
Urban sql injection - freedrull
http://seanbonner.tumblr.com/post/3200064101/jacobjoaquin-r03-urban-sql-injection
======
simonsarris
Zwolnij just means "slow" in Polish.

The second frame is telling a particular (valid) Polish license plate number
to slow down.

~~~
spoondan
I think the photos are meant to imply that the system is reading external
input as text and so might be vulnerable to an injection attack like what the
bottom picture shows. I don't think it was intended to suggest that the system
has actually been hacked in that photo.

Of course, the whole thing is meant as a silly joke (and that's one of the
reasons I wish it wasn't posted here). It's unlikely that the camera would
recognize something that's so obviously different from a license plate, let
alone use a SQL database.

I'd love to see a real discussion on how the ubiquity of computers creates
interesting vectors for attacking infrastructure. It seems inevitable that
these systems will be connected to higher-value targets and that non-
traditional input devices can still be used for launching attacks.

------
zabraxias
Pretty funny, but I would have to agree these systems are likely meant as a
self-contained warning appliance and are not powered by a database.

The more interesting question is whether YOU would've thought to sanitize
license plate input?

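The two comments above (the speculation that the display reads OCR output as text and hands it to a database, and the question of whether anyone would think to sanitize plate input) are the whole of the technical point in this thread. As an added illustration that is not part of the original discussion, the following Python script models the display logic with an in-memory SQLite table. It shows the same plate-lookup written two ways: one that pastes the OCR text straight into the SQL string, and one that passes it as a bound parameter, with a plate-format check in front. The `PLATE_RE` pattern is a rough assumption about Polish plate shapes for the purpose of the example, and the readings and table rows are constructed sample data, not anything observed from the camera in the photos.

```python
import re
import sqlite3

# Rough shape of a Polish plate (2-3 region letters, a space, 4-5 letters or
# digits). This is an assumption for the example, not a legal specification.
PLATE_RE = re.compile(r"^[A-Z]{2,3} [A-Z0-9]{4,5}$")

# Constructed sample readings as an OCR stage might emit them. The third one
# is shaped like the joke: plate-like text followed by SQL punctuation.
SAMPLE_READINGS = [
    "DW 530GS",
    "ZU 0666",
    "DW 530GS' OR 'a'='a",
]


def is_plausible_plate(reading: str) -> bool:
    """First line of defence: reject anything that does not look like a plate."""
    return PLATE_RE.fullmatch(reading.strip()) is not None


def setup_db() -> sqlite3.Connection:
    """In-memory table of plates already flagged for speeding (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE speeders (plate TEXT, speed_kmh INTEGER)")
    conn.executemany(
        "INSERT INTO speeders VALUES (?, ?)",
        [("DW 530GS", 87), ("KR 12345", 102)],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, reading: str) -> list:
    """Builds the query by string formatting, so the OCR text becomes SQL.
    A reading containing a quote changes the shape of the WHERE clause."""
    sql = f"SELECT plate, speed_kmh FROM speeders WHERE plate = '{reading}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, reading: str) -> list:
    """Parameterised query: the driver binds the text as data, never as SQL,
    so punctuation in the reading can only ever be compared, not executed."""
    sql = "SELECT plate, speed_kmh FROM speeders WHERE plate = ?"
    return conn.execute(sql, (reading,)).fetchall()


def message_for(conn: sqlite3.Connection, reading: str):
    """Hardened display logic: validate the shape, then query with parameters.
    Returns the text to show, or None when nothing should be displayed."""
    if not is_plausible_plate(reading):
        return None  # unreadable or suspicious: show nothing, keep it for review
    rows = lookup_safe(conn, reading)
    return f"{reading} ZWOLNIJ" if rows else None


if __name__ == "__main__":
    db = setup_db()
    for r in SAMPLE_READINGS:
        print(repr(r), "plausible:", is_plausible_plate(r))
        print("  unsafe lookup:", lookup_unsafe(db, r))
        print("  safe lookup:  ", lookup_safe(db, r))
        print("  display:      ", message_for(db, r))
```

Run stand-alone, the third reading makes `lookup_unsafe` return every row in the table, while `lookup_safe` returns nothing because no plate literally equals that string. The format check is a second, independent layer: even if the query code is correct, a reading that cannot be a plate should never reach the display.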
------
paulgerhardt
[2009] - Early post on the subject: <http://niebezpiecznik.pl/post/fotoradar-injection/> [Polish]

Edit: Author's original post: <http://dabroz.scythe.pl/2009/10/29/ocr-injection> [English]

~~~
markszcz
Google page translate seemed to have failed so here is the manual version of
the page:

As reported by the driver, the 1994 national road safety camera mounted was
interesting: [http://niebezpiecznik.pl/wp-content/uploads/2009/10/radar-40...](http://niebezpiecznik.pl/wp-content/uploads/2009/10/radar-403x350.jpg)

The camera scans car number plates in excess of the speed, and a few dozen
meters away, a special table shows the following message:
[http://niebezpiecznik.pl/wp-content/uploads/2009/10/radar2-4...](http://niebezpiecznik.pl/wp-content/uploads/2009/10/radar2-450x265.jpg)

I wonder what happens when the national road 94 driven into the car
[http://niebezpiecznik.pl/wp-content/uploads/2009/10/radar3-4...](http://niebezpiecznik.pl/wp-content/uploads/2009/10/radar3-418x350.jpg)

P.S. The whole reminds me of an old strip xkcd: [http://niebezpiecznik.pl/wp-content/uploads/2009/10/xkcd-450...](http://niebezpiecznik.pl/wp-content/uploads/2009/10/xkcd-450x147.gif)

~~~
idlewords
More Englishy translation of that page:

Drivers report that an interesting radar camera has been installed on Rt. 94.

The camera scans license plates of cars that exceed the speed limit, and a few
hundred feet further there's a special display that shows this:

[DW 530GS SLOW DOWN]

I wonder what will happen when a car like this drives down Rt. 94?

The whole thing reminds me of this old XKCD strip

~~~
markszcz
Oh fine +1 for you making it more "Englishy" =P

Yeah, it's like Rt. 94
[http://maps.google.com/maps?f=q&source=s_q&hl=en&...](http://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=94&aq=&sll=52.288323,20.390625&sspn=2.150551,6.591797&ie=UTF8&hq=&hnear=94,+Poland&ll=50.691238,17.85965&spn=0.069598,0.205994&z=12)

------
BoppreH
While it's funny and mind-opening, the OCR system will probably miss the small
punctuation marks such as ' , and ;

------
georgecmu
Bobby Tables [1] gets a car.

[1] <http://xkcd.com/327/>

------
geuis
Click through to the larger image. It's much clearer:
<http://i.imgur.com/haspR.jpg>

------
tibbon
Could there be anything illegal here? They took a picture of you...

------
Sniffnoy
But, did it work?

~~~
markszcz
That's what I don't get. On the car it looks like the driver is writing some
other sort of license, ZU O666, but the sign is telling DW 530GS to slow down.
Not enough images of the car to prove if it did, or did not, tell the driver
exactly to slow down. But for the sake of making this awesome, let's say it did
work.

------
zackattack
This sucks

