Saturday, March 03, 2018

[Full Disclosure] Vulnerable Web Sites In Hong Kong (March 2018)

Since I am not a White Hat, I will disclose all my findings fully to the public. Do not blame me for that! I am a Grey Hat.

Recently, I found out that the personal web site of the anti-government politician in Hong Kong, Claudia Mo, has been hacked since 2016. Some China relevance videos and statement had been posted to the site since 2017. Meanwhile, the volunteers' personal particulars had been leaked in the Pastebin since 2016. The most important thing to know is that the site was protected by Cloudflare, a kind of cloud based DDoS protection and web application firewall (WAF).

I conducted a very simple and quick check on the site some days before yesterday and confirmed that her site was vulnerable to blind sql injection. However, her site has been deleted since yesterday (March 2, 2018, Hong Kong Time).

After a simple search, it was confirmed that the site was developed by Some other sites that are developed by them has been obtained by Google search and from their official site. Another quick and simple tests on those sites has been conducted.

The result shows that about 18 web sites are vulnerable to sql injection vulnerability. It seems that those sites are developed by a vulnerable library.

The url of those sites are listed at the below for reference. It may not be a completed list. I do not responsible to any lost or/and damages caused once those sites have been disclosed. You have been warned that you will be put into the jail when you attack or doing evil on those sites.

Finally, some web developers in Hong Kong cannot build a secure web site properly. They believed that Cloudflare can protect the sites in a very secure manner. Cloudflare WAF can be bypassed very easily. Before investing money to your web sites, please consider the ability of the web developers and the security of the web applications.

Vulnerable sites :

Non vulnerable sites :

That's all! See you.