Microsoft Vbscript Runtime Error 800a000d Exploit
the Weblog service for Persian users. Over 75 per cent of Persian-language content on the Internet belonged to Persianblog with 63,000 number of blogs. Website: http://www.persianblog.com ---------------------------------------------------------------- vulnerability: Several scripts do not properly validate user-supplied input. A remote user can create specially crafted parameter values that will execute SQL commands on the underlying database. ---------------------------------------------------------------- Description: http://www.xxxxxxxblog.com/userslist.asp?page=2'&catid=16 Error : Microsoft VBScript runtime error '800a000d' Type mismatch: 'Cint' /userslist.asp, line 213 http://www.xxxxxxxblog.com/userslist.asp?page=255555&catid=5 Error : Microsoft VBScript runtime error '800a0006' Overflow: 'Cint' /userslist.asp, line 213 CInt is a Visual Basic function, There is no programs or modules or anything failing. Just that single ASP script, that someone specifically passes wrong arguments to, fails. and the next one is not a buffer overflow or anything of that nature,When the multiple numbers go through the CInt conversion the conversion fails because the number sent is bigger than Long can store. Once again, there is no exploit or vulnerability here. but playing with catid parameter gives us something new. http://www.xxxxxxxblog.com/userslist.asp?page=2&catid=16000 Error : ADODB.Field error '800a0bcd' Either BOF or EOF is True, or the current record has been deleted. Requested operation requires a current record. /userslist.asp, line 221 http://www.xxxxxxxblog.com/userslist.asp?page=2&catid=16000&catid= Error : Microsoft OLE DB Provider for SQL Server error '80040e14' Line 1: Incorrect syntax near ','. /userslist.asp, line 220 We are not going to discuss about this issue in detaills anymore, because There is not any vendor-supplied solution at the time of this entry. ----------------------------------------------------------------- Impact: A remote user can execute SQL commands on the underlying database. solution: Currently we are not aware of any vendor-supplied patches for this issue ----------------------------------------------------------------- This vulnerabilty has been found and released by trueend5 Kapda - Security Science Researchers Insitute of Iran http://www.KAPDA.ir (PersianHacker.NET) __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com[ reply ]Re: SQL injection in Persianblog Aug 16 2005 10:31PM nummish (nummish gmail com) Privacy StatementCopyright 2010, SecurityFocus
here for a quick overview of the site Help Center Detailed answers to any questions you might have Meta Discuss the workings and policies of this site About Us Learn more about Stack Overflow the company Business Learn more about hiring developers or posting ads with us Stack Overflow Questions Jobs Documentation Tags Users Badges Ask Question x Dismiss Join the Stack Overflow Community Stack Overflow is a community of 6.2 million programmers, just like you, helping each other. Join them; it only takes a minute: Sign up Reported error code considered SQL Injection? up vote 1 down vote favorite SQL injection that actually runs a SQL command is one thing. But injecting data that doesn't actually run a harmful query but that might tell you something http://www.securityfocus.com/archive/1/408250 valuable about the database, is that considered SQL injection? Or is it just used as part to construct a valid SQL injection? An example could be set rs = conn.execute("select headline from pressReleases where categoryID = " & cdbl(request("id")) ) Passing this a string that could not be turned into a numeric value would cause Microsoft VBScript runtime error '800a000d' Type mismatch: 'cdbl' which would tell you that the column in question only accepts numeric data and is thus probably of type integer http://stackoverflow.com/questions/3005404/reported-error-code-considered-sql-injection or similar. I seem to find this in a lot of pages discussing SQL injection, but don't really get an answer if this in itself is considered SQL injection. The reason for my question is that I have a scanning tool that report a SQL injection vulnerability and reports a VBScript runtime error '800a000d' as the reason for the finding. sql database security sql-injection share|improve this question edited Oct 19 '10 at 4:08 Robert Harvey♦ 129k29224354 asked Jun 9 '10 at 11:36 inquam 5,74192877 1 Just because you don't necessarily know how to construct a malicious attack vector, it doesn't mean that nobody else does. Use bound parameters in your sql to eliminate any possibility of injection. –Cheekysoft Jun 9 '10 at 15:36 add a comment| 2 Answers 2 active oldest votes up vote 4 down vote accepted This is clearly an SQL injection vulnerability, and it needs to be fixed. There are a few reasons for this in your scenario: Finding out incidental information such as you describe may be useful to an attacker, particulary if they have other attack vectors. An attacker finding this vulnerability would be encouraged to go look for some more. Sloppy here may mean sloppy elsewhere. In security it is important not to be too clever. Your attacker may know a lot more, or something more, than you do. So what may look to you like a contained vulnerability may be an open door to soneone else. So yes
almost every kind of organization. Programmers are capable of building applications with usable interfaces, 24/7 availability and worldwide reach. These web sites use http://www.palecrow.com/content/GCIH/Matt_Borland_GCIH.html a variety of tools to query and display data, each with their own options and idiosyncrasies. And although much emphasis has been placed on securing these applications through elaborate network mechanisms, often the applications themselves do not apply certain measures necessary to maintain data security. One threat which has already microsoft vbscript been discussed in the course material is called SQL piggybacking. SQL piggybacking, or SQL command injection, is the practice of appending or manipulating unchecked values to web-based queries. When passed to the database, these queries execute differently than expected by the application developer. Examples of this are in the course material microsoft vbscript runtime entitled 'Web Application Attacks.' In it the author articulates several potential problems posed by SQL piggybacking and describes how the first line of defense is to check any parameters supplied by the client (browser) request. However, I would like to impress upon readers that these examples are not the full extent of the damage which can be done with SQL piggybacking. This paper will articulate further flaws when executing queries with unchecked parameters, including: * How to view data from tables not specified in the original query * How to view user and table structure information from the target system * How to execute shell commands on the target machine More important than the demonstration of the exploits is a description of how to apply defense-in-depth practices to reduce web/database application risk. This too extends beyond parameter checking; it includes: * Selecting the querying methods which reduce risk * Differentiating applica