Cryptanalyst » Net of Lies

MTN, Irancell or Huawei? (II)


So, we are still at the hotspot. Let’s find out more about it! First of all I checked the HTTP Server header on port 80; here it is:

[mahrud@eve ~]$ nc -vv 172.23.130.41 80
Connection to 172.23.130.41 80 port [tcp/www] succeeded!
GET / HTTP/1.1
HOST: 172.23.130.41

HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 08:00:00 CST
Location: https://172.23.130.41:8443/
Content-Length: 0
Date: Tue, 24 Aug 2010 05:37:16 GMT

The Server header, Apache-Coyote/1.1, tells us this is an Apache Tomcat server (Coyote is Tomcat’s HTTP connector). The Location header redirects the browser to https://172.23.130.41:8443/. So I went there too :-) It behaved just like port 80, except that it first redirected me to /portal/, then set a JSESSIONID cookie, and then redirected to /portal/default.portal.

There are still a few things to look at. Is there an administration panel on the portal? I’d think it doesn’t need one, but it has one! Here it is!

iSAP Admin Console

The strange thing is that the default password works! (see update) They didn’t even change the default password! :-D (We’ll see this problem many times in future posts! ;-)) Do you know what the hell iSAP is? Perhaps Integrated Server Application Platform, but I’m not sure.

Let’s google “iSAP admin console”; the only result is this, and again with the default password! That server belongs to MTN’s Conference Call service.

This is what I call a `Net of Lies`! They don’t secure your net; you should do it yourself! You can travel across the net through the routers to find other lies. Anyway … ;-)

Before logging into the panel, take a closer look at the login page … there is copyright information in the footer, but the copyright year predates the launch of Irancell’s WiMAX service! We can also see Huawei’s logo, but no sign of Irancell. The point I want to focus on is the small button that changes the language! Click it and you’ll see that, in addition to the language, the URL changes:

https://172.23.130.41:8443/admin/changelanguage.do?language=zh

So, what if we change ‘zh’ to ‘abcd’? Hmm … nothing appears :-( But wait! Take a closer look at the HTML source! There are two changes in the source, one at line 9:

<html lang="abcd">

and the other one, in line 74:

<a href="changelanguage.do?language=abcd"><img border="0" src="images/chinese.gif"></a>

Is it vulnerable to XSS or not? Let me check … :-D It’s vulnerable! Here is the PoC:

https://172.23.130.41:8443/admin/changelanguage.do?language=a%22%3E%3C/a%3E%3Cscript%3Ealert%280%29%3C/script%3E

URL-decoded, the parameter value is a"></a><script>alert(0)</script>: the quote and the angle bracket close the href attribute and the anchor tag, and the script element that follows is rendered as markup instead of as text, because the value is reflected without any HTML encoding.

But what use is it? We already have the default password! Laugh out loud! ;-)
TODO: get inside the admin panel, and then work on the internal network!
UPD: A friend of mine (who also uses WiMAX) has changed the default password. Perhaps I should have done this to prevent damage. If you are a representative of Irancell you can contact me using the email provided in the sidebar.
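As an added example (this is not code from the original post, nor Huawei’s or iSAP’s own code), here is a small Python model of the reflection described above: the `language` parameter is echoed into `<html lang="...">` and into the href of the language-switch link without encoding. The template is constructed from the two HTML fragments quoted in the post; the real server-side handler behind changelanguage.do is unknown, and the set of supported languages (`en`, `zh`) is an assumption. The block decodes the PoC URL the way the servlet would see it, shows the vulnerable rendering next to two fixes (output encoding alone, and an allowlist plus encoding), and includes the probe check a tester runs before trying a real payload.

```python
"""Added example, not code from the original post or from Huawei/iSAP.

Models the ``language`` reflection found in changelanguage.do: the value
is echoed into <html lang="..."> and into the href of the language-switch
link with no escaping.  TEMPLATE is constructed from the two fragments
quoted in the post; the real server-side code is unknown, and the set of
supported languages is an assumption.
"""
import html
from urllib.parse import parse_qs, urlparse

# Constructed template: the two reflection points quoted in the post.
TEMPLATE = (
    '<html lang="{lang}">\n'
    '<a href="changelanguage.do?language={lang}">'
    '<img border="0" src="images/chinese.gif"></a>\n'
    '</html>\n'
)

# The PoC URL from the post (payload percent-encoded, as a browser sends it).
POC_URL = (
    "https://172.23.130.41:8443/admin/changelanguage.do"
    "?language=a%22%3E%3C/a%3E%3Cscript%3Ealert%280%29%3C/script%3E"
)

# Assumption: the console only offers the two languages seen on the page.
SUPPORTED_LANGUAGES = {"en", "zh"}
DEFAULT_LANGUAGE = "en"


def language_from_url(url: str) -> str:
    """Return the percent-decoded ``language`` parameter, i.e. the string
    the servlet actually receives."""
    params = parse_qs(urlparse(url).query, keep_blank_values=True)
    return params.get("language", [""])[0]


def render_vulnerable(lang: str) -> str:
    """Reflect the parameter verbatim, as the post's observations imply."""
    return TEMPLATE.format(lang=lang)


def render_escaped(lang: str) -> str:
    """Output encoding only: html.escape turns " < > into entities, so the
    value can no longer break out of the attribute."""
    return TEMPLATE.format(lang=html.escape(lang, quote=True))


def render_hardened(lang: str) -> str:
    """Allowlist plus encoding: a language code is a closed set, so reject
    anything else and fall back to the default instead of echoing it."""
    if lang not in SUPPORTED_LANGUAGES:
        lang = DEFAULT_LANGUAGE
    return TEMPLATE.format(lang=html.escape(lang, quote=True))


def reflected_unescaped(page: str, probe: str) -> bool:
    """The tester's check from the post: does a probe containing " and <
    come back byte-for-byte?  If so, the parameter is reflected without
    encoding and worth a real payload."""
    return probe in page


def script_injected(page: str) -> bool:
    """Did the PoC's script element land in the markup?"""
    return "<script>alert(0)</script>" in page


if __name__ == "__main__":
    payload = language_from_url(POC_URL)
    print("decoded payload:", payload)
    for name, render in (("vulnerable", render_vulnerable),
                         ("escaped", render_escaped),
                         ("hardened", render_hardened)):
        print(f"{name:10s} script injected: {script_injected(render(payload))}")
```

Encoding alone is enough to stop this particular payload, but the allowlist is the better fix for a language switch: the value is only ever used to pick one of a handful of resource bundles, so there is no reason to let arbitrary attacker input reach the page at all.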

