

[ - ] allahead 7 points 1.5 years ago (Nov 3, 2022 16:28:08) (+7/-0)

Any webdev not checking their input and putting strings into a query from a web post should be put in an industry blacklist. Also foreigners should never be allowed to work on critical systems. Hell most citizens shouldn't be allowed to work on them either.

[ - ] zr855 0 points 1.5 years ago (Nov 4, 2022 03:04:11) (+0/-0)*

Prepared statements stop SQL injection cold. That and whitelisting is literally all you have to do. Why everyone isn't just using them is retarded. SQL injection is something that belongs in last century. Languages shouldn't even allow anything but prepared statements. Hell, they shouldn't even allow variables in the query. Just force the things that can't use prepared statements to be hard coded and do a switch on which prepared statement to use, or something like predefined whitelist variables; this way it's impossible to screw up--something like ?var.
Pseudocode:

?var=(option1, option2, option3)
update email, pass with ? ? orderby ?var

?var would be a special predefined db variable. In your prepared statements you could only use ? and ?vars, not ordinary variables.

https://www.youtube.com/watch?v=WONbg6ZjiXk
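Editor's note: the comment above sketches two separate defences, bound parameters for values and a fixed whitelist for the parts of a query that cannot be bound (such as an ORDER BY target). The following is an added example in Python with the standard sqlite3 module, not code from the thread or from any system it discusses. The table, rows, function names and the ORDER_BY_OPTIONS map are all constructed for illustration. It puts the string-concatenation version beside the parameterised one so the difference is visible: a stray quote in the input turns into SQL syntax in the first and stays plain data in the second, and an ORDER BY key that is not in the whitelist is refused before any SQL is built.

```python
import sqlite3


def make_db():
    """Constructed in-memory schema and sample rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, created TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (email, created) VALUES (?, ?)",
        [("alice@example.org", "2022-01-01"), ("bob@example.org", "2022-02-01")],
    )
    return conn


def find_user_unsafe(conn, email):
    # VULNERABLE pattern: the caller's string is spliced into the SQL text,
    # so any quote character in it is parsed as SQL rather than as data.
    sql = f"SELECT id, email FROM users WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, email):
    # Prepared statement: '?' is a bound parameter. The value is handed to the
    # driver separately and never reaches the SQL parser as text.
    return conn.execute(
        "SELECT id, email FROM users WHERE email = ?", (email,)
    ).fetchall()


def compare(conn, email):
    """Run both variants on the same input and report what each one did."""
    safe = find_user_safe(conn, email)
    try:
        unsafe = find_user_unsafe(conn, email)
    except sqlite3.Error as exc:
        # The input was interpreted as SQL; in production this is the point
        # where an attacker controls the statement.
        unsafe = f"error: {type(exc).__name__}"
    return safe, unsafe


# Identifiers (column names, sort direction) cannot be bound parameters, so
# the comment's "?var=(option1, option2, ...)" becomes a fixed, hard-coded map
# from an opaque client-visible key to an SQL fragment the developer wrote.
ORDER_BY_OPTIONS = {
    "email": "email ASC",
    "newest": "created DESC",
    "oldest": "created ASC",
}


def list_users(conn, order_key):
    """Sort by a whitelisted option only; anything else is rejected up front."""
    try:
        order_clause = ORDER_BY_OPTIONS[order_key]
    except KeyError:
        raise ValueError(f"unsupported sort option: {order_key!r}") from None
    # Only developer-authored text is ever interpolated here.
    rows = conn.execute(f"SELECT email FROM users ORDER BY {order_clause}")
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    print(compare(db, "alice@example.org"))
    print(compare(db, "alice@example.org'"))
    print(list_users(db, "newest"))
```

The whitelist key is what the client sends; the SQL fragment it maps to is never visible to, or supplied by, the client. That is the "switch on which prepared statement to use" idea from the comment, expressed as a lookup table.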

[ - ] La_Chalupacabra 2 points 1.5 years ago (Nov 3, 2022 18:40:28) (+2/-0)

I occasionally tune into NPR radio to see what the latest outrage is coming down the line, and today it was how the 2,000 Mules 'debunked' 'fake documentary-style' movie is right-wing propaganda fueling conspiracy theories and violence.

No evidence to back up their claims; just tons of logical fallacies.
To be honest, I'm surprised they're even touching it with a 12 foot vaccinated cucumber; must be getting desperate.

[ - ] lord_nougat 2 points 1.5 years ago (Nov 3, 2022 17:15:00) (+2/-0)

Good job, Bobby Tables!

[ - ] allAheadFull 1 point 1.5 years ago (Nov 3, 2022 20:13:07) (+1/-0)

[ - ] CoronaHoax 1 point 1.5 years ago (Nov 3, 2022 21:15:15) (+1/-0)

Erm, how did they know the table names etc.?

Inside job

[ - ] SecretHitler 0 points 1.5 years ago (Nov 4, 2022 07:01:34) (+0/-0)

It's possible to use SQL injection to get descriptive data about tables.

[ - ] CoronaHoax 0 points 1.5 years ago (Nov 4, 2022 16:49:53) (+0/-0)

I believe the page would have to report SQL errors then, no?

[ - ] SecretHitler 0 points 1.5 years ago (Nov 4, 2022 16:55:23) (+0/-0)

You can get info by triggering errors which might go only to the screen or might go to an unmonitored log. You can also just inject a SHOW TABLES or DESCRIBE statement which wouldn't throw an error.

Whether any of this works depends on how the target is configured.

[ - ] CoronaHoax 0 points 1.5 years ago (Nov 4, 2022 17:00:18) (+0/-0)

I'm just saying not only would they have to allow SQL injection, but their page would have to be done in a way where it gave back debug/error info.

Double whammy for tardedness.

[ - ] SecretHitler 0 points 1.5 years ago (Nov 4, 2022 17:03:49) (+0/-0)

More common than you'd think
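Editor's note: the exchange above turns on two configuration points, whether database errors are echoed back to the page and whether the log they land in is actually watched. The following is an added example, not code from the thread, showing the defensive half of that: a query wrapper that catches every driver error, writes the full detail (statement, parameters, exception text) to a server-side log under a random reference id, and hands the client only a generic message plus that id for support to look up. The `ballots` table, the `run_query`, `count_db_errors` names and the in-memory log sink are all constructed for the example; a real deployment would point the logger at its normal log pipeline and alert on the count.

```python
import logging
import sqlite3
import uuid

# Constructed in-memory log sink standing in for a server-side log file.
log_records = []


class ListHandler(logging.Handler):
    def emit(self, record):
        log_records.append(self.format(record))


logger = logging.getLogger("app.db")
logger.setLevel(logging.ERROR)
logger.propagate = False
logger.addHandler(ListHandler())


def run_query(conn, sql, params=()):
    """Execute a parameterised query.

    On success return the rows. On any database error, record the full
    diagnostic server-side under a reference id and return only an opaque
    failure to the caller, so the client page never sees driver messages,
    table names or the offending statement.
    """
    try:
        rows = conn.execute(sql, params).fetchall()
        return {"ok": True, "rows": rows}
    except sqlite3.Error as exc:
        ref = uuid.uuid4().hex[:12]
        logger.error(
            "db error ref=%s sql=%r params=%r exc=%s", ref, sql, params, exc
        )
        return {"ok": False, "error": "Request failed", "ref": ref}


def count_db_errors(lines):
    """Detection hook: count database-error records in the log.

    A sudden rise in this number from one client is the signal the thread
    says often goes unmonitored.
    """
    return sum(1 for line in lines if line.startswith("db error ref="))


# Constructed schema for the demonstration.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE ballots (id INTEGER PRIMARY KEY, precinct TEXT)")

if __name__ == "__main__":
    print(run_query(conn, "SELECT count(*) FROM ballots"))
    print(run_query(conn, "SELECT * FROM nosuchtable"))
    print(count_db_errors(log_records))
```

The client-facing dictionary deliberately carries nothing derived from the exception; the reference id is the only link between what the user sees and what the operator can read in the log.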

[ - ] deleted 0 points 1.5 years ago (Nov 4, 2022 08:38:34) (+0/-0)

deleted

[ - ] TheYiddler 0 points 1.5 years ago (Nov 4, 2022 06:18:25) (+0/-0)

Vote tabulation software must be open sourced.