
I Got SQL Injected - Lucky Me!

Discussion in 'BlackHat Lounge' started by 0_00_0, Aug 27, 2014.

  1. 0_00_0

    0_00_0 Senior Member

    Joined:
    Oct 7, 2010
    Messages:
    1,024
    Likes Received:
    486
    Location:
    Canada
    So I took a few shortcuts when programming some custom functionality for one of my websites and it came back to bite me in the ass. A phishing page with 8+ files was created on my FTP server. I am assuming that it is the additions I made and not a vulnerability with WordPress. I just thought I would share the hilarious page that the attacker has created on my server and maybe show people an example of what to look for. It is a bit of a headache because I have to go through all my SQL queries and add mysql_real_escape_string() everywhere.

    The injection added a folder with files in this directory:
    %%mywebsite%% .com/works/construction


    Here is the professionally designed phishing "landing page":
    Edit: Image won't embed well. Here is the link to the full-sized beauty: http://i.imgur.com/CKUFUsl.jpg
    I mean really though.. Did a 5-year-old make this? Please note the poorly sized background (tiles on my 27" monitor) with a watermark from some image optimizing website. Just beautiful. If this fools anyone then I have nothing to say. All of the images are warped and it is just terrible in every way. I didn't try to click on anything. I am going to download and back up the cancerous files to take a look at them later.

    Google was actually nice enough to let me know about the incident. They sent me this email:
    Subject:
    Phishing notification regarding %%mywebsite%%.com
    Body:
    Dear site owner or webmaster of %%mywebsite%%.com
    
    We recently discovered that some pages on your site look like a possible phishing attack, in which users are encouraged to give up sensitive information such as login credentials or banking information. We have removed the suspicious URLs from Google.com search results and have begun showing a warning page to users who visit these URLs in certain browsers that receive anti-phishing data from Google.
    Below are one or more example URLs on your site which may be part of a phishing attack:
    
    %%mywebsite%% .com/works/construction/
    Here is a link to a sample warning page:
    http://www.google.com/interstitial?url=http%3A//%%mywebsite%%.com/works/construction/
    We strongly encourage you to investigate this immediately to protect users who are being directed to a suspected phishing attack being hosted on your web site. Although some sites intentionally host such attacks, in many cases the webmaster is unaware because:
    1) the site was compromised
    2) the site doesn't monitor for malicious user-contributed content
    
    If your site was compromised, it's important to not only remove the content involved in the phishing attack, but to also identify and fix the vulnerability that enabled such content to be placed on your site. We suggest contacting your hosting provider if you are unsure of how to proceed.
    Once you've secured your site, and removed the content involved in the suspected phishing attack, or if you believe we have made an error and this is not actually a phishing attack, you can request that the warning be removed by visiting 
    http://www.google.com/safebrowsing/report_error/?tpl=emailer
    and reporting an "incorrect forgery alert." We will review this request and take the appropriate actions.
    Sincerely,
    Google Search Quality Team
    Note: if you have an account in Google's Webmaster Tools, you can verify the authenticity of this message by logging into https://www.google.com/webmasters/tools/siteoverview and going to the Message Center, where a warning will appear shortly.
    
    Conclusion:
    So this will absolutely teach me to be more safe in the future when dealing with SQL. It could have been much worse. The website is not de-indexed but I'm sure that it has taken a hit in search engine results (although this site receives almost solely Social Media traffic).

    Perhaps this may enlighten a few people to the dangers of unprotected SQL queries :) and to be wary of new folders that have been created without your knowledge. At least you hopefully got a laugh from the high caliber landing page.
     
    Last edited: Aug 27, 2014
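    The advice at the end of the post, to be wary of folders that appear without your knowledge, is easiest to act on when you keep a baseline of what the webroot is supposed to contain. The following is an added example, not code from the thread or from the site described: it records the SHA-256 of every file under a directory, then compares a later snapshot against that baseline and reports new files, new directories, modified files and removed files. The scenario it runs (a `works/construction` folder appearing next to legitimate pages, plus a tampered `index.php`) is constructed to mirror the incident above; the file names and contents are invented for the demo.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def snapshot(root: Path) -> dict[str, str]:
    """Map every regular file under root (path relative to root) to its SHA-256."""
    result: dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            result[path.relative_to(root).as_posix()] = digest
    return result


def diff_snapshots(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify what changed since the baseline: added, removed, modified files,
    plus directories that did not exist at all when the baseline was taken."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    dirs_of = lambda paths: {p.rsplit("/", 1)[0] for p in paths if "/" in p}
    new_dirs = sorted(dirs_of(added) - dirs_of(baseline))
    return {"added": added, "removed": removed, "modified": modified, "new_dirs": new_dirs}


def save_baseline(snap: dict[str, str], path: Path) -> None:
    # Keep this file off the web host (or at least outside the webroot and
    # read-only to the web user): anyone who can drop files can also edit it.
    path.write_text(json.dumps(snap, indent=2, sort_keys=True))


def load_baseline(path: Path) -> dict[str, str]:
    return json.loads(path.read_text())


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a small webroot, then simulate an intruder
    creating works/construction/ and tampering with index.php."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "webroot"
        (root / "works").mkdir(parents=True)
        (root / "index.php").write_text("<?php echo 'home'; ?>")
        (root / "works" / "gallery.php").write_text("<?php echo 'gallery'; ?>")
        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(snapshot(root), baseline_file)

        # Later: a new folder with a fake login page appears and a file is modified.
        dropped = root / "works" / "construction"
        dropped.mkdir()
        (dropped / "index.html").write_text("<html>constructed fake login page</html>")
        (root / "index.php").write_text("<?php echo 'home'; /* constructed tamper */ ?>")

        return diff_snapshots(load_baseline(baseline_file), snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")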
  2. Phunky

    Phunky Regular Member

    Joined:
    Aug 23, 2009
    Messages:
    292
    Likes Received:
    82
    Occupation:
    Sales
    Location:
    USA
    SQL can get you in trouble really quick. I got hit by some Korean hackers many years ago, and it was a huge pain in the ass as well. They did a lot better job appearance-wise than the fools that hit yours though lol. Do people even use AOL emails anymore??? :p
     
  3. keyboard

    keyboard BANNED

    Joined:
    May 26, 2010
    Messages:
    234
    Likes Received:
    55
    lol I like how they are targeting all email providers, the greedy mofos
     
  4. 0_00_0

    0_00_0 Senior Member

    Joined:
    Oct 7, 2010
    Messages:
    1,024
    Likes Received:
    486
    Location:
    Canada
    God knows it could have been much worse. They could have dropped all my tables and whatnot instead of creating this (let's say - harmless) phishing page.

    UPDATE:
    I have found the email that all of the phishing information gets sent to. They didn't even try and hide it. But then again this template probably took them 10 minutes to put together. Ironically it is an @gmail.com address. Anyone have something fun to do with it? I kind of feel like teeing it up for a massive Xrumer/GSA SER spam fest. I'm not allowed to post it publicly here right?
     
    Last edited: Aug 27, 2014
  5. koolkake

    koolkake Regular Member

    Joined:
    Jul 2, 2014
    Messages:
    220
    Likes Received:
    217
    Mail him a bunch of fake email accounts. It will piss him off. I also believe this was an automated attack so check your wp plugins. Dunno why he would waste time manually hacking your code just to put up a shitty phish page for email accs.
     
  6. The Scarlet Pimp

    The Scarlet Pimp Jr. VIP Premium Member

    Joined:
    Apr 2, 2008
    Messages:
    788
    Likes Received:
    3,126
    Occupation:
    Chair moistener.
    Location:
    Cyberspace
    Add an anti-SQL code to your .htaccess file.
     
  7. Asif WILSON Khan

    Asif WILSON Khan Executive VIP Premium Member

    Joined:
    Nov 10, 2012
    Messages:
    10,119
    Likes Received:
    28,558
    Gender:
    Male
    Occupation:
    Fun Lovin' Criminal
    Location:
    London
    EDIT: OP, Sent you a PM
     
    Thanks x 1
    Last edited: Aug 27, 2014
  8. 0_00_0

    0_00_0 Senior Member

    Joined:
    Oct 7, 2010
    Messages:
    1,024
    Likes Received:
    486
    Location:
    Canada
    You have a future in digital forensics my friend. Thanks for the heads up!!
     
    Thanks x 1
  9. Grizzy

    Grizzy Senior Member

    Joined:
    Nov 11, 2008
    Messages:
    919
    Likes Received:
    999
    Just to add to this thread, generally you shouldn't be relying solely on mysql_real_escape_string as it is not 100% sufficient protection in all cases.

    You should really be using prepared statements. Using them is not just considered to be more secure, but it can improve performance as well.
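    An added example to illustrate Grizzy's point (this is not code from the thread; Python with sqlite3 stands in for PHP/MySQL so it runs offline). Escaping only protects a value that sits inside a quoted string literal. Many injected queries splice the value into an unquoted numeric slot such as `WHERE id = $id`, where no quote character is needed and an escaper has nothing to do. The `escape_quotes` function below is a constructed stand-in for a quote-escaping routine like `mysql_real_escape_string()` (SQLite doubles single quotes where MySQL backslash-escapes them); the users table and the hostile input are constructed sample data. The parameterised versions bind the value as data, so the same input is harmless in both contexts. In PHP the equivalent is `PDO::prepare()` with bound parameters or mysqli prepared statements; the old `mysql_*` functions were removed in PHP 7.

```python
import sqlite3


def escape_quotes(value: str) -> str:
    """Constructed stand-in for a quote-escaping function such as
    mysql_real_escape_string(): neutralises quotes inside a quoted literal,
    does nothing useful when the value lands in an unquoted slot."""
    return value.replace("'", "''")


def make_db() -> sqlite3.Connection:
    """Small in-memory users table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (id, name, email) VALUES (?, ?, ?)",
        [
            (1, "alice", "alice@example.invalid"),
            (2, "bob", "bob@example.invalid"),
            (3, "O'Brien", "obrien@example.invalid"),
        ],
    )
    return conn


def lookup_by_id_escaped(conn: sqlite3.Connection, user_id: str) -> list[str]:
    """Vulnerable pattern: escape, then splice into an UNQUOTED numeric slot.
    Escaping cannot help here because the attacker needs no quote character."""
    sql = f"SELECT email FROM users WHERE id = {escape_quotes(user_id)}"
    return [row[0] for row in conn.execute(sql)]


def lookup_by_name_escaped(conn: sqlite3.Connection, name: str) -> list[str]:
    """Inside a quoted literal the escaper does its job, so this one holds up."""
    sql = f"SELECT email FROM users WHERE name = '{escape_quotes(name)}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_by_id_prepared(conn: sqlite3.Connection, user_id: str) -> list[str]:
    """Prepared statement: the value is bound as data and never parsed as SQL."""
    rows = conn.execute("SELECT email FROM users WHERE id = ?", (user_id,))
    return [row[0] for row in rows]


def lookup_by_name_prepared(conn: sqlite3.Connection, name: str) -> list[str]:
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def demo() -> dict[str, list[str]]:
    conn = make_db()
    hostile_id = "1 OR 1=1"  # constructed input: contains no quote at all
    return {
        "escaped_numeric": lookup_by_id_escaped(conn, hostile_id),    # leaks every row
        "prepared_numeric": lookup_by_id_prepared(conn, hostile_id),  # matches nothing
        "escaped_name": lookup_by_name_escaped(conn, "O'Brien"),      # quoting works here
        "prepared_name": lookup_by_name_prepared(conn, "O'Brien"),
    }


if __name__ == "__main__":
    for case, emails in demo().items():
        print(f"{case}: {emails}")
```

    The escaped numeric lookup returns all three addresses for an input that contains no quote character, while the prepared version returns none for the same input and still finds the right row for a legitimate id. That is the "not 100% sufficient in all cases" part: the escaper's correctness depends on where the value is spliced in (and on the connection charset matching the one it escapes for), while a bound parameter does not.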
     
  10. DatMoney

    DatMoney Regular Member

    Joined:
    Jul 20, 2014
    Messages:
    238
    Likes Received:
    103
    Occupation:
    Chief Engineer at NASA
    Location:
    New York, United Kingdom
    hahaha that's why i never mess with the database stuff :D