The Hacker News Logo
Subscribe to Newsletter

The Hacker News - Cybersecurity News and Analysis: SQLi vulnerable sites

Hacker Arrested after Exposing Flaws in Elections Site

Hacker Arrested after Exposing Flaws in Elections Site

May 10, 2016Mohit Kumar
A security researcher responsibly disclosed vulnerabilities in the poorly secured web domains of a Florida county elections, but he ended up in handcuffs on criminal hacking charges and jailed for six hours Wednesday. Security researcher David Michael Levin, 31, of Estero, Florida was charged with three counts of gaining unauthorized access to a computer, network, or electronic instrument. On 19 December last year, Levin tested the security of Lee County website and found a critical SQL injection vulnerability in it, which allowed him to access site's database, including username and password. Levin was reportedly using a free SQL testing software called Havij for testing SQL vulnerabilities on the state elections website. According to Levin, he responsibly reported vulnerabilities to the respective authorities and helped them to patch all loopholes in the elections website. Video Demonstration of the Elections Website Hack Meanwhile, Levin demonstrates his finding via
How to Detect SQL Injection Attacks

How to Detect SQL Injection Attacks

September 19, 2014Swati Khandelwal
SQL Injection (SQLi) attacks have been around for over a decade. You might wonder why they are still so prevalent. The main reason is that they still work on quite a few web application targets. In fact, according to Veracode's 2014 State of Security Software Report , SQL injection vulnerabilities still plague 32% of all web applications. One of the big reasons is the attractiveness of the target – the database typically contains the interesting and valuable data for the web application. A SQLi attack involves inserting a malformed SQL query into an application via client-side input. The attack perverts the intentions of web programmers who write queries and provide input methods that can be exploited. There is a reason they're on the OWASP Top 10 . Termed " injection flaws ", they can strike not only SQL, but operating systems and LDAP can fall prey to SQLi. They involve sending untrusted data to the interpreter as a part of the query. The attack tricks the interpreter into
Hacker discloses vulnerabilities in dozens of Military and Pentagon websites

Hacker discloses vulnerabilities in dozens of Military and Pentagon websites

February 02, 2013Wang Wei
A hacker with handle name (~!White!~) today disclose SQL injection vulnerabilities in dozens of Military, United Nation and Pentagon domains. SQL Injection is one of the many web attack mechanisms used by hackers to steal data from organizations. Through a Pastebin note hacker announce more details about his findings in many sensitive websites, including Pentagon Defense Post Office Website, Office of the Deputy Director for Science Programs, Wiesbaden Military Community, NMCI Legacy Applications, Darby Military Community, Department of Economic and Social Affairs at United Nation and many more. SQL Injection is the hacking technique which attempts to pass SQL commands through a web application for execution by the back-end database. If not sanitized properly, web applications may result in SQL Injection attacks that allow hackers to view information from the database or even can wipe it out. Hacker also claimed to hack database of Pentagon.mil and other mentioned webs
Ministry of Justice of Qatar vulnerable to hackers

Ministry of Justice of Qatar vulnerable to hackers

December 02, 2012Mohit Kumar
Hacker Going by name "human mind cracker" discovered SQL injection vulnerability in official website of Ministry of Justice of Qatar. He has successfully breached the database and dump it on internet. Exploited Domain :  https://www.justice.gov.qa Hacker Mentioned no reason to hack this website in his note, neither any user information published. According to the note, he just expose the bug and exploit it using Boolean based blind injection to show Database structure including table names. There are about 10 Database available on server of Ministry of Justice of Qatar, that can have sensitive information also. Site is not patched yet and vulnerable to hackers. Pastebin Note :  https://pastebin.com/7amjyaMk
European Space Agency SQL vulnerability exploited

European Space Agency SQL vulnerability exploited

December 01, 2012Mohit Kumar
The European Space Agency (ESA) is an intergovernmental organisation dedicated to the exploration of space. Hacker going by name "SlixMe" find and exploit SQL Injection vulnerability on a sub domain of website. Hacker upload dump on his website, where he disclose the SQLi vulnerable link and Database tables also. Hacker also mention that other 5 domains are also hosted on same server, that can be exploited if he will be successful to exploit one site completely. Exploited Domain :  https://television.esa.int/ Method mentioned as "PostgreSQL AND error-based - WHERE or HAVING clause". In further discluse the PayLoad of injection also published. Site is vulnerable at time of publishing this article.
UK Ministry of Defence hacked by NullCrew

UK Ministry of Defence hacked by NullCrew

November 06, 2012Mohit Kumar
The United Kingdom Ministry of Defence website (www.qhm.mod.uk) hacked by two Null Hacking Crew members  @OfficialNull  and @Timoxeline  and They extracted data published online . The data dump include 3400 email addresses and passwords from Ministry of Defence portal. Hackers trying to trend  #FuckTheSystem hashtag on twitter and related it to all their hacks against UK government. Hacker wrote on note : " Your webmaster made a terrible mistake... You may criticize us on the simplicity of the vulnerability. But if you can get so much useful data so easily, why wouldn't you? " "We hope that all governments and organizations realize that #FuckTheSystem is definitely not a joke. We hope that you have the decency to grasp the concept of it. But hey... You're the government right... Just some butthurt little fags. This security just proves how much of a joke our governments are. " note continue. Hackers mention that, they hack the website using 
World Health Organization website hacked by NullCrew

World Health Organization website hacked by NullCrew

October 21, 2012Mohit Kumar
A well known hacking group " Nullcrew " once again most active hacking group right now. Dumping database from number of websites daily. Their latest target was World Health Organization (WHO) website. Well, World Health Organization website (who.int) need treatment now, because their admin panel credentials are leaked on internet by hacking crew. Hacker also disclose the Vulnerable link and Vulnerability type was Sql injection. SQL Injection is one of the many web attack mechanisms used by hackers to steal data from organizations. It is perhaps one of the most common application layer attack techniques used today. It is the type of attack that takes advantage of improper coding of your web applications that allows hacker to inject SQL commands into say a login form to allow them to gain access to the data held within your database. Web application security is much more challenging than infrastructure. The top Web application vulnerabilities occur and re-o
How to Minimize Web Application Security Risk !

How to Minimize Web Application Security Risk !

October 19, 2012Mohit Kumar
With Web applications remaining a popular target for attackers, Web app security sometimes seems like a digital version of the " Good, the Bad and the Ugly ." Vulnerabilities in web applications are now the largest vector of enterprise security attacks. Web application security is much more challenging than infrastructure. The top Web application vulnerabilities occur and re-occur time and again. Items such as Cross Site Scripting (XSS), SQL Injection (SQLi) and file inclusion are common vulnerabilities and show up frequently. In his view, the majority of Web application security problems can be solved by applying well known security technology approaches. According to survey results, only 51 percent of organizations currently have coders conduct security testing, and only 40 percent of organizations report they test during development. Vulnerabilities like these fall often outside the traditional expertise of network security managers. To help you understand h
Harvard Carr Center for Human Rights Policy Hacked, Password was "DOG" ?

Harvard Carr Center for Human Rights Policy Hacked, Password was "DOG" ?

October 08, 2012Mohit Kumar
Harvard's Carr Center for Human Rights Policy website ( www.hks.harvard.edu/cchrp/ ) was hacked last week  and then silently fixed by the administrator without giving Reply/Credit to the Whitehat Hacker who reported the vulnerability. The Hack incident was performed in 3 Phases as described below: Phase 1: A Hacker , with nickname " FastFive" posted a few sql injection vulnerable Educational sites on a famous Hacking Forum last week which included the SQLi vulnerable link for the Harvard Carr Center for Human Rights Policy website, as you can see in the list in the above screenshot taken by me. Phase 2 : Almost 100's of Hackers have seen the post from " FastFive " and they got some juicy information for their next targets. One of them named, " Vansh " successfully exploit the Harvard's site and  extracted the database onto his computer. He Found the username and Password from the table and tried to login on the Admin access panel location
Online Courses and Software

Sign up for cybersecurity newsletter and get latest news updates delivered straight to your inbox daily.