Project Hell Fire leak analysis – one step further

Posted by

On 25th of August Team GhostShell published a list with leaks from hacks they supposedly committed. I will not discuss what data leaked. Everyone can go and take a look. I was more interested in the Team GhostShell modus operandi and how intelligent was the attack.

How did they do it and how much skill their attacks required?

According Imperva the theam used sqlmap tool to compromise the victim backend databases.
I can only agree with that statement.
Everyone that ever run sqlmap wll recognise its output.
But it is not just that. It is NOT very complicated to conclude that the tool Team GhostShell used is sqlmap especially when some of the dumps contain command line calls to sqlmap itself :). Obvious isn’t it.
For example “General Targets Part 3

“python sqlmap.py –random-agent -o -u …”

How they selected the victims?

What I wanted to find out is: were those sites explicitly targeted or they were just found suitable for attack?
Take a further look at the targets URLs with me. I made a short list of vulnerable targets found in the dumps. The same pattern repeats through all the files. Can you notice it?

dept_details.php?dept_id=4
business_detail.php?bus_id=771
single_member_firm.php?id=1
press_view.php?id=37
details.php?package_id=37
index.php?id=373
talentprofile_detail.php?id=12
consultation.php?id=28
details.php?id=6
vieweconink.php?id=259
article.php?id=77
article-detail.php?id=62
showPage.php?ID=10814
article_detail.php?id=292
articledetail.php?recordID=109
contact.php?id_dpt=112
biographydetail.php?id=39

EXACTLY. All the targets are php applications with “id” string in the URL.

So my guess is that the victims were NOT preliminary selected, researched and then attacked.
They were just found “suitable” for attack.
How this can be achieved?
The simple answer is – dorks.
There are plethora of tools that automate the process of SQL injectable targets search. Just Google “dork scanner” and you will get references to tons of tools.

So my personal conclusions are:

  • That type of attack does not require high level of technical knowledge and basically can be carried out by any person having some idea about the security tools available today. So I can rate the sophistication level of those attacks as 2 (on scale of 1 to 10).
  • The number of targets proves that SQL injection vulnerabilities are still pretty common and they are still plenty of badly developed PHP applications out there (which is not really a surprise).

2 responses

  1. m0le Avatar
  2. ePsiLoN Avatar
    ePsiLoN

Leave a Reply

Your email address will not be published. Required fields are marked *