Vendor: AssetMan
By: Neo Anderson & Rohit Bansal
CVSS: 7.5 (HIGH)
Vulnerability: SQL Injection
CWE: 89
Product Name: AssetMan
Affected Version From: 2.5-b
Affected Version To: 2.5-b
Patch Exists: N/A
Year: 2008

AssetMan v2.5-b SQL Injection using Session Fixation Attack

By exploiting this vulnerability, an attacker may conduct a session fixation attack. In a session fixation attack, the attacker fixes the user's session ID before the user even logs into the target server, thereby eliminating the need to obtain the user's session ID afterwards.

Mitigation:

Ensure that the application is not vulnerable to SQL injection attacks by validating user input and using parameterized queries.
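An added example (not AssetMan's code and not from the advisory) of the mitigation applied to the 'order_by' and 'order' parameters: column names in ORDER BY cannot be bound as query parameters, so they are mapped through an allowlist while ordinary values are bound. The table, column and function names and the sample rows are assumptions made for illustration.

```php
<?php
// Added example, not AssetMan code. Table, column and function names are
// hypothetical; the demo data is constructed.

// Identifiers in ORDER BY cannot be bound as parameters, so user input only
// selects an entry from a fixed allowlist.
const SORT_COLUMNS = [
    'name'     => 'item_name',
    'location' => 'location',
    'added'    => 'date_added',
];

function build_order_clause(array $query): string
{
    $key = is_string($query['order_by'] ?? null) ? $query['order_by'] : '';
    $column = SORT_COLUMNS[$key] ?? 'item_name';   // unknown key: default
    $dir = is_string($query['order'] ?? null) ? strtoupper($query['order']) : '';
    $direction = ($dir === 'DESC') ? 'DESC' : 'ASC';
    return "ORDER BY {$column} {$direction}";
}

function search_inventory(PDO $db, array $query): array
{
    // Values are bound; only the allowlisted ORDER BY text is concatenated.
    $sql = 'SELECT item_name, location, date_added FROM inventory '
         . 'WHERE item_name LIKE :term ' . build_order_clause($query);
    $stmt = $db->prepare($sql);
    $term = is_string($query['term'] ?? null) ? $query['term'] : '';
    $stmt->execute([':term' => '%' . $term . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed demo on in-memory SQLite (requires the pdo_sqlite extension).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE inventory (item_name TEXT, location TEXT, date_added TEXT)');
$db->exec("INSERT INTO inventory VALUES ('laptop', 'HQ', '2008-01-02')");
$db->exec("INSERT INTO inventory VALUES ('router', 'lab', '2008-03-04')");

// Parameter values shaped like the request in the advisory's PoC.
$request = [
    'order_by' => "<meta http-equiv='Set-cookie' content='=value'>",
    'order'    => 'DESC limit 1,1--',
];
echo build_order_clause($request), "\n";
foreach (search_inventory($db, $request) as $row) {
    // Encode on output so markup in data or parameters is never rendered.
    echo htmlspecialchars($row['item_name'], ENT_QUOTES, 'UTF-8'), "\n";
}
```

For the session fixation side, calling session_regenerate_id(true) at login replaces any session identifier that was set in the browser before authentication.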

Exploit-DB raw data:

============================================================
AssetMan v2.5-b   SQL Injection using Session Fixation Attack
============================================================


AUTHOR : Neo Anderson   &   Rohit Bansal
DATE   : 19th Sept,2008
Email  : neo.whizzy@gmail.com & rohitisback@gmail.com

#####################################################

# Site        : http://www.bctree.com/~assetman
# Bug         : SQL Injection using Session Fixation Attack
# File        : search_inv.php
# Variable    : GET variable 'order_by'

#####################################################

# Impact of Vulnerability:

By exploiting this vulnerability, an attacker may conduct a session fixation attack. In a session fixation attack, the attacker fixes the user's session ID before the user even logs into the target server, thereby eliminating the need to obtain the user's session ID afterwards.

#####################################################

# Bug explanation - Session Fixation Attack/Meta Tag Exploitation:

By injecting a custom HTTP header or by injecting a META tag, it is possible to alter the cookies stored in the browser. Attackers will normally manipulate cookie values to fraudulently authenticate themselves on a web site.

#####################################################

# PoC:

http://127.0.0.1/assetman/search_inv.php?action=search_all&order_by=%3Cmeta+http-equiv='Set-cookie'+content='=value'%3E&order=DESC+limit+1,1--

#####################################################
# GreeTz
InfySec , str0ke & EvilFingers

www.infysec.com
www.evilfingers.com

#####################################################

# milw0rm.com [2008-09-18]