About a month ago I decided to audit Cambridge University. I was hoping to find some webapp vulnerabilities which I could then report to get a bounty of some kind. I did a very basic audit, testing for Cross Site Scripting (XSS), Local File Inclusion (LFI) and some other vulnerabilities such as SQL Injection (SQLi). What I discovered at such a reputable University is crazy, and the fact that they won’t even respond to emails clearly implies they do not care whatsoever.
The first page I tested for XSS was their library page at http://www.lib.cam.ac.uk/
Yes, you guessed it. Vulnerable.
PoC:
The second page I tested was http://webapps.fitzmuseum.cam.ac.uk
…and of course, XSS yet again.
Here’s my openbugbounty submission report: https://www.openbugbounty.org/reports/280729/
PoC:
I also looked for other things like their robots.txt file which can be found at http://www.lib.cam.ac.uk/robots.txt
I decided to stop looking for XSS on Cambridge as the site is just littered with them. There isn’t much more to do with them either, as they are non-persistent (reflected), but that doesn’t mean they shouldn’t be patched.
So to sum up the rest of this post…
OK, now let’s get straight to the more serious vulnerabilities, which they should most definitely have patched by now; unfortunately they can’t even respond to emails. As stated previously, they also don’t seem to care at all.
I will, however, post proof that these vulnerabilities can be exploited and that they are very SERIOUS.
The first SQLi vulnerability appears to be error based:
From testing, the vulnerable query appears to return 20 columns:
The attacker can now find the vulnerable (displayed) columns and continue exploiting to get the database and table names, then extract the data from them.
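As an added defender-side example (not code from the original post), here is a Python check that spots the column-count enumeration described above (ORDER BY n walks followed by a UNION SELECT with the matching number of columns) in Apache access logs; the log lines, client IPs and the /search.php path are constructed for the demo.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed Apache access-log sample (not from the original post): one client walks
# ORDER BY 19/20/21 and then sends a UNION SELECT with 20 NULLs; a second client is benign.
def _line(ip, target, status):
    return f'{ip} - - [10/Oct/2016:13:55:36 +0000] "GET {target} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'
UNION_PAYLOAD = "-1%27%20UNION%20SELECT%20" + ",".join(["NULL"] * 20) + "--%20-"
SAMPLE_LOG = "\n".join([
    _line("203.0.113.5", "/search.php?id=1", 200),
    _line("203.0.113.5", "/search.php?id=1%27%20ORDER%20BY%2019--%20-", 200),
    _line("203.0.113.5", "/search.php?id=1%27%20ORDER%20BY%2020--%20-", 200),
    _line("203.0.113.5", "/search.php?id=1%27%20ORDER%20BY%2021--%20-", 500),  # DB error surfaced
    _line("203.0.113.5", "/search.php?id=" + UNION_PAYLOAD, 200),
    _line("198.51.100.7", "/search.php?id=2", 200),
])

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')
ORDER_BY_RE = re.compile(r"\border\s+by\s+(\d+)", re.I)
UNION_RE = re.compile(r"\bunion\s+(?:all\s+)?select\s+(.+?)(?:--|#|$)", re.I | re.S)

def probe_signature(target):
    """Classify one request target as ('order_by', n), ('union', n) or None."""
    for _, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        m = ORDER_BY_RE.search(value)  # parse_qsl already URL-decodes the value
        if m:
            return ("order_by", int(m.group(1)))
        m = UNION_RE.search(value)
        if m:  # one comma-separated entry per selected column
            return ("union", len(m.group(1).split(",")))
    return None

def enumeration_report(log_text, min_probes=3):
    """Group probes per client IP and flag clients walking several column counts."""
    probes = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and (sig := probe_signature(m.group("target"))):
            probes[m.group("ip")].append((*sig, int(m.group("status"))))
    report = {}
    for ip, hits in probes.items():
        counts = sorted({n for _, n, _ in hits})
        union_cols = [n for kind, n, _ in hits if kind == "union"]
        report[ip] = {"probes": len(hits), "column_counts_tried": counts,
                      "union_column_count": max(union_cols, default=None),
                      "db_errors": sum(s >= 500 for _, _, s in hits),
                      "suspicious": len(hits) >= min_probes}
    return report
```

A 5xx on the ORDER BY 21 request beside 200s on 19 and 20 is the tell-tale of the error-based case the post describes: the application hands the database error straight back to the client.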
Web server operating system: Linux Debian 8.0 (jessie)
Web server: Apache 2.4.10
Database: MySQL >= 5.0
Available databases [6]:
[*] generate
[*] images
[*] information_schema
[*] mysql
[*] performance_schema
[*] test
Database: mysql
[24 tables]
And here is the data extracted from the user table in the [mysql] database. I decided to format it using Excel:
Data can be extracted from any of those databases. If a malicious attacker were to extract info from a different table within the database, they could get students’ private information, staff data and even private research material stored in the MySQL database.
I will now move on to the second SQLi vulnerability. This one is on the admin sub-domain of Cambridge; it has one database and over 400 tables.
Database: *
[424 tables]
I don’t really want to drag this on so I will move straight onto the last SQLi Vulnerability:
And yes, again, this can be exploited.
Database: information_schema
[40 tables]
So the message here is simple: get your sh*t patched and stop compromising student/staff data!
I wrote this up pretty quickly and only decided to include database names and tables, as I don’t want to compromise Cambridge any more than they already are.
Hope you enjoyed this lil writeup :)
I think what you published was very logical.
But, consider this, what if you were to create an awesome headline?
I ain’t saying your information is not good, but suppose you added a
headline that grabbed a person’s attention? I mean “Cambridge University and their
glaring vulnerabilities they refuse to patch” is a little
plain. You might glance at Yahoo’s home page and see how they create
article headlines to grab viewers to click.
You might try adding a video or a pic or two to get people excited about everything you’ve got to say.
Just my opinion, it might make your posts a little bit more interesting.
Appreciate the feedback, completely understand what you’re getting at I’ll work on better headlines 🙂
I know this is off topic but I’m looking into starting
my own weblog and was curious what all is required to get setup?
I’m assuming having a blog like yours would cost a pretty penny?
I’m not very internet savvy so I’m not 100% positive.
Any recommendations or advice would be greatly appreciated.
Thanks
Drop me an email admin@syntexsecurity.co.uk or drop me a DM on twitter https://twitter.com/eulo_apt and I’ll be happy to get you started.
Greetings from Ohio! I’m bored to death at work
so I decided to check out your blog on my iphone during lunch break.
I love the info you present here and can’t wait to take a look when I get home.
I’m shocked at how quick your blog loaded on my cell
phone .. I’m not even using WIFI, just 3G
.. Anyhow, awesome blog!
Bigup ohio! Thanks for checking out the blog, glad you enjoyed the read 🙂
Keep on working, great job!
Good information. Lucky me I came across your blog by chance (stumbleupon).
I’ve book-marked it for later!
❤❤❤
Wonderful blog! I found it while browsing on Yahoo News.
Do you have any suggestions on how to get listed in Yahoo News?
I’ve been trying for a while but I never
seem to get there! Appreciate it
I like the helpful info you provide in your articles.
I will bookmark your weblog and check again here regularly.
I’m quite certain I will learn a lot of new stuff right
here! Best of luck for the next!
I really like your blog.. very nice colors & theme. Did you design this website yourself
or did you hire someone to do it for you? Plz reply as I’m
looking to design my own blog and would like to know where
u got this from. cheers
Wonderful goods from you, man. I’ve understand your stuff previous to and you are just extremely fantastic.
I actually like what you have acquired here, certainly like what you’re
stating and the way in which you say it. You make it entertaining and you still
take care of to keep it smart. I cant wait to read much more from you.
This is really a wonderful site.
Pretty section of content. I just stumbled upon your website and in accession capital to assert that I get actually enjoyed account
your blog posts. Anyway I will be subscribing to your augment and even I
achievement you access consistently rapidly.
Hi it’s me, I am also visiting this web site on a regular basis, this web site is in fact nice and the users are really sharing good
thoughts.
A motivating discussion is worth comment. There’s no doubt
that that you ought to publish more about this topic, it may
not be a taboo subject but usually people don’t speak about such issues.
To the next! All the best!!
Great weblog right here! Additionally your website a lot up fast!
What host are you the usage of? Can I am getting your affiliate hyperlink in your
host? I wish my site loaded up as fast as yours lol
Please let me know if you’re looking for an article author for your weblog.
You have some really great articles and I
think I would be a good asset. If you ever want to
take some of the load off, I’d really like to write
some articles for your blog in exchange for a link back to mine.
Please blast me an email if interested. Cheers!
WOW just what I was searching for. Came here by searching
for counteragent
I’m not sure where you’re getting your information, but great topic. I need to spend some time learning more or understanding more. Thanks for the magnificent info, I was looking for this info for my mission.