satcollege.txt

2006-08-27T00:00:00
ID PACKETSTORM:49262
Type packetstorm
Reporter Packet Storm
Modified 2006-08-27T00:00:00

Description

                                        
                                            `sat collegeboard site sql injection vulnerability  
  
they even show you the query to be nice  
  
to get your question of the day:  
http://www.collegeboard.com/apps/qotd/question/0,,47992,00.html  
  
<!--  
SELECT s.question, ls.name, ls.description, s.content_id, s.hint  
FROM survey s, lk_survey ls  
WHERE s.lk_survey_id = ls.lk_survey_id  
AND s.content_id = 47992  
-->  
  
and the s.content_id is directly controllable  
  
http://www.collegeboard.com/apps/qotd/question/0,,(47992),00.html  
<!--  
SELECT s.question, ls.name, ls.description, s.content_id, s.hint  
FROM survey s, lk_survey ls  
WHERE s.lk_survey_id = ls.lk_survey_id  
AND s.content_id = (47992)  
-->  
  
  
they do some naive filtering of quotes but you'll quickly find the bypass have PHUN and teachers live those kids alone  
***************************************************************  
This email was send via www.AnonymousSpeech.com,   
the worlds leading anonymous email provider.  
***************************************************************  
  
  
`