On December 6th 2018, Rogue Media Labs covered an article detailing the hack of two international University’s by a Brasilian based hacker known as “SHIZEN.” However, what made the incident interesting or unique at the time was that SHIZEN did not disclose the databases he had uncovered, or how he went about doing so – something he is regularly known for doing. Instead, he tagged l’academie de Grenoble in the hack, asking them to reach out to him to learn where/how he got into their systems and where their website was vulnerable. Over the course of the last week and a half since, SHIZEN has continued to keep this information to himself, trolling the University on multiple occasions asking them to contact him about the hack – less he release the information in its entirety online. After days with no response, this is exactly what SHIZEN did this morning.
In a data dump released to the public via Ghostbin this morning, December 15th 2016, SHIZEN released the contents of the databases exposed in the December 6th hack, explaining how he was able to breach l’academie de Grenobles’s website through an SQL vulnerability tied to the academy’s math department. More specifically, SHIZEN was able to hack php version 5.3.3 files belonging to an extremely outdated MySQL database attached to a nginx web server. In fact, the MySQL database was so outdated that it’s version wasn’t even readably identifiable.
Target Website: hxxp://ac-grenoble.com
SQL User Haxxed: email@example.com
Location of SQL Injection: hxxps://ac-grenoble.fr/disciplines/maths/pages/PM/fonction/telechargement.php?/fichier/=1899%27%20and%20[t]%20and%20%271%27=%271
Database Name: De8u1
Data Dump: https://ghostbin.com/paste/58cjh