Kantipur Engineering College is one of the well-known colleges of KTM. It provides undergraduate studies for a Bachelor of Engineering in Computer Science, Electronics Engineering and other faculties.
Please see their website here.
Level of vulnerability: 1/5
SQL Injection in detail
Most of the pages appear to be static, with no URL parameters to modify or fiddle with.
The only place to tinker with is the news section, which appears in a small column on the right.
The URL is http://www.kec.edu.np/news.php?id=5. This is a tempting target, since it is so common to simply change the id and see what comes out.
At id=5 we get
To test for injection, we just change the 5 into some text, say "asdf", and get
Unknown column 'asdf' in 'where clause'
This shows that the query is something like
select * from
and the above error is exactly what you get when you insert a string in place of variablename.
http://www.kec.edu.np/news.php?id=1 OR 1=1 or news.news_id=1 order by news.news_title desc
Hmm, it executes fine with no error, so we now know one of the column names of the table.
Finally, by simple guessing, the table should be named news, so doing a simple
and we have all the respective rows in the news table.
These are the fields of the news table,
which can be seen by successfully executing this line
http://www.kec.edu.np/news.php?id=1 OR 1=1 or news.news_id=1 order by news.news_title, news.news_date desc
Also, a UNION SELECT works, which opens up quite a lot. But I bet they don't have anything interesting. The homepage already has &nbsp; all around the top links, very bad web design.
How to remove the SQL injection?
The techniques are widely discussed on various websites.
- This is a very helpful link on how to prevent SQL injections.
- It's a bad idea to create a website from scratch, because there will be lots of places we would most probably overlook. SQL injection is just one of the many loopholes hackers can use to get into our website.
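As an added example (not the college's code, and not from the link above), here is the news.php pattern this post describes, in its vulnerable form beside a hardened form using PDO prepared statements with input validation. The table and column names (news, news_id, news_title, news_date) come from the post; the DSN, credentials and function names are placeholders.

```php
<?php
// Connection details are placeholders for this example.
$pdo = new PDO(
    'mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
    'DB_USER_PLACEHOLDER',
    'DB_PASS_PLACEHOLDER',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ]
);

// VULNERABLE: the request parameter is pasted straight into the SQL text, which
// is why ?id=asdf yields "Unknown column 'asdf'" and ?id=1 OR 1=1 returns all rows.
function fetchNewsVulnerable(PDO $pdo, string $rawId): array
{
    $sql = "SELECT news_id, news_title, news_date FROM news WHERE news_id = $rawId";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED: validate the type first, then bind the value as a parameter. The SQL
// text never changes, so nothing in the input can alter the query's structure.
function fetchNewsSafe(PDO $pdo, string $rawId): ?array
{
    // Accept only a positive integer id; anything else (e.g. "1 OR 1=1") is rejected.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);
        return null;
    }
    $stmt = $pdo->prepare(
        'SELECT news_id, news_title, news_date FROM news WHERE news_id = :id'
    );
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Usage in news.php: only ever call the hardened version.
$raw = $_GET['id'] ?? '';
$row = fetchNewsSafe($pdo, is_string($raw) ? $raw : '');
if ($row === null) {
    echo 'News item not found.';
} else {
    // Escape on output too; the stored text is untrusted data.
    echo htmlspecialchars($row['news_title'], ENT_QUOTES, 'UTF-8');
}
```

Prepared statements bind values only; if the page ever lets the visitor choose a sort column (the ORDER BY seen above), that column name must be checked against a fixed allowlist in code, since it cannot be bound as a parameter.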
The admin of http://www.kec.edu.np has been emailed about this.
So don't be surprised if this no longer works.
The listed email address firstname.lastname@example.org bounced, :-| so even their official email does not work. Somebody please inform the college web admins.