Do Comment and I shall comment back. Your contributions are always welcome at emailadimn@gmail.com.
Nepali Security Community Accessible at NepSecure Google Groups

Tuesday, September 18, 2007

Kantipur Engineering College website Vulnerability to SQL Injection (minor hack)

Please do not take this post as an attack on your website. Our motive is to let you know about the insecurities in it and to offer options for improving them.

Kantipur Engineering College is one of the well-known colleges of KTM. It offers undergraduate studies for the Bachelor of Engineering in Computer Science, Electronics Engineering and other faculties.
Their website is at http://www.kec.edu.np.

Level of vulnerability 1/5
SQL Injection in detail

Most of the pages appear to be static, with no URL parameters to modify or fiddle with.
The only place to tinker with is the news section, which can be seen on the right inside a small column.

The URL is http://www.kec.edu.np/news.php?id=5 . This is very lucrative, since it is so common to just change the id and see what output results.

At id=5 we get:


To inject a simple piece of SQL we just change the 5 into some text, say "asdf", and you will get
Unknown column 'asdf' in 'where clause'
This shows that the query is something like
select * from where id=variablename
and the error above is exactly what you get when you insert a bare word in place of variablename: MySQL treats it as a column name rather than a value.

What about
http://www.kec.edu.np/news.php?id=news_id
or
http://www.kec.edu.np/news.php?id=1 OR 1=1 or news.news_id=1 order by news.news_title desc


Hmm, it seems that it executes fine with no error, so we know one of the column names of the table.
Finally, with a simple human guess, the table should be named news, so doing a simple
http://www.kec.edu.np/news.php?id=news.news_id
gives us all the rows in the news table.

These are the fields of the news table:
news_id, news_title, news_date
which is confirmed by this line executing successfully:

http://www.kec.edu.np/news.php?id=1 OR 1=1 or news.news_id=1 order by news.news_title, news.news_date desc


Also, we can do a union select, which opens up pretty much a lot of things. But I bet they don't have anything interesting. The homepage already has nbsp all around the top links, very bad web design.

How to remove the SQL injection?
The techniques are widely discussed on various websites.
  • This is a very helpful link on how to prevent SQL injections:
    http://www.unixwiz.net/techtips/sql-injection.html#miti
  • It's a bad idea to create a website from scratch, because there will be lots of places that we would most probably overlook. SQL injection is just one of the many loopholes for hackers to get into our website.
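As an added illustration (not the college site's code, which is PHP; this uses Python's sqlite3 with a constructed three-row news table carrying the column names the post lists), here is the concatenation pattern the post infers behind news.php?id= beside the validate-and-bind form that removes the flaw:

```python
import sqlite3

# Constructed sample rows standing in for the news table the post describes;
# the column names news_id, news_title and news_date are the ones the post lists.
NEWS_ROWS = [
    (1, "Admissions open", "2007-09-01"),
    (2, "Exam schedule", "2007-09-10"),
    (5, "Orientation day", "2007-09-15"),
]


def make_db():
    """Build an in-memory database holding the constructed news table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (news_id INTEGER, news_title TEXT, news_date TEXT)")
    conn.executemany("INSERT INTO news VALUES (?, ?, ?)", NEWS_ROWS)
    return conn


def news_vulnerable(conn, raw_id):
    """The pattern the post infers behind news.php?id=...: the raw parameter is
    spliced into the SQL text, so whatever it contains becomes part of the query."""
    sql = "SELECT news_id, news_title, news_date FROM news WHERE news_id=" + raw_id
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.OperationalError as exc:
        # Echoing the database error to the page is what let the post read the
        # column name back ("Unknown column 'asdf' in 'where clause'").
        return "error: " + str(exc)


def news_hardened(conn, raw_id):
    """Validate, then bind: the id is an integer key, so anything else is rejected
    before any SQL runs, and the value travels as a bound parameter, never as text."""
    try:
        news_id = int(raw_id)
    except ValueError:
        return []
    sql = "SELECT news_id, news_title, news_date FROM news WHERE news_id=?"
    return conn.execute(sql, (news_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(news_vulnerable(db, "5"))       # one row
    print(news_hardened(db, "5"))         # the same one row
    print(news_hardened(db, "1 OR 1=1"))  # [] : the injected text is not an integer
```

In production the hardened lookup should also log the rejected input and return a generic error page, never the database's own message.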
Comments are more than welcome. We hope this helps the original author of the website fix its flaws.

The admin of http://www.kec.edu.np has been emailed about this,
so don't be surprised if this no longer works.

Update
The email address mentioned, admin@kec.wlink.com.np, bounced, :-| so even their official email does not work. Somebody please inform the college web admins.