Zong is a Pakistan based mobile data network operator, owned by the company China Mobile. I have known for quite some time that their website has been vulnerable to SQL injection but there was a firewall present on their server which prevented anyone from doing anything.
This vulnerability has been in existence on their website for over a year now as far as I know. I am sure most of you are aware of SQL injection attacks. And if not fixed, a malicious user can potentially steal or leak customers' data. I have been trying to reach out to them for some days now. I have tried to connect with the technical team on their "live chat" but no one from the staff ever responds. The only thing you get to see is this screen:
Sadly, this is the case with every major company or governmental website in Pakistan. When it comes to security, they don't really care or know what to do. You may ask why contact them now and not before? The reason is simple; I figured some parts of the website are not protected by the firewall while some are.
I have also tried to contact them on their customer support email and as expected, I got silly replies from them asking me for details about the problem I was facing using their mobile services. Here is an email after I specifically warned them about the SQL injection vulnerability:
And my last desperate attempt to make sense of the situation one more time:
To get the same response again:
I am not going to share any details about the vulnerability until they have fixed it which I hope they will. If they keep avoiding this, I will have no choice but to visit their head office directly. But to prove that the vulnerability is in fact a SQL injection, I am going to share few screenshots without leaking any technical details.
The table I was working with had 4 columns and using UNION command I was able to execute this line of code:
SELECT 1, database(), user(), @@datadir --
This is the response:
- "zong" was the name of the database that I was currently running my SQL queries in.
- "heidi" was the user associated with the database.
- "/var/lib/mysql" is the MySQL working data directory.
As it turns out I can execute commands to dump the entire database. I will update the thread with technical details of the vulnerability once the flaw in their system is patched. Let's hope they respond quickly.