
Dotnet CMS - SQL Injection

By kannthu

Critical
#dotnetcms#dotnet#sqli
Description

What is the "Dotnet CMS - SQL Injection" module?

The "Dotnet CMS - SQL Injection" module is designed to detect a SQL injection vulnerability in the Dotnet CMS software. Dotnet CMS is a content management system built on the .NET framework. This module specifically targets the SQL injection vulnerability, which is a critical security issue. It allows attackers to manipulate the SQL queries executed by the application, potentially gaining unauthorized access to sensitive information, modifying data, or even executing arbitrary code.

This module is authored by an unknown individual or group.

Impact

A successful SQL injection attack on the Dotnet CMS can have severe consequences. It can lead to unauthorized access to sensitive data, such as user credentials, personal information, or financial records. Attackers can also modify or delete data, disrupt the normal functioning of the application, or even gain control over the underlying server.

How does the module work?

The "Dotnet CMS - SQL Injection" module works by sending a specific HTTP request to the target application. The request is designed to exploit the SQL injection vulnerability in the /user/City_ajax.aspx page, which accepts a parameter called "CityId". The module injects a payload into the parameter value that attempts to make the database return the MD5 hash of a randomly generated alphanumeric string. The payload uses the Microsoft SQL Server functions HashBytes and sys.fn_sqlvarbasetostr, so the check is specific to installations backed by SQL Server.

The module then uses matching conditions to determine whether the SQL injection vulnerability is present. It checks the response body for the MD5 hash of the injected random string and verifies that the HTTP response status is 200 (OK).

Example HTTP request:

GET /user/City_ajax.aspx?CityId=33'union%20select%20sys.fn_sqlvarbasetostr(HashBytes('MD5','{%randTextAlphanumeric(10)%}')),2-- HTTP/1.1
Host: example.com

The matching conditions are:

- The response body must contain the MD5 hash of the injected random string.
- The HTTP response status must be 200 (OK).

If both conditions are met, the module reports the presence of the SQL injection vulnerability.
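From the defender's side, the request shape described above is easy to spot in web server logs. The following is an added example, not part of the Vidoc module, that flags probes of the City_ajax.aspx CityId parameter in IIS W3C log lines; the log lines, IP addresses and random string in it are constructed for illustration.

```python
# Added example (not Vidoc module code): detect CityId injection probes in IIS logs.
import re
from urllib.parse import unquote_plus

# Constructed sample in the default IIS W3C field order:
# date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
SAMPLE_LOG = """\
2024-01-01 10:00:01 10.0.0.5 GET /user/City_ajax.aspx CityId=33 443 - 198.51.100.7 Mozilla/5.0 200
2024-01-01 10:00:02 10.0.0.5 GET /user/City_ajax.aspx CityId=33'union%20select%20sys.fn_sqlvarbasetostr(HashBytes('MD5','aB3dE9fG1h')),2-- 443 - 198.51.100.7 Mozilla/5.0 200
2024-01-01 10:00:03 10.0.0.5 GET /index.aspx - 443 - 198.51.100.8 Mozilla/5.0 200
2024-01-01 10:00:04 10.0.0.5 GET /user/City_ajax.aspx CityId=33%27%20UNION%20SELECT%201%2C2-- 443 - 203.0.113.9 curl/8.0 500
"""

# Markers of the payload family the module sends. Matching runs on the
# URL-decoded query, case-insensitively, so %20/%27 encoding does not hide it.
INJECTION_MARKERS = re.compile(
    r"'\s*union\s+select|hashbytes\s*\(|fn_sqlvarbasetostr", re.IGNORECASE)


def parse_w3c_line(line):
    """Split one IIS W3C log line into the fields this check needs."""
    fields = line.split()
    if len(fields) < 11:
        return None
    return {
        "client": fields[8],
        "method": fields[3],
        "stem": fields[4],
        "query": unquote_plus(fields[5]),  # decode %20, %27, '+' once
        "status": int(fields[10]),
    }


def find_cityid_injection_attempts(log_text):
    """Return (client_ip, status, decoded query) for every request that hits
    City_ajax.aspx with a CityId value carrying the injection markers."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_w3c_line(line)
        if rec is None or not rec["stem"].lower().endswith("/city_ajax.aspx"):
            continue
        if "cityid=" in rec["query"].lower() and INJECTION_MARKERS.search(rec["query"]):
            hits.append((rec["client"], rec["status"], rec["query"]))
    return hits


if __name__ == "__main__":
    for client, status, query in find_cityid_injection_attempts(SAMPLE_LOG):
        print(f"{client} status={status} query={query}")
```

A status 200 on a flagged line is the combination the module itself reports on, so those hits deserve priority over the 500s, which indicate the query was rejected.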

Module preview

Concurrent Requests (1)
1. HTTP Request template
GET /user/City_ajax.aspx...
Matching conditions
word: {{md5("{{randstr}}")}}
and
status: 200
Passive global matcher
No matching conditions.
On match action
Report vulnerability