MySQL.com taken out - with SQL injection attack

Viruses, hackers and crackers
Ron2K
Forum Technical Administrator
Posts: 9050
Joined: 04 Jul 2006, 16:45
Location: Upper Hutt, New Zealand

MySQL.com taken out - with SQL injection attack

Post by Ron2K »

An email was sent out earlier today on the Full-Disclosure mailing list, detailing the compromise of numerous MySQL websites along with portions of their database containing usernames and passwords.

MySQL offers database software and services for businesses at an enterprise level as well as services for online retailers, web forums and even governments. The vulnerability behind the attack, which was carried out using blind SQL injection and targeted servers including MySQL.com, MySQL.fr, MySQL.de and MySQL.it, was initially found by "TinKode" and "Ne0h" of Slacker.Ro (according to their pastebin.com/BayvYdcP dump of the stolen credentials) but published by "Jackh4x0r".

The stolen database contains both member and employee email addresses and credentials, as well as tables with customer and partner information and internal network details. Hashes from the database have been posted, some of which have already been cracked.
Source

Ouch...
Kia kaha, Kia māia, Kia manawanui.
Tribble
Registered User
Posts: 88465
Joined: 08 Feb 2007, 02:00
Processor: Intel Core i7-4770K CPU@3.50GHz
Motherboard: ACPI x64-based PC
Graphics card: GeForce GTX 780 Ti
Memory: 16GB
Location: Not here

Re: MySQL.com taken out - with SQL injection attack

Post by Tribble »

Wow - we use MySQL for many of our music and spot databases. Thanks for the heads up.
-Prometheus-
Resident Drama Llama
Posts: 967
Joined: 05 Mar 2008, 02:00

Re: MySQL.com taken out - with SQL injection attack

Post by -Prometheus- »

........
Last edited by -Prometheus- on 04 Apr 2011, 04:39, edited 1 time in total.
BBLounge - Broadband and Technology forum
Please like our facebook page
Tribble
Registered User
Posts: 88465
Joined: 08 Feb 2007, 02:00
Processor: Intel Core i7-4770K CPU@3.50GHz
Motherboard: ACPI x64-based PC
Graphics card: GeForce GTX 780 Ti
Memory: 16GB
Location: Not here

Re: MySQL.com taken out - with SQL injection attack

Post by Tribble »

I am going to check nonetheless.
hamin_aus
Forum Moderator
Posts: 18363
Joined: 28 Aug 2003, 02:00
Processor: Intel i7 3770K
Motherboard: GA-Z77X-UP4 TH
Graphics card: Galax GTX1080
Memory: 32GB G.Skill Ripjaws
Location: Where beer does flow and men chunder

Re: MySQL.com taken out - with SQL injection attack

Post by hamin_aus »

MySQfaiL

You get what you pay for.
rustypup
Registered User
Posts: 8872
Joined: 13 Dec 2004, 02:00
Location: nullus pixius demonica

Re: MySQL.com taken out - with SQL injection attack

Post by rustypup »

q: how often do the package devs get involved in the web interface?
a: less than 0.00002% of the time..

bad web dev != bad MySQL... just saying... lousy internet presence should hardly be equated to vulnerabilities in the product... MySQL has plenty of flaws, but this "hack" is a flaw shared by every SQL engine out there....
Most people would sooner die than think; in fact, they do so - Bertrand Russell
hamin_aus
Forum Moderator
Posts: 18363
Joined: 28 Aug 2003, 02:00
Processor: Intel i7 3770K
Motherboard: GA-Z77X-UP4 TH
Graphics card: Galax GTX1080
Memory: 32GB G.Skill Ripjaws
Location: Where beer does flow and men chunder

Re: MySQL.com taken out - with SQL injection attack

Post by hamin_aus »

rustypup wrote:MySQL has plenty of flaws
Oh, the thesis I could write in reply to this statement :lol:
senile
Registered User
Posts: 471
Joined: 05 Mar 2008, 02:00

Re: MySQL.com taken out - with SQL injection attack

Post by senile »

jamin_za wrote:
rustypup wrote:MySQL has plenty of flaws
Oh, the thesis I could write in reply to this statement :lol:
We're here now, you might as well entertain us: MySQL vs MSSQL in this regard?
RuadRauFlessa
Registered User
Posts: 20576
Joined: 19 Sep 2003, 02:00
Location: Bloodbank

Re: MySQL.com taken out - with SQL injection attack

Post by RuadRauFlessa »

@Senile: A user on MSSQL with the correct rights can grant permissions and create users the same as can be done in MySQL......
The flaw is that the user used for accessing the database from a web front end should under no condition have the required access to perform such operations. It is an implementation flaw rather than a SQL design flaw. You can have the most secure system in the world but if it is not used correctly it will be as secure as a piece of Swiss cheese....


Oh my.... the CHEESE.... :P
:rock: :rock: :rock: :rock: :rock: :rock: :rock: :rock: :rock: :rock:
Intel Core i7-2600k @ 3.4GHz
Corsair Vengeance 2x4GB DDR3 2000MHz
Thermaltake Toughpower 850W
ASUS nVidia GTX560 1GB
CoolerMaster HAF 932
hamin_aus
Forum Moderator
Posts: 18363
Joined: 28 Aug 2003, 02:00
Processor: Intel i7 3770K
Motherboard: GA-Z77X-UP4 TH
Graphics card: Galax GTX1080
Memory: 32GB G.Skill Ripjaws
Location: Where beer does flow and men chunder

Re: MySQL.com taken out - with SQL injection attack

Post by hamin_aus »

senile wrote:MySQL vs MSSQL
Rant inbound...

MySQL does not do replication well, it does not do recovery well, it cannot do transactional processing with any degree of reliability, its user interface would have been tiresome 20 years ago, it does not adhere to SQL norms and syntax in a lot of fundamentally silly ways and even the simplest of configuration and troubleshooting steps are a chore.
What it does do well is cost nothing and run simple queries fast. It is good for serving webpages or hosting dumb data stores.
It is over-hyped by fanboi developers and up until version 5 and InnoDB I would have flat out refused to even look at it as a database option.

I am completely amazed by people's attempts to build complex applications around it. Just because it is free and every half-arsed developer and his fleshlight can install one and begin writing software for it does not mean you should. I have watched some truly laughable attempts to integrate it into Windows environments, I have seen some very creative ways people have tried to get it to aggregate data - just because it makes a neat data warehouse, does not mean it can also process that raw data into something usable...

Facebook has a MySQL farm. That should tell you everything you need to know.

I'm not going to extol the virtues of MSSQL - just read all the faults I listed about MySQL and know MSSQL does it better.
It's not perfect, it has its drawbacks, it needs more money, bigger hardware and you will probably pay your devs and admins more to look after it, but it's not for nickel-and-dime operators.
RuadRauFlessa wrote:A user on MSSQL with the correct rights can grant permissions and create users the same as can be done in MySQL
wat?
-Prometheus-
Resident Drama Llama
Posts: 967
Joined: 05 Mar 2008, 02:00

Re: MySQL.com taken out - with SQL injection attack

Post by -Prometheus- »

........
Last edited by -Prometheus- on 04 Apr 2011, 04:39, edited 1 time in total.
hamin_aus
Forum Moderator
Posts: 18363
Joined: 28 Aug 2003, 02:00
Processor: Intel i7 3770K
Motherboard: GA-Z77X-UP4 TH
Graphics card: Galax GTX1080
Memory: 32GB G.Skill Ripjaws
Location: Where beer does flow and men chunder

Re: MySQL.com taken out - with SQL injection attack

Post by hamin_aus »

I was asked to comment on MySQL vs MSSQL - you must have missed that part because your reply is telling me not to compare them...
-Prometheus- wrote:I'll bet if you compare MSSQL you will find flaws there that are not in MySQL.
Find me some.
-Prometheus- wrote:The same way I would entrust my life to the best opensource app, Truecrypt, but I won't touch MS' proprietary Shytelocker carp.
http://esec-lab.sogeti.com/dotclear/ind ... pt-english
-Prometheus- wrote:MySQL does a near perfect job for what it was intended to do.
I already said it did.
-Prometheus- wrote:So much actually that even large organisations are using it with great success for what it wasn't intended for.
Which large corporations, and what are they using it for :?:
-Prometheus- wrote:using bookface as an example, come on man!!!
Why not? Facebook is a perfect example of a basic and fairly dumb database. One person puts stuff in and then thousands read from it. There is virtually no data transformation. Once it is in there, it's in there.
-Prometheus- wrote:Don't blame the developer's mistake on the software used.
In this case the developers who allowed the vulnerability also wrote the backend that was exploited. Who should I blame here?
-Prometheus- wrote:I will continue to use it and not pay extra for a windows webhost with no benefit.
You still don't get my argument. Using it as a webhost is fine. That is what it was built to do.
Use it for something complex and see how far you get.
-Prometheus-
Resident Drama Llama
Posts: 967
Joined: 05 Mar 2008, 02:00

Re: MySQL.com taken out - with SQL injection attack

Post by -Prometheus- »

........
Last edited by -Prometheus- on 04 Apr 2011, 04:39, edited 1 time in total.
hamin_aus
Forum Moderator
Posts: 18363
Joined: 28 Aug 2003, 02:00
Processor: Intel i7 3770K
Motherboard: GA-Z77X-UP4 TH
Graphics card: Galax GTX1080
Memory: 32GB G.Skill Ripjaws
Location: Where beer does flow and men chunder

Re: MySQL.com taken out - with SQL injection attack

Post by hamin_aus »

-Prometheus- wrote:
jamin_za wrote:
-Prometheus- wrote:I'll bet if you compare MSSQL you will find flaws there that are not in MySQL.
Find me some.
Since I haven't really used it..
For the record, I have supported both databases, so I know their relative strengths and weaknesses.
At the end of the day, if you want simple stuff done really fast, use MySQL
If you want a full featured, robust DBMS for both transactional and analytical application use MSSQL (or Oracle, or DB2, or ADABAS - but that's a different argument)
-Prometheus-
Resident Drama Llama
Posts: 967
Joined: 05 Mar 2008, 02:00

Re: MySQL.com taken out - with SQL injection attack

Post by -Prometheus- »

........
Last edited by -Prometheus- on 04 Apr 2011, 04:42, edited 1 time in total.
RuadRauFlessa
Registered User
Posts: 20576
Joined: 19 Sep 2003, 02:00
Location: Bloodbank

Re: MySQL.com taken out - with SQL injection attack

Post by RuadRauFlessa »

jamin_za wrote:For the record, I have supported both databases, so I know their relative strengths and weaknesses.
At the end of the day, if you want simple stuff done really fast, use MySQL
If you want a full featured, robust DBMS for both transactional and analytical application use MSSQL (or Oracle, or DB2, or ADABAS - but that's a different argument)
Wow this is probably the first time ever I have to agree with hamin.... scary...

Seriously people... The particular exploit is not a flaw of a DBMS but rather a combination of bad administration and coding. If the coders who did the website (And for the record I can guarantee you that it isn't the same bloke who wrote the MySQL DBMS) had half a brain they would guard against SQL Injection. If their DBA had half a brain he would not allow them to connect to the DBMS with a user who has administrative rights.
:rock: :rock: :rock: :rock: :rock: :rock: :rock: :rock: :rock: :rock:
Intel Core i7-2600k @ 3.4GHz
Corsair Vengeance 2x4GB DDR3 2000MHz
Thermaltake Toughpower 850W
ASUS nVidia GTX560 1GB
CoolerMaster HAF 932
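The point RuadRauFlessa makes here, and in the earlier reply about the web front end's database user, is that the hole sits in the web code and in the rights handed to its database account, not in the engine. The following is an added example written for this page, not code from the thread, from MySQL or from the MySQL.com site; it uses Python's bundled sqlite3 as a stand-in for the database server, with constructed rows, and a sqlite3 authorizer callback in place of a MySQL account that has been granted only SELECT. Both halves of the argument are shown: the query built from a string versus the parameterised one, and what a destructive statement does against a full-rights connection versus a read-only one.

```python
import sqlite3


# Constructed, in-memory stand-in for a web application's database.
# sqlite3 is used only because it ships with Python; the rows are made up.
def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, pw_hash TEXT);
        INSERT INTO users (username, pw_hash) VALUES ('alice', 'hash-a');
        INSERT INTO users (username, pw_hash) VALUES ('bob', 'hash-b');
    """)
    return conn


def find_user_vulnerable(conn, username):
    """Builds the SQL text from the input, so the input can change the query's meaning."""
    sql = "SELECT username FROM users WHERE username = '%s' ORDER BY username" % username
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, username):
    """Parameterised: the value travels separately and is never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ? ORDER BY username"
    return [row[0] for row in conn.execute(sql, (username,))]


def read_only_authorizer(action, arg1, arg2, db_name, trigger_or_view):
    """Stand-in for a read-only database account: permit SELECT, deny everything else.

    On a real server this policy would live in the account's GRANTs, not in the client.
    """
    if action in (sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ):
        return sqlite3.SQLITE_OK
    return sqlite3.SQLITE_DENY


def web_tier_connection(conn):
    """Attach the read-only policy to the connection the web front end would use."""
    conn.set_authorizer(read_only_authorizer)
    return conn


def try_delete_all(conn):
    """Attempt a destructive statement; returns 'allowed' or 'denied'."""
    try:
        conn.execute("DELETE FROM users")
        return "allowed"
    except sqlite3.Error:
        # sqlite refuses to prepare the statement when the authorizer denies it
        return "denied"


if __name__ == "__main__":
    db = setup_db()
    probe = "x' OR '1'='1"  # constructed input; it is not a real username
    print(find_user_vulnerable(db, probe))  # every row: the WHERE clause was rewritten
    print(find_user_safe(db, probe))        # []: looked for a user literally named that
    print(try_delete_all(db))               # allowed: this connection has full rights
    print(try_delete_all(web_tier_connection(setup_db())))  # denied: read-only account
```

The parameterised query is what stops the input from being read as SQL at all; the authorizer shows the second line of defence, that a web-tier account holding only the rights it needs cannot delete tables or create users even if the application code does have a hole. On a real MySQL deployment that second half corresponds to a dedicated account for the website, granted only the statements it needs on the application's own tables, instead of the administrative account the thread is complaining about.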
JollyJamma
Registered User
Posts: 446
Joined: 21 Dec 2010, 09:02

Re: MySQL.com taken out - with SQL injection attack

Post by JollyJamma »

Jamin Vs. religion and -Prometheus-
Jamin Vs. MySql and -Prometheus-

Why you argue so much?
I no longer think of myself as Atheist however I reject religion as a concept where you must do x because someone says so. May contain nuts.
hamin_aus
Forum Moderator
Posts: 18363
Joined: 28 Aug 2003, 02:00
Processor: Intel i7 3770K
Motherboard: GA-Z77X-UP4 TH
Graphics card: Galax GTX1080
Memory: 32GB G.Skill Ripjaws
Location: Where beer does flow and men chunder

Re: MySQL.com taken out - with SQL injection attack

Post by hamin_aus »

Image
Image
JollyJamma
Registered User
Posts: 446
Joined: 21 Dec 2010, 09:02

Re: MySQL.com taken out - with SQL injection attack

Post by JollyJamma »

egzackery