
Target: https://cyber-tel.ru

Location: Ivanovo, Russia

Company name: Kiber Telekom

IP Address: 87.236.16.73

____________________________________________________________________________________
______________________________________________________________________________

// Whois Lookup //

Domain: cyber-tel.ru
Registrar: BEGET-RU
Registered On: 2021-11-16
Expires On: 2023-11-16
Name Servers: dns1.yandex.net. ;; dns2.yandex.net.
Organization: Kiber-Telekom, LLC

// End of Whois Lookup //

____________________________________________________________________________________
______________________________________________________________________________

// Manual Information Gathering & Recon //

IP Address: 87.236.16.73

HTTPServer[nginx-reuseport/1.21.1]
Site running PHP version 7.4.33
Site running Wordpress version 5.7.2

Emails discovered from basic scans: Scyber@yandex.ru & f1@cyber-tel.ru

The site seems to be behind a WAF or some sort of security solution.


Reason: The server returns a different response code when an attack string is used.
Normal response code is "200", while the response code to an SQL injection attack is "405", meaning Method Not Allowed.
The server must generate an Allow header field in a 405 status code response.

____________________________________________________________________________________
______________________________________________________________________________

// Server running //

Apache/2.4.55 (Unix) Server at 87.236.16.73 Port 80

// End of Server data //

* When hunting for directories, server mostly returns code 301 Moved Permanently and then 302 Forbidden (You don't have permission to access this resource.) **

* Anyways here are all the directories I found (status codes 200 and 301/302) **
____________________________________________________________________________________
______________________________________________________________________________

// Directory Enumeration on IP Address 87.236.16.73 //

Status code: Method: Dir:

200 GET http://87.236.16.73/admin


200 GET http://87.236.16.73/wp-admin
200 GET http://87.236.16.73/administrator
200 GET http://87.236.16.73/
301 GET http://87.236.16.73/phpMyAdmin/
301 GET http://87.236.16.73/phpMyAdmin/js/
301 GET http://87.236.16.73/phpMyAdmin/libraries/
301 GET http://87.236.16.73/phpMyAdmin/themes/
301 GET http://87.236.16.73/phpMyAdmin/templates/
301 GET http://87.236.16.73/phpMyAdmin/templates/test/
301 GET http://87.236.16.73/phpMyAdmin/templates/components/
301 GET http://87.236.16.73/phpMyAdmin/templates/login/
301 GET http://87.236.16.73/phpMyAdmin/doc/
301 GET http://87.236.16.73/phpMyAdmin/templates/config/
301 GET http://87.236.16.73/phpMyAdmin/templates/error/
301 GET http://87.236.16.73/phpMyAdmin/templates/database/
301 GET http://87.236.16.73/phpMyAdmin/libraries/classes/
301 GET http://87.236.16.73/phpMyAdmin/templates/javascript/
301 GET http://87.236.16.73/phpMyAdmin/templates/display/
301 GET http://87.236.16.73/phpMyAdmin/templates/export/
301 GET http://87.236.16.73/phpMyAdmin/sql/
301 GET http://87.236.16.73/phpMyAdmin/templates/database/search/
301 GET http://87.236.16.73/phpMyAdmin/doc/images/
301 GET http://87.236.16.73/phpMyAdmin/locale/
301 GET http://87.236.16.73/phpMyAdmin/locale/ru/
301 GET http://87.236.16.73/phpMyAdmin/vendor/
301 GET http://87.236.16.73/phpMyAdmin/vendor/bin/

// End of Directory Enumeration //

____________________________________________________________________________________
______________________________________________________________________________

* robots.txt is empty on IP Address 87.236.16.73 ** BUT // robots.txt on https://cyber-tel.ru/ has these:

User-agent: *
Disallow: /wp-admin
Disallow: /wp-includes
Disallow: */cabinet/*
Disallow: /wp-json/*
Disallow: /check-address-connect
Disallow: /navigaciya/
Disallow: /category/без-рубрики/
Disallow: /category/без-рубрики/page/2/
Disallow: /без-рубрики/тарифы-и-карточки/
Allow: /wp-admin/admin-ajax.php

Sitemap: http://cyber-tel.ru/sitemap.xml

Host: https://cyber-tel.ru/

// End of robots.txt contents //

* File enumeration was cancelled because of too many errors and to avoid sending too many packets **

____________________________________________________________________________________
______________________________________________________________________________

* After examining their sitemap.xml, I found a subdomain called lk which is their portal for Personal Account (Личный кабинет >> translated from Russian) ***

// Personal Account login page URL: https://lk.cyber-tel.ru/

____________________________________________________________________________________
______________________________________________________________________________

// Subdomain Enumeration //

Found: info.cyber-tel.ru (Status: 200) <<< IP Address: 87.236.16.112 <<< Can't access this URL through browser, maybe there's something wrong with my TOR service...
Found: lk.cyber-tel.ru (Status: 200) <<< IP Address: 37.18.26.159 <<< Packet loss is 100% when pinged (maybe they've disabled ICMP)

// End of Subdomain Enumeration //

____________________________________________________________________________________
______________________________________________________________________________

// Censys data for cyber-tel.ru original IP: 87.236.16.73 //

Open ports: 21(ftp), 22(ssh), 80(http), 443(https), 3306(mysql)


Ports 21 & 22 probably belong to LTD BeGet since the banner of port 21(ftp) says "220 Welcome
to LTD BeGet FTP Server 'venom'"
Port 22 running: OpenBSD OpenSSH 9.2

// End of Censys data for cyber-tel.ru //

____________________________________________________________________________________
______________________________________________________________________________

*** Moving forward, let's see what Wordpress has to offer :) ***

// Wordpress //

wp-cron.php enabled and available on https://cyber-tel.ru/wp-cron.php but empty

*** WordPress version 5.7.2 identified (Insecure, released on 2021-05-12) ***
*** WordPress theme in use: cyberTelecom__2018 ***
// Wordpress Plugins Identified:

* lazy-load-optimizer // (version 1.4.6) <<< outdated <<< latest version is 1.4.7

* wordpress-seo-premium // (version 14.7) <<< outdated <<< latest version is 19.3

// End of Wordpress Plugin Info //

* Possible exploit found regarding Wordpress version (UNAUTHENTICATED)*** // Details:

# Exploit Title: WordPress Core 5.8.2 - 'WP_Query' SQL Injection
# Date: 11/01/2022
# Exploit Author: Aryan Chehreghani
# Vendor Homepage: https://wordpress.org
# Software Link: https://wordpress.org/download/releases
# Version: < 5.8.3
# Tested on: Windows 10
# CVE : CVE-2022-21661

# [ VULNERABILITY DETAILS ] :

# This vulnerability allows remote attackers to disclose sensitive information on affected installations of WordPress Core,
# Authentication is not required to exploit this vulnerability, The specific flaw exists within the WP_Query class,
# The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries,
# An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise.

# [ Sample Request ] :

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: localhost
Upgrade-Insecure_Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.99
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
Sec-Fetch-User: ?1

____________________________________________________________________________________
______________________________________________________________________________

*** There is an admin user on https://cyber-tel.ru/wp-login.php ***

*** Didn't proceed with brute-forcing or dictionary attack, just not to trigger any alarms so early ***

But, regarding an exploit here's some stuff I found:


WP < 6.0.3 - SQLi in WP_Date_Query

https://www.rapid7.com/db/vulnerabilities/debian-cve-2022-21664/

https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-jp3p-gw8h-6x86

*** These could lead to confidential information disclosure ***

General overview of all vulnerabilities regarding version 5.7.2: https://wpscan.com/wordpress/572

____________________________________________________________________________________
___________________________

* Tested some parameters for SQL injection, but no luck. SQLmap can't do much as well, at least on my side. ***

# Please get onto this as soon as possible, you might find something that I couldn't. Let's do this! //
