Author Topic: Email website hacking  (Read 1135 times)


Offline jxfn

  • NULL
  • Posts: 3
  • Cookies: 0
Email website hacking
« on: March 07, 2014, 02:16:04 pm »
So I had been exploiting an online email website (which should not be named) by abusing a bug in the password recovery forms, which allowed me to skip to the last step of the recovery by manipulating the headers. But they recently fixed it (some sort of cookie change between the recovery steps or something), so I'm forced to look for other vulnerabilities. I'm new to website hacking and the bug I found was pure luck. I'm not even sure what this vulnerability is called or how it works.
Any idea how to identify the exact software running on the website so I can start reading on it and how to exploit it? What setup are such sites typically running, and what's the easiest way of attacking them? Thanks :)
PS: I'm not using it for anything substantially wrong.
« Last Edit: March 07, 2014, 02:18:35 pm by jxfn »

Offline lucid

  • #Underground
  • Titan
  • **
  • Posts: 2683
  • Cookies: 243
  • psychonaut
Re: Email website hacking
« Reply #1 on: March 07, 2014, 02:53:14 pm »
There's plenty of ways to figure out website software info. You could always telnet/netcat to the website and then issue an HTTP get request. This doesn't always work but it can. Another way would simply be to use curl.

EDIT: Or if you are bored you could always code your own http client.
« Last Edit: March 07, 2014, 02:54:18 pm by lucid »
"Hacking is at least as much about ideas as about computers and technology. We use our skills to open doors that should never have been shut. We open these doors not only for our own benefit but for the benefit of others, too." - Brian the Hacker

Quote
15:04  @Phage : I'm bored of Python

Offline vezzy

  • Royal Highness
  • ****
  • Posts: 771
  • Cookies: 172
Re: Email website hacking
« Reply #2 on: March 07, 2014, 03:17:21 pm »
This is a legitimate service which fingerprints web technologies: http://builtwith.com/

Won't raise any eyebrows if it shows up in server logs.
Quote from: Dippy hippy
Just brushing though. I will be semi active mainly came to find a HQ botnet, like THOR or just any p2p botnet

Offline jxfn

  • NULL
  • Posts: 3
  • Cookies: 0
Re: Email website hacking
« Reply #3 on: March 07, 2014, 03:29:58 pm »
So the target uses nginx + apache, a PHP framework and the jQuery 1.8.2 JS framework. Any idea where to go from there?

Offline lucid

  • #Underground
  • Titan
  • **
  • Posts: 2683
  • Cookies: 243
  • psychonaut
Re: Email website hacking
« Reply #4 on: March 07, 2014, 07:19:58 pm »
Unless you have a specific question you should poke around some more before just asking us how to do it  ;)

Offline jxfn

  • NULL
  • Posts: 3
  • Cookies: 0
Re: Email website hacking
« Reply #5 on: March 09, 2014, 06:19:01 pm »
Quote from: lucid
Unless you have a specific question you should poke around some more before just asking us how to do it  ;)
So I think I understood how the process of password recovery on the website works.
I enter the username:
-> it gives me a cookie and asks me for birth date
-> I enter the correct birth date, I get another cookie and get transferred to the secret question
-> I enter the correct answer, I get a cookie and get transferred to the change password page
Before I was able to skip the birth date page entirely, because the birth date and secret question pages used the same cookie, so I'd just send the POST parameter to the new page with the same cookie and a test answer.
I was ready to give up on this when I found something interesting: I can still access the secret question page even without giving the correct birth date, but I just don't see the question. If I answer it correctly, I get to the password change page. Basically it would be great if I could see the question again.
This is not the case for the password change page, I can't access it without the correct cookie.
I'm trying everything without any direction, it would be great if I get some pointers on what to try and check.
« Last Edit: March 09, 2014, 06:26:17 pm by jxfn »
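The flow jxfn describes is a textbook case of a multi-step recovery that does not bind its token to the step actually completed: the birth-date and secret-question pages shared one cookie, so a request for step 3 was honoured with the state of step 1, and after the partial fix the question page still accepts answers from a token that never passed the birth-date check, which just turns the flaw into an unlimited guessing oracle. The toy server below is an added example written for this thread, not code from the site or from any poster; the account data, class names and `MAX_ANSWER_ATTEMPTS` limit are all constructed. With `bind_steps=False` it reproduces the skippable flow; with `bind_steps=True` every step checks server-side that the previous one was completed, the token is single-use, and repeated wrong answers void it.

```python
"""Toy model of a multi-step password-recovery flow (constructed example)."""
import hmac
import secrets
from dataclasses import dataclass

# Constructed sample account; not a real user.
ACCOUNTS = {
    "alice": {"birth_date": "1990-01-01",
              "question": "Name of first pet?",
              "answer": "rex"},
}

# Stages a recovery token must pass through, in this order.
STAGE_BIRTH_DATE, STAGE_QUESTION, STAGE_SET_PASSWORD = 1, 2, 3
MAX_ANSWER_ATTEMPTS = 5            # hypothetical limit on secret-answer guesses


@dataclass
class RecoverySession:
    username: str
    stage: int = STAGE_BIRTH_DATE  # the next step the client must complete
    answer_attempts: int = 0


class RecoveryServer:
    """bind_steps=False: the token does not record which step was completed
    (the flaw in the thread). bind_steps=True: step order is enforced."""

    def __init__(self, bind_steps):
        self.bind_steps = bind_steps
        self.sessions = {}         # token -> RecoverySession (server-side only)
        self.passwords = {}        # username -> new password (toy store)

    def start(self, username):
        if username not in ACCOUNTS:
            return None
        token = secrets.token_hex(16)      # opaque; carries no state itself
        self.sessions[token] = RecoverySession(username)
        return token

    def _session(self, token, required_stage):
        s = self.sessions.get(token)
        if s is None:
            return None
        if self.bind_steps and s.stage != required_stage:
            return None                    # step skipped or replayed
        return s

    def submit_birth_date(self, token, birth_date):
        s = self._session(token, STAGE_BIRTH_DATE)
        if s is None:
            return False
        if not hmac.compare_digest(birth_date, ACCOUNTS[s.username]["birth_date"]):
            return False
        s.stage = STAGE_QUESTION
        return True

    def get_question(self, token):
        s = self._session(token, STAGE_QUESTION)
        return None if s is None else ACCOUNTS[s.username]["question"]

    def submit_answer(self, token, answer):
        s = self._session(token, STAGE_QUESTION)
        if s is None:
            return False
        s.answer_attempts += 1
        if s.answer_attempts > MAX_ANSWER_ATTEMPTS:
            del self.sessions[token]       # too many guesses: void the token
            return False
        expected = ACCOUNTS[s.username]["answer"]
        if not hmac.compare_digest(answer.strip().lower(), expected):
            return False
        s.stage = STAGE_SET_PASSWORD
        return True

    def set_password(self, token, new_password):
        s = self._session(token, STAGE_SET_PASSWORD)
        if s is None or len(new_password) < 12:
            return False
        self.passwords[s.username] = new_password
        del self.sessions[token]           # token is single use
        return True


def skip_birth_date_succeeds(bind_steps):
    """Regression check for the flaw in the thread: a token that never passed
    the birth-date step is used directly on the question and password steps.
    Returns True only if the server wrongly allows it."""
    srv = RecoveryServer(bind_steps)
    token = srv.start("alice")
    return bool(srv.submit_answer(token, "rex")
                and srv.set_password(token, "correct horse battery"))


def full_flow_succeeds(bind_steps):
    """The legitimate path, step by step, should work in both modes."""
    srv = RecoveryServer(bind_steps)
    token = srv.start("alice")
    return bool(srv.submit_birth_date(token, "1990-01-01")
                and srv.get_question(token) is not None
                and srv.submit_answer(token, "Rex")
                and srv.set_password(token, "correct horse battery"))


def guesses_exhaust_token():
    """After MAX_ANSWER_ATTEMPTS wrong answers even the right one is refused."""
    srv = RecoveryServer(bind_steps=True)
    token = srv.start("alice")
    srv.submit_birth_date(token, "1990-01-01")
    for _ in range(MAX_ANSWER_ATTEMPTS):
        srv.submit_answer(token, "wrong")
    return srv.submit_answer(token, "rex")


if __name__ == "__main__":
    print("unbound token, birth date skipped:", skip_birth_date_succeeds(False))
    print("bound token, birth date skipped:  ", skip_birth_date_succeeds(True))
    print("bound token, honest flow:         ", full_flow_succeeds(True))
```

The important design choice is that the client never carries step state: the cookie is an opaque key into `sessions`, and each handler asks `_session()` for exactly the stage it serves, so neither replaying an old token nor posting to a later page early gets past the check. The attempt counter exists because a step that silently accepts answers without showing the question is still an oracle; voiding the token after a few misses, and logging those voids, is what makes the "hidden question" page safe rather than merely inconvenient.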