NetSparker hack research

10-12-2018


In the early morning of October 12th, a hack attempt was made on a client's site, specifically on their reservation system. The attack was carried out with an unauthorised use of NetSparker against the site. The attackers used a variety of methods to attempt a compromise of data.

The attack started at 03:40:12 AM local time and ended at 03:44:24 AM. It ended when they attempted SQL injection and hit the service a little too hard, causing MySQL to overload and crash. The attack also involved searching for other active services on the host, which was to no avail.

The full attack was equivalent to a smash and grab. They scanned for WordPress files, Joomla files, and then Drupal files. When that produced no results, the scan began to look for forms that appeared to be more complex than a simple contact form, and it found one in the reservation system. Once the form was located and mapped, they submitted it repeatedly using different SQL injection methods on different fields. Due to the security tied to the form, all injection attempts failed.

During my research of the offender, I discovered that the host is a Windows server with Remote Desktop enabled, but the hacker appears to be smart enough to avoid the admin/admin trope. I also discovered that his system is based on AppServ, which includes phpMyAdmin and PHP info files. Unfortunately phpMyAdmin appears to be broken; I was hoping to see something on there, oh well.

Credit to my partner, Mason Dorn, who helped me add better security to this system in 2016, which prevented customer data from being lost in this attack.

Below I've included their code snippet, a few things I discovered on their site, and relevant screenshots.

Log Data
54.39.106.100 - - [12/Oct/2018:03:44:12 -0700] "POST /reservations/confirmation.php HTTP/1.1" 200 1111 "https://www.aerogelicballooning.com/reservations/" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36"

54.39.106.100 - - [12/Oct/2018:03:44:12 -0700] "POST /reservations/confirmation.php HTTP/1.1" 200 1215 "https://www.aerogelicballooning.com/reservations/" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36"

54.39.106.100 - - [12/Oct/2018:03:44:12 -0700] "POST /reservations/confirmation.php HTTP/1.1" 200 1111 "https://www.aerogelicballooning.com/reservations/" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36"

[Fri Oct 12 02:41:27.639383 2018] [:error] [pid 31920] [client 54.39.106.100:50976] PHP Notice:  Undefined index: map in /var/www/html/launchlocations.php on line 34, referer: https://www.aerogelicballooning.com/

[Fri Oct 12 02:41:27.793946 2018] [:error] [pid 31921] [client 54.39.106.100:50981] PHP Notice:  Undefined index: map in /var/www/html/launchlocations.php on line 34, referer: https://www.aerogelicballooning.com/

[Fri Oct 12 02:41:27.873224 2018] [:error] [pid 31921] [client 54.39.106.100:50981] PHP Notice:  Undefined variable: captcha in /var/www/html/send.php on line 32, referer: https://www.aerogelicballooning.com/contact.php
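A defender's first step with an excerpt like this is to pull the scan's fingerprints out of the access log. The script below is an added example (not part of this write-up or the site's own code): it parses Apache combined-format lines, flags 404s on the login paths of CMSes the site does not run (an assumed list), and flags bursts of POSTs to one endpoint from one client, which is what the three confirmation.php submissions above look like. The sample log is constructed: the excerpt's three POSTs with the user agent shortened, plus invented probe lines and one unrelated visitor from a documentation address.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" access-log layout, the same as the excerpt above.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*"$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Login/admin paths of CMSes this site does not run (assumed list); a 404 here means fingerprinting.
CMS_PROBES = ("/wp-login.php", "/wp-admin/", "/administrator/", "/user/login")

# Constructed sample: the excerpt's three POSTs (user agent shortened), two invented probes, one unrelated visitor.
SAMPLE_LOG = """\
54.39.106.100 - - [12/Oct/2018:03:40:12 -0700] "GET /wp-login.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
54.39.106.100 - - [12/Oct/2018:03:40:13 -0700] "GET /administrator/ HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Oct/2018:03:41:02 -0700] "GET /reservations/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
54.39.106.100 - - [12/Oct/2018:03:44:12 -0700] "POST /reservations/confirmation.php HTTP/1.1" 200 1111 "https://www.aerogelicballooning.com/reservations/" "Mozilla/5.0"
54.39.106.100 - - [12/Oct/2018:03:44:12 -0700] "POST /reservations/confirmation.php HTTP/1.1" 200 1215 "https://www.aerogelicballooning.com/reservations/" "Mozilla/5.0"
54.39.106.100 - - [12/Oct/2018:03:44:12 -0700] "POST /reservations/confirmation.php HTTP/1.1" 200 1111 "https://www.aerogelicballooning.com/reservations/" "Mozilla/5.0"
"""

def parse_line(line):
    """Return the fields of one access-log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec

def analyse(log_text, burst_count=3, burst_window=5):
    """Per client IP: 404'd CMS probe paths, and any endpoint that received
    burst_count or more POSTs within burst_window seconds (form-fuzzing signature)."""
    probes, posts = defaultdict(list), defaultdict(list)
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        if rec["status"] == 404 and rec["path"].startswith(CMS_PROBES):
            probes[rec["ip"]].append(rec["path"])
        if rec["method"] == "POST":
            posts[(rec["ip"], rec["path"])].append(rec["ts"])
    findings = defaultdict(dict)
    for ip, paths in probes.items():
        findings[ip]["cms_probes"] = paths
    for (ip, path), times in posts.items():
        times.sort()  # sliding window over sorted timestamps
        for i in range(len(times) - burst_count + 1):
            if (times[i + burst_count - 1] - times[i]).total_seconds() <= burst_window:
                findings[ip].setdefault("post_bursts", []).append(path)
                break
    return dict(findings)
```

Running analyse(SAMPLE_LOG) reports only 54.39.106.100, with both probe paths and a POST burst on /reservations/confirmation.php; the unrelated visitor produces no finding.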
Notable data
IP: 54.39.106.100
Host: NONE IDENTIFIED
Crawl Data
.../
.../phpMyAdmin/
.../phpinfo.php
.../appserv/README-en.php?appservlang=en
.../index.php?appservlang=en
.../index.php?appservlang=th
.../appserv/README-th.php?appservlang=th
.../appserv/AUTHORS.txt
.../appserv/COPYING.txt
.../appserv/ChangeLog.txt
.../appserv/PHP-logo.gif
.../appserv/account.gif
.../appserv/annoicon.gif
.../appserv/email.gif
.../appserv/flag-english.png
.../appserv/flag-thai.png
.../appserv/home.gif
.../appserv/lang-english.php
.../appserv/lang-thai.php
.../appserv/main.php
.../appserv/members.gif
.../appserv/softicon.gif
Screen Shots

© 2019 Dixon Ryder All Rights Reserved.