'Anonymous Conservative' Google Bar SQL Exploit

'Anonymous Conservative' has defaced the main page of the official Iowa Caucus website using a Google Bar SQL injection vulnerability in the Google Toolbar application. The group provides this message:

"The recent endorsement of Donald Trump by Sarah Palin is the final straw for our organization, The Anonymous Conservative. Every good Conservative knows that Sarah Palin is a national embarrassment and she represents everything that is wrong with America. She has failed at everything she has attempted since quitting her office as governor halfway through her term. Her Anti-American, Anti-Family, Anti-Common-Sense stances have made her the laughing stock of American politics.
Yet, even though Donald Trump has himself reached lower than a snake in the grass with his lies about his views on religion, abortion, health care, and Hillary Clinton, he has crawled lower. Trump has already alienated the black vote, the Hispanic vote, and a high enough percentage of the women vote to make it mathematically impossible for the GOP to win with him in 2016, but now he has let the devil back in the door by seeking and accepting the endorsement of Sarah Palin.
We the people will not stand in silence. We, THE ANONYMOUS CONSERVATIVE, have hacked and taken over the front page of the Iowa Caucus site in hopes to reveal the truth."



Now let's get to the fun stuff, the actual coding of the attack...

'http://2016iowacaucus.com/wp-admin/admin-ajax.php'

The code injections allow the attacker(s) to obtain escalated privilege on the front page, which will probably be there for some time. The 'firstChild' reference within the script (theBody.insertBefore(e, theBody.firstChild)) places the injected element ahead of everything else in the page body, so whatever the "Admin" wants appears first. This is a simple attack, and it is why you should always run Mod Sec (ModSecurity) and blacklist/whitelist your servers if you run an organization.

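'function proceedWithGoogleBarInject() {
    // translateFrom, translateTo and clearTranslateInjects() are defined elsewhere in the script
    clearTranslateInjects();
    var e;
    var theBody = document.body;
    if (theBody != null) {
        // Container for the translate widget; e is reassigned on the next
        // statement, so this div is never actually added to the page
        e = document.createElement("div");
        e.id = "google_translate_element";
        // Inline script defining the callback the Google loader will invoke
        e = document.createElement("script");
        e.innerHTML = "function googleTranslateElementInit(){ new google.translate.TranslateElement({ pageLanguage: '" + translateFrom + "', includedLanguages: '" + translateTo + "' }); }";
        theBody.insertBefore(e, theBody.firstChild);
        // External loader script, inserted as the first child of <body>
        e = document.createElement("script");
        e.src = "https://translate.google.com/translate_a/element.js?cb=googleTranslateElementInit&tl=" + translateTo + "&sl=" + translateFrom + "&hl=" + translateFrom;
        theBody.insertBefore(e, theBody.firstChild);
    }
}'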

The next snippet again uses another vulnerability; this time it's an exploit within the Microsoft Translator Hub:

'function proceedWithMicrosoftInject() {
    // clearTranslateInjects() and didMStranslate are defined elsewhere in the script
    clearTranslateInjects();
    var e;
    var theBody = document.body;
    if (theBody != null) {
        // Hidden container for the Microsoft widget, inserted as the first child of <body>
        e = document.createElement("div");
        e.id = "MicrosoftTranslatorWidget";
        e.style.cssText = "display:none!important;visibility:hidden;";
        theBody.insertBefore(e, theBody.firstChild);
        // Inline script that loads the widget from microsofttranslator.com, then calls Translate() after 5 seconds
        e = document.createElement("script");
        e.type = "text/javascript";
        e.innerHTML = "setTimeout(function(){{var s=document.createElement('script');s.type='text/javascript';s.charset='UTF-8';s.src=((location && location.href && location.href.indexOf('https') == 0)?'https://ssl.microsofttranslator.com':'http://www.microsofttranslator.com')+'/ajax/v3/WidgetV3.ashx?siteData=ueOIGRSKkd965FeEGM5JtQ**&ctf=True&ui=true&settings=auto&from=';var p=document.getElementsByTagName('head')[0]||document.documentElement;p.insertBefore(s,p.firstChild); }},0);setTimeout(function(){ Microsoft.Translator.Widget.Translate(null,'en');},5000);";
        theBody.insertBefore(e, theBody.firstChild);
        if (didMStranslate) {} else {
            didMStranslate = true;
        }
    }
}'
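
The black/white-listing advice above can also be applied to the scripts a page actually ends up with. The following is an added example, not code from the original post or from the affected site: it audits a page's script elements against an allowlist of script hosts and reports inline scripts, including ones that load further scripts. The function name, the example.org page URL, the allowlist and the sample entries (modelled on the two snippets above) are constructed assumptions.

```javascript
// Added example (not from the original post): allowlist audit of <script> elements.
// In a browser, call auditScripts(document.scripts, location.href).
const PAGE_URL = "https://www.example.org/";                // constructed page URL
const ALLOWED_SCRIPT_HOSTS = new Set(["www.example.org"]);  // assumed allowlist: first-party only

// Constructed sample, modelled on the script elements the snippets above create
const SAMPLE_SCRIPTS = [
  { src: "/js/site.js" },
  { src: "https://translate.google.com/translate_a/element.js?cb=googleTranslateElementInit" },
  { textContent: "function googleTranslateElementInit(){ /* widget setup */ }" },
  { textContent: "setTimeout(function(){var s=document.createElement('script');s.src='http://www.microsofttranslator.com/ajax/v3/WidgetV3.ashx';},0);" },
  { src: "http://www.microsofttranslator.com/ajax/v3/WidgetV3.ashx" },
];

function auditScripts(scripts, pageUrl, allowedHosts = ALLOWED_SCRIPT_HOSTS) {
  const findings = [];
  Array.from(scripts).forEach((s, index) => {
    const src = s.src || "";
    const text = s.textContent || "";
    if (src) {
      let url;
      try {
        url = new URL(src, pageUrl); // resolves relative paths against the page
      } catch (_) {
        findings.push({ index, reason: "unparseable-src", detail: src });
        return;
      }
      if (url.protocol !== "https:") {
        findings.push({ index, reason: "insecure-scheme", detail: url.href });
      }
      if (!allowedHosts.has(url.hostname)) {
        findings.push({ index, reason: "host-not-allowlisted", detail: url.hostname });
      }
    } else if (text.trim()) {
      // Inline code has no host to check; flag it, and flag loaders that add more scripts
      const loader = /createElement\(\s*['"]script['"]\s*\)/.test(text);
      findings.push({
        index,
        reason: loader ? "inline-script-loader" : "inline-script",
        detail: text.slice(0, 60),
      });
    }
  });
  return findings;
}

console.log(auditScripts(SAMPLE_SCRIPTS, PAGE_URL));
```

Every entry in the sample except the first-party /js/site.js is reported; the same host allowlist maps directly onto a Content-Security-Policy script-src directive, which makes the browser enforce it.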




Never trust that which takes one political choice or ideal over another
-SODAGHAR 1/25/16
