SQL Injection Vulnerability found in Lowyat.net

A week ago, I blogged about the potential Path Traversal vulnerability found in Lowyat.net. Today I discovered a more dangerous vulnerability, which I categorize as HIGH: SQL Injection that attackers can perform against Lowyat.net’s MySQL database.

You might ask me how I found out that Lowyat.net is using MySQL. The answer is very simple: the SQL Injection error message just tells you. I’m not a MySQL guy, BUT I do know that MySQL is using the T-SQL standard. For an attacker who is familiar with SQL Server, it is easier to manipulate the SQL syntax.

When you enter the malicious code as above (the blurred-out portion), you will be prompted with a detailed error message as below.

Information that I gathered from the following message includes:

  • mySQL 1064: SQL error
  • it is using MySQL
  • the columns (such as id, link) and the tables (blurred out) that are queried by the SQL statement

Potential threat

It is very common for attackers to execute CRUD (Create, Read, Update and Delete) operations through SQL Injection:

  • Create – create malicious records, such as a dummy administrator account
  • Read – read private and confidential information such as administrator and user passwords
  • Update – update records with the attacker’s information, e.g. change users’ passwords. The other potential threat is that a user can inject Cross-site Scripting (XSS) code into the record
  • Delete – delete any record they want, or the whole table
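To make the mechanism behind the error message and the CRUD risk concrete, here is an added example (not code from the post or from Lowyat.net) that puts a string-concatenated lookup next to a parameterized one and shows a handler that logs the database error instead of echoing it to the visitor. It assumes an in-memory sqlite3 database as a stand-in for MySQL; the `topics` table and its `id`, `link` and `hidden` columns are illustrative, not the site’s real schema.

```python
import sqlite3

# Constructed stand-in for the forum's MySQL database (assumption: sqlite3 in
# memory, with illustrative table and column names, not Lowyat.net's schema).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE topics (id INTEGER, link TEXT, hidden INTEGER)")
    conn.executemany("INSERT INTO topics VALUES (?, ?, ?)",
                     [(1, "/topic/1", 0), (2, "/topic/2-staff-only", 1)])
    return conn

def lookup_vulnerable(conn, link):
    # The user-supplied value is spliced into the statement text, so the
    # database parses it as SQL: a stray quote is a syntax error (the kind of
    # 1064 message the post describes) and quoted SQL rewrites the WHERE clause.
    sql = "SELECT id, link FROM topics WHERE hidden = 0 AND link = '" + link + "'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn, link):
    # Placeholder binding: the value travels as data and is compared literally,
    # whatever characters it contains.
    sql = "SELECT id, link FROM topics WHERE hidden = 0 AND link = ?"
    return conn.execute(sql, (link,)).fetchall()

SERVER_LOG = []  # where the detailed error goes instead of the HTTP response

def handle_request(conn, link, lookup=lookup_safe):
    """Return a response dict; never echo the database error to the visitor,
    since that message is what revealed the engine, tables and columns."""
    try:
        return {"status": 200, "rows": lookup(conn, link)}
    except sqlite3.Error as exc:
        SERVER_LOG.append(f"db error for link={link!r}: {exc}")
        return {"status": 500, "rows": [], "message": "Something went wrong."}

if __name__ == "__main__":
    db = make_db()
    print(lookup_safe(db, "'"))                         # []: the quote is just data
    print(lookup_vulnerable(db, "x' OR '1'='1"))        # both rows, hidden one included
    print(handle_request(db, "'", lookup_vulnerable))   # generic 500, detail in SERVER_LOG
    print(SERVER_LOG)
```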

update: 17 June 2008

The vulnerability has been patched.
