One of the world's largest cryptocurrency sites was hacked by the Strynx team, uncovering a flaw that exposed multiple vulnerabilities which could have led to the loss of millions of dollars. One of the team members shares his point of view on how we discovered such a critical issue involving the data of millions of users.
Here's how we discovered it:
The testing began in two phases: manual and automated recon.
The main purpose was to discover an HTTP API that could be accessed and exploited via a few commands. Manual recon is always preferred because it makes the tester independent of different scripts and tools. Automated tools make things simple but consume a lot of time and throw out a lot of false positives, whereas manual recon eliminates the possibility of false positives and discovers issues much faster.
To begin, the website was behind Cloudflare. There are various methods for retrieving the actual server IP, but Censys is generally preferred: fast and accurate results make the recon process much quicker. There are various tools used for automated recon, and Censys is one of the best ones to use. We'll deep dive into some of these tools in the next blog. After obtaining the IP, port scanning was performed. Nmap was used to discover all open ports and services which could potentially be used to take over the server or cause harm to the company. No unusual ports were found except port 443, used for the website. The website was blockchain-based, and it is always assumed that sites dealing with blockchain are secure and no harm can be done. But this was not the case here. Below we show how this server was exploited using various methodologies, including exploiting and chaining several issues.
On exploring the website, it was seen that each request on the site was accompanied by a CSRF token. For those who don't know what a CSRF token is: it is a unique secret with an unpredictable value, generated server-side, so that it cannot be guessed by anyone writing scripts that send requests on behalf of the target user. It is similar to a captcha which changes for every request. It was observed that there was an endpoint which was called to generate the CSRF token. Thus, to automate the process of manually inserting a new CSRF token, a Python script was developed. If you want to know how it was done, refer to this link: https://stackoverflow.com/questions/13567507/passing-csrftoken-with-python-requests. And then it was time to deep dive.
Here is a short code snippet we used:
from cmd import Cmd
import requests
from bs4 import BeautifulSoup


class Terminal(Cmd):
    prompt = '>'

    def __init__(self):
        # Fetch the form once to obtain the initial CSRF token from the hidden input
        url = "url"
        headers = {}
        cookies = {"PHPSESSID": "a1sw4s4e7s4s55w6s6sw8s5q2a"}
        response = requests.get(url, headers=headers, cookies=cookies)
        soup = BeautifulSoup(response.text, 'html.parser')
        self.token = soup.find('input', {'name': 'token'})['value']
        Cmd.__init__(self)

    def default(self, args):
        # Every line typed at the prompt is appended to the payload prefix
        cmd = args
        injection = "example" + cmd
        print(injection)
        url = "example.coin"
        headers = {}
        cookies = {"PHPSESSID": "a1sw4s4e7s4s55w6s6sw8s5q2a"}
        data = {
            "username": "b",
            "password": "a",
            "db": injection,        # the tampered parameter carries the payload
            "token": self.token,    # current CSRF token, refreshed below
            "login": ""
        }
        response = requests.post(url, headers=headers, cookies=cookies, data=data)
        soup = BeautifulSoup(response.text, 'html.parser')
        print(response.text)
        # A fresh token is only present on a non-error page, so refresh it there
        if "PDOException" not in response.text:
            self.token = soup.find('input', {'name': 'token'})['value']


terminal = Terminal()
terminal.cmdloop()
The next thing was to look for hidden directories and paths on the web server. Tools like dirbuster and gobuster can be used for this, along with a wordlist to enumerate. As rockyou4.txt and directory-list-2.3-*.txt are very well known, a wordlist was prepared with less common terms. Usually the standard wordlists are known to developers and pen-testers, hence another one was made. The main focus was to search for JS files with the help of jQuery. Different methods were also used to enumerate hidden files, but we'll leave that for later. After this, Burp was used to analyse all the requests. Various POST requests were observed to look for any issues, and various parameters were tampered with to check the functionality of the site and how the database connection is used. It turned out there was a lack of error protection on the site, which leaked data when certain parameters were tampered with.
Protip: always tamper with data to look for loopholes. Suppose the value of a parameter is 0: make it 1 to see what happens. Always contradict the expected values of parameters to look for loopholes.
On analysing the server (looking into JS files and the error messages), multiple hidden parameters were found, along with some sensitive information about the internal functions used by the website. These functions helped the site give a better user experience but turned out to be its worst nightmare. Various types of injection did work, but we will focus on one of them in depth. On observing the communications, it was noted that the application accepted some SQL special elements, so it was time to search for SQL injection. On testing one of the hidden parameters, an error-based SQLi was observed. The purpose of the parameter wasn't understood, as it wasn't making any observable change on the page, although it still made calls to the database. It was probably some functionality used for testing whose code wasn't removed before the site went to production.
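As an added illustration (not code from the original post or from the tested site), here is the same error-based pattern in Python against a constructed in-memory SQLite table: a hidden db parameter concatenated into a query with the driver exception echoed back to the client, next to a hardened lookup that validates the value, binds it, and logs the detail server-side. The table, column names and sample row are assumptions.

```python
import logging
import sqlite3


def make_db():
    # Constructed stand-in for the site's backend: one users table, one row
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'alice', '5f4dcc3b5aa765d61d8327deb882cf99')")
    conn.commit()
    return conn


def lookup_vulnerable(conn, db_param):
    # Hidden 'db' parameter concatenated straight into SQL: a single quote
    # breaks the statement and the driver's message is returned to the client,
    # which is exactly what makes error-based injection workable.
    sql = "SELECT username FROM users WHERE id = " + db_param
    try:
        return {"rows": conn.execute(sql).fetchall()}
    except sqlite3.Error as exc:
        # Equivalent of an uncaught PDOException printed into the page
        return {"error": "PDOException: " + str(exc)}


def lookup_hardened(conn, db_param):
    # 1. Validate the shape before the database ever sees the value
    if not db_param.isdigit():
        return {"error": "invalid request"}
    # 2. Bind the value instead of concatenating it
    try:
        rows = conn.execute(
            "SELECT username FROM users WHERE id = ?", (int(db_param),)
        ).fetchall()
        return {"rows": rows}
    except sqlite3.Error as exc:
        # 3. Driver detail goes to the server log, the client gets a generic message
        logging.error("db failure on user lookup: %s", exc)
        return {"error": "internal error"}


if __name__ == "__main__":
    c = make_db()
    print(lookup_vulnerable(c, "1'"))   # leaks the driver's syntax error
    print(lookup_hardened(c, "1'"))     # rejected before reaching the database
```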


Here are some of the PDO exceptions we found. If you don't know what PDO exceptions are, stay tuned for upcoming blogs. We will write about this so that if you find exceptions of this kind, you will learn how to exploit them.
An example of a hidden parameter would be as follows:
Suppose a JS file contains something like document.getElementById('id'). If that JS file is included in some HTML page, the parameter can be supplied from the URL as example.com/index.php?Id=somevalue. This is one of several ways hidden parameters can be found.
The parameter was also tampered with to search for code injection, using values such as ';id' or ';pwd' to see if they produced any output or threw an error which could help us understand the application. This didn't work, so the next step was to exploit the SQLi found before.
There are various methods to find or exploit SQLi; for that, you can refer to any of the cheat sheets available online, as there is too much content to cover here. If another blog is needed for this, please write in the comments so that we can blog about it later. Various data was extracted from the database, and the juiciest credentials were the database login credentials. As you may know, credentials are usually hashed by default, hence the next job was cracking these hashes. The hashes were cracked easily, as the account used a common password from public wordlists. It was like, umm... such a critical site with so little protection.
Ok, we got SQL access. What next?
It’s time for RCE.
As you may know, once you have remote SQL access to the database, it is possible to upload a PHP shell if the database has the permissions to write files into the web directory. To our surprise it did. It was possible to write a shell into the /var/www/html directory, which created a PHP shell in the root directory of the website. But this wasn't as easy as it sounds.
Hurdles never stop ☹
It turned out there was a filter on the parameter looking for tags (XSS prevention :P). This was bypassed using double encoding, which allowed malicious PHP files to be uploaded to the system. For those who don't know how to get a shell from SQLi, try out sqlmap to learn more about this. sqlmap has a function which gets us a PHP shell on the web server: it checks whether it has permission to write to the web directories and creates a PHP file which, when opened, offers to upload our malicious web shells to the server. From the web shell we were able to get a reverse shell to the system, and hence RCE!
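The tag filter described above fails because it inspects the raw parameter while the application decodes the value afterwards. As an added example (not code from the post or from the tested site), the Python below shows that ordering next to the fix: canonicalize by decoding until the value stops changing, refuse values that never settle, and only then apply the check. The has_tag check and the round limit are assumptions.

```python
from urllib.parse import unquote


def has_tag(value):
    # Minimal stand-in for the site's tag filter (an assumption)
    return "<" in value or ">" in value


def filter_before_decode(raw_param):
    # Vulnerable ordering: the check sees the raw string, the app decodes later.
    if has_tag(raw_param):
        return None                       # rejected
    # Two decoding steps (e.g. a proxy/framework decode plus an explicit one):
    # what the filter never saw now reaches the application.
    return unquote(unquote(raw_param))


def canonicalize(raw_param, max_rounds=5):
    # Decode repeatedly until the value is stable, so the check runs on the
    # same bytes the application will actually use.
    value = raw_param
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError("encoding did not settle")


def filter_after_decode(raw_param):
    # Hardened ordering: canonicalize first, reject unstable input, then check.
    try:
        value = canonicalize(raw_param)
    except ValueError:
        return None
    if has_tag(value):
        return None
    return value


if __name__ == "__main__":
    doubled = "%253Cb%253E"               # '<b>' encoded twice
    print(filter_before_decode(doubled))  # passes the filter, decodes to <b>
    print(filter_after_decode(doubled))   # None: caught after canonicalization
```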

After this, the report was submitted with screenshots and a proper PoC via secure channels. Within one hour a reply was received acknowledging the report and asking for personal details in order to pay a bounty. To my surprise, a 5-digit bounty was awarded by the company for this effort. We appreciate the company's response and fix time, as the issue was fixed in just 2 hours. Everything from the error messages to the database names was fixed in no time. Kudos to the company!

Please leave any comments or suggestions for this blog, and for any further blogs you would like to read. We provide services to companies who would like their products to be tested. If you're a company that wants us to perform complete testing of your site, please use the Contact Us page to drop a message, or write to info(at)strynx.org. We will try to reply at the earliest.