Craft Silicon Banking Home SQL Injection

Vulnerability ID 1052203  Vulnerability type
Published 2009-02-11  Updated 2009-02-11
CVE number N/A  CNNVD-ID N/A
Vulnerability platform N/A  CVSS score N/A
|Vulnerability source
https://cxsecurity.com/issue/WLB-2009020026
|Vulnerability details
Vulnerability details have not yet been disclosed.
|Vulnerability EXP
Craft Silicon Banking_at_Home SQL Injection

***********************************************************************

Author: Francesco Bianchino

Email: f.bianchino [at] gmail.com

Title: Craft Silicon Banking_at_Home SQL Injection

Product: Banking_at_Home - Net Banking

Versions Vulnerable: 2.1 and below

Vendor: Craft Silicon (www.craftsilicon.com)

***********************************************************************

Summary

Banking_at_Home is a home banking application that allows customers to access
their account information over the web.
The application stores its data in a database management system that uses
Structured Query Language (SQL) as its data access standard.

**********************************************************************

Vulnerability Details

The login page of Net Banking is vulnerable to SQL injection because it has
no input validation mechanism.
An attacker can inject SQL code into the username and password fields,
altering the login procedure.
The flaw is a classic error-based injection that is easy to exploit and can
be used to take control of the entire server.
Authentication bypass is possible with a valid username alone; no password is
required. Alternatively, the user table can be modified arbitrarily.
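As an added illustration (not the advisory's content and not the vendor's code), the two login patterns side by side: the string-spliced query that the advisory describes, and a parameterized query that does not let field contents be parsed as SQL. The SQLite table, the user `alice`, her password and the function names are all constructed for this example.

```python
import sqlite3


def make_db():
    """Constructed sample user table standing in for the product's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn


def login_concat(conn, login_name, password):
    """Vulnerable pattern: the LoginName and Password fields are spliced into the
    SQL text, so a quote in either field changes the query itself.
    Returns True when the query finds a matching row."""
    sql = ("SELECT login FROM users WHERE login = '%s' AND password = '%s'"
           % (login_name, password))
    return conn.execute(sql).fetchone() is not None


def login_param(conn, login_name, password):
    """Hardened pattern: placeholders carry the field values to the database
    driver separately from the SQL text, so they can only ever be data."""
    sql = "SELECT login FROM users WHERE login = ? AND password = ?"
    return conn.execute(sql, (login_name, password)).fetchone() is not None


def bypass_check(login_name):
    """Defender's regression check: a login name containing a quote and a SQL
    comment, with an empty password, must not authenticate. Returns a pair
    (spliced_query_result, parameterized_query_result)."""
    conn = make_db()
    return (login_concat(conn, login_name, ""),
            login_param(conn, login_name, ""))


if __name__ == "__main__":
    # The valid username alone, with the rest of the WHERE clause commented out,
    # authenticates against the spliced query but not the parameterized one.
    print(bypass_check("alice'--"))
```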

***********************************************************************

Exploit

http://www.example.com/document_root/Login.asp?LoginName='Some_SQL_Stuff&Password=&submit=Login

***********************************************************************

Solution

At the moment of writing this advisory there is no solution yet.
I advised Craft Silicon in November 2008 and I have actually received no answer.

***********************************************************************

Credits

Discovered by Francesco Bianchino.