Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

knorrede-sql.txt

🗓️ 06 Mar 2007 00:00:00Reported by Sebastian BauerType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 26 Views

The site knorr.de is vulnerable to SQL injection attacks and XSS due to unescaped user input in login fields and URL parameters. The login authentication vulnerability is particularly critical

Code
`Author: Sebastian Bauer  
Web: http://blog.gjl-network.net  
Date: 01/12/07  
  
Vuln. website: http://www.knorr.de  
Vulnerability: SQL Injection (mainly login authentication bypass + any   
other SQL inj.  
possibility), XSS  
Significance: Very Critical  
  
---------------------------------------------------------  
  
Detailed description:  
The site knorr.de is using a MS SQL database server and IIS as web server. The  
programming language used is ASP (Active Server Pages).  
  
There is a vulnerability using the login field of the site. Since user   
input will not be  
escpaed, it is vulnerable against SQL injection attacks.  
  
The SQL string to authenticate the user can be escaped using single   
quotes. Since the  
database server is MS SQL it is possible to easily create a valid SQL   
query and ignore  
the rest of the SQL query by adding ;-- which ends the current query   
and defines the rest  
as comment.  
  
There are several ways to bypass the authentication:  
  
1.) Provide a SQL query that will be always true.  
In this case the system selects the first possible user (which seems   
to be admin but  
without any special privilegues, as there is no real CMS behind this).  
An attack like this would be:  
  
Username: -1' or 'x'='x  
Password: -1' or 'x'='x  
  
This will log you in as the user "holgi" which seems to be the first   
user within the user  
table. The -1' will be required to be sure, that the result of this   
query (WHERE username  
= '-1') will be false! The first quote is used to escape from the   
condition given to the  
SQL database. The next condition 'x'='x will make sure, that the   
condition fits on any  
record. We don't provide a closing quote and use the already existing   
one in the original  
statement to keep a valid SQL syntax.  
  
2.) Provide a SQL query that will provide a special username as result.  
Example:  
  
Username: -1' or username = 'anyUserName';--  
Password:  
  
This will result that the query returns the record of the user   
'anyUserName' if it  
exists. To tell MS SQL that this is the complete statement we put the   
; and a --  
afterwards, to tell it, that the rest of the statement which is inside   
the code will be  
handled as comment and thus not to be interpreted. We have to deliver   
at least one  
character for the password field, because otherwise the website   
suggests us to create a  
new user and does not log us in.  
  
3.) Provide a SQL query that will provide a username which fits a   
special search  
condition.  
This is just a small modification of the 2nd query, which makes us   
possible to guess  
usernames.  
Example:  
  
Username: -1' or username LIKE '%anySearchCondition%';--  
Password:  
  
This will do a normal SQL LIKE condition. You can vary it as you want.   
You'll get the  
first possible result as your login.  
  
4.) It is also possible to manually insert new data into the database, receive  
information about the server and get access to a SQL shell. Those will   
not be described  
more closely in this document, as all neccessary information required   
for this are not a  
miracle for anyone knowing what he is doing.  
  
Cross-Site Scripting (XSS) Vulnerabilities:  
Knorr.de is using some kind of a content loader using URL parameter   
which is vulnerable  
against XSS attacks. This has not been tested in detail and thus will   
not described in  
deep in this document.  
Also form data used for the Knorr forum will not be escaped what   
causes the website to  
offer complete freedom for using XSS inside the forum. But since this   
is a moderated  
forum this issue can be rated as a low security risk, though it could   
be possible to  
steal the session cookie of an administrator reading an infected entry   
to confirm or deny  
it and hijack the session afterwards.  
  
---------------------------------------------------------  
  
Resumee: This login authentication is highly significant as it is   
possible to login as  
every user we want. Knorr.de is not a website, holding strictly   
confidential information,  
but you will get access to personal user data.  
There may also be a risk to the system itself as it is possible to   
have nearly full  
access to the database to delete records, tables or even get access to   
a SQL shell.  
  
All problems found have been discussed with Unilever, the mother   
company of Knorr and  
have been fixed before the release of this document.  
  
  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
06 Mar 2007 00:00Current
7.4High risk
Vulners AI Score7.4
knorr.desql injectionxssms sqliisauthentication bypasscontent loadersession hijackingaspweb servermoderatorforum.
26