The unauthenticated RCE issue was discovered on the customer's wiki page. The machine was running an older OS, which made privilege escalation, password dumping, etc. easier after the initial exploitation. The machine was also joined to an Active Directory (AD) domain, giving it easy lateral network connectivity to other systems in the AD.
SQL injection allows an attacker to modify the structure of a SQL query executed by the application. Depending on the type of SQL server in use, the attacker may be able to modify existing queries or append entirely new queries to the existing one. The modified query can access any portion of the database with the same entitlements granted to the database connection, potentially leading to:
- Loss of confidentiality when an attacker gains access to unauthorized information
- Loss of integrity through modification of other users' information, log files, or any other sensitive data
- Loss of availability when an attacker deletes other users' data, executes commands that take down the database server, or performs a denial-of-service attack that fills the database and subsequently exhausts the database server's storage
- Authentication bypass through modification of SQL queries that verify a user's credentials
- Authorization bypass from gaining access to or altering data in ways the application's business logic does not allow
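The query-structure change and the authentication-bypass case described above, as an added Python example that is not from the report: a login check built by string concatenation beside a parameterized one, plus a check showing that whether an appended statement runs depends on the database driver. The in-memory SQLite user table and the credentials are constructed sample data.

```python
import sqlite3


def make_db():
    # Constructed in-memory user store standing in for the application's
    # database (sample data, not from the assessed environment).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret'), ('bob', 'hunter2')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # String concatenation lets user input become part of the query's
    # structure, so a crafted value can change the WHERE clause's logic.
    query = ("SELECT username FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    # Placeholders bind the input as data; the query structure is fixed by
    # the application, so the same crafted value simply fails to match.
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def users_table_survives(conn, username):
    # Whether an appended (stacked) statement executes is driver-dependent:
    # sqlite3.execute() accepts only one statement and rejects the rest,
    # while other servers/drivers may run it. Returns True if the users
    # table still exists after the concatenated query is attempted.
    query = "SELECT username FROM users WHERE username = '" + username + "'"
    try:
        conn.execute(query).fetchall()
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        pass  # multi-statement input refused by this driver
    exists = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = 'users'"
    ).fetchone()
    return exists is not None
```

The same crafted value that logs in as the first user through the concatenated query is treated as an ordinary, non-matching string by the parameterized one.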
By automating guesses, an attacker is able to retrieve a large list of valid usernames for an application. Once the attacker has a list of valid usernames, they can begin guessing passwords in an attempt to steal credentials and impersonate other users. Password guessing may be done manually or by automated means, depending on what login anti-automation mechanisms (if any) the application has in place. Valid usernames may also be used in phishing exercises and in large-scale account lockout denial-of-service attacks. In this particular case, many of the harvested accounts were found to have a password identical to the username, making this instance of the issue even riskier than usual.