barackobama.com: Yes we can! (hack your website)
barackobama.com is the official website of the President of the USA, who is probably the most powerful man in the world. Likewise, he is the most protected man on earth. Theoretically, his website, official or unofficial, should be just as secure. Practically, it isn't. An unsecured parameter allows us to inject an SQL query, which gives us access to the databases on his server. Because it is an MS Access database, I will again use Pangolin to show you the vulnerability.
What you will see will be as incredible as it was for me. We have a table admin. And in this table we can see that the admin passwords are in PLAIN TEXT!!! The website is big, with many sections, and there are 19 admins. What else do we need to get full access to the website? Nothing.
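The two defects the post describes, an unsecured parameter concatenated into an SQL query and admin passwords stored in plain text, side by side with their fixes. This is an added example, not code from the post or from the site it describes; it uses an in-memory sqlite3 table and made-up admin accounts as a stand-in for the MS Access admin table, since that database is not available offline.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample accounts standing in for the page's "admin" table.
# The original is an MS Access database; sqlite3 is used so this runs offline.
SAMPLE_ADMINS = [("admin", "correct horse battery staple"),
                 ("editor", "hunter2")]


def hash_password(password, salt=None):
    """Return (salt, PBKDF2-HMAC-SHA256 digest); never store the plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


def build_db():
    """Create the admin table holding salted hashes instead of plain text."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin (username TEXT PRIMARY KEY, "
                 "salt BLOB, pw_hash BLOB)")
    for user, pw in SAMPLE_ADMINS:
        salt, digest = hash_password(pw)
        conn.execute("INSERT INTO admin VALUES (?, ?, ?)", (user, salt, digest))
    return conn


def lookup_unsafe(conn, username):
    """The 'unsecured parameter' pattern: user input pasted into the SQL text,
    so a quote in the input changes the query instead of being matched."""
    sql = "SELECT username FROM admin WHERE username = '" + username + "'"
    return conn.execute(sql).fetchone()


def lookup_safe(conn, username):
    """Parameterised query: the input is bound as data, never parsed as SQL."""
    sql = "SELECT username FROM admin WHERE username = ?"
    return conn.execute(sql, (username,)).fetchone()


def verify_login(conn, username, password):
    """Check a password against the stored salted hash in constant time."""
    row = conn.execute("SELECT salt, pw_hash FROM admin WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        return False
    _, digest = hash_password(password, row[0])
    return hmac.compare_digest(digest, row[1])
```

Even if the injection is fixed, a dump of the table obtained some other way yields only salted PBKDF2 hashes rather than 19 usable admin passwords.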
After we log in as admins, we can virtually do anything we want with the website: upload PHP shells, redirects, infect pages with trojan droppers, even deface the whole website.
Pangolin logged in to the IP 70.42.50.159. After a search on robtex.com we can see which domains are hosted on that server (http://www.robtex.com/ip/70.42.50.159.html).
Let's presume only that the smartproxy redirects the users to the Roosevelt University server, and that the vulnerable page (and the data found) are not part of the official website of Barack Obama.
Two questions remain:
1. Why does the bottom of the page (underlined by me in red) show that we are still on donate.barackobama.com?
2. Let's presume that we are on the Roosevelt University page and their server is vulnerable. Scenarios emerge:
– the potential attacker, using the found passwords, logs in as administrator on the Roosevelt University server, uploads a PHP shell, and using that shell then browses to Barack Obama's server... because the "responses" and the queries coming from Roosevelt University are accepted, are legitimate for barackobama.com.
– the potential attacker, using the found/cracked passwords, logs in as admin on the Roosevelt University server, uploads a trojan dropper or a keylogger to infect all the visitors of donate.barackobama.com. Then the personal data of these visitors will be stolen, passwords to other sites (including internet banking) or credit card data; will they make the distinction between the Roosevelt University server and the barackobama.com server? I DON'T THINK SO. They will tell you that barackobama.com infected them, because they visited it.
from unu1234567