Facebook hacked - sql injection ???

Category: By we designworks!

Facebook, a website with an estimated of 5 to 10 Million in US Dollars, a number of 250-1000 employees, a website ranked number 8 GLOBALLY by alexa.com’s traffic standards, is not capable of securing their data base. Millions (LOTS OF MILLIONS) of accounts, email addresses and passwords up for grabs by anyone. Let me show you a few concrete examples of vulnerable parameters.

Not only is the website vulnerable to sql injection but it also allows load_file to be executed making it very dangerous because with a little patience, a writable directory can be found and injection a malicious code we get command line access with wich we can do virtualy anything we want with the website: upload phpshells, redirects, INFECT PAGES WITH TROJAN DROPPERS, even deface the whole website.

But let’s see what else is interesting in the data base. Because I was accused for making personal info public, I didn’t concatenate the username, email, and password syntax, but only the userid and session key column along with the date the key was created. If you don’t know what a session key is to facebook read http://wiki.developers.facebook.com/index.php/Authorizing_Applications.

Let’s move on to another SQL injection vulnerable parameter. This time it’s blind sqli. Interesting in the image is that, firstly, the error wich reveals proof that server data can be accessed from this point.

Let’s see another vulnerable parameter. In the image you see the version of the data base software, and the name of the number 55 table in the database wich is : users. How could the columns of this table be named other than email and password ? You guessed it, they are named like that. To be continued.

Credits URL : http://hackersblog.org/2009/02/04/facebook-hacked-o-baza-de-date-cu-milioane-de-conturi-ce-pot-fi-accesate-de-oricine/

2 comments so far.

  1. Stacey Tee February 17, 2009 at 11:12 AM
    This is darn scary... I'm thinking if I should delete my Facebook account now... Thanks for sharing!
  2. d3ck4 February 16, 2010 at 3:45 PM
    good, i drop by here through keyword "sql injection" via a service call "blogger auto follow" im following u.. hope to see u in my followers list soon and would love to share anything from internet, network and information security stuff.

    Hacking Expose! Team

Something to say?