Posted on 07 July 2009
Source: packetstormsecurity.org
SQL injection found at the largest online portal offering family holidays in
India and abroad.
URL: http://www.clubmahindra.com/resort.asp?id=4
Entity: id
Security Risk: It is possible to view, modify or delete database entries and tables.
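As an added illustration of how a defender would catch this class of issue in web-server logs (example code, not part of the original advisory): the advisory names the endpoint `/resort.asp` and the parameter `id`, and the check below treats `id` as an integer-only parameter (an assumption about the page's intended contract) and flags every request whose value breaks it. The log lines are constructed samples in combined log format using documentation IP ranges.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample web-server log lines (combined log format); they are not
# from the advisory and the addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [07/Jul/2009:10:01:02 +0530] "GET /resort.asp?id=4 HTTP/1.1" 200 5120
203.0.113.5 - - [07/Jul/2009:10:01:09 +0530] "GET /resort.asp?id=4%27 HTTP/1.1" 500 311
203.0.113.9 - - [07/Jul/2009:10:02:30 +0530] "GET /Resort.asp?id=abc HTTP/1.1" 200 9876
198.51.100.7 - - [07/Jul/2009:10:03:00 +0530] "GET /about.asp?page=x HTTP/1.1" 200 2048
"""

# Endpoint and parameter named in the advisory; that `id` must be a short,
# purely numeric value is an assumption about the page's intended contract.
INTEGER_PARAMS = {"/resort.asp": {"id"}}
INT_RE = re.compile(r"^[0-9]{1,9}$")

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return (ip, path, params, status) or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    params = parse_qs(parts.query, keep_blank_values=True)  # decodes %27 etc.
    # IIS paths are case-insensitive, so normalise before the lookup.
    return m.group("ip"), parts.path.lower(), params, int(m.group("status"))

def violations(line):
    """List (param, decoded value) pairs that break the integer contract."""
    parsed = parse_line(line)
    if parsed is None:
        return []
    _ip, path, params, _status = parsed
    return [(name, value)
            for name in INTEGER_PARAMS.get(path, ())
            for value in params.get(name, [])
            if not INT_RE.match(value)]

def scan(log_text):
    """One alert per log line whose monitored parameter is not an integer."""
    alerts = []
    for line in log_text.splitlines():
        bad = violations(line)
        if bad:
            ip, path, _params, status = parse_line(line)
            alerts.append({"ip": ip, "path": path, "status": status, "bad": bad})
    return alerts

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

The same allow-list rule (reject anything but a plain integer before it reaches the query) is the server-side fix; the log check simply applies it after the fact to spot probing and to measure exposure.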
Below are the tables found on the database
Discovered by: Arvind Kumar, Dhawal Desai, Rohit Bansal, Jaydeep Dave (all
independent security consultants)