
228 points by mtlynch | 1 comment
mtlynch ◴[] No.44501414[source]

  sqlmap https://catwatchful.pink/webservice/servicios.php?operation=getDevice&imei=M6GPYXHZ95ULUFD0
  ...
  sqlmap identified the following injection points
This was the wildest part to me. I'd heard of sqlmap but I didn't realize it was so good that you can just hand it a URL that hits the database and the tool basically figures out from there how to dump the database contents if there's any SQL injection vulnerability.

>Intercepting my test phone’s traffic confirms that the files are directly uploaded to Firebase, and reveals that the commands for features like live photos are also handled through FCM. This is going to reduce our attack surface by a lot - nothing in Firebase is going to be IDORable or vulnerable to SQLI, and some quick testing eliminates any of the usual traps like open storage buckets or client-side service account credentials.

I was surprised at how the malware devs made such sloppy mistakes, but being on Firebase protected them from more severe vulnerabilities. I've seen other vendors get popped by configuring Firebase incorrectly, but it seems like if you configure the basics right, it cuts down the attack surface a lot.

1. nneonneo ◴[] No.44506752[source]
sqlmap not only figures out how to dump the DB, they even provide a handy "shell" mode that parses SQL, converts it into an injection payload, and executes it on the server. It feels just like having a mysql or sqlite etc. shell. It even supports things like reading files and executing commands (!) if the server supports them (and if the DB user has the appropriate credentials).

Even better, it knows how to exploit blind SQLi and has a number of tricks for doing so: it can often tell if a query is succeeding or failing based on HTTP error codes, and it will do things like try various SLEEP() injections to see if it can hang the server. If it finds any blind SQLi opportunities, it has the ability to dump the entire database *one bit at a time* by just doing a ton of requests in parallel.

You can actually hand it a file full of HTTP request headers and it'll automatically figure out where the potential injection points are, and send a bunch of requests formatted identically to the provided headers. You can practically automate SQL injection testing with a suitable MITM proxy and some scripting.

It has options for disguising requests, for bypassing WAFs, for submitting requests using custom protocols, and a ton more. Just a really well designed tool overall.
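Both comments above describe the two things a tool like sqlmap relies on: a request parameter spliced straight into SQL text, and a boolean or timing difference in the response that can be read back one bit at a time. The Python below is an added example, not code from the article or from either commenter. It puts a getDevice-style lookup with string-built SQL next to its parameterized fix, checks which of the two still leaks a boolean oracle (a regression test you would keep after fixing such an endpoint), and runs a small detector over access-log lines for the time-based and tautology probes the second comment mentions. The table, column names, IP addresses and log lines are constructed for the example; only the endpoint path comes from the thread, and the `sqlmap/` user-agent check only catches a scanner left at its default.

```python
import re
import sqlite3
from urllib.parse import unquote_plus


def make_db():
    """Constructed in-memory stand-in for the table behind getDevice.
    Table and column names are assumptions, not taken from the article."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE devices (imei TEXT PRIMARY KEY, owner TEXT)")
    conn.executemany("INSERT INTO devices VALUES (?, ?)",
                     [("IMEI-A", "alice"), ("IMEI-B", "bob")])
    return conn


def get_device_vulnerable(conn, imei):
    """The defect class sqlmap hunts for: the request parameter is pasted into
    the SQL text, so quotes and operators inside it become part of the query."""
    sql = "SELECT owner FROM devices WHERE imei = '%s'" % imei
    return [row[0] for row in conn.execute(sql)]


def get_device_safe(conn, imei):
    """Hardened form: a bound parameter is always one literal value."""
    sql = "SELECT owner FROM devices WHERE imei = ?"
    return [row[0] for row in conn.execute(sql, (imei,))]


def has_boolean_oracle(handler, conn, known_imei):
    """Regression check: a true and a false tautology appended to a valid value
    must give the same result. If they differ, the handler exposes the boolean
    'oracle' a blind-SQLi tool reads one bit at a time."""
    true_probe = known_imei + "' AND '1'='1"
    false_probe = known_imei + "' AND '1'='2"
    return handler(conn, true_probe) != handler(conn, false_probe)


# Combined-log-like layout: ip ident user [time] "method uri proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \d+ "[^"]*" "([^"]*)"$'
)
# Time-based probe tells (checked after URL-decoding, case-insensitive).
TIME_PROBE = re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(|waitfor\s+delay", re.I)
# Quote followed by AND/OR and a comparison: the boolean probe shape.
BOOL_PROBE = re.compile(r"'\s*(and|or)\s+'?\w+'?\s*=\s*'?\w+", re.I)

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jul/2025:10:00:01 +0000] "GET /webservice/servicios.php?operation=getDevice&imei=IMEI-A HTTP/1.1" 200 312 "-" "okhttp/4.9"',
    '10.0.0.9 - - [01/Jul/2025:10:00:07 +0000] "GET /webservice/servicios.php?operation=getDevice&imei=IMEI-A%27%20AND%20SLEEP(5)--%20- HTTP/1.1" 200 312 "-" "sqlmap/1.7 (https://sqlmap.org)"',
    '10.0.0.9 - - [01/Jul/2025:10:00:08 +0000] "GET /webservice/servicios.php?operation=getDevice&imei=IMEI-A%27%20AND%20%271%27%3D%272 HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
]


def flag_sqli_probes(lines):
    """Return (ip, decoded_uri, reasons) for each line that looks like a
    blind-SQLi probe. Decoding first matters: payloads arrive percent-encoded."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than guess
        ip, _method, uri, _status, ua = m.groups()
        decoded = unquote_plus(uri)
        reasons = []
        if TIME_PROBE.search(decoded):
            reasons.append("time-based probe")
        if BOOL_PROBE.search(decoded):
            reasons.append("boolean tautology")
        if "sqlmap/" in ua.lower():
            reasons.append("sqlmap user-agent")
        if reasons:
            hits.append((ip, decoded, reasons))
    return hits


if __name__ == "__main__":
    db = make_db()
    print("vulnerable leaks oracle:", has_boolean_oracle(get_device_vulnerable, db, "IMEI-A"))
    print("parameterized leaks oracle:", has_boolean_oracle(get_device_safe, db, "IMEI-A"))
    for ip, uri, why in flag_sqli_probes(SAMPLE_LOG):
        print(ip, why, uri)
```

The oracle check is the useful half for a code owner: it turns "we parameterized the query" into something a test suite can assert. The log detector is deliberately narrow; a scanner can rename its user-agent and vary payload spelling, so treat a hit as a reason to look at the endpoint's query construction, not as the only signal.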