I’m back with a new post and a new discovery. As I’m a Mobilis GSM subscriber I thought about registering to their online invoice system, I took the steps and I have been provided with access to my account online .
EXPLORING THE WONDERLAND :
When you first login you get this page :
You can do some things from here, like viewing/downloading your invoices and canceling the online account, we are mainly interested in the invoices as they contain all information about the target in order to help conduct further attacks on him/her
I hooked up burp suite proxy to the browser and I logged in, I was amazed about what I was seeing 😮 …. this is happening upon login :
Isn’t that a session initializer ? : /servlet/InitSessionExt?USER=”account_id”&ACCESS=1&INVOICE=”invoice_id”
The “account_id” can be brute forced as it a sequence number, but how can we get the “invoice_id” for the target account if we don’t have access yet ? .. remember the Graph we saw previously ? well it could be our entry point as it reveals all invoices ids for a particular account .
With fingers crossed I tried to pass a “random” 😉 account_id
wow !! I got all invoices numbers associated to that account 😀
And now that I have everything I can pass those paramerters to the “InitSessionExt” using Burp repeater and see if it initilize the session without a password required,
YES ! I’m in (y)
A malicious attacker can then use those information to social engineer the help desk guys into doing things to the account like suspending it, I’ll let you work the machine and think about other potential scenarios 🙂
VIDEO POC :