Amateur hacking – Hacked in 60 seconds

March 25, 2006 at 7:03 am | In IT Security, Malaysia, Technology | 1 Comment

Interested in some amateur hacking skills? Read on…

Only yesterday I tried to search online for the LHDN e-filing site, as I'd forgotten the URL. I've forgotten how I managed to get the URL, but I went through a site and had a wonderful finding of what lies beneath http://eservice.hasil.org.my

Please note, however, that I do not exactly know who the owner of the site is, as I wasn't able to find the handler through the MYNIC whois service at http://whois.mynic.net.my/

My opinion is that it could be an obsolete version of the online filing from LHDN.

The correct site for the e-filing (https://e.hasil.org.my) can be found from the official LHDN site http://www.hasil.org.my/. This one should be working properly, but I've yet to register myself. Still a bit skeptical of whatever new software version. (I'm a software developer, what!)

OK, now back to some hacking stuff. The layout itself wasn't really nice, and worse still, the registration page doesn't look at all professional. Somehow it gave me the impression that I wouldn't trust the site anymore. Probably I can have some fun playing with it too!

So I tried to register with whatever data: Nama Pengguna (username) = 1, 1 for all the other fields, and some 1@somewhere.com, and I got an error that 1 already exists. Great job there; I used 9 and it worked.

Now to log in with 9 and see what's inside. Everything looks decent, just a file download and nothing very special in terms of functionality.

Hmm.. want to try logging in without a password? SQL injection came to mind.

In a matter of 60 seconds, you can hack in and feel good :-D

If you know SQL injection, just try it yourself; if not, try something like this while I explain more:

1) Put a single quote -> ' into the username textbox and submit. It'll show something like:

character string '' AND MemberPassword=''

Ah-ha.. you get to see part of the SQL already. The original SQL should be something like: SELECT id from LOGINTABLE where USERNAME='<user_name>' and MEMBERPASSWORD='<password>'

2) Manipulate it to skip the password check. Since it doesn't check for invalid characters in user_name, basically you can input anything. So I can log in with account 1, which I know exists, without a password. Key in -> 1'-- and then hit submit. Voila! You're in.... That's basically how a SQL injection hack works..

Still don't understand why ( 1'-- ) works? The first single quote ' closes the string for user_name, and the following -- comments out the rest of the SQL, skipping the password check entirely, so the SQL that actually runs is just:

SELECT id from LOGINTABLE where USERNAME='1'

3) A better way, which logs in even without an existing username, is the following. Key in -> ' OR 1=1 -- and you will have hacked in without any login information. It forms SQL like:

SELECT id from LOGINTABLE where USERNAME='' OR 1=1 (which always returns true)
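The login check behind steps 1 to 3, as an added example that is not the site's or this post's own code: the same form input is run through a string-built query (the kind of code that produces the behaviour above) and through a parameterized query, against a constructed in-memory SQLite table. The table and column names follow the post; the rows, passwords and the use of SQLite are assumptions.

```python
import sqlite3


def make_db():
    """Constructed sample table: names follow the post, the rows are made up."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE LOGINTABLE (id INTEGER PRIMARY KEY, USERNAME TEXT, MEMBERPASSWORD TEXT)"
    )
    conn.executemany(
        "INSERT INTO LOGINTABLE (USERNAME, MEMBERPASSWORD) VALUES (?, ?)",
        [("1", "pw-for-1"), ("9", "pw-for-9")],
    )
    return conn


def login_concat(conn, username, password):
    """Vulnerable form: the form fields are pasted straight into the SQL text."""
    sql = ("SELECT id FROM LOGINTABLE WHERE USERNAME='" + username
           + "' AND MEMBERPASSWORD='" + password + "'")
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error as exc:
        # A lone quote breaks the statement; this is the kind of error that
        # leaked a fragment of the real query in step 1.
        return ("error", str(exc))
    return ("ok", row[0]) if row else ("denied", None)


def login_param(conn, username, password):
    """Hardened form: placeholders keep the input as data, never as SQL syntax."""
    sql = "SELECT id FROM LOGINTABLE WHERE USERNAME=? AND MEMBERPASSWORD=?"
    row = conn.execute(sql, (username, password)).fetchone()
    return ("ok", row[0]) if row else ("denied", None)


def compare(username, password):
    """Same form input through both versions: (vulnerable_result, hardened_result)."""
    conn = make_db()
    return login_concat(conn, username, password), login_param(conn, username, password)


if __name__ == "__main__":
    # The three inputs from the post plus one legitimate login, for comparison.
    for user, pw in [("9", "pw-for-9"), ("'", ""), ("1'--", "wrong"), ("' OR 1=1 --", "")]:
        print(repr(user), compare(user, pw))
```

Only the legitimate username/password pair passes the parameterized version; the quote, the `1'--` and the `' OR 1=1 --` inputs are all simply treated as usernames that do not exist.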

Conclusion: it's basically a lousy site.. I really forgot how I got the URL; luckily it's not the one referred to on the official LHDN site.. Anyway, hope you enjoyed some amateur hacking!

Refer to the following sites for more information:

http://www.acunetix.com/websitesecurity/sql-injection.htm

http://www.governmentsecurity.org/articles/SQLinjectionBasicTutorial.php
