WhatsUp Gold gives a user visibility into applications, network devices and servers. To do this, it has to hold a lot of credentials, making it a good target for attackers.
While tracing out some inputs, Sina noticed that user-controlled input was being placed directly into a SQL query. Classic SQL injection vulnerability! Now what? Credential leakage? Command injection? After examining the database configuration, they found that command execution wasn't possible, because the database was securely configured. Additionally, the admin user's credentials were stored encrypted.
Reverse engineering the application showed that the encryption was fairly flawed: a mix of odd hardcoded keys and keys stored in another table. This made decryption inconsistent and unreliable, which was frustrating.
The idea was to find a primitive in the application that would either decrypt the stored password or encrypt a user-controlled password that could then overwrite the existing one. While browsing around, they found code that used the same key to encrypt arbitrary user data. That is an encryption oracle.
So, here's the full exploit chain:
- Use the encryption oracle to encrypt a chosen value that will later serve as the password.
- Use the SQL injection to retrieve the encrypted value. How it's encrypted doesn't matter; the encrypted value itself is what's needed!
- Use the SQL injection again to overwrite the admin password with that encrypted value.
- Log in!
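As an added example (not code from the post or from WhatsUp Gold) of the design weakness behind the chain: when the credential code path and a user-data code path share one key, any ciphertext the user-data path produces is also a valid stored credential. Binding each ciphertext to its purpose with per-context subkeys (a toy encrypt-then-MAC over Python's `hmac`, with a constructed key and assumed context names) makes the same oracle output fail verification in the credential path:

```python
import hashlib
import hmac
import os

# Constructed demo key; stands in for the application's secret key.
MASTER_KEY = hashlib.sha256(b"constructed demo master key").digest()

def derive_subkey(master: bytes, context: str) -> bytes:
    # Per-purpose subkey: code that encrypts user notes never touches the
    # subkey that protects stored credentials, so its output is useless there.
    return hmac.new(master, context.encode(), hashlib.sha256).digest()

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    for counter in range((length + 31) // 32):  # 32 bytes per HMAC block
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]

def seal(master: bytes, context: str, plaintext: bytes, nonce: bytes = b"") -> bytes:
    # Encrypt-then-MAC under context-specific keys (toy construction, stdlib only).
    nonce = nonce or os.urandom(16)
    enc_key = derive_subkey(master, "enc:" + context)
    mac_key = derive_subkey(master, "mac:" + context)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(master: bytes, context: str, blob: bytes):
    # Returns the plaintext, or None when the tag does not verify under this
    # context's MAC key (wrong context or tampered blob).
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    mac_key = derive_subkey(master, "mac:" + context)
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        return None
    enc_key = derive_subkey(master, "enc:" + context)
    return bytes(c ^ k for c, k in zip(ct, keystream(enc_key, nonce, len(ct))))

def oracle_blob_accepted_as_credential(separate_contexts: bool) -> bool:
    """Model the chain from the post: a chosen value is encrypted by the
    user-data code path, then written into the admin-password column via
    the SQL injection. True means login would accept the chosen password."""
    chosen = b"attacker-chosen-password"
    note_ctx = "user_note"                                   # assumed context name
    cred_ctx = "admin_credential" if separate_contexts else note_ctx
    blob = seal(MASTER_KEY, note_ctx, chosen)                # what the oracle hands back
    return unseal(MASTER_KEY, cred_ctx, blob) == chosen      # what login would compute
```

This only blunts the oracle; the root cause in the post is the SQL injection, which is fixed with parameterized queries, not by the cipher.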
Overall, a solid post! I enjoyed the reverse engineering breakdown and the creativity to turn this into an authentication bypass.