[Full-disclosure] Worldwide SQL Advisory



+-++-++-++-++-++-++-++-++-++-++-++-++-++-++-++-++-++-++-++-++-++-+
TSUH-Security
Security Advisory


Topic: Multiple SQL Injections
Announced: 2008-09-25
Credits: UberDuberHax0rx
Affects: Teh Interweb




I. Background

TeamSuperUber H@x0rrifickal, a group of supercomputing collaborative
human superpower elite hackers with a clue, has determined that there
are worldwide vulnerabilities surrounding vast implementations of
websites running SQL. It would seem in our efermal wisdumb of the
inner workings of the OSI layer we have discovered the potential to
inject multiple e-syringes into websites all over the world.

This persistent problem is relevant to programmers and webdevelopers
who cannot conform to our upper strategically placed of infinite
wisdumb associated with technology. We cannot be stopped nor we will
be hindered from disclosing to the world our intentions of Global
Security Domination in the security realm.


II. Problem description

The problem exists with the usage of the apostrophe character, which
will now be referred to as "'" or '\'' if using certain shells. The
' character is an omen to escape and has provided malicious hackers,
crackers, slackers and hijackers with an attack vector to thereafter
flood your email with useless advisories.
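The escape the advisory jokes about, shown concretely as an added example (not part of the original post): a query built by string concatenation lets an apostrophe in the input terminate the SQL string literal, so a legitimate name like O'Brien breaks the statement and a crafted value rewrites its logic, while a bound parameter stays data. The table and rows are constructed in memory for the demo.

```python
import sqlite3

def make_db():
    # Constructed sample data for the demo, not from the advisory.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "s1"), ("O'Brien", "s2")])
    return db

def lookup_concat(db, name):
    # Vulnerable pattern: the value is pasted into the SQL text, so an
    # apostrophe in the input ends the string literal early and whatever
    # follows it is parsed as SQL.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in db.execute(sql)]

def lookup_param(db, name):
    # Safe pattern: a bound parameter is always data, never SQL syntax,
    # so apostrophes need no screwdriver and no escaping by hand.
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in db.execute(sql, (name,))]

def demo(name):
    """Return (concat_result, param_result) for one input value.
    concat_result is the string "OperationalError" when the concatenated
    statement no longer parses."""
    db = make_db()
    try:
        concat = lookup_concat(db, name)
    except sqlite3.OperationalError:
        concat = "OperationalError"
    param = lookup_param(db, name)
    return concat, param

if __name__ == "__main__":
    for value in ("alice", "O'Brien", "x' OR '1'='1"):
        print(repr(value), "->", demo(value))
```

The second input breaks the concatenated query outright; the third turns it into a tautology that returns every row, whereas the parameterized lookup returns nothing for it because no user has that literal name.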


III. Impact

Hackers, crackers, slackers, hijackers and governments will in turn
compromise multiple dozens of hundreds and thousands of millions of
servers should the ' character continue to be used on the Internet.


IV. Workaround

Develop a new character to replace the apostrophe


V. Solution

Using a flat thin object, preferably a screwdriver, carefully pluck
the apostrophe from your keyboard. This will ensure that in the
event your machine - be it server, laptop or desktop - becomes
compromised, you do not aid anyone in performing SQL injections.

We are now forming a petition to the IEEE and other organizations
to remove the apostrophe as it is as useful as an American penny.
Many people do not know the function of pennies and financial
organizations will not accept pennies as currencies in hopes of
raping you financially on a microscale.

Billions of pennies sit in cars, desks, jars, drawers in unusable
fashion with millions of dollars in value solely because of the
machinations of the financial industry's conspiracy to avoid giving
you the face value of ten thousand pennies you're trying to
deposit. Same holds true for the apostrophe.


VI. Apostrophe Project

Beginning now, we will scour and download every single program in
this world that uses SQL in order to audit the apostrophe attack
vector. We do so in hopes to not annoy you with utterly meaningless
advisories, sometimes up to twenty a day, but to fill your heart
with the warm thought that there are some superhero hackers left
in this world.

#!/bin/bash
# SLAPDATASS.sh
# Super Leet Apostrophe Project
# Definitely Addressing the Topic
# Always Supporting Security
# (c) 2008

# The original script calls genIdiotAdvisory without ever defining it;
# this placeholder just announces the "finding".
genIdiotAdvisory() {
    echo "Advisory: apostrophe attack vector suspected in $1"
}

printf "TeamSuperUber H@xxxxxxxxxxxxxx activate!\n"

# Mirror the site recursively so that the directory named after the host
# actually exists before cd'ing into it.
wget -r "http://www.freshcripts.com/" && cd www.freshcripts.com || exit 1

for x in $(echo TeamSuperUber H@xxxxxxxxxxxxxx activate\!)
do
    # The original line was missing its closing backtick.
    for y in $(find . | grep signin)
    do
        echo "Ut oh spaghetti0 we bees founded a vuln" && genIdiotAdvisory "$y"
    done
done


VII. Shoutouts

We wish to shout out all the uberhax0rrifickal superstars who
flood our inboxes with vulnerabilities time after time. It
takes a real genius to point us in the right direction and
gives us incentive to go forward facing in the hopes of being
able to properly direct corporations of proper security
posture.

Without all my fellow hax0rrrifickal comrades toiling 24/7
every day of the year, we would not be able to contain the
risk associated with Citibank using say phpBB or IBM using
PHPmyEjeetSuperThingAMajiggyFoofoo.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/