Re: SQL injection in Persianblog

To: alireza hassani <trueend5@xxxxxxxxx>
Subject: Re: SQL injection in Persianblog
From: nummish <nummish@xxxxxxxxx>
Date: Tue, 16 Aug 2005 18:31:33 -0400
Cc: bugtraq@xxxxxxxxxxxxxxxxx
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=Va0rvfkmT6CPrRdaLtk/k4FrhuRIV0/DA2eS+Xfp/QO1TE9kM1WiWAO7mOuSMfP3lZOzALff6OZqnRSrGhRayKFkPAYbVwsHjl0FBnCsi2FJN9O0SAbD7gajhjiyEA3dplgyhJor8oLZHaYLoEYjiuL4x1z56J03p6D62w6Sop4=
In-reply-to: <20050816075721.95747.qmail@xxxxxxxxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <20050816075721.95747.qmail@xxxxxxxxxxxxxxxxxxxxxxx>

I fail to see how this is a SQL injection of any kind, unless of
course you only intend to inject numbers into the database records..

The CInt calls force typecasting, preventing non-integers from being
processed further.

The next error you post indicates no records are being returned, I
assume the same would happen with a negative number.

Are any of these actually injectable against? Or is it really just an
application that doesn't fail gracefully?

On 8/16/05, alireza hassani <trueend5@xxxxxxxxx> wrote:
>  This is the KAPDA.ir 's advisory
>   (Powered by PersianHacker.NET)
> 
> 
> Discussion:
> 
> PersianBlog.com is the Weblog service for Persian
> users.
> Over 75 per cent of Persian-language content on the
> Internet belonged to Persianblog with 63,000 number of
>  blogs.
> Website: http://www.persianblog.com
> ----------------------------------------------------------------
> vulnerability:
> Several scripts do not properly validate user-supplied
> input. A remote user can create specially crafted
> parameter values that will execute SQL commands on the
> underlying database.
> ----------------------------------------------------------------
> Description:
> 
> http://www.xxxxxxxblog.com/userslist.asp?page=2'&catid=16
> Error :
> 
> Microsoft VBScript runtime error '800a000d'
> Type mismatch: 'Cint'
> /userslist.asp, line 213
> http://www.xxxxxxxblog.com/userslist.asp?page=255555&catid=5
> Error :
> 
> Microsoft VBScript runtime error '800a0006'
> Overflow: 'Cint'
> /userslist.asp, line 213
> 
> CInt is a Visual Basic function, There is no programs
> or modules or anything failing. Just that single ASP
> script, that someone specifically passes wrong
> arguments to, fails.
> and the next one is not a buffer overflow or anything
> of that nature,When the multiple numbers go through
> the CInt conversion the conversion fails because the
> number sent is bigger than Long can store. Once again,
> there is no exploit or vulnerability here.
> but playing with catid parameter gives us something
> new.
> http://www.xxxxxxxblog.com/userslist.asp?page=2&catid=16000
> Error :
> 
> ADODB.Field error '800a0bcd'
> Either BOF or EOF is True, or the current record has
> been deleted. Requested operation requires a current
> record.
> /userslist.asp, line 221
> http://www.xxxxxxxblog.com/userslist.asp?page=2&catid=16000&catid=
> Error :
> 
> Microsoft OLE DB Provider for SQL Server error
> '80040e14'
> Line 1: Incorrect syntax near ','.
> /userslist.asp, line 220
> 
> We are not going to discuss about this issue in
> detaills anymore, because
> There is not any vendor-supplied solution at the time
> of this entry.
> -----------------------------------------------------------------
> Impact:
>  A remote user can execute SQL commands on the
> underlying database.
> solution:
> Currently we are not aware of any vendor-supplied
> patches for this issue
> -----------------------------------------------------------------
> This vulnerabilty has been found and released by
> trueend5
> Kapda - Security Science Researchers Insitute of Iran
> http://www.KAPDA.ir
> (PersianHacker.NET)
> 
> 
> __________________________________________________
> Do You Yahoo!?
> Tired of spam?  Yahoo! Mail has the best spam protection around
> http://mail.yahoo.com
> 


-- 
Bigger 1:23
This address if for mailing list traffic only. 
Please direct non-list correspondence to 0x90.org

References:
- SQL injection in Persianblog
  - From: alireza hassani

Prev by Date: Buffer-overflow in Chris Moneymaker's World Poker Championship 1.0
Next by Date: SQL injection in mediabox404 v1.2
Previous by thread: SQL injection in Persianblog
Next by thread: Hummingbird FTP Weak Password Encryption
Index(es):
- Date
- Thread