How did I Compromise an IPMS

After haivng spent two decades of days on security development in SenseTime, an A.I. company in China, I finally finished a detection system helping company find their private source codes leaked on Github. It did takes some of my effort but fortunately it works well and every morning our team can be informed by the email sent by my detection system. 

On finishing the detection system, I was asked by my mentor to do a penetration test for an Intellectual Property Management System. The system currently works in the Intranet, but is to serve on the Internet some days later. What I need to do is to find as many vulnerabilities as possible to help the IPMS get rid of threats. As the end, I finally dumped the database, which seems to be a 0-day.

To be honest, I have never expected that I can even dump all data in database because I have never imagine a widely-used system can be such insecure, filled with security weakness.

After authorized by my mentor, I am here to share this interesting experience. Of course, some details may be dim by purpose.

This is a black-box test. What I have are simply an IP address of the management system and an account with admin privilege. After checking the port and services with nmap and some other tools, I exclude the posibilities of hacking the site with services except the web service. Port 443 is closed, so I decide to start from IP:80.

As the beginning, I log into the system and go through the whole system. Considering the collection of information as my first step, I quickly confirm the system is based on Windows Server + IIS 7.0 + ASPX + MS SQL Server. Perhaps uploading a backdoor and I can hack the site with the IIS 7.0 extension parsing vulnerability. 

I quickly triger some functionalities and go through the http history with Burp Suite. Soon I find a place where I guess I should take effort in. That is a interface for users to do query function. Everybody find this will decode it as JSON and do some more things. Me too.

What I do is to modify the TableName and FixField. Perhaps I can use this interface to get some user information, I guess. However, I still do not know the exact name for user table and related columns. If I can have the structure of database, then I can retrieve anything I want. Luckily enough, I find the developers of this system publish the overall structure of the database. They think administrators should know the structure of the database, but it seems to be silly thing to do so here.

I just modify the request and send the package. Then, it works. Finally, I managed to dump the whole database with 546 records of user information, including very sensitive information.

Now, I get the database. But is this the end? Obviously no! I did that with an admin privilege. What if I am only a normal user with least privilege? I signed up a new user with least privilege, and then reproduce all steps below, dumping whole database as the end. Interesting. No access control for this interface. 

Up to now, I discover the vulnerability allowing any user logged in is able to dump the database. However, it is far from the final discovery. The truth is, the absense of access control also exist not only at the interface of query but also the save data interface. By inserting a user record with an existing name and user ID into the database, I manage to reset any users’ password due to the mechanism that only the last record will be in force if there is more than two record with same username and ID. 

With several hours on it, I finally end up with several severe vulnerabilities. Although my mentor told me that what I found are 0day, I just regarded them as the result of an interesting CTF problem. To be honest, even CTF problems are much more difficult than such silly vulnerabilities.

Leave a Reply