Rival Company snoops for SQL Injection Vulnerability
19:29.37 - Wednesday 30th May 2007
A bit of scandal! I decided to check up on a website we'd finished recently to see how many visitors were coming in after the client had launched it and promoted it a little bit, and I spotted the following in the list of URLs accessed:
- /results.php?q=SELECT+*+FROM+custom+where+custome+=+%+a+%+--
Even better, the server that this site is on resolves IP addresses to their host names, and the IP that attempted the above resolved to... one of our competitors. The very competitor, in fact, that had lost this account to us.
After the daily log rotate had run I downloaded the log files and wrote a quick script to list all of their attempts, of which there were about 8 altogether. Of course, I reported this to the client and will let them ask the awkward questions. Could be interesting!
