Discussion:
SQL injection in Persianblog
alireza hassani
2005-08-16 07:57:21 UTC
This is the KAPDA.ir advisory
(Powered by PersianHacker.NET)

Discussion

PersianBlog.com is the Weblog service for Persian
users.
Over 75 per cent of Persian-language content on the
Internet belonged to Persianblog with 63,000 blogs.
Website: http://www.persianblog.com
---------------------------------------------------------------
Vulnerability
Several scripts do not properly validate user-supplied
input. A remote user can create specially crafted
parameter values that will execute SQL commands on the
underlying database.
---------------------------------------------------------------
Description

http://www.xxxxxxxblog.com/userslist.asp?page=2'&catid=1
Error

Microsoft VBScript runtime error '800a000d'
Type mismatch: 'Cint'
/userslist.asp, line 21
http://www.xxxxxxxblog.com/userslist.asp?page=255555&catid=
Error

Microsoft VBScript runtime error '800a0006'
Overflow: 'Cint'
/userslist.asp, line 213

CInt is a Visual Basic function. There is no program
or modules or anything failing. Just that single ASP
script, that someone specifically passes wrong
arguments to, fails.
And the next one is not a buffer overflow or anything
of that nature. When the multiple numbers go through
the CInt conversion the conversion fails because the
number sent is bigger than Long can store. Once again,
there is no exploit or vulnerability here.
But playing with the catid parameter gives us something
new:
http://www.xxxxxxxblog.com/userslist.asp?page=2&catid=1600
Error

ADODB.Field error '800a0bcd'
Either BOF or EOF is True, or the current record ha
been deleted. Requested operation requires a curren
record.
/userslist.asp, line 221
http://www.xxxxxxxblog.com/userslist.asp?page=2&catid=16000&catid=3
Error

Microsoft OLE DB Provider for SQL Server error
'80040e14'
Line 1: Incorrect syntax near ','.
/userslist.asp, line 22

We are not going to discuss this issue in
detail anymore, because
there is not any vendor-supplied solution at the time
of this entry.
----------------------------------------------------------------
Impact
A remote user can execute SQL commands on the
underlying database.
Solution
Currently we are not aware of any vendor-supplied
patches for this issue.
----------------------------------------------------------------
This vulnerability has been found and released by
trueend
Kapda - Security Science Researchers Institute of Iran
http://www.KAPDA.ir
(PersianHacker.NET)

nummish
2005-08-16 22:31:33 UTC
I fail to see how this is a SQL injection of any kind, unless of
course you only intend to inject numbers into the database records.

The CInt calls force typecasting, preventing non-integers from being
processed further.

The next error you post indicates no records are being returned, I
assume the same would happen with a negative number.

Are any of these actually injectable against? Or is it really just an
application that doesn't fail gracefully?
--
Bigger 1:2
This address is for mailing list traffic only.
Please direct non-list correspondence to 0x90.or
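
Added example, not part of either post and not the site's code: a Python sketch of server-side validation run against the query strings quoted in the thread. It models how classic ASP's Request.QueryString joins a repeated key with ", " (consistent with the "Incorrect syntax near ','" error when catid appears twice), then rejects every malformed request before a parameterized query runs. The table, sample rows and function names are constructed for illustration.

```python
import sqlite3
from urllib.parse import parse_qs

INT16_MAX = 32767  # upper bound of the VBScript Integer subtype that CInt returns

def asp_value(query, key):
    """Model classic ASP Request.QueryString(key): repeated keys join with ', '."""
    return ", ".join(parse_qs(query, keep_blank_values=True).get(key, []))

def strict_id(query, key):
    """Allowlist check: exactly one occurrence, ASCII digits only, in Integer range."""
    values = parse_qs(query, keep_blank_values=True).get(key, [])
    if len(values) != 1:
        raise ValueError(f"{key}: expected exactly one value, got {len(values)}")
    if not (values[0].isascii() and values[0].isdigit()):
        raise ValueError(f"{key}: not a non-negative integer")
    number = int(values[0])
    if number > INT16_MAX:
        raise ValueError(f"{key}: out of range")
    return number

def demo_db():
    """Constructed sample data; the real schema is not shown in the thread."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, catid INTEGER)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("blog-a", 1), ("blog-b", 1), ("blog-c", 2)])
    return db

def list_users(db, query):
    """Validate both parameters, then bind catid instead of concatenating it."""
    strict_id(query, "page")  # paging itself is omitted in this sketch
    catid = strict_id(query, "catid")
    rows = db.execute("SELECT name FROM users WHERE catid = ? ORDER BY name", (catid,))
    return [name for (name,) in rows]

def triage(query):
    """Return the rows for a valid request, or the rejection reason as a string."""
    try:
        return list_users(demo_db(), query)
    except ValueError as err:
        return f"rejected: {err}"

if __name__ == "__main__":
    for q in ("page=2'&catid=1", "page=255555&catid=", "page=2&catid=1600",
              "page=2&catid=16000&catid=3", "page=2&catid=1"):
        print(f"{q!r:34} catid as ASP sees it: {asp_value(q, 'catid')!r:12} -> {triage(q)}")
```

An unknown catid returns an empty list here instead of surfacing a BOF/EOF error, so the request fails gracefully and no database error text reaches the client.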
