Thursday, July 4, 2013

Software Analysis/Cracking/Testing: its tricks and stupidity [part 2]

Well, continuing from part 1, where we had found a bypass for extending/resetting the RPOSS we were analysing... so even though a cracked piece of software barely needs to be 100% clean, its reset consisted of rewriting a file continuously, so I modified the file to be write-only and voilà...
What do you know, it still works... What I am simply saying is that the software was not going to work as they expected, hence a security breach... (but we didn't hack it... ??? ) Did we...?

SIMS: oh dear. So we start by decompiling it. Given that when we overdated* and backdated* it there was hardly a change, it means that it locks from inside itself rather than from outside (at the operating-system level). OK, so the assessment starts. For me, I always start with the easy things first (this is what all hackers would definitely go for, and even noobs will spot). And what is the easy thing? Decompilation? Well, maybe. In this case it is much easier, seeing that .NET Reflector decompiles the code to Visual C#, so it is not hard code as in the case of ASM.

So here goes nothing: after a small decompilation of the form that handles activation, something catches my eye very quickly. We have a reference to the database in that form. Why would we have that?? Moving in on the clue, I head to the database, which is MySQL, and check for a few notables. We have normal tables (db users, students, teachers, blah blah blah)... we have config tables. VOILA... configurations :) Well, in config (configurations) what do we have? We have something named module, active and dateof_activation. Hmmmm, see a pattern here? We have module (this would be one of the modules that we installed from the SIMS, i.e. examination module, finance module, school record module, blah blah blah). Checking on each, I note all of them have the following information:

module      active    dateof_activation
module1     false     12/3/13

(OK, this is not the correct date format for MySQL, but it is a 10-day advance from the day I forwarded it.)

This goes on for all the modules... so I edit the data fields and change active to true, restart my application and voilà!!! No error messages or warnings...
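The developer-side fix for a table like this, as an added example that is not code from the post or from the SIMS vendor: treat each activation row as untrusted input and verify a keyed tag over its fields before honouring the active flag, so a row edited directly in the database fails closed. The module names, dates and vendor key are constructed for the example, and it is written in Python rather than the application's C#; the technique is the same.

```python
import hashlib
import hmac
import json

# Constructed rows modelled on the config table described in the post: one
# row per module with an "active" flag and an activation date (values made up).
ACTIVATION_ROWS = [
    {"module": "examination", "active": False, "dateof_activation": "2013-03-12"},
    {"module": "finance", "active": True, "dateof_activation": "2013-03-12"},
]

# Hypothetical vendor key. It must not live in the same editable database
# (or the same decompilable assembly) as the rows it protects.
VENDOR_KEY = b"example-vendor-key-not-for-production"
FIELDS = ("module", "active", "dateof_activation")

def canonical(row):
    """Canonical bytes of the protected fields, so editing any of them
    (name, flag or date) changes what the tag covers."""
    return json.dumps({k: row[k] for k in FIELDS}, sort_keys=True,
                      separators=(",", ":")).encode()

def sign_row(row, key=VENDOR_KEY):
    """Return a copy of the row carrying an HMAC-SHA256 tag over FIELDS."""
    tag = hmac.new(key, canonical(row), hashlib.sha256).hexdigest()
    return dict(row, tag=tag)

def verify_row(row, key=VENDOR_KEY):
    """True only if the stored tag matches a freshly computed one."""
    expected = hmac.new(key, canonical(row), hashlib.sha256).hexdigest()
    # compare_digest keeps the comparison constant-time.
    return hmac.compare_digest(str(row.get("tag", "")), expected)

def is_module_active(row, key=VENDOR_KEY):
    """Fail closed: a missing or mismatching tag means inactive, whatever
    the plain 'active' column says."""
    return verify_row(row, key) and row["active"] is True

def demo():
    signed = [sign_row(r) for r in ACTIVATION_ROWS]
    # The edit described in the post: flip active to true directly in the table.
    tampered = dict(signed[0], active=True)
    return {
        "genuine_inactive": is_module_active(signed[0]),  # False
        "genuine_active": is_module_active(signed[1]),    # True
        "tampered": is_module_active(tampered),           # False: tag mismatch
    }
```

With a symmetric HMAC the key still has to be kept out of the database and out of the decompilable assembly; a vendor-held private key with only the public key shipped (an asymmetric signature over the same canonical bytes) removes that dependency.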

I would expose more if not for the lengthy subject, as I said, of embarrassing lazy developers... from this part on to SQL injections on the application allowing me to add users via various form fields... in any case, I go back to the teachers...

Is it possible for you (lecturers/teachers, consultants) to add some security information class when teaching developers about all this? If not... our applications are as dangerous as letting a wolf lead sheep... not that it would be better if it was vice versa :)

CIAO, happy hunting.
