Comment On Now Hiring SQL Injectors

It's still cute.

The most classic invitation for an SQL injection ever, perhaps they're scanning for 'em and only employing the people who do try their haxxor skills since they obviously understand SQL and it's "hidden bonii" :)

A friend's website had a silly vulnerability like this. All you had to do was select a user where 1 = 1 and you could log into the site with whatever the first user was in the database.

If this is actually how you do job searches on their site, they may want to add a disclaimer; Please do not enter the following in either field: ";DELETE FROM JOBS;SELECT * FROM JOBS WHERE "1" = "1

Is this a joke or does it really work??

Somehow I doubt it really just fills in the blanks in the SQL string (though it's happened before). The sad part though is their half-hearted attempts to pander to IT people. At least this one is reasonable, whereas the last one posted here was a complete joke.

I just tried it. It took 5 minutes for the page to refresh. And when it came back, every single job on their site was gone!!! woo hoo!!! hope they have backups.

This is at least better than their other one. I don't mind this one so much, but the other one was kind of sad in how poorly conceived it was.

Couldn't find a page that looked anything like that.
May be it was a test page.

Yes. It really does work. Having trouble breathing? Looking pale? At least my friend looked like that when I told him about SQL-injections... after he had developed commercial site and published it.

panzi:

If this is actually how you do job searches on their site, they may want to add a disclaimer; Please do not enter the following in either field: ";DELETE FROM JOBS;SELECT * FROM JOBS WHERE "1" = "1

Is this a joke or does it really work??

*IF* that was really what the ad did, then yes.

This is a great example for showing what SQL injection is and how it could work. If you don't protect against the user, then eventually, some malicious or curious user is going to run arbitrary queries on your database.

If you could trust the users, then they would only enter (for example) San Fransisco in the City field. However, you can't, and someone could just as easily enter control characters into the input field.

" ; DROP TABLE ends the "city" field then executes the DROP TABLE command.

Protecting against SQL injection is a matter of passing the escape characters along as characters to search against. (I'm not sure; databases aren't often used in embedded systems.) Thus, you'd search for the city:

" ; DROP TABLE

which would have no matches.

What your smart bad guy is going to do is just run a query to get the records for all users, then sell them at $20 each. That's a lot less detectable than having the records suddenly vanish.

I'd like to think that this ad is just to get your attention. It does, however, provide a decent visual aide.

Doesn't SQL normally use double-quotes for object names, and single-quotes for string literals? So the ad doesn't make sense anyways?

select * from users where clue>0;
no rows returned

Is this actually live somewhere? And does it actually allow SQL injection? If not, then then this WTF is completely pointless. All the advertisement needs to do is ADVERTISE, not be Turing complete or anything like that.

If they were looking for website developers and made an advertisement that said

<a href="dice.com">I need a new job! </a>

Would you rag on it for missing the DOCTYPE declaration and not validating?

Could they have bought this kind of advertising? I doubt it. Unfortunately, they probably just eliminated their best candidates

captch = waffles. Had the noun for breakfast. Will do the verb for the rest of the day.

I was going to post this on the sidebar, but I'm not registered. You'd think the other big guy in this field would be have access to some decent resumes, and then you stumble onto this:

http://jobs.thedailywtf.com/1001/listing.aspx?JobId=1000755

I've always wanted to change my legal name to ;DROP DATABASE; and see what kind of havoc ensues...

Pap:

Is this actually live somewhere? And does it actually allow SQL injection? If not, then then this WTF is completely pointless. All the advertisement needs to do is ADVERTISE, not be Turing complete or anything like that.

If they were looking for website developers and made an advertisement that said

<a href="dice.com">I need a new job! </a>

Would you rag on it for missing the DOCTYPE declaration and not validating?

No. I would rag on it for not using an absolute URL and therefore only linking to a child document of the current path named "dice.com."

I'd rag on it for not including "http://" in the href so it'd go to wherever.the.current.url.is/dice.com


CAPTCHA: Xevious. I've never played Xevious, actually..

That job listing is missing the requirement for the ability to solve world peace and bend time-space. All other things they have covered :)

Heh - even my company have made "SQL-languaged" banner for job applicants.
Think it is a rather common strategy to separate yourself from the normal crowd.

No, actually if you put '<base href="http://dice.com">' in the <head> then it works fine. Of course, we're not including all that meta data in our limited-space advertisement.

Then all Dice needs to do is make sure their webserver redirects it to their job search!

This is not a WTF. I'm certain the code filters to avoid SQL Injections.

Massive overreaction. Just because it has a *picture* of some SQL code does not mean that you're actually running SQL queries directly on the box. It's marketing, folks. Get real.

Sam:

A friend's website had a silly vulnerability like this. All you had to do was select a user where 1 = 1 and you could log into the site with whatever the first user was in the database.

My university had a vulnerability like this! So I knew everyone's grade, password and personal information and had some fun with statistics (I didn't modify anything!). The admin figured out something was wrong and fixed the bug, but I still had ALL student login/password combinations so that didn't prevent me from accessing any account.

The point is that they are trying to attract programmers with dodgy code lol.

It's the equivilent of trying to attract C# developers with code that contained a goto.

So, has anybody tried it...? <G>

p.s. LOL! My captcha for this comment is "dreadlocks" -- never had a "good" word, before...

Yeah, this was a pretty weak Error'd article. Just because some marketing guys thought this would be cute does not mean it's a SQL injection vulnerability.

Off-topic: Why do people announce their CAPTCHAs?

themagni:

Protecting against SQL injection is a matter of passing the escape characters along as characters to search against. (I'm not sure; databases aren't often used in embedded systems.)

to protect against injection, all you have to do is use parameterized commands. You should *never* concatenate anything together with a SQL statement and execute it, unless the language/framework/database you are using doesn't support parameters. Of course, in that case, you probably have bigger issues to worry about.

So far, today's entry has been setting a record for most people not "getting it". Of course dice.com doesn't actually have this form on their site to fill in; it's just funny that a company that (in theory) is hiring and placing "experts" in programming or technology would display BAD, UNSAFE CODE in their marketing.

that's all , kids. It's just a little ironic if you get it.

Pap:

No, actually if you put '<base href="http://dice.com">' in the <head> then it works fine. Of course, we're not including all that meta data in our limited-space advertisement.

Actually, I think you'd find it'd go to http://dice.com/dice.com if you did that.

Paul:

Doesn't SQL normally use double-quotes for object names, and single-quotes for string literals? So the ad doesn't make sense anyways?

that is standard SQl. however, in its default SQL_MODE, mysql allows strings with either type of quotes, and object names are quoted with backticks. if you set the SQL_MODE to ANSI, then double-quotes are used to quote object names and can't be used to quote strings.

Weaksauce. Must be a slow day in the clusterfu... er... newsroom.

Paul:

Doesn't SQL normally use double-quotes for object names, and single-quotes for string literals? So the ad doesn't make sense anyways?

Oracle uses single quotes for string literals...I dunno if that's standard though. Object names don't usually need attribution, because if its not a keyword or operator, its gotta be an object. An alias is double-quoted in Oracle, such as

SELECT cust_id "Customer ID" FROM ...

Again, I have no idea if this is ANSI standard or not.

Jeff S:

... it's just funny that a company that (in theory) is hiring and placing "experts" in programming or technology would display BAD, UNSAFE CODE in their marketing.

This is not software code, it's a SQL query. Like a query you would run in Query Analyzer or Toad, not part of a string concatenation routine. It's just marketing targeted more at DBAs and database-driven application developers.

If this is BAD and UNSAFE, then I guess I'm in trouble.

The only people that aren't "getting it" are the people who think this is a possibility for SQL injection. Including whoever did the write-up for the screenshot.

Jeff S:

to protect against injection, all you have to do is use parameterized commands. You should *never* concatenate anything together with a SQL statement and execute it, unless the language/framework/database you are using doesn't support parameters. Of course, in that case, you probably have bigger issues to worry about.

Never is such a horrible word to use. I concat strings for SQL execution all the time, well, I use System.String.Format, actually, but same effect:

System.String.Format("SELECT * FROM Foo WHERE Bar={0}", SQLExcape(szUserInput));

Now, concatenating raw user input to SQL without escaping it, thats just stupid... Although I do have that one application I use for executing arbitrary SQL, that is by its nature an acceptable use of unescaped SQL, but there is no concatenation involved then, so it doesn't qualify.

One can hope this isn't a real query but just a "fun" display for the actual query engine.

That is, it's probably a joke. You know, funny? Ha ha.

But please don't type "; DELETE * FROM JOBS ; " anyway, m'kay

SC dreadlocks which rhymes with deadlocks which is what bad SQL programmers get.

Ytram:

Yeah, this was a pretty weak Error'd article. Just because some marketing guys thought this would be cute does not mean it's a SQL injection vulnerability.

Agreed.

Ytram:

Off-topic: Why do people announce their CAPTCHAs?

Because they're nerds..

There's no WTF here. It might be dull, but it's pretty obvious what they're trying to tell you; they're seeking SQL programmers, and if that seems familiar, you're probably one. Securing it against injections would just have blurred intention of the ad.

The real WTF seems to be that the "select" part of the SQL injection seems to be somewhat irrelevant after the table has been emptied by the "delete" part.

Ciaran :

pap:

No, actually if you put '<base href="http://dice.com">' in the <head> then it works fine. Of course, we're not including all that meta data in our limited-space advertisement

Actually, I think you'd find it'd go to http://dice.com/dice.com if you did that.

agreed. <base ...> is also often ignored by spiders, which I run into regularly in the error log for the mod-rewrite based site I work for.

The DBMS would certainly be able to restrict the site's "web user" account from being able to execute delete, update, or drop statements.

There's another ad (I see it mostly on slashdot) just like this for the same business I believe, except it uses PHP:

It flashes a few times between

<?php format='The %2s contains %1d orders'; printf(format, num, location); ?>

and

<?php $format='The %2$s contains %1$d orders'; printf($format, $num, $location); ?>

This really annoys me as a PHP developer because they both have a few blatant, even-my-PHB-knows-this mistakes (vars need a $, undefined constants/variables "num" and "location", '%2$s' and '%1$d' are syntactically invalid...)

(captcha: I like how the word "smile" actually looks somewhat like a smile)

Waitaminute. I have had good uses for goto in C# code.

Let's say I'm talking to some instrument like a spectrum analyzer through a less-than-reliable driver supplied by the instrument vendor, whose name is something like Agile Ant. Lets say that this driver sometimes mysteriously barfs, throwing an Exception with the message "SA Application not installed." Let's also say that the driver behaves normally again with an immediate retry. Let's also say that the Agile Ant people appear to have no desire to fix this problem. My code looks something like this:

runTest:



try

{

   this.RunTest();

}

catch(Exception e)

{

   if(e.Message.IndexOf("SA Application") != -1)

   {

      goto runTest;

   }

   else

   {

      throw e;

   }

}

Better way to solve this problem?

Kai:

The real WTF seems to be that the "select" part of the SQL injection seems to be somewhat irrelevant after the table has been emptied by the "delete" part.

The injected SELECT is only used to get rid of the trailing quote and the rest of the query, because some DBs will just ignore an entire query string if any part of it has an error.

I think this ad could have been improved if they had put a disclaimer at the bottom:

*unless your name is "; Drop Table, of course.

Still, it does get the point across.

Ciaran:

Pap:

No, actually if you put '<base href="http://dice.com">' in the <head> then it works fine. Of course, we're not including all that meta data in our limited-space advertisement.

Actually, I think you'd find it'd go to http://dice.com/dice.com if you did that.

That's why I stated on the very next sentence (which you conveniently excluded from your quotation) that it then become's Dice's responsiblity to configure their webserver to redirect the page "dice.com" to their job searching page.

So you see, it ends up being a perfectly valid link.

bstorer:

Kai:

The real WTF seems to be that the "select" part of the SQL injection seems to be somewhat irrelevant after the table has been emptied by the "delete" part.

The injected SELECT is only used to get rid of the trailing quote and the rest of the query, because some DBs will just ignore an entire query string if any part of it has an error.

I think this is easier way achieve that;

';DELETE xxx/*

CrackWilding:

Massive overreaction. Just because it has a *picture* of some SQL code does not mean that you're actually running SQL queries directly on the box. It's marketing, folks. Get real.

It's the IT version of "punch the monkey"

"Ah ah, I hax0r him and ... what? I click on field and it take me to webpage? This no DB query, this tricky advertisement! Mongo mad!"

zlogic:

My university had a vulnerability like this! So I knew everyone's grade, password and personal information and had some fun with statistics (I didn't modify anything!). The admin figured out something was wrong and fixed the bug, but I still had ALL student login/password combinations so that didn't prevent me from accessing any account.

WTF #1 - having a system that allows SQL injection
WTF #2 - actually storing passwords. Never store passwords, only store one-way hashes of passwords. This prevents anyone from getting a password hacker or employee....

Jeez, this crap is security 101...
-Me

even better

";DELETE FROM Jobs WHERE "1"="1

trianglman:

agreed. <base ...> is also often ignored by spiders, which I run into regularly in the error log for the mod-rewrite based site I work for.

We're talking about advertisements that display said code raw inside a GIF. Did you notice the theme of this thread?

Posting to this forum is like talking to 6 yr olds, I swear. Everything is taken literally.