On Tue, Jun 7, 2011 at 10:26 AM, Peter C. Ndikuwera <[email protected]> wrote:
> Most likely an SQL injection hack. Almost certainly at least started with SQL injection.
>
> Quick example of how it may have been done: http://cit.mak.ac.ug/events_detail.php allows raw SQL queries to be run. You can see by comparing the two links:
>
> http://cit.mak.ac.ug/events_detail.php?item=27%20and%201=1
> http://cit.mak.ac.ug/events_detail.php?item=27%20and%201=2
>
> In general, if you add " and 1=1" to the end of a GET variable and it produces a different page from when you add " and 1=2", then the site is vulnerable to at least blind SQL injection.
>
> What information can you get out of a very simple blind, TRUE or FALSE vulnerability like this? Depending on permissions, you can get the entire database schema, all usernames and password hashes and every row of data. It just requires brute force. Once you have a way to get a TRUE or FALSE result (as we have in events_detail.php), then instead of adding 1=1 or 1=2 you can, for example, start running queries (that also return TRUE or FALSE) such as:
>
> - Are there more than 10 user accounts?
> - Are there more than 5 user accounts?
> - Are there three user accounts?
> - Is the first letter of the first user account A?
> - Is the first letter of the first user account B?
> - ...
> - Is there 1 database?
> - Are there 2 databases?
> - Is there 1 table in the first database?
> - Are there 2 tables in the first database?
> - ...
> - Are there more than 5 characters in the name of the first table of the first database?
> - ...
>
> We know whether each query is TRUE or FALSE just by appending it to the item variable of the events_detail.php page. If we get the normal page, we know it's TRUE. If we get the blank page (produced by appending " and 1=2") we know the result is FALSE.
>
> Seems like a lot of work? sqlmap (http://sqlmap.sourceforge.net/) will do it all for you. You just give it the vulnerable URL and you can get the entire DB dump. Granted it takes a long time, because it has to do thousands (perhaps tens of thousands) of queries, but it works.
So a note to all web admins out there: CLEAN YOUR INPUTS. If 'item' should always be an integer, raise a 404 if it's anything other than an int. And if you didn't write the code, but you're responsible for it, test for these vulnerabilities. Test using sqlmap, because you know others will if you don't.

David
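The fix David recommends (an 'item' that must be a plain integer, 404 otherwise, with the value bound as a query parameter) next to the interpolated query that produces the TRUE/FALSE oracle, plus a check that flags the " and 1=1" / " and 1=2" probe pair in an access log, as an added Python example that is not code from the post or from the cit.mak.ac.ug site. The in-memory events table, its rows and the log lines are constructed; `lookup_vulnerable` only models the pattern the post describes so the contrast with `lookup_hardened` is visible.

```python
import re
import sqlite3

# Constructed in-memory stand-in for the events table behind events_detail.php.
CONN = sqlite3.connect(":memory:", check_same_thread=False)
CONN.execute("CREATE TABLE events (id INTEGER PRIMARY KEY, title TEXT)")
CONN.executemany("INSERT INTO events VALUES (?, ?)", [(27, "Open Day"), (28, "Seminar")])

def lookup_vulnerable(item):
    # The GET value is pasted into the SQL text, so "27 and 1=1" returns the normal
    # row while "27 and 1=2" returns nothing: the TRUE/FALSE oracle the post describes.
    row = CONN.execute(f"SELECT title FROM events WHERE id = {item}").fetchone()
    return row[0] if row else None

INT_ONLY = re.compile(r"[0-9]{1,10}")

def lookup_hardened(item):
    """Return (http_status, title). Anything but a plain integer is a 404 before SQL runs."""
    if not INT_ONLY.fullmatch(item):
        return 404, None
    # The value is bound as a parameter, so the driver never interprets it as SQL text.
    row = CONN.execute("SELECT title FROM events WHERE id = ?", (int(item),)).fetchone()
    return (200, row[0]) if row else (404, None)

# Detection: the " and 1=1" / " and 1=2" probe pair, raw or URL-encoded, in an access log.
PROBE = re.compile(r"(?i)(?:%20|\+| )and(?:%20|\+| )1=[12](?![0-9])")
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+)')

def find_probes(log_lines):
    """Return (client_ip, request_path) for lines whose query string carries the probe."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if m and PROBE.search(m.group(2)):
            hits.append((m.group(1), m.group(2)))
    return hits

SAMPLE_LOG = [  # constructed combined-format access-log lines, not real traffic
    '203.0.113.5 - - [07/Jun/2011:10:26:01 +0300] "GET /events_detail.php?item=27 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [07/Jun/2011:10:26:02 +0300] "GET /events_detail.php?item=27%20and%201=1 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [07/Jun/2011:10:26:03 +0300] "GET /events_detail.php?item=27%20and%201=2 HTTP/1.1" 200 310',
]
```

The hardened handler answers 404 to both probe strings, so the two responses no longer differ and the oracle disappears; the log check turns the same pair into something an admin can alert on.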
The Uganda Linux User Group: http://linux.or.ug
Mailing list archives: http://www.mail-archive.com/[email protected]/
