Anastasios Stasinopoulos stasinopoulos
💉
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| It was identified that the blog module in Kentico CMS 5.5 R2 (build 5.5.3996) is vulnerable to SQL injection attacks via “tagname” parameter, since user-controllable data is incorporated into database SQL queries in an unsafe manner. | |
| This vulnerability can be leveraged by a potential attacker in order to interact with the back-end database and access/modify/delete stored data, interfere with application logic, escalate his privileges within the database and/or potentially take control of the database server. | |
| The vulnerability was exploited using the sqlmap tool: | |
| * Sample url: https://target.com/blog?tagname=test&groupid=1 | |
| * Vulnerable parameter: tagname | |
| * Type: time-based blind sql injection | |
| * Sample payload: tagname=test'+(SELECT CHAR(118)+CHAR(103)+CHAR(85)+CHAR(89) WHERE 1718=1718 AND 6176=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7))+'&groupid=1 |
stasinopoulos
/ ping_blind.aspx
Created
September 6, 2017 05:27
Simple ASPX application (vulnerable to blind OS command injections)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <%@ Page Language="C#" Debug="true" Trace="false" %> | |
| <%@ Import Namespace="System.Diagnostics" %> | |
| <%@ Import Namespace="System.IO" %> | |
| <script Language="C#" runat="server"> | |
| string ExcuteCmd(string arg){ | |
| ProcessStartInfo psi = new ProcessStartInfo(); | |
| psi.FileName = "cmd.exe"; | |
| psi.Arguments = "/c ping -n 2 " + arg; | |
| psi.RedirectStandardOutput = true; |
stasinopoulos
/ ping.aspx
Created
April 14, 2017 13:14
Simple ASPX application (vulnerable to OS command injections)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <%@ Page Language="C#" Debug="true" Trace="false" %> | |
| <%@ Import Namespace="System.Diagnostics" %> | |
| <%@ Import Namespace="System.IO" %> | |
| <script Language="c#" runat="server"> | |
| void Page_Load(object sender, EventArgs e){ | |
| } | |
| string ExcuteCmd(string arg){ | |
| ProcessStartInfo psi = new ProcessStartInfo(); |
stasinopoulos
/ cmd.jsp
Created
April 14, 2017 07:09
Simple JSP application (vulnerable to OS command injections)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <FORM METHOD=GET ACTION='cmd.jsp'> | |
| <INPUT name='addr' type=text> | |
| <INPUT type=submit value='Submit!'> | |
| </FORM> | |
| <%@ page import="java.io.*" %> | |
| <% | |
| String addr = request.getParameter("addr"); | |
| String[] ping = {"/bin/sh", "-c", "ping -c2 " + addr}; | |
| String output = ""; |