So why would anyone hack the U.N.? There seems to be an answer to the question “how”; as for “why”, it’s still pretty unclear (save for some strong language):
# Why did you hack it ?
I fuck actually system… I fighting for Internet Freedom, equality & rights for all. You’re FREEDOM my brothers & my sisters ! <3
At least we know who it is – a hacker or group called “Casi”. They also posted a list of the website’s vulnerabilities on Pastebin.
Here is a quick example:
http://www.un.org/chinese/News/focus.asp?focusID=20+AND+1=1
Basically in all examples they just add
+AND+1=1
to the query string and it does the job (of showing the hole, not hacking the website). I tried it (was really curious, sorry) and there seems to be a real problem – helpful error reporting is on, and its reports tell us that under the hood something like this happens (in MS syntax):
"SELECT * FROM `some_table` WHERE `id` = ".$_GET['id'];
To put it simply – U.N.’s security needs help big time…
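The fix for the concatenated query above, as an added example that is not code from the site or from the original post: the same lookup written with a bound parameter, integer validation and a generic error response. The table, column and function names are hypothetical, and an in-memory SQLite database stands in for the real backend.

```python
import logging
import re
import sqlite3

log = logging.getLogger("focus")

def make_db():
    # Constructed sample data; table and column names are hypothetical.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE focus (id INTEGER PRIMARY KEY, title TEXT)")
    db.executemany("INSERT INTO focus VALUES (?, ?)",
                   [(20, "Focus item 20"), (21, "Focus item 21")])
    return db

def lookup_concatenated(db, focus_id):
    # Pattern from the post: the raw parameter becomes part of the SQL text,
    # so "20 AND 1=1" is parsed as a condition, not as an id.
    return db.execute("SELECT id, title FROM focus WHERE id = " + focus_id).fetchall()

def lookup_bound(db, focus_id):
    # Hardened: accept only a short run of ASCII digits, then bind it as data.
    if not re.fullmatch(r"[0-9]{1,9}", focus_id):
        return None
    return db.execute("SELECT id, title FROM focus WHERE id = ?",
                      (int(focus_id),)).fetchall()

def handle_request(db, focus_id):
    # Database errors are logged server-side; the client gets a generic message.
    try:
        rows = lookup_bound(db, focus_id)
    except sqlite3.Error:
        log.exception("focus lookup failed")
        return 500, "Internal error"
    if rows is None:
        return 400, "Bad request"
    if not rows:
        return 404, "Not found"
    return 200, rows[0][1]

if __name__ == "__main__":
    db = make_db()
    probe = "20 AND 1=1"  # decoded form of focusID=20+AND+1=1 from the post
    print(lookup_concatenated(db, probe))  # appended text ran as SQL
    print(handle_request(db, probe))       # rejected before reaching the database
    print(handle_request(db, "20"))
```

With the bound version the appended text never reaches the SQL parser, and turning off detailed error pages keeps the query structure out of the response even when something else fails.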