Learn More
Resend Email
15
SirVicco
5y

I learned recently that you can inject SQL lines in some fields like Passwords or usernames on some websites. (Hacky hacky)

At work there is this intra website that is used to manage the parts of the radios and computers we repair.
Each piece has a specific number, and there is a tree with every pieces for each radio/computer.

When we get to repair one, we gotta change the pieces virtualy on the website. Sadly sometimes, the virtual pieces aren't marked like they followed the whole Radio from the place they come to the place we repair (we need it to replace the piece). People are just not doing their job, so we have to send emails and call for them do it so we can repair it. (This is already fucked up.)

Today, I had to replace a piece, but it was marked like it's not there. I called the guy, and it seems like he is on a vacation for weeks. My superior was super annoyed due to the urge of this task.

Guess who managed to change the _mainlocation_ of the _piece_ in the _radiopieces_ table. (Not actual names, you malicious cunt)

I spent 3 hours looking for the name of the fields and table. I don't know how many times I had to refresh the dam page to see I failed once again.
Hopefully I didn't have to guess all of them. Also the joy when I realised I succeed !!!

No one bats a eyes, and I'm here, feeling infinitely superior, as I might get punished for wanting to do my job.
I know it's basic moves to some of you, but dam it felt good.

Conclusion: Do what you have to, specially when it takes 5 minutes and people need it.

rant

morons

sql

intranet

hacking

sql injection

hack

radio frequency
Favorite
Ranter
Comments
  • 7
    5y
    Intranets with SQL Injections? Amazing!

    Now you can grant yourself admin privileges and delete the guy who's on vacation from the system 😛
  • 5
    5y
    @alexbrooklyn for a second I though you gave me the best idea ever. Sadly this site is only for the repairment system. No employee database in there. It's supposed to be a working tool.
  • 5
    5y
    Playing with this kind of stuff is fun and all, but be careful: if the wrong person finds out about this, you can get into a lot of legal trouble. And in that case, it won't matter that it was "urgent" or "just want to get the job done".
  • 3
    5y
    I love when you can put a * in a input field and you get returned everything the database has to offer 😄
  • 5
    5y
    sqlmap + burpproxy ftw.

    Have fun, but make sure no one actually reads the audit logs!
  • 3
    5y
    @endor Yeah. Now I fear that maybe there wasn't only the location to change. I hope the regular way was close to what I did.
  • 2
    5y
    @magicMirror Thank you !
  • 1
    5y
    @heyheni where should I read such return ?
  • 1
    5y
    @SanitizedOutput No. But as I said there was a urge to get this radio repaired as the people who ordered the repairment come get it tomorow and will use it quite instantly.

    Tbh that was also alot of curiosity as I learned about this recently.
  • 3
    5y
    UPDATE !!!

    Workplace got a call from the IT center. I had to say I did it...

    The admin saw this quite instantly. He said I should have called him because I forgot to change something like "last editing time" and stuff.

    "So you're actually ok with the injections ??"

    "No, but I prefer telling you what you missed than telling the bigboss and ruin your life"

    Good Guy Admin !!!
  • 3
    5y
    @SanitizedOutput Yeah, depending on the settings (and persons involved) "urgent" can mean:
    - people will die if we don't do that
    - I want to cross something off my to-do list
Related Rants
devRant © 2021 Hexical Labs LLC
Privacy Policy  |  Terms of Service
Add Comment