I was browsing for some clothes online - And I came accross this company (Triads)

Triads.co.uk

When I went to search for jeans I noticed the url ext became:
/search.html?query=jeans&search.x=0&search.y=0

I played about and noticed that it selects tables from the database.

ie.

Select tops from *

It worked for tops as well...

When I emailed the administrator telling him that although the contents of the database may not have any private information I had a stubborn reply saying I was wrong and that items weren't being selected.

I've tried the obvious Select USER From * etc etc but not avail.

Just wanted a few of you dudes to take a look and see if you get anywhere. I don't mind you reporting them etc

Would appreciate if you reply here with your finds :]

Thanks::
Flash O.-

he was right to be stubborn.. that's not SQL injection. he seems to use a test for just if the query parameter contains the substring 'tops' anywhere (case insensitive)
So this works: http://www.triads.co.uk/search.html?query=asdfqwerToPSasdfqwer query=asdfqwerToPSasdfqwer
And this doesn't: http://www.triads.co.uk/search.html?query=asdfqwerT__oPSasdfqwer query=asdfqwerT__oPSasdfqwer

if written in PHP, it would look something like:

db_qry = "SELECT * FROM ";
if ( stristr($_GET["query"],"tops") )  db_qry += "Tops";
if ( stristr($_GET["query"],"jeans") ) db_qry += "Jeans";

stristr is case-insensitive. There is multiple XSS injections from that parameter if it's any consolation, but that particular one doesn't seem to be vulnerable to SQL injecting..

XSS: http://www.triads.co.uk/search.html?query=%22%3E%3Cscript%3Ealert(String.fromCharCode(88,83,83))%3C/script%3E%3Cx

-maluc

but you can play around with this one: http://www.triads.co.uk/search.html?query=a&manufacturers%5B%5D=-1asdf&min_price=0&max_price=50&day=24&month=9&year=2006&to_day=24&to_month=11&to_year=2006&Submit.x=26&Submit.y=4&Submit=SEARCH http://www.triads.co.uk/search.html?query=a&manufacturers%5B%5D=-1')xxxx&min_price=0&max_price=50&day=24&month=9&year=2006&to_day=24&to_month=11&to_year=2006&Submit.x=26&Submit.y=4&Submit=SEARCH

-maluc



Edited 1 time(s). Last edit at 11/24/2006 01:47PM by maluc.

Well it depends, such as:

http://www.triads.co.uk/search.html?query=SELECT%20*%20FROM%20*%20LIKE%20A%ORDER%20%20BY%20ID%20ASC

is a preamble for real SQL injection,
if i mess around i could do more harm then he wants to happen, so i'll hope he doesn't dare me. As i see it nothing is checked or being escaped properly, and if he does i can always use char() to omit "addslashes", which is a pretty un-useful function. But, im not dropping his tables or trying to get root, that's for others to decide but it's possible, too much in need of sleep right now :|

:)



Edited 1 time(s). Last edit at 11/24/2006 10:46PM by jungsonn.

Well, at least there's XSS.
http://www.triads.co.uk/search.html?query=%22%3E%3Cscript%3Ealert('xss');%3C/script%3E
Edit: whoops, didn't see maluc already pointing this one out



Edited 1 time(s). Last edit at 03/17/2007 07:05AM by rebel.