Posted on March 15th, 2009
“Fast and reliable broadband and internet access, tv, plus email, sms, webspace, and top rated search”
A huge portal with hundreds of thousands of registered users for different services. Same story. An unsanitized parameter allows an SQLi, thus access to the databases. In the first pic I concatenated the version, user, name of the db as well as the names of the tables we gained access to (you can see only a part of them).
In the next picture you can see login data as well as personal data of the users (username, firstname, surname, company, telephone, regdate, lastlogin, email, password):
In the last printscreen you can see some data from the customers database:
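As an added illustration (not code from the original post or from the affected portal), the following shows the defect described above beside its fix: a lookup that pastes a request parameter into the SQL text, and the same lookup with parameter binding. The SQLite table is constructed with the column names the post lists; the function names and sample data are assumptions. It also covers the other problem visible in the screenshots, a plaintext password column: with salted PBKDF2 hashes a leaked table no longer yields the passwords themselves.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed schema mirroring the columns the post lists (no real data).
USER_COLUMNS = ("username", "firstname", "surname", "company", "telephone",
                "regdate", "lastlogin", "email", "password")


def hash_password(password, salt=None):
    """Return 'salthex$digesthex' using salted PBKDF2-HMAC-SHA256."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + "$" + digest.hex()


def verify_password(stored, password):
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, _ = stored.split("$", 1)
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(stored, candidate)


def make_db():
    """In-memory users table with one constructed row; password stored hashed."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (%s)" % ", ".join(USER_COLUMNS))
    conn.execute("INSERT INTO users VALUES (?,?,?,?,?,?,?,?,?)",
                 ("alice", "Alice", "Doe", "ExampleCo", "000-0000",
                  "2009-01-01", "2009-03-15", "alice@example.invalid",
                  hash_password("correct horse")))
    return conn


def lookup_vulnerable(conn, username):
    # The pattern the post describes: the request parameter becomes SQL text,
    # so the caller controls the WHERE clause, not just the compared value.
    sql = "SELECT username, email FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    # Parameter binding: the driver passes the input as data, never as SQL,
    # so the query structure cannot be changed by the request.
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()
```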
————-
RO Version
“Fast and reliable broadband and internet access, tv, plus email, sms, webspace, and top rated search”.
A large portal, with hundreds of thousands of registered users for different services. A poorly sanitized parameter allows an SQL injection, hence access to the databases. In the first picture I concatenated the version, the user, the name of the database and the names of the schemas we have access to (only some of them are visible in the picture).
In the next picture you can see the login data as well as the personal data (username, firstname, surname, company, telephone, regdate, lastlogin, email, password) of the customers:
In the last print screen you can see some data from the rich customers database:
March 15th, 2009 at 9:01 pm
[...] A couple of days after this interview, HackersBlog released the details of their latest successful compromise, Tiscali. Once again, access to user data, including username, firstname, surname, company, telephone, [...]