Results 1 to 2 of 2

Thread: MySQL WebSite Hacked by (Ironically) Blind SQL Injection

  1. #1

    MySQL WebSite Hacked by (Ironically) Blind SQL Injection

    Allow me to point out a little bit of irony in this headline ... a website for one of the more popular open-source database alternatives gets completely compromised using blind SQL Injection. Ouch.

    Someone going by the moniker "Jack haxor" posted this to the Full Disclosure mailing list just a little while ago ... giving a nice explanation of what's happened and more importantly where the vulnerable target page is (customers/view/index.html) so others can go and play for themselves. He also keeps a pretty good blog of his activities (here) -and you can read about his exploits (pun intended).

    MySQL has (as of this writing) not issued a statement yet ..which probably means they're scrambling to close up and clean up the mess ...whatever that mess may be. Did the attacker get into anything more than just the databases behind the website? Maybe we'll know, maybe we won't -but this is at very least very unsettling for the open-source database organization. Hopefully they have clean, check-summed backups, right?

    Oh, and if you're interested in seeing the handywork that resulted from this compromise ... check out this link ... I swear I had nothing to do with that rabbit/hat graphic.

    Some take-aways from this one ...

    • Never re-use passwords across too many websites of different security levels
    • Use complex pass-phrases as much as possible so they're harder to crack
    • Back up, then check-sum your backups and keep them off offline in case you need a restore point
    • Hiding the SQL error from an attacker will still get you compromised (blind SQL injection)
    • Check your code ... attackers don't sleep, and won't spare you just because you're an open-source, charitable project
    • It can happen to anyone, anywhere at any time

    Update: A Twitter colleague just pasted me this link to another pastebin. Ouch again. It appears as though this is from an intrusion into itself? Let's put a few puzzle pieces together here ...MySQL is owned by Oracle. Sun is owned by Oracle too. Maybe they're hosted on a common database platform ...oh that would surely spell trouble, wouldn't it?

  2. #2
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    United Kingdom: Bridlington

    Talking Ace!

    Brilliant post there mate!

    Reminds me of the Good Book............."Lo! how the mighty are fallen" ???

Similar Threads

  1. Shoestring SQL Injection Prevention
    By catch in forum The Security Tutorials Forum
    Replies: 27
    Last Post: August 9th, 2006, 08:01 AM
  2. SQL injection (to get root mysql Hashes)
    By cool_boy in forum Miscellaneous Security Discussions
    Replies: 4
    Last Post: June 29th, 2006, 08:03 AM
  3. Apache, PHP, MySQL with basic security settings.
    By nightcat in forum The Security Tutorials Forum
    Replies: 9
    Last Post: May 28th, 2005, 02:47 AM
  4. SQL Tutorial – Basics
    By mikester2 in forum Other Tutorials Forum
    Replies: 5
    Last Post: January 31st, 2005, 01:16 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts