Daily cyber threats and internet security news: network security, online safety and latest security alerts
January 9th, 2010

US Army Website Compromised Through SQL Injection

A Romanian grey hat hacker has disclosed an SQL inject (SQLi) vulnerability on a website belonging to the United States Army, which leads to full database compromise. The website, called Army Housing OneStop, is used to provide information about military housing facilities to soldiers. The website has been taken offline.

The Army Housing OneStop (AHOS) is “the official Army website for soldiers who need information about Military Family Housing (MFH), Unaccompanied Personnel Housing (UPH) and/or Community (Off-Post) Housing. It includes both comprehensive and quick-reference information for Army installations worldwide.”

A self-confessed security enthusiast, who goes by the online handle of TinKode, documented a proof-of-concept attack against the on his personal blog. The published screenshots reveal that the Web server runs on Microsoft Windows 2003 with Service Pack 2 and the database engine used to power the ASP website is Microsoft SQL Server 2000:

#Version: Microsoft SQL Server 2000 – 8.00.2282 (Intel X86) Dec 30 2008 02:22:41 Copyright (c) 1988-2003 Microsoft Corporation Enterprise Edition on Windows NT 5.2 (Build 3790: Service Pack 2
#User: Dynatouch
#Database: AHOS

The AHOS website seems to have been developed by DynaTouch Corporation, a third-party government contractor that provides software and hardware solutions to create “self-service kiosk systems.” The company’s client portfolio includes a long list of local and federal government organizations.

There are a number of 76 databases on the server, but TinKode focused his attention on the one called “AHOS.” There are various tables in this database containing general website configuration information, but two in particular stand out as they are called “mgr_login” and “mgr_login_passwords.”

Upon investigating the latter, the hacker stumbled upon passwords stored in plain text, a major security oversight. Storing cryptographic hashes instead of the actual password strings has been a common practice in Web application programming for years now. Furthermore, if for convenience the hashes are generated with a weak algorithm, a technique known as “salting” can be employed to make them nearly impossible to crack.

In a time when even the most amateur programmers follow such security practices, the fact that many business or government websites do not boggles one’s mind. Additionally, the administrative account is called “Dynatouch” – who would have guessed that? – and its password is “AHOS” – yes, really.

Credit: Softpedia News

Share this item with others:

More on CyberInsecure:
  • Phishing Botnet Expands By SQL Injecting Websites Found In Google
  • New Lateral SQL Injection Method To Hack Oracle Database
  • Database Compromised Through SQL Injection, Localized Website Versions Also Affected
  • The Image Group Website Hacked Through SQL-Injection, Credit Cards Data Stolen
  • Anti-U.S. Hackers Infiltrate Army Servers

  • If you found this information useful, consider linking to it from your own website.
    Just copy and paste the code below into your website (Ctrl+C to copy)
    It will look like this: US Army Website Compromised Through SQL Injection

    Leave a Reply

    Comments with unsolicited links to other resources will be marked as spam. DO NOT leave links in comments. Please leave your real email, it wont be published.

    To prove you’re a person (not a spam script), type the security word shown in the picture. Click on the picture to hear an audio file of the word.
    Click to hear an audio file of the anti-spam word