Last updated at Wed, 13 Dec 2023 23:42:19 GMT

It was an early Monday morning in the dead of winter. I had just finished breakfast, taken a shower, made a cup of hot cocoa, and sat down at my computer to start a new week of hacking. This week, I was assigned to test the website of a company that handled medical records. Healthcare providers and patients could access records through the web portal. It was super important that the site be secure, since medical records provide a wealth of information that makes identity theft easy and are highly prized in the internet underground.

I started out as usual, wandering around the site, checking its functionality, and making notes of areas that are likely to be vulnerable to various website weaknesses. I spent about 15 minutes checking things out. Then, I decided to manually test a few areas that looked promising for SQL injection (SQLi). The first thing I tested was the login form. I placed a single apostrophe in the username field and a bogus password in the password field and hit the “Enter” button.

SQLi has been harder to find lately, so I didn’t expect much to happen. Developers have been trained against it for years, and web application frameworks make it hard to implement by accident. So, I was very shocked to see a SQL error pop up onto my screen. It was very detailed, pointing out the specific area of the underlying database query that contained the error. The error message also helpfully exposed the majority of the query, making it trivial to devise a more targeted attack.

It took a second to register what I was seeing. When I finally got a hold of myself, I tried a simple authentication bypass, which worked. I was now authenticated as the site administrator without even knowing the password. I owned the site, practically by accident, and I hadn’t even finished my morning cocoa. Rather than play around with my new privileges, I decided to try some more exotic queries. Five minutes later, I was in the process of dumping the entire back-end database, including all the personal information it contained.
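The two mistakes the story describes, a login query built by string concatenation and a raw database error returned to the browser, are easy to reproduce side by side. The following is an added illustration and not code from Rapid7 or from the client’s site; the in-memory SQLite table, the user `admin`, and the password hashing scheme are all constructed for the demo (a real system would use a slow password KDF rather than plain SHA-256). The vulnerable version shows why a lone apostrophe produces a syntax error and why echoing that error back leaks the query; the fixed version passes the input as a bound parameter and returns only a generic failure message.

```python
import hashlib
import sqlite3


def make_db():
    """Constructed in-memory user table for the demo (not the client's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT, role TEXT)")
    conn.execute(
        "INSERT INTO users VALUES (?, ?, ?)",
        ("admin", hashlib.sha256(b"correct-horse").hexdigest(), "administrator"),
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the SQL by concatenation, so user input becomes part of the query text.

    A single apostrophe in the username unbalances the quoting and raises a
    syntax error; returning that error (with the query) to the user is exactly
    the information leak described above.
    """
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    query = (
        "SELECT role FROM users WHERE username = '" + username
        + "' AND pw_hash = '" + pw_hash + "'"
    )
    try:
        row = conn.execute(query).fetchone()
    except sqlite3.Error as exc:
        # Mimics the verbose error page: database message plus the failing query.
        return {"ok": False, "error": f"{exc}: {query}"}
    return {"ok": row is not None, "role": row[0] if row else None}


def login_fixed(conn, username, password):
    """Parameterised query: the driver sends the input as data, never as SQL."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    try:
        row = conn.execute(
            "SELECT role FROM users WHERE username = ? AND pw_hash = ?",
            (username, pw_hash),
        ).fetchone()
    except sqlite3.Error as exc:
        # Detail stays server-side (log it); the user only sees a generic failure.
        print(f"[server log] login query failed: {exc}")
        return {"ok": False, "error": "Login failed"}
    return {"ok": row is not None, "role": row[0] if row else None}


if __name__ == "__main__":
    db = make_db()
    # The apostrophe probe from the story: error leaked vs. clean "no match".
    print(login_vulnerable(db, "'", "bogus"))
    print(login_fixed(db, "'", "bogus"))
    # Legitimate credentials still work in the fixed version.
    print(login_fixed(db, "admin", "correct-horse"))
```

Running the script shows the vulnerable function returning an `unrecognized token` style SQLite error together with the full query, while the fixed function treats the apostrophe as an ordinary character and simply reports no matching user. Note that only the combination of parameterised queries and generic error pages removes both problems: binding parameters stops input from changing the query, and suppressing the raw error stops an attacker from learning the query’s shape when something else goes wrong.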

I contacted the client to verify whether this site was live and whether the data it contained was live production data, as mentioned on our kickoff call the week before. He confirmed once again that it was, so rather than continue with this avenue of investigation, I scheduled a conference call with him immediately. After all, this was people’s personal health information we were talking about.

On the call, I demonstrated what I had found and how easy it was for anyone on the internet to do the same. I stressed the importance that this be dealt with right away and offered my help. The client ended up shutting down the website completely for emergency maintenance, and we spent the next couple of days working with the site developers to get the problems fixed before putting it back into production.

Interested in learning more about how Rapid7 pen testers conduct their assessments? Check back every week for a new story in the series.