As many of you probably know, studia.is is a software company, mainly known for its school management software called MySchool. This software, which is hosted on their website, gives schools the opportunity to host and manage course material for their students. It also communicates directly with Inna.is, which holds the grades and history of all Icelandic students.
Now you too can host this website, because studia.is is leaking their source code.
When I was going to access MySchool to retrieve my course material, I noticed a strange error where MySchool was unable to connect to their SQL server. Curious as I was, I decided to explore this error and see where it would lead me.
My first method of attack was to try to upload an .asp file of my own creation that would dump the site directory as well as its contents. MySchool has a feature where you can upload a file as an assignment, but first I had to find out where the files are stored.
When I access a file I submitted as my assignment, my URL looks like this:
At first glance, no obvious hints about its location can be found. Let's move on: what happens if I change the file name like so?
This results in the following error message:
File not found: E:\MySchool_Data\IR\20101\FOR6036S.9717\Assignments\30660\208635\bla
OK, so the uploaded data are stored in a special folder on a special drive, go figure...
Let's move on. What happens if I remove fagID and verkID like so?
This results in a weird message:
Error: Student record not found.
That's weird. Let's also remove act=1 and try the following:
Jackpot, I get the following:
Here I want to see closed files Enterprise.zip Enterprise_Services.zip imsent_bestv1p1.pdf imsent_bindv1p1.pdf imsent_infov1p1.pdf
OK, so I can download the files by putting their name in the filename parameter of the file URL. What happens if the file name is '../', like the following?
This gives the following error:
File not found: D:\Inetpub\wwwroot\MySchool\studia.is\Download\Docs\..\
Wow, I am inside the site path...
The weird thing is that on the previous file listing, I only needed to type in one of the filenames and it sent the file to me directly. What happens when I request default.asp as the file to be downloaded, like so?
Voilà, the server sends its own source code, and you have just found a reliable way to download any file from their server. Talk about a backdoor.
Anyway, that's it for today... Gotta go play some Heroes of Newerth.
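The download endpoint described above appends a user-supplied filename to a fixed folder (the error message shows `...\Download\Docs\..\`), so a name containing `..` walks out of that folder. The following is an added example written for this post, not code from MySchool or studia.is, showing the check such a handler needs: a naive join that reproduces the escape seen in the error message, beside a hardened resolver that rejects path separators, enforces an allow-list of document extensions and verifies that the canonical path is still inside the base directory. The base directory `/srv/myschool/Download/Docs`, the extension allow-list and the function names are constructed for this example; the original site is classic ASP, Python is used here for a portable illustration.

```python
import os
from pathlib import Path

# Constructed base directory, standing in for the real ...\Download\Docs folder.
BASE_DIR = "/srv/myschool/Download/Docs"

# Constructed allow-list: only document types the listing in the post contained.
ALLOWED_EXTENSIONS = {".pdf", ".zip"}


class DownloadRejected(ValueError):
    """Raised when a requested filename must not be served."""


def naive_join(base_dir: str, requested: str) -> str:
    """The weak pattern: concatenate and let the OS normalise it.

    This mirrors what the error message in the post reveals; '../x' lands one
    directory above base_dir.
    """
    return os.path.normpath(os.path.join(base_dir, requested))


def escapes_base(base_dir: str, requested: str) -> bool:
    """True when the naive join would serve a file outside base_dir."""
    target = naive_join(base_dir, requested)
    return os.path.commonpath([base_dir, target]) != os.path.normpath(base_dir)


def resolve_download(base_dir: str, requested: str) -> Path:
    """Return the canonical path to serve, or raise DownloadRejected.

    Layered checks: lexical filtering first (cheap, clear error reasons),
    then canonical containment as defence in depth.
    """
    if not requested or requested in (".", ".."):
        raise DownloadRejected("empty or dot-only filename")
    # Both separators are checked so '..\\x' is caught even on POSIX hosts.
    if any(ch in requested for ch in ("/", "\\", "\x00")):
        raise DownloadRejected("path separator or NUL byte in filename")
    if Path(requested).suffix.lower() not in ALLOWED_EXTENSIONS:
        raise DownloadRejected("extension not in allow-list")

    base = Path(base_dir).resolve()
    candidate = (base / requested).resolve()
    try:
        # relative_to raises ValueError when candidate is not under base.
        candidate.relative_to(base)
    except ValueError:
        raise DownloadRejected("resolved path escapes base directory") from None
    return candidate


def is_safe_download(base_dir: str, requested: str) -> bool:
    """Boolean wrapper around resolve_download for logging or tests."""
    try:
        resolve_download(base_dir, requested)
        return True
    except DownloadRejected:
        return False


if __name__ == "__main__":
    # Constructed sample requests, including the ones the post tried.
    samples = ["imsent_bestv1p1.pdf", "Enterprise.zip", "bla",
               "../", "../default.asp", "..\\default.asp", "default.asp"]
    for name in samples:
        naive = naive_join(BASE_DIR, name)
        try:
            decision = f"ALLOW {resolve_download(BASE_DIR, name)}"
        except DownloadRejected as exc:
            decision = f"REJECT ({exc})"
        print(f"{name!r:22} naive -> {naive:45} hardened -> {decision}")
```

Run as a script, the table makes the contrast visible: the naive join places `../default.asp` in `/srv/myschool/Download`, one level above the document folder, while the hardened resolver rejects it before touching the filesystem. The containment check via `relative_to` is kept even though the separator filter already catches these inputs, so a future loosening of the lexical rules (for example to allow subfolders) cannot silently reintroduce the escape.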