#1 Trusted Cybersecurity News Platform Followed by 4.50+ million
The Hacker News Logo
Get the Free Newsletter
SaaS Security

Search results for SQL Injection | Breaking Cybersecurity News | The Hacker News

SQL Injection Vulnerability in Google Lab Database System

SQL Injection Vulnerability in Google Lab Database System

Jun 30, 2011
SQL Injection Vulnerability in Google Lab Database System Very Big & Critical Vulnerability detected in Google Lab System. Vendor is already reported by hackers, But they don't take positive step in this case, so finally hackers exposed  the vulnerability in public by  Bangladesh Cyber Army Admin - Shadman Tanjim on their Forum . Google Lab Website has SQL Injection Vulnerability and Dangerous thing is this Vulnerability is Exploitable. Hackers are able to get Tables, columns and data from Database. Google Lab Database has his own customize DB system. But Interesting things is their database system is Similar as Ms Access database. In this case Ms Access SQL Injection System is Also Work on Google Lab Database system. Statement By Hacker : I already contact with Google Corporation but they don't give positive response, I think this is their big fault,  and will suffer for that. But if they give Positive response then this will be very good for them. Thanks a Ton!!! Shadma
SQL Injection Vulnerability in 'Yahoo! Contributors Network'

SQL Injection Vulnerability in 'Yahoo! Contributors Network'

Oct 09, 2014
Yahoo! Contributors Network ( contributor.yahoo.com ), the network of authors that generated the contents such as photographs, videos, articles and their knowledge to more than 600 million monthly visitors, was vulnerable to a Time based Blind SQL Injection vulnerability. Behrouz Sadeghipour, a security researcher reported the Blind SQLi vulnerability in Yahoo! 's website that could be exploited by hackers to steal users' and authors' database, containing their personal information. Behrouz reported this flaw to Yahoo! Security team few months back. The team responded positively and within a month they patched the vulnerability successfully. Unfortunately after that Yahoo! announced to shut down ' Yahoo Contributors Network ' due to its decreasing popularity and removed all the contents from the web, except some of the "work for hire" content may remain on the web. The critical vulnerability was able to expose the database which carried sensitive and personal inform
Making Sense of Operational Technology Attacks: The Past, Present, and Future

Making Sense of Operational Technology Attacks: The Past, Present, and Future

Mar 21, 2024Operational Technology / SCADA Security
When you read reports about cyber-attacks affecting operational technology (OT), it's easy to get caught up in the hype and assume every single one is sophisticated. But are OT environments all over the world really besieged by a constant barrage of complex cyber-attacks? Answering that would require breaking down the different types of OT cyber-attacks and then looking back on all the historical attacks to see how those types compare.  The Types of OT Cyber-Attacks Over the past few decades, there has been a growing awareness of the need for improved cybersecurity practices in IT's lesser-known counterpart, OT. In fact, the lines of what constitutes a cyber-attack on OT have never been well defined, and if anything, they have further blurred over time. Therefore, we'd like to begin this post with a discussion around the ways in which cyber-attacks can either target or just simply impact OT, and why it might be important for us to make the distinction going forward. Figure 1 The Pu
Flickr vulnerable to SQL Injection and Remote Code Execution Flaws

Flickr vulnerable to SQL Injection and Remote Code Execution Flaws

Apr 14, 2014
Yahoo-owned Flickr , one of the biggest online photo management and sharing website in the world was recently impacted by critical web application vulnerabilities, which left website's database and server vulnerable hackers. Ibrahim Raafat , a security researcher from Egypt has found SQL injection vulnerabilities on  Flickr Photo Books , new feature for printing custom photo books through Flickr that was launched 5 months ago. He claimed to have found two parameters ( page_id , items ) vulnerable to Blind SQL injection and one  (i.e. order_id ) Direct SQL Injection that allowed him to query the Flickr database for its content by the injection of a SQL SELECT statements. A Successful SQL exploitation could allow an attacker to steal the Database and MYSQL administrator password. Furthermore, Flickr's SQL injection flaws also facilitate the attacker to exploit remote code execution on the server and using  load_file("/etc/passwd")   function he was successfu
cyber security

Automated remediation solutions are crucial for security

websiteWing SecurityShadow IT / SaaS Security
Especially when it comes to securing employees' SaaS usage, don't settle for a longer to-do list. Auto-remediation is key to achieving SaaS security.
Sqlmap v.0.9 - automatic SQL injection and database takeover tool !

Sqlmap v.0.9 - automatic SQL injection and database takeover tool !

Apr 11, 2011
Sqlmap v.0.9 - automatic SQL injection and database takeover tool ! sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a kick-ass detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections. Change Log : * Rewritten SQL injection detection engine (Bernardo and Miroslav). * Support to directly connect to the database without passing via a SQL injection, -d switch (Bernardo and Miroslav). * Added full support for both time-based blind SQL injection and error-based SQL injection techniques (Bernardo and Miroslav). * Implemented support for SQLite 2 and 3 (Bernardo and Miroslav). * Implemented support for Firebird (Bernardo
How to Detect SQL Injection Attacks

How to Detect SQL Injection Attacks

Sep 19, 2014
SQL Injection (SQLi) attacks have been around for over a decade. You might wonder why they are still so prevalent. The main reason is that they still work on quite a few web application targets. In fact, according to Veracode's 2014 State of Security Software Report , SQL injection vulnerabilities still plague 32% of all web applications. One of the big reasons is the attractiveness of the target – the database typically contains the interesting and valuable data for the web application. A SQLi attack involves inserting a malformed SQL query into an application via client-side input. The attack perverts the intentions of web programmers who write queries and provide input methods that can be exploited. There is a reason they're on the OWASP Top 10 . Termed " injection flaws ", they can strike not only SQL, but operating systems and LDAP can fall prey to SQLi. They involve sending untrusted data to the interpreter as a part of the query. The attack tricks the interpreter into
Hacker stole $100,000 from Users of California based ISP using SQL Injection

Hacker stole $100,000 from Users of California based ISP using SQL Injection

Oct 22, 2013
In 2013 we have seen a dramatic increase in the number of hack attacks attempted against banks, credit unions and utility companies using various techniques including  DDoS attack , SQL injection, DNS Hijacking and Zero-Day Flaws. SQL Injection is one of the most common security vulnerabilities on the web and is successful only when the web application is not sufficiently secured. Recently a hacking Group named ' TeamBerserk ' claimed on Twitter that, they have stolen $100,000 by leveraging user names and passwords taken from a California ISP Sebastian (Sebastiancorp.com)to access victims' bank accounts. A video proof was uploaded on the Internet, shows that how hackers used a SQL injection attack against the California ISP Sebastian to access their customers' database includes  e-mail addresses, user names and clear text passwords and then using the same data to steal money from those customers. Let's see what SQL Injection is and how ser
Latest Joomla 3.7.1 Release Patches Critical SQL Injection Attack

Latest Joomla 3.7.1 Release Patches Critical SQL Injection Attack

May 17, 2017
If your website is based on the popular Joomla content management system, make sure you have updated your platform to the latest version released today. Joomla, the world's second popular open source Content Management System, has reportedly patched a critical vulnerability in its software's core component. Website administrators are strongly advised to immediately install latest Joomla version 3.7.1, released today, to patch a critical SQL Injection vulnerability (CVE-2017-8917) that affects only Joomla version 3.7.0. " Inadequate filtering of request data leads to a SQL Injection vulnerability ." release note says. The SQL Injection vulnerability in Joomla 3.7.0 was responsibly reported by Marc-Alexandre Montpas, a security researcher at Sucuri last week to the company. According to the researcher , ' The vulnerability is easy to exploit and doesn't require a privileged account on the victim's site ,' which could allow remote hackers to steal sensitive inf
Iframe Injection & Blind SQL Injection vulnerability on Apple.com exposed by Idahc(lebanese hacker)

Iframe Injection & Blind SQL Injection vulnerability on Apple.com exposed by Idahc(lebanese hacker)

Jul 04, 2011
Iframe Injection & Blind SQL Injection vulnerability on Apple.com exposed by Idahc(lebanese hacker) After Sony hacks, Idahc(lebanese hacker) is back to strike Apple.com . He found two vulnerability on  https://consultants.apple.com/  as listed below. Iframe Injection : Click here Blind SQL INjection: C lick Here Examples of the injections: Example One Example two Two days before Another sub-domain of Apple's database was hacked with SQL injection by Anonymous : Read Here Hacker Expose the Database ,extracted using Blind Sql injection on a pastebin link .  According to Hacker " I am Idahc(lebanese hacker) I found a Blind SQLI and Iframe Injection on AppleI am not one of Anonymous or Lulzsecand I am against The ANTISEC OPERATIONBUt this is a poc with not confidential informationI didn't dump users,emails,passwords........ ".
Yahoo! Blind SQL Injection could lead to data leakage

Yahoo! Blind SQL Injection could lead to data leakage

Apr 26, 2013
It seems that 2013 is the " Data Leakage Year "! Many customers' information and confidential data have been published on the internet coming from government institutions, famous vendors, and companies too. Ebrahim Hegazy(@Zigoo0) an Egyptian information security advisor who found a high severity vulnerability in " Avira license daemon " days ago, is on the news again, but this time for finding and reporting Blind SQL Injection vulnerability in one of Yahoo! E-marketing applications. SQL Injection vulnerabilities are ranked as Critical vulnerabilities, because if used by Hackers it will cause a database breach which will lead to confidential information leakage. A time based blind SQL Injection web vulnerability is detected in the official Yahoo! TW YSM Marketing Application Service. The vulnerability allows remote attackers to inject own SQL commands to breach the database of that vulnerable application and get access to the user data.
Breaking the Mold: Pen Testing Solutions That Challenge the Status Quo

Breaking the Mold: Pen Testing Solutions That Challenge the Status Quo

Mar 28, 2023 Pen Testing / Artificial Intelligence
Malicious actors are constantly adapting their tactics, techniques, and procedures (TTPs) to adapt to political, technological, and regulatory changes quickly. A few emerging threats that organizations of all sizes should be aware of include the following: Increased use of Artificial Intelligence and Machine Learning : Malicious actors are increasingly leveraging AI and machine learning to automate their attacks, allowing them to scale their operations faster than ever before. The exploitation of cloud-based technologies:  Cloud-based services are increasingly being targeted by malicious actors due to the lack of visibility and control over these platforms. Increased use of ransomware:  Ransomware is becoming a more popular method of attack, allowing malicious actors to monetize their operations quickly. According to  CompTIA , ransomware attacks grew by 41% in 2022, while identification and remediation for a breach took 49 days longer than average. Phishing attacks  also increas
WordPress Plugin Used by 300,000+ Sites Found Vulnerable to SQL Injection Attack

WordPress Plugin Used by 300,000+ Sites Found Vulnerable to SQL Injection Attack

Jul 01, 2017
A SQL Injection vulnerability has been discovered in one of the most popular Wordpress plugins, installed on over 300,000 websites, which could be exploited by hackers to steal databases and possibly hijack the affected sites remotely. The flaw has been discovered in the highly popular WP Statistics plugin, which allows site administrators to get detailed information related to the number of users online on their sites, the number of visits and visitors, and page statistics. Discovered by Sucuri team, WordPress plugin WP Statistics is vulnerable to SQL Injection flaw that allows a remote attacker, with at least a subscriber account, to steal sensitive information from the website's database and possibly gain unauthorized access to websites. SQL Injection is a web application bug that allows hackers to inject malicious Structured Query Language (SQL) code to web inputs in order to determine the structure and location of key databases, which eventually allows stealing of
Drupal SQL Injection Vulnerability leaves Millions of Websites Open to Hackers

Drupal SQL Injection Vulnerability leaves Millions of Websites Open to Hackers

Nov 03, 2014
One of the most popular content management systems, Drupal , is warning its users to consider their websites as compromised unless their sites were updated immediately with a security patch released on 15 October 2014. Drupal is an open source software package which provides a Content management system (CMS) for websites including MTV, Popular Science, Sony Music, Harvard and MIT. Drupal is used to power roughly 1 billion websites on Internet, which puts Drupal in third place behind the juggernaut Wordpress and then Joomla. Drupal's security team has released a " public service announcement " on Wednesday for its users to warn them of the SQL injection attack revealed two weeks ago, compromising almost 12 million of the widely used Drupal 7 websites. Users are asked to immediately update their websites to Drupal 7.32 within seven hours of the announcement of the vulnerability. " Automated attacks began compromising Drupal 7 websites that were not patched
Yahoo Quickly Fixes SQL Injection Vulnerability Escalated to Remote Code Execution

Yahoo Quickly Fixes SQL Injection Vulnerability Escalated to Remote Code Execution

Sep 20, 2014
Yahoo! was recently impacted by a critical web application vulnerabilities which left website's database and server vulnerable to hackers. A cyber security expert and penetration tester, Ebrahim Hegazy a.k.a Zigoo from Egypt , has found a serious SQL injection vulnerability in Yahoo's website that allows an attacker to remotely execute any commands on its server with Root Privileges. According to Hegazy blog post , the SQLi vulnerability resides in a domain of Yahoo! website i.e. https://innovationjockeys.net/tictac_chk_req.php . Any remote user can manipulate the input to the " f_id " parameter in the above URL, which could be exploited to extract database from the server. While pentesting, he found username and password ( encoded as Base64 ) of Yahoo!' admin panel stored in the database. He decoded the Administrator Password and successfully Logged in to the Admin panel. Furthermore, SQL injection flaw also facilitate the attacker to exploit Remote Cod
Preview : Web App Hacker's Handbook 2nd Edition !

Preview : Web App Hacker's Handbook 2nd Edition !

May 12, 2011
Preview : Web App Hacker's Handbook 2nd Edition ! The first draft of the new edition of WAHH is now completed, and the lengthy editing and production process is underway. Just to whet everyone's appetite, I'm posting below an exclusive extract from the Introduction, describing what has changed in the second edition. (And in a vain attempt to quell the tidal wave of questions: the book will be published in October; there won't be any more extracts; we don't need any proof readers, thanks.) What's Changed in the Second Edition? In the four years since the first edition of this book was published, much has changed and much has stayed the same. The march of new technology has, of course, continued apace, and this has given rise to specific new vulnerabilities and attacks. The ingenuity of hackers has also led to the development of new attack techniques, and new ways of exploiting old bugs. But neither of these factors, technological or human, has created a rev
Cybersecurity Resources