May 20, 2008

SQL Injection

Filed under: Computing, Hacking, Internet — admin @ 11:25 pm

From the desk of Samy,

I didn’t want to post anything more today until next week… But this is almost compulsory! My fucking god, sometimes there are websites that make me freak out… How the hell can such a popular website have such a vulnerability?

Talking about SQL Injection is on my blog list now.

What do you think I could do with the following information I’ve just received after sending a VERY SIMPLE attack to the website?

Failed on select title.text, mistake.title, mistake.timecode, media, mistaketext.text, if((mistake.modified3) < (now() - interval 1 year),'yes','no') as yearold, date(mistake.modified3) as date, mistake.type from title, mistake, mistaketext where mistake.id = '' or 1=1' and mistaketext.id = mistake.id and mistake.title = title.id

Yes… You are right. EVERYTHING.

Remember that all information (including the admin password and so on) is stored in the website’s database…

Have fun…

…SaMy*^30
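
The error message quoted in the post shows two separate defects: the request value is pasted into the SQL text, and the failing statement is echoed back to the visitor. The following is an added example, not code from the original post or from the affected site, that puts that pattern beside a hardened form in Python with sqlite3. The two-table schema is a constructed stand-in and the function names are hypothetical.

```python
import logging
import sqlite3

log = logging.getLogger("mistakes")

# Constructed stand-in for the site's schema; only the columns needed here.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        create table title (id integer primary key, text text);
        create table mistake (id integer primary key, title integer, type text);
        insert into title values (1, 'Film A'), (2, 'Film B');
        insert into mistake values (10, 1, 'continuity'), (11, 2, 'factual');
    """)
    return conn

QUERY = ("select title.text, mistake.type from title, mistake "
         "where mistake.id = {} and mistake.title = title.id")

def lookup_vulnerable(conn, mistake_id):
    # Defect 1: the request value is pasted into the statement text.
    sql = QUERY.format("'" + mistake_id + "'")
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error:
        # Defect 2: the failing statement is echoed back to the visitor.
        return "Failed on " + sql

def lookup_hardened(conn, mistake_id):
    # Reject anything that is not a short, plain numeric id before querying.
    if not mistake_id.isdecimal() or len(mistake_id) > 18:
        return "Invalid request"
    try:
        # The value travels as a bound parameter, never as SQL text.
        return conn.execute(QUERY.format("?"), (int(mistake_id),)).fetchall()
    except sqlite3.Error:
        # Details go to the server log; the visitor learns nothing about the schema.
        log.exception("mistake lookup failed")
        return "Internal error"
```

Either fix alone leaves a gap: bound parameters stop the injection, and the generic error response keeps table and column names out of the page if some other statement fails.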
