This morning, December 19th 2018, “Knushh” announced a unique hack of the Municipal Education Department of Rio de Janeiro, Brazil, revealing several key vulnerabilities affecting the website that allow remote access to and download of government files and databases. I almost hesitate to call this an “ethical hack,” because Knushh didn’t simply hack the website and report its vulnerabilities to town administrators; he hacked the website and then disclosed the bugs/vulnerabilities to everyone in the world, including the site administrators.
In a research report featured on Ghostbin, Knushh explains how Rio de Janeiro’s Municipal Education Department website suffers from two specific vulnerabilities. The first is known as a Local File Disclosure (LFD) vulnerability, “a malfunction in web applications allowing for the download of files without permission,” and the second is an SQL injection vulnerability, “an attack that consists of inserting query strings via web application to compromise the different layers of site databases.” Knushh goes on to explain how “the SQLi vulnerability is located in the site’s search engine so it can perform an SQL Injection (POST) and capture of the site’s database (DBMS),” explaining that “we can test the vulnerability by adding a single quote in the mechanism.” He adds that “the LFD vulnerability is present in a tab that was used to download .doc, .pdf, etc. documents in ci http://www.semedjaperi.rj.gov.br/site/baixar.php?arquivo=”
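As an added defensive example (not from Knushh’s report and not the site’s own code), here is what a hardened download handler of the baixar.php?arquivo= shape and a parameterised search query look like in PHP; the document directory, allowed extensions, table and column names are assumptions.

```php
<?php
// Hardened replacement for a download endpoint like baixar.php?arquivo=...
// Assumptions (not from the page): documents live under DOC_ROOT and only
// .doc/.docx/.pdf files are meant to be served to visitors.
declare(strict_types=1);

const DOC_ROOT    = '/var/www/docs';            // assumed document directory
const ALLOWED_EXT = ['doc', 'docx', 'pdf'];     // assumed allow-list

/**
 * Resolve a user-supplied file name to a safe absolute path, or return null.
 * Rejects directory components (../ or absolute paths), null bytes,
 * disallowed extensions, and anything that resolves outside DOC_ROOT.
 */
function resolveDownload(string $requested): ?string
{
    // Only a bare file name is acceptable: basename() strips any directory part.
    if ($requested === '' || $requested !== basename($requested)) {
        return null;
    }
    if (strpos($requested, "\0") !== false) {
        return null;
    }
    $ext = strtolower(pathinfo($requested, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return null;
    }
    // realpath() fails for missing files and collapses symlinks; re-check that
    // the resolved path is still inside the document directory.
    $root = realpath(DOC_ROOT);
    $real = realpath(DOC_ROOT . DIRECTORY_SEPARATOR . $requested);
    if ($root === false || $real === false
        || strpos($real, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

/** Search using a prepared statement instead of string concatenation. */
function searchDocuments(PDO $pdo, string $term): array
{
    // Table/column names are assumed; the bound parameter keeps quotes inert.
    $stmt = $pdo->prepare('SELECT id, titulo FROM documentos WHERE titulo LIKE :term');
    $stmt->execute([':term' => '%' . $term . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$path = resolveDownload($_GET['arquivo'] ?? '');
if ($path === null) { http_response_code(404); exit; }
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
readfile($path);
```

A single quote submitted to the search form now reaches the database only as data, and a request such as `baixar.php?arquivo=../config.php` is rejected before any file is opened.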
In a move that I have never seen or even heard of before, Knushh then proceeded to hack the website through the same exploits disclosed above and defaced its pages with instructions for the site administrators, teaching them how to fix the flaws in the future. For example, here are screenshots of the defaced URLs and his activity:
Lastly, Knushh closed out his research report with a message to the IT department of Rio de Janeiro, stating: “I HOPE THIS ARRIVES TO THE TEAM OF SITE PROGRAMMERS TO RESOLVE THESE SERIOUS VULNERABILITIES – ASS.”
Website Affected: hxxp://www.semedjaperi.rj.gov.br/
Full Threat Analysis of Site Vulnerabilities: https://ghostbin.com/paste/6rw7k