What SQL Injection May Cause

I will tell you my story, which is somewhat instructive. It began in the summer, around July-August.

Imagine a provincial town with a population of about 60,000 people. There are two providers in this town. One has been operating for about 8 years and has about 5,000 customers. This story is about that one.

While looking through one of the resources (or rather, the site of that town's administration), which was hosted on a server owned by the provider, I changed the request /news.php?id=123 to /news.php?id=124-1. The result did not change: no errors, and the same news item was displayed. Next came the routine work of determining the number of fields. I did not really expect anything interesting, since such errors are commonplace, except that the whole thing was running as the root user. In addition, tags and JavaScript in the news body were not filtered. And then Ostap got carried away, as the saying goes...
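The id=124-1 probe described above, as an added example that is not part of the original post: a handler that splices the parameter into the SQL text (so 124-1 is computed by the database and returns the same row as 123) next to a hardened handler that validates and binds the value, plus a check over constructed access-log lines for ids that are not plain integers yet still got a 200. The table, log format and URL path are assumptions for illustration.

```python
import sqlite3
import re
# Constructed in-memory stand-in for the site's news table (sample data, not the real site).
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
conn.executemany("INSERT INTO news VALUES (?, ?)",
                 [(123, "Town council meeting"), (124, "Road repairs scheduled")])

def get_news_vulnerable(id_param: str):
    """Mirrors a news.php?id=... handler that pastes the raw parameter into the SQL text.
    The engine evaluates whatever arrives, so '124-1' is computed as 124-1 = 123."""
    sql = f"SELECT id, title FROM news WHERE id = {id_param}"
    return conn.execute(sql).fetchone()

def get_news_safe(id_param: str):
    """Hardened handler: the parameter must be a bare integer and is bound as a value,
    so operators or arithmetic in the input never reach the query text."""
    if not id_param.isdigit():
        raise ValueError(f"rejected non-numeric id parameter: {id_param!r}")
    return conn.execute("SELECT id, title FROM news WHERE id = ?", (int(id_param),)).fetchone()

def safe_rejects(id_param: str) -> bool:
    """True when the hardened handler refuses the parameter instead of querying with it."""
    try:
        get_news_safe(id_param)
    except ValueError:
        return True
    return False

# Constructed access-log lines (hypothetical format) for the detection side.
ACCESS_LOG = """\
203.0.113.7 - [12/Jul:10:01:02] "GET /news.php?id=123 HTTP/1.1" 200
203.0.113.7 - [12/Jul:10:01:09] "GET /news.php?id=124-1 HTTP/1.1" 200
198.51.100.4 - [12/Jul:10:02:30] "GET /news.php?id=57 HTTP/1.1" 200
"""
ID_PARAM = re.compile(r"/news\.php\?id=([^ &\"]+)")

def suspicious_requests(log_text: str) -> list:
    """Flag requests whose id is not a plain integer yet still got a 200: the page
    answering normally to '124-1' is exactly the tell the story describes."""
    hits = []
    for line in log_text.splitlines():
        m = ID_PARAM.search(line)
        if m and not m.group(1).isdigit() and line.rstrip().endswith(" 200"):
            hits.append(m.group(1))
    return hits

if __name__ == "__main__":
    print(get_news_vulnerable("124-1"), safe_rejects("124-1"), suspicious_requests(ACCESS_LOG))
```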

Other resources hosted on the same server were also found: the sites of the prosecutor's office, air traffic control, etc. However, I did not waste time searching for vulnerabilities in them. Access to the server as the root user allowed reading all files and databases on the server, all through the same injection. Configuration files of servers and development tools, password files, the sites' source code, billing and payment systems, phpMyAdmin configuration files and its authorization files were found. Thus, convenient full access to all databases was obtained. The data needed for the provider's operations and the site databases were stored on the same server.

Everything that could be of interest was dumped: the personal data of 5,000 users (the information they provided for their contracts), logins, passwords, contracts, account balances and information about payment cards (face value, activated or not). Naturally, I could have put a million into any user's account or bankrupted another, I could have activated cards, etc.

Next came the work of uploading a shell. An abandoned resource was found on the same server that nobody had visited for a couple of years, with the admin panel for Mamba. Through phpMyAdmin I created an admin user there, logged in under it and uploaded the shell, additionally dropping a proxy script there, through which I then reached some network resources that were closed to outside access.

Having walked around the server, I left everything as it was until a later time. Partly not of my own free will. It's just that Department “K” seized three computers from my home in connection with another case. After keeping the equipment for more than six months after the trial, they returned it, and I remembered that shell.

Having gone in, I was a little surprised, because instead of what I expected I saw a colorful inscription “Hacked by Vasya”. Honestly, I was a little scared: what if the hacker Vasya had done something? But Vasya had only managed to change that page of someone else's shell; he did not get to the interesting data.

You will most likely condemn what followed. Yes, but this post is not about ethics. A letter was written to the provider with evidence that I had full access to the information and an offer to “buy” the information about the error from me for a modest reward, since their reputation was worth more. The answer was not long in coming. I got a call from the commercial director of this organization. A conversation took place in which I asked for 40,000 rubles in exchange for a promise not to disseminate this information and to explain to their specialists how to fix the hole. The interlocutor asked for a day to think it over, because he suspected there was a mole in his organization leaking data to me.

The next day there was no call; the phpMyAdmin interface “disappeared”, and the shell and proxies were deleted. However, through the injection I could still read all the files. I called the commercial director myself and said that since that was how things were going, his clients would probably be very interested to see their data on one of the official sites, for example the prosecutor's office. It worked. We agreed on 30,000 rubles in two parts: the first immediately, the second after disclosing information about the vulnerability.

The rest is of little interest. Everyone kept their promises. Everyone is happy.

The moral of this fable is this: maybe I am scum and should burn in hell. But! Dear readers, if anyone is in the business of providing this kind of service, look after your security. The mistake is a “childish” one, but look at what can come of it, as this story shows.

PS If anyone is interested in why the Department “K” employees seized the computers, I can write about it separately, since that is another story, with a search, investigation, interrogations, examinations and a trial.