
What SQL Injection Can Lead To

I will tell my story, which is somewhat instructive. It began in the summer, around July or August.

Imagine a provincial town with a population of about 60,000. There are two providers in this town. One has been around for about 8 years and has about 5,000 customers. This story is about that one.

While looking through one of the resources hosted on a server belonging to that provider (namely, the website of the town administration), I changed the request /news.php?id=123 to /news.php?id=124-1. The result did not change: no errors, the same news item was displayed. Next came the routine work of determining the number of fields. In principle, I did not expect anything interesting; there are plenty of such bugs, if only the whole thing had not been running as the root user. On top of that, tags and JavaScript were not filtered in the body of the news items. And then, like Ostap, I got carried away...
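The two checks described above, the `id=124-1` arithmetic probe and the enumeration of the number of fields, as an added example that is not part of the original post. It is written against an in-memory SQLite table (constructed sample data, not the real site) instead of the MySQL backend the story implies, so the root-level file reads that follow in the story are not shown; the vulnerable query construction and the parameterized fix next to it are the point.

```python
import sqlite3


def make_db():
    """Constructed sample data (not the real site): a tiny news table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO news VALUES (?, ?, ?)",
        [(123, "Road repairs", "Work starts Monday."),
         (124, "Budget hearing", "Council meets Friday.")],
    )
    conn.commit()
    return conn


def vulnerable_news(conn, id_param):
    """The news.php bug: the id parameter is pasted straight into the SQL text."""
    sql = f"SELECT id, title, body FROM news WHERE id={id_param}"
    return conn.execute(sql).fetchall()


def safe_news(conn, id_param):
    """Hardened form: the id is bound as a parameter, so it is compared as a
    value and never parsed as SQL. '124-1' is then just a string that matches
    nothing, and 'UNION SELECT ...' never reaches the parser."""
    sql = "SELECT id, title, body FROM news WHERE id=?"
    return conn.execute(sql, (id_param,)).fetchall()


def arithmetic_probe(conn, fetch, base_id):
    """The id=124-1 check from the story: if id=124-1 returns the same row as
    id=123, the backend evaluated our arithmetic, i.e. the input reached SQL."""
    return fetch(conn, str(base_id)) == fetch(conn, f"{base_id + 1}-1")


def count_columns(conn, fetch, base_id, max_cols=10):
    """'Determining the number of fields': append UNION SELECT NULL,... with a
    growing column count. A width mismatch raises an error; the first count
    that comes back with an all-NULL row is the width of the original SELECT.
    Returns None when no injection is possible (the hardened query)."""
    for n in range(1, max_cols + 1):
        nulls = ", ".join(["NULL"] * n)
        try:
            rows = fetch(conn, f"{base_id} UNION SELECT {nulls}")
        except sqlite3.OperationalError:
            # "SELECTs to the left and right of UNION do not have the same
            # number of result columns": wrong width, try the next one.
            continue
        if any(all(v is None for v in row) for row in rows):
            return n
    return None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable: probe =", arithmetic_probe(db, vulnerable_news, 123),
          "columns =", count_columns(db, vulnerable_news, 123))
    print("hardened:   probe =", arithmetic_probe(db, safe_news, 123),
          "columns =", count_columns(db, safe_news, 123))
```

Against `vulnerable_news` the probe returns True and the enumerator finds three columns; against `safe_news` the probe returns False and the enumerator finds nothing, because the bound parameter is compared as a text value that matches no id.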

Other resources hosted on the same server were found as well: the sites of the prosecutor's office, the local police department, and so on. I did not waste time searching them for vulnerabilities, though. Root-level access to the server let me read every file and database on it, all through that same injection. I found the configuration files of the servers and development tools, password files, the source code of the sites, the billing and payment systems, the phpMyAdmin configuration files and its authentication files. That gave me convenient full access to all the databases. The data the provider needed for its operations and the databases of the sites were all stored on one server.
Everything of interest was dumped: the personal data of 5,000 users (the information they provided for their contracts), logins, passwords, contracts, account balances, and information about payment cards (face value, activated or not). Naturally, I could have credited any user's account with a million, bankrupted another, activated cards, and so on.

Next came the work of uploading a shell. An abandoned resource was found on the same server, not visited by anyone for a couple of years, with an admin panel on "mamba". Through phpMyAdmin I created an administrator user there, logged in under it and uploaded a shell, additionally dropping a proxy script there, through which I later reached some network resources that were not accessible from outside.

Having looked around the server, I left everything as it was until a later time. Partly against my will: department "K" seized three computers from my home in another case. After they had held the equipment for more than six months following the trial, it was returned to me, and I remembered that shell.

When I logged in, I was a little surprised, because instead of what I expected I saw a colorful inscription "Hacked by Vasya". Frankly, I was a little scared, in case hacker Vasya had done something. But Vasya had only managed to change this page of someone else's shell; he did not get to the interesting data.

You will probably condemn what I did next. And yes, this topic is not about ethics. A letter was written to the provider with evidence that I had full access to the information and an offer to "buy" the vulnerability information from me for a modest fee, since reputation is worth more. The answer was not long in coming. I got a call from the commercial director of the organization. In the conversation I asked for 40,000 rubles in exchange for a promise not to disseminate the information and to explain to their specialists how to fix the hole. He asked for a day to think, because he suspected there was a mole in his organization who had leaked the data to me.

The next day no call came; the phpMyAdmin interface "disappeared", and the shell and proxy were removed. Through the injection, however, I could still read all the files. I called the commercial director myself and said that since things had gone that way, his clients would probably be very interested to see their data on one of the official sites, for example the prosecutor's office. It worked. We agreed on 30,000 rubles in two parts: the first immediately, the second after the disclosure of the vulnerability details.

What followed is of little interest. Everyone kept their promises. Everyone is happy.

The moral of this story is as follows: I may be a scoundrel who will burn in hell. But! Dear readers, if any of you are in the business of providing such services, watch your security. The bug is a "childish" one, but what it can lead to you can see from this story.

PS: If anyone is interested in why the employees of department "K" seized the computers, I can write about it separately. That is another story, with the search, investigation, interrogation, forensic examination and trial.

Source: https://habr.com/ru/post/87024/
