
I'm trying to concat a SQL query string and a hex string that should be capitalized. hURL -X -s takes a string or file and converts it to hex.

cmd = "/root/Desktop/pentest/tools/hURL/hURL -X -s " +
  md5_got.chomp.delete("\n").to_s
md5_tohex = `#{cmd}`  
md5_where = md5_tohex.chomp.delete("\n").to_s

At this point, md5_where is:

1b5b316d34303339613365663766633739653461646236306234336163313038643634381b5b306d

I need this hex capitalized. I did both of these in all permutations including leaving out the to_s and the !:

md5_where.upcase! 
md5_where.to_s!

I try and combine my query and my hex value:

sql_comp = "SELECT word FROM captcha_rbow WHERE hex(md5) = " + md5_where
puts sql_comp
puts '###'
abort()

This is what I get:

                         1B5B316D653...B306D 

Leading spaces equal to the length of the SQL query, and the upcased string printed on the screen with no trace of the SQL query.

If I take out md5_where, I get this, which is as it should be:

SELECT word FROM captcha_rbow WHERE hex(md5) = 

Why does this clobber the text? Here is the full script:

require 'open-uri'
require 'sqlite3'

open('GOT_captcha.png', 'wb') do |file|
  file << open('http://192.168.56.101/captcha/example5/captcha.png').read
end

cmd = "/root/Desktop/pentest/tools/hURL/hURL -m -s -f GOT_captcha.png"
md5orig = `#{cmd}`

cmd = "/root/Desktop/pentest/tools/hURL/hURL -X -s " + md5orig.chomp.delete("\n").to_s
puts cmd
md5_tohex = `#{cmd}`
md5_where = md5_tohex.to_s
puts md5_where

sql_comp = "SELECT word FROM captcha_rbow WHERE (hex(md5)) = " + md5_where.upcase
puts sql_comp
#THIS IS WHERE THE PROBLEM IS

begin
  db = SQLite3::Database.open("akad_web2")
  sql_comp = "SELECT word FROM captcha_rbow WHERE hex(md5) = '" + md5_where.upcase + "';"
  puts sql_comp
  stm = db.prepare sql_comp
  rs = stm.execute
  row = rs.next
  puts row.to_s
rescue SQLite3::Exception => e
  puts "Exception occurred"
  puts e
ensure
  stm.close if stm
  db.close if db
end
abort()

NOTE - input is an image file (a captcha generated via RMagick with a known set of possible strings) to generate an MD5 rainbow table.

This is the output:

/root/Desktop/pentest/tools/hURL/hURL -X -s 4039a3ef7fc79e4adb60b43ac108d648
1b5b316d34303339613365663766633739653461646236306234336163313038643634381b5b306d
                                                 1B5B316D34303339613365663766633739653461646236306234336163313038643634381B5B306D
                                                 1B5B316D34303339613365663766633739653461646236306234336163313038643634381B5B306D';


1 Answer

Here is the problem: by default hURL colors the output with ANSI escape sequences.

Example:

> hURL -X -s "test" | hexdump -C
00000000  1b 5b 31 6d 37 34 36 35  37 33 37 34 1b 5b 30 6d  |.[1m74657374.[0m|

So what you're getting back to your Ruby script inside your md5_tohex variable is an ANSI escaped string. This is why everything seems to behave strangely from that point forward.

Run hURL with the --nocolor option to disable this behavior:

> hURL -X -s --nocolor "test" | hexdump -C
00000000  37 34 36 35 37 33 37 34                           |74657374|

Further evidence of the problem:

irb> s = `hURL -X -s "xyz"`
=> "\e[1m78797a\e[0m"
irb> s.upcase
=> "\e[1M78797A\e[0M"
irb> puts s.upcase
                                  # <- exactly nothing is printed    
=> nil

By using --nocolor everything is resolved:

irb> s = `hURL -X -s --nocolor "xyz"`
=> "78797a"
irb> puts s.upcase
78797A
=> nil
  • Is there some way to strip away any special characters that may have embedded themselves into a string? Thx – Dan Miller Jan 26 '16 at 18:56
  • @DanMiller Have a look at these for some ideas: http://stackoverflow.com/questions/20146704/ruby-convert-non-printable-characters-into-numbers http://stackoverflow.com/questions/16530038/how-to-remove-non-printable-invisible-characters-in-ruby – Casper Jan 26 '16 at 19:11
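The two layers of colour codes the answer describes, and the stripping the comment above asks about, as an added Ruby example (not code from the question, the answer or hURL). The raw hURL output is constructed here from the hex value printed in the question; the `hex(md5) = ?` query and its bind value follow the question's schema.

```ruby
# Added example (not code from the question, the answer or hURL): why upcasing
# the coloured output erases the line, and how to strip and validate it first.

# ECMA-48 CSI sequence: ESC '[' parameter bytes (0x30-0x3F), intermediate
# bytes (0x20-0x2F), one final byte (0x40-0x7E). Matches "\e[1m" and "\e[0m".
ANSI_CSI = /\e\[[0-?]*[ -\/]*[@-~]/

# Constructed raw output of the second hURL call, built as the answer describes:
# bold-on, the hex printed in the question (copied verbatim), bold-off, newline.
QUESTION_HEX = "1b5b316d34303339613365663766633739653461646236306234336163313038643634381b5b306d"
RAW_MD5_TOHEX = "\e[1m#{QUESTION_HEX}\e[0m\n"

def strip_ansi(str)
  str.gsub(ANSI_CSI, "")
end

# Upcasing rewrites the final byte of every escape: SGR "m" becomes "M", which
# ECMA-48 defines as DL (delete line), so the terminal wipes the query text.
def upcased_escapes(str)
  str.scan(ANSI_CSI).map(&:upcase)
end

# Reject anything that is not purely hex digits instead of concatenating it.
def require_hex(str)
  raise ArgumentError, "not a hex string: #{str.inspect}" unless str.match?(/\A\h+\z/)
  str
end

# The question's hex starts with 1b5b316d (ESC [ 1 m): the first hURL call was
# coloured too, so its escapes were hex-encoded by the second call. Strip the
# outer colour, decode, strip the inner colour, and check for a 32-digit MD5.
def recover_md5(raw)
  outer = require_hex(strip_ansi(raw).strip)
  md5 = strip_ansi([outer].pack("H*"))
  raise ArgumentError, "not an MD5 hex digest: #{md5.inspect}" unless md5.match?(/\A\h{32}\z/)
  md5
end

# Parameterised form of the question's query. SQLite's hex() yields uppercase,
# so the bind value is the uppercase hex of the digest text; with the sqlite3
# gem it is passed as db.execute(sql, binds), never by string concatenation.
def lookup_query(raw)
  bind = recover_md5(raw).unpack1("H*").upcase
  ["SELECT word FROM captcha_rbow WHERE hex(md5) = ?", [bind]]
end

if __FILE__ == $PROGRAM_NAME
  p upcased_escapes(RAW_MD5_TOHEX)   # ["\e[1M", "\e[0M"]
  p lookup_query(RAW_MD5_TOHEX)
end
```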