United
- Yahoo! again - XSS in Uncategorized (357 Visits)
- Yahoo! again - bad settings? in Uncategorized (252 Visits)
- Fanii nostri in Uncategorized (183 Visits)
- Frustrant in Uncategorized (146 Visits)
- La multi ani România, la multi ani românilor in Uncategorized (137 Visits)
- Weblog.ro - Shell via Local File Inclusion in Uncategorized (119 Visits)
- Yahoo! epic fail - permanent xss unleashed in Uncategorized (50 Visits)
- ... in Uncategorized (38 Visits)
- XSS Ownage - hi5 vs. Yahoo! + video in Uncategorized (2 Visits)
- Ce nu se invata la scoala - Tipuri si tehnici spam/Hi5 (4) in Uncategorized (2 Visits)
- Ce servicii de mail folositi? in (121 Visits)
- Azi este ziua userilor hackersblog.org in (120 Visits)
- De reţinut in (117 Visits)
- Inca o pierdere de timp in (107 Visits)
- De tinut minte in (106 Visits)
- Twitter in (78 Visits)
- Un nou membru in (74 Visits)
- Interviu la Radio Lynx in (70 Visits)
- 2009 in (51 Visits)
- Editori noi. in (35 Visits)
- Ce nu se invata la scoala - Tipuri si tehnici spam/mail (2) in (199 Visits)
- Ce nu se invata la scoala - Tipuri si tehnici spam (1) in (139 Visits)
- Ce nu se invata la scoala - (D)DOS (5) in (104 Visits)
Posted on March 6th, 2009
“Latest news, business, sport, comment, lifestyle and culture plus content from the Daily Telegraph and Sunday Telegraph newspapers and video from Telegraph” and an SQLi that allows full acces to ALL the databases of this famous newspaper.
Here are some of the database names and their version:
Users passwords are in plain view:
Besides numerous interesting tables there is one that contains email addresses of those receivingt he newsletter. A real treasure for spammers. In the syntax you can see there quite a bunch of them. I concatanated the 700.000th email address.
Later edit: if you are a member of telegraph.co.uk read this article too and follow the advice regarding passwords.
—–
RO Version
“Latest news, business, sport, comment, lifestyle and culture plus content from the Daily Telegraph and Sunday Telegraph newspapers and video from Telegraph”… si un sql injection, care permite full acces in toate bazele de date al respectivului ziar online.
Sa vedem o parte din denumirile bazelor de date cat si versiunea :
Parolele userilor sunt tinute in text clar:
Pe langa multe alte tabele interesante avem si una cu adresele de email, a celor inscrisi pentru newsletter. O adevarata comoara pentru potentialii spammeri.In sintaxa, sa vedeti numarul mare a celor inregistrati, am concatanat adresa de email cu numarul 700.000
March 6th, 2009 at 5:34 pm
Am si eu o intrebare, daca asa site-uri mari si renumite, care (cred) cheltie o gramada de bani, au asa vulnerabilitati, ce se intimpla cu site-urile de talie mica si medie?
March 6th, 2009 at 6:09 pm
this is not the live website… easy to compare by the pictures above.
March 6th, 2009 at 6:18 pm
yes it is one of the sections of the live website, with full access to all database’s tables
March 6th, 2009 at 6:52 pm
[...] have made some high profile web site compromises recently and today they posted evidence that they had compromised the website of the UK national daily newspaper, The [...]
March 6th, 2009 at 7:30 pm
Looks like this area of the site is no longer available
March 6th, 2009 at 11:10 pm
Hey guys, you are not really hackers, you are just simple php + mysql developers which find poorly written websites. That’s all I see from you, sql injection in php. Is that the best you guys can do?
March 6th, 2009 at 11:26 pm
Of course not. We are also able to eat tons of ice cream.
March 7th, 2009 at 12:38 am
Hmm… date on site says Tue 17 Feb 2009…
March 7th, 2009 at 12:41 am
..and Mon 23 Feb 2009… Robin Hood hacking?
March 7th, 2009 at 12:49 am
“We will do a full disclosure if the vulnerability isn’t patched in usefull time or if it’s been patched after the admin is contacted.”
http://www.hackersblog.org/about/
Sometimes we don’t have enough time to make all the screenshots and we make the rest of screenshots after a day or two.
March 7th, 2009 at 4:27 pm
[...] Romanian group, HackersBlog, has struck again and this time it is not an infosec firm. This time it is the website of the [...]
March 8th, 2009 at 10:48 pm
[...] Daily Telegraph’s web site has been compromised using an SQL injection attack, according to HackersBlog. It says: “Latest news, business, sport, comment, lifestyle and culture plus content from the [...]
March 9th, 2009 at 4:54 am
[...] I’m a bit stunned that an organisation the size of The Telegraph would store user passwords in plaintext, but, well … they do. [...]
March 9th, 2009 at 11:57 am
[...] claim attack over Daily Telegraph web site An ethical hacker from HackersBlog today claimed that he was able to carry out a SQL injection attack successfully and has got access [...]
March 9th, 2009 at 12:19 pm
[...] Daily Telegraph’s web site has been compromised using an SQL injection attack, according to HackersBlog. It says: “Latest news, business, sport, comment, lifestyle and culture plus content from the [...]
March 9th, 2009 at 1:00 pm
[...] Spotify’s breach last week, hackersblog has posted up proof that hackers have used the SQL injection technique to gain entry to the [...]
March 9th, 2009 at 1:20 pm
[...] goes unnoticed and if you let down your guard for a minute you can be front page news, like the Daily Telegraph (interestingly on the Guardian web site). In this case the method of attack is old chestnut, [...]
March 9th, 2009 at 1:37 pm
Thanks guys. There is a statement from Telegraph.co.uk’s CIO on my blog here: http://blogs.telegraph.co.uk/shane_richmond/blog/2009/03/09/hackersblog_and_telegraphcouk
March 9th, 2009 at 1:45 pm
With pleasure Shane.
March 9th, 2009 at 1:51 pm
[...] to a blog post at hackersblog.org , Telegraph.co.uk has been [...]
March 10th, 2009 at 12:39 am
felicitari, ati ajuns pe digg.
March 10th, 2009 at 4:39 am
[...] Daily Telegraph’s web site has been compromised using an SQL injection attack, according to HackersBlog. It says: “Latest news, business, sport, comment, lifestyle and culture plus content from the [...]
March 10th, 2009 at 4:23 pm
[...] reported on the register – grey hat hackers discovered an SQL injection vulnerability in the Daily Telegraph property website. Not only did their website allow malacious users to access information stored in their website but [...]
March 10th, 2009 at 4:41 pm
PRINT screen cu digg ?
March 13th, 2009 at 7:30 pm
I’m a tech security reporter for USA TODAY; I’d like to interview unu. Can anyone advise how I can get in touch with him? Thanks, Byron Acohido
March 13th, 2009 at 7:39 pm
You can contact him at hackersblog.org [at] gmail.com
March 14th, 2009 at 1:09 am
Many thanks, 2fingers
Byron
April 4th, 2009 at 7:47 am
The sign up page seems like a good hack http://my.telegraph.co.uk/signup1/
May 29th, 2009 at 3:03 am
[...] of afected users? It seems allot bigger than the first time, mostly because now we are talking full access on the server which allows data extraction of ALL [...]