MySQL.com compromised

March 27, 2011David Dede40 Comments

MySQL.com (the official site for the MySQL database) was compromised via (shocking!) blind SQL injection. A post was sent today to the full disclosure list explaining the issue and dumping part of their internal database structure.

Vulnerable Target : http://mysql.com/customers/view/index.html?id=1170
Host IP : 213.136.52.29
Web Server : Apache/2.2.15 (Fedora)
Powered-by : PHP/5.2.13
Injection Type : MySQL Blind
Current DB : web

It seems their customer view application was used as the entry point. This is where the attackers were able to list the internal databases, tables and password dump. If you have an account on MySQL.com, we recommend changing your passwords ASAP (especially if you like to reuse them across multiple sites).

What is worse is that they also posted the password dump online and some people started to crack it already. Some of the findings are pretty bad, like the password used by MySQL’s Director of Product Management, it is only 4 numbers long. Multiple admin passwords for blogs.mysql.com were also posted.

The folks at MySQL have yet to say anything about this attack, but we will post more details as we learn more about it.

About David Dede

David is a Security Researcher at Sucuri. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.

Uncle Sam

Shocked 😎
Pingback: Securing SQL Server » Blog Archive » MySQL.com compromised via SQL Injection attack. Someone should have read Chapter 6.()
aerdan

Irony, thy name is MySQL.
Rob

It is amazing how many big names on the web were hacked in recent times:

#google
#comodo
#rsa (emc)
#gawker
#sourceforge
#php
#apache
#tripadvisor
#mysql

Did I miss some?
jaredstenquist

If someone is smart enough to build it, someone is smart enough to break it.
That Spanish Guy

@ first i thought it was an early 0401 joke but it seems to be real
Pingback: MySQL.com compromised | Sucuri « aFblog()
Pingback: MySQL.com compromised by SQL injection | i.justrealized()
Chris

the bigger the target the more people will want to bring it down just to prove they can. what gets me is that if you wanna break it for personal gain, do it, use what you find. i don’t get the point in posting the passwords from these sites on the interwebs for schmucks who can’t steal it themselves. people need to regain some pride at least. i forget where i heard it, but “keep what you kill” comes to mind.
Pingback: MySQL.com被SQL注入攻击，用户密码数据被公布 | El4pse>和谐渗透小组-因为理想远大,所以放弃娱乐.()
Blah

alert(‘dumb test’);
Mahen Nowzadick

ACHEIVEMENT UNLOCKED!!!
Aaron

“What is worse is that they also posted the password dump online and some people started to crack it already.”

For the idiot who written this: You can’t start to extract in 10 min so many things via BSQLi.
If you read his post from: http://tinkode27.baywords.com/mysql-com-fr-it-de-jp-full-disclosure-hacked-by-tinkode-and-ne0h/ you can see that he found this vuln by long time ago, and had access to these accounts. DOH, idiots…
Pingback: SecuriTeam Blogs » mysql.com hacked… via blind sql injection()
Pingback: Objetivos de ataque: grandes empresas y administraciones públicas « segjsm()
Gueston

One thing I don’t understand: the dump contains the password hash and (in a few cases) the cracked password. How were they able to crack it from the hash?
I mean, they could’ve found a password what would generate that hash, but they actually found the original key.
- Michael Ebens
  
  I’m guessing they used a rainbow attack. They simply work out the hashing algorithm used, and then proceed to try different passwords. They would usually start with the most common passwords, and then may proceed to try randomly put together passwords. If the hashes match, they’ve got the password.
  
  If this was the attack they used, then either MySQL.com didn’t use salt on their passwords (bad idea) or the hackers got access to the salt.
  - Anon
    
    What the…
    - Tlringer
      
      http://en.wikipedia.org/wiki/Rainbow_table
      
      http://en.wikipedia.org/wiki/Salt_(cryptography)
Pingback: MySQL Web site falls victim to SQL injection attack | World news()
Pingback: MySQL.com被SQL注入攻击，用户密码数据被公布，开源界又杯具了！()
Pingback: MySQL website falls victim to SQL injection attack | World news()
Pingback: Hackean sitios de Mysql.com con inyección SQL | Ventiao | El mundo cambia, todo cambia, entérate()
Pingback: MySQL website falls victim to SQL injection attack « news4geeks.net()
Pingback: MySQL Web site falls victim to SQL injection attack - Internet, networking and IT security news and headlines from around the web. - darkcode 2 IT Security & Network Security – News()
Pingback: MySQL website falls plant to SQL injection attack |()
Pingback: Episode 352 – IPv6 DoS, $IPv4, EU, MySQL, Dumpster Diving, BofA & SCADA | InfoSec Daily()
Pingback: Episode 352 – IPv6 DoS, $IPv4, EU, MySQL, Dumpster Diving, BofA & SCADA » 信息安全播客()
Pingback: MySQL Web site falls victim to SQL injection attack - Internet, networking and IT security news and headlines from around the web. - darkcode 2 IT Security & Network Security – News()
Pingback: MySQL.com compromised()
Pingback: MySQL.com invadido, pasmem, por SQL injection! | 4 Friends Technology()
Pingback: MySQL.com被SQL注入攻击，用户密码数据被公布 | laura's site()
Pingback: Blog de 3ld3r » Oracle demuestra sus intenciones sobre Postgres..()
Pingback: Boot up: Engadget team jumps to SB Nation, and more | Trade Bloggers()
Pingback: Documentos internos de Oracle y el futuro de PostgreSQL « Conocimiento Libre (o lo que está detrás del Software Libre)()
Pingback: MySQL.com compromised via blind SQL injection (!) « code2hell()
Pingback: MySQL Website Falls Victim to SQL Injection Attack | simplesitetutorials.org()
Faris M a

my sql projects and my sql online live interactive training at http://bit.ly/wXKHod
Vishwas Soni

Just check it out sql-injection-tutorial…..
http://freaktrickz.wordpress.com/2012/09/27/sql-injection-tutorial-website-hacking/
Vishwas Soni

https://freaktrickz.wordpress.com/

Skip links

About David Dede