Recently i was performing a black box test of a web application. After initial reconnaissance i found nothing interesting. Basicly it was just a login screen... so i started WebScarab and sent some random credentials.
This is what i saw:
|RPC Call authenticating user|
python gwtenum.py -u "https://example.com/xx.nocache.js"As a result we get 50 methods like:
DataService.ChangePass( java.lang.String/2004016611, ... ) * DataService.DeleteUser( java.lang.String/2004016611 ) DataService.addUser( ... ) * DataService.getFirms( )*Dots indicate longer list of paremeters. Now it got intersting... What we can do with this knowlegde? As seen on the first screenshot CheckUser() method was called. We can try to call methods from the list. If the application does not handle permissions correctly we will succeed. Our best wish is addUser() method - because we want to get in. First problem that appears is that we don't know the parameter order, in methods like DeleteUser() or getFirms() it's rather trivial, but addUser() takes 6 parameters - all string type.
Let's start with something easy, like calling getFirms(), as we don't wan't to delete users from client productive system :). We start intercepting request again using WebScarab and transform CheckUser call into getFirms().
|Results of getFirms() call - success !|
We changed the parameters of the rpc call (explained in the article linked earlier) so it would not throw an exception and voila!
So, it's possible to call methods unauthorized - what about addUser() ? Since all parameters are strings let's just fill them out with the word 'pentest'.
|Successful login with user/pass "pentest"!|
We managed to create a user remotely on the sytem and were able to log in!