“Rewriting the laws” of a British Overseas territory with SQL Injection

How this security vulnerability could let anyone “rewrite the laws” of HM Government of Gibraltar.

Akshay ‘Ax’ Sharma
Jan 7 · 7 min read
The Rock of Gibraltar — Photo by Michal Mrozek on Unsplash
An overview for those who prefer video over reading (licensed under Creative Commons)

Note: As of publishing this article, the vulnerable sections of the website have been shut down, effectively resolving the vulnerability. Special thanks to Gareth Corfield of The Register for coordinating with the responsible disclosure.

“Do UK residents need a visa to visit Gibraltar,” was what I needed an answer to, which is why I stumbled upon Gibraltar’s Borders and Coastguard Agency website. Being a British Overseas Territory, Gibraltar falls sort of under the jurisdiction of the UK, yet has its own government and laws, so it’s a bit confusing. My intention at around 11 o’clock at night was to clarify just that — and get a solid good night’s sleep. Little did I realise this would turn into a long night of exploration.

The Borders and Coastguard Agency website had an outlink to the Gibraltar Immigration Act, which looked like:

Law and Policies page of Borders and Coastguard Agency, Gibraltar

To an everyday internet user, this doesn’t mean much, but when the front page of HM Government of Gibraltar Laws and Legislation website looks as follows, a techie would get suspicious. Notice the Secure Site logo at the bottom now as this is going to get interesting!

The outlink mentioned above, when clicked, displayed PDFs of laws and amendments under the Gibraltar Immigration Act, as predictable:

SQL Injection and database dumping

However, the dated website seemed like it could be vulnerable to something. Adding just a simple character — a single quote: (which when encoded becomes) at the end of the URL indeed confirmed my suspicion. The website was vulnerable to the easiest kind of SQL Injection: error-based.

Output of the link with a single quote added.

Unlike the previous few pages, which showed links to PDFs of laws and amendments, nothing appeared other than the page header for the link with a at the end, or so it seemed at first glance. This could just have been an error due to a “bad URL,” i.e. a 404 — not found page. Upon selecting and highlighting the entire page, however, the black-on-black text suddenly became visible!

That’s a proper MySQL error message spelling out the name of the table i.e. along with the fields that follow, giving an attacker the perfect opportunity to craft malicious input accordingly.

For those not familiar, in layman’s terms, a SQL Injection attack involves an attacker supplying user input, such as a username or password value, that tricks the database engine processing it into treating the input as a command to the database rather than as a mere data value. Normally, the username would be processed by the database engine as a plain value. A crafted input provided in place of the username, like may instead cause a vulnerable system to let an attacker into the user’s (Michael’s) account without requiring a password.
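To make the two behaviours described above concrete, here is an added illustration (not code from the Gibraltar site): the same login lookup built by string concatenation, which turns a stray quote into a raw engine error and a crafted username into a password-free match, beside the parameterised version that treats input strictly as data. It assumes an in-memory SQLite database as a stand-in for MySQL and a constructed `users` table.

```python
# Added example, not the affected site's code. SQLite stands in for MySQL;
# the users table and its single row are constructed sample data.
import sqlite3


def setup_db():
    conn = sqlite3.connect(":memory:")
    # Constructed sample data. A real system would store a password hash,
    # not the plaintext; the point here is only how the query is built.
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('michael', 'correct-horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string concatenation: user input becomes SQL."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error as exc:
        # A single quote in the input breaks the statement, and the raw
        # engine error is echoed back to the client. This is the
        # "error-based" symptom: MySQL's version named the table and fields.
        return {"ok": False, "error": str(exc)}
    # A username of the form  michael' --  comments out the password check,
    # so the row matches regardless of the password supplied.
    return {"ok": row is not None, "error": None}


def login_parameterized(conn, username, password):
    """Same lookup with bound parameters: the input is only ever data."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    # No statement to break, so a quote is just a character in a name
    # (Derick O'Brian is searchable) and the comment trick finds no row.
    return {"ok": row is not None, "error": None}
```

Run against the same database, the vulnerable function returns an error for `michael'` and a successful login for `michael' --` with any password, while the parameterised one returns a clean "no match" for both.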

At this point, it was clear the website suffers from error-based SQL Injection — not at one, but many places. Also, changing the parameter to or an invalid value dumped all PDFs:

A malformed value dumping all of the PDFs from the database

Another place where this interesting flaw could be noticed was the Employment Tribunal Judgements section which, according to the page, “contains judgments, rulings and decisions passed by the Employment Tribunal in Gibraltar dating back to 1999.”

Searching for just a single quote (‘) on the webpage, or a name with one, such as Derick O’Brian, will lead to a rather verbose SQL error message:

Using a simple penetration-testing and analysis tool like it isn’t too hard to peek further into everything the database of a vulnerable server contains. A simple test with a command like is enough to list all the databases and tables contained within a MySQL instance.

Out of these, everything else seemed to be either baseline SQL tables which contain routine information, or Gibraltar Laws website custom tables with public-facing information about laws, amendments, etc. The most interesting table out of all was .

The table, when analysed further with command, revealed the staff member names, usernames, password digests (hashes), the IP addresses used at the time of account registration, and other information. This is information about staff members who likely manage the content on the website, with enough privileges to edit or delete any articles, laws, amendments, and attached documents on the website — including pieces of legislation dating from 1887 all the way to the present day, 2020.

Password analysis and cracking

and other tools have inbuilt options to further analyse a table and offer quick dictionary-based ‘guessing’ of certain password digests on it, offline. A quick analysis of the digests revealed one of the passwords was extremely weak — a mere 6-digit date combination (perhaps a date of birth or anniversary). Although the password digest was stored in the table rather than the actual plaintext password, the password got easily revealed in less than a second. After all, even a regular computer can very well throw over 100,000 guesses per second and to crack a 6-digit password would be a piece of cake.

Once an attacker can get their hands on the username and password, they can modify or delete anything using the website’s CMS — including the very laws:

The not-so-subtle links on every page.
Sample login screen presented prior to modifying or deleting content

Bam! A successful login enables an attacker to “rewrite any law”, delete or upload new PDFs and tamper with other data.

Yup, not going to try deletion but I’m sure it works.

Suffice it to say, while the second step of this exploit, password analysis and cracking, looks impressive, the critical nature of the SQL Injection vulnerability itself means it isn’t necessary. With malicious input such as crafted queries alone, an attacker could modify, delete or tamper with any of the tables and database information. With more sophisticated SQL Injection payloads, one could even potentially achieve reverse-shell access.

So next time you choose to put a Secure Site logo at the bottom, make sure you’re covered against the most common critical vulnerabilities. ;)


Props to the staff of HM Government of Gibraltar. Not only was the flaw resolved within a week of reporting (following the long holiday break); the same day, a fresh website was launched replacing the previous one. Doesn’t it look pretty?

Gibraltar Laws website launched Jan 6, 2020

To learn ethical hacking and get started with vulnerability hunting on your own, feel free to check out The Complete Ethical Hacking Course Bundle.

© 2020. Akshay ‘Ax’ Sharma (Twitter). All Rights Reserved.

AxDB

Accidental eXposures Database (AxDB) — a publication featuring groundbreaking, firsthand vulnerability exposures affecting leading organisations and cyber systems, to which news media and research community can subscribe.
