    227 points mtlynch | 17 comments
    1. mtlynch ◴[] No.44501414[source]

      sqlmap https://catwatchful.pink/webservice/servicios.php?operation=getDevice&imei=M6GPYXHZ95ULUFD0
      ...
      sqlmap identified the following injection points
    
    This was the wildest part to me. I'd heard of sqlmap but I didn't realize it was so good that you can just hand it a URL that hits the database and the tool basically figures out from there how to dump the database contents if there's any SQL injection vulnerability.

    >Intercepting my test phone’s traffic confirms that the files are directly uploaded to Firebase, and reveals that the commands for features like live photos are also handled through FCM. This is going to reduce our attack surface by a lot - nothing in Firebase is going to be IDORable or vulnerable to SQLI, and some quick testing eliminates any of the usual traps like open storage buckets or client-side service account credentials.

    I was surprised at how the malware devs made such sloppy mistakes but being on Firebase protected them from more severe vulnerabilities. I've seen other vendors get popped by configuring Firebase incorrectly, but it seems like if you configure the basics right, it cuts down the attack surface a lot.

    replies(7): >>44501856 #>>44502507 #>>44502986 #>>44503559 #>>44505103 #>>44506752 #>>44507826 #
    2. supriyo-biswas ◴[] No.44501856[source]
    The incorrect Firebase configuration usually stems from people trying to have the frontend write database entries directly, however these developers usually had an old-school backend sending structured objects to Firebase, so that issue was kinda mitigated.
    3. sigmoid10 ◴[] No.44502507[source]
    >I'd heard of sqlmap but I didn't realize it was so good

    The blog correctly explains how it has become pretty useless in our age where no one writes their own database integration anymore and everyone uses off-the-shelf components, but man... I remember a time when it felt like literally every sufficiently complex web service was vulnerable to SQL injection. You could write a small wrapper for sqlmap, hook it up to the results of a scraper, let it run overnight on every single piece of data sent to the server and the next day you'd have a bunch of entry points to choose from. It even handled WAFs to some degree. I'm out of it-sec for several years now, but I still remember every single command line argument for sqlmap like it was yesterday.

    replies(1): >>44504499 #
    4. RankingMember ◴[] No.44502986[source]
    I agree, I'm blown away at the level to which this kind of probing and exfiltration has been abstracted. Not quite surprised that years of iteration have led to this, but still, I didn't realize it'd become this easy.
    5. jerf ◴[] No.44503559[source]
    "I'd heard of sqlmap but I didn't realize it was so good that you can just hand it a URL that hits the database and the tool basically figures out from there how to dump the database contents if there's any SQL injection vulnerability."

    If there's one lesson I'd convey to people about security it is do not underestimate your foes. They've been building tools for decades just like any other discipline.

    Tech to find a hole in your system that lets you run an arbitrary-but-constrained fragment of shell code that can put a small executable on to the system that puts a larger executable on that lifts itself up to root and also joins a centralized command-and-control server with the ability to push arbitrary code across entire clusters of owned systems is not some sort of bizarre, exotic technology that people only dream of... it's off-the-shelf tech. It's a basic building block. Actually sophisticated attackers build up from there.

    If $YOU're operating on the presumption I see so often that the script kiddies blind-firing Wordpress vulnerabilities at servers is the height of attacker's sophistication $YOU are operating at an unrecoverable disadvantage against these people.

    6. technion ◴[] No.44504499[source]
    I've always admired HN for bringing me people in very different spaces. Of the development teams I've worked with in the last year pretty much all of them were writing injectable code by default. I've got an email from an executive in a SaaS telling me they aren't worried because they geofilter China.
    replies(4): >>44504713 #>>44504862 #>>44505518 #>>44507307 #
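Added example, not code from any commenter or from the software discussed: the lookup-by-client-supplied-identifier pattern from the first comment, written once with string concatenation (the "injectable by default" style) and once with a bound parameter, against a constructed in-memory SQLite table. Table, function and sample values are assumptions; the point is that the error and tautology behaviour a scanner keys on disappears entirely once the value is bound instead of spliced into the query text.

```python
import sqlite3

# Constructed sample table standing in for a device record fetched by a
# client-supplied identifier (values are made up for this example).
SAMPLE_ROWS = [
    ("AAAA000011112222", "phone-a"),
    ("BBBB333344445555", "phone-b"),
    ("CCCC666677778888", "phone-c"),
]


def _connect():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE devices (imei TEXT PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO devices VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def get_device_vulnerable(imei):
    """Builds the query by concatenation: the caller's input becomes SQL syntax."""
    query = "SELECT imei, name FROM devices WHERE imei = '" + imei + "'"
    return _connect().execute(query).fetchall()


def get_device_safe(imei):
    """Parameterised query: the input is bound as a value, never parsed as SQL."""
    query = "SELECT imei, name FROM devices WHERE imei = ?"
    return _connect().execute(query, (imei,)).fetchall()


def probe(func, imei):
    """Return ('ok', rows) or ('error', message). The difference between the
    two outcomes is the signal automated injection tools look for."""
    try:
        return ("ok", func(imei))
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    for label, inp in [("normal", "AAAA000011112222"),
                       ("stray quote", "AAAA'"),
                       ("tautology", "x' OR '1'='1")]:
        print(label, "vulnerable:", probe(get_device_vulnerable, inp))
        print(label, "safe:      ", probe(get_device_safe, inp))
```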
    7. fancyswimtime ◴[] No.44504713{3}[source]
    what?
    8. Lucasoato ◴[] No.44504862{3}[source]
    Implying Chinese hackers can't use a VPN to bypass that geofilter lol
    replies(1): >>44505184 #
    9. GuB-42 ◴[] No.44505184{4}[source]
    Even more ironic considering that China already geofences itself and using a VPN is pretty much a requirement if you want to communicate with the outside world.

    Chances are that these hackers are bypassing that filter without even realizing it.

    replies(1): >>44505309 #
    10. jojobas ◴[] No.44505309{5}[source]
    Chinese state-employed hackers don't have to worry about VPNs.
    replies(1): >>44509241 #
    11. transcriptase ◴[] No.44505518{3}[source]
    The real security pros set their keyboard language to Russian.
    replies(2): >>44506599 #>>44507292 #
    12. carlmr ◴[] No.44506599{4}[source]
    Isn't it enough to have the Cyrillic keyboard installed?
    13. nneonneo ◴[] No.44506752[source]
    sqlmap not only figures out how to dump the DB, they even provide a handy "shell" mode that parses SQL, converts it into an injection payload, and executes it on the server. It feels just like having a mysql or sqlite etc. shell. It even supports things like reading files and executing commands (!) if the server supports them (and if the DB user has the appropriate credentials).

    Even better, it knows how to exploit blind SQLi and has a number of tricks for doing so: it can often tell if a query is succeeding or failing based on HTTP error codes, and it will do things like try various SLEEP() injections to see if it can hang the server. If it finds any blind SQLi opportunities, it has the ability to dump the entire database *one bit at a time* by just doing a ton of requests in parallel.

    You can actually hand it a file full of HTTP request headers and it'll automatically figure out where the potential injection points are, and send a bunch of requests formatted identically to the provided headers. You can practically automate SQL injection testing with a suitable MITM proxy and some scripting.

    It has options for disguising requests, for bypassing WAFs, for submitting requests using custom protocols, and a ton more. Just a really well designed tool overall.

    14. HenryBemis ◴[] No.44507292{4}[source]
    oh damn you're showing your age here!! :)
    15. HenryBemis ◴[] No.44507307{3}[source]
    Ship, ship, ship, and when we get discovered we/you/they write a nice corp spin email "we deeply care for our customers, acted responsibly to inform our clients promptly and worked fast to mitigate all relevant risks" (I've read enough of this BS comms so I don't need LLMs to make one for me). Right?
    16. tonyhart7 ◴[] No.44507826[source]
    this PHP webserver, it's no wonder
    17. GuB-42 ◴[] No.44509241{6}[source]
    I wonder how many of these "state-employed hackers" are just random criminals and their bots, doing regular criminal stuff like stealing money from bank accounts.

    I easily see people claiming they are the target of a foreign government because it gives them importance and it is less shameful than a spam botnet.