COLOMBIAN CONSERVATIVE PARTY
DISCLOSURE OF PRIVATE INFORMATION
Long after the vote, I became curious to check the security of the political parties' websites, obviously those of my country of origin. After several attempts on other sites such as partidoverde.org.co and partidocambioradical.org, I stumbled upon partidoconservador.org and tried to find a critical vulnerability that would allow me to see private information. After a few minutes I found I could inject SQL code and maybe, with luck, access the application as a super user.
BINGO! I was able to inject SQL code to get the tables, fields and records, so now I have 2 things left to do. The first, decrypt the hash, which unfortunately is MD5, and the second, find the admin panel. In my first step, I hit a dead end with the first user: the hash was not in any of the databases of my preferred MD5 decryption pages. But hell, I got lucky with the second user and did decrypt the password. Now I am ready to find the admin panel. With a good dictionary, I start my "Admin Panel Finder" (coded in Perl) and voilà! I am lucky again, and in a span of about 15 minutes I have everything I need to log in as a super user and try to find private information, which is what I mainly wanted to do.
And with much satisfaction I get to see:
After logging in with the data obtained by iSQL.

List of all users with the personal information of each.