Advertisement
Home
Sunday, 23 November 2008
  
 
Last week attacks
O.S.  Defs.  %
Linux  8778  71.58%
Win 2003  1950  15.90%
Win 2000  722  5.89%
Solaris 9/10  402  3.28%
FreeBSD  226  1.84%
Other  185  1.51%

Total attacks: 12263 of which 4619 single ip and 7644 mass defacements

Polls
Should Zone-H continue mirroring defacements? (floods will be purged)
 
Main Menu
Home
Digital Warfare
Geopolitics
ITsec News
ITsec Advisories
Test Drive
360°
Digital Attacks Archive
Zone-H events
Publications
Zone-H Friends/Partners
Contact Us
Search
Download Area
Zone-H forum
About this website
Login Form





Lost Password?
No account yet? Register
ZONE-H In Numbers
 News: 14559
 Advisories: 11
 Managers: 1
 Administrators: 1
 Super Administrators: 3
 Operators: 3
 Registered Users: 38293
 Downloadable Files: 3888
 Digital Attacks: 2981160
 Attacks On Hold: 3192
 Online Users: 86
Syndicate
Visitors' Map
Highlight on most recent attacks
jiefanglu.gov.cn/zkn.txt by ZoRRoKiN       ytjj.gov.cn/zkn.txt by ZoRRoKiN       bislig.gov.ph by Ashiyane Digital Security Team       prefeiturajoseraydan.com.br by Fatal Error       semag.taquarussu.ms.gov.br by Fatal Error       pmsaltodolontra.com.br by Fatal Error       cmirituia.com.br by Fatal Error       pmriobrancodoivai.com.br by Fatal Error       prefeituraborrazopolis.com.br by Fatal Error       pmcurionopolis.com.br by Fatal Error       
Latest advisories
Latest on Digital Warfare
Latest on Geopolitics
Microsoft Defaced, again! PDF Print E-mail
User Rating: / 175
PoorBest 
Wednesday, 27 June 2007

Very little time has passed from the last Microsoft defacement (Microsoft Technet), when yesterday Saudi Arabia crackers successfully compromised another Microsoft website: Microsoft.co.uk at the page http://www.microsoft.co.uk/events/net/eventdetail.aspx?eventid=8399.

At the time being, the defacement is still up and running even though not every browser will be capable to show it as too many users are trying now to load the hacker's injected CSS (Cascading Style Sheet)  located on an external host (h.1asphhost.com) which now has is suffering slow response time. 

By analyzing the HTML source code of the defaced page we can see some "extra" HTML code: 

"<link xhref=http://h.1asphost.com/remoter/css.css type=text/css rel=stylesheet>". 

The technique used by the attacker to deface Microsoft's page is probably based on a kind of SQL flaw (sql injection). In fact, after a short investigation we noticed how the V2 parameter passed to the PreRegister.aspx script, allows to execute both Cross Site Scripting attacks (www.microsoft.co.uk/events/net/PreRegister.aspx?eventID=p8399&v2="><script>alert(/XSS/)</script>) as well as SQL injection attacks, as you can deduct from the debug error message generated by the application. 

Most probably, the attacker exploited the site by means of SQL injection to insert the HTML code "<link xhref=http://h.1asphost.com/remoter/css.css type=text/css rel=stylesheet>" in a field belonging to the table which gets read every time a new page is generated. To discover the name of the table the attacker might have queried the database trying to read the system table "SysObjects" or even the INFORMATION_SCHEMA.TABLES view. We are just speculating here as the DBMS is most probably a MS SQL Server. 


The result after the defacement is this one:  

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 -- NEWS UPDATE --

The attacker has issued a video which shows  some proof of concepts related to SQL Injection flaws affecting http://www.microsoft.co.uk/.
In the video it is possible to see the attacker while getting usernames and passwords from Microsoft's database. The video is available here


Comments Index (Total Messages: 21)
jea Written by Guest on 2007-06-28 17:03:12
microsecurity Written by Guest on 2007-06-29 19:41:27
Re: microsecurity Written by Guest on 2007-06-30 19:09:02
Re: microsecurity Written by Guest on 2007-07-01 03:20:10
Re: microsecurity Written by Guest on 2007-07-05 18:38:56
Re: jea Written by Guest on 2007-07-02 15:29:15
someone Written by Guest on 2007-07-02 18:32:37
Mikkeyhack Written by Guest on 2007-07-02 22:54:05
gr33tz to iranian hackers Written by Guest on 2007-06-28 23:33:05
Re: gr33tz to iranian hackers Written by Guest on 2007-06-29 15:27:02
Re: gr33tz to iranian hackers Written by Guest on 2007-06-29 16:18:35
video is missing from unbase Written by Guest on 2007-07-02 23:26:02
the video link Written by Guest on 2007-11-18 11:34:37
Video down? Written by Guest on 2007-07-02 11:08:53
Re: Video down? Written by Guest on 2007-07-03 15:48:22
Re: Re: Video down? Written by Guest on 2007-09-04 18:19:30
Re: Re: Re: Video down? Written by Vympel on 2007-09-04 18:18:08
Greetz to my brothers from Saudi Arabia Written by Guest on 2007-07-03 00:26:56
the video again Written by 123123 on 2007-11-13 16:37:33
Re: gr33tz to iranian hackers Written by Guest on 2007-11-12 04:39:22
Re: Re: gr33tz to iranian hackers Written by Guest on 2008-07-28 13:57:11

Powered by a Zone-H(ified) version of AkoComment 3.0!


DISCLAIMER: Forum postings are the opinion of the posting author alone, and should not be taken as the opinion of Zone-h. The   author is entirely and solely responsible for all content that he/she uploads, posts, or otherwise transmits via the website. Zone-h is not responsible for such content. However, Zone-h shall have the right, but not the obligation, to delete, move, or edit any content that violates this agreement or is otherwise objectionable as determined by Zone-h in its sole discretion and without notice.
 
< Prev   Next >
[ Back ]
Advertisement
 
Top!
© 2008 Zone-H.org - Unrestricted Information
Joomla! is Free Software released under the GNU/GPL License.
 Top!