After my previous article named – When I was phished – which was based on a real life experience, I am writing a similar articled named – When my website was defaced – which is again based on a true life experience.
I am running a web site named The Admins – http://www.theadmins.info – . One fine morning, when I opened the site, I noticed that the title bar of the web site changed to some pseudo code like sentences. I realized that my site was defaced. Now what? The pseudo code was indicating that my site is vulnerable to some SQL injection. I did some research and I got the answer immediately. I thought I would like to share it with the EH-Net community so that we all are aware of the latest happenings. The message of the story is
- The importance of patch management,
- The importance of a contingency plan,
- The importance of backup,
- The importance of secure coding practices, and
- The truth that there is nothing known as 100 percent security.
Lets get into the real life example. Some info – Vulnerable Application – PHP 7.8
Go to the Search Module as shown in the below screen shot:
Enter the below mentioned string and press enter
p0hh0nsee%') UNION ALL SELECT 1,2,aid,pwd,5,6,7,8,9,10 FROM nuke_authors/*
You will get the result which will show you the encrypted password and the admin user name as shown in the screenshot.
Go to http://gdataonline.com/seekhash.php and enter the encrypted password. You should will get the password in plain text (decrypted format). That’s all, go to http://www.targetsite.com/admin.php and enter the obtained login credentials – you are inside the website control panel.
1. If you cannot upgrade to the latest version, disable the search module.
2. Upgrade to PHP Nuke 7.9 or 8.0
The above example shows how a person can get into the admin panel without any programming or technical knowledge in just less than 1 minute. This brings us to the very important concept of Information Security and its related domains. Had the programmer and the project manager followed the secure coding standards, such critical errors could have been avoided.
Please comment on your similar experiences.
MVP (Enterprise Security), ISLA-2010 (ISC)², C|EH, C|HFI, CCNA, MCP,
Certified ISO 27001:2005 Lead Auditor
[b]There are 3 roads to spoil; women, gambling & hacking. The most pleasant with women, the quickest with gambling, but the surest is hacking - c0c0n