“Rewriting the laws” of British Overseas territory Gibraltar with SQL Injection
Note: As of publishing this article, the vulnerable sections of the website have been shut down, effectively resolving the vulnerability. Special thanks to Gareth Corfield of The Register for coordinating with the responsible disclosure.
“Do UK residents need a visa to visit Gibraltar,” was what I needed an answer to, which is why I stumbled upon Gibraltar’s Borders and Coastguard Agency website. Being a British Overseas Territory, Gibraltar falls sort of under the jurisdiction of the UK, yet has its own government and laws so it’s a bit confusing. My intention at around 11 o’ clock at night was to clarify just that — and get a solid goodnight’s sleep. Little did I realise this would turn into a long night of exploration.
The Borders and Coastguard Agency website had an outlink to Gibraltar Immigration Act, which looked like:
http://www.gibraltarlaws.gov.gi/edit_article_o.php?group_id=000000062Law and Policies page of Borders and Coastguard Agency, Gibraltar
To an everyday internet user, this doesn’t mean much, but when the front page of HM Government of Gibraltar Laws and Legislation website looks as follows, a techie would get suspicious. Notice the Secure Site logo at the bottom now as this is going to get interesting!
The outlink mentioned above, when clicked, displayed PDFs of laws and amendments under the Gibraltar Immigration Act, as predictable:
SQL Injection and database dumping
However, the dated website seemed like it could be vulnerable to something. Adding just a simple character — a single quote:
'%27http://www.gibraltarlaws.gov.gi/edit_article_o.php?group_id=000000062%27Output of the link with a single quote added:
Unlike previous few pages which showed links to PDFs of laws and amendments, nothing appeared other than the page header for the link with a ‘at the end, or so it seemed at first glance. This could just have been an error due to a “bad URL,” i.e. a 404 — not found page. Upon selecting and highlighting the entire page, however, the black-on-black text became suddenly visible!
Error in query: SELECT * FROM `article` WHERE group_id=’000000062'’ AND category=’c’. You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘c’’ at line 1That’s a proper MySQL error message spelling out the name of the table i.e.
articleFor those not familiar, in layman’s terms, SQL Injection attacks deal with an attacker providing such a user input — such as a username or password value which tricks the database engine processing that value, into treating the input as a command to the database, as opposed to a mere data value. So, for example, normally username
michaelmichael'--At this point, it was clear the website suffers from error-based SQL Injection — not at one, but many places. Also, changing the
group_id0Another place where this interesting flaw could be noticed was the Employment Tribunal Judgements section which, according to the page, “contains judgments, rulings and decisions passed by the Employment Tribunal in Gibraltar dating back to 1999.”
Searching for just a single quote (
‘Error in query: SELECT * FROM industrial_tribunal_judgement WHERE itj_title LIKE ‘%’%’ OR itj_case_number LIKE ‘%’%’ OR itj_keywords LIKE ‘%\’%’ AND itj_keywords LIKE ‘%%’ AND itj_keywords LIKE ‘%%’ AND itj_keywords LIKE ‘%%’ AND itj_keywords LIKE ‘%%’ AND (itj_tribunal = ‘dummy’ OR itj_tribunal = ‘t’ OR itj_tribunal = ‘a’) AND (itj_type = ‘dummy’ OR itj_type = ‘j’ OR itj_type = ‘d’ OR itj_type = ‘r’) ORDER BY itj_date_passed DESC. You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘%’ OR itj_case_number LIKE ‘%’%’ OR itj_keywords LIKE ‘%\’%’ AND itj_keywords LI’ at line 1Using a simple penetration testing and analysis tool like sqlmap it isn’t too hard to peek further for what all the database of a vulnerable server contains. A simple test with a command like
./sqlmap.py -u <URL> --schemaOut of these, everything else seemed to be either baseline information_schema SQL tables which contain routine information, or Gibraltar Laws website custom tables with public-facing information about laws, amendments, etc. The most interesting table out of all was
userThe
usersqlmap -tPassword analysis and cracking
sqlmapOnce an attacker can get their hands on the username and password, they can modify or delete anything using the website’s CMS — including the very laws.
The not-so-subtle Modify|Delete links on every page make thiss possible:
Sample login screen presented prior to modifying or deleting content:
Bam! A successful login enables an attacker to “rewrite any law”, delete or upload new PDFs and tamper with other data. Yup, not going to try deletion but I’m sure it works:
Although suffice to say, while the second-step of this exploit — password analysis and cracking looks impressive, the critical nature of SQL Injection vulnerability itself means it isn’t necessary. With malicious input such as crafted queries alone an attacker could modify, delete or tamper with any of the tables and database information. With more sophisticated SQL Injection payloads, one could even potentially achieve reverse-shell access.
So next time you choose to put a Secure Site logo at the bottom, make sure you’re covered against the most common critical vulnerabilities. ;)
Props to the staff of HM Government of Gibraltar. Not only was the flaw resolved within a week of reporting — following the long holiday break, the same day a fresh website was launched replacing the previous one. Doesn’t it look pretty?
Gibraltar Laws website launched Jan 6, 2020:
© 2020. Akshay ‘Ax’ Sharma (Twitter). All Rights Reserved.