Search results for SQL injection | Breaking Cybersecurity News | The Hacker News

Security Alert : vBulletin 4.X  -  SQL Injection & CSRF/XSRF  Exploits available ! Two Serious Security Flaws are detected in  vBulletin 4.X Versions and also their Security SQL Injection & CSRF/XSRF Exploits are now also available. Impact of these Flaws: Lots of big Forums are on  vBulletin 4.X version and these Forums can be hacker easily using the exploits by any hacker. We would like to Request Admins to Patch their Forums as soon as possible. vBulletin 4.X Security Patch https://www.vbulletin.com/forum/showthread.php/376995-vBulletin-4.X-Security-Patch?AID=804495&PID=564936 Exploits are available at SQL Injection  :  https://www.1337day.com/exploits/16147 CSRF/XSRF     :   https://www.1337day.com/exploits/16160

WAVSEP   1.0.3 – Web Application Vulnerability Scanner Evaluation Project A vulnerable web application designed to help assessing the features, quality and accuracy of web application vulnerability scanners. This evaluation platform contains a collection of unique vulnerable web pages that can be used to test the various properties of web application scanners. Additional information can be found in the developer's blog . Project WAVSEP currently includes the following test cases: Vulnerabilities: Reflected XSS:   66 test cases, implemented in 64 jsp pages (GET & POST) Error Based SQL Injection: 80 test cases, implemented in 76 jsp pages (GET & POST ) Blind SQL Injection: 46 test cases, implemented in 44 jsp pages (GET & POST ) Time Based SQL Injection: 10 test cases, implemented in 10 jsp pages (GET & POST ) False Positives: 7 different categories of false positive Reflected XSS vulnerabilities (GET & POST ) 10 different categories of false positiv

RED HAT has fixed multiple web application security issues that allowed hackers to extract website database using Blind SQL injection. Red Hat also confirmed a cross site scripting and Local File Inclusion Vulnerabilities on their website. Mohamed Ramadan Security Researcher and Trainer Attack-Secure , told ' The Hacker News ' that last year he reported 3 flaws to the company and they finally confirm and patch those in January 2013. Blind SQL injection is identical to normal SQL Injection except that when an attacker attempts to exploit an application, rather than getting a useful error message, they get a generic page specified by the developer instead. This makes exploiting a potential SQL Injection attack more difficult but not impossible. Local file inclusion is a vulnerability that allows the attacker to read files, that are stored locally through the web application.This happens because the code of the application does not properly sanitize the include

Permissions in SaaS platforms like Salesforce, Workday, and Microsoft 365 are remarkably precise. They spell out exactly which users have access to which data sets. The terminology differs between apps, but each user's base permission is determined by their role, while additional permissions may be granted based on tasks or projects they are involved with. Layered on top of that are custom permissions required by an individual user.  For example, look at a sales rep who is involved in a tiger team investigating churn while also training two new employees. The sales rep's role would grant her one set of permissions to access prospect data, while the tiger team project would grant access to existing customer data. Meanwhile, special permissions are set up, providing the sales rep with visibility into the accounts of the two new employees. While these permissions are precise, however, they are also very complex. Application admins don't have a single screen within these applications th

A pair of critical vulnerabilities in a popular bulletin board software called MyBB could have been chained together to achieve remote code execution (RCE) without the need for prior access to a privileged account. The flaws, which were discovered by independent security researchers Simon Scannell and Carl Smith, were reported to the MyBB Team on February 22, following which it  released  an update (version 1.8.26) on March 10 addressing the issues. MyBB, formerly MyBBoard and originally MyBulletinBoard, is free and open-source forum software developed using PHP and MySQL. According to internet assets search engine Spyse, there are at least 2,100 potentially vulnerable domains that have MyBB installed. According to the researchers, the first issue — a nested auto URL persistent XSS vulnerability (CVE-2021-27889) — stems from how MyBB parses messages containing URLs during the rendering process, thus enabling any unprivileged forum user to embed stored XSS payloads into threads, p

TeaMp0isoN : NASA forum is Vulnerable SQL injection, Admin Hacked ! TeaMp0isoN Hackers crew today Reveal on twitter that the discussion forum on NASA website at  https://worldwind35.arc.nasa.gov/forum/ is Vulnerable to SQL injection. The discussion Forum script is Powered by Vbulletin. According to hacker, He use Vbulletin 4.0.x => 4.1.3 (messagegroupid) SQL injection Vulnerability Exploit for hacking the Database of Forum . Hacker also expose the Login details of Admin of website on Pastie .

HDFC Bank Database Hacked by zSecure team using SQL injection vulnerability zSecure team is back in news again, this time they have discovered a critical SQL injection vulnerability in HDFC Bank's Web Portal. Using this critical flaw HDFC Bank's various databases can be accessed and dumped as well. This critical flaw really affects the customer realtions of HDFC Bank's and this really questions the existing security in place within bank. HDFC Bank is the leading bank in India but they lack behind the basic security that needs to be implemented. zSecure team claimed in their blog post that even after sending them complete details about the vulnerability and even after conducting the vulnerability assessment from the third party service provider they were not able to discover this critical falw which existed in their web portal. This really raises a big question on their existing security policy. What would have happened if somone else would have gained acceess to this c

Code injection attacks, the infamous king of vulnerabilities, have lost the top spot to broken access control as the worst of the worst, and developers need to take notice. In this increasingly chaotic world, there have always been a few constants that people could reliably count on: The sun will rise in the morning and set again at night, Mario will always be cooler than Sonic the Hedgehog, and code injection attacks will always occupy the top spot on the Open Web Application Security Project (OWASP) list of the  top ten most common  and dangerous vulnerabilities that attackers are actively exploiting. Well, the sun will rise tomorrow, and Mario still has "one-up" on Sonic, but code injection attacks have fallen out of the number one spot on the infamous OWASP list, refreshed in 2021. One of the oldest forms of attacks,  code injection vulnerabilities  have been around almost as long as computer networking. The blanket vulnerability is responsible for a wide range of attacks, inclu

Million ASP.Net  web sites affected with mass SQL injection attack Hackers are in the midst of a massively successful SQL injection attack targeting websites built on Microsoft's ASP.Net platform. About 180,000 pages have been affected so far, security researchers say. Attackers have planted malicious JavaScript on ASP.Net sites that causes the browser to load an iframe with one of two remote sites: www3.strongdefenseiz.in and www2.safetosecurity.rr.nu , according to security researchers at Armorize who discovered the attack. From there, the iframe attempts to plant malware on the visitor's PC via a number of browser drive-by exploits. A drive-by exploit will load malware without a visitor's knowledge or participation (no need to open a file or click on a link). Fortunately, the attackers are using known exploits, with patches available, so the attack can only be successful if a visitor is using an outdated, unpatched browser without the latest version of Adobe PDF

The Mole v0.3  Released : Automatic SQL Injection Exploitation Tool Nasel has just released the new version of The Mole, an automatic SQL Injection exploitation tool. Only by providing a vulnerable URL and a valid string on the site it can detect the injection and exploit it, either by using the union technique or a boolean query based technique. This release has introduced new features compared with the previous one, among these you can find that The Mole is now able to exploit injections thourgh cookie parameters. A new promising feature is that now you can exploit injections that return binary data, to achieve this the mole uses uses HEAD requests and analyzes the headers received (the size of the binary to download usually differs when the query was successful or not) and does not need to download the full binary data. In this release there has been a major change in the The Mole's architecture, and now allows to easily insert filters in order to bypass IPS/IDS rules or mod

Are you looking to master web hacking? Interested in a bug-hunting career? Do you want to land a job in cybersecurity? Are you already working as a security engineer, but want to further advance or refine your skills? If yes, read on. ZDResearch Advanced Web Hacking (AWH) course, including optional certification upon completion—is the answer. Last week, we sat with the ZDResearch training team and asked them a few questions to learn more about their "Advanced Web Hacking" course and understand how it could be a better choice for you. Can you tell us a little about ZDResearch? ZDResearch is a cybersecurity firm with more than 6 years of experience, having some of the world's top hackers and security researchers committed to engineering engaging and approachable courses to the most technical of topics. In the ZDResearch Advanced Web Hacking Course, the greenhorn, the novice, or the pro will benefit. Those selected to work for ZDResearch, and its department de

Nikjju Mass injection campaign target more than 2 Millions Urls Daniel Cid an open source developer and information security professional reported on Sucuri blog that their team tracked a new mass SQL injection campaign that started early this month and till now more than 180,000 URLs have been compromised.  Nikjju is a mass SQL injection campaign targeting ASP/ASP.net sites. At the time of writing Google has identified 361,000 pages infected with that javascript call, but the number is growing really fast. In this case it adds the following javascript to the compromised sites. One more interesting fact that researchers have noticed that  Nikjju.com domain was registered on April 1st 2012 and in 18 days more than 180,000 urls get infected. This mass Sql Injection also compromise some Government sites also , as listed below : jnd.xmchengdu.gov.cn study.dyny.gov.cn www.cnll.gov.cn www.bj.hzjcy.gov.cn www.mirpurkhas.gov.pk www.tdnyw.gov.cn gcjs.kaifeng.gov.cn Few hours we h

The Mole - Another Automatic SQL Injection exploitation tool The Mole is an automatic SQL Injection exploitation tool. Only by providing a vulnerable URL and a valid string on the site it can detect the injection and exploit it, either by using the union technique or a boolean query based technique. Features Support for injections using Mysql, SQL Server, Postgres and Oracle databases. Command line interface. Different commands trigger different actions. Auto-completion for commands, command arguments and database, table and columns names. Support for query filters, in order to bypass certain IPS/IDS rules using generic filters, and the possibility of creating new ones easily. Exploits SQL Injections through GET and POST methods. Developed in python 3. Video Demonstration: 1.)  Installation Guide 2.) Tutorial to Use 3.) Download Mole

Network security company SonicWall on Friday rolled out fixes to mitigate a critical SQL injection (SQLi) vulnerability affecting its Analytics On-Prem and Global Management System (GMS) products. The vulnerability, tracked as  CVE-2022-22280 , is rated 9.4 for severity on the CVSS scoring system and stems from what the company describes is an "improper neutralization of special elements" used in an SQL command that could lead to an unauthenticated SQL injection. "Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data," MITRE  notes  in its description of SQL injection. "This can be used to alter query logic to bypass security checks, or to insert additional statements that modify the back-end database, possibly including execution of system commands." H4lo and Catalpa of DBappSecurity HAT Lab have been credited with discov

A critical flaw in Progress Software's in MOVEit Transfer managed file transfer application has come under widespread exploitation in the wild to take over vulnerable systems. The shortcoming, which is assigned the CVE identifier CVE-2023-34362 , relates to a severe SQL injection vulnerability that could lead to escalated privileges and potential unauthorized access to the environment. "An SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to MOVEit Transfer's database," the company  said . "Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database in addition to executing SQL statements that alter or delete database elements." Patches for the bug have been made available by the Massachusetts-based company, which also owns Teler

A new research showed that Scripting languages, in general, give birth to more security vulnerabilities in web applications, which raised concerns over potential security bugs in millions of websites. The app security firm Veracode has released its State of Software Security: Focus on Application Development report ( PDF ), analyzing more than 200,000 separate applications from October 1, 2013, through March 31, 2015. The security researchers crawled popular web scripting languages including PHP, Java, JavaScript, Ruby, .NET, C and C++, Microsoft Classic ASP, Android, iOS, and COBOL, scanning hundreds of thousands of applications over the last 18 months. Also Read:  A Step-by-Step Guide — How to Install Free SSL Certificate On Your Website Researchers found that PHP – and less popular Web development languages Classic ASP and ColdFusion – are the riskiest programming languages for the Internet, while Java and .NET are the safest. Here's the Top 10 List:

Embassy of Kazakhstan hacked by Anonymous Supporters The official website of Embassy of Kazakhstan in Delhi having SQL injection Vulnerability, and Hacker with codename -  Abs0luti0n has successfully Extract the database tables info and leak it on a pastebin note  including Admin's Username and Password. Hacker said," Lately we have been experimenting on some new large targets which will be unveiled soon. However today while we were cruising around in our lulzmobile,we set sights momentarily on another outdated weak vehicle and with great ease put the pedal to the metal, ran all the lights and flew straight through our accquired target ." SQL Injection is a type of web application security vulnerability in which an attacker is able to submit a database SQL command which is executed by a web application, exposing the back-end database. Attackers utilize this vulnerability by providing specially crafted input data to the SQL interpreter in such a manner that the int

Critical Sqli Vulnerability in channel [V] Website A 16 years old White Hat Hacker " Arjun Siyag " from India discover a Critical Sqli Vulnerability in channel [V] Website ( https://www.channelv.in ). Proof of the hack is as shown in above image. Hacker disclose only the admin username and password, which will not effect the admin panel directly,because for login Email ID is required.  SQL Injection is one of the many web attack mechanisms used by hackers to steal data from organisations. It is perhaps one of the most common application layer attack techniques used today. Through SQL Injection, the hacker may input specifically crafted SQL commands with the intent of bypassing the login form barrier and seeing what lies behind it. This is only possible if the inputs are not properly sanitised (i.e., made invulnerable) and sent directly with the SQL query to the database. SQL Injection vulnerabilities provide the means for a hacker to communicate directly to the database.

Multiple SQL injection vulnerabilities have been disclosed in Gentoo Soko that could lead to remote code execution (RCE) on vulnerable systems. "These SQL injections happened despite the use of an Object-Relational Mapping (ORM) library and prepared statements," SonarSource researcher Thomas Chauchefoin  said , adding they could result in RCE on Soko because of a "misconfiguration of the database." The  two   issues , which were discovered in the search feature of Soko, have been collectively tracked as CVE-2023-28424 (CVSS score: 9.1). They were addressed within 24 hours of responsible disclosure on March 17, 2023. Soko is a Go software module that powers  packages.gentoo.org , offering users an easy way to search through different Portage packages that are available for Gentoo Linux distribution. But the shortcomings identified in the service meant that it could have been possible for a malicious actor to  inject specially crafted code , resulting in the expo

Timesofmoney Database Hacked using Sql Injection Vulnerability General Information About the Vulnerability This is again a critical vulnerability discovery made by zSecure Team in TimesofMoney website. The group claims that there exist a critical SQL Inejction Vulnerability in the timesofmoney's website using which an attacker can gain access to the site's entire database which contains the huge amount of customers confidential information. Even many indian banks are availing the service of the timesofmoney. This vulnerability may prove to be very critical for the company because TimesofMoney is India's one of the leaders in e-payment system. Existence of such a critical flaw in company's web may cause huge to the existing market reputation of the company concerned. At the end of their advisory the zSecure Group left a small message which claims that they have discovered alike vulnerability in HDFC Bank's website and in coming days the group may come up with the

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning of critical vulnerabilities affecting Philips Tasy electronic medical records (EMR) system that could be exploited by remote threat actors to extract sensitive personal data from patient databases. "Successful exploitation of these vulnerabilities could result in patients' confidential data being exposed or extracted from Tasy's database, give unauthorized access, or create a denial-of-service condition," CISA  said  in a medical bulletin issued on November 4. Used by over 950 healthcare institutions primarily in Latin America, Philips Tasy EMR is designed as an  integrated healthcare informatics  solution that enables centralized management of clinical, organizational and administrative processes, including incorporating analytics, billing, and inventory and supply management for medical prescriptions. The  SQL injection  flaws — CVE-2021-39375 and CVE-2021-39376 — affect Tasy EMR HTML5