ePsiLoN's Information Security Blog

Project Hell Fire leak analysis – one step further

Posted by

ePsiLoN

, , , , ,

On 25th of August Team GhostShell published a list with leaks from hacks they supposedly committed. I will not discuss what data leaked. Everyone can go and take a look. I was more interested in the Team GhostShell modus operandi and how intelligent was the attack.

How did they do it and how much skill their attacks required?

According Imperva the theam used sqlmap tool to compromise the victim backend databases.
I can only agree with that statement.
Everyone that ever run sqlmap wll recognise its output.
But it is not just that. It is NOT very complicated to conclude that the tool Team GhostShell used is sqlmap especially when some of the dumps contain command line calls to sqlmap itself :). Obvious isn’t it.
For example “General Targets Part 3

“python sqlmap.py –random-agent -o -u …”

How they selected the victims?

What I wanted to find out is: were those sites explicitly targeted or they were just found suitable for attack?
Take a further look at the targets URLs with me. I made a short list of vulnerable targets found in the dumps. The same pattern repeats through all the files. Can you notice it?

dept_details.php?dept_id=4
business_detail.php?bus_id=771
single_member_firm.php?id=1
press_view.php?id=37
details.php?package_id=37
index.php?id=373
talentprofile_detail.php?id=12
consultation.php?id=28
details.php?id=6
vieweconink.php?id=259
article.php?id=77
article-detail.php?id=62
showPage.php?ID=10814
article_detail.php?id=292
articledetail.php?recordID=109
contact.php?id_dpt=112
biographydetail.php?id=39

EXACTLY. All the targets are php applications with “id” string in the URL.

So my guess is that the victims were NOT preliminary selected, researched and then attacked.
They were just found “suitable” for attack.
How this can be achieved?
The simple answer is – dorks.
There are plethora of tools that automate the process of SQL injectable targets search. Just Google “dork scanner” and you will get references to tons of tools.

So my personal conclusions are:

  • That type of attack does not require high level of technical knowledge and basically can be carried out by any person having some idea about the security tools available today. So I can rate the sophistication level of those attacks as 2 (on scale of 1 to 10).
  • The number of targets proves that SQL injection vulnerabilities are still pretty common and they are still plenty of badly developed PHP applications out there (which is not really a surprise).

ePsiLoN

2 responses

  1. m0le Avatar
    m0le

    Jeez, the news media hyped this too much. I was even hoping for these guys to perform a bit more ‘sophisticated’ attacks. It’s nowhere near complication. Any skid who’s 3 days in with SQLmap can perform this.

    SQLi (and other web-app vuls) will be around for very long, thank to careless web developers.

    Reply
  2. ePsiLoN Avatar
    ePsiLoN

    Yee … I was quite “disappointed” as well.
    The tragedy is that even after the media exaggeration some of the victims are not even aware that they have been breached.

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

Recent Posts

Archive

Tags

bruteforce bug bounty bug hunting Burp Suite colossus d3 data leak data recovery dictionary entropy pool fix fuzzing hackaday image processing log analysis malware mindmap Practical Reverse Engineering randomness sandbox SANS skype SQL injection SSL Team GhostShell technical visualisation Vulnerability Management Wanda the fish Zeus