And.. Again they put the blame on MDP and Christians.. Why guy? Don't you believe you guys have a crappy and shitty setup and that we maldivians can't do it? So what you guys are saying or assuming is Maldivians are crappy bunch of people who don't know shit? And you call your site "the maldivian"!!! Shame!
This event has got nothing to do with MDP or others; this was just done for fun and to show that some people are out there who don't like what's going on! Even with MDP or the other parties. We don't need this shit!
Anyway, what you find below and here is just published for educational purposes ONLY! Let's roll!
First : You find time and a day you have the mood to spend some time off work at your home and with a good connection to the internet!
Second: you get some good tips and information off security sites and your friends; that there are new exploits out.
Third: you find a subject: in this case it was www.themaldivian.org. Why? cos it won't do you any harm legally even if anything goes wrong! This site does not belong to the gov or a company. Or a registered organization. Nor has any individual claimed the ownership! So Bingo! Plus find a place you don't like!
Anyway.. They have php and mysql running. A tip was given by a friend that there is an sql injection exploit, I thought I'll give my luck on it. Been a while since I did not play around on the net. So thought I'd party for a night. So... On the way home; with two of my friends went for a coffee. Talked about it; and possible ways to exploit it.
Next ; after going home; I had a good look at the site. Exploring it. Found out that it's php and mysql based. Knew that even before.. But also figured out that there must be a control panel for the content management system. So the most logical way is to try your luck first. Did a www.themaldivian.org/login.php and also admin.php.. ah ha! Found the panel. Now the password.. No way I can guess the user name and password. At first I thought they are stupid and will use something like admin. But guess I was wrong. Went out and came and had a quick nap.
Woke up.. Got hooked on to the net. Made a coffee and some music. Looked into the site. When you click on the news links it takes you through the content management system. So there I go. I passed a few parameters and read through the exploits archives. Found out that the "UNION" will be useful. So gave it a couple of tries. Like end of the URL's added stuff like "UNION%20SELECT%20*%20FROM%20admin%20".. This gave some good tips ..Then I was able to get some errors with the table names.. And here is what became interesting... I found out that dhiyavaru was the name of the db and obviously the admin pass and user names will be in a table called admin. Easy guess.. Now to exploit this. With a couple of tries me and one more friend on line.. I tried this one.." http://www.themaldivian.org/news_details.php?index_no=
.. what did I get.. ah ha! you don't need to pay a guy thousands of USD to know these kinds of stuff. Just play around with stuff... And anyone who spends time enough; will get this right! No big deal! No super computers used to crack codes! just simple "maldivians" and so called "fucked up minds".. I know they will get back at me with all the crap: but before that let me tell them this.. No matter how fucked up I am : I beat that again! So ? And they did not even get a hint! In fact they used this also to mislead people. So I prove my point! Now they can go on...
here is what you get...
ok! what you see is the user name and password dumps. First one in bold is the user name ; followed by password. You get two users. First I tried the two bold ones. Thought first one was the user name and second bold was the pass. But my other friend who was on the same job; figured it out first! hehe! Now to get to this point it was like 15 to 30 mins. Considering how lame this site was.
Next what do I get... This...
This is the admin panel... Rest was .. I passed it to other friends who were online.. And they played around with it.. NOP! Did not pay them! hehehe! And they had fun too. Exploring the site and all! Rest was history you got in the site! From that point on I just quit! And yeah! Make sure you are on a proxy all the while.. So they can't trace you. Let them put the blame on MDP and others! Who cares! It's a game! And as for the DO pics and stuff! I guess my friends did a good job pissing themaldivian.org guys! And this information was given out right then and there!
All what I have typed here was shared online.. in real time. So it was multiple people who did get in! I don't know who they are just know them through MSN and IRC. :D
Hope that was educative enough to the so called "VERY much Secure web site" and the people who are hired to maintain it. So next time; fix these and go to some classes to learn or read. How? Now you ask! OK, let me give you a little tip here! Know about encryption? What fool will keep the password unencrypted on public DB's? So how is this done; I think even with php they have MD5 encryption functions as well! So go on and use them! And get the content management thingy up! We don't use the same next time! Besides you are off my list!
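The two weaknesses this post turns on, a request parameter concatenated into SQL and passwords stored in the clear, shown next to their fixes as an added example that is not part of the original post or the site's code. The table and parameter names (`news`, `admin`, `index_no`) follow the post; the schema, rows, function names and the in-memory SQLite database (needs the `pdo_sqlite` extension) are constructed assumptions. It uses PHP's `password_hash()` rather than `md5()`, since a bare MD5 digest is unsalted and fast to brute-force.

```php
<?php
// Added example. Table/column names follow the post; schema, rows and the
// SQLite in-memory database are constructed so the script runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE news (index_no INTEGER PRIMARY KEY, title TEXT)');
$db->exec('CREATE TABLE admin (username TEXT, password TEXT)');
$db->exec("INSERT INTO news VALUES (1, 'Constructed headline')");

// Store a salted, deliberately slow hash instead of the plaintext password.
$stmt = $db->prepare('INSERT INTO admin VALUES (?, ?)');
$stmt->execute(['editor', password_hash('constructed-passphrase', PASSWORD_DEFAULT)]);

// BEFORE: the request parameter becomes part of the SQL text.
function news_vulnerable(PDO $db, string $indexNo): array {
    $sql = "SELECT * FROM news WHERE index_no = $indexNo";
    return $db->query($sql)->fetchAll(PDO::FETCH_NUM);
}

// AFTER: validate the type first, then bind the value as a parameter.
function news_hardened(PDO $db, string $indexNo): array {
    $id = filter_var($indexNo, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return [];   // caller should answer 400 and log the raw value
    }
    $stmt = $db->prepare('SELECT index_no, title FROM news WHERE index_no = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_NUM);
}

// Login compares against the stored hash; the plaintext is never kept.
function login(PDO $db, string $user, string $pass): bool {
    $stmt = $db->prepare('SELECT password FROM admin WHERE username = ?');
    $stmt->execute([$user]);
    $hash = $stmt->fetchColumn();
    return is_string($hash) && password_verify($pass, $hash);
}

$probe = '0 UNION SELECT * FROM admin';   // the kind of input the post describes
printf("vulnerable rows: %d\n", count(news_vulnerable($db, $probe)));
printf("hardened rows:   %d\n", count(news_hardened($db, $probe)));
printf("normal request:  %d\n", count(news_hardened($db, '1')));
var_dump(login($db, 'editor', 'constructed-passphrase'));
var_dump(login($db, 'editor', 'wrong'));
```

Even where the concatenated query still returns a row from `admin`, the password column now holds only a salted hash; turning off verbose SQL errors on the live site removes the table-name hints the post relied on.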
here are the bull shit which they have on TM and FM about this event! All false. Now you see and it's proven how much they lie! And talk crap.