Hello guys,
I’m back with a new post and a new discovery. As I’m a Mobilis GSM subscriber, I thought about registering for their online invoice system. I went through the steps and was given access to my account online.
EXPLORING THE WONDERLAND:
When you first log in you get this page:
You can do some things from here, like viewing/downloading your invoices and cancelling the online account. We are mainly interested in the invoices, as they contain all the information about the target needed to help conduct further attacks on him/her.
I hooked up the Burp Suite proxy to the browser and logged in, and I was amazed by what I was seeing. This is what happens upon login:
Isn’t that a session initializer? /servlet/InitSessionExt?USER=”account_id”&ACCESS=1&INVOICE=”invoice_id”
The “account_id” can be brute-forced, as it is a sequential number, but how can we get the “invoice_id” for the target account if we don’t have access yet? Remember the graph we saw previously? Well, it could be our entry point, as it reveals all the invoice IDs for a particular account.
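The root cause described above is that the session initializer trusts the USER and INVOICE values supplied in the query string and never checks that a password login happened or that the invoice belongs to the caller. The following is an added example (not Mobilis's code) contrasting a handler that mirrors that behaviour with a hardened one; the INVOICES table, the Session class and the function names are hypothetical, and only the parameter names USER, ACCESS and INVOICE come from the request shown in the post.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed ownership data: which invoice ids belong to which account id.
INVOICES = {
    "100001": {"INV-2017-01", "INV-2017-02"},
    "100002": {"INV-2017-03"},
}


@dataclass
class Session:
    """Server-side session; `authenticated` is set only after a password login."""
    account_id: str
    authenticated: bool = False


class Forbidden(Exception):
    """Raised when the request must be rejected (401/403)."""


def init_session_vulnerable(params: dict) -> dict:
    # Mirrors the behaviour the post describes: the account and invoice are
    # taken straight from the client, and no login is required.
    return {"account": params["USER"], "invoice": params["INVOICE"]}


def init_session_hardened(params: dict, session: Optional[Session]) -> dict:
    # 1. Require a session that has actually passed password authentication.
    if session is None or not session.authenticated:
        raise Forbidden("login required")
    # 2. Ignore the client-supplied USER entirely; the account comes from the
    #    server-side session, so enumerating USER values buys nothing.
    invoice = params.get("INVOICE")
    # 3. Bind the requested invoice to the logged-in account (object-level
    #    authorization), so a guessed invoice id of another account is refused.
    if invoice not in INVOICES.get(session.account_id, set()):
        raise Forbidden("invoice not owned by the logged-in account")
    return {"account": session.account_id, "invoice": invoice}


def is_rejected(params: dict, session: Optional[Session]) -> bool:
    """Helper for checking outcomes: True if the hardened handler refuses."""
    try:
        init_session_hardened(params, session)
    except Forbidden:
        return True
    return False
```

The hardened version keys every decision off the server-side session rather than the request, which is what removes both the password bypass and the cross-account invoice access at once.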
With fingers crossed I tried to pass a “random” account_id:
Wow!! I got all the invoice numbers associated with that account.
And now that I have everything, I can pass those parameters to “InitSessionExt” using Burp Repeater and see if it initializes the session without a password being required,
And ….
YES! I’m in (y)
A malicious attacker can then use that information to social engineer the help desk into doing things to the account, like suspending it. I’ll let you work the machine and think about other potential scenarios.
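On the operations side, the pattern in this post (one client walking sequential account_id values through InitSessionExt) is visible in the web server's access log. The following is an added example, not part of the original post, that scans constructed common-log-format lines, counts distinct USER values per client IP on the InitSessionExt path, and flags clients whose ids form a consecutive run. The log lines, IPs, thresholds and function names are all constructed for the example; only the path and parameter names come from the post.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (common log format); not real data.
LOG_LINES = [
    '10.0.0.5 - - [12/Mar/2017:10:00:01 +0100] "GET /servlet/InitSessionExt?USER=100001&ACCESS=1&INVOICE=A1 HTTP/1.1" 200 512',
    '10.0.0.5 - - [12/Mar/2017:10:00:02 +0100] "GET /servlet/InitSessionExt?USER=100002&ACCESS=1&INVOICE=B1 HTTP/1.1" 200 498',
    '10.0.0.5 - - [12/Mar/2017:10:00:03 +0100] "GET /servlet/Invoices?USER=100002 HTTP/1.1" 200 2048',
    '10.0.0.5 - - [12/Mar/2017:10:00:04 +0100] "GET /servlet/InitSessionExt?USER=100003&ACCESS=1&INVOICE=C1 HTTP/1.1" 200 501',
    '10.0.0.5 - - [12/Mar/2017:10:00:05 +0100] "GET /servlet/InitSessionExt?USER=100004&ACCESS=1&INVOICE=D1 HTTP/1.1" 200 503',
    '10.0.0.9 - - [12/Mar/2017:10:01:00 +0100] "GET /servlet/InitSessionExt?USER=100077&ACCESS=1&INVOICE=E1 HTTP/1.1" 200 505',
    'not a log line at all',
]

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return (client ip, path, query dict) or None when the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    return m.group("ip"), parts.path, parse_qs(parts.query)


def session_init_targets(lines):
    """Map each client IP to the set of USER values it sent to InitSessionExt."""
    targets = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, path, query = parsed
        if path != "/servlet/InitSessionExt":
            continue  # other servlets are not the session initializer
        for user in query.get("USER", []):
            targets[ip].add(user)
    return dict(targets)


def looks_sequential(users, run=3):
    """True if the numeric account ids contain `run` consecutive values."""
    ids = sorted({int(u) for u in users if u.isdigit()})
    streak = 1
    for prev, cur in zip(ids, ids[1:]):
        streak = streak + 1 if cur == prev + 1 else 1
        if streak >= run:
            return True
    return False


def flag_enumeration(lines, threshold=3):
    """Return (ip, distinct account count, sequential?) for clients that hit
    at least `threshold` distinct accounts through InitSessionExt."""
    findings = []
    for ip, users in sorted(session_init_targets(lines).items()):
        if len(users) >= threshold:
            findings.append((ip, len(users), looks_sequential(users)))
    return findings


if __name__ == "__main__":
    for ip, count, sequential in flag_enumeration(LOG_LINES):
        print(f"{ip}: {count} distinct accounts, sequential={sequential}")
```

A legitimate subscriber initializes a session for their own account only, so any client touching several distinct USER values through this path is worth an alert, and a consecutive run of ids is the specific brute-force signature described in this post.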
VIDEO POC: