X11; U; Linux i686; en-US; rv:1.8.1.18) Gecko/20081113 Ubuntu/8.04 (hardy) Firefox/2.0.0.18 – was used at 2018 March 06 22:39:07.
4. curl/7.58.0 – was used from 2018 March 06 22:39:28 to 2018 March 06 22:43:27.
5. (Windows; U; Windows NT 5.1; pt-BR; rv:1.8.0.9) Gecko/20061206 Firefox/1.5.0.9 – was used from 2018 March 06 22:43:47 to 2018 March 06 22:43:50.
6. (Macintosh; U; PPC Mac OS X; it-it) AppleWebKit/412.7 Safari/412.5 – was used at 2018 March 06 22:44:18.
7. Opera/8.54 (Windows NT 4.0; U; zh-cn) – was used from 2018 March 06 22:44:36 to 2018 March 06 22:44:38.
8. (Windows NT 6.1; WOW64) Chrome/27.0.1453.93 Safari/537.36 – was used from 2018 March 06 22:45:28 to 2018 March 06 22:45:29.
9. (Windows; U; Windows NT 5.1; es-ES; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729) – was used from 2018 March 06 23:00:22 to 2018 March 06 23:00:25.
10. (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.19 Chrome/0.3.155.0 Safari/525.19 – was used at 2018 March 06 23:01:42.
11. (X11; Linux x86_64) AppleWebKit/535.11 Chrome/17.0.963.66 Safari/535.11 – was used at 2018 March 06 23:10:03.
12. (Macintosh; U; Intel Mac OS X 10_5_6; en-gb) AppleWebKit/528.10 Version/4.0dp1 Safari/526.11.2 – was used at 2018 March 06 23:19:43.
13. (X11; U; Linux i686; en-US; rv:1.8.0.6) Gecko/20060803 Firefox/1.5.0.6 (Swiftfox) – was used from 2018 March 06 23:21:26 to 2018 March 06 23:28:30.
14. (Windows; U; Windows NT 6.0; en-US) AppleWebKit/530.19.2 Version/4.0.2 Safari/530.19.1 – was used at 2018 March 06 23:29:09.
15. (X11; U; Linux i686; fr; rv:1.8.1.19) Gecko/20081216 Ubuntu/7.10 (gutsy) Firefox/2.0.0.19 – was used at 2018 March 06 23:29:43.
16. Opera/9.00 (X11; Linux i686; U; pl) – was used at 2018 March 06 23:30:32.
17. Opera/8.50 (Windows NT 5.1; U; fr) – was used at 2018 March 06 23:30:58.
18. Opera/9.02 (X11; Linux i686; U; hu) – was used at 2018 March 06 23:35:15.
19. (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.19) Gecko/2010031422 Firefox/3.0.19 (.NET CLR 3.5.30729) FirePHP/0.3 – was used at 2018 March 07 00:10:36.
20. Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt; Hotbar 4.1.8.0) – was used from 2018 March 07 00:11:10 to 2018 March 07 00:12:51.
21. (X11; U; Linux x86_64; en-US) AppleWebKit/534.16 Ubuntu/10.10 Chromium/10.0.648.127 Chrome/10.0.648.127 Safari/534.16 – was used from 2018 March 07 00:13:22 to 2018 March 07 00:14:23.

Since I saw “sqlmap/1.2.2#stable” being used as the user agent, I thought the attacker might have used other tools as well, so I started checking out all of the user agents one by one, and sure enough, I’ve found a few:

1. User agent #9 is telling me that a tool called BDD Automated Security Tests for Web Applications might have been used.
2. User agent #20 tells me that a tool called Fuxploider might have been used.
3. User agent #21 tells me that a tool called WAScan might have been used.

At this point, I had the following information:

• The IP of the attacker
• The user agents and browsers that have been used during the incident
• Some of the tools that might have been used
• When did the breach take place

However, what I really wanted to know is how the attacks were exploited and what data is at risk so I could define the data breach scenario, so I kept looking and here’s what I found:

1. At 2018 March 06 17:33:01, the attacker mounted an SQL injection attack with the help of SQLMap and logged out of his own account.
2. At 2018 March 06 17:33:35, he logged in to an account that had belonged to a parent.
3. At 2018 March 06 17:39:56, while logged in to the account, he attempted SQL injection once again. The attempts were successful.
4. At 2018 March 06 19:14:23, the attacker had logged out of the above mentioned account.
5. At 2018 March 06 19:14:45, he gained access to one of the accounts that had belonged to a staff member.
6. At 2018 March 06 19:20:52, he logged out of the staff members account.
7. At 2018 March 06 19:21:04, the attacker logged in to an account that had belonged to a different staff member and had reviewed all of the available options, but didn’t cause any damage.
8. At 2018 March 06 19:31:39, after logging in to the parents account for the second time, the attacker mounted an SQL injection attack that granted him access to some parts of the database, namely the “inbox” table, which archived all sent and received messages, the “plugins” table, which contained all of the used plugins, the “inventory” table which contained valuable data regarding the inventory of the high school and other information. On top of that, he also revised the count of some documents.
9. At 2018 March 07 00:33:20, the attacker also assumed control of the high school’s photo gallery and tried to access the plugin manager, but failed to do any damage.
10. After that, the administration control panel of the gallery was accessed once again – this time, the gallery user management was reached. The attacker stopped his work at 2018 March 07 00:56:19 after reviewing comments and searching through the gallery.

Now I knew the sequence of events that have taken place. That’s good, but there’s one more thing that bothered me: there’s so many user agents that have been used.. I had to take a look at them too.

The user agents

1. (X11; U; Linux x86_64; en-US) – Linux with a 64 bit hardware architecture. Local language – American English.
2. sqlmap/1.2.2#stable – SQLMap 1.2.2.
3. (X11; U; Linux i686; en-US; rv:1.8.1.18) Gecko/20081113 Ubuntu/8.04 (hardy) Firefox/2.0.0.18 – Firefox 2.0 on Ubuntu Linux 8.04. Local language – American English.
4. curl/7.58.0 – cURL 7.
5. (Windows; U; Windows NT 5.1; pt-BR; rv:1.8.0.9) Gecko/20061206 Firefox/1.5.0.9 – Firefox 1.5 on Windows XP. Local language – Brazilian Portuguese.
6. (Macintosh; U; PPC Mac OS X; it-it) AppleWebKit/412.7 Safari/412.5 – Safari on Mac OS X. Local language – Italian.
7. Opera/8.54 (Windows NT 4.0; U; zh-cn) – Opera 8 on Windows NT 4.0. Local language – simplified Chinese.
8. (Windows NT 6.1; WOW64) Chrome/27.0.1453.93 Safari/537.36 – Chrome 27 on Windows 7.
9. (Windows; U; Windows NT 5.1; es-ES; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729) – Firefox 3.5 on Windows XP. Local language – Spanish.
10. (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.19 Chrome/0.3.155.0 Safari/525.19 – Chrome 0.3 on Windows XP. Local language – American English.
11. (X11; Linux x86_64) AppleWebKit/535.11 Chrome/17.0.963.66 Safari/535.11 – Chrome 17 on Linux with a 64 bit hardware architecture.
12. (Macintosh; U; Intel Mac OS X 10_5_6; en-gb) AppleWebKit/528.10 Version/4.0dp1 Safari/526.11.2 – Safari 4 on Mac OS X (Leopard). Local language – British English.
13. (X11; U; Linux i686; en-US; rv:1.8.0.6) Gecko/20060803 Firefox/1.5.0.6 (Swiftfox) – Firefox 1.5 on Linux. Local language – American English.
14. (Windows; U; Windows NT 6.0; en-US) AppleWebKit/530.19.2 Version/4.0.2 Safari/530.19.1 – Safari 4 on Windows Vista. Local language – American English.
15. (X11; U; Linux i686; fr; rv:1.8.1.19) Gecko/20081216 Ubuntu/7.10 (gutsy) Firefox/2.0.0.19 – Firefox 2.0 on Ubuntu Linux 7.10.
16. Opera/9.00 (X11; Linux i686; U; pl) – Opera 9 on Linux. Local language – Polish.
17. Opera/8.50 (Windows NT 5.1; U; fr) – Opera 8.50 on Windows XP. Local language – French.
18. Opera/9.02 (X11; Linux i686; U; hu) – Opera 9.02 on Linux. Local language – Hungarian.
19. (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.19) Gecko/2010031422 Firefox/3.0.19 (.NET CLR 3.5.30729) FirePHP/0.3 – Firefox 3 on Windows Vista. Local language – British English. Operating system Framework – Microsoft .NET 3.5. One of Fuxploider user agents.
20. Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt; Hotbar 4.1.8.0) – Internet Explorer 5 on Windows NT. One of WAScan user agents.
21. (X11; U; Linux x86_64; en-US) AppleWebKit/534.16 Ubuntu/10.10 Chromium/10.0.648.127 Chrome/10.0.648.127 Safari/534.16 – Chromium 10.0.648.127 on Ubuntu Linux with a 64 bit hardware architecture. Local language – American English.

The first user agent was used for more than 7 hours – it instantly stood out to me so I glimpsed into the actions done with it, however, I didn’t find anything significant – only a few files have been downloaded, the rest of the logs contained failed directory access attempts (either 302 redirects or 403 forbidden errors).

Summary

• The nefarious party gained unauthorized access to the system at Tuesday, 6 March 2018, 17:33:35 and sustained it until Wednesday, 7 March 2018, 00:29:45 – the attack took 6 hours, 56 minutes and 10 seconds.
• The attacker had used 4 tools – SQLMap 1.2.2 was used while he has been logged in to his own account from 2018 March 06 17:24:32 to 2018 March 06 22:38:22, BDD Automated Security Tests for Web Applications was put to use from 2018 March 06 23:00:22 to 2018 March 06 23:00:25, Fuxploider was utilized at 2018 March 07 00:10:36, WAScan was used afterwards too – the tool was utilized from 2018 March 07 00:11:10 to 2018 March 07 00:12:51.
• The attacker compromised some parts of the database with an attack known as SQL Injection.
• After mounting the attack, the intruder accessed accounts of parents and high school staff and had revised the count of some of the uploaded files.
• Even though the attacker might have utilized a tool known as Fuxploider which aims to detect what would work best to upload web shells or a malicious file to a web server, no shells or malicious scripts of any sort seemed to be uploaded or accessed – this saved the IT staff from even bigger problems because if that would be the case, the attacker could have maintained persistent access on the web application.
• Compromised data included usernames, hashed passwords, conversations, plugins, items related to the inventory of the high school, the count of documents and other information.