
July 2, 2010


When SQL injection becomes too easy

[Image: monkey facepalm]

When surfing around the net I recently came across a website that appeared to pass some kind of simplified database query as part of the GET request. This got me thinking about what would have been possible if the developers had been stupid enough to pass an actual SQL query in the URL.

Turns out that some websites actually do this! See the monkey facepalm picture above.

A quick Google search with the following terms will bring back a number of pages that use SQL queries as GET parameters (the %20 term matches the URL-encoded spaces that a multi-word SQL statement in a query string necessarily contains):

inurl:select inurl:where inurl:%20

One of the results, from Washington State University:

http://refbase.wsulibs.wsu.edu/yellowstone/search.php?sqlQuery=SELECT%20author%2C%20title%2C%20year%2C%20publication%2C%20volume%2C%20pages%20FROM%20refs%20WHERE%20serial%20RLIKE%20%22.%2B%22%20ORDER%20BY%20author%2C%20year%20DESC%2C%20publication&submit=List&citeStyle=APA&citeOrder=&orderBy=author%2C%20year%20DESC

decodes to:

http://refbase.wsulibs.wsu.edu/yellowstone/search.php?sqlQuery=SELECT author, title, year, publication, volume, pages FROM refs WHERE serial RLIKE ".+" ORDER BY author, year DESC, publication&submit=List&citeStyle=APA&citeOrder=&orderBy=author, year DESC

Now, how many of these databases are running with full admin privileges? The whole SELECT statement comes straight from the query string, so whatever that database account can read, a visitor can read simply by editing the URL. I think I also spotted some ecommerce sites doing this too… passwords and credit card numbers anyone?
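To make the difference concrete, here is the anti-pattern from the post next to a safer shape, as an added example that is not code from the post or from the refbase project. It runs in Python against an in-memory SQLite database; the refs and users tables, their rows, the URLs and the hostname refbase.example are all constructed for the demo, and the sample query uses SQLite's LIKE '%' where the original URL used MySQL's RLIKE ".+".

```python
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Constructed URLs in the shape the post shows (placeholder hostname, not the real site).
LEGIT_URL = ("http://refbase.example/search.php?sqlQuery=SELECT%20author%2C%20title%20FROM%20refs"
             "%20WHERE%20serial%20LIKE%20%27%25%27%20ORDER%20BY%20author&submit=List")
# Same endpoint, but the visitor has edited the SQL to read a table the page never meant to expose.
ATTACK_URL = ("http://refbase.example/search.php?sqlQuery=SELECT%20email%2C%20password_hash"
              "%20FROM%20users&submit=List")


def build_db():
    """Constructed sample database: a bibliography table plus a table that should stay private."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE refs (serial INTEGER PRIMARY KEY, author TEXT, title TEXT, year INTEGER);
        INSERT INTO refs VALUES (1, 'Smith', 'Geysers of Yellowstone', 1998);
        INSERT INTO refs VALUES (2, 'Jones', 'Bison migration', 2004);
        -- Lives in the same database, readable by the same account the search page uses.
        CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password_hash TEXT);
        INSERT INTO users VALUES (1, 'admin@example.org', '$2y$10$constructedhash');
    """)
    return conn


def sql_query_param(url):
    """Return the decoded sqlQuery parameter; parse_qs undoes the %XX encoding for us."""
    params = parse_qs(urlsplit(url).query)
    return params.get("sqlQuery", [None])[0]


def vulnerable_search(conn, url):
    """The anti-pattern from the post: whatever SQL the client put in the URL is executed verbatim."""
    return conn.execute(sql_query_param(url)).fetchall()


# The only sort columns the page is willing to interpolate into the statement.
ALLOWED_ORDER = {"author", "year", "title"}


def hardened_search(conn, url):
    """Fixed-shape query: the client picks a whitelisted sort column and supplies a bound filter value.

    Any sqlQuery parameter in the URL is simply ignored; it never reaches the database.
    """
    params = parse_qs(urlsplit(url).query)
    order_by = params.get("orderBy", ["author"])[0]
    if order_by not in ALLOWED_ORDER:
        raise ValueError("orderBy not allowed: %r" % order_by)
    author = params.get("author", ["%"])[0]
    # order_by is safe to concatenate only because it was checked against ALLOWED_ORDER above;
    # the author filter goes in as a bound parameter, never as SQL text.
    return conn.execute(
        "SELECT author, title, year FROM refs WHERE author LIKE ? ORDER BY " + order_by,
        (author,),
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("legit   :", vulnerable_search(db, LEGIT_URL))
    print("attacker:", vulnerable_search(db, ATTACK_URL))
    print("hardened:", hardened_search(db, "http://refbase.example/search.php?orderBy=year"))
```

The attacker URL needs no quote-breaking or comment tricks at all: since the parameter is the statement, "injection" is just writing a different SELECT. The hardened version keeps the statement on the server and reduces the client's influence to a whitelisted column name and a bound value, which is the shape any search endpoint should have.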

1 Comment

  1. test
     Dec 26 2014

     alert("I hope your site isn't vulnerable to XSS, since it says right here 'HTML is allowed'");
