I fail to see how this is a SQL injection of any kind, unless of course you only intend to inject numbers into the database records.. The CInt calls force typecasting, preventing non-integers from being processed further. The next error you post indicates no records are being returned, I assume the same would happen with a negative number. Are any of these actually injectable against? Or is it really just an application that doesn't fail gracefully? On 8/16/05, alireza hassani <trueend5@xxxxxxxxx> wrote: > This is the KAPDA.ir 's advisory > (Powered by PersianHacker.NET) > > > Discussion: > > PersianBlog.com is the Weblog service for Persian > users. > Over 75 per cent of Persian-language content on the > Internet belonged to Persianblog with 63,000 number of > blogs. > Website: http://www.persianblog.com > ---------------------------------------------------------------- > vulnerability: > Several scripts do not properly validate user-supplied > input. A remote user can create specially crafted > parameter values that will execute SQL commands on the > underlying database. > ---------------------------------------------------------------- > Description: > > http://www.xxxxxxxblog.com/userslist.asp?page=2'&catid=16 > Error : > > Microsoft VBScript runtime error '800a000d' > Type mismatch: 'Cint' > /userslist.asp, line 213 > http://www.xxxxxxxblog.com/userslist.asp?page=255555&catid=5 > Error : > > Microsoft VBScript runtime error '800a0006' > Overflow: 'Cint' > /userslist.asp, line 213 > > CInt is a Visual Basic function, There is no programs > or modules or anything failing. Just that single ASP > script, that someone specifically passes wrong > arguments to, fails. > and the next one is not a buffer overflow or anything > of that nature,When the multiple numbers go through > the CInt conversion the conversion fails because the > number sent is bigger than Long can store. Once again, > there is no exploit or vulnerability here. > but playing with catid parameter gives us something > new. > http://www.xxxxxxxblog.com/userslist.asp?page=2&catid=16000 > Error : > > ADODB.Field error '800a0bcd' > Either BOF or EOF is True, or the current record has > been deleted. Requested operation requires a current > record. > /userslist.asp, line 221 > http://www.xxxxxxxblog.com/userslist.asp?page=2&catid=16000&catid= > Error : > > Microsoft OLE DB Provider for SQL Server error > '80040e14' > Line 1: Incorrect syntax near ','. > /userslist.asp, line 220 > > We are not going to discuss about this issue in > detaills anymore, because > There is not any vendor-supplied solution at the time > of this entry. > ----------------------------------------------------------------- > Impact: > A remote user can execute SQL commands on the > underlying database. > solution: > Currently we are not aware of any vendor-supplied > patches for this issue > ----------------------------------------------------------------- > This vulnerabilty has been found and released by > trueend5 > Kapda - Security Science Researchers Insitute of Iran > http://www.KAPDA.ir > (PersianHacker.NET) > > > __________________________________________________ > Do You Yahoo!? > Tired of spam? Yahoo! Mail has the best spam protection around > http://mail.yahoo.com > -- Bigger 1:23 This address if for mailing list traffic only. Please direct non-list correspondence to 0x90.org
