A hacker claims to have gained full access to the website of the British Royal Navy and the underlying database through an SQL injection attack.
In a blog, TinKode claims that the compromise of www.royalnavy.mod.uk happened on November 5 at 22:55.
The hacker mentions that the attack vector was SQL injection, but fortunately, he doesn’t publicly disclose the vulnerable URL.
He does, however, link to a file hosted on pastebin.com, which contains sensitive information gathered from the Royal Navy Web server and database.
This includes a copy of the /etc/passwd file, a listing of MySQL databases, as well as the tables for some of them.
For the “globalops” database, which we assume corresponds to the “Global Operations” section of the website, TinKode lists the contents of the “admin_users” table. This includes the administrative accounts and their corresponding password hashes.
The hacker even cracked the hashed password for the user called “admin” and posted it in plain text. Suffice to say that it’s ridiculously simple and in no way appropriate for a military website.
Furthermore, he also posted usernames and hashed passwords for the site’s “Jack Speak” blogs section, which appears to be running WordPress. We have alerted the Royal Navy Web team, but have yet to receive a reply. Meanwhile, the website remains online.
SQL injection is a class of vulnerability that stems from a failure to properly validate or parameterize user input before it is embedded in a database query. It allows attackers to execute rogue database queries by manipulating the vulnerable URL.
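To make the distinction concrete, the following is an added example (not code from the article or from the Royal Navy site) that puts a query built by string concatenation beside the parameterized form that fixes it. It uses Python's built-in SQLite driver rather than MySQL, and the `admin_users` table, its two rows and the hash placeholders are constructed for the example; only the table name is borrowed from the article.

```python
import sqlite3

# Constructed sample data modelled loosely on the "admin_users" table named in
# the article. The usernames and hash placeholders are invented for this example.
SAMPLE_ROWS = [
    ("admin", "<constructed-hash-1>"),
    ("webmaster", "<constructed-hash-2>"),
]


def make_db():
    """Create an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin_users (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO admin_users VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, username):
    """Vulnerable pattern: user input is pasted into the SQL text, so quote
    characters in the input change the structure of the query."""
    sql = "SELECT username FROM admin_users WHERE username = '" + username + "'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_parameterized(conn, username):
    """Hardened pattern: the input is passed as a bound parameter, so the
    database engine treats it purely as a string value, never as SQL."""
    sql = "SELECT username FROM admin_users WHERE username = ?"
    return sorted(row[0] for row in conn.execute(sql, (username,)))


def demo():
    """Run both lookups with an ordinary username and with a username that
    contains a quote, and return the four result lists for comparison."""
    conn = make_db()
    benign = "admin"
    # A textbook input containing a single quote; in the concatenated query it
    # turns the WHERE clause into a tautology, in the parameterized one it is
    # just a username that does not exist.
    quoted = "x' OR '1'='1"
    return {
        "vuln_benign": lookup_vulnerable(conn, benign),
        "vuln_quoted": lookup_vulnerable(conn, quoted),
        "safe_benign": lookup_parameterized(conn, benign),
        "safe_quoted": lookup_parameterized(conn, quoted),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

Running the module shows the concatenated query returning every row for the quoted input while the parameterized query returns nothing; the application code around both is otherwise identical, which is why the fix is a matter of how the query is assembled rather than of filtering particular characters.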
TinKode previously disclosed similar vulnerabilities on NASA and U.S. Army websites. At the end of October he announced compromises on websites belonging to the U.S. Army 470th MI Brigade, the U.S. Army Civil Affairs & Psychological Operations Command and the National Weather Service.