Hacking Hotel Wifi With an SQL Injection
by jperras
After attending & speaking at CakeFest 2009 in Berlin, Germany, I decided to take a week off and explore the city. Since the hotel that I had been lodged in for the conference had free Wifi, I assumed that this was the norm in mid-range to high-end hotels in and around Berlin. And, as you may have noticed from the title of this post, it seems as if I was mistaken.

Crazy prices
There’s no way in hell I was going to pay 69€ for the five days that I was staying at that hotel. So, like any good free loader, I first checked the other available networks that I could connect to.
The Intrigue
After a bit of recon on signal strength with iStumbler, I tried to connect to the only other moderately strong network that wouldn’t make me stab my own eyes out.

Available networks
It turned out to be another managed Wifi from the hotel across the street, but these guys offered a ‘Free’ connection in addition to their ‘Business’ connection (which was about as crazily priced as the one I was trying to desperately avoid paying), the difference being some bullshit options like not actively blocking VPN ports and prioritized traffic. Oh well, free is still better than nothing. Plus, I thought, I could always just tunnel whatever ports & services I needed.
The Turn
Of course, that would have been too easy. To actually use their free Wifi, you needed to input your room number, as well as the name of the person who registered the room in the first place. Seems that this particular establishment didn’t like the idea of letting people not actually staying at the hotel use their ‘free’ wifi.
After trying a few random room numbers and gibberish names to verify that data validation was actually being performed on the server-side, I figured I had nothing to lose by trying a few standard SQL injections to see if I could bypass the whole process.
At first blush I thought that this error message meant that my attempts were in vain, since the application seemed to be escaping my input and determined that no relative of Bobby Tables was currently in room 228.
The Revelation
However, I know how developers can sometimes be lazy, and this laziness sometimes manifests itself in slightly incorrect error messages. So I tried a different room number.
And lo and behold, success!
I wasn’t going to be downloading torrents with a 200mb/50mb daily transfer limit, but it was good enough to check emails and do the occasional
on some projects.
It Shouldn’t Be This Easy
Sometimes I wonder how any web developer worth his salt can overlook such a simple SQL injection vulnerability, especially one that is both well documented and easy to protect against. Worse, I’m pretty sure that this application was developed for multiple hotel locations, which means this brain dead attack vector exists in all of those spots.
Now, I only tried this attack on the ‘Free’ wifi, but you can see all the trouble that could be caused by performing this same process on the ‘Business’ wifi option, which would have billed the room occupant at the end of his stay. I wouldn’t like to be the desk clerk when that person checked out of the hotel.
With tools like SQL Inject Me available at the click of a button, it’s never been easier to test (and hack) forms for a variety of simple injection vulnerabilities. Couple that with any half-decent developer who can figure out a few details about the internal structure of your application, and you’re just asking for trouble by not sanitizing your input.
But at least I didn’t have to pay for wifi.
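
The protection the post calls "easy", as an added example that is not part of the original post and is not the hotel portal's code: a room-and-name check built by string concatenation beside one that validates the room number and binds both values as query parameters. The `guests` table, the function names, the room-number format and the sample inputs are all assumptions constructed for illustration; the post does not show the real query or the input that was used.

```python
import re
import sqlite3

# Constructed guest table; the portal's real schema is not shown in the post.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE guests (room TEXT, surname TEXT)")
    db.executemany("INSERT INTO guests VALUES (?, ?)",
                   [("228", "Schmidt"), ("301", "O'Brien")])
    return db

def check_guest_vulnerable(db, room, surname):
    # Anti-pattern: user input is spliced into the SQL text, so a quote
    # character in either field changes the structure of the query.
    sql = ("SELECT COUNT(*) FROM guests WHERE room = '%s' AND surname = '%s'"
           % (room, surname))
    return db.execute(sql).fetchone()[0] > 0

ROOM_RE = re.compile(r"\d{1,4}")  # assumed room-number format

def check_guest_safe(db, room, surname):
    # Validate the shape first, then bind the values as parameters: the
    # driver passes them as data, never as SQL, so quotes are harmless.
    if not ROOM_RE.fullmatch(room) or not 0 < len(surname) <= 64:
        return False
    row = db.execute(
        "SELECT COUNT(*) FROM guests WHERE room = ? AND surname = ?",
        (room, surname)).fetchone()
    return row[0] > 0

# Constructed regression input: a surname value that closes the string
# literal and appends an always-true condition.
TAUTOLOGY = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("concatenated query accepts it:", check_guest_vulnerable(db, "999", TAUTOLOGY))
    print("bound parameters accept it:   ", check_guest_safe(db, "999", TAUTOLOGY))
    print("real guest O'Brien, bound:    ", check_guest_safe(db, "301", "O'Brien"))
```

The concatenated version also breaks for a legitimate guest whose name contains an apostrophe, which is a cheap signal to look for in portal error logs.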




Comments
you should anonymously email them to fix it.
a king-philosopher would :D