We learned about SQL injection today and were just randomly picking Malaysian websites to test it on. This is the result that I managed to get with a local organisation’s website (which shall remain nameless). I managed to find out the version of MySQL server that they were running (5.0.45) and also the account credentials for that MySQL server ([email protected]).
Our trainer was able to exploit this further and enumerate a whole bunch of stuff, including all the user login credentials for their MySQL database, a list of all their databases and column fields, a dump of all the records of any selected database and more. This is not a bad reflection on MySQL as our trainer says that MySQL databases are amongst the hardest to attack.
However, if there system administrator is not doing their jobs correctly, things can get screwed.