Jan 29 2009

Chinese hacker blooper…but success!

Published by at 9:31 pm under UK Attacks, US attacks

There isn’t a day that goes by that I don’t thank karma for Jumper.  He was blessed with the gift of not making people feel stupid for asking really dumb questions.

Me: It really hurts when I touch the light socket, what should I do?

Jumper: Hey, great question! Stop doing that.

He is good to me that way.

Over at 7747.net, the New Year holiday has been a bit hectic for one of the boys.  He has taken over the job of website moderator and wants to keep the conversation lively.  Not a slacker by any means, he has been using the holiday season to sharpen his skills at manual SQL injection.  Our guru has posted his SQL injection attack on New York University and wants a little feedback/review of his methodology.

Problem: New York University is in the US.

Blooper: Our pilot drifts slightly east of target and hits York College in the UK.  Hey, we have all been there.

I could only tell that this was an SQL injection attempt and that he wanted to go after NYU and missed; then other stuff happened.  What, I had no idea.  So, I sent a note to Jumper pleading/begging for guidance…he was good enough not to laugh.

I will now turn you over to the smart guy on this site:

Jumper: That appears to be the wrong target indeed. It seems like he was able to obtain a username and password and that he used manual techniques to do this rather than HDSI or NBSI to automate it.  This PHP/MySQL combination is a popular target for SQL injection and remote file includes (RFI).  Javaphile wrote a paper on blind SQL injection, by the way.

Oh yeah – SQL Injection.  You probably know a little about database queries and boolean logic already.  SQL injection is basically where a hacker is able to escape the query structure and add additional queries such as username/password.

In the most classic example, one can inject 'or 1=1-- into the username field of a web form and authenticate as the first user in the users table.  The 'or 1=1-- bit forces the query to evaluate to true every time instead of actually comparing the input with a username in the table.
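The classic case described above, shown as a string-built login query beside its parameterized fix. This is an added example, not part of the original post or of the site discussed; the table, the accounts and the function names are constructed for illustration, and SQLite stands in for MySQL so it runs offline.

```python
import sqlite3

PAYLOAD = "' or 1=1--"  # the classic input quoted in the post


def make_db():
    """Constructed sample data: a tiny in-memory users table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, "
               "username TEXT, password TEXT)")
    db.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                   [("admin", "placeholder-admin-pw"), ("alice", "alice-pw")])
    return db


def login_vulnerable(db, username, password):
    # Input is pasted into the SQL text. A quote in `username` closes the
    # string literal, and everything after it is parsed as SQL, not as data.
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(db, username, password):
    # Placeholders keep the query structure fixed; the driver binds the
    # input as a value, so quotes and comment markers stay literal text.
    row = db.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    # The WHERE clause collapses to "username = '' or 1=1" and the password
    # check is commented out, so the first row in the table is returned.
    print("string-built :", login_vulnerable(db, PAYLOAD, "x"))
    # The same input is compared as a literal username and matches nothing.
    print("parameterized:", login_parameterized(db, PAYLOAD, "x"))
    print("valid login  :", login_parameterized(db, "alice", "alice-pw"))
```
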

UPDATE: For those of you concerned, an attempt has been made to contact York College and inform them of the possible compromise.
