A Short Rambling/Introduction
You know, web hacking is a very different game than traditional "own-the-box" hacking. Instead of taking control of a target system, you usually try to exploit some flaw in the site's design to get information. Credit card info, Social Security Numbers, breast sizes, they're all fair game once someone types them into a form. The most publicized attacks of late have frequently been SQL injection (injecting SQL commands into a poorly written form that doesn't parse user input).
The Discovery - or, "Oreo's and Inputs mix well"
Note: I will not be mentioning the REAL names of any involved parties, for their protection.
This story begins as any great one does: It was late and I had sugar. Well, while surfing along the great flood of packets we all know and love, I stumbled upon the webpage for a conference company. I'm sure you've seen them before. This is the kind of business that will put together a convention or conference, and then have you pay a registration fee either in advance or at the door (think DEFCON, DallasCon, SummerCon, or any other *Con). Well, this particular company was hosting some pretty cool sounding conferences coming up in a few months. So, a little curious, I drifted over to the "Registration" page. Scrolling down, I see the "Early Registration" price. $20? $50? $100? Nope. $950. Ouch! Well, the conference looked good, but not $950 good.
Being curious, bored, and a little hyper, I decided to keep looking around. Oddly enough, I found a little "Payment Services by VeriSign" banner across multiple pages. Hmm... Well, the cream filling was starting to work its way into my bloodstream, so I check the source of the Registration page. I scrolled down, and I find a few interesting tags:
<FORM action="https://payments.verisign.com/payflowlink" method="post" target="_blank"> <INPUT type="hidden" value="jblow" name="LOGIN"> <INPUT type="hidden" value="Verisign" name="PARTNER"> <INPUT type="hidden" value="950.00" name="AMOUNT"> <INPUT type="hidden" value="S" name="TYPE"> <INPUT type="hidden" value="SecurTek.Conference" name="DESCRIPTION"> <INPUT type="submit" value="Early Registration"> </FORM>
The Exploit - or, "4.99-finger-discount"
Now, in case you have yet to realize it, my goal at this point isn't to steal card numbers or email addresses, I just want to go to this conference. Looking at the above HTML, I see one line that stands out most:
<INPUT type="hidden" value="950.00" name="AMOUNT">
Hmm... it seems that the payment engine gets all the price and event information right from this page. Well, looks like this is gonna be a quickie.
First things first: I need to figure out what number form this is on the page, so I can change it. Easy enough: I whip open the source and just count the number of <FORM> tags I see before this one. (Note: The first <FORM> is number 0, not 1. Keep that in mind, or it will be Hell.) O.K., cool, this is form number 1 (actually the second one).
Next step: Make sure that I have the right form. To the address bar Batman! I bang out a quick:
into the address bar in Firefox (IE users, no worries, this will work on Internet Exploder as well).
Now, let me break down what I just did.
When I press Enter, this little snippet of code causes an alert box to pop-up displaying 950.00. Sweet.
Forget the foreplay. It's time to hack. Now that I'm sure that I'm dealing with the right info, I make my move. I just plug:
into the address bar and hit Enter.
So, just to be safe, I drop our good friend:
back in, and he just says 1.00.
The final step in our dirty little dance: Now that the value for AMOUNT has been changed from $950 to $1, I think I can finally afford that conference. Let's see if my sugar induced orgy of code was worth it. I click the button. And to my absolute joy, I see a page asking me to enter my credit card information, as well as name, address, etc. The sweet part is that this page is asking me to authorize a charge of $1 to my card for this event. Needless to say, if you have come up with a root dance over the years, this is when you do it.
Conclusion - or, "Pull the needle out of your box, the injection's done"
I'm sure that anyone can find a practicality flaw in this particular application, but that's not the point. While getting a 99.89% discount is a sweet deal, what I hope you got out of this article is a basic understanding of a technique that, sadly, isn't so common anymore today. Don't get me wrong. I love SQL, PHP, and I get giddy every time I get my hands on a new 0-day, but sometimes the easiest route is the simplest. I hope you learned something that you can use, or at least think about. Enjoy and keep learning! I need sleep. Have a nice day.
Props to A. Witt for showing me the way to make formatting not die in wikis!