Declaration
I'm not the hacker, and I just wanna share the data. I have reported it to their webmaster.
Content
It is an easy process to find the weakness of the odroid forum. At first I just wanted to look at their goods list, because I have an IoT project which needs lots of devices.
Though they are a great company (Hardkernel, http://www.hardkernel.com/), they don't pay enough attention to the safety of their website. I had told them their websites are unsafe, but they did not reply and treated me as a kid who just knows how to guess the admin password.
Then they changed the password and deleted phpMyAdmin.
So funny.
But they do not fix the BUG at all!
Not only the forum data, but also other sites' data (like the WordPress site, which has relatively less value) can be obtained through the SQL injection. In other words, they did not control the user privileges in MySQL.
Later, I tried the os-shell which is provided by sqlmap, but it failed. But I think another method, like the general_log config, could be able to get their shell. But I never try to get a shell unless an RCE bug exists; I do not have the hobby of collecting others' servers, they are meaningless to me ~
Finally I just got the data.
Download
So disappointed that I cannot upload the attachment to steemit!
I do hope that it doesn't ban the external link.
The data can be downloaded HERE
Last but not least
Hardkernel should do more than before, not only your hardware.