[Full-Disclosure] Trivial SQL Injection in Energis Search function
m_u_d_i_t_a at hotmail.com
Mon Jun 21 22:45:38 BST 2004
Tested on: Win XP SP1 IE 6.0
Risk: Medium severity
Title: Trivial SQL Injection in Energis Search function
Energis is a UK based provider of alternative ISP and telecommunications
services to business users.
On the 5th of May 2004, Energis published a study entitled the "Cost of
Chaos", outlining how many UK businesses are failing to combat the risks
posed by online attacks; the study was widely reported by the media.
The Energis corporate Internet presence contains a search engine facility
where prospective customers can search for various product and service
offerings. This page is located at
http://www.energis.com/products/search.asp. Sadly, Energis seem to have
failed to heed their own warnings, as this feature of the web application is
susceptible to simple SQL injection.
By inserting a single quote character into the search field, the underlying
SQL database returns an ODBC error message, which could be used by remote
attackers to enumerate database contents, potentially escalate privileges and
even execute arbitrary code.
Proof of Concept
Searching for: O'Reilly
Returns the error:
Microsoft OLE DB Provider for ODBC Drivers
[ODBC SQL Server Driver]
Line 1: Incorrect syntax near 'Reilly'.
/products/search.asp, line 463
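The fault behind this error, and the fix, recreated as an added example in Python with sqlite3 (this is not Energis's search.asp code, which the advisory does not include; the product table and names are constructed). The concatenated query turns the quote in O'Reilly into SQL syntax, exactly as the ODBC error above shows; the parameterised version treats it as data, and the wrapper keeps the database error text off the public page.

```python
import sqlite3

# Constructed sample catalogue standing in for the site's product table.
SAMPLE_PRODUCTS = ["Broadband Access", "O'Reilly Training Pack", "Managed Hosting"]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?)", [(p,) for p in SAMPLE_PRODUCTS])
    return conn


def search_vulnerable(conn, term):
    """String-concatenated query: a quote in `term` is parsed as SQL."""
    sql = "SELECT name FROM products WHERE name LIKE '%" + term + "%'"
    return [row[0] for row in conn.execute(sql)]


def search_hardened(conn, term):
    """Parameterised query: the driver passes `term` as a bound value, never as SQL."""
    sql = "SELECT name FROM products WHERE name LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


def vulnerable_error_text(term):
    """Return the raw database error the concatenated query produces for `term`
    (the equivalent of the ODBC text the advisory quotes), or '' if none."""
    try:
        search_vulnerable(make_db(), term)
        return ""
    except sqlite3.Error as exc:
        return str(exc)  # e.g. near "Reilly": syntax error


def search_outcome(search_fn, term):
    """Run a search and return ('ok', rows) or ('error', generic message).
    The database error is kept server-side instead of being echoed to the client."""
    try:
        return ("ok", search_fn(make_db(), term))
    except sqlite3.Error:
        # Log the exception server-side; the visitor only sees a generic message.
        return ("error", "search unavailable")
```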
The author of this advisory can be contacted at m_u_d_i_t_a at hotmail.com.
The author of this advisory is not responsible for the misuse of the
information contained herein. Any use of the information in this advisory is
at the user's own risk; the author accepts no liability for any damages that
The vendor was informed on 31st May 2004. They have not responded as yet.
The vulnerability was originally discovered on a previous iteration of the
website. Since informing the vendor, the website has been redesigned;
however, the vulnerable search function still
Full-Disclosure is hosted and sponsored by Secunia.