MySQL Website Hacked (Ironically) by Blind SQL Injection

Monday, March 28, 2011

Rafal Los


Allow me to point out a little bit of irony in this headline... a website for one of the more popular open-source database alternatives gets completely compromised using blind SQL Injection.  Ouch.

Someone going by the moniker "Jack Haxor" posted this to the Full Disclosure mailing list just a little while ago... giving a nice explanation of what's happened and, more importantly, where the vulnerable target page is (customers/view/index.html) so others can go and play for themselves.

The hacker claiming responsibility, calling himself 'TinK0de', keeps a pretty good blog of his activities - and you can read about his exploits (pun intended).

MySQL has (as of this writing) not issued a statement yet... which probably means they're scrambling to close up and clean up the mess... whatever that mess may be. 

Did the attacker get into anything more than just the databases behind the website? Maybe we'll know, maybe we won't - but this is at the very least very unsettling for the open-source database organization.

Hopefully they have clean, check-summed backups, right?

Oh, and if you're interested in seeing the handiwork that resulted from this compromise... check out this pastebin.com link... I swear I had nothing to do with that rabbit/hat graphic.

Some take-aways from this one...

  • Never re-use passwords across too many websites of different security levels
  • Use complex pass-phrases as much as possible so they're harder to crack
  • Back up, then check-sum your backups and keep them offline in case you need a restore point
  • Hiding the SQL error from an attacker will still get you compromised (blind SQL injection)
  • Check your code... attackers don't sleep, and won't spare you just because you're an open-source, charitable project
  • It can happen to anyone, anywhere at any time
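
The take-away about hidden SQL errors, as an added example (not code from the original post or from the MySQL site): a lookup page that suppresses every database error still answers differently depending on a condition placed in its parameter, while a bound parameter does not. SQLite standing in for MySQL, the `customers` table and all function names are assumptions made for the illustration.

```python
import sqlite3


def make_db():
    # Constructed sample data; SQLite stands in for the site's MySQL backend.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO customers VALUES (?, ?)",
                   [(1, "Acme"), (2, "Globex")])
    return db


def view_concat(db, customer_id):
    """Hypothetical handler: errors are hidden, input is still spliced into SQL."""
    try:
        row = db.execute(
            "SELECT name FROM customers WHERE id = " + customer_id
        ).fetchone()
    except sqlite3.Error:
        return "Not found"  # error suppressed, so no message reaches the client
    return "Found" if row else "Not found"


def view_param(db, customer_id):
    """Hypothetical handler: input is validated and bound as data, never as SQL."""
    if not (customer_id.isascii() and customer_id.isdigit()
            and len(customer_id) <= 9):
        return "Not found"
    row = db.execute(
        "SELECT name FROM customers WHERE id = ?", (int(customer_id),)
    ).fetchone()
    return "Found" if row else "Not found"


def leaks_condition(view, db):
    """True if the visible response depends on a condition carried in the id."""
    return view(db, "999 OR 1=1") != view(db, "999 OR 1=2")


if __name__ == "__main__":
    db = make_db()
    print("concatenated query leaks:", leaks_condition(view_concat, db))
    print("bound parameter leaks:   ", leaks_condition(view_param, db))
```

The same pair of requests works as a regression check for a fix: identical responses for both inputs mean the parameter is no longer being interpreted as SQL.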

Update: A Twitter colleague just pasted me this link to another pastebin.  Ouch again.  It appears as though this is from an intrusion into Sun.com itself? 

Let's put a few puzzle pieces together here... MySQL is owned by Oracle.  Sun is owned by Oracle too. 

Maybe they're hosted on a common database platform... oh that would surely spell trouble, wouldn't it?

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
