Tag Archives: sql injection

Mass SQL Injection Attack Hits 1 Million Sites

“To have input validation turned off on their Web servers seems crazy,” he says. “There is literally a script feature on ASP.NET that checks input validation, and it’s on by default. These people have turned it off, and I cannot wrap my head around why they’re turning it off.”

Why would you disable the safety features of your development language, and put them into production like that?

via Mass SQL Injection Attack Hits 1 Million Sites – Dark Reading.

As SQL Injection Attacks Surge, New Report Offers Insight On How To Prevent Them

Brad Causey at Dark Reading presents a summary of SQL injection, and a whitepaper about how to prevent them.

SQL injection has taken its place among the top Web threats and compromised some of the Internet’s best-known companies. Here’s a look at how SQL injection attacks happen — and what you can do about it

via As SQL Injection Attacks Surge, New Report Offers Insight On How To Prevent Them – Dark Reading.

Security Firm Barracuda Networks Embarrassed by Hacker Database Break-in

Even the mighty security firm Barracuda was hacked through the simplest, well-known, and commonly-used exploits.

Barracuda’s firewall was accidentally put into passive monitoring mode, which means it lets all the traffic through without doing any analysis or blocking and was essentially doing nothing since late evening April 8. This gave the attacker sufficient time to poke around via an automated script to crawl the site.

It took approximately two hours of “nonstop” probing before the intruder discovered a SQL injection flaw in a PHP script used to display customer case studies. That error allowed the attacker entry into the database used for marketing programs and sales lead development efforts. The customer case study database was on the same system as the one used for marketing programs.

Do you have a way of monitoring the status of your firewall? Are internal apps as hardened as external applications?

via Security Firm Barracuda Networks Embarrassed by Hacker Database Break-in – Security – News & Reviews – eWeek.com.

SQL Injection galore!

Attention developers, programmers, and hobby websiters – please sanitize your inputs!

In this case, the injected SQL is simply updating text fields within the database, to make them include an extra fragment of HTML. This HTML in turn loads a JavaScript from a remote server, typically “http://lizamoon.com/ur.php” or more recently, “http://alisa-carter.com/ur.php.” Both domain names resolve to the same IP address, and presently that server is not functional, leaving browsers unable to load the malicious script when they visit infected pages. Previously, it contained a simple script to redirect users to a fake anti-virus site.

The massive scale of these attacks (and the rapidly growing number of affected URLs) was first noticed by Websense Security Labs. On Tuesday, around 28,000 URLs were compromised; now more than 20 times more URLs are infected, and the numbers are still growing.

via: Massive SQL injection attack making the rounds—694K URLs so far

And in addition:

Two hackers going by the names TinKode and Ne0h managed to gain access to sensitive information on MySQL.com, the website for the popular open source database.

In the data shared by the hackers, some of the password hashes were cracked to reveal complete login details for accounts associated with mySQL.com, including the WordPress account login details for Robin Schumacher, the former director of product management, and Kaj Arnö, former vice president of community relations.

Some of the passwords revealed simple phrases. Schumacher set his password as a simple 4-digit number—with three repeating digits. The hackers also posted several other database tables without the password hashes.

That’s the same number I use on my luggage!

via: Hackers use blind SQL injection attack to crack Oracle-Sun, MySQL.com

Anonymous speaks: the inside story of the HBGary hack

It’s been very interesting watching the HBGary vs Anonymous event unravel in such a public way, with such well-known hacker methodology used to compromise the systems of security specialists. Anonymous uses SQL injection on HBGary’s public CMS to find a few usernames and passwords, and with a non-privileged user account they were able to compromise an otherwise fairly secure Linux system that was behind on its patches:

The only way they can have some fun is to elevate privileges through exploiting a privilege escalation vulnerability. These crop up from time to time and generally exploit flaws in the operating system kernel or its system libraries to trick it into giving the user more access to the system than should be allowed. By a stroke of luck, the HBGary system was vulnerable to just such a flaw. The error was published in October last year, conveniently with a full, working exploit. By November, most distributions had patches available, and there was no good reason to be running the exploitable code in February 2011.

Exploitation of this flaw gave the Anonymous attackers full access to HBGary’s system. It was then that they discovered many gigabytes of backups and research data, which they duly purged from the system.

Aaron’s password yielded even more fruit. HBGary used Google Apps for its e-mail services, and for both Aaron and Ted, the password cracking provided access to their mail. But Aaron was no mere user of Google Apps: his account was also the administrator of the company’s mail. With his higher access, he could reset the passwords of any mailbox and hence gain access to all the company’s mail—not just his own. It’s this capability that yielded access to Greg Hoglund’s mail.

PCI DSS requires that patches be installed monthly. In addition, could Google Apps’ two-factor authentication have helped prevent that portion of the attack?

Regardless:

So what do we have in total? A Web application with SQL injection flaws and insecure passwords. Passwords that were badly chosen. Passwords that were reused. Servers that allowed password-based authentication. Systems that weren’t patched. And an astonishing willingness to hand out credentials over e-mail, even when the person asking for them should have realized something was up.

It’s not enough to know security if you don’t actually implement it.

via Anonymous speaks: the inside story of the HBGary hack.

SQL injection flaw leaves door wide-open to valuable user information on a popular file sharing site

I wonder why, after being online for so many years, Pirate Bay still had SQL injection vulnerabilities? Did they recently re-engineer their site and forget to sanitize input?

This week, a trio of hackers based out of Argentina uncovered various entry points into the popular (and controversial) file-sharing site Pirate Bay using SQL injection flaws contained in the site. The infiltration gained them access to upwards of four million user profiles containing names, addresses, email accounts and other sensitive and (potentially) incriminating information.

As originally reported by Krebs on Security, the group gained access through SQL injection vulnerabilities contained within the site. The leader of the hacker group, Ch Russo, maintains that he and his accomplices did not crack the site for any personal gain, though he did admit, once inside, it had dawned on him that some of the information uncovered would have been valuable to the Recording Industry Association of America and Motion Picture Association of America. But at the end of the day, they chose not to share information with either organization. The group says that they were only attempting to spread awareness that security vulnerabilities exist and SQL injection flaws can still be readily found in today’s applications and websites.

[…]

Hackers are able to gain access to apps through weak SQL portals by adding their own Structured Query Language (SQL) into language field features on sites and in applications. These coded statements instruct the app or site to respond to their coded request and (in most cases) grant them administrative or backend access. Once access is gained, typically the sky is the limit to what database information becomes available and what changes can be made.

via SQL injection flaw leaves door wide-open to valuable user information on a popular file sharing site – Software Quality Insights.
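The two points this archive keeps returning to, the mass update of text fields described in the LizaMoon post and the "adding their own SQL into field features" mechanism quoted just above, come down to one coding mistake: building the statement by string concatenation. The following is an added illustration (not code from any of the quoted articles or the sites they name) using an in-memory SQLite table as a constructed stand-in for a site's content store; the `case_studies` table, the tampered id and the placeholder script URL are all assumptions made for the example.

```python
import sqlite3

def make_db():
    # Constructed sample data standing in for a site's content store.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE case_studies (id INTEGER PRIMARY KEY, body TEXT)")
    con.executemany(
        "INSERT INTO case_studies (id, body) VALUES (?, ?)",
        [(1, "Case study one"), (2, "Case study two"), (3, "Case study three")],
    )
    con.commit()
    return con

def vulnerable_update(con, record_id, new_body):
    # Vulnerable: request-supplied values are pasted into the SQL text, so a
    # tampered id such as "1 OR 1=1" rewrites the WHERE clause and the new body
    # lands in every row, which is exactly the mass-defacement pattern above.
    sql = "UPDATE case_studies SET body = '%s' WHERE id = %s" % (new_body, record_id)
    cur = con.execute(sql)
    con.commit()
    return cur.rowcount  # rows actually modified

def safe_update(con, record_id, new_body):
    # Hardened: placeholders ship the values separately from the statement,
    # so the id is compared as a value and is never parsed as SQL.
    cur = con.execute(
        "UPDATE case_studies SET body = ? WHERE id = ?", (new_body, record_id)
    )
    con.commit()
    return cur.rowcount

def looks_like_markup(value):
    # Coarse request-validation check in the spirit of the ASP.NET feature
    # mentioned in the first post: refuse field values that carry HTML tags.
    # This is defence in depth only; parameterized queries are the real fix.
    return "<" in value and ">" in value

def count_containing(con, fragment):
    # How many rows now carry the fragment (used to measure the damage).
    row = con.execute(
        "SELECT COUNT(*) FROM case_studies WHERE body LIKE ?", ("%" + fragment + "%",)
    ).fetchone()
    return row[0]

# Placeholder for the injected HTML fragment; not a real host.
INJECTED = '<script src="http://example.invalid/ur.php"></script>'
```

Run with the tampered id against both functions: the concatenated version reports every row modified, the parameterized version reports none, and `looks_like_markup` flags the fragment before it ever reaches the database.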