Como saber si es vulnerable una web

Iniciado por carlos-, 4 Mayo 2010, 16:01 PM

0 Miembros y 1 Visitante están viendo este tema.

carlos-

Hola, acvabo de usar el boton buscar (busqué asdi") en una web y me devuelve el siguiente error, me gustaria saber si es vulnerable o no:

Citarexception 'Zend_Db_Statement_Exception' with message 'SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '%" OR antetitulo_esp LIKE "%asdi"%" OR resumen_esp LIKE "%asdi"%" ' at line 2' in /var/www/aznar/library/Zend/Db/Statement/Pdo.php:68 Stack trace: #0 /var/www/aznar/library/Zend/Db/Statement.php(109): Zend_Db_Statement_Pdo->_prepare('SELECT `Noticia...') #1 /var/www/aznar/library/Zend/Db/Adapter/Pdo/Abstract.php(180): Zend_Db_Statement->__construct(Object(Zend_Db_Adapter_Pdo_Mysql), 'SELECT `Noticia...') #2 /var/www/aznar/library/Zend/Db/Adapter/Abstract.php(432): Zend_Db_Adapter_Pdo_Abstract->prepare('SELECT `Noticia...') #3 /var/www/aznar/library/Zend/Db/Adapter/Pdo/Abstract.php(230): Zend_Db_Adapter_Abstract->query(Object(Zend_Db_Table_Select), Array) #4 /var/www/aznar/library/Zend/Db/Table/Abstract.php(1330): Zend_Db_Adapter_Pdo_Abstract->query(Object(Zend_Db_Table_Select)) #5 /var/www/aznar/library/Zend/Db/Table/Abstract.php(1158): Zend_Db_Table_Abstract->_fetch(Object(Zend_Db_Table_Select)) #6 /var/www/aznar/application/default/controllers/IndexController.php(376): Zend_Db_Table_Abstract->fetchAll('????????(titulo...') #7 /var/www/aznar/library/Zend/Controller/Action.php(503): IndexController->buscadorAction() #8 /var/www/aznar/library/Zend/Controller/Dispatcher/Standard.php(285): Zend_Controller_Action->dispatch('buscadorAction') #9 /var/www/aznar/library/Zend/Controller/Front.php(934): Zend_Controller_Dispatcher_Standard->dispatch(Object(Zend_Controller_Request_Http), Object(Zend_Controller_Response_Http)) #10 /var/www/aznar/application/bootstrap.php(213): Zend_Controller_Front->dispatch() #11 /var/www/aznar/public_html/index.php(8): require('/var/www/aznar/...') #12 {main}

que pasos he de seguir?

Almamu

Cita de: carlos- en  4 Mayo 2010, 16:01 PM
Hola, acvabo de usar el boton buscar (busqué asdi") en una web y me devuelve el siguiente error, me gustaria saber si es vulnerable o no:

Citarexception 'Zend_Db_Statement_Exception' with message 'SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '%" OR antetitulo_esp LIKE "%asdi"%" OR resumen_esp LIKE "%asdi"%" ' at line 2' in /var/www/aznar/library/Zend/Db/Statement/Pdo.php:68 Stack trace: #0 /var/www/aznar/library/Zend/Db/Statement.php(109): Zend_Db_Statement_Pdo->_prepare('SELECT `Noticia...') #1 /var/www/aznar/library/Zend/Db/Adapter/Pdo/Abstract.php(180): Zend_Db_Statement->__construct(Object(Zend_Db_Adapter_Pdo_Mysql), 'SELECT `Noticia...') #2 /var/www/aznar/library/Zend/Db/Adapter/Abstract.php(432): Zend_Db_Adapter_Pdo_Abstract->prepare('SELECT `Noticia...') #3 /var/www/aznar/library/Zend/Db/Adapter/Pdo/Abstract.php(230): Zend_Db_Adapter_Abstract->query(Object(Zend_Db_Table_Select), Array) #4 /var/www/aznar/library/Zend/Db/Table/Abstract.php(1330): Zend_Db_Adapter_Pdo_Abstract->query(Object(Zend_Db_Table_Select)) #5 /var/www/aznar/library/Zend/Db/Table/Abstract.php(1158): Zend_Db_Table_Abstract->_fetch(Object(Zend_Db_Table_Select)) #6 /var/www/aznar/application/default/controllers/IndexController.php(376): Zend_Db_Table_Abstract->fetchAll('????????(titulo...') #7 /var/www/aznar/library/Zend/Controller/Action.php(503): IndexController->buscadorAction() #8 /var/www/aznar/library/Zend/Controller/Dispatcher/Standard.php(285): Zend_Controller_Action->dispatch('buscadorAction') #9 /var/www/aznar/library/Zend/Controller/Front.php(934): Zend_Controller_Dispatcher_Standard->dispatch(Object(Zend_Controller_Request_Http), Object(Zend_Controller_Response_Http)) #10 /var/www/aznar/application/bootstrap.php(213): Zend_Controller_Front->dispatch() #11 /var/www/aznar/public_html/index.php(8): require('/var/www/aznar/...') #12 {main}

que pasos he de seguir?
Supongo que si devuelve error al consultar la base de datos MySQL sera vulnerable, aunque no se mucho, mejor espera a que alguien mejor que yo responda.