A week ago, I blogged about a potential Path Traversal vulnerability found in Lowyat.net. Today I discovered a more dangerous vulnerability, which I categorize as HIGH: a SQL Injection that attackers can perform against Lowyat.net’s MySQL database.
You might ask how I found out that Lowyat.net is using MySQL. The answer is very simple: the error message returned by the SQL Injection just tells you. I’m not a MySQL guy, but I do know that MySQL uses the T-SQL standard. For an attacker who is familiar with SQL Server, it is easier to manipulate the SQL syntax.
When you enter the malicious code shown above (the blurred-out portion), you will be presented with a detailed error message like the one below.
Information that I gathered from that message includes:
- MySQL 1064: SQL syntax error
- it is using MySQL
- the columns (such as id, link) and the tables (blurred out) that the SQL statement queries
It is very common for attackers to execute CRUD (Create, Read, Update and Delete) operations through SQL Injection:
- Create – create malicious records, such as a dummy administrator account
- Read – read private and confidential information, such as administrator and user passwords
- Update – update records with the attacker’s own data, e.g. change users’ passwords. Another potential threat is that the attacker can inject Cross-site Scripting (XSS) code into the stored records
- Delete – delete any record they want, or the whole table
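The two points above (a raw database error that reveals the engine, the columns and the tables, and a query whose scope an attacker can widen) come from the same root cause: user input concatenated into the SQL text and driver errors echoed to the client. The following is an added example, not code from Lowyat.net or from the original post. It uses Python's built-in sqlite3 module with a constructed, hypothetical table named links (the column names id and link mirror the ones mentioned above; the schema, rows and function names are assumptions) to show a vulnerable lookup beside a hardened one that binds the value as a parameter and returns only a generic error.

```python
import sqlite3


def make_db():
    # Constructed sample schema; the table, columns and rows are hypothetical
    # and are not Lowyat.net's real data.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE links (id INTEGER PRIMARY KEY, link TEXT, owner TEXT)")
    conn.executemany(
        "INSERT INTO links (link, owner) VALUES (?, ?)",
        [("http://example.invalid/a", "alice"), ("http://example.invalid/b", "bob")],
    )
    return conn


def lookup_vulnerable(conn, link_id):
    # The user-controlled value is pasted into the SQL text, so it is parsed
    # as SQL rather than treated as data.
    sql = "SELECT id, link FROM links WHERE id = " + link_id
    try:
        return {"rows": conn.execute(sql).fetchall(), "error": None}
    except sqlite3.Error as exc:
        # Returning the driver's message to the client is what discloses the
        # engine, the syntax error and, in other queries, table/column names.
        return {"rows": [], "error": str(exc)}


def lookup_hardened(conn, link_id):
    # Reject values that do not have the expected shape before touching the DB.
    if not link_id.isdigit():
        return {"rows": [], "error": "invalid request"}
    try:
        # Parameter binding: the value can never change the SQL statement.
        rows = conn.execute(
            "SELECT id, link FROM links WHERE id = ?", (int(link_id),)
        ).fetchall()
        return {"rows": rows, "error": None}
    except sqlite3.Error:
        # Log the detail server side (omitted here); the client only gets a
        # generic message, so nothing about the schema leaks.
        return {"rows": [], "error": "invalid request"}


if __name__ == "__main__":
    db = make_db()
    for value in ("1", "1'", "1 OR 1=1"):
        print("vulnerable", repr(value), lookup_vulnerable(db, value))
        print("hardened  ", repr(value), lookup_hardened(db, value))
```

With the input "1" both functions return the single matching row. With a stray quote the vulnerable version hands the database's own error text back to the caller, which is the kind of message the post describes; with "1 OR 1=1" it returns every row, which is the Read case from the list above. The hardened version answers "invalid request" to both, and even without the isdigit check the bound parameter could not alter the statement.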
Update: 17 June 2008
The vulnerability has been patched.