Privilege Escalation And Misconfigurations Part2

Published in: Technology

    1. Privilege Escalation And Misconfigurations
    2. Nothing but a login
    3. Links to JavaScript files in the HTML
         <SCRIPT LANGUAGE="JavaScript" type="text/javascript" src="includes/scripts/fpi-init.js"></SCRIPT>
         <SCRIPT LANGUAGE="JavaScript" type="text/javascript" src="includes/scripts/fpi-writevb.js"></SCRIPT>
         <SCRIPT LANGUAGE="JavaScript" type="text/javascript" src="includes/scripts/fpi-main.js"></SCRIPT>
         <SCRIPT LANGUAGE="JavaScript" type="text/javascript" src="includes/scripts/fpi-swap.js"></SCRIPT>
    4. Grab the source of the JavaScript files
    5. Analyze the source for anything interesting
    6. Found admin URLs
    7. Paste this into the browser and click send
         • https://www.site.com/Secure/Admin/AdminNewUser.aspx?user_id=spidynamics&pwd=pass
    8. A 302 to an inside page
         • HTTP/1.1 302 Object moved
         • Server: Microsoft-IIS/5.0
         • X-Powered-By: ASP.NET
         • Location: /Secure/ViewSystemMessage.aspx?id=47
    9. A 302 back to the login
         • HTTP/1.1 302 Object moved
         • Server: Microsoft-IIS/5.0
         • X-Powered-By: ASP.NET
         • Location: /Logon.aspx
    10. Back at the login
    11. Let’s see if our login exists
    12. Welcome user SPIDynamics
    13. Let’s try accessing the admin functions
         • https://www.site.com/Secure/Admin/AdminUserProgramRole.aspx?uid=spidynamics
    14. Returns an Error
    15. Use an integer instead of a string
         • https://www.site.com/Secure/Admin/AdminUserProgramRole.aspx?uid=2
    16. Welcome Admin
         • UID field cycles through each user
    17. Ability to view all users
         • UID 3 is now another user
    18. Here we are
         • By incrementing the UID field to 183 – we identified our user id.
    19. I feel like being an administrator today
         • Clicking ‘Edit’ allowed us to set our user role to administrator
    20. Feels good to be an admin
    21. Where is the main admin page?
    22. Start Guessing
         • Admin.asp
         • Default.asp
         • Administrator.asp
         • Admin.aspx etc…
    23. The existing admin links
         • /Secure/Admin/AdminEditUser.aspx
         • /Secure/Admin/AdminNewUser.aspx
         • /Secure/Admin/AdminUserProgramRole.aspx
         • /Secure/Admin/AdminChangePassword.aspx
    24. Success
    25. Maybe Not.
    26. Start Guessing
    27. The existing admin links
         • /Secure/Admin/AdminEditUser.aspx
         • /Secure/Admin/AdminNewUser.aspx
         • /Secure/Admin/AdminUserProgramRole.aspx
         • /Secure/Admin/AdminChangePassword.aspx
    28. Success – About Time
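
A defender's view of slides 13 to 19, as an added example that is not part of the original deck: detection logic that reads IIS W3C log lines and reports non-admin accounts that were served pages under /Secure/Admin/ and accounts that requested many distinct uid values on one admin page. The log field layout, the KNOWN_ADMINS set, the threshold and every sample line are constructed assumptions.

```python
from collections import defaultdict
from urllib.parse import parse_qs

# Constructed IIS W3C log sample (dates, IPs and status codes are made up).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-stem cs-uri-query sc-status
2005-01-01 10:00:01 203.0.113.7 spidynamics GET /Secure/Admin/AdminUserProgramRole.aspx uid=spidynamics 500
2005-01-01 10:00:09 203.0.113.7 spidynamics GET /Secure/Admin/AdminUserProgramRole.aspx uid=2 200
2005-01-01 10:00:12 203.0.113.7 spidynamics GET /Secure/Admin/AdminUserProgramRole.aspx uid=3 200
2005-01-01 10:00:15 203.0.113.7 spidynamics GET /Secure/Admin/AdminUserProgramRole.aspx uid=4 200
2005-01-01 10:03:40 203.0.113.7 spidynamics GET /Secure/Admin/AdminUserProgramRole.aspx uid=183 200
2005-01-01 10:05:00 198.51.100.4 admin1 GET /Secure/Admin/AdminEditUser.aspx uid=183 200
2005-01-01 10:06:00 198.51.100.9 jdoe GET /Secure/ViewSystemMessage.aspx id=47 200
"""

ADMIN_PREFIX = "/secure/admin/"
KNOWN_ADMINS = {"admin1"}  # assumption: exported from the application's role table
ENUM_THRESHOLD = 3         # distinct uid values per user and page before flagging


def parse(log_text):
    """Yield one dict per request, keyed by the names in the #Fields header."""
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split()))


def analyze(log_text, admins=KNOWN_ADMINS, threshold=ENUM_THRESHOLD):
    served = defaultdict(list)  # non-admin user -> admin pages answered with 200
    uids = defaultdict(set)     # (user, page) -> distinct uid values requested
    for rec in parse(log_text):
        stem, user = rec["cs-uri-stem"], rec["cs-username"].lower()
        if not stem.lower().startswith(ADMIN_PREFIX) or user in admins:
            continue
        if rec["sc-status"] == "200":
            served[user].append(stem)  # authorization failure: page was rendered
        for value in parse_qs(rec["cs-uri-query"]).get("uid", []):
            uids[(user, stem)].add(value)
    enumerators = {k: sorted(v) for k, v in uids.items() if len(v) >= threshold}
    return dict(served), enumerators


if __name__ == "__main__":
    served, enumerators = analyze(SAMPLE_LOG)
    print("admin pages served to non-admins:", served)
    print("uid enumeration:", enumerators)
```

Any entry in the first result means the server rendered an admin page without checking the caller's role, which is the root cause the slides demonstrate; the second result only shows how the gap was explored.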
