VU Web Visitor Analyst Authentication Bypass

2010-06-21 / 2010-06-22
Credit: L0rd CrusAd3r
Risk: High
Local: No
Remote: Yes
CVE: CVE-2010-2338
CWE: CWE-89


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0 0 _ __ __ __ 1 1 /' \ __ /'__`\ /\ \__ /'__`\ 0 0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1 1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0 0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1 1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0 0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1 1 \ \____/ >> Exploit database separated by exploit 0 0 \/___/ type (local, remote, DoS, etc.) 1 1 1 0 [+] Site : Inj3ct0r.com 0 1 [+] Support e-mail : submit[at]inj3ct0r.com 1 0 0 1 ########################################### 1 0 I'm L0rd CrusAd3r member from Inj3ct0r Team 1 1 ########################################### 0 0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1 Author: L0rd CrusAd3r aka VSN [crusader_hmg@yahoo.com] Exploit Title:VU Web Visitor Analyst Authentication Bypass Code: ASP 3.0 & VBScript Vendor url:http://www.vunet.us Version:n/a Price:80$ Published: 2010-06-12 Greetz to:Sid3^effects, MaYur, M4n0j, Dark Blue, S1ayer,d3c0d3r,KD and to all ICW members. Spl Greetz to:inj3ct0r.com Team ##################################################################################################################################################################################################### Description: VU Web Visitor Analyst is an application that retrieves your website visitors? IP address, visited date and time, visited page name, the link a visitor came from originally (referred URL address). You can view the single visitor history with the list of all pages visited. You can also display visits by date criteria. The weekly statistics allow you to see the total visits for every single day in the present and last weeks. The monthly statistics allow you viewing the total visits of every month for the whole year. In addition, every visitor is linked to the web database containing personal information about this visitor?s IP address (such as name, address, phone, email, etc. if available). Pleasant and professional graphic user interface will make your statistical experience more enjoyable. ####################################################################################################################################################################################################### Vulnerability: *Authentication Bypass found The Provided Script as Sqli Vulnerability in Admin Login page DEMO URL: http://www.vunet.us/demo/webanalyst/default.asp Use the string a' or '1'='1 for Username and Password to gain access. # 0day n0 m0re # # L0rd CrusAd3r #

References:

http://xforce.iss.net/xforce/xfdb/59396
http://www.vupen.com/english/advisories/2010/1460
http://www.exploit-db.com/exploits/13842
http://secunia.com/advisories/40176
http://packetstormsecurity.org/1006-exploits/vuwebvisitoranalyst-sql.txt
http://osvdb.org/65483


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top