Hi,
I am trying to write a plugin for BID 13804 (os4e sql injection). for
some reason when I run the post request with wget I receive a 500 status
code and the error string I want to search for, but when I try the same thing with my
plugin I receive a 302 object moved and the message: "Please+type_in+your+Username+before+submit" .
The following is the wget string that works correctly (meaning I receive a 500 Internal
server error with the MS SQL error):
wget www.VulnerableSite.com/teachers/elementary/process_login.asp --post-data=password=%27\&id=1\&Publish=++Login++
I attached the full plugin to this message. The following is the relevant part of the plugin that returns the 302 status code
instead of 500:
######################################################################
function check(url)
{
req = http_post(port: port, item: "/teachers/elementary/process_login.asp", data: "password='&id=1&Publish=++Login++");
res = http_keepalive_send_recv(port:port, data:req, bodyonly:1);
display("output: ", res, "\n");
if( res == NULL )exit(0);
#if (("Microsoft OLE DB Provider for ODBC Drivers error '80040e14' " >< res) && ("Unclosed quotation mark before the character string" >< res))
if ("Microsoft OLE DB Provider for ODBC Drivers error '80040e14' " >< res)
{
security_hole(port);
exit(0);
}
}
foreach dir ( cgi_dirs() )
check(url:dir);
######################################################################
Any ideas what I am doing wrong?
--
- Josh
I am trying to write a plugin for BID 13804 (os4e sql injection). for
some reason when I run the post request with wget I receive a 500 status
code and the error string I want to search for, but when I try the same thing with my
plugin I receive a 302 object moved and the message: "Please+type_in+your+Username+before+submit" .
The following is the wget string that works correctly (meaning I receive a 500 Internal
server error with the MS SQL error):
wget www.VulnerableSite.com/teachers/elementary/process_login.asp --post-data=password=%27\&id=1\&Publish=++Login++
I attached the full plugin to this message. The following is the relevant part of the plugin that returns the 302 status code
instead of 500:
######################################################################
function check(url)
{
req = http_post(port: port, item: "/teachers/elementary/process_login.asp", data: "password='&id=1&Publish=++Login++");
res = http_keepalive_send_recv(port:port, data:req, bodyonly:1);
display("output: ", res, "\n");
if( res == NULL )exit(0);
#if (("Microsoft OLE DB Provider for ODBC Drivers error '80040e14' " >< res) && ("Unclosed quotation mark before the character string" >< res))
if ("Microsoft OLE DB Provider for ODBC Drivers error '80040e14' " >< res)
{
security_hole(port);
exit(0);
}
}
foreach dir ( cgi_dirs() )
check(url:dir);
######################################################################
Any ideas what I am doing wrong?
--
- Josh
Attached Files:
-
os4e_sql_injection.nasl (1.79 KB)