Butterfly susceptible to SQL injection

Well, I was supposed to be reading for my Simulation and Modelling exam tomorrow, but I got bored and ventured into KDN's Butterfly. I then used one of the login methods offered at their paid services, and voila, I was able to log in to their service via simple SQL injection. KDN, please sanitize your queries before someone drops your tables. This also leaves me wondering how many coders sanitize their queries. (I don't remember doing it either in my pre-Drupal era.)

with Regards:
Kazi kwa vijana and other idiots, all at my blog: http://gramware.blogspot.com

Hehe! Even susceptible to DNS tunnelling. Goodness. Someone should do nothing. We want free internet! BTW that simulation and modelling exam was sweeeeet!

2009/8/19 Dennis Kioko <dmbuvi@gmail.com> wrote:
_______________________________________________ Skunkworks mailing list Skunkworks@lists.my.co.ke http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks Other services @ http://my.co.ke Other lists ------------- Announce: http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks-announce Science: http://lists.my.co.ke/cgi-bin/mailman/listinfo/science kazi: http://lists.my.co.ke/cgi-bin/mailman/admin/kazi/general
-- Mimano G. Muthondu, Software Developer, Datadyne.org
skype: gmimano
Mobile: +254 723 615 206

Umm... How ethical is it to post vulnerabilities on a forum like this one? As opposed to alerting the right people at KDN... By the way, I'm only asking... :)

Me.

2009/8/19 Geoffrey Mimano <gmimano@datadyne.org> wrote:
-- שִׁמְעוֹן

He didn't post a PoC nor a working exploit. Furthermore, having a login SQLi vulnerability is stupid.

On 8/19/09, Simon Mbuthia <simon.mbuthia@gmail.com> wrote:
-- Gichuki John Ndirangu, C.E.H, C.P.T.P, O.S.C.P
I.T Security Analyst and Penetration Tester
infosigmer@inbox.com
{FORUM} http://lists.my.co.ke/pipermail/security/
http://nspkenya.blogspot.com/
http://chuksjonia.blogspot.com/

Butterfly has had other vulnerabilities which are still not fixed. I specifically avoided posting the details, but I can't believe that simple SQL injections still work on sites designed by professionals. I know of a guy who once logged in to the Brookside Joomla back end because the admin used "admin" and "admin" as user name and password.

On 19/08/2009, Gichuki John Chuksjonia <chuksjonia@gmail.com> wrote:
-- with Regards:
Kazi kwa vijana and other idiots, all at my blog: http://gramware.blogspot.com
participants (4)
- Dennis Kioko
- Geoffrey Mimano
- Gichuki John Chuksjonia
- Simon Mbuthia