Safekeeper Hotel Safe Bypass Video
I spent a week in Hawaii on the way back from Black Hat and DEF CON in Las Vegas, and my hotel room had a Safekeeper key-lock safe that you had to pay $5 a day to use. Turns out the safe was perfectly usable without the key – which I guess nullifies the safe’s entire purpose. Although it had a Medeco lock, the lock wasn’t really necessary; I used a paperclip as my ‘key’. There must have been something really wrong with the way the plug was installed; I’d be horrified if this ‘attack’ worked on all of these safes. Unfortunately, I only had the one in my room to play with.
Check out my demo video below for some facepalm-worthy safe bypass action!
[Updated] A guy called Brad found that his electronic hotel safe could be opened using an all-zero passcode.
When SQL injection becomes too easy
When surfing around the net I recently came across a website that appeared to use some kind of simplified database query as part of the GET request. This got me thinking about what would’ve been possible if the developers had been stupid enough to pass an actual SQL query in the URL.
Turns out that some websites actually do this! See Monkey Facepalm picture.
A quick Google search with the following terms will bring back a number of pages that use SQL queries as GET parameters:
inurl:select inurl:where inurl:%20
One of the results, from Washington State University:
http://refbase.wsulibs.wsu.edu/yellowstone/search.php?sqlQuery=SELECT%20author%2C%20title%2C%20year%2C%20publication%2C%20volume%2C%20pages%20FROM%20refs%20WHERE%20serial%20RLIKE%20%22.%2B%22%20ORDER%20BY%20author%2C%20year%20DESC%2C%20publication&submit=List&citeStyle=APA&citeOrder=&orderBy=author%2C%20year%20DESC
decodes to:
http://refbase.wsulibs.wsu.edu/yellowstone/search.php?sqlQuery=SELECT author, title, year, publication, volume, pages FROM refs WHERE serial RLIKE ".+" ORDER BY author, year DESC, publication&submit=List&citeStyle=APA&citeOrder=&orderBy=author, year DESC
Now, how many of these sites query their databases with full admin privileges? I think I also spotted some ecommerce sites doing this too… passwords and credit card numbers anyone?
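For anyone maintaining a search page like the one above, here is a sketch of the safer design, added as an example and not code from refbase or any site mentioned here: the request carries structured parameters, column names are checked against an allowlist, values are bound, and the connection is read-only. The `show`, `dir` and `author` parameters, the `users` table and the sample rows are assumptions made up for the demo; `sqlQuery` and `orderBy` are the parameter names from the URL above.

```python
import sqlite3
from urllib.parse import parse_qs

# Only these column names may ever reach the SQL text.
ALLOWED_COLUMNS = {"author", "title", "year", "publication", "volume", "pages"}
MAX_ROWS = 100

def build_query(query_string):
    """Map structured GET parameters to (sql, params); raw SQL is refused."""
    qs = parse_qs(query_string)
    if "sqlQuery" in qs:
        raise ValueError("raw SQL in the request is not accepted")
    columns = qs.get("show", ["author,title,year"])[0].split(",")
    order = qs.get("orderBy", ["author"])[0]
    direction = qs.get("dir", ["asc"])[0].lower()
    if any(c not in ALLOWED_COLUMNS for c in columns):
        raise ValueError("unknown column requested")
    if order not in ALLOWED_COLUMNS or direction not in ("asc", "desc"):
        raise ValueError("invalid sort order")
    sql, params = f"SELECT {', '.join(columns)} FROM refs", []
    if "author" in qs:
        sql += " WHERE author = ?"          # value is bound, never concatenated
        params.append(qs["author"][0])
    sql += f" ORDER BY {order} {direction.upper()} LIMIT {MAX_ROWS}"
    return sql, params

def search(conn, query_string):
    sql, params = build_query(query_string)
    return conn.execute(sql, params).fetchall()

def demo_db():
    """Constructed sample data; 'users' stands for what raw SQL would expose."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE refs (author, title, year, publication, volume, pages);
        INSERT INTO refs VALUES ('Smith', 'Geysers', 2001, 'J. Geo', 4, '1-9');
        INSERT INTO refs VALUES ('Adams', 'Wolves', 1999, 'Ecology', 7, '10-20');
        CREATE TABLE users (name, password_hash);
        INSERT INTO users VALUES ('admin', 'constructed-placeholder');
    """)
    # SQLite's stand-in for a read-only database account (least privilege).
    conn.execute("PRAGMA query_only = ON")
    return conn

if __name__ == "__main__":
    db = demo_db()
    print(search(db, "show=author,year&orderBy=year&dir=desc"))
```

On a real deployment the read-only part is done with a database account that has SELECT rights on the one table the page needs, which answers the admin-privileges question above even if a query bug slips through.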