Search Engine using SQL SERVER > Hole found
Posted by: alerttoyou
Date: November 30, 2009 08:34AM

Dear Experts,

I am currently trying to find a hole in a local search engine. This website is built with ASP.NET and SQL Server (I don't know the version). In this site there is a feature to email a search result to a friend. The URL of that page (email2friend) is:

/Email2Friend.aspx?WebID=100

Basically, for every WebID there is a 'Title' & 'Web Link' which is shown in the page when requested. This page contains a form as well, containing friend's email, your email, message.

Now, I tried to modify the 'WebID' parameter with common SQL injection vectors. In most cases it takes me to a custom common error page; I can't see the real error. By the way, trying the following URLs doesn't give me any error; rather, I see the corresponding 'Title' & 'Web Link' in the page:

/Email2Friend.aspx?WebID=54+and+1=1#
/Email2Friend.aspx?WebID=54+and+char(48)=char(48)#
/Email2Friend.aspx?WebID=54+and+webid>53#

The following causes error:

/Email2Friend.aspx?WebID=54+and+1=2#
/Email2Friend.aspx?WebID=54+and+webid>54#
Single quote and double quote cause an error also.

Can anybody help me with what more I can test to find out the table information or any other information that might be interesting?

Thanks,
aler2u

Re: Search Engine using SQL SERVER > Hole found
Posted by: Bullet
Date: December 13, 2009 10:17AM

This page is probably vulnerable to SQLi; 1=2 led to an error while 1=1 didn't - this page is vulnerable to blind SQLi.

You can make sure 100% by using this:
/Email2Friend.aspx?WebID=54;+waitfor+DELAY+'00:00:30'

If you get a delay of 30 secs, the page is vuln to SQLi and you can do whatever you wish, like xp_cmdshell (in MS-SQL...), etc.

I also suggest you try HPP (HTTP Parameter Pollution) in .NET applications for SQLi exploitation.

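The boolean probes from the first post and the delay probe from the reply above leave recognisable traces in web server logs. The following Python script is an added example, not code from any post in this thread: it parses constructed access-log lines (the simplified log format, timestamps and query strings are made up for the example) and flags parameter values that match those probe styles, including the duplicated-parameter form that HPP relies on.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines in a simplified W3C style
# (date time method path query status). Made up for this example;
# they are not logs from the site discussed in the thread.
SAMPLE_LOG = """\
2009-11-30 08:30:01 GET /Email2Friend.aspx WebID=54 200
2009-11-30 08:31:10 GET /Email2Friend.aspx WebID=54+and+1=1 200
2009-11-30 08:31:12 GET /Email2Friend.aspx WebID=54+and+1=2 500
2009-11-30 08:32:05 GET /Email2Friend.aspx WebID=54+and+char(48)=char(48) 200
2009-11-30 08:33:40 GET /Email2Friend.aspx WebID=54;+waitfor+DELAY+'00:00:30' 200
2009-11-30 08:34:00 GET /Email2Friend.aspx WebID=54&WebID=+and+1=1 200
2009-11-30 08:35:00 GET /Search.aspx q=hello+world 200
"""

LOG_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (\d{3})$")

# One pattern per probe style mentioned in the thread, applied to each
# decoded parameter value (case-insensitive).
PROBE_PATTERNS = {
    "boolean-probe": re.compile(r"\b(and|or)\s+\S+\s*[=<>]\s*\S+", re.I),
    "char-encoding": re.compile(r"\bchar\s*\(\s*\d+\s*\)", re.I),
    "stacked-query": re.compile(r";\s*\w"),
    "time-delay":    re.compile(r"\bwaitfor\s+delay\b", re.I),
}

def parse_line(line):
    """Split one log line into (timestamp, method, path, query, status) or None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, method, path, query, status = m.groups()
    return ts, method, path, query, int(status)

def split_query(query):
    """Split a raw query string into decoded (name, value) pairs, keeping duplicates.
    Done by hand so that ';' inside a value is never treated as a pair separator."""
    pairs = []
    for part in query.split("&"):
        if not part:
            continue
        name, _, value = part.partition("=")
        pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs

def classify_query(query):
    """Return a sorted list of finding labels for one raw query string."""
    pairs = split_query(query)
    findings = set()
    names = [n for n, _ in pairs]
    if len(names) != len(set(names)):
        findings.add("hpp-duplicate-param")   # same name sent twice (HPP)
    for _name, value in pairs:
        for label, pattern in PROBE_PATTERNS.items():
            if pattern.search(value):
                findings.add(label)
    return sorted(findings)

def scan_log(text):
    """Return (timestamp, path, status, findings) for every line with a finding."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, _method, path, query, status = rec
        findings = classify_query(query)
        if findings:
            hits.append((ts, path, status, findings))
    return hits

if __name__ == "__main__":
    for ts, path, status, findings in scan_log(SAMPLE_LOG):
        print(ts, path, status, ", ".join(findings))
```

The status flip between the `1=1` request (200) and the `1=2` request (500) in the sample is exactly the oracle the original poster observed, so an alert rule that pairs consecutive boolean-probe hits on the same path with differing status codes is a natural next step on top of this per-line classification.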
Re: Search Engine using SQL SERVER > Hole found
Posted by: rvdh
Date: December 14, 2009 02:05PM

ASP.NET has request validation, which resides in Machine.config and is ON by default; besides that, it's rewritten to a custom error page as you already stated. By the looks of it, they know what they are doing. But the ASP.NET 2 request validation only filters on:

   1. Look for &#
   2. Look for '<' then alphas or ! or / (tags)
   3. Skip elements with names prefixed with double underscore (__)

Silly but true.

So figure out what it is running; it's easy.

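The three request-validation rules listed above say nothing about SQL, which is why the `54 and 1=1` style values from the first post sail through it. The Python below is an added example, not code from this thread or from the site under discussion: it models those three rules as a function, reproduces the symptom the original poster saw with a lookup that concatenates the parameter into the SQL text, and sets the parameterized, strictly validated lookup beside it. An in-memory SQLite database stands in for SQL Server, and the table, rows and column names are constructed for the example. Note that the trailing `#` in the first post's URLs is the fragment marker, which browsers never send, so the server only ever saw values such as `54 and 1=1`.

```python
import re
import sqlite3

def passes_request_validation(field_name, value):
    """Simplified model of the three ASP.NET 2.0 request-validation rules listed
    in the post above. Written for this example; it is not the framework's code."""
    if field_name.startswith("__"):          # rule 3: __-prefixed fields are skipped
        return True
    if "&#" in value:                        # rule 1: numeric entity prefix
        return False
    if re.search(r"<[A-Za-z!/]", value):     # rule 2: '<' then a letter, '!' or '/'
        return False
    return True

def make_db():
    """In-memory SQLite stands in for SQL Server; rows are constructed for the example."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE links (webid INTEGER PRIMARY KEY, title TEXT, weblink TEXT)")
    con.executemany("INSERT INTO links VALUES (?, ?, ?)", [
        (53, "Example site 53", "http://example.invalid/53"),
        (54, "Example site 54", "http://example.invalid/54"),
    ])
    return con

def lookup_vulnerable(con, webid_param):
    """The anti-pattern: the raw parameter is concatenated into the SQL text,
    so a value like '54 and 1=2' becomes part of the WHERE clause and the
    row silently disappears (the 'error' the original poster saw)."""
    sql = "SELECT title, weblink FROM links WHERE webid=" + webid_param
    return con.execute(sql).fetchone()

def is_valid_webid(webid_param):
    """Accept only a short run of digits; everything else is rejected before any SQL runs."""
    return re.fullmatch(r"\d{1,9}", webid_param) is not None

def lookup_hardened(con, webid_param):
    """Strict integer validation plus a parameterized query; the value is never
    part of the SQL text, so comparison and boolean probes have no effect."""
    if not is_valid_webid(webid_param):
        raise ValueError("WebID must be a positive integer")
    sql = "SELECT title, weblink FROM links WHERE webid=?"
    return con.execute(sql, (int(webid_param),)).fetchone()

if __name__ == "__main__":
    con = make_db()
    for probe in ["54", "54 and 1=1", "54 and 1=2", "54 and webid>53", "54 and webid>54"]:
        print(repr(probe), "| request validation passes:",
              passes_request_validation("WebID", probe),
              "| concatenated lookup:", lookup_vulnerable(con, probe))
    try:
        lookup_hardened(con, "54 and 1=1")
    except ValueError as exc:
        print("hardened lookup rejected '54 and 1=1':", exc)
    print("hardened lookup of '54':", lookup_hardened(con, "54"))
```

Request validation is an output-encoding safety net aimed at markup, not a SQL defence; the parameterized lookup is what actually removes the injection, and the digit-only check in front of it is what turns the custom error page into a clean 400-style rejection before any query runs.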