
Another school-hack.


ghost's Avatar
0 0

Okay, this isn't an article but a bit more than a forum post. Combination between a story and a how-to.

Background info needed: Well I took computing for A-level (UK school) and my class were given account privileges so we can have access to files and folders needed for our projects.

My finds: My school uses the online admin system 'ePortal' to write pupil reports and fill in registers. Well, I thought I would take a look and I entered a few basic SQL injections into the login box to test the security… After three or four attempts I noticed the URL: https://*****.**********.cardiff.sch.uk/eportal/PortalServ?reqtype=login

To see if the page was vulnerable to XSS I changed the 'login' to 'qwerty' to see if it would get output… It did: /eportal/PortalServ?reqtype=qwerty

Next I tried some JavaScript… /eportal/PortalServ?reqtype=%20%3Cscript%3Ealert('XSS');%3C/script%3E And this worked also.

Although this is basic XSS, you can also do some phishing with iframes: /eportal/PortalServ?reqtype=%3Ciframe%20src=%22http://bbc.co.uk%22%3C/iframe%3E

And my last test before I got bored or got myself in some trouble that I didn't want to be in: /eportal/PortalServ?reqtype=%3Cobject%20width=%22425%22%20height=%22350%22%3E%3Cparam%20name=%22movie%22%20value=%22http://www.youtube.com/v/0ZR-XUHj-o4%22%3E%3C/param%3E%3Cparam%20name=%22wmode%22%20value=%22transparent%22%3E%3C/param%3E%3Cembed%20src=%22http://www.youtube.com/v/0ZR-XUHj-o4%22%20type=%22application/x-shockwave-flash%22%20wmode=%22transparent%22%20width=%22425%22%20height=%22350%22%3E%3C/embed%3E%3C/object%3E and bingo. It worked.

Well, I informed my teacher and originally they really appreciated it, after the other errors I found.

My Downfall: All things were good, then when I logged in once I returned from my Easter break I noticed my privileges were gone.

This really annoyed me.

My Comeback

So I offered to do some GFX work for my teacher which let me use his work station. I got the thumbs up.

I implemented a keylogger I had made in VB and I said there was some Windows error about the admin password (lies). So, not taking any precautions… my teacher changed his password. Now that it had been logged, all I had to do was put my privs back.

Now anyone who has used an RM machine knows its limitations when changing anything such as a theme or wallpaper. And you don't even get access to My Computer.

Well…alas…. Click here to see my account!

So I made a few more accounts with higher privs.

End of my story.

Not much point to this other than another way to beat the system and that if all else fails, do it again and succeed.

//Flash

[Edit] I also included the links so people can learn about how to find these errors in such admin systems. However, to stop skiddies from XSS'ing the shit out of it, I wildcarded the vital bits. Given on request from non-skiddies.

*Disabled smileys [/Edit]
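The reflected reqtype parameter from the post above, as an added example (this is not ePortal's code or the poster's): a toy handler that echoes the value unescaped, beside two fixes, output encoding and an allowlist. The handler, the allowlist contents and the reflection check are assumptions; the test URLs are built from the payloads quoted in the post.

```python
# Added example, not ePortal's code. Shows why a reflected parameter such as
# PortalServ?reqtype=... becomes XSS and how a defender closes it.
import html
from urllib.parse import urlsplit, unquote

# Assumed allowlist of request types the servlet actually handles.
KNOWN_REQTYPES = {"login", "logout", "register"}


def get_reqtype(url: str) -> str:
    """Pull the percent-decoded reqtype value out of a PortalServ-style URL."""
    for pair in urlsplit(url).query.split("&"):
        name, _, value = pair.partition("=")
        if name == "reqtype":
            return unquote(value)
    return ""


def render_vulnerable(reqtype: str) -> str:
    """Echoes the parameter into the page unchanged: reflected XSS."""
    return f"<p>Unknown request type: {reqtype}</p>"


def render_escaped(reqtype: str) -> str:
    """Fix 1, output encoding: the value is shown but can no longer be markup."""
    return f"<p>Unknown request type: {html.escape(reqtype, quote=True)}</p>"


def render_allowlisted(reqtype: str) -> str:
    """Fix 2, input validation: anything outside the known set is never reflected."""
    if reqtype not in KNOWN_REQTYPES:
        return "<p>Unknown request type.</p>"
    return f"<p>Handling {reqtype}</p>"


def is_reflected_unescaped(page: str, payload: str) -> bool:
    """Detection check: does the raw payload appear verbatim in the response?"""
    return payload in page


# Constructed test URLs using the payloads quoted in the thread.
SCRIPT_URL = "/eportal/PortalServ?reqtype=%20%3Cscript%3Ealert('XSS');%3C/script%3E"
IFRAME_URL = "/eportal/PortalServ?reqtype=%3Ciframe%20src=%22http://bbc.co.uk%22%3C/iframe%3E"

if __name__ == "__main__":
    for url in (SCRIPT_URL, IFRAME_URL):
        raw = get_reqtype(url)
        print("vulnerable :", is_reflected_unescaped(render_vulnerable(raw), raw))
        print("escaped    :", is_reflected_unescaped(render_escaped(raw), raw))
        print("allowlisted:", is_reflected_unescaped(render_allowlisted(raw), raw))
```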


spyware's Avatar
Banned
0 0

nice nice story. Learning from this stuff man.

For all the other 1337 users: Make your own thread for your story, don't post in here.

For flash: ;), nice job. 1337 skills man.


ghost's Avatar
0 0

Damn, if only I could find the upload path for my school's website. We can upload any file we want; I was thinking about uploading a .php and then executing it. Is there any way of finding the upload path?


ghost's Avatar
0 0

oo, nice finds, dude!

My Downfall: All things were good then when I logged in once I returned from my easter break I noticed my privileges were gone.

That's why I almost never disclose any exploits/vulnerabilities to some individuals or a group of them.

Did they detect your keylogger, or is it still pWn'ng them?


ghost's Avatar
0 0

Rofl, that kind of stuff happens to me all the time. My school will use a program and I usually can't refrain from trying to find exploits in it. In all but 1 case (f*cking GroupWise webmail), I'm successful… :p

Good to know there's others that can't seem to refrain, lol.


ghost's Avatar
0 0

@Netfish - I only used the keylogger for the single workstation that my teacher uses so I removed it once he had changed his password. It wasn't a very strong keylogger either, it didn't run on startup or anything special lol.

@mr_noob - Check the form properties or run a web crawler and look for an upload file. You could try uploading a webadmin and seeing what you get from that.

@nights_shadow - Yeah, I found something funny in the Visual C compiler. It's part of the Visual Studio collection. When you select a new project (Ctrl+N) you need to select where you save the project. I went back a few directories and found myself with access to every pupil's documents. Maybe check something like that. And that error is still there; I found it a few days ago, so it might take more time looking into it.

[Edit] I'll get a screenshot of it Friday (When I have computing next) so you can see what I'm talking about.

I'll update this post with it.


ghost's Avatar
0 0

Erm, how can I use a webadmin to find out the file if I can't execute files because I don't know where they're stored?


ghost's Avatar
0 0

I can't be bothered to PM you so I'll say here.

Before I said upload webadmin and see what you find, I said check the form properties and/or run a web crawler?

Read it properly.

[/mr noob]


ghost's Avatar
0 0

@nights_shadow - Yeah, I found something funny in the Visual C compiler. It's part of the Visual Studio collection. When you select a new project (Ctrl+N) you need to select where you save the project. I went back a few directories and found myself with access to every pupil's documents. Maybe check something like that. And that error is still there; I found it a few days ago, so it might take more time looking into it.

I used to be able to do that in Terminal Services. What kind of school do you go to that you have Visual C installed on the school computers? All we teach here is VB and the install is restricted to one room.

Day 10 - How to use if and else …..:|


ghost's Avatar
0 0

Ah, I thought that uploading a webmin was another possible way of finding out. Fair enough.


ghost's Avatar
0 0

@ mr_noob: No problem

@ nights_shadow: Haha, yeah I get that… I giggle every time my teacher uses the AND statement… it's such a bad habit to pick up for coding.

But yeah, we have Visual Studio installed for VB and Visual Java. We also have Turbo Pascal.

But unless you're doing the International Baccalaureate (IB), you don't get to touch anything better than VB.


richohealey's Avatar
Python Ninja
0 0

@nights_shadow:

If your admin uses the same naming scheme mine did,

try file://hermes

then search for ConsoleOne.

Once you've got that, google for Novell login commands. You'll be able to edit your login script, and from there can give yourself admin rights for the webmail. It's what I did.

catcha!


ghost's Avatar
0 0

richohealey wrote: @nights_shadow:

If your admin uses the same naming scheme mine did,

try file://hermes

then search for ConsoleOne.

Once you've got that, google for Novell login commands. You'll be able to edit your login script, and from there can give yourself admin rights for the webmail. It's what I did.

catcha!

Yeah, unfortunately file:// works now due to teachers complaining that they couldn't access their H: via the address bar. I've really no reason to do it locally; I'm working more towards a remote attack point.

I actually found ConsoleOne by accessing the network drive(s) through Novell Services. ;) This was all before file:// became enabled >.<


lukem_95's Avatar
Member
0 0

RM sucks, my school has it. They're also secure as shit, having an ex-hacker as head of IT :S

but if you create a word document you can create VB programs in the Tools>Macro>VB editor part…

Also, if you create a PowerPoint application you can hyperlink it to anything in C:/WINDOWS/system32/ or actually any program if you know the address (and they execute, as at my school .exe is banned).


ghost's Avatar
0 0

Funny thing, after reading this I decided I wanted to find another exploit in our school's software. After finding MULTIPLE XSS injections and some SQL stuff, I found an actually useful & fun exploit in "Safari Montage" that allowed me to post as a teacher, and when they click on it, it displays a little alert script saying how cool I am. B)


ghost's Avatar
0 0

My school's is rather secure; it was developed by a professional website team and it is a bit gay. Plus, everything's in .htmls or .cfms and it's all really secure.

On RM, I once found a vuln in their website client login, and was halfway through exploiting it before it was patched :(


ghost's Avatar
0 0

Okay, well, an update: got a bit further and duplicated my privileges to those of the server admin.

Now I can modify the whole RM system on each machine in the whole school. Here is the screen shot.

Also, as promised, my find with Visual C. Click here to see.

And I was mistaken before, it doesn't show every user but does those who are online. Still, can't complain!


spyware's Avatar
Banned
0 0

The Flash wrote: And I was mistaken before, it doesn't show every user but does those who are online. Still, can't complain!

Knew it xD, I can do that too, but when I open their dirs I'm getting nothing at all :X


ghost's Avatar
0 0

My RM system is controlled by VNC… there is no escape :( Apparently the main server has Unix on it :happy: