what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

MiniNukev2.x.txt

MiniNukev2.x.txt
Posted May 29, 2006
Authored by Mustafa Can Bjorn | Site nukedx.com

MiniNuke v2.x suffers from SQL injection

tags | advisory, sql injection
SHA-256 | b3c3a12e93cc677c73db8bb7a4d8a8f1b2a9501a36dcd2eab684d8df9b041266

MiniNukev2.x.txt

Change Mirror Download
--Security Report--
Advisory: MiniNuke v2.x Multiple Remote Vulnerabilities
---
Author: Mustafa Can Bjorn "nukedx a.k.a nuker" IPEKCI
---
Date: 27/05/06 03:16 PM
---
Contacts:{
ICQ: 10072
MSN/Email: nukedx@nukedx.com
Web: http://www.nukedx.com
}
---
Vendor: MiniNuke (http://www.miniex.net/) (http://www.mini-nuke.info/)
Version: 2.3 and prior versions must be affected.
About: Via this method remote attacker can inject arbitrary SQL query
to Your_Account.asp. The problem is that
yas_1,yas_2 and yas_3 parameters did not sanitized properly before
using them on SQL query.This can be caused to remote
attacker could change the SQL query line and change his rights on MiniNuke.
Vulnerable codes can be found at lines 39-79..
-Code/39&79-
yas = Request.Form("yas_1") & "." & Request.Form("yas_2") & "." &
Request.Form("yas_3")
...
...
...
Connection.Execute("UPDATE MEMBERS SET yas = '"&yas&"' WHERE uye_id =
"&Session("Uye_ID")&"")
-Code/39&79-
Fixing this vulnerability is so easy change the line 39 to this.
-Fixed/39-
yas = duz(Request.Form("yas_1")) & "." & duz(Request.Form("yas_2")) &
"." & duz(Request.Form("yas_3"))
-Fixed/39-
Another SQL injection in Your_Account.asp is that change theme for
user, theme parameter did not sanitized properly before
using it on SQL query.
Vulnerable code can be found at line 229..
-Code/229-
Connection.Execute("UPDATE MEMBERS SET
u_theme='"&Request.Form("theme")&"' WHERE uye_id =
"&Session("Uye_ID")&"")
-Code/229-
Fixing this vulnerability is so easy change the line to this
-Fixed/229-
fixedtheme = duz(Request.Form("theme"))
Connection.Execute("UPDATE MEMBERS SET u_theme='"&fixedtheme&"' WHERE
uye_id = "&Session("Uye_ID")&"")
-Fixed/229-
duz() function is special for MiniNuke it cleans the malicious
characters on based variable.
Second problem is on membership.asp.The security code is made as text
format so it can be easily readable by
remote attacker, and can be used for mass-register so mass-register
can make D.o.S for MiniNuke.
Third problem is on enter.asp the gguvenlik and guvenlik parameters
used in login can be changeable by remote attacker,
this can be cause remote attacker makes a dictionary-attack to specified user.
Level: Critical
Solution: Given
---
How&Example:
POST ->
http://[site]/mndir/enter.asp?gguvenlik=1&guvenlik=1&kuladi=victim&password=pass
With this example remote attacker could make dictionary attack for
getting victim's password.
POST ->
http://[site]/mndir/Your_Account.asp?op=RegTheme&theme=default',seviye='1
And other example for SQL injection in yas params like this.
Login to your account on MiniNuke go to
/Your_Account.asp?op=UpdateProfile and open the source code of page
find yas_3 and change value like YEAR',seviye='1 and edit source
correctly dont forgot to edit Timeline:
* 27/05/2006: Vulnerability found.
* 27/05/2006: Contacted with vendor and waiting reply.
---
Exploit: http://www.nukedx.com/?getxpl=31
---
Original advisory can be found at: http://www.nukedx.com/?viewdoc=31




Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    0 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close