- Hacker Uses XSS and Google Street View Data to Determine Physical Location
- CAnCAn te iubim, CA CA tine nu gasim. Superfete.cancan.ro e de rahat
- Deface (?!?) pe Cotidianul.ro
- Virusi in clipuri video [how to]
- Cyber-Bullying – palma parinteasca a noului mileniu
- Christopher “moot” Poole: The case for anonymity online
- Wtf Avira?
- Some old story about tagged.com
- Pwning cam girls for fun
- Tabloshit
- Yahoo! again - XSS in Uncategorized (357 Visits)
- Yahoo! again - bad settings? in Uncategorized (252 Visits)
- Fanii nostri in Uncategorized (183 Visits)
- Frustrant in Uncategorized (146 Visits)
- La multi ani România, la multi ani românilor in Uncategorized (137 Visits)
- Weblog.ro - Shell via Local File Inclusion in Uncategorized (119 Visits)
- Yahoo! epic fail - permanent xss unleashed in Uncategorized (50 Visits)
- ... in Uncategorized (38 Visits)
- XSS Ownage - hi5 vs. Yahoo! + video in Uncategorized (2 Visits)
- Ce nu se invata la scoala - Tipuri si tehnici spam/Hi5 (4) in Uncategorized (2 Visits)
- Hackersblog.org is now blog.rstcenter.com in (1770 Visits)
- O mica dar importanta precizare in (1371 Visits)
- Twitter in (805 Visits)
- This is the end in (776 Visits)
- Ce servicii de mail folositi? in (773 Visits)
- Un nou membru in (730 Visits)
- La multi ani România, la multi ani românilor in (718 Visits)
- Inca o pierdere de timp in (674 Visits)
- De reţinut in (634 Visits)
- Azi este ziua userilor hackersblog.org in (610 Visits)
- SMS scam (1) in (564 Visits)
- Dezinformare sau proasta informare? in (563 Visits)
- Hi5.com coders read this in (553 Visits)
- Phishing Raiffeisen cu atasament html in (516 Visits)
- Phishing Bancpost in (486 Visits)
- Si tentativele de phishing pot fi amuzante in (422 Visits)
- Ce nu se invata la scoala - Tipuri si tehnici spam/mail (2) in (2707 Visits)
- Ce nu se invata la scoala - Tipuri si tehnici spam/Hi5 (4) in (2601 Visits)
- Despre CSRF, hi5.com, cum sa trisezi la concursuri s.a.m.d. in (1143 Visits)
- [Utilitare] Suna gratis de pe internet sau de pe iPhone in (1107 Visits)
- Ce nu se invata la scoala - (D)DOS (5) in (950 Visits)
- Virusi in clipuri video [how to] in (838 Visits)
- Ce nu se invata la scoala - Tipuri si tehnici spam (1) in (725 Visits)
- Yahoo! redirects - a big issue (with video) in (570 Visits)
- Internet vs. privacy (1) in (469 Visits)
- Ca musca in... in (435 Visits)
- RedTube.com ... The Free Sex Video Community in (12972 Visits)
- usa.kaspersky.com hacked ... full database acces , sql injection in (4921 Visits)
- libertatea.ro vulnerabil la (blind) sql injection in (2950 Visits)
- Pwning cam girls for fun in (2586 Visits)
- Telegraph.co.uk hacked, sql injection in (2546 Visits)
- Facebook hacked - sql injection in (2424 Visits)
- Simpatie.ro, matrimoniale3x.ro, apetisant.ro, deliciu.ro , etc Sql injection in (2406 Visits)
- F-Secure.com - SQL Injection + Cross Site Scripting in (1775 Visits)
- [Hacked]Bitdefender (Portugal) exposes sensitive customer data in (1743 Visits)
- Wtf Avira? in (1723 Visits)
- Christopher "moot" Poole: The case for anonymity online in (1495 Visits)
- Digital Photocopiers Loaded With Secrets in (1458 Visits)
- Wannabe Hackers [2] - cum sa faci un virus by sppy_hacker in (592 Visits)
- Wannabe Hackers [1] - Cum sa hack-uiesti RapidShare-ul in (590 Visits)
- Hope 2603 – Kevin Mitnick - Life a Computer Hacker – Revealed in (463 Visits)
- PRIVACY IS DEAD - GET OVER IT, Pt 01-34 (Recommended by Hackersblog ) in (396 Visits)
- Oldies but goodies - Freedom Downtime - The Story of Kevin Mitnick in (379 Visits)
- [Video] The History Of Hacking in (373 Visits)
- Email Security - Why You Should Encrypt Your Email - Part One in (368 Visits)
- The Story of DEFCON in (343 Visits)
- Deface - tuttoaffari.lastampa.it si citymusiclab.city.corriere.it in (3493 Visits)
- RNS vs. RAI - citizenreport.rai.it hacked. in (3300 Visits)
- Hi5 email finder si sfarsitul a tot ceea ce inseamna privacy in social networking in (2996 Visits)
- Se poate sparge parola de Yahoo? in (2572 Visits)
- Free SMS time, TrimiteSMS.ro in (2492 Visits)
- Planete-plus-intelligente.lemonde.fr defaced by R.N.S. in (2464 Visits)
- Gmail uber hacking in (2256 Visits)
- Camera de supraveghere a universitatii Alexandru Ioan Cuza din Iasi in (2255 Visits)
- Cancan.ro spart pentru a doua oara intr-o zi in (2252 Visits)
- Stiri cu antena3 in (2208 Visits)
Posted on February 4th, 2009
Articol scris atat in limba engleza cat si in limba romana
Facebook, a website with an estimated of 5 to 10 Million in US Dollars, a number of 250-1000 employees, a website ranked number 8 GLOBALLY by alexa.com’s traffic standards, is not capable of securing their data base. Millions (LOTS OF MILLIONS) of accounts, email addresses and passwords up for grabs by anyone. Let me show you a few concrete examples of vulnerable parameters.
Not only is the website vulnerable to sql injection but it also allows load_file to be executed making it very dangerous because with a little patience, a writable directory can be found and injection a malicious code we get command line access with wich we can do virtualy anything we want with the website: upload phpshells, redirects, INFECT PAGES WITH TROJAN DROPPERS, even deface the whole website.
But let’s see what else is interesting in the data base. Because I was accused for making personal info public, I didn’t concatenate the username, email, and password syntax, but only the userid and session key column along with the date the key was created. If you don’t know what a session key is to facebook read http://wiki.developers.facebook.com/index.php/Authorizing_Applications .
Let’s move on to another SQL injection vulnerable parameter. This time it’s blind sqli. Interesting in the image is that, firstly, the error wich reveals proof that server data can be accessed from this point.
Let’s see another vulnerable parameter. In the image you see the version of the data base software, and the name of the number 55 table in the database wich is : users. How could the columns of this table be named other than email and password ? You guessed it, they are named like that.
To be continued.
——————————————————————————–
RO Version :
Facebook un site cu venituri de 5-10M usd , cu un numar de 250-1000 angajati, un site aflat pe locul 8 global ca si trafic (sursa:alexa.com) nu este capabil sa-si securizeze baza de date. Milioane (multe milioane) de conturi, adrese de email, parole pot ajunge pe mana oricui. O sa va prezint cateva exemple concrete de exploatarea parametrilor vulnerabili.
Site-ul pe langa ca este vulnerabil la sql injection mai are lasat activ si functia load_file ceea ce este foarte periculos pentru ca, cu un pic de rabdare, se poate gasi un director writable, dupa care injectand codul obtinem linia de comanda si de aici facem ce vrem cu site-ul : upload shell, redirect, infectarea cu troian al calculatorului celui care acceseaza pagina, etc pana la deface total.
Dar sa vedem ce mai are interesant aceasta baza de date. Pentru ca am fost acuzat ca fac publice informatii personale , n-am concatanat in sintaxa username-ul, email-ul si parola utilizatorilor, ci user id-ul si coloana de session key impreuna cu data cand a fost creat respectivul key. Cine nu stie ce inseamna un Session Key pentru facebook sa citeasca linistit pe http://wiki.developers.facebook.com/index.php/Authorizing_Applications
Sa trecem la alt parametru vulnerabil la SQL Injection. De data asta la blind sqli. In imagine interesant este , in primul rand, eroarea data /usr/local/www/data/__facebook/facebook-platform care pentru oricine este o dovada clara ca de aici se pot accesa datele intregului server.
Sa vedem inca un parametru vulnerabil. In imagine avem versiunea bazei de date, si denumirea tabelului 55 din database care se numeste : users. Iar coloanele pentru acest tabel cum s-ar numi altfel decat username, email si password ? Ati ghicit, exact asa se numesc.
Vom continua.
February 4th, 2009 at 9:23 am
What the…Haideti si cu Hi5-ul ca sa mor si eu fericit.
February 4th, 2009 at 9:52 am
La naiba.. Aveam dubii cand ati zis de facebook, dar se pare ca nu era cazul
February 4th, 2009 at 9:57 am
Nice one, dar totusi titlul mi se pare un pic de senzatie in sensul ca ati spart 3 aplicatii ale facebook, nu facebook-ul. Aplicatiile nu sunt scrise de cei de la facebook ci de diversi alti programatori. Aplicatiile nu sunt parte din facebook, ba ei chiar avertizeaza ca prin aderarea la o aplicatie te expui catre alte entitati, diferite de facebook.
February 4th, 2009 at 10:13 am
baza de date e comuna so guess what … same impact
February 4th, 2009 at 10:21 am
Chiar de ziua lor, hhaha, las că-i bun
February 4th, 2009 at 10:23 am
E ziua lor azi?
February 4th, 2009 at 12:52 pm
@Andre3000: aici te inseli. baza de date si aplicatia e gazduita de alt site, in ultima poza se vede clar si despre ce site e vorba in cazul respectivei aplicatii.
Tot ce ati incercat sa aratati aici e de fapt sql injection in apps
February 4th, 2009 at 1:00 pm
Deci aveti sau nu acces la baza de date?
Din cate stiu eu, aplicatiile nu au posibilitatea sa vada efectiv numele, prenumele sau e-mail-ul user-ilor. Aplicatiile au acces la functii de genul send_email(), care se executa pe serverul facebook si trimite mail-ul clientului – fara ca aplicatia third party sa vada date personale.
Deci?
February 4th, 2009 at 2:04 pm
intr-o oarecae masura fiecare are dreptate …direct sau indirect se pot accesa milioane de conturi .De ex pe apps-ul live gifts erau peste 400.000 de session key-uri , si nici pe un site din cele prezntate mai sus nu erau mai putin de 200.000 de conturi cu parole cu tot.Pe langa asta, ganditi-va la un simplu exemplu de exploatare (desigur dupa ce obtii linia de comanda) : redirect la o pagina fake de logare
February 5th, 2009 at 12:29 am
asta e partea a2a… prin xss de yahoo s-a luat si parola la siteul elenei … dar asta nu inseamna ca siteul ei era vulnerabil
February 5th, 2009 at 1:24 am
sql injection + local path disclosure = shell acces and maybe a rooted server. good job
February 5th, 2009 at 4:39 am
hahahahahaha daca ar durea prostia ar muri astia instant constant nelimitat de fapte, ia si citeste
http://wiki.developers.facebook.com/index.php
facebook e doar o platforma care citeste aplicatiile alea, care defapt sunt “embed” in site dar totul este extern, unde facebook e doar un reader, ala nu a spart nici un facebook, a spart site-ul de pe care ruleaza ownerul aplicatia si chestia asta se vede foarte bine in poza asta
http://img443.imageshack.us/img443/2913/etcpasswoc3.jpg
dar nu multa lumea chiar citeste, tre sa ai iq pe minus ca sa crezi ca facebook are 20 useri cu tot cu sys:)))))
ce este mult mai interesant, este faptul ca orice idi cu si anume cateva cunostinte de programare poate sa-si faca o app facebook sau poti sa le cumperi gata facute, problema ar fi ca sunt verificate si acceptate manual
nu zic ca nu e interesanta chestiuta asta, poti sa faci bani buni din ia, gandeste doar cati bani ai face daca ti-ai pune cate un ad unit de 1pixel pe o aplicatie cu 10-20demii de useri inregistrati, care folosesc cel putin 1data pe zi aplicatia, si scuza-ma 80% din aplicatii sunt de social sau gaming fii singur ca 80% din useri intra pe aplicatia aia de 5-6 ori, problema mai mare ar fi ca daca te a agatat facebook te-ai cam ars la fundulet, dar e destul de lejer pentru ca si ala de si-a pus aplicatia are bannere si ads si mai intai tre’ sa-si dea seama el dupa aia face report se verifica logurile si tralala intr-un sfarsit ajunge la contul tau de ads
de ff multe ori nu se merita atata munca asa ca nu patesti nimic doar iti sterge ad-ul si isi fac fix ptr bug
February 27th, 2009 at 8:02 pm
unu you are my man!
nice findings btw..
October 1st, 2009 at 10:20 pm
unu as ya know there are on facebook about 19 sql injectable pages, thats the count i found now, only i am not as good as you to exploit it
i can just find it:)