How I accidentally hacked a local news site
On a sunny summer afternoon, I was nestled in my favorite corner at home, consumed by my latest web development project. Soft lo-fi tunes floated in the background, creating an ambiance of focus and calm. However, that day was about to pivot from ordinary to extraordinary in ways I couldn’t have imagined.
During a quick break, I decided to survey local businesses online. I’m always intrigued by the digital presence of local establishments, and often draw inspiration for my own projects. On this particular afternoon, I found myself drawn to an online local newspaper that had a unique feature — an online version of the classic table game, “Jassen”.
As I navigated through the site, I stumbled upon an intriguing route, /ranking.php/6. It appeared to be a leaderboard for the game, but the ‘6’ at the end of the URL sparked my developer instincts. When I changed this number, the number of player rankings displayed shifted accordingly.
An icy realization struck me. This number was being used in an SQL LIMIT clause, the part of a query that tells the database how many rows to return. More worryingly, it opened the door to the possibility of an SQL Injection, a technique used to exploit databases by injecting malicious SQL statements.
With an uneasy feeling gnawing at me, I decided to validate my suspicions. SQL Injection is a nefarious practice that can have grave consequences if left unchecked. My objective was clear and ethical: to confirm the vulnerability, and if it indeed existed, inform the business.
I initially entered random characters to check if the route would be vulnerable.
With bated breath, I hit enter.
What appeared on the screen made my heart sink. The website returned a MySQL syntax error.
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'fdsafsadfasdf' at line 2
This was clear proof that the route was vulnerable to SQL Injection. Using the method known as error-based injection, I crafted a simple SQL Injection payload, which returned entries from the users table.
https://DOMAIN/ranking/6 Procedure Analyse (extractvalue(0,concat(0x27,(select group_concat(passwd) from users))),1)--
I even found out that RCE (Remote Code Execution) would be possible through INTO OUTFILE, and the load_file function worked too, giving me access to /etc/passwd and other config files.
Without wasting a minute, I reached out to the newspaper office, urgently asking to speak with the owner. The news of a significant security flaw was met with initial disbelief. However, as I detailed the issue, the owner’s disbelief turned into gratitude.
Over the next hour, I explained the potential threat and advised them on the necessary corrective measures. I underscored the need for a skilled developer to sanitize the inputs and use prepared statements to prevent any potential SQL Injections in the future.
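The flaw described earlier (a URL segment pasted straight into a LIMIT clause) shown beside the prepared-statement fix recommended here, as an added example that is not the newspaper's code. It uses an in-memory SQLite table with constructed rows in place of the site's MySQL users table; the schema, the function names and the 100-row cap are assumptions.

```python
import sqlite3

# Constructed sample rows standing in for the site's users table (not the real data).
SAMPLE_USERS = [("alice", 120), ("bob", 95), ("carol", 80), ("dave", 60)]


def make_db():
    """Build a throwaway in-memory database with the assumed leaderboard schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, score INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def ranking_vulnerable(conn, limit_param):
    """The flawed pattern: the raw URL segment becomes part of the SQL text."""
    sql = f"SELECT name, score FROM users ORDER BY score DESC LIMIT {limit_param}"
    return conn.execute(sql).fetchall()


def ranking_safe(conn, limit_param, max_rows=100):
    """Hardened: validate the segment as a bounded integer, then bind it as a parameter."""
    if not isinstance(limit_param, str) or not limit_param.isdigit():
        raise ValueError("ranking limit must be a non-negative integer")
    n = min(int(limit_param), max_rows)
    sql = "SELECT name, score FROM users ORDER BY score DESC LIMIT ?"
    return conn.execute(sql, (n,)).fetchall()


def probe(limit_param):
    """Return (vulnerable outcome, safe outcome) for one URL segment value."""
    conn = make_db()
    try:
        vuln = ranking_vulnerable(conn, limit_param)
    except sqlite3.OperationalError as e:
        vuln = f"SQL error: {e}"  # the database error leaks, as the site's did
    try:
        safe = ranking_safe(conn, limit_param)
    except ValueError as e:
        safe = f"rejected: {e}"  # bad input never reaches the database
    return vuln, safe


if __name__ == "__main__":
    for value in ("6", "fdsafsadfasdf"):
        print(value, "->", probe(value))
```

With "6" both versions return the same rows; with the junk string the vulnerable version surfaces a database error while the hardened version refuses the input before any query runs.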
This unexpected foray into ethical hacking served as a stark reminder of the importance of secure coding practices in a world that’s becoming increasingly digital. For that day, I turned from a full stack developer to a white-hat hacker. I protected not just a local business, but potentially thousands of its online users, with my fortuitous discovery and swift action.