
MaxWebPortal memKey Parameter SQL Injection

2005-05-26 00:00:00
This script is Copyright (C) 2005-2021 Tenable Network Security, Inc.

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.004 Low

EPSS

Percentile

73.3%

The remote host is running a version of MaxWebPortal that fails to properly sanitize input passed through the ‘memKey’ parameter to the ‘password.asp’ script. An attacker can exploit this flaw to modify database queries resulting in the disclosure of sensitive information, modification of data (for example, users’ passwords) and even attacks against the underlying database.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

# Plugin registration: metadata, CVSS vectors, scheduling constraints.
# Nessus evaluates this branch with `description` set and exits before
# the detection logic below runs.
if (description) {
  script_id(18370);
  script_version("1.15");
  script_cve_id("CVE-2005-1779");
  script_bugtraq_id(13762);

  script_name(english:"MaxWebPortal memKey Parameter SQL Injection");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server contains an ASP script that is vulnerable to a
SQL injection attack." );
  script_set_attribute(attribute:"description", value:
"The remote host is running a version of MaxWebPortal that fails to
properly sanitize input passed through the 'memKey' parameter to the
'password.asp' script.  An attacker can exploit this flaw to modify
database queries resulting in the disclosure of sensitive information,
modification of data (for example, users' passwords) and even attacks
against the underlying database." );
  script_set_attribute(attribute:"see_also", value:"http://securitytracker.com/alerts/2005/May/1014048.html" );
  # No vendor fix was known when the plugin was written.
  script_set_attribute(attribute:"solution", value:
"Unknown at this time." );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:U/RC:ND");
  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"plugin_publication_date", value: "2005/05/26");
  script_set_attribute(attribute:"vuln_publication_date", value: "2005/05/24");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/19");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  script_summary(english:"Checks for SQL injection vulnerability in MaxWebPortal's password.asp");
  # ACT_ATTACK: the check sends a request that provokes a server-side error.
  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");
  script_copyright(english:"This script is Copyright (C) 2005-2021 Tenable Network Security, Inc.");
  # Run only after web-server fingerprinting, and only when CGI scanning is enabled.
  script_dependencies("http_version.nasl");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);
  script_require_keys("www/ASP");
  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");


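# Detection logic.
#
# For each known CGI directory, fetch password.asp and, when the page
# identifies itself as MaxWebPortal, submit a password-reset form whose
# memKey value carries this plugin's name followed by a stray quote.  The
# install is reported vulnerable only when the response contains a
# database error message that echoes that marker back, so a generic
# 500 page or an unrelated error cannot produce a false positive.
#
# Every exit path carries a message so the scan log records why the
# plugin did or did not fire (not ASP, no answer, not MaxWebPortal,
# tested but no error echoed).

port = get_http_port(default:80);
if (!can_host_asp(port:port)) exit(0, "The web server on port "+port+" does not support ASP");

# Set once at least one MaxWebPortal password form has been seen, so the
# final exit can distinguish "not installed" from "installed, not affected".
found = FALSE;

# Iterate through CGI directories.
foreach dir (cgi_dirs()) {
  # Pull up the password form.
  w = http_send_recv3(method:"GET", item:string(dir, "/password.asp"), port:port);
  if (isnull(w)) exit(1, "The web server on port "+port+" did not answer");
  res = w[2];

  # If it's from MaxWebPortal...
  if ("This page is generated by MaxWebPortal" >< res) {
    found = TRUE;

    # Try to exploit the flaw.
    postdata = string(
      "pass=123456&",
      "pass2=123456&",
      "memId=-1&",
      # nb: this will result in a syntax error.
      "memKey=", SCRIPT_NAME, "'"
    );
    w = http_send_recv3(method:"POST", port: port,
      item: dir+"/password.asp?mode=reset",
      content_type: "application/x-www-form-urlencoded",
      data: postdata);
    if (isnull(w)) exit(1, "The web server on port "+port+" did not answer");
    res = w[2];

    # Match the two backends MaxWebPortal ships with.  SCRIPT_NAME is
    # interpolated into the regex unescaped; its dots match any character,
    # which is acceptable because the surrounding literal text already
    # anchors the match to the database error.
    if (
      (
        "<p>Microsoft OLE DB Provider for SQL Server" >< res &&
        egrep(string:res, pattern:string("Unclosed quotation mark .+'", SCRIPT_NAME), icase:TRUE)
      ) ||
      (
        "<p>Microsoft JET Database Engine</font>" >< res &&
        egrep(string:res, pattern:string("Syntax error.+M_KEY = '", SCRIPT_NAME), icase:TRUE)
      )
    ) {
      security_hole(port);
      # Lets other CGI plugins know this web server has a confirmed SQL injection.
      set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);
      exit(0);
    }
  }
}

if (!found) exit(0, "MaxWebPortal's password.asp was not found on the web server on port "+port+".");
exit(0, "The MaxWebPortal install on port "+port+" does not appear to be affected.");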

