Today we shall consider a web site that contains a SQL injection error: http://www.compostingcouncil.org. The programmer of the site does not know about security, and the majority of the web page parameters are vulnerable. We shall consider the following URL:
http://www.compostingcouncil.org/section.cfm
The section.cfm file receives the parameter id. If you append a single quote to the end of the parameter, an execution error is produced. We shall consider the error text in more detail:
ODBC Error Code = 37000 (Syntax error or access violation)
[Microsoft][ODBC Microsoft Access Driver] Syntax error (missing operator) in query expression 'id = 29'''.
The error occurred while processing an element with a general identifier of (CFQUERY), occupying document position (1:1) to (1:59).
The ODBC Microsoft Access Driver is used for data access, i.e. the site uses MS Access as its database. I know it badly, but we shall try to study it. Let's try to determine the number of fields returned by the query. MS Access cannot run a SELECT without a FROM section: there must be a FROM section with a table name. The server has a registration form. Let's assume that there is such a table: users. Let's load the following URL:
http://www.compostingcouncil.org/section.cfm?id=29%20union%20select%201%20from%20users
The table really exists, because the server reports in an error that the number of fields in the injected query does not match. Now it is possible to select the table fields. In my case it turned out to be 13 fields. Not a lucky number (especially for the programmer of this site). We shall try to guess the fields that are present in the table users. My selection showed that userid, email and memberpwd are present. Now you can determine the users registered on the site and use their data.
Now we shall try to determine what other tables are in the database. This information is stored in the system table MSysObjects: its name field contains the names of all tables in the database file. We shall try to inject a SELECT query against this table:
http://www.compostingcouncil.org/section.cfm?id=29%20union%20select%201,2,3,4,5,6,name,8,9,10,11,12,13%20from%20MSysObjects

No comments!!!
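The root cause of everything shown above is that section.cfm pastes the id parameter straight into the SQL text, so a stray quote changes the query and the database's own error is echoed back to the visitor. As an added example (not code from this post or from the site), here is a Python model of that pattern against an in-memory SQLite table with a constructed schema, beside the hardened form that validates the value and binds it as a parameter:

```python
import sqlite3

# Constructed stand-in for the site's section table; the real schema is unknown.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE section (id INTEGER, title TEXT)")
    conn.executemany("INSERT INTO section VALUES (?, ?)",
                     [(29, "Composting basics"), (30, "Member directory")])
    return conn

def lookup_vulnerable(conn, raw_id):
    # Same pattern as section.cfm: the request parameter is concatenated into the
    # SQL text, so a single quote becomes part of the statement and the database's
    # syntax error is what the page ends up showing.
    sql = "SELECT title FROM section WHERE id = " + raw_id
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.OperationalError as exc:
        return "ERROR: " + str(exc)

def lookup_hardened(conn, raw_id):
    # Two independent layers: the value must be an integer (the only thing id can
    # legitimately be), and it travels as a bound parameter, so it can never alter
    # the structure of the query. Raw database errors are never returned to the caller.
    if not raw_id.isdigit():
        return "BAD REQUEST"
    sql = "SELECT title FROM section WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (int(raw_id),))]

if __name__ == "__main__":
    db = make_db()
    for value in ("29", "29'"):
        print(repr(value), "->", lookup_vulnerable(db, value), "|", lookup_hardened(db, value))
```

In ColdFusion the equivalent of the bound parameter is `<cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">` inside the `<cfquery>` tag, which also rejects non-integer values.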