Exploiting: I Can Hack You, Part 3

Exploiting fits into two stages:

  • Finding the security hole (called scanning for exploits)
  • Using the security hole (called exploiting)

Scanning is easy. Pick a paysite and run through a list of URLs which might be interesting. You can download your own scanning program for free. You can do the same with other peoples’ URL lists. You’re supposed to then shorten your list to include only URLs that you personally know how to exploit. If you’ve noticed a bunch of weird off-the-wall URLs in your server logs from time to time, you’ve seen people scanning your site for exploits. You can safely ignore the scanning – unless they find something.

What they found, with the information necessary for its use, is called an exploit. Exploiters post lists of working exploits on the hackers’ boards, the same as crackers post lists of working passes, as a means of sharing information. At the same time as the sharks are using the passes, the other crackers are adding those passes to their John the Ripper word list.

Several billing company scripts require a secret keyword – and nothing else. If you have that keyword, you can add members or display the entire password file. If that script name is whatever.cgi (it isn’t!), exploiters know to check a paysite for /whatever.cgi, /cgi-bin/whatever.cgi, and so on.

Some exploiters check the join page to see if that billing company is being used or not. Some don’t bother, since checking the usual places takes a second or less, whereas actually “eyeballing” the join page takes longer.

Let’s suppose you have (1) found that whatever.cgi is there. You then found (2) the secret keyword, and (3) verified that the script is indeed exploitable (i.e., usable for your purposes). You then (4) harvested your own copy of the password file.

What’s next? You have several options. (Remember, my purpose here is to explain what hackers do, so you can better understand how to keep them from doing it.) You can:

  • Keep the information to yourself. You can crack the password file and post the results for the sharks to enjoy. You may choose to limit your posting to the “special” area. Or, if you have enough cracked, you might split your results between the “special” and regular areas.
  • Keep the exploit to yourself, but post the contents of the password file for others to crack and use. You’re a hero for having found it, and you’re not giving away your secrets by telling how you found it. You can use that trick to find other files on other servers without other exploiters stepping on your toes.
  • Post the exploit, not bothering to personally harvest the password file. You’re a hero for posting the exploit, and you don’t get any heat for getting caught. The other exploiters, in effect, become the sharks.

You might even pop in and enjoy the site. Most exploiters, though, seem to be too busy feeding the sharks.

Spoofs and Back Doors

Many sites use referrer-based validation. You get to visit the protected area if and only if you came from an authorized location. Since you needed a password to get to that authorized location, we assume everything is proper.

The most common referrer-based validation is with AVS sites, and with paysite plug-ins. The surfer enters his password on the AVS’s server, and then proceeds from the AVS server to the AVS site’s members area. Since we know the surfer came from the AVS server, we know he’s authorized.

Third-party paysite plug-ins such as live video feeds often work the same way. So long as the member came from an authorized members area, he’s allowed inside the video feed area.

There’s an exploitable weakness in this system: we don’t actually know where the surfer came from. It’s the surfer’s own browser that announces the referring URL, and the server does not verify that information. All the hacker needs to do is supply the appropriate referring URL, and he’s in. He’s spoofing his credentials.
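The weak check described above beside one way to fix it, as an added example that is not code from the original article: instead of trusting the Referer header, the AVS or billing server issues a signed, time-limited handoff token after it has checked the password, and the plug-in verifies that token with a shared secret. The host name, secret, token format and lifetime are assumptions for illustration, not anything the page specifies.

```python
import hmac
import hashlib
import time
from urllib.parse import urlparse

# Constructed values for the example (hypothetical AVS host and shared key).
AUTHORIZED_REFERRER_HOST = "avs.example"
HANDOFF_SECRET = b"shared-secret-between-avs-and-plugin"
TOKEN_TTL_SECONDS = 300


def referrer_allowed(headers):
    """The referrer-based check the article describes.
    The Referer header is set by the client, so this only tells us where
    the browser *claims* it came from; the server cannot verify it."""
    ref = headers.get("Referer", "")
    return urlparse(ref).hostname == AUTHORIZED_REFERRER_HOST


def issue_handoff_token(member_id, now=None):
    """Done by the AVS/billing server after the password has been checked.
    The token carries an expiry and an HMAC over (member_id, expiry) made
    with a key the surfer never sees, so it cannot be forged or extended."""
    now = int(now if now is not None else time.time())
    payload = f"{member_id}:{now + TOKEN_TTL_SECONDS}"
    sig = hmac.new(HANDOFF_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{sig}"


def token_allowed(token, now=None):
    """Hardened check done by the plug-in: verify signature, then expiry.
    Returns the member id on success and None on any failure."""
    now = int(now if now is not None else time.time())
    try:
        member_id, expires, sig = token.rsplit(":", 2)
    except ValueError:
        return None  # malformed token
    payload = f"{member_id}:{expires}"
    expected = hmac.new(HANDOFF_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None  # tampered or not issued by the AVS server
    if int(expires) < now:
        return None  # expired: a captured token cannot be reused later
    return member_id
```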

Some paysites have “hidden” URLs. If you know where it is, you must be authorized! Once the back door is found, it will be posted, and suddenly your site becomes extremely popular. This technique works quite well for AVS sites which don’t have referrer-based (.htaccess) protection.