Re: SQL injection in Persianblog

[nummish <nummish () gmail com>]

I fail to see how this is a SQL injection of any kind, unless of
course you only intend to inject numbers into the database records..

The CInt calls force typecasting, preventing non-integers from being
processed further.

The next error you post indicates no records are being returned, I
assume the same would happen with a negative number.

Are any of these actually injectable against? Or is it really just an
application that doesn't fail gracefully?

On 8/16/05, alireza hassani <trueend5 () yahoo com> wrote:
>  This is the KAPDA.ir 's advisory
>   (Powered by PersianHacker.NET)
>
>
> Discussion:
>
> PersianBlog.com is the Weblog service for Persian
> users.
> Over 75 per cent of Persian-language content on the
> Internet belonged to Persianblog with 63,000 number of
>  blogs.
> Website: http://www.persianblog.com
> ----------------------------------------------------------------
> vulnerability:
> Several scripts do not properly validate user-supplied
> input. A remote user can create specially crafted
> parameter values that will execute SQL commands on the
> underlying database.
> ----------------------------------------------------------------
> Description:
>
> http://www.xxxxxxxblog.com/userslist.asp?page=2'&catid=16
> Error :
>
> Microsoft VBScript runtime error '800a000d'
> Type mismatch: 'Cint'
> /userslist.asp, line 213
> http://www.xxxxxxxblog.com/userslist.asp?page=255555&catid=5
> Error :
>
> Microsoft VBScript runtime error '800a0006'
> Overflow: 'Cint'
> /userslist.asp, line 213
>
> CInt is a Visual Basic function, There is no programs
> or modules or anything failing. Just that single ASP
> script, that someone specifically passes wrong
> arguments to, fails.
> and the next one is not a buffer overflow or anything
> of that nature,When the multiple numbers go through
> the CInt conversion the conversion fails because the
> number sent is bigger than Long can store. Once again,
> there is no exploit or vulnerability here.
> but playing with catid parameter gives us something
> new.
> http://www.xxxxxxxblog.com/userslist.asp?page=2&catid=16000
> Error :
>
> ADODB.Field error '800a0bcd'
> Either BOF or EOF is True, or the current record has
> been deleted. Requested operation requires a current
> record.
> /userslist.asp, line 221
> http://www.xxxxxxxblog.com/userslist.asp?page=2&catid=16000&catid=
> Error :
>
> Microsoft OLE DB Provider for SQL Server error
> '80040e14'
> Line 1: Incorrect syntax near ','.
> /userslist.asp, line 220
>
> We are not going to discuss about this issue in
> detaills anymore, because
> There is not any vendor-supplied solution at the time
> of this entry.
> -----------------------------------------------------------------
> Impact:
>  A remote user can execute SQL commands on the
> underlying database.
> solution:
> Currently we are not aware of any vendor-supplied
> patches for this issue
> -----------------------------------------------------------------
> This vulnerabilty has been found and released by
> trueend5
> Kapda - Security Science Researchers Insitute of Iran
> http://www.KAPDA.ir
> (PersianHacker.NET)
>
>
> __________________________________________________
> Do You Yahoo!?
> Tired of spam?  Yahoo! Mail has the best spam protection around
> http://mail.yahoo.com


-- 
Bigger 1:23
This address if for mailing list traffic only. 
Please direct non-list correspondence to 0x90.org