CVE-2006-6365 - SQL Injection vulnerability in DUware DUpaypal Pro

CVSS 7.5 - HIGH
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL
Tags: network, low complexity, duware, nessus, exploit available

Summary

SQL injection vulnerability in detail.asp in DUware DUpaypal 3.1, and possibly earlier, allows remote attackers to execute arbitrary SQL commands via the iType parameter. NOTE: the iState parameter is already covered by CVE-2005-3976 and the iPro parameter is already covered by CVE-2005-2047.

Vulnerable Configurations

Part         Description  Count
Application  Duware       4

Exploit-Db

description: DUware DUpaypal 3.0/3.1 detail.asp iPro Parameter SQL Injection. CVE-2006-6365. Webapps exploit for asp platform
id: EDB-ID:25866
last seen: 2016-02-03
modified: 2005-06-22
published: 2005-06-22
reporter: Dedi Dwianto
source: https://www.exploit-db.com/download/25866/
title: DUware DUpaypal 3.0/3.1 detail.asp iPro Parameter SQL Injection

Nessus

NASL family: CGI abuses
NASL id: DUPAYPAL_SQL_INJECTIONS.NASL
description: The remote host is running DUpaypal Pro, an ASP-based storefront from DUware for Paypal. The installed version of DUpaypal Pro fails to properly sanitize user-supplied input in several instances before using it in SQL queries. By exploiting these flaws, an attacker can affect database queries, possibly disclosing sensitive data and launching attacks against the underlying database.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 18568
published: 2005-06-28
reporter: This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/18568
title: DUpaypal Pro Multiple Scripts SQL Injection
code:
#
# (C) Tenable Network Security, Inc.
#


include("compat.inc");

if (description) {
  script_id(18568);
  script_version("1.20");
  script_cve_id("CVE-2005-2047", "CVE-2006-6365");
  script_bugtraq_id(14034);

  script_name(english:"DUpaypal Pro Multiple Scripts SQL Injection");
 
  script_set_attribute(attribute:"synopsis", value:
"The remote web server contains an ASP application that is vulnerable
to multiple SQL injection attacks." );
  script_set_attribute(attribute:"description", value:
"The remote host is running DUpaypal Pro, an ASP-based storefront from
DUware for Paypal. 

The installed version of DUpaypal Pro fails to properly sanitize user-
supplied input in several instances before using it in SQL queries. 
By exploiting these flaws, an attacker can affect database queries,
possibly disclosing sensitive data and launching attacks against the
underlying database." );
  script_set_attribute(attribute:"see_also", value:"http://echo.or.id/adv/adv19-theday-2005.txt" );
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2005/Jun/175" );
  script_set_attribute(attribute:"solution", value:
"Unknown at this time." );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:U/RC:ND");
  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"plugin_publication_date", value: "2005/06/28");
  script_set_attribute(attribute:"vuln_publication_date", value: "2005/06/22");
  script_cvs_date("Date: 2018/11/15 20:50:16");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  script_summary(english:"Checks for multiple SQL injection vulnerabilities in DUpaypal Pro");
  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");
  script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");
  script_dependencies("http_version.nasl");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);
  script_require_keys("www/ASP");
  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");


port = get_http_port(default:80);
if (!can_host_asp(port:port)) exit(0);


# Loop through CGI directories.
foreach dir (cgi_dirs()) {
  # Try to exploit one of the flaws.
  u = string(
      dir, "/shops/sub.asp?",
      "iSub=", SCRIPT_NAME, "'"
    );
  r = http_send_recv3(method: "GET", port:port, item: u);
  if (isnull(r)) exit(0);

  # There's a problem if...
  if (
    # it looks like DUpaypal Pro and...
    'href="../css/DUpaypalPro.css" rel="stylesheet" ' >< r[2] && 
    # there's a syntax error.
    egrep(string:r[2], pattern:string("Syntax error .+ AND PRO_SUBS.SUB_ID = ", SCRIPT_NAME, "'"))
  ) {
    security_hole(port);
    set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);
    exit(0);
  }
}