Note: As of publishing this article, the vulnerable sections of the website have been shut down, effectively resolving the vulnerability. Special thanks to Gareth Corfield of The Register for coordinating with the responsible disclosure.
“Do UK residents need a visa to visit Gibraltar,” was what I needed an answer to, which is why I stumbled upon Gibraltar’s Borders and Coastguard Agency website. Being a British Overseas Territory, Gibraltar falls sort of under the jurisdiction of the UK, yet has its own government and laws so it’s a bit confusing. My intention at around 11 o’ clock at night was to clarify just that — and get a solid goodnight’s sleep. Little did I realise this would turn into a long night of exploration.
The Borders and Coastguard Agency website had an outlink to Gibraltar Immigration Act, which looked like:
To an everyday internet user, this doesn’t mean much, but when the front page of HM Government of Gibraltar Laws and Legislation website looks as follows, a techie would get suspicious. Notice the Secure Site logo at the bottom now as this is going to get interesting!
The outlink mentioned above, when clicked, displayed PDFs of laws and amendments under the Gibraltar Immigration Act, as predictable:
SQL Injection and database dumping
However, the dated website seemed like it could be vulnerable to something. Adding just a simple character — a single quote:
' (which when encoded becomes
%27) at the end of the URL indeed confirmed my suspicion. The website was vulnerable to the easiest kind of SQL Injection: error-based.
Unlike previous few pages which showed links to PDFs of laws and amendments, nothing appeared other than the page header for the link with a
‘at the end, or so it seemed at first glance. This could just have been an error due to a “bad URL,” i.e. a 404 — not found page. Upon selecting and highlighting the entire page, however, the black-on-black text became suddenly visible!
Error in query: SELECT * FROM `article` WHERE group_id=’000000062'’ AND category=’c’. You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘c’’ at line 1
That’s a proper MySQL error message spelling out the name of the table i.e.
article along with the fields that follow, giving an attacker the perfect opportunity to craft malicious input accordingly.
For those not familiar, in layman’s terms, SQL Injection attacks deal with an attacker providing such a user input — such as a username or password value which tricks the database engine processing that value, into treating the input as a command to the database, as opposed to a mere data value. So, for example, normally username
michael would be processed by a database engine normally, as a value. A crafted input provided in place of the username, like
michael'-- may instead cause a vulnerable system to let an attacker access the user’s (Michael’s) account without requiring a password.
At this point, it was clear the website suffers from error-based SQL Injection — not at one, but many places. Also, changing the
group_id parameter to
0 or an invalid value dumped all PDFs:
Another place where this interesting flaw could be noticed was the Employment Tribunal Judgements section which, according to the page, “contains judgments, rulings and decisions passed by the Employment Tribunal in Gibraltar dating back to 1999.”
Searching for just a single quote (‘) on the webpage, or a name with one, such as Derick O’Brian, will lead to a rather verbose SQL error message:
Error in query: SELECT * FROM industrial_tribunal_judgement WHERE itj_title LIKE ‘%’%’ OR itj_case_number LIKE ‘%’%’ OR itj_keywords LIKE ‘%\’%’ AND itj_keywords LIKE ‘%%’ AND itj_keywords LIKE ‘%%’ AND itj_keywords LIKE ‘%%’ AND itj_keywords LIKE ‘%%’ AND (itj_tribunal = ‘dummy’ OR itj_tribunal = ‘t’ OR itj_tribunal = ‘a’) AND (itj_type = ‘dummy’ OR itj_type = ‘j’ OR itj_type = ‘d’ OR itj_type = ‘r’) ORDER BY itj_date_passed DESC. You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘%’ OR itj_case_number LIKE ‘%’%’ OR itj_keywords LIKE ‘%\’%’ AND itj_keywords LI’ at line 1
Using a simple penetration testing and analysis tool like
sqlmap it isn’t too hard to peek further for what all the database of a vulnerable server contains. A simple test with a command like
./sqlmap.py -u <URL> --schema is enough to list all the databases and tables contained within a MySQL instance.
Out of these, everything else seemed to be either baseline
information_schema SQL tables which contain routine information, or Gibraltar Laws website custom tables with public-facing information about laws, amendments, etc. The most interesting table out of all was
user table when analysed further with
-t command, revealed: the staff member names, usernames, password digests (hashes), the IP addresses used at the time of account registration, and other information. This is information about staff members who likely manage the content on the website, with enough privileges to edit or delete any articles, laws, amendments, and attached documents on the website — including pieces of legislation dating all the way back from 1887 to present day, 2020.
Password analysis and cracking
sqlmap and other tools have inbuilt options to further analyse a table and offer quick dictionary-based ‘guessing’ of certain password digests on it, offline. A quick analysis of the digests revealed one of the passwords was extremely weak — a mere 6-digit date combination (perhaps a date of birth or anniversary). Although the password digest was stored in the table rather than the actual plaintext password, the password got easily revealed in less than a second. After all, even a regular computer can very well throw over 100,000 guesses per second and to crack a 6-digit password would be a piece of cake.
Once an attacker can get their hands on the username and password, they can modify or delete anything using the website’s CMS — including the very laws:
Bam! A successful login enables an attacker to “rewrite any law”, delete or upload new PDFs and tamper with other data.
Yup, not going to try deletion but I’m sure it works.
Although suffice to say, while the second-step of this exploit — password analysis and cracking looks impressive, the critical nature of SQL Injection vulnerability itself means it isn’t necessary. With malicious input such as crafted queries alone an attacker could modify, delete or tamper with any of the tables and database information. With more sophisticated SQL Injection payloads, one could even potentially achieve reverse-shell access.
So next time you choose to put a Secure Site logo at the bottom, make sure you’re covered against the most common critical vulnerabilities. ;)
Props to the staff of HM Government of Gibraltar. Not only was the flaw resolved within a week of reporting — following the long holiday break, the same day a fresh website was launched replacing the previous one. Doesn’t it look pretty?