[GOV] Life Insurance Website Compromised
#1
Greetings to all,

Upon compromising a few sites late this morning and early this afternoon, this one captured my interest the most. This is a government Life Insurance website based in India, whereby I had full raid on its system and resources. The exploitation was SQLi, namely in-band, with the aid of error-based injection.

There are simply too many details to post, therefore I've refined and consolidated everything into 6 images. I don't wish to bore you with details, so this is very much straight to the point, with most content identified and viewable via its respective image. I keep saying that I'll do a tutorial on the methodologies used, and I am true to my word. Once my PCs decide to leave me alone, I shall document a noob-friendly guide.

As per my previous contributions, for security purposes, all images have been heavily edited.
So here we go.


After manually testing and identifying vulnerabilities, the exploitation begins, whereby I'm in the Customer Portal of the website:


Time to check out a few details. I've hit the "View Policies" link, and thousands of results were returned. I've clicked on just the one result and now have a given member's details at my disposal. This is the actual Life Insurance policy pertaining to the member:


I've now had a look at the "Premium Paid" section, and have the name, date of birth, address, policy number, etc. of a given member on hand:


It'd be interesting if I enrolled myself as a "New Policy" with the amount listed. Of course, I didn't perform anything of the sort:


Upon hitting the "Update Profile" link, I had the admin's personal details and could've updated them with any trash:


No need to elaborate on what can happen here; it's pretty much self-explanatory:


That's It for now. Stay tuned for further contributions (and my tutorial) when time permits.

CREDITS: mothered
#2
I don't know, I find something doubtful; help me here.

I visited the exact same site... http://www.p******lifeinsurance.gov.in/ ... available publicly.
At the top right corner it says "Welcome, User" and not admin or any name or anything similar.
Now, if I try updating the profile then I simply can't, because the buttons won't work, and upon checking the source code they simply don't link to any URL.
Now, if I go to enroll policies: here the submit button is actually working, but guess what:
onclick="javascript:showDv(location.href='view_enrolled_policy.html');"
The onclick simply redirects to the enrolled policies page without any other action being taken.

And no disrespect, but in pic no. 2 the things you have blacked out are policy names and nos. available to the general public, and are not policy nos. related to any particular account.
Now coming to premium paid: all policies return the same name...
Maybe the info there is mostly for form-filling purposes (best guess) or something similar.

I might be wrong, but help me here: how is this website really hacked?
#3
(08-20-2016, 12:28 PM)loosekcha Wrote: I don't know, I find something doubtful; help me here.

I visited the exact same site... http://www.p******lifeinsurance.gov.in/ ... available publicly.
At the top right corner it says "Welcome, User" and not admin or any name or anything similar.
Now, if I try updating the profile then I simply can't, because the buttons won't work, and upon checking the source code they simply don't link to any URL.
Now, if I go to enroll policies: here the submit button is actually working, but guess what:
onclick="javascript:showDv(location.href='view_enrolled_policy.html');"
The onclick simply redirects to the enrolled policies page without any other action being taken.

And no disrespect, but in pic no. 2 the things you have blacked out are policy names and nos. available to the general public, and are not policy nos. related to any particular account.
Now coming to premium paid: all policies return the same name...
Maybe the info there is mostly for form-filling purposes (best guess) or something similar.

I might be wrong, but help me here: how is this website really hacked?

It most certainly was compromised.

I don't know what and how you experienced the errors mentioned, but at the time of my above post, everything was functional; I didn't encounter any issues whatsoever. Yes, as with a lot of websites, some info (backend, not critical in nature) may be publicly available. I didn't cross-check each and every detail. I'm sure I'm not the first to compromise that site and certainly won't be the last.
#4
I don't know; at the time you hacked the site, it was supposed to be working.

So, I looked up the Google cache at http://cachedview.com; it's a website copy from 16th August, 2016.
Same things here also, nothing working.
Cache link here
Sorry to doubt, but I just can't digest it after I have spent quite some time over it.
#5
(08-20-2016, 07:36 PM)loosekcha Wrote: I don't know; at the time you hacked the site, it was supposed to be working.

So, I looked up the Google cache at http://cachedview.com; it's a website copy from 16th August, 2016.
Same things here also, nothing working.
Cache link here
Sorry to doubt, but I just can't digest it after I have spent quite some time over it.

No need to apologize, you have every right to question something that may not seem right at the time.

It was functional for myself; I don't know what you've experienced and why, and whether you did gain backend privileges. A lot of sites do have demo logins (hence the loss of functionality), even when attacks seem to authenticate. Anyhow, it's smack on 6:00am here and I'm very much exhausted. Time for some beauty sleep.
#6
Yeah, let's chuck this issue; looking forward to your amazing tutorials ahead :D
#7
(08-21-2016, 05:19 AM)loosekcha Wrote: Yeah, let's chuck this issue; looking forward to your amazing tutorials ahead :D

All good my friend.

All the sites that I've compromised are saved by taking step-by-step screenshots, as well as supporting comments that denote each task. Everything is in its unedited form: the way I saw it then is the exact way it's represented. They're all categorized for easy navigation, saved on my external.

Here's just one of many directories:


And here's the directory details:


At the time of this post, I have 10 more websites (already compromised yesterday and the day before) that I need to investigate further. My intention is to share everything I have with our community here via private gateways. We're a small, trusted and close-knit family, so I'm quite confident that nothing further (linked to myself) will come of it. There are a few bits and pieces that need attending to, so all details shall be progressively collated.

I'm exhausted, need some sleep and definitely a few cups of coffee.
#8
(08-21-2016, 07:28 AM)mothered Wrote:
(08-21-2016, 05:19 AM)loosekcha Wrote: Yeah, let's chuck this issue; looking forward to your amazing tutorials ahead :D

All good my friend.

All the sites that I've compromised are saved by taking step-by-step screenshots, as well as supporting comments that denote each task. Everything is in its unedited form: the way I saw it then is the exact way it's represented. They're all categorized for easy navigation, saved on my external.

Here's just one of many directories:


And here's the directory details:


At the time of this post, I have 10 more websites (already compromised yesterday and the day before) that I need to investigate further. My intention is to share everything I have with our community here via private gateways. We're a small, trusted and close-knit family, so I'm quite confident that nothing further (linked to myself) will come of it. There are a few bits and pieces that need attending to, so all details shall be progressively collated.

I'm exhausted, need some sleep and definitely a few cups of coffee.

Woo, you certainly have a big collection, cheers mate.
#9
(08-21-2016, 07:46 AM)loosekcha Wrote: Woo, you certainly have a big collection, cheers mate.

Yes, there are quite a few files in there.

One of the reasons for its capacity is the database dumps, resumes, medical reports and user information extracted from websites where it was possible to do so.
EDIT: Typo.
#10
Sneaky sneaky! Nice job mothered, you always amaze us with your bawz skillz