Sometimes along comes a tech story that diverges from our usual hardware subject matter yet which just begs to be shared with you because we think you will find it interesting and entertaining.
You will no doubt be familiar with XKCD cartoon number 327, entitled “Exploits of a Mom” but familiarly referred to as “[Bobby Tables]”. In it a teacher is ringing the mother of little [Robert'); DROP TABLE Students;--], whose name has caused the loss of a year’s student records due to a badly sanitized database input. We’ve all raised a chuckle at it, and the joke has appeared in other places, such as an improbably long car license plate designed to erase speeding tickets.
Today we have a new twist on the Bobby Tables gag, for someone has registered a British company with the name “; DROP TABLE "COMPANIES";-- LTD”. Amusingly, the people at Companies House have allowed the registration to proceed, so either they get the joke too or they are unaware of the nuances of a basic SQL exploit. It’s likely that if this name leaves Her Majesty’s civil servants with egg on their faces it’ll be swiftly withdrawn, so if that turns out to be the case then at least we’ve preserved it with a screenshot.
Of course, the chances of such a simple and well-known exploit having any effect are minimal. There will always be poor software out there somewhere that contains badly sanitized inputs, but we would hope that a vulnerability more suited to 1996 would be vanishingly rare in 2016.
If by some chance you haven’t encountered it before, we’d recommend you read about database input sanitization; someday it may save you from an embarrassing bit of code. Meanwhile we salute the owner and creator of this new company for giving us a laugh, and wish them every success in their venture.
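To make the point concrete, here is an added example (not code from the article or from the company in question) that puts the vulnerable pattern next to the hardened one. It assumes Python's built-in sqlite3 module with an in-memory database, a `Students` table named after the cartoon, and one constructed seed row; the two payload strings are the cartoon's name and the registered company name quoted above. The first insert splices the name into the SQL text and loses the table; the second binds the name as a parameter and stores both payloads verbatim as ordinary data.

```python
import sqlite3

# Payload from the xkcd "Exploits of a Mom" strip referenced above.
BOBBY_TABLES = "Robert'); DROP TABLE Students;--"
# The company name from the Companies House registration discussed above.
COMPANY_NAME = '; DROP TABLE "COMPANIES";-- LTD'


def fresh_db():
    """In-memory database with one table and one constructed seed row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Students (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.execute("INSERT INTO Students (name) VALUES ('Alice')")
    conn.commit()
    return conn


def add_student_unsafe(conn, name):
    """Vulnerable pattern: the untrusted name is pasted into the SQL text.

    executescript() runs every statement in the string, so a name that closes
    the quote and the parenthesis gets to append a statement of its own.
    """
    conn.executescript(f"INSERT INTO Students (name) VALUES ('{name}');")


def add_student_safe(conn, name):
    """Hardened pattern: the name is a bound parameter and is never parsed as SQL."""
    conn.execute("INSERT INTO Students (name) VALUES (?)", (name,))
    conn.commit()


def table_exists(conn, table):
    """True if a table of that name is still present in the schema."""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (table,)
    ).fetchone()
    return row is not None


def student_names(conn):
    """All stored names in insertion order."""
    return [r[0] for r in conn.execute("SELECT name FROM Students ORDER BY id")]


def demo():
    """Run both patterns and report (unsafe table survived, safe table survived, safe names)."""
    # Vulnerable path: the table is gone after the "insert".
    db = fresh_db()
    add_student_unsafe(db, BOBBY_TABLES)
    unsafe_survived = table_exists(db, "Students")

    # Hardened path: both payloads end up as plain rows.
    db = fresh_db()
    add_student_safe(db, BOBBY_TABLES)
    add_student_safe(db, COMPANY_NAME)
    return unsafe_survived, table_exists(db, "Students"), student_names(db)


if __name__ == "__main__":
    print(demo())
```

One caveat worth knowing: sqlite3's plain `execute()` refuses a string containing more than one statement, which is why the vulnerable function has to reach for `executescript()`. That is a property of this one driver, not a defence you can rely on; other database clients happily run stacked statements, and injection into a single statement (a `WHERE` clause, say) needs no second statement at all. Parameter binding is the fix in every case.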
aday'); DROP TABLE Comments;--
Update comments set likes=1000 where user_name =usajnf;
DELETE FROM comments WHERE user_name =usajnf;
I am thoroughly entertained by this.
LTD should have been “LIMIT ed”.
oh well.
LTD is not part of the company name; it's the type of company.
It is part of the company name; you have a choice of spelling it “limited” or “Ltd”. It also indicates that it’s a limited company.
LTD is a short form of "limited", which is mostly used at the end of private companies' names. For example, ABCD Pvt LTD.
This could still cause a bit of trouble. There are quite a few scraping sites that use Companies House data. For example http://www.bizdb.co.uk/company/-drop-table-companies-ltd-10542519/
This is great I hope it teaches someone a lesson.
“Company director: 28 years old, software developer” Well who’d’ve guessed?
I tried copying and google searching this comment, only to receive…
“400. That’s an error.
Your client has issued a malformed or illegal request. That’s all we know.”
This is awesome, I found a new way to mess with people.
T͕̮͔̬̗ͦ̆̐ͭ͛̎͊ͧͭ̾̚ͅͅĤ̟̜̯̥̳̥̪̣͓̰̮̞̳̅ͫ͐̌̇̏̔ͥ̔ͅA͔̣͎̻̖̖̬̰͎̅̊͌ͣͥ̈̈͊ͧ̈̅̃̑̔̚N͎̹͈͉̥͇̤̗̘̱̈́ͩͥ̓ͮ͆̏́̋̿̈̀̈̈̓͐͋͆Ǩ̼̻̼̝̟̘̠̻͖̯͙͕̟͕̖͓͛ͭ̏̓ ̻̣̹̮̘̞͓͕͚͕̖̰͙̦͚͈̩ͪ̌͆͋̓͑ͤͅY͓̥̞̼̘̤̦̥͌͊ͥ͛̽̋ͩͫ̆̽̊̑ͬͧO̪͙̭̖̞̯͓̹̝͕̖͉̲͙̲ͧͪ̽̏ͥ̅͌ͭͣ̊̒ͅU̜̫̝̱̟̅͋͊ͫͬ̍ͥ̐̌ ̹͚̰̹̫͖̼͕̯̠͎̥̞̽͛̍̀̓ͤ̏̑͗̿̾̑͒́̉͂ͭ̚ͅͅZ̲̲̰̼͈̃ͯ̿̇͑ͩ͗̇ͨͅA̯̘̖͚̿ͯ̔ͯ̈́̉ͨ̔̆̍ͯ̉̅̓��̥̥̞̟̜̯̦̤ͅĽ̩̰̲̜̙̙ͣ̍͊̂̄̉ͦ̌̎̓̂̓ͤͫͤ̚̚G̥̞̞̩̿̈̆ͤ͋̊̀͋̂O̬̤͉̰̖͙̱̪̞̙͓͉̯̮͈͔͑ͩ͂͗̎̐̎̒̆
P̭͔͓̹̉͂ͭ̈̈́̓R̟̻̮̬̫̞̒ͪͩ̎́͂͑̄̌͂ͮ̾Ă̭͓̲̮͈̬̊̐̅ͮ̅ͤ̃͛ͥ͛̔ͤ̈́ͅÍ̠͈̟̩̭̞͍̻̯͔͚̼̋ͥ̏̊̂̽̎̊̉͆ͨ͑̈ͩ̚S̘̜̘̤͚͔̮͚̘̯͕͇͇͖ͮͬ͒ͨͅE͓̗̹̝͇̳̩̙̱̥ͧ̂ͬ͒̀̔̈̓ͥ̎͗̎̓͛̎ͫͣ ̥̗̖̟ͤ̊ͫ̀̍̃ͣ͂̍̌ͮ͋ͩ̏̉́̓ͩ͆Z̖̺̦̖͋̊̏ͪͩ̊̊̊͗ͅẠ̙̖͙̱͍̍͒̇L̳͉̪̺̰͙̥̹͕͎̗̩͉̥̩̝͎̖̺ͭ̈́ͪ́̿̈́ͮ̿͌ͤ͊̉ͮͥ̿̓͐G̻͈͔̱ͩͭͫ̾̑̎O̳̦̮̼͙̘̥͖͙̯̳̘̦̻͇̹͍̻ͩͣ̉ͣ̿̈̈͛̍
This has happened in the Polish registry also: http://prawo.vagla.pl/node/10115 (article in Polish, but a screenshot tells it all). As far as I know, the guy was tired of spammer bots scanning the public registry for mailing addresses :)
When I worked for a local council, e-mails with the word “union” in them used to cause problems. Never tried a “drop tables”.
I imagine that there are problematic names for those out there, like say a real John Doe.
I recently heard about a man with the surname Null. Many systems would not accept this as valid input.
And the many cases of a name which included a string that was considered a curse word by the system authors…
Virginia Scunthorpe, from Sexton?
Except in most SQL languages, tables aren’t encapsulated in double quotes.
For some reason I thought I couldn’t have grave accents, but in retrospect I think I could have done – of course, in most engines it would work with nothing, but that’s boring.
Sam – You should explain what your software company does here – I'm sure you will pick clients up.
Also, did you do this to show the spam originating from Companies House registration? (If so, how effective?) Or just for fun?
BMS
You’d better be squeaky clean, because you’re definitely going to get a VAT/IR35 inspection!
Well done :) There are not many stories a Hackaday writer will stay up at 1am to write up.
And good luck with your by now very famous business.
I’ve seen this sort of thing before, but couldn’t even find a way to search for info because of the ERROR 400 message.
What exactly is this font or text effect?
It’s just a use of UTF; see http://www.eeemo.net/
See also http://stackoverflow.com/a/1732454/128165
I’m wondering what’s happening to all those marketing companies that scrape data from Companies House. I bet a few of them would assume the data coming in is clean and sane: let’s see if any of them come forward after trashing their databases.
I wrote this up in the early hours when someone brought it to my attention, and of course I missed that we’ve previously covered that car licence plate with the SQL injection attack. Here it is: http://hackaday.com/2014/04/04/sql-injection-fools-speed-traps-and-clears-your-record/
&̬͘l͉͉̲͠t̛;́a̲̮͈͚̺̝̲n̮ǵ̞ĺ͔̟͔̟̰e͏͉̬̥̰ ̧b̹̗͚͈r̦̭̱a̘̥c͖̫̭̼͔ḳ̖͙̟eț̰̘̟͕s̴̝&̟͙̠̱̖̻̹͢ģt͇̗͚̤̺̖̙;̧͉̻W̙h͕̺̻͇̗̗̳͝a̫̻͍͈̠͙̬͡t̼̼̗͖͉͙͉ ̯͙̝̞̰hąp̶̱̞p͜e̜͡n̵͔̭̳͈̝e͇͈̖͙d̙̥́?̫͖͉͇ͅ&̸͇̳̼͔̮l͖͜t̳̕;̧͎/̞͇̲͕̙̬͠ͅa̯̝̺͇͍͙̬n̞͈̬g̺͎l̝̦̲̖̳̭̘e̖̮̖̗ͅ ̼̻̞̘̝̫͎̀b̩̬̰̣ͅr̫̥̹͖͠ą̞͙̳̱͙̹̹c̦̮̭k̺͍̠͉̞͇e̸͕̤̫͙͍̰t̹̮̟̻͎̺s&̢̙̭̙̠̰̖ͅǵ̮̥͙t̟̤̥̲̟;͞
On an aircraft, the place where you put your meal / laptop is usually called a “drop tray”
If this new company is selling such a product, they could call it a “drop table”. And as such, they should be allowed to keep the name.
That’s how I see the argument going, anyway.
I accidentally made myself an administrator of a website and web-based app I was signing up for and was therefore unable to use said site, as my device was unable to load dev files and did not give a reasonable error message as to why it was not working. Tech support was unaware of ANY error messages of the software they were selling access to and therefore were unable to recognise WHY it was that I was unable to access my account, EVEN FROM THE COURTESY COMPUTER PROVIDED FOR USAGE DEMONSTRATIONS OF SAID SOFTWARE.
It was only after waiting hours each visit (until closing time) for days with customer support that I figured it out. I walked in and told them: I ACCIDENTALLY MADE MYSELF A DEVELOPER AND/OR ADMINISTRATOR OF YOUR WEBSITE AND THAT IS WHY YOUR SITE WON'T WORK FOR ME AS I DO NOT HAVE YOUR DEV FILES. 24 hours later I was able to “get in” to said paid website, where I proceeded to copy the entire lump of info (against the rules) and then proceeded to print EVERY SINGLE PAGE… over 600 pages.
They never got any usage statistics or money from me ever again.
The secret fake name that activated dev mode?
firstname: firstname
lastname: lastname
I won't tell you the site because chances are they only fixed my account and the system is still broken. Also, they know my real name etc.
If you don't understand why it's a security issue you need to understand one thing: (dev) code can be easily copied, but dev or admin logins are hard to come by.
Let this be a lesson to everyone who thinks the boss will never find out just how lazy and/or uncreative you are; eventually ALL Firstnames get found out to all be related to the Lastname family. XD
Such a SQL Injection attack will target amateur developers. Professionals would usually call the table Company, not Companies.