PENETRATION TESTING foomegahost.com

Abstract

This is an extensive penetration test performed from January 1 to January 7, 2023, intended to provide Foomegahost with the information necessary for hardening its systems.

Rodrigo Banzi

[email protected]

Contents

1 Introduction
  1.1 Non-disclosure and no compete
  1.2 Data retention
  1.3 Rules of engagement
2 Reporting
  2.1 Executive Summary
    2.1.1.1 Vulnerabilities by impact
    2.1.1.2 Risk exposure over time
    2.1.1.3 Vulnerabilities by cause
  2.1.2 Vulnerability report
    2.1.2.1 foomegahost.com
      2.1.2.1.1 Windows Server 2008
      2.1.2.1.2 DNS server
      2.1.2.1.3 Microsoft IIS 7.5
    2.1.2.2 m.foomegahost.com
      2.1.2.2.1 service.wsdl open to the internet
      2.1.2.2.2 SQL injection in getTicketInfo
      2.1.2.2.3 Improper user privileges in the database 'foomegahost'
    2.1.2.3 me.foomegahost.com
      2.1.2.3.1 Administrators' user enumeration
      2.1.2.3.2 XSS in the Wall section
      2.1.2.3.3 XSS in the comment section of the Wall
      2.1.2.3.4 XSS in the support section
      2.1.2.3.5 SQL injection in the support section
      2.1.2.3.6 Local File Inclusion (LFI) in the Support section
      2.1.2.3.7 Files with passwords in cleartext
      2.1.2.3.8 Session stealing possibility
    2.1.2.4 fmh-intranetarea.foomegahost.com
  2.1.3 Remediation report
    2.1.3.1 The remediation
      2.1.3.1.1 Weak password
      2.1.3.1.2 User enumeration possibility
      2.1.3.1.3 Upgrade of server and services
      2.1.3.1.4 XSS, HttpOnly flag and SQLi
      2.1.3.1.5 Local File Inclusion in the support ticket form
      2.1.3.1.6 SQL injection in the support ticket form
      2.1.3.1.7 Other issues
3 Conclusions

1 Introduction

The scope of this engagement included the following domain, including all existing subdomains:

- foomegahost.com

All conventional tools and methods for penetration testing were allowed during the engagement; however, less risky methods were to be preferred to mitigate the risk of outages, as the systems are in production. The engagement occurred without any major problem: no production server was taken down or had its functionality diminished in any way. Many vulnerabilities were found; some should receive immediate attention, while others can be resolved later, as described in the remediation section of this document. The overall security of Foomegahost is low, and a real attack could have serious consequences for the future of its business. Therefore, it is highly recommended that Foomegahost starts working on the issues discussed in this document immediately. The penetration tester is available to support Foomegahost in remedying the sites now and/or in the future.

1.1 Non-disclosure and no compete

The penetration testers commit to not working with Foomegahost's competitors and to not exposing data from Foomegahost to anyone outside the penetration testers' lab.

1.2 Data retention

Most of the data collected during the engagement will be destroyed immediately after this report is sent. The data needed for follow-up penetration tests will be encrypted and stored in the penetration testers' lab, which the testers involved in this engagement access using two-factor authentication.

1.3 Rules of engagement

All tools were allowed in the engagement and no time constraint was imposed. The scope of the engagement was the domain foomegahost.com and all its subdomains, which resolved to the IP address 10.21.32.43. The tools used were mainly Burp Suite, sqlmap and a web browser, run from Kali Linux. The source IP of this Kali Linux machine varied between 172.16.5.68 and 172.16.5.73, depending on the DHCP lease of the VPN into Foomegahost's local network.

2 Reporting

2.1 Executive Summary

2.1.1.1 Vulnerabilities by impact

The following vulnerabilities were found during the penetration test.

ID  Service/Vulnerability                                   CVE / CWE        Difficulty to exploit  Impact
--  ------------------------------------------------------  ---------------  ---------------------  ------
Server (foomegahost.com)
1   Windows Server 2008                                     Multiple         Easy                   High
2   DNS 6.1.7601 (1DB14556)                                 CVE-2012-0006    Easy                   Medium
3   Microsoft IIS 7.5                                       CVE-2010-2730    Easy                   Medium
m.foomegahost.com
4   service.wsdl open for the public                        CWE-200          Easy                   Medium
5   SQL injection in getTicketInfo                          CWE-89           Easy                   High
6   Improper privileges of the database user                not applicable   Easy                   High
me.foomegahost.com
7   Account with weak password                              CWE-521          Medium                 High
8   Admin user enumeration                                  not applicable   Easy                   High
9   XSS in the wall section                                 CWE-87           Easy                   Medium
10  XSS in the wall comment section                         CWE-87           Easy                   Medium
11  XSS in the support ticket form                          CWE-87           Easy                   Medium
12  HttpOnly flag off                                       CWE-1004         Medium                 High
13  SQL injection in the support ticket form                CWE-89           Easy                   High
14  LFI in the support area                                 CWE-98           Easy                   High
15  Improper privilege management of the user on the server CWE-269          Easy                   High
16  Files with passwords in cleartext                       CWE-256          Easy                   High
fmh-intranetarea.foomegahost.com
17  phpinfo.php file open for the public                    CWE-200          Medium                 High
18  XSS in the wall section                                 CWE-87           Easy                   Medium
19  XSS in the wall comment section                         CWE-87           Easy                   Medium

Table 1: List of found vulnerabilities and respective criticalities

Figure 2 presents a visualisation of the distribution of the vulnerabilities in terms of how difficult they are for a threat actor to exploit and the impact of a successful exploitation. It can be used as a roadmap for investments in hardening Foomegahost's infrastructure.

2.1.1.2 Risk exposure over time

Foomegahost is currently exposed to 19 vulnerabilities that could be exploited to compromise its IT infrastructure. The penetration testers advise Foomegahost to prioritise the high-impact, easy-to-exploit quadrant of the vulnerability map. Afterwards, the issues in the low-impact, easy-to-exploit quadrant should be resolved, from the highest impact to the lowest.

2.1.1.3 Vulnerabilities by cause

Figure 3 shows the number of vulnerabilities per type. Foomegahost suffers from a considerable variety of vulnerabilities. Some are easily solvable with a simple server reconfiguration; others require more elaborate measures.

Figure 2: Vulnerability map (difficulty to exploit against impact)

[Figure 3: bar chart of the frequency of vulnerabilities by type; categories: vulnerable software, XSS, SQLi, weak password, LFI, HttpOnly flag, others]

2.1.2 Vulnerability report

The topology found at foomegahost.com is presented in Figure 4. Although all servers and databases are hosted on the same virtual machine, the figure represents them according to the purpose of each subdomain and how it communicates with the databases.

Figure 3: Number of vulnerabilities found by type
Figure 4: IT topology found at Foomegahost's infrastructure

The domain in scope for the engagement was foomegahost.com along with all its subdomains. Using the following command, it is possible to enumerate the subdomains 'm.foomegahost.com' and 'me.foomegahost.com':

- ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u http://FUZZ.foomegahost.com

Furthermore, using the local file inclusion discussed in chapter 2.1.2.3.6, it is possible to get a command-line shell on the server and read, in the file 'config.php', about the presence of a third subdomain, 'fmh-intranetarea.foomegahost.com'. Further investigation and exploitation, discussed in the following chapters, reveal the purpose of the domain and the three subdomains found:

- foomegahost.com – main website, used by regular customers
- m.foomegahost.com – administrators' area, used to see the open tickets
- me.foomegahost.com – members' area, used by non-administrators to communicate with each other and with the support team (administrators)
- fmh-intranetarea.foomegahost.com – intranet area, where administrators and non-administrators who work at Foomegahost can check pending tickets, close tickets and communicate with each other. The wall of the intranet is the same as the one on the members' site; all posts and comments can be read and written on both sites.

In summary, 19 vulnerabilities were found during the penetration testing engagement, each with its assigned CWE (Common Weakness Enumeration) according to the CWE framework [5], which catalogues the most common weaknesses in, among others, web applications and their impacts.

2.1.2.1 foomegahost.com

This is the main site, where customers can find information about the company's products and from where company members can log in. A full nmap scan revealed the following open ports and their respective services:

    PORT      STATE SERVICE            VERSION
    53/tcp    open  domain             Microsoft DNS 6.1.7601 (1DB14556) (Windows Server 2008 R2 SP1)
    80/tcp    open  http               Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
    3389/tcp  open  ssl/ms-wbt-server?
    49155/tcp open  msrpc              Microsoft Windows RPC
    Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

The site does not accept any user input, but it reveals too much information about the company and its staff (Figure 6), which facilitates the work of a threat actor: for example, names and positions can be used to infer usernames for password brute-force attacks, or to find targets on social media for phishing campaigns.

[5] https://cwe.mitre.org/index.html

2.1.2.1.1 Windows Server 2008 [7]

Nmap detected that the server hosting the site is Windows Server 2008 R2 SP1, which is highly vulnerable according to cvedetails.com [8]. Further enumeration of the machine confirmed the server's specifications. This version has not been supported by Microsoft since 2020-01-14, which means that any vulnerability found after that date, the last day of support, will in principle not be patched by the vendor.

2.1.2.1.2 DNS server

The DNS server of this system is Microsoft DNS 6.1.7601 (1DB14556), which is also vulnerable [9] (CVE-2012-0006, CVSS score 5.0), mainly to denial of service, which prevents the service from fulfilling its function when exploited.

2.1.2.1.3 Microsoft IIS 7.5

The web server Microsoft IIS 7.5 used to host the sites at foomegahost.com is out of date and should be updated [10].

Figure 6: foomegahost.com revealing names and positions, very useful information for a threat actor

[7] https://www.cvedetails.com/product/11366/Microsoft-Windows-Server-2008.html?vendor_id=26
[8] https://www.cvedetails.com/product/11366/Microsoft-Windows-Server-2008.html?vendor_id=26
[9] https://www.cvedetails.com/cve/CVE-2012-0006/
[10] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2730

2.1.2.2 m.foomegahost.com

2.1.2.2.1 service.wsdl open to the internet

The administrators' area communicates with its database using SOAP over XML (Figures 11 and 12).

Apparently there is enough input validation on both the username and password inputs to prevent SQLi (SQL injection) and XSS (cross-site scripting). However, the page loads the file service.wsdl and exposes it publicly (Figure 13).

Figure 11: Administrators' area
Figure 12: XML SOAP used by m.foomegahost.com to talk to its database

In service.wsdl it is possible to identify three methods through which user input reaches the server via SOAP:

- login – the one used by the m.foomegahost.com site to authenticate users
- getLatestTickets – takes a token as input, which is later added to the URL
- getTicketInfo – used to query data on the site me.foomegahost.com about support tickets, as well as posts on the 'wall' and comments on those posts
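As an added example (not part of the original report), the following Python script shows how the operations and their input parameters can be pulled out of a WSDL such as service.wsdl, which is the first thing to do once a service description turns out to be exposed. The WSDL embedded below is constructed for this example: the three operation names are the ones listed above, but the message and part names other than authToken, and the urn:fmh namespace, are assumptions.

```python
"""List the SOAP operations an exposed WSDL advertises (added example)."""
import xml.etree.ElementTree as ET

WSDL_NS = {"w": "http://schemas.xmlsoap.org/wsdl/"}

# Constructed sample WSDL. The three operation names come from the report;
# the message/part names (except authToken) and the urn:fmh namespace are assumptions.
SAMPLE_WSDL = """<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
             xmlns:xsd="http://www.w3.org/2001/XMLSchema"
             xmlns:tns="urn:fmh" targetNamespace="urn:fmh">
  <message name="loginRequest">
    <part name="username" type="xsd:string"/>
    <part name="password" type="xsd:string"/>
  </message>
  <message name="getLatestTicketsRequest">
    <part name="authToken" type="xsd:string"/>
  </message>
  <message name="getTicketInfoRequest">
    <part name="authToken" type="xsd:string"/>
  </message>
  <portType name="TicketPortType">
    <operation name="login">
      <input message="tns:loginRequest"/>
    </operation>
    <operation name="getLatestTickets">
      <input message="tns:getLatestTicketsRequest"/>
    </operation>
    <operation name="getTicketInfo">
      <input message="tns:getTicketInfoRequest"/>
    </operation>
  </portType>
</definitions>
"""


def list_operations(wsdl_text):
    """Return {operation_name: [(part_name, part_type), ...]} in document order."""
    root = ET.fromstring(wsdl_text)
    # Index every <message> by its local name so operations can resolve their input.
    messages = {}
    for msg in root.findall("w:message", WSDL_NS):
        parts = [(p.get("name"), p.get("type") or p.get("element"))
                 for p in msg.findall("w:part", WSDL_NS)]
        messages[msg.get("name")] = parts
    operations = {}
    for port_type in root.findall("w:portType", WSDL_NS):
        for op in port_type.findall("w:operation", WSDL_NS):
            inp = op.find("w:input", WSDL_NS)
            ref = inp.get("message", "") if inp is not None else ""
            # "tns:loginRequest" -> "loginRequest"; the prefix is irrelevant here.
            operations[op.get("name")] = messages.get(ref.split(":")[-1], [])
    return operations


def string_parameters(operations):
    """Operations that accept free-form strings: the first candidates for SQLi/XSS fuzzing."""
    return {op: [name for name, typ in parts if typ and typ.endswith("string")]
            for op, parts in operations.items()}


if __name__ == "__main__":
    ops = list_operations(SAMPLE_WSDL)
    for op, parts in ops.items():
        print(op, parts)
    print("string inputs:", string_parameters(ops))
```

Run against a real WSDL the output is the fuzzing worklist: every string-typed part of every operation is a parameter the server will parse, whether or not the web UI ever sends it.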

2.1.2.2.2 SQL injection in getTicketInfo

Further investigation reveals that the 'authToken' parameter of the getTicketInfo method is vulnerable to SQLi (Figure 14):

Figure 13: service.wsdl open to the public

Using sqlmap it is possible to extract information through this SQL injection vulnerability. The dump of the 'foomegahost' database reveals five tables (Figure 15):

- Comments
- Messages
- Roles
- Ticket
- User

The table 'user' contains the following columns:

- id
- role
- email
- password
- username
- last_name
- first_name

From the column 'role' it can be inferred that there are three groups of users, with role numbers 1, 2 and 3. Role 3 has the least privileges and uses third-party email addresses rather than @foomegahost.com ones. Role 2 probably has a higher level of access and uses @foomegahost.com addresses. Role 1 users are the administrators, probably the only ones who can log in to the administrators' panel.

Figure 14: The getTicketInfo method appears to be vulnerable to SQLi

CWE-89: https://cwe.mitre.org/data/definitions/89.html

All extracted passwords seem complex enough to withstand brute-force or dictionary attacks in a reasonable amount of time. However, the hash of the user 'test' was cracked easily with 'John the Ripper' on the attacker's Kali machine:

- username: test
- password: password1234

As suspected, the 'test' username and password do not work on the m.foomegahost.com site, probably because of the role number 3.
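The following Python block is an added example, not part of the original report or of the John the Ripper run above. It shows why an unsalted MD5 password table (the storage format found in this engagement) falls to a dictionary attack so quickly, and what the storage should look like instead. The user table and the word list are constructed here; the only value taken from the report is that 'test' uses the password 'password1234'. The salted scheme in the second half goes beyond the report, which does not discuss password storage.

```python
"""Dictionary attack against unsalted MD5 hashes, and a salted alternative (added example)."""
import hashlib
import hmac
import os

# Constructed stand-in for the 'user' table: unsalted MD5, as found in the report.
# The 'test' password is the one the report cracked; the other two are strong
# passphrases hashed here so the example stays deterministic (not real data).
USER_TABLE = {
    "admin": hashlib.md5(b"Kx7#Qp!9vWm2$zLr").hexdigest(),
    "jdoe": hashlib.md5(b"correct-horse-battery-staple-42").hexdigest(),
    "test": hashlib.md5(b"password1234").hexdigest(),
}

# Constructed mini word list; a real run would use rockyou.txt or similar.
WORDLIST = ["123456", "password", "qwerty", "letmein", "password1", "password1234"]


def crack_md5(user_table, wordlist):
    """Return {username: plaintext} for every hash that a word list entry reproduces.

    Because the hashes are unsalted, one MD5 per word tests every user at once:
    the cost is len(wordlist), not len(wordlist) * len(user_table).
    """
    users_by_hash = {}
    for user, digest in user_table.items():
        users_by_hash.setdefault(digest.lower(), []).append(user)
    cracked = {}
    for word in wordlist:
        digest = hashlib.md5(word.encode()).hexdigest()
        for user in users_by_hash.get(digest, []):
            cracked[user] = word
    return cracked


# --- What the table should hold instead: a per-user salt and a slow KDF. ---
ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor; tune to ~100 ms on the server


def store_password(password, salt=None):
    """Return 'pbkdf2_sha256$iterations$salt_hex$hash_hex' for storage in the user table."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Constant-time comparison against a value produced by store_password()."""
    algo, iterations, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)


if __name__ == "__main__":
    print("cracked:", crack_md5(USER_TABLE, WORDLIST))
    record = store_password("password1234")
    print("salted record:", record)
    print("verify ok:", verify_password("password1234", record))
```

With a random salt per user the attacker has to repeat the whole word list for every account, and with the iteration count each guess costs hundreds of thousands of hash computations instead of one; neither changes the fact that 'password1234' remains guessable, which is why the remediation section recommends removing the 'test' account.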

2.1.2.2.3 Improper user privileges in the database 'foomegahost'

Using the local file inclusion vulnerability found in the support section of the members' area, described in detail in chapter 2.1.2.3.6, it is possible to run a webshell by following these steps:

- upload the file disguised as a .png file;
- intercept the upload in Burp Suite and change the extension to .php before forwarding it;
- open the file in the tickets section of the members' area.

In this case, I uploaded the file webadmin.php, a webshell with the functionality of sending queries directly to the MySQL database (Figure 17). Using the database credentials discussed in chapter 2.1.2.3.7, I could change all the passwords to the MD5 hash of the word 'password', '5f4dcc3b5aa765d61d8327deb882cf99' (Figures 16, 18 and 19).

Figure 15: Content of the 'foomegahost' database tables extracted using the SQLi vulnerability of the getTicketInfo method
Figure 16: Original MD5 hash of the password for the username 'admin'
Figure 17: webadmin.php inserted using the local file inclusion in the support section of the members' site and accessed in the ticket section of the members' site

The database user 'res_foomegahost' should not be able to access and change the table 'user'. Although this issue does not map to a CVE, it violates the principle of least privilege, which states that 'each user must be able to access only the information and resources that are necessary for its legitimate purpose' [20]. The change in the database worked, and I could log in to the administrators' panel with the following credentials (Figure 21):

- User: admin
- Password: password

Figure 18: Password changed successfully
Figure 19: All passwords changed to the hash of the word 'password'

[20] https://en.wikipedia.org/wiki/Principle_of_least_privilege

2.1.2.3 me.foomegahost.com

Using the username 'test' and password 'password1234' (discussed in chapter 2.1.2.2.2), it is possible to log in to the members' area. Once logged in, a user can send a ticket to the support team, read their current tickets and communicate with other users by posting messages and commenting on existing posts.

2.1.2.3.1 Administrators' user enumeration [22]

When the username 'admin' is used to log in to the me.foomegahost.com members' site, the site responds with a particular error, confirming the existence of the admin username (Figure 23). The same does not happen with non-administrator usernames. An adversary can exploit this to enumerate administrator accounts for use in password brute-force or dictionary attacks.

Figure 21: Logged in to the admin panel using username 'admin' and password 'password'

[22] https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/03-Identity_Management_Testing/04-Testing_for_Account_Enumeration_and_Guessable_User_Account

2.1.2.3.2 XSS in the Wall section

The blog area, 'The daily wall', is vulnerable to persistent XSS in the main posting form (Figures 25 to 27). Furthermore, the penetration test found that both the members' area and the intranet area set the session cookie without the HttpOnly flag, which means that any XSS vulnerability could lead to a script reading the session ID cookie and sending it to an external host [24]. This setting would allow an adversary to steal cookies: the adversary posts a script that collects the cookies of active sessions and sends them to the attacker's server, then waits until someone logs in. I set up such a script, but no one logged in during the attack window (Figures 28 and 29).
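To make the HttpOnly finding checkable, here is an added Python example (not from the report) that audits the Set-Cookie headers of an HTTP response for the HttpOnly, Secure and SameSite attributes. The two responses are constructed for the example: the first mirrors what was found on the members' and intranet areas (PHPSESSID issued without HttpOnly), the second shows the corrected header. The cookie value and the other headers are invented.

```python
"""Audit Set-Cookie headers for missing session-cookie protections (added example)."""

# Constructed raw HTTP responses. PHPSESSID is the cookie name the report mentions;
# the values and the other headers are invented for this example.
VULNERABLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Set-Cookie: PHPSESSID=b4f3c1e2d9a8f7e6c5b4a3d2e1f0a9b8; path=/\r\n"
    "\r\n"
    "<html><body>members area</body></html>"
)
FIXED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Set-Cookie: PHPSESSID=b4f3c1e2d9a8f7e6c5b4a3d2e1f0a9b8; path=/; "
    "HttpOnly; Secure; SameSite=Lax\r\n"
    "\r\n"
    "<html><body>members area</body></html>"
)


def parse_set_cookie(header_value):
    """Split 'name=value; attr; attr=value' into (name, {attr_lowercase: value})."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def missing_protections(header_value):
    """Return (cookie_name, [protections the header lacks])."""
    name, attrs = parse_set_cookie(header_value)
    missing = []
    if "httponly" not in attrs:
        missing.append("HttpOnly")   # readable from script via document.cookie
    if "secure" not in attrs:
        missing.append("Secure")     # also sent over plain HTTP
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        missing.append("SameSite")   # attached to cross-site requests (CSRF)
    return name, missing


def audit_response(raw_response):
    """Return {cookie_name: [missing protections]} for every Set-Cookie header in a raw response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    findings = {}
    for line in head.split("\r\n")[1:]:   # skip the status line
        key, _, value = line.partition(":")
        if key.strip().lower() == "set-cookie":
            name, missing = missing_protections(value)
            findings[name] = missing
    return findings


if __name__ == "__main__":
    print("vulnerable:", audit_response(VULNERABLE_RESPONSE))
    print("fixed:     ", audit_response(FIXED_RESPONSE))
```

One caveat a reader should keep in mind: HttpOnly stops the injected script from reading the cookie, but not from acting with it. A persistent XSS payload can still issue requests that the browser sends with the victim's session cookie attached, so HttpOnly is defence in depth; removing the XSS itself is the fix.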

Figure 23: Enumerating admin user accounts

[24] https://owasp.org/www-community/HttpOnly

Figure 25: Blog posting area, 'The daily wall', is vulnerable to XSS
Figure 26: The same blog posting area in the intranet is vulnerable to XSS
Figure 27: The same blog posting area in the intranet is vulnerable to XSS

2.1.2.3.3 XSS in the comment section of the Wall

The comments section of the wall is also vulnerable to XSS injection. When a post has more than two comments, the site shows only the last two and a payload in an older comment is not triggered (Figure 30). However, users can see the remaining comments by clicking the 'View all X comments' button, which calls the 'viewajax.php' script (Figure 31) and triggers every XSS payload among the comments of that post (Figure 32). Since the intranet site uses exactly the same wall, it is vulnerable to the same XSS in the comments section.

Figure 28: Persistent XSS
Figure 29: Cookie stealing setup
Figure 30: XSS payload not triggered in the comments section of the wall
Figure 31: viewajax.php script

2.1.2.3.4 XSS in the support section

The parameter 'category' of the form used on the support site to register a ticket is vulnerable to reflected XSS (Figures 33 and 34). Furthermore, during this test it was discovered that the current user of the database 'foomegahost' has permission to insert data. If a query can be redirected, for example via a file inclusion, to insert a new admin user into the 'user' table or to change the details of an existing user, then the site is completely compromised.

Figure 32: XSS triggered when users click 'View all 3 comments' on the wall

2.1.2.3.5 SQL injection in the support section

The parameter 'category' of the form used to create new tickets for the support team is also vulnerable to SQL injection. By fuzzing the parameter in Burp Suite it is possible to read, from the error messages, the SQL query the developer uses to insert the ticket into the database (Figure 35).

Figure 33: Reflected XSS in the support section
Figure 34: Reflected XSS in the support section

Using sqlmap, with the form request saved as a text file, it is possible to enumerate and exploit the database 'foomegahost' along with its five tables (Figures 36 and 37):

- User
- Comments
- Messages
- Roles
- Tickets

Figure 35: SQL injection fuzzing in the support ticket form
Figure 36: SQL injection attack in the support ticket form using sqlmap

2.1.2.3.6 Local File Inclusion (LFI) in the Support section

The support function lets users write a title for the ticket, provide any relevant IP addresses and attach a file. Users should only be able to upload files with a whitelisted set of extensions, and the web application does enforce the whitelist; however, it does so only on the client side, so the check can be bypassed with a web application proxy. The user selects a file with an allowed extension and, before the request is forwarded, changes it to any extension. Strictly speaking, this is an unrestricted file upload (the server stores and later executes an attacker-supplied .php file) rather than an include-based file inclusion; the term LFI is used throughout this report for this finding.

Figure 37: Database enumeration using the SQL injection in the ticket form

By exploiting this vulnerability and uploading a PHP reverse shell, it is possible to click on the file in the tickets area, execute it and obtain a shell, as well as discover the path where attachments are stored on the server, in this case: http://me.foomegahost.com/ticketAttachments/4b3519fbe17e82993e76927e5f253/ (Figures 38 and 39).

Figure 38: Webshell uploaded as a ticket attachment. The attacker changes the file extension and the application accepts the file
Figure 39: Reverse shell obtained through the support file attachment upload

The user obtained through the shell has limited capabilities and is not allowed to list some folders on the system (Figure 40). However, it is possible to read some important files and discover that all the discovered subdomains (members, administration, intranet) and even foophones.com are hosted on this server.

Figure 40: Users on the server

[41] https://cwe.mitre.org/data/definitions/256.html

2.1.2.3.7 Files with passwords in cleartext [41]

Here follows a list of interesting files that could be extracted from the include folder (Figure 42):

- config.php – from which it is possible to discover the intranet URL and the database credentials for two databases, foomegahost_www and res_foomegahost, with their respective users (Figures 43 and 44).

Figure 42: Interesting files in the C:\inetpub\vhosts\foomegahost.com\subdomains\me\httpdocs\include\ folder
Figure 43: config.php file
Figure 44: Database credentials

It can be inferred that the res_foomegahost database stores more sensitive information than the www database does.

- members.foomegahost.com.config – from which we can read the hashed password of the current user, IUS_MEFMH, as well as three addresses for the me.foomegahost.com subdomain (Figure 45).

- login.php in the members' area. Since the current user has permission to change this file and replace the one used by the members' subdomain, it is possible to modify it so that, for example, the hashed password can be entered instead of the password, gaining access to the members' area while impersonating other users (Figures 46 to 48).


2.1.2.3.8 Session stealing possibility

Including the phpinfo.php file with the command to show the phpinfo() data reveals that sessions are stored in the folder C:\inetpub\sitesdata\foomegahost.com\SESSIONS\USERS. Uploading and using a webshell, it is possible to list the contents of that folder, i.e. the session IDs. Changing the PHPSESSID cookie to the first one in the list and refreshing the page reveals that we are now the administrator (Figures 49 and 50). Changing the PHPSESSID on the http://fmh-intranetarea.foomegahost.com/ site likewise gives access to that site (Figures 51 and 52).

Figure 45: File 'members.foomegahost.com.config'
Figure 46: Slight change to the file allowing the hashed password to be entered instead of the password
Figure 47: Impersonating Mr. Goodwin in the members' area
Figure 48: Impersonating Mr. Delacruz in the members' area

In the intranet area it was discovered that the wall section is the same as the one on the members' site, where the same persistent XSS exists. That means that through the members' area it is possible to steal cookies both from users who log in to the members' area and open the wall and from those who arrive through the intranet.

Figure 49: Session stealing possibility
Figure 50: Session stealing possibility

2.1.2.4 fmh-intranetarea.foomegahost.com

The intranet area is a simpler version of the members' area plus the function of closing tickets. The same XSS vulnerabilities found in the wall section of the members' area were found in the intranet area.

2.1.3 Remediation report

2.1.3.1 The remediation

Assuming that Foomegahost's resources are finite, the hardening of its IT infrastructure should proceed by eliminating the vulnerabilities found in this penetration test according to their severity. Below is our prioritised recommendation for Foomegahost, with an estimate of the resources needed based on our experience in the IT security field.

Figure 51: Session stealing possibility
Figure 52: Session stealing possibility

2.1.3.1.1 Weak password

If the 'test' user account has to remain, its password should be raised to the same complexity standard as the other users' accounts. Preferably, the account should be removed, since an account without a defined owner raises the overall risk for the site. Every user account should have an owner who is accountable for securing it.

Estimated resources: 0.5 hour of a junior administrator

2.1.3.1.2 User enumeration possibility

The login page of the members' area should be redesigned so that the login process does not reveal whether an account exists. In other words, a user logging in should not see an error page stating that the administrator has a special page to log in (Figure 53); the response to a wrong username and to a wrong password should be identical.

The www page should not give away names and positions as it does now, to avoid username/password guessing attacks as well as social engineering attacks.

Estimated resources: 1 day of a medium-level developer

2.1.3.1.3 Upgrade of server and services

The two legacy services described above and the legacy operating system should be upgraded. Furthermore, the company should create and put into practice an upgrade plan in order to reduce the time that servers and services remain out of date.

Estimated resources: 2 days of a medium-level system administrator

2.1.3.1.4 XSS, HttpOnly flag and SQLi

Foomegahost should validate its users' input, encode it on output, and review its server configuration, including setting the HttpOnly flag on the session cookie. Furthermore, it should implement a plan to test its code before it goes to production.

- The persistent XSS in the wall sections of the members' area and the intranet can be avoided by implementing a sanitisation mechanism in the file 'savemessage.php' in the process of saving messages (Figure 54). The file, as is, simply stores and posts the inserted message. The reliable fix is to HTML-encode the message wherever it is output (htmlspecialchars() in PHP) rather than trying to recognise malicious payloads on input.
- The viewajax.php file should not echo a comment without the same encoding; as is, it outputs the stored comment verbatim (Figure 55).

Figure 53: The login.php file should be changed so as not to confirm that the entered user is a valid administrator username

Estimated resources: 5 days of a senior developer

2.1.3.1.5 Local File Inclusion in the support ticket form

The file upload issue in the support ticket attachment could be solved via server-side validation of uploaded files instead of the client-side-only check configured now. The file 'support.php' checks whether the file has a valid extension at the moment the user clicks the

Figure 54: Part of savemessage.php that should be reviewed. A sanitisation algorithm should be implemented.
Figure 55: Part of viewajax.php that should be reviewed. A sanitisation algorithm should be implemented.
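The added Python example below is not the report's code and not support.php; it shows the server-side validation that section 2.1.2.3.6 found missing and that this section recommends. The decision is made from the request the server actually received, the extension is checked against an allow-list, the file's leading bytes must match that extension, and the stored name is generated rather than taken from the client. The allow-list, the magic bytes, the size limit and the sample uploads are constructed for the example.

```python
"""Server-side attachment validation that a proxy cannot bypass (added example)."""
import os
import secrets

# Assumed allow-list for ticket attachments; the report only says a whitelist exists.
# Each extension is tied to the bytes a genuine file of that type starts with.
ALLOWED_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "pdf": b"%PDF-",
}
MAX_SIZE = 5 * 1024 * 1024  # assumed 5 MiB limit


def validate_upload(client_filename, content):
    """Return (ok, extension) or (False, reason). Everything is re-checked from the raw request."""
    if len(content) > MAX_SIZE:
        return False, "file too large"
    # Drop any path the client sent; only the final component matters, and a
    # null byte could truncate the name in lower layers.
    base = os.path.basename(client_filename.replace("\\", "/"))
    if "\x00" in base or not base:
        return False, "invalid filename"
    if "." not in base:
        return False, "no extension"
    ext = base.rsplit(".", 1)[1].lower()      # the LAST extension decides how IIS treats the file
    if ext not in ALLOWED_TYPES:
        return False, f"extension .{ext} not allowed"
    if not content.startswith(ALLOWED_TYPES[ext]):
        return False, f"content does not look like a .{ext} file"
    return True, ext


def stored_filename(client_filename, content):
    """Name to save under: random, with the validated extension. Raises on rejection."""
    ok, result = validate_upload(client_filename, content)
    if not ok:
        raise ValueError(result)
    return f"{secrets.token_hex(16)}.{result}"


# Constructed uploads for the demonstration.
PNG_FILE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64          # genuine-looking PNG header
PHP_FILE = b"<?php echo shell_exec($_GET['c']); ?>"     # minimal PHP webshell body, constructed

if __name__ == "__main__":
    for name, data in [("shot.png", PNG_FILE), ("shot.php", PHP_FILE),
                       ("shot.png", PHP_FILE), ("shot.php.png", PHP_FILE)]:
        print(name, validate_upload(name, data))
```

The extension and magic-byte checks reject the bypass the report used (a .php name arriving with an image's extension removed, or PHP code behind a .png name), but they still accept a real PNG with PHP code hidden in a text chunk. The attachment directory must therefore also be served without script execution: store it outside the web root, or disable the PHP handler for it and deliver files through a download script with a fixed Content-Type.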


2.1.3.1.6 SQL injection in the support ticket form

As can be seen in the 'support.php' file (Figure 57), the form applies 'mysql_real_escape_string' to filter dangerous characters from the 'summary' and 'details' attributes, but not from the 'category' attribute. Perhaps the developer's reasoning was that 'category' would always come from a strict, predefined list of strings. However, that list was never enforced server-side, so the value can be changed to any string using a local proxy, for example. Two possible fixes are to apply 'mysql_real_escape_string' to the 'category' attribute as well, or to verify server-side that 'category' is one of a strict list of allowed values. The more robust solution is to do the latter and, at the same time, to move all queries to prepared statements with bound parameters, which removes the need to escape values by hand; note that the mysql_* extension this code relies on is deprecated since PHP 5.5 and removed in PHP 7.0, so migrating to mysqli or PDO also fits the upgrade recommendation in section 2.1.3.1.3.

Figure 56: support.php file with the XSS vulnerability

Estimated resources: 1 day of a medium-level developer
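The Python/SQLite block below is an added example, not the report's support.php. It reproduces the pattern described in sections 2.1.2.3.5 and 2.1.3.1.6 (summary and details escaped, category concatenated raw) next to the fixed version. The injected category value reads another table into the attacker's own ticket, which is the kind of data extraction the engagement performed with sqlmap. The schema, the allow-list of categories and the admin hash are constructed; the `||` concatenation is SQLite syntax, where MySQL would need CONCAT().

```python
"""SQL injection through an unescaped INSERT column, and the fixed version (added example)."""
import sqlite3

# Assumed allow-list; the report only says 'category' was meant to come from a fixed list.
CATEGORIES = frozenset({"billing", "technical", "abuse"})

# Constructed data: a made-up admin hash, not a value from the engagement.
ADMIN_HASH = "e3afed0047b08059d0fada10f400c1e5"


def setup():
    """In-memory stand-in for the 'foomegahost' database with a user and a ticket table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE user(id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        CREATE TABLE ticket(id INTEGER PRIMARY KEY, category TEXT, summary TEXT, details TEXT);
    """)
    conn.execute("INSERT INTO user(username, password) VALUES (?, ?)", ("admin", ADMIN_HASH))
    return conn


def escape(value):
    """Stand-in for mysql_real_escape_string: doubles quotes (SQLite has no backslash escapes)."""
    return value.replace("'", "''")


def _category_of(conn, row_id):
    return conn.execute("SELECT category FROM ticket WHERE id = ?", (row_id,)).fetchone()[0]


def insert_ticket_vulnerable(conn, category, summary, details):
    """The report's pattern: summary/details escaped, category dropped straight into the SQL."""
    sql = ("INSERT INTO ticket(category, summary, details) "
           "VALUES ('%s', '%s', '%s')" % (category, escape(summary), escape(details)))
    cur = conn.execute(sql)
    return _category_of(conn, cur.lastrowid)


def insert_ticket_parameterized(conn, category, summary, details):
    """Bound parameters alone already stop the injection: the payload is stored as plain text."""
    cur = conn.execute("INSERT INTO ticket(category, summary, details) VALUES (?, ?, ?)",
                       (category, summary, details))
    return _category_of(conn, cur.lastrowid)


def insert_ticket_fixed(conn, category, summary, details):
    """Recommended version: server-side allow-list on top of bound parameters."""
    if category not in CATEGORIES:
        raise ValueError("unknown category")
    return insert_ticket_parameterized(conn, category, summary, details)


# Closes the category literal, concatenates a subquery result, reopens the literal.
PAYLOAD = "' || (SELECT password FROM user WHERE username = 'admin') || '"

if __name__ == "__main__":
    conn = setup()
    print("vulnerable stored category:", insert_ticket_vulnerable(conn, PAYLOAD, "it's slow", "help"))
    print("parameterized stored category:", insert_ticket_parameterized(conn, PAYLOAD, "it's slow", "help"))
    try:
        insert_ticket_fixed(conn, PAYLOAD, "it's slow", "help")
    except ValueError as exc:
        print("fixed version rejected payload:", exc)
    print("fixed stored category:", insert_ticket_fixed(conn, "billing", "it's slow", "help"))
```

The vulnerable function returns the admin's hash as the stored category, because the attacker's ticket is something the attacker can read back in the members' area; the parameterized version returns the payload string unchanged, and the allow-listed version never lets it reach the database at all.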

2.1.3.1.7 Other issues

The other issues discussed in this report must also be dealt with in order to increase the overall security of the site. The cleartext database passwords should not be readable by the web application's user; obfuscation alone does not help, since the application must still be able to recover them, so the credentials should be kept outside the web root with restrictive file permissions, and the database accounts should be limited to the privileges each site needs. The administrator should review each user's privileges regularly in order to follow the principle of least privilege discussed earlier in this report. The file service.wsdl should not be available to end users of the site.

Estimated resources: 5 days of a medium-level system administrator plus 2 hours of a senior developer

3 Conclusions

The overall security of Foomegahost is low and should receive immediate attention. However, most of the issues found during this penetration test can be solved with relatively few resources. The most serious issue, in the penetration testers' judgement, is that the vulnerabilities found are repeated, structural issues, which is evidence of a lack of security culture in Foomegahost's development. Therefore, apart from the remediation recommendations presented in this report, the penetration testers recommend that developers and system administrators go through security training and that Foomegahost implement security testing processes in order to harden its IT infrastructure permanently.

Figure 57: support.php file with the SQL injection vulnerability