How a Hacker Finds SQL Injection

>> Friday, January 22, 2010

(WEB HOST INDUSTRY REVIEW) -- A Romanian hacker has disclosed an SQL injection vulnerability on a US Army website that could lead to a full database compromise.
According to a report from Softpedia, a website used to provide information about military housing facilities to soldiers, called Army Housing OneStop (AHOS), was found to be storing passwords in plain text -- a major security oversight.

A compromised AHOS website could provide an intruder access to some 76 databases on the server, some containing confidential information on worldwide Army installations. The AHOS has since been taken offline.
A security enthusiast going by the name of TinKode blogged about a proof-of-concept attack on the site, which seems to have been developed by a third-party government contractor, DynaTouch Corporation.
The published screenshots reveal that the Web server runs on Microsoft Windows 2003 with Service Pack 2 and the database engine used to power the ASP website is Microsoft SQL Server 2000.
"In a time when even the most amateur programmers follow such security practices, the fact that many business or government websites do not boggles one's mind," Softpedia notes. "Additionally, the administrative account is called 'Dynatouch' – who would have guessed that? – and its password is 'AHOS' – yes, really."
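The two weaknesses the article describes, user input spliced straight into SQL text and passwords kept in plain text, are easy to reproduce and to fix in a few lines. The following is an added illustration written for this page; it is not TinKode's proof of concept and not code from the AHOS site or DynaTouch. An in-memory SQLite table stands in for the site's SQL Server 2000 database, the user name and password are constructed sample data, and the login functions are hypothetical stand-ins for whatever the ASP pages actually did. It shows the classic first probe (a lone quote that makes the database throw a syntax error), the tautology payload that turns such a login into an authentication bypass, the parameterised query that closes both, and a salted password hash as the minimum replacement for plaintext storage.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample user. The password is stored in plain text on purpose,
# mirroring the storage practice the article criticises; nothing here is
# taken from the affected site.
USERS = [("admin", "hunter2")]


def setup_db():
    """In-memory SQLite table standing in for a web application's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Injectable pattern: untrusted input is concatenated into the SQL text."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_safe(conn, username, password):
    """Parameterised query: the driver passes input as data, never as SQL syntax."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def probe_for_injection(login_fn, conn):
    """Classic first test: submit a lone quote as the user name. If the database
    reports a syntax error, the input is reaching the SQL parser as code."""
    try:
        login_fn(conn, "'", "x")
    except sqlite3.OperationalError:
        return True
    return False


# Authentication bypass payload: closes the password literal, ORs in a
# tautology and comments out the trailing quote the application appends.
BYPASS = "' OR '1'='1' --"


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns 'salthex$digesthex' for storage."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + "$" + digest.hex()


def verify_password(stored, candidate):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, _ = stored.split("$")
    recomputed = hash_password(candidate, bytes.fromhex(salt_hex))
    return hmac.compare_digest(recomputed, stored)


if __name__ == "__main__":
    db = setup_db()
    print("quote probe errors on vulnerable login:", probe_for_injection(login_vulnerable, db))
    print("quote probe errors on safe login:      ", probe_for_injection(login_safe, db))
    print("bypass succeeds against vulnerable login:", login_vulnerable(db, "nobody", BYPASS))
    print("bypass succeeds against safe login:      ", login_safe(db, "nobody", BYPASS))
    stored = hash_password("hunter2")
    print("hashed verify (right, wrong):", verify_password(stored, "hunter2"),
          verify_password(stored, "wrong"))
```

The probe is the whole of "how a hacker finds SQL injection" in its simplest form: an application that echoes a database syntax error for a single quote has told the attacker that its query text is built from user input, and from there the bypass payload, or a UNION against other tables on the same server, is routine. Parameterising the query removes both the error and the bypass at once; hashing passwords limits what a successful dump is worth.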
With other US Army servers having been successfully attacked in recent memory, the military would be wise to bolster security. Information Week reported in May 2009 that a Turkish hacker infiltrated two sensitive US Army servers. One was located at the McAlester Ammunition Plant in McAlester, Oklahoma, and the other in Winchester, Virginia at the US Army Corps of Engineers' Transatlantic Center. Tech blog The Register speculated at the time that the attack method was SQL injection.
