#1
Seems to me that none of the querystrings in the URLs (except for the forum) are checked for SQL!

If you look at the URLs on DC you should notice that they are composed of blabla.asp?m=number. So supposing that the SQL looks like:

    Select * From Pagesorsomething Where Pageoranything=" & request.querystring("m") & "

it would be really simple to exploit this. What if I adapt the URL to: blabla.asp?m=1 or 1=1 -> selects all records from the active table. But wait: 1 or 1=1 UNION SELECT Password as Content, Password,... From Users -> Content or text or whatever, I don't know, it should be the content that is extracted from the database. -> ... complete with , Password until the columns of the union match!

@ Tim: I wrote this little function:

    ' Replaces quotes, SQL keywords and a few table/column names in the input
    ' with an accent character before the value is pasted into the query text.
    ' Replace compares case-sensitively by default, so vbTextCompare is passed
    ' to catch SELECT and Select as well as select.
    Function MaakSqlVeilig(inp)
        inp = Replace(inp, "'", "´", 1, -1, vbTextCompare)
        inp = Replace(inp, "select", "´", 1, -1, vbTextCompare)
        inp = Replace(inp, "union", "´", 1, -1, vbTextCompare)
        inp = Replace(inp, ";", "´", 1, -1, vbTextCompare)
        inp = Replace(inp, "join", "´", 1, -1, vbTextCompare)
        inp = Replace(inp, "=", "´", 1, -1, vbTextCompare)
        inp = Replace(inp, "Users", "´", 1, -1, vbTextCompare)
        inp = Replace(inp, "Paswoord", "´", 1, -1, vbTextCompare)
        inp = Trim(inp)
        MaakSqlVeilig = inp
    End Function

-> adapt it to suit DC

Snitz forum 2k: vulnerability in the register.asp page :evil: -> Email\=\'\%20exec\%20master..xp_cmdshell\%20\'" . $command. "\'\%20--\&Name\=snitz Read the story at: http://www.k-otik.com/exploits/05.12.snitz_exec.pl.php

That's it for now

Maybe it's just you, looking bad!
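Added example, not code from this thread or from DC: the classic ASP fix for the blabla.asp?m=number case is to validate that m is an integer and to pass it to the database as a typed parameter instead of pasting it into the query text, which makes the word blacklist above unnecessary. It assumes a table Pages with columns PageId and Content and an already open ADODB.Connection in the variable conn; all of those names are placeholders.

```vbscript
<%
' Added example, not from the thread. The id from Request.QueryString("m") is
' checked to be an integer and then bound as a typed ADO parameter, so its
' value can never change the SQL text. Assumed (placeholder) names: table
' Pages, columns PageId and Content, open ADODB.Connection in variable conn.
Option Explicit

Const adInteger = 3     ' ADO DataTypeEnum value
Const adParamInput = 1  ' ADO ParameterDirectionEnum value
Const adCmdText = 1     ' ADO CommandTypeEnum value

' True only for a string of 1 to 9 decimal digits; a value such as
' "1 or 1=1" is rejected here before any SQL is built.
Function IsPaginaId(inp)
    Dim i
    IsPaginaId = False
    If Len(inp) = 0 Or Len(inp) > 9 Then Exit Function
    For i = 1 To Len(inp)
        If InStr("0123456789", Mid(inp, i, 1)) = 0 Then Exit Function
    Next
    IsPaginaId = True
End Function

' Fetches the Content of one page by id through a parameterized command.
' Returns "" when the id is invalid or no row matches.
Function HaalPagina(conn, m)
    Dim cmd, rs
    HaalPagina = ""
    If Not IsPaginaId(m) Then Exit Function
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "SELECT Content FROM Pages WHERE PageId = ?"
    cmd.Parameters.Append cmd.CreateParameter("@PageId", adInteger, adParamInput, , CLng(m))
    Set rs = cmd.Execute
    If Not rs.EOF Then HaalPagina = rs("Content").Value & ""  ' Null becomes ""
    rs.Close
    Set rs = Nothing
    Set cmd = Nothing
End Function

Dim inhoud
inhoud = HaalPagina(conn, Request.QueryString("m"))
If inhoud = "" Then
    Response.Status = "404 Not Found"
Else
    Response.Write Server.HTMLEncode(inhoud)  ' encode on output as well
End If
%>
```

The same pattern applies to the forum's own pages: the query text stays constant and every request value travels through cmd.CreateParameter with the column's type.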
#2
Whoah.. we just recovered from another downtime and you are telling people how to hack DC?? No idea if it works, BTW.

To the English people: MaakSqlVeilig means MakeSqlSecure - [url="http://neo.dzygn.com/"]Mark[/url]
#3
I think everyone should be aware of this SQL weakness, so I gave a 'hard example', just to make sure somebody would read it. It's easy to solve so... (hint: try the same 'hack' on different sites, you will see many! bugs...)

Maybe it's just you, looking bad!
#4
I have never looked into the Snitz code behind the scenes, but you are probably right.

The web application runs in the context of a very limited SQL user anyway, so things like delete and update are obviously disabled. But do be careful what you say on public forums, because giving away information about how we run DC is exactly what hackers need. An example is a photo script Brattli posted on his weblog a few months ago. He posted the source code for something that was also running on the server, so someone reverse-engineered it and hacked DC. Security is one of the big drives for the CMS on V2. All data access will be checked and go via stored procedures.

-- Regards Tim Scarfe
#5
So DC isn't that vulnerable, most sites give SQL almost admin rights... But maybe you should fix the Snitz bug... hackers know this bug

Maybe it's just you, looking bad!
#6
Looking through the joke code that Snitz is written in is not my idea of fun, but thanks, I'll bear that in mind.

-- Regards Tim Scarfe